@highflame/policy 2.0.9 → 2.0.10

package/dist/builder.js

@@ -133,8 +133,11 @@ export class Policy {
     /**
      * Convert to Cedar policy text.
      * Uses proper Cedar @annotation syntax.
+     *
+     * @param optionalFields - Set of context field names that are optional and need `context has` guards.
+     *                         Use `getOptionalFields()` to compute this from service context metadata.
      */
-    toCedar() {
+    toCedar(optionalFields) {
         const lines = [];
         // Generate proper Cedar annotations
         if (this.data.id || this.data.name) {
@@ -145,7 +148,7 @@ export class Policy {
             lines.push(...generateAnnotationLines(annotations));
         }
         // Generate policy body
-        lines.push(generatePolicyBody(this.data.effect, this.data.principal, this.data.action, this.data.resource, this.data.conditions, this.data.rawCondition));
+        lines.push(generatePolicyBody(this.data.effect, this.data.principal, this.data.action, this.data.resource, this.data.conditions, this.data.rawCondition, optionalFields));
         return lines.join('\n');
     }
     /**
@@ -170,40 +173,99 @@ export class Policy {
 // ============================================================================
 // Cedar Generation Functions
 // ============================================================================
+/**
+ * Get the set of optional context fields for the given action(s).
+ *
+ * A field is considered optional if it has `required: false` in ANY of the
+ * targeted actions. This is the safe choice because at evaluation time,
+ * the policy could be matched against any of the specified actions.
+ *
+ * @param serviceContext - The service context metadata (from OVERWATCH_CONTEXT, etc.)
+ * @param actions - Single action name or array of action names
+ * @returns Set of field names that are optional and need `context has` guards
+ *
+ * @example
+ * ```typescript
+ * import { OVERWATCH_CONTEXT } from '@highflame/policy/types';
+ *
+ * const optionalFields = getOptionalFields(OVERWATCH_CONTEXT, 'call_tool');
+ * // Set { 'tool_name', 'mcp_server', 'threat_count', ... }
+ *
+ * const cedar = ruleToCedar(rule, optionalFields);
+ * // Conditions on optional fields auto-get `context has` guards
+ * ```
+ */
+export function getOptionalFields(serviceContext, actions) {
+    const actionList = Array.isArray(actions) ? actions : [actions];
+    const optionalFields = new Set();
+    for (const actionName of actionList) {
+        const action = serviceContext.actions.find(a => a.name === actionName);
+        if (action) {
+            for (const attr of action.context_attributes) {
+                if (!attr.required) {
+                    optionalFields.add(attr.key);
+                }
+            }
+        }
+    }
+    return optionalFields;
+}
 /**
  * Convert a condition to Cedar syntax.
  * Field names are sanitized to prevent injection attacks.
+ *
+ * When `optionalFields` is provided and the condition's field is in the set,
+ * the output is wrapped with a `context has` guard:
+ *   `context has field && context.field > value`
  */
-function conditionToCedar(condition) {
+function conditionToCedar(condition, optionalFields) {
     const field = sanitizeIdentifier(condition.field, 'field');
     const { operator, value } = condition;
     const valueStr = valueToString(value);
+    let expr;
     switch (operator) {
         case 'eq':
-            return `context.${field} == ${valueStr}`;
+            expr = `context.${field} == ${valueStr}`;
+            break;
         case 'neq':
-            return `context.${field} != ${valueStr}`;
+            expr = `context.${field} != ${valueStr}`;
+            break;
         case 'lt':
-            return `context.${field} < ${valueStr}`;
+            expr = `context.${field} < ${valueStr}`;
+            break;
         case 'lte':
-            return `context.${field} <= ${valueStr}`;
+            expr = `context.${field} <= ${valueStr}`;
+            break;
         case 'gt':
-            return `context.${field} > ${valueStr}`;
+            expr = `context.${field} > ${valueStr}`;
+            break;
         case 'gte':
-            return `context.${field} >= ${valueStr}`;
+            expr = `context.${field} >= ${valueStr}`;
+            break;
         case 'contains':
-            return `context.${field}.contains(${valueStr})`;
+            expr = `context.${field}.contains(${valueStr})`;
+            break;
         case 'in':
             if (Array.isArray(value)) {
                 const items = value.map(v => `"${escapeCedarString(v)}"`).join(', ');
-                return `context.${field} in [${items}]`;
+                expr = `context.${field} in [${items}]`;
+            }
+            else {
+                expr = `context.${field} in ${valueStr}`;
             }
-            return `context.${field} in ${valueStr}`;
+            break;
         case 'like':
-            return `context.${field} like ${valueStr}`;
+            expr = `context.${field} like ${valueStr}`;
+            break;
         default:
-            return `context.${field} == ${valueStr}`;
+            expr = `context.${field} == ${valueStr}`;
+            break;
+    }
+    // Auto-inject `context has` guard for optional fields
+    if (optionalFields?.has(field)) {
+        return `context has ${field} && ${expr}`;
     }
+    return expr;
 }
 /**
  * Convert a value to Cedar string representation.
@@ -225,7 +287,7 @@ function valueToString(value) {
  * Generate the Cedar policy body (permit/forbid statement).
  * All inputs are sanitized/escaped to prevent injection attacks.
  */
-function generatePolicyBody(effect, principal, action, resource, conditions, rawCondition) {
+function generatePolicyBody(effect, principal, action, resource, conditions, rawCondition, optionalFields) {
     let policyLine = `${effect} (`;
     // Principal
     if (principal) {
@@ -283,7 +345,7 @@ function generatePolicyBody(effect, principal, action, resource, conditions, raw
         }
         else if (conditions.length > 0) {
             // Fallback to structured conditions if rawCondition is rejected
-            const conditionStr = conditions.map(c => conditionToCedar(c)).join(' && ');
+            const conditionStr = conditions.map(c => conditionToCedar(c, optionalFields)).join(' && ');
             policyLine += `\nwhen { ${conditionStr} };`;
         }
         else {
@@ -291,7 +353,7 @@ function generatePolicyBody(effect, principal, action, resource, conditions, raw
         }
     }
     else if (conditions.length > 0) {
-        const conditionStr = conditions.map(c => conditionToCedar(c)).join(' && ');
+        const conditionStr = conditions.map(c => conditionToCedar(c, optionalFields)).join(' && ');
         policyLine += `\nwhen { ${conditionStr} };`;
     }
     else {
@@ -303,6 +365,8 @@ function generatePolicyBody(effect, principal, action, resource, conditions, raw
  * Convert a PolicyRule to Cedar policy text with proper annotations.
  *
  * @param rule - The PolicyRule to convert
+ * @param optionalFields - Set of context field names that are optional and need `context has` guards.
+ *                         Use `getOptionalFields()` to compute this from service context metadata.
  * @returns Cedar policy text string
  *
  * @example
@@ -318,25 +382,22 @@ function generatePolicyBody(effect, principal, action, resource, conditions, raw
  *   order: 0,
  * };
  *
+ * // Without optional fields - no guards injected
  * const cedar = ruleToCedar(rule);
- * // Output:
- * // @id("rule-001")
- * // @name("Block threats")
- * // @severity("high")
- * // forbid (
- * //     principal,
- * //     action == Action::"call_tool",
- * //     resource
- * // )
- * // when { context.threat_count > 0 };
+ *
+ * // With optional fields - auto-injects `context has` guards
+ * import { OVERWATCH_CONTEXT } from '@highflame/policy/types';
+ * const optionalFields = getOptionalFields(OVERWATCH_CONTEXT, 'call_tool');
+ * const cedarWithGuards = ruleToCedar(rule, optionalFields);
+ * // when { context has threat_count && context.threat_count > 0 };
  * ```
  */
-export function ruleToCedar(rule) {
+export function ruleToCedar(rule, optionalFields) {
     const lines = [];
     // Generate Cedar annotations
     lines.push(...generateAnnotationLines(rule.annotations, rule.customAnnotations));
     // Generate policy body
-    lines.push(generatePolicyBody(rule.effect, rule.principal, rule.action, rule.resource, rule.conditions, rule.rawCondition));
+    lines.push(generatePolicyBody(rule.effect, rule.principal, rule.action, rule.resource, rule.conditions, rule.rawCondition, optionalFields));
     return lines.join('\n');
 }
 /**
@@ -345,24 +406,30 @@ export function ruleToCedar(rule) {
  *
  * @param rules - Array of PolicyRules to convert
  * @param includeDisabled - If true, include disabled rules as comments (default: false)
+ * @param optionalFields - Set of context field names that are optional and need `context has` guards.
+ *                         Use `getOptionalFields()` to compute this from service context metadata.
  * @returns Cedar policy text with all rules separated by blank lines
  *
  * @example
  * ```typescript
  * const rules: PolicyRule[] = [...];
  * const cedarText = rulesToCedar(rules);
+ *
+ * // With optional fields awareness
+ * const optionalFields = getOptionalFields(OVERWATCH_CONTEXT, 'call_tool');
+ * const cedarText = rulesToCedar(rules, false, optionalFields);
  * ```
  */
-export function rulesToCedar(rules, includeDisabled = false) {
+export function rulesToCedar(rules, includeDisabled = false, optionalFields) {
     const sortedRules = [...rules].sort((a, b) => a.order - b.order);
     const cedarPolicies = [];
     for (const rule of sortedRules) {
         if (rule.enabled) {
-            cedarPolicies.push(ruleToCedar(rule));
+            cedarPolicies.push(ruleToCedar(rule, optionalFields));
         }
         else if (includeDisabled) {
             // Include disabled rules as comments
-            const cedarLines = ruleToCedar(rule).split('\n');
+            const cedarLines = ruleToCedar(rule, optionalFields).split('\n');
             cedarPolicies.push(cedarLines.map(line => `// [DISABLED] ${line}`).join('\n'));
         }
     }

package/dist/engine.d.ts

@@ -38,11 +38,21 @@ export interface EngineOptions {
 export declare class InputValidationError extends Error {
     constructor(message: string);
 }
+/**
+ * A policy that contributed to the authorization decision,
+ * enriched with its Cedar annotations.
+ */
+export interface DeterminingPolicy {
+    /** Policy ID (from @id annotation or positional fallback) */
+    id: string;
+    /** All annotations from this policy as key-value pairs */
+    annotations: Record<string, string>;
+}
 export declare class Decision {
     readonly effect: "Allow" | "Deny";
-    readonly determining_policies: string[];
+    readonly determining_policies: DeterminingPolicy[];
     readonly reason?: string;
-    constructor(effect: "Allow" | "Deny", determining_policies: string[], reason?: string);
+    constructor(effect: "Allow" | "Deny", determining_policies: DeterminingPolicy[], reason?: string);
     isAllowed(): boolean;
     isDenied(): boolean;
 }
@@ -63,6 +73,7 @@ export interface EvaluateRequest {
  */
 export declare class PolicyEngine {
     private policySet;
+    private policyAnnotations;
     private schema;
     private options;
     private limits;
@@ -74,11 +85,13 @@ export declare class PolicyEngine {
     /**
      * Load a single Cedar policy text string.
      * Uses @id annotations as policy IDs when available.
+     * Stores all annotations per policy for enriching evaluation results.
      */
     loadPolicy(policy: string): void;
     /**
      * Load multiple Cedar policy texts (concatenated with newlines).
      * Uses @id annotations as policy IDs when available.
+     * Stores all annotations per policy for enriching evaluation results.
      */
     loadPolicies(policies: string[]): void;
     /**
@@ -89,6 +102,11 @@ export declare class PolicyEngine {
      * Load schema from a Cedar schema file.
      */
     loadSchemaFromFile(path: string): void;
+    /**
+     * Returns stored annotations for a given policy ID.
+     * Returns undefined if the policy ID is not found.
+     */
+    getPolicyAnnotations(policyId: string): Record<string, string> | undefined;
     /**
      * Evaluate a policy request and return a decision.
      * @throws InputValidationError if context validation fails

package/dist/engine.js

@@ -147,39 +147,51 @@ function parseActionString(action) {
     }
     return { type: actionType, id: actionId };
 }
+/**
+ * Regex to extract Cedar annotations from policy text.
+ * Matches `@key("value")` with proper escaped-quote handling.
+ */
+const ANNOTATION_REGEX = /@(\w+)\("((?:[^"\\]|\\.)*)"\)/g;
+/**
+ * Extract all `@key("value")` annotations from a single Cedar policy text string.
+ */
+function extractAnnotationsFromText(policyText) {
+    const annotations = {};
+    let match;
+    const regex = new RegExp(ANNOTATION_REGEX.source, ANNOTATION_REGEX.flags);
+    while ((match = regex.exec(policyText)) !== null) {
+        // Unescape the annotation value (reverse Cedar escaping)
+        annotations[match[1]] = match[2].replace(/\\"/g, '"').replace(/\\\\/g, '\\');
+    }
+    return annotations;
+}
 /**
  * Extract @id annotations from Cedar policy text and return a
- * Record<PolicyId, Policy> for cedar-wasm. This ensures that
- * determining_policies in evaluation results use the @id values
- * instead of positional IDs (policy0, policy1...).
- *
- * Falls back to the raw string when no @id annotations are found.
+ * Record<PolicyId, Policy> for cedar-wasm, along with a map of
+ * all annotations per policy for enriching evaluation results.
  */
-function extractPolicyIds(policyText) {
+function extractPolicies(policyText) {
+    const annotationsMap = new Map();
     const parts = cedar.policySetTextToParts(policyText);
     if (parts.type !== "success" || parts.policies.length === 0) {
-        return policyText;
+        return { policySet: policyText, annotations: annotationsMap };
     }
     const policyMap = {};
-    let hasAnnotationIds = false;
     for (let i = 0; i < parts.policies.length; i++) {
         const policy = parts.policies[i];
-        const idMatch = policy.match(/@id\("([^"]+)"\)/);
-        if (idMatch) {
-            policyMap[idMatch[1]] = policy;
-            hasAnnotationIds = true;
-        }
-        else {
-            policyMap[`policy${i}`] = policy;
-        }
+        const policyAnnotations = extractAnnotationsFromText(policy);
+        const policyId = policyAnnotations["id"] || `policy${i}`;
+        policyMap[policyId] = policy;
+        annotationsMap.set(policyId, policyAnnotations);
     }
-    return hasAnnotationIds ? policyMap : policyText;
+    return { policySet: policyMap, annotations: annotationsMap };
 }
 /**
  * PolicyEngine wraps cedar-wasm with Highflame schema types.
  */
 export class PolicyEngine {
     policySet = "";
+    policyAnnotations = new Map();
     schema;
     options;
     limits;
@@ -203,16 +215,22 @@ export class PolicyEngine {
     /**
      * Load a single Cedar policy text string.
      * Uses @id annotations as policy IDs when available.
+     * Stores all annotations per policy for enriching evaluation results.
      */
     loadPolicy(policy) {
-        this.policySet = extractPolicyIds(policy);
+        const extracted = extractPolicies(policy);
+        this.policySet = extracted.policySet;
+        this.policyAnnotations = extracted.annotations;
     }
     /**
      * Load multiple Cedar policy texts (concatenated with newlines).
      * Uses @id annotations as policy IDs when available.
+     * Stores all annotations per policy for enriching evaluation results.
      */
     loadPolicies(policies) {
-        this.policySet = extractPolicyIds(policies.join("\n"));
+        const extracted = extractPolicies(policies.join("\n"));
+        this.policySet = extracted.policySet;
+        this.policyAnnotations = extracted.annotations;
     }
     /**
      * Load schema from a Cedar schema string.
@@ -227,6 +245,13 @@ export class PolicyEngine {
         const content = fs.readFileSync(path, "utf-8");
         this.loadSchema(content);
     }
+    /**
+     * Returns stored annotations for a given policy ID.
+     * Returns undefined if the policy ID is not found.
+     */
+    getPolicyAnnotations(policyId) {
+        return this.policyAnnotations.get(policyId);
+    }
     /**
      * Evaluate a policy request and return a decision.
      * @throws InputValidationError if context validation fails
@@ -276,7 +301,12 @@ export class PolicyEngine {
         if (result.type === "failure") {
             return new Decision("Deny", [], result.errors.map(e => e.message).join("; "));
         }
-        return new Decision(result.response.decision === "allow" ? "Allow" : "Deny", result.response.diagnostics.reason, result.response.diagnostics.errors.length > 0
+        // Build enriched DeterminingPolicy objects with annotations
+        const determiningPolicies = result.response.diagnostics.reason.map(id => ({
+            id,
+            annotations: this.policyAnnotations.get(id) || {},
+        }));
+        return new Decision(result.response.decision === "allow" ? "Allow" : "Deny", determiningPolicies, result.response.diagnostics.errors.length > 0
             ? result.response.diagnostics.errors.map(e => e.error.message).join("; ")
             : undefined);
     }

package/dist/overwatch-defaults.gen.js

@@ -59,6 +59,7 @@ const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// ====================================
 @description("Block prompts when YARA scanners detect API keys, tokens, or credential patterns")
 @severity("critical")
 @tags("secrets,credentials,prompts,nist-sc-28,nist-ia-5")
+@reject_message("Your prompt was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before resubmitting.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -74,6 +75,7 @@ when {
 @description("Prevent file reads and tool execution when secrets or credentials are detected in content")
 @severity("high")
 @tags("secrets,file-access,tools,credentials,nist-sc-28")
+@reject_message("This operation was blocked because secrets or credentials were detected in the content. File reads and tool calls are restricted when credential exposure is identified.")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"call_tool"],
@@ -93,6 +95,7 @@ when {
 @description("Block access to .env files that commonly contain secrets, API keys, and database credentials")
 @severity("high")
 @tags("secrets,env-files,config,nist-sc-28,mitre-t1552")
+@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
@@ -113,6 +116,7 @@ when {
 @description("Detect and block AWS access key IDs (AKIA prefix) in AI responses to prevent credential exfiltration")
 @severity("critical")
 @tags("secrets,aws,credentials,response-scan,nist-ia-5,mitre-t1552")
+@reject_message("This response was blocked because an AWS access key ID (AKIA prefix) was detected. AWS credentials must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -129,6 +133,7 @@ when {
 @description("Detect and block AWS secret access keys in AI responses")
 @severity("critical")
 @tags("secrets,aws,credentials,response-scan,nist-ia-5")
+@reject_message("This response was blocked because an AWS secret access key was detected. AWS credentials must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -146,6 +151,7 @@ when {
 @description("Detect and block GitHub personal access tokens (ghp_), fine-grained tokens (github_pat_), and app tokens (ghs_)")
 @severity("critical")
 @tags("secrets,github,tokens,response-scan,mitre-t1552")
+@reject_message("This response was blocked because a GitHub token (personal access token, fine-grained token, or app token) was detected. GitHub tokens must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -164,6 +170,7 @@ when {
 @description("Detect and block SSH, RSA, and OpenSSH private keys in AI responses")
 @severity("critical")
 @tags("secrets,ssh,private-keys,response-scan,nist-sc-28,mitre-t1552")
+@reject_message("This response was blocked because a private key (SSH, RSA, or OpenSSH) was detected. Private keys must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -187,6 +194,7 @@ when {
 @description("Block content flagged by YARA rules for credential exposure, API key leaks, JWT tokens, and bearer tokens")
 @severity("critical")
 @tags("secrets,yara,credentials,jwt,bearer,nist-ia-5")
+@reject_message("This content was blocked because YARA scanning detected credential patterns including secret exposure, credential leaks, API keys, JWT tokens, or bearer tokens.")
 forbid (
     principal,
     action,
@@ -219,6 +227,7 @@ const OVERWATCH_PII_DEFAULT_CEDAR = `// ========================================
 @description("Detect and block content containing credit card number patterns (PCI DSS compliance)")
 @severity("critical")
 @tags("pci,credit-card,payment,compliance,pci-dss-3.4")
+@reject_message("Your prompt was blocked because credit card number patterns were detected. Sharing payment card data violates PCI DSS requirements.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -234,6 +243,7 @@ when {
 @description("Detect and block content containing SSN patterns (XXX-XX-XXXX format)")
 @severity("critical")
 @tags("ssn,identity,privacy,compliance")
+@reject_message("Your prompt was blocked because Social Security Number patterns (XXX-XX-XXXX) were detected. SSNs are protected personal identifiers that must not be shared.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -249,6 +259,7 @@ when {
 @description("Block content when PII-related threat categories are detected by YARA or Javelin scanners")
 @severity("high")
 @tags("pii,privacy,data-protection,gdpr")
+@reject_message("Your prompt was blocked because personally identifiable information was detected by threat scanners. Remove all PII before resubmitting.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -280,6 +291,7 @@ when {
 @description("Prevent tool execution when PII patterns are detected in content")
 @severity("high")
 @tags("pii,tools,data-protection")
+@reject_message("Tool execution was blocked because personally identifiable information was detected in the content. PII must be removed before tool calls are permitted.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -308,6 +320,7 @@ const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// ===================================
 @description("Detect and block prompt injection patterns in user input via YARA scanning (OWASP LLM01)")
 @severity("critical")
 @tags("injection,security,llm,owasp-llm01,baseline")
+@reject_message("Your prompt was blocked because prompt injection patterns were detected by YARA scanning. This is a security measure to prevent manipulation of AI agent behavior.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -339,6 +352,7 @@ when {
 @description("Detect and block jailbreak and bypass attempts against AI agents (OWASP LLM02)")
 @severity("critical")
 @tags("jailbreak,bypass,security,owasp-llm02,baseline")
+@reject_message("Your prompt was blocked because jailbreak or bypass patterns were detected by YARA scanning. This is a security measure to prevent circumvention of AI safety controls.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -370,6 +384,7 @@ when {
 @description("Block prompts when semantic threat scanners detect high severity issues (severity >= 3)")
 @severity("high")
 @tags("semantic,severity,security")
+@reject_message("Your prompt was blocked because semantic threat scanners detected high severity issues in the content. Review your prompt for manipulative or adversarial patterns.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -387,6 +402,7 @@ when {
 @description("Block all content when any scanner detects critical severity threats")
 @severity("critical")
 @tags("critical,baseline,security")
+@reject_message("Your prompt was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -402,6 +418,7 @@ when {
 @description("Prevent tool execution when prompt injection patterns are detected in content")
 @severity("critical")
 @tags("injection,tools,security,owasp-llm01")
+@reject_message("Tool execution was blocked because prompt injection patterns were detected in the content by YARA scanning.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -435,6 +452,7 @@ const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// ======================================
 @description("Block direct shell, bash, and command execution tools to prevent command injection (MITRE T1059)")
 @severity("critical")
 @tags("shell,command-injection,execution,nist-cm-7,mitre-t1059,baseline")
+@reject_message("Tool execution was blocked because direct shell and command execution tools (shell, bash, terminal, system.exec) are restricted to prevent command injection attacks.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -456,6 +474,7 @@ when {
 @description("Block file deletion and other destructive tool operations to prevent data loss")
 @severity("high")
 @tags("file,delete,destructive,nist-ac-3")
+@reject_message("Tool execution was blocked because destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -478,6 +497,7 @@ when {
 @description("Prevent access to system directories, credential files, SSH keys, and cloud config (MITRE T1005, T1552.001)")
 @severity("high")
 @tags("file,path,system,security,nist-ac-6,mitre-t1005")
+@reject_message("Access to this path was blocked because it targets a sensitive system directory or credential file (/etc, /proc, /sys, .ssh, .aws, .gnupg, or private key files).")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
@@ -508,6 +528,7 @@ when {
 @description("Prevent tool execution when high or critical severity threats are detected in content")
 @severity("high")
 @tags("tools,threats,severity,security")
+@reject_message("Tool execution was blocked because high or critical severity threats were detected in the content by security scanners.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -736,8 +757,9 @@ permit (
     resource
 )
 when {
-    context.mcp_server == "filesystem" ||
-    context.mcp_server == "playwright"
+    context has mcp_server &&
+    (context.mcp_server == "filesystem" ||
+    context.mcp_server == "playwright")
 };
 
 @id("mcp-allowlist-deny")