@highflame/policy 2.1.1 → 2.1.3

package/dist/overwatch-defaults.gen.js

@@ -11,7 +11,7 @@ const OVERWATCH_BASELINE_DEFAULT_CEDAR = `// ===================================
 // Baseline Permit Policy (Default)
 // =============================================================================
 // Permits all actions by default. Threat-specific forbid policies override
-// this to block when YARA, Javelin, or other scanners detect issues.
+// this to block when detection engines identify issues.
 //
 // Cedar is default-deny: without at least one permit rule, every request
 // is denied regardless of forbid rules. This baseline ensures the system
@@ -32,31 +32,340 @@ permit (
     resource
 );
 `;
+const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// =============================================================================
+// Semantic Threat Detection Policy (Default)
+// =============================================================================
+// Detects and blocks prompt injection, jailbreak attempts, and high-severity
+// AI security threats. Uses multi-layered detection:
+//
+//   1. Detection engine rule triggers (detected_threats) — pattern-based
+//   2. ML classifier confidence scores (injection_confidence, jailbreak_confidence)
+//   3. Threat severity aggregation (max_threat_severity, highest_severity)
+//   4. Cross-action enforcement (prompts + tool calls + file operations)
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — direct + indirect
+//   OWASP LLM02 (Insecure Output Handling) — response manipulation
+//   OWASP ASI01 (Agent Goal Hijack) — behavioral manipulation
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   MITRE ATLAS AML.T0054 (LLM Jailbreak)
+//   NIST 800-53 SI-3 (Malicious Code Protection)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//
+// Category: semantic
+// Namespace: Overwatch
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Prompt Injection Detection
+// Blocks direct prompt injection — adversarial input designed to override
+// system instructions and hijack agent behavior.
+// Ref: OWASP LLM01, MITRE AML.T0051, 62% of LLM apps vulnerable (2024)
+// ---------------------------------------------------------------------------
+
+// Block content with prompt injection patterns detected by rules
+@id("semantic-block-injection")
+@name("Block prompt injection")
+@description("Block prompts and tool calls when detection engine rules identify prompt injection patterns. Catches instruction override, role assumption, delimiter injection, and other manipulation techniques in both user input and tool arguments (OWASP LLM01).")
+@severity("critical")
+@tags("injection,security,owasp-llm01,mitre-aml-t0051,baseline")
+@reject_message("Content was blocked because prompt injection patterns were detected. This is a security measure to prevent manipulation of AI agent behavior (OWASP LLM01).")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("prompt_injection")
+};
+
+// Block content with high ML injection confidence
+@id("semantic-block-injection-score")
+@name("Block high-confidence injection")
+@description("Block content when the ML injection classifier confidence exceeds threshold (75/100). Catches novel injection techniques that evade pattern-based detection — polymorphic payloads, encoding tricks, and obfuscated instructions.")
+@severity("critical")
+@tags("injection,ml-classifier,security,owasp-llm01,mitre-aml-t0051")
+@reject_message("Your content was blocked because the ML classifier detected prompt injection with high confidence. This appears to be an attempt to manipulate agent behavior.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has injection_confidence && context.injection_confidence >= 75
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Jailbreak Detection
+// Blocks jailbreak attempts — adversarial input designed to bypass AI safety
+// guardrails and elicit restricted outputs.
+// Ref: OWASP LLM02, MITRE AML.T0054, DAN/JailbreakChat/etc.
+// ---------------------------------------------------------------------------
+
+// Block prompts with jailbreak attempts detected by rules
+@id("semantic-block-jailbreak")
+@name("Block jailbreak attempts")
+@description("Block prompts when detection engine rules identify jailbreak patterns: DAN-style prompts, role-play exploits, safety bypass instructions, and constraint removal attempts (OWASP LLM02).")
+@severity("critical")
+@tags("jailbreak,bypass,security,owasp-llm02,mitre-aml-t0054,baseline")
+@reject_message("Your prompt was blocked because jailbreak patterns were detected. This is a security measure to prevent circumvention of AI safety controls (OWASP LLM02).")
+forbid (
+    principal,
+    action == Overwatch::Action::"process_prompt",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("jailbreak")
+};
+
+// Block prompts with high ML jailbreak confidence
+@id("semantic-block-jailbreak-score")
+@name("Block high-confidence jailbreak")
+@description("Block content when the ML jailbreak classifier confidence exceeds threshold (75/100). Catches sophisticated jailbreak techniques including multi-turn manipulation, encoded payloads, and novel prompt structures.")
+@severity("critical")
+@tags("jailbreak,ml-classifier,security,owasp-llm02,mitre-aml-t0054")
+@reject_message("Your content was blocked because the ML classifier detected a jailbreak attempt with high confidence. This appears to be an attempt to bypass safety guardrails.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: Threat Severity Aggregation
+// Blocks based on aggregated threat severity from all detection engines.
+// These act as catch-all rules for threats that don't match specific patterns.
+// ---------------------------------------------------------------------------
+
+// Block any content with critical severity threats
+@id("semantic-block-critical")
+@name("Block critical threats")
+@description("Block all content when any detection engine reports critical severity. This is the ultimate catch-all — critical threats are blocked regardless of type or source.")
+@severity("critical")
+@tags("critical,baseline,security,catch-all")
+@reject_message("Your content was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has highest_severity && context.highest_severity == "critical"
+};
+
+// Block prompts with high severity semantic threats
+@id("semantic-block-high-severity")
+@name("Block high severity threats")
+@description("Block prompts when threat detection reports high severity (>= 3) in semantic categories. Catches threats that are individually below critical but collectively indicate adversarial intent.")
+@severity("high")
+@tags("semantic,severity,security,defense-in-depth")
+@reject_message("Your prompt was blocked because security scanners detected high severity issues in the content. Review your prompt for manipulative or adversarial patterns.")
+forbid (
+    principal,
+    action == Overwatch::Action::"process_prompt",
+    resource
+)
+when {
+    context has threat_categories && context has max_threat_severity &&
+    context.threat_categories.contains("semantic") &&
+    context.max_threat_severity >= 3
+};
+
+// Block tool calls with multiple concurrent threats
+@id("semantic-block-multi-threat-tools")
+@name("Block multi-threat tool calls")
+@description("Block tool execution when multiple distinct threats are detected simultaneously (3+). Multiple concurrent threats in a tool call strongly indicate an adversarial attack chain.")
+@severity("high")
+@tags("multi-threat,tools,security,defense-in-depth")
+@reject_message("Tool execution was blocked because multiple security threats were detected simultaneously. This pattern indicates a potential attack chain.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has threat_count && context.threat_count >= 3
+};
+`;
+const OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR = `// =============================================================================
+// Content Safety Policy (Default)
+// =============================================================================
+// Detects and blocks violent, harmful, hateful, sexual, and profane content
+// using trust/safety ML classification scores.
+//
+// The detection engine runs multiple ML classifiers (toxicity, content safety)
+// and produces normalized scores (0-100) for each category. These policies
+// enforce enterprise-appropriate content thresholds.
+//
+// Compliance:
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//   EU AI Act Art. 52 (Transparency for AI Systems)
+//   OWASP LLM02 (Insecure Output Handling) — unsafe content generation
+//   ISO 42001 (AI Management System) — responsible AI use
+//
+// Category: trust_safety
+// Namespace: Overwatch
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Violence & Weapons
+// Blocks content promoting, describing, or instructing violence and weapons.
+// ---------------------------------------------------------------------------
+
+// Block content with high violence score
+@id("ts-block-violence")
+@name("Block violent content")
+@description("Block content when the ML violence detection score exceeds threshold (80/100). Catches graphic violence descriptions, instructions for causing harm, and violent threat language.")
+@severity("critical")
+@tags("violence,content-safety,trust-safety,nist-si-4,iso-42001")
+@reject_message("Content blocked: violent content detected. AI agents in enterprise environments must not process or generate violent content. Please rephrase without violence-related language.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has violence_score && context.violence_score >= 80
+};
+
+// Block content with weapons references
+@id("ts-block-weapons")
+@name("Block weapons content")
+@description("Block content when the ML weapons detection score exceeds threshold (80/100). Catches weapon manufacturing instructions, procurement guidance, and detailed weapon specifications.")
+@severity("critical")
+@tags("weapons,content-safety,trust-safety,nist-si-4")
+@reject_message("Content blocked: weapons-related content detected. AI agents must not process weapons manufacturing, procurement, or detailed specification content.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has weapons_score && context.weapons_score >= 80
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Hate Speech & Discrimination
+// Blocks hateful, discriminatory, and dehumanizing content.
+// Lower threshold (75) — enterprises have zero tolerance for hate speech.
+// ---------------------------------------------------------------------------
+
+// Block hate speech content
+@id("ts-block-hate-speech")
+@name("Block hate speech")
+@description("Block content when the ML hate speech detection score exceeds threshold (75/100). Lower threshold than other categories because enterprises have zero tolerance for discriminatory content. Catches slurs, dehumanizing language, and targeted harassment.")
+@severity("critical")
+@tags("hate-speech,content-safety,trust-safety,nist-si-4,eu-ai-act")
+@reject_message("Content blocked: hate speech or discriminatory content detected. AI agents in enterprise environments must not process or generate hateful, discriminatory, or dehumanizing content.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has hate_speech_score && context.hate_speech_score >= 75
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: Criminal Content
+// Blocks content related to criminal activities and illegal operations.
+// ---------------------------------------------------------------------------
+
+// Block criminal content
+@id("ts-block-crime")
+@name("Block criminal content")
+@description("Block content when the ML criminal activity detection score exceeds threshold (80/100). Catches illegal activity instructions, fraud techniques, and content promoting criminal behavior.")
+@severity("high")
+@tags("crime,content-safety,trust-safety,nist-si-4")
+@reject_message("Content blocked: criminal activity content detected. AI agents must not process content related to illegal activities, fraud, or other criminal behavior.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has crime_score && context.crime_score >= 80
+};
+
+// ---------------------------------------------------------------------------
+// Section 4: Sexual Content
+// Blocks sexually explicit or inappropriate content.
+// ---------------------------------------------------------------------------
+
+// Block sexual content
+@id("ts-block-sexual")
+@name("Block sexual content")
+@description("Block content when the ML sexual content detection score exceeds threshold (80/100). Ensures enterprise AI agents do not process or generate sexually explicit material.")
+@severity("high")
+@tags("sexual,content-safety,trust-safety,eu-ai-act,iso-42001")
+@reject_message("Content blocked: sexual content detected. AI agents in enterprise environments must not process sexually explicit material.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has sexual_score && context.sexual_score >= 80
+};
+
+// ---------------------------------------------------------------------------
+// Section 5: Profanity
+// Blocks excessive profanity in enterprise environments.
+// Higher threshold (90) — allows normal expression while blocking abuse.
+// ---------------------------------------------------------------------------
+
+// Block excessive profanity
+@id("ts-block-profanity")
+@name("Block profanity")
+@description("Block content when the ML profanity detection score exceeds threshold (90/100). Higher threshold than other safety categories — allows normal expression while blocking abusive or harassing language patterns.")
+@severity("medium")
+@tags("profanity,content-safety,trust-safety")
+@reject_message("Content blocked: excessive profanity detected. Please rephrase in a professional manner appropriate for enterprise AI interactions.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has profanity_score && context.profanity_score >= 90
+};
+`;
 const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// =============================================================================
 // Secrets Detection Policy (Default)
 // =============================================================================
 // Detects and blocks credential leakage across prompts, tool calls, file
-// operations, and AI response content. Combines YARA-based threat detection
-// with pattern matching for known credential formats.
+// operations, and AI response content. Uses multi-layered detection:
 //
-// Defense layers:
-//   1. YARA scanner detection (contains_secrets, yara_threats)
-//   2. Sensitive file path blocking (.env files)
-//   3. Response content pattern matching (AWS, GitHub, SSH keys)
+//   1. Detection engine boolean (contains_secrets) — fastest, broadest catch
+//   2. Granular secret type matching (secret_types) — type-specific blocking
+//   3. Detection rule pattern matching (detected_threats) — named rule triggers
+//   4. Sensitive file path blocking (.env, credentials files)
+//   5. Response content pattern matching (defense-in-depth for AI outputs)
+//
+// Compliance:
+//   NIST 800-53 SC-28 (Protection of Information at Rest)
+//   NIST 800-53 IA-5 (Authenticator Management)
+//   OWASP LLM07 (Insecure Plugin Design) — secrets in tool args
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   MITRE ATT&CK T1555 (Credentials from Password Stores)
+//   CIS Benchmark 1.4 (Secrets Management)
 //
-// Compliance: NIST 800-53 SC-28, IA-5 | OWASP A02 | MITRE T1552, T1555
 // Category: secrets
 // Namespace: Overwatch
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: YARA-Based Secret Detection
+// Section 1: Detection Engine — Primary Secret Detection
+// These fire when the detection pipeline identifies secrets in any content.
 // ---------------------------------------------------------------------------
 
 // Block prompts containing detected secrets
 @id("secrets-block-prompts")
 @name("Block prompts with secrets")
-@description("Block prompts when YARA scanners detect API keys, tokens, or credential patterns")
+@description("Block prompts when detection engines identify API keys, tokens, or credential patterns. First line of defense against accidental secret exposure in user input.")
 @severity("critical")
 @tags("secrets,credentials,prompts,nist-sc-28,nist-ia-5")
 @reject_message("Your prompt was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before resubmitting.")
@@ -66,15 +375,15 @@ forbid (
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has contains_secrets && context.contains_secrets
 };
 
 // Block file reads and tool calls when secrets are detected
 @id("secrets-block-reads-and-tools")
 @name("Block file reads and tool calls with secrets")
-@description("Prevent file reads and tool execution when secrets or credentials are detected in content")
+@description("Prevent file reads and tool execution when secrets or credentials are detected in content. Blocks exfiltration of secrets via file operations and tool arguments.")
 @severity("high")
-@tags("secrets,file-access,tools,credentials,nist-sc-28")
+@tags("secrets,file-access,tools,credentials,nist-sc-28,mitre-t1552")
 @reject_message("This operation was blocked because secrets or credentials were detected in the content. File reads and tool calls are restricted when credential exposure is identified.")
 forbid (
     principal,
@@ -82,661 +391,1036 @@ forbid (
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has contains_secrets && context.contains_secrets
 };
 
-// ---------------------------------------------------------------------------
-// Section 2: Sensitive File Path Protection
-// ---------------------------------------------------------------------------
-
-// Block .env file access across all operations
-@id("secrets-block-env-files")
-@name("Block .env file access")
-@description("Block access to .env files that commonly contain secrets, API keys, and database credentials")
-@severity("high")
-@tags("secrets,env-files,config,nist-sc-28,mitre-t1552")
-@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
+// Block file writes containing secrets
+@id("secrets-block-file-writes")
+@name("Block file writes with secrets")
+@description("Prevent writing files that contain secrets. Stops credential persistence to disk where they could be committed to version control or accessed by other tools.")
+@severity("critical")
+@tags("secrets,file-write,credentials,nist-sc-28,cis-1.4")
+@reject_message("File write was blocked because secrets or credentials were detected in the content. Credentials should never be written to files — use a secrets manager or environment variables.")
 forbid (
     principal,
-    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"write_file",
     resource
 )
 when {
-    context has path && context.path like "*.env*"
+    context has contains_secrets && context.contains_secrets
 };
 
 // ---------------------------------------------------------------------------
-// Section 3: Response Content Pattern Matching
-// Scans AI responses for known credential formats as defense-in-depth.
+// Section 2: Granular Secret Type Blocking
+// Blocks specific high-risk credential types identified by the detection
+// engine's pattern-matching (e.g., AWS keys, GitHub tokens, SSH keys).
 // ---------------------------------------------------------------------------
 
-// Block responses containing AWS access keys (AKIA prefix)
-@id("secrets-block-aws-keys")
-@name("Block AWS access keys in responses")
-@description("Detect and block AWS access key IDs (AKIA prefix) in AI responses to prevent credential exfiltration")
+// Block high-risk secret types across all actions
+@id("secrets-block-high-risk-types")
+@name("Block high-risk credential types")
+@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings. These credential types pose the highest exfiltration risk.")
 @severity("critical")
-@tags("secrets,aws,credentials,response-scan,nist-ia-5,mitre-t1552")
-@reject_message("This response was blocked because an AWS access key ID (AKIA prefix) was detected. AWS credentials must never be exposed in AI responses.")
+@tags("secrets,aws,github,ssh,cloud,nist-ia-5,mitre-t1552")
+@reject_message("Content blocked: high-risk credentials detected (cloud provider keys, GitHub tokens, SSH keys, or database credentials). Use a secrets manager — never pass credentials through AI agents.")
 forbid (
     principal,
     action,
     resource
 )
 when {
-    context has response_content &&
-    context.response_content like "*AKIA*"
+    context has secret_types &&
+    (context.secret_types.contains("aws_access_key") ||
+     context.secret_types.contains("aws_secret_key") ||
+     context.secret_types.contains("gcp_service_account") ||
+     context.secret_types.contains("azure_client_secret") ||
+     context.secret_types.contains("github_token") ||
+     context.secret_types.contains("github_pat") ||
+     context.secret_types.contains("ssh_private_key") ||
+     context.secret_types.contains("database_url"))
 };
 
-// Block responses containing AWS secret keys
-@id("secrets-block-aws-secrets")
-@name("Block AWS secret keys in responses")
-@description("Detect and block AWS secret access keys in AI responses")
-@severity("critical")
-@tags("secrets,aws,credentials,response-scan,nist-ia-5")
-@reject_message("This response was blocked because an AWS secret access key was detected. AWS credentials must never be exposed in AI responses.")
+// Block API keys and bearer tokens across all actions
+@id("secrets-block-api-keys")
+@name("Block API keys and bearer tokens")
+@description("Block content containing generic API keys, bearer tokens, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types in AI agent interactions.")
+@severity("high")
+@tags("secrets,api-key,bearer,jwt,oauth,nist-ia-5")
+@reject_message("Content blocked: API keys, bearer tokens, or OAuth credentials detected. These must never be passed through AI agent prompts or tool calls.")
 forbid (
     principal,
     action,
     resource
 )
 when {
-    context has response_content &&
-    (context.response_content like "*AWS_SECRET_ACCESS_KEY*" ||
-     context.response_content like "*aws_secret_access_key*")
+    context has secret_types &&
+    (context.secret_types.contains("api_key") ||
+     context.secret_types.contains("bearer_token") ||
+     context.secret_types.contains("jwt_token") ||
+     context.secret_types.contains("oauth_token") ||
+     context.secret_types.contains("oauth_secret"))
 };
 
-// Block responses containing GitHub tokens
-@id("secrets-block-github-tokens")
-@name("Block GitHub tokens in responses")
-@description("Detect and block GitHub personal access tokens (ghp_), fine-grained tokens (github_pat_), and app tokens (ghs_)")
+// Block when multiple secrets are detected (bulk exposure)
+@id("secrets-block-bulk-exposure")
+@name("Block bulk secret exposure")
+@description("Block content when 3 or more distinct secrets are found. Multiple secrets in a single request indicates either a configuration dump, .env file paste, or credential harvesting attempt.")
 @severity("critical")
-@tags("secrets,github,tokens,response-scan,mitre-t1552")
-@reject_message("This response was blocked because a GitHub token (personal access token, fine-grained token, or app token) was detected. GitHub tokens must never be exposed in AI responses.")
+@tags("secrets,bulk,data-exfiltration,nist-sc-28,mitre-t1552")
+@reject_message("Content blocked: multiple credentials detected (3+). This appears to be a bulk credential exposure — configuration dumps and credential lists must never be passed through AI agents.")
 forbid (
     principal,
     action,
     resource
 )
 when {
-    context has response_content &&
-    (context.response_content like "*ghp_*" ||
-     context.response_content like "*github_pat_*" ||
-     context.response_content like "*ghs_*")
+    context has secret_count && context.secret_count >= 3
 };
 
-// Block responses containing SSH/RSA private keys
-@id("secrets-block-private-keys")
-@name("Block private keys in responses")
-@description("Detect and block SSH, RSA, and OpenSSH private keys in AI responses")
+// ---------------------------------------------------------------------------
+// Section 3: Detection Rule Pattern Matching
+// Catches specific named detection rules that fire for credential exposure.
+// ---------------------------------------------------------------------------
+
+// Block content flagged by detection engine credential rules
+@id("secrets-block-detected-credentials")
+@name("Block detected credential patterns")
+@description("Block content flagged by detection engine rules for credential exposure, API key leaks, JWT tokens, and bearer tokens. Defense-in-depth behind contains_secrets.")
 @severity("critical")
-@tags("secrets,ssh,private-keys,response-scan,nist-sc-28,mitre-t1552")
-@reject_message("This response was blocked because a private key (SSH, RSA, or OpenSSH) was detected. Private keys must never be exposed in AI responses.")
+@tags("secrets,credentials,jwt,bearer,nist-ia-5,mitre-t1552")
+@reject_message("Content blocked: detection engines identified credential patterns including secret exposure, credential leaks, API keys, or token exposure.")
 forbid (
     principal,
     action,
     resource
 )
 when {
-    context has response_content &&
-    (context.response_content like "*-----BEGIN PRIVATE KEY-----*" ||
-     context.response_content like "*-----BEGIN RSA PRIVATE KEY-----*" ||
-     context.response_content like "*-----BEGIN OPENSSH PRIVATE KEY-----*")
+    context has detected_threats &&
+    (context.detected_threats.contains("secret_exposure") ||
+     context.detected_threats.contains("credential_leak") ||
+     context.detected_threats.contains("api_key_exposure") ||
+     context.detected_threats.contains("jwt_token_exposure") ||
+     context.detected_threats.contains("bearer_token_leak"))
 };
 
 // ---------------------------------------------------------------------------
-// Section 4: YARA Credential Pattern Detection
-// Catches credential types identified by YARA rule scanning.
+// Section 4: Sensitive File Path Protection
+// Blocks access to files that commonly contain secrets.
 // ---------------------------------------------------------------------------
 
-// Block YARA-detected credential and token patterns
-@id("secrets-block-yara-credentials")
-@name("Block YARA-detected credential patterns")
-@description("Block content flagged by YARA rules for credential exposure, API key leaks, JWT tokens, and bearer tokens")
-@severity("critical")
-@tags("secrets,yara,credentials,jwt,bearer,nist-ia-5")
-@reject_message("This content was blocked because YARA scanning detected credential patterns including secret exposure, credential leaks, API keys, JWT tokens, or bearer tokens.")
+// Block .env file access across all operations
+@id("secrets-block-env-files")
+@name("Block .env file access")
+@description("Block access to .env files that commonly contain secrets, API keys, and database credentials. Environment files are the #1 source of accidental credential exposure in development workflows.")
+@severity("high")
+@tags("secrets,env-files,config,nist-sc-28,mitre-t1552,cis-1.4")
+@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
 forbid (
     principal,
-    action,
+    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
     resource
 )
 when {
-    context has yara_threats &&
-    (context.yara_threats.contains("secret_exposure") ||
-     context.yara_threats.contains("credential_leak") ||
-     context.yara_threats.contains("api_key_exposure") ||
-     context.yara_threats.contains("jwt_token_exposure") ||
-     context.yara_threats.contains("bearer_token_leak"))
+    context has path && context.path like "*.env*"
 };
+
+// Block access to known credential files
+@id("secrets-block-credential-files")
+@name("Block credential file access")
+@description("Block access to common credential files: .netrc, .npmrc, .pypirc, credentials, config files in cloud provider directories. These files often contain hardcoded tokens and passwords.")
+@severity("high")
+@tags("secrets,credential-files,config,nist-sc-28,mitre-t1555")
+@reject_message("Access to this credential file is blocked. Files like .netrc, .npmrc, .pypirc, and cloud provider config files commonly contain hardcoded credentials.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "*/.netrc" ||
+     context.path like "*/.npmrc" ||
+     context.path like "*/.pypirc" ||
+     context.path like "*/.docker/config.json" ||
+     context.path like "*/.kube/config" ||
+     context.path like "*/.config/gcloud/*" ||
+     context.path like "*/credentials.json" ||
+     context.path like "*/service-account*.json")
+};
+
+// NOTE: Response content secret detection (AWS keys, GitHub tokens, private keys
+// in AI outputs) is handled by the detection engine's secrets scanner, which
+// analyzes all content types including tool responses. The contains_secrets and
+// secret_types rules above cover this case.
 `;
 const OVERWATCH_PII_DEFAULT_CEDAR = `// =============================================================================
 // PII Detection Policy (Default)
 // =============================================================================
-// Detects and blocks personally identifiable information including credit card
-// numbers, Social Security Numbers, and other PII patterns across prompts
-// and tool calls.
+// Detects and blocks personally identifiable information across prompts, tool
+// calls, file operations, and AI responses. Uses multi-layered detection:
+//
+//   1. PII boolean flag (pii_detected) — broadest catch from detection engine
+//   2. Granular PII type matching (pii_types) — type-specific blocking
+//   3. ML classifier confidence (pii_confidence) — catches novel PII patterns
+//   4. Detection rule triggers (detected_threats) — named rule matches
+//   5. File operation PII blocking — prevents PII persistence to disk
+//
+// Compliance:
+//   PCI DSS 3.4, 4.1 (Payment Card Data)
+//   GDPR Art. 32 (Security of Processing)
+//   HIPAA §164.312 (Technical Safeguards)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//   CCPA §1798.150 (Data Protection)
+//   OWASP LLM06 (Sensitive Information Disclosure)
 //
-// Compliance: PCI DSS 3.4, 4.1 | NIST 800-53 SI-4 | GDPR Art. 32
 // Category: pii
 // Namespace: Overwatch
 // =============================================================================
 
-// Block prompts containing credit card patterns
+// ---------------------------------------------------------------------------
+// Section 1: Detection Engine — Primary PII Detection
+// Fires when the detection pipeline identifies PII in any content.
+// ---------------------------------------------------------------------------
+
+// Block prompts containing any detected PII
+@id("pii-block-any-detected")
+@name("Block prompts with PII")
+@description("Block prompts when the detection engine identifies any PII patterns. This is the broadest PII catch — fires before type-specific rules.")
+@severity("critical")
+@tags("pii,privacy,data-protection,gdpr-art-32,owasp-llm06")
+@reject_message("Your prompt was blocked because personally identifiable information was detected. Remove all PII (names, addresses, SSNs, credit cards, etc.) before resubmitting.")
+forbid (
+    principal,
+    action == Overwatch::Action::"process_prompt",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected
+};
+
+// Block tool calls containing PII
+@id("pii-block-tool-calls")
+@name("Block tool calls with PII")
+@description("Prevent tool execution when PII patterns are detected in tool arguments or content. Stops PII from being passed to external tools, MCP servers, or shell commands.")
+@severity("high")
+@tags("pii,tools,data-protection,owasp-llm06")
+@reject_message("Tool execution was blocked because personally identifiable information was detected in the content. PII must be removed before tool calls are permitted.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Granular PII Type Blocking
+// Blocks specific PII types based on regulatory requirements.
+// ---------------------------------------------------------------------------
+
+// Block credit card numbers (PCI DSS compliance)
 @id("pii-block-credit-cards")
 @name("Block credit card numbers")
-@description("Detect and block content containing credit card number patterns (PCI DSS compliance)")
+@description("Detect and block content containing credit card number patterns. PCI DSS 3.4 requires that PANs are rendered unreadable — AI agents must never process raw card numbers.")
 @severity("critical")
-@tags("pci,credit-card,payment,compliance,pci-dss-3.4")
-@reject_message("Your prompt was blocked because credit card number patterns were detected. Sharing payment card data violates PCI DSS requirements.")
+@tags("pci,credit-card,payment,compliance,pci-dss-3.4,pci-dss-4.1")
+@reject_message("Content blocked: credit card number patterns detected. Sharing payment card data through AI agents violates PCI DSS requirements. Use tokenized card references instead.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action,
     resource
 )
 when {
-    context has yara_threats && context.yara_threats.contains("credit_card")
+    (context has pii_types && context.pii_types.contains("credit_card")) ||
+    (context has detected_threats && context.detected_threats.contains("credit_card"))
 };
 
-// Block prompts containing SSN patterns
+// Block Social Security Numbers
 @id("pii-block-ssn")
 @name("Block Social Security Numbers")
-@description("Detect and block content containing SSN patterns (XXX-XX-XXXX format)")
+@description("Detect and block content containing SSN patterns (XXX-XX-XXXX and variants). SSNs are high-value identity theft targets — exposure through AI agents is a critical privacy violation.")
 @severity("critical")
-@tags("ssn,identity,privacy,compliance")
-@reject_message("Your prompt was blocked because Social Security Number patterns (XXX-XX-XXXX) were detected. SSNs are protected personal identifiers that must not be shared.")
+@tags("ssn,identity,privacy,compliance,nist-si-4")
+@reject_message("Content blocked: Social Security Number patterns detected. SSNs are protected personal identifiers that must never be shared through AI agents.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action,
     resource
 )
 when {
-    context has yara_threats && context.yara_threats.contains("ssn")
+    (context has pii_types && context.pii_types.contains("ssn")) ||
+    (context has detected_threats && context.detected_threats.contains("ssn"))
 };
 
-// Block prompts with generic PII threats detected
-@id("pii-block-generic")
-@name("Block detected PII content")
-@description("Block content when PII-related threat categories are detected by YARA or Javelin scanners")
-@severity("high")
-@tags("pii,privacy,data-protection,gdpr")
-@reject_message("Your prompt was blocked because personally identifiable information was detected by threat scanners. Remove all PII before resubmitting.")
+// Block medical/health records (HIPAA compliance)
+@id("pii-block-health-data")
+@name("Block health information")
+@description("Block content containing medical record numbers, health insurance IDs, or other Protected Health Information (PHI). HIPAA §164.312 requires technical safeguards for PHI.")
+@severity("critical")
+@tags("phi,hipaa,health,medical,compliance,hipaa-164.312")
+@reject_message("Content blocked: Protected Health Information (PHI) detected. Health data must not be processed through AI agents per HIPAA requirements.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action,
     resource
 )
 when {
-    context has threat_categories && context.threat_categories.contains("pii")
+    context has pii_types &&
+    (context.pii_types.contains("medical_record") ||
+     context.pii_types.contains("health_insurance_id"))
+};
+
+// Block bulk PII exposure (multiple PII items)
+@id("pii-block-bulk-exposure")
+@name("Block bulk PII exposure")
+@description("Block content containing 3 or more PII matches. Multiple PII items in a single request indicates a data dump, CSV paste, or data exfiltration attempt.")
+@severity("critical")
+@tags("pii,bulk,data-exfiltration,gdpr-art-32,ccpa")
+@reject_message("Content blocked: multiple PII items detected (3+). Bulk personal data must never be processed through AI agents. Use data masking or tokenization for batch operations.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has pii_count && context.pii_count >= 3
 };
 
-// Block prompts with high PII confidence score
+// ---------------------------------------------------------------------------
+// Section 3: ML Classifier — Novel PII Detection
+// Catches PII patterns that escape regex detection using ML classifiers.
+// ---------------------------------------------------------------------------
+
+// Block content with high PII classifier confidence
 @id("pii-block-high-confidence")
 @name("Block high-confidence PII")
-@description("Block content when PII classifier confidence exceeds threshold (80/100)")
+@description("Block content when the ML PII classifier confidence exceeds threshold (80/100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss.")
 @severity("critical")
-@tags("pii,confidence,privacy,compliance")
-@reject_message("Your content was blocked because personally identifiable information was detected with high confidence.")
+@tags("pii,confidence,privacy,compliance,ml-classifier")
+@reject_message("Content blocked: the ML classifier detected personally identifiable information with high confidence. Even if specific PII types aren't identified, the content appears to contain personal data.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
     resource
 )
 when {
     context has pii_confidence && context.pii_confidence >= 80
 };
 
-// Block PII leakage via tool calls
-@id("pii-block-tool-calls")
-@name("Block tool calls with PII")
-@description("Prevent tool execution when PII patterns are detected in content")
+// ---------------------------------------------------------------------------
+// Section 4: Detection Rule Pattern Matching
+// Catches PII detected by named detection rules.
+// ---------------------------------------------------------------------------
+
+// Block content with PII threat category
+@id("pii-block-threat-category")
+@name("Block PII threat category")
+@description("Block content when threat categorization identifies PII. Defense-in-depth behind the pii_detected boolean — catches cases where PII is flagged at the threat aggregation layer.")
 @severity("high")
-@tags("pii,tools,data-protection")
-@reject_message("Tool execution was blocked because personally identifiable information was detected in the content. PII must be removed before tool calls are permitted.")
+@tags("pii,privacy,data-protection,gdpr")
+@reject_message("Content blocked: threat scanners detected personally identifiable information. Remove all PII before resubmitting.")
 forbid (
     principal,
-    action == Overwatch::Action::"call_tool",
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
     resource
 )
 when {
     context has threat_categories && context.threat_categories.contains("pii")
 };
+
+// ---------------------------------------------------------------------------
+// Section 5: File Operation PII Blocking
+// Prevents PII from being read from or written to disk.
+// ---------------------------------------------------------------------------
+
+// Block file operations containing PII
+@id("pii-block-file-ops")
+@name("Block file operations with PII")
+@description("Block file reads and writes when PII is detected. Prevents agents from reading files containing personal data and from writing PII to new files where it could persist or be version-controlled.")
+@severity("high")
+@tags("pii,file-ops,data-protection,gdpr-art-32,nist-si-4")
+@reject_message("File operation blocked: personally identifiable information was detected. Files containing PII must not be read or written through AI agents.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected
+};
 `;
-const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// =============================================================================
-// Semantic Threat Detection Policy (Default)
+const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// =============================================================================
+// Tool Permissioning Policy (Default)
 // =============================================================================
-// Detects and blocks prompt injection, jailbreak attempts, and high-severity
-// AI security threats using YARA and Javelin scanner results. Provides
-// defense-in-depth across both prompts and tool calls.
+// Controls access to IDE tools, shell execution, file system paths, and MCP
+// operations. Enforces least-privilege for agent tool usage with multi-layered
+// controls:
 //
-// Compliance: NIST 800-53 SI-3, SI-4 | OWASP LLM Top 10: LLM01, LLM02
-//             MITRE ATLAS: AML.T0051 (LLM Prompt Injection)
-// Category: semantic
+//   1. Dangerous tool blocking (shell, command execution, destructive ops)
+//   2. Sensitive system path protection (credentials, system dirs)
+//   3. Tool risk scoring (computed risk assessment)
+//   4. Tool category enforcement (safe/sensitive/dangerous classification)
+//   5. Threat-based tool blocking (threat severity gates)
+//   6. Command injection detection (reverse shells, code execution, etc.)
+//
+// Compliance:
+//   NIST 800-53 AC-3 (Access Enforcement)
+//   NIST 800-53 AC-6 (Least Privilege)
+//   NIST 800-53 CM-7 (Least Functionality)
+//   OWASP LLM06 (Excessive Agency) — agent tool access control
+//   OWASP ASI02 (Tool Misuse) — unauthorized tool operations
+//   MITRE ATT&CK T1059 (Command and Scripting Interpreter)
+//   MITRE ATT&CK T1005 (Data from Local System)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//
+// Category: tools
 // Namespace: Overwatch
 // =============================================================================
 
-// Block prompts with prompt injection detected by YARA
-@id("semantic-block-injection")
-@name("Block prompt injection")
-@description("Detect and block prompt injection patterns in user input via YARA scanning (OWASP LLM01)")
+// ---------------------------------------------------------------------------
+// Section 1: Dangerous Tool Blocking
+// Blocks tools classified as inherently dangerous for agent use.
+// Ref: OWASP LLM06, MITRE T1059
+// ---------------------------------------------------------------------------
+
+// Block shell and command execution tools
+@id("tools-block-shell-execution")
+@name("Block shell and command execution")
+@description("Block direct shell, bash, and command execution tools. Unrestricted shell access is the #1 risk in AI coding agents — enables command injection, data exfiltration, and arbitrary code execution (MITRE T1059).")
 @severity("critical")
-@tags("injection,security,llm,owasp-llm01,baseline")
-@reject_message("Your prompt was blocked because prompt injection patterns were detected by YARA scanning. This is a security measure to prevent manipulation of AI agent behavior.")
+@tags("shell,command-injection,execution,nist-cm-7,mitre-t1059,owasp-llm06,baseline")
+@reject_message("Tool execution was blocked: direct shell and command execution tools (shell, bash, terminal) are restricted to prevent command injection attacks (MITRE T1059). Use specific, scoped tools instead.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has yara_threats && context.yara_threats.contains("prompt_injection")
+    context has tool_name &&
+    (context.tool_name == "shell" ||
+     context.tool_name == "bash" ||
+     context.tool_name == "sh" ||
+     context.tool_name == "terminal" ||
+     context.tool_name == "system.exec" ||
+     context.tool_name == "process.spawn" ||
+     context.tool_name == "cmd" ||
+     context.tool_name == "powershell")
 };
 
-// Block prompts with high injection confidence score
-@id("semantic-block-injection-score")
-@name("Block high-confidence injection")
-@description("Block content when injection classifier confidence exceeds threshold (75/100)")
+// Block destructive file operations
+@id("tools-block-destructive-ops")
+@name("Block destructive file operations")
+@description("Block file deletion, directory removal, and other destructive operations. Agents should not have delete access by default — destructive operations require explicit human approval.")
+@severity("high")
+@tags("file,delete,destructive,nist-ac-3,owasp-asi02")
+@reject_message("Tool execution was blocked: destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss. Request explicit human approval for destructive actions.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_name &&
+    (context.tool_name == "fs.delete" ||
+     context.tool_name == "fs.rmdir" ||
+     context.tool_name == "fs.unlink" ||
+     context.tool_name == "fs.remove" ||
+     context.tool_name == "delete_file" ||
+     context.tool_name == "remove_directory")
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Sensitive System Path Protection
+// Blocks access to system directories, credential files, and sensitive paths.
+// Ref: MITRE T1005, T1552
+// ---------------------------------------------------------------------------
+
+// Block access to system directories
+@id("tools-block-system-paths")
+@name("Block system directory access")
+@description("Prevent access to sensitive system directories (/etc, /proc, /sys, /root, /var). These directories contain system configuration, process information, and credentials that agents must never access.")
+@severity("high")
+@tags("file,path,system,security,nist-ac-6,mitre-t1005")
+@reject_message("Access blocked: this path targets a sensitive system directory. AI agents are restricted from accessing /etc, /proc, /sys, /root, and /var directories.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "/etc/*" ||
+     context.path like "/proc/*" ||
+     context.path like "/sys/*" ||
+     context.path like "/root/*" ||
+     context.path like "/var/log/*" ||
+     context.path like "/var/run/*")
+};
+
+// Block access to credential and key directories
+@id("tools-block-credential-paths")
+@name("Block credential directory access")
+@description("Prevent access to SSH keys, cloud provider credentials, GPG keys, and other authentication material directories. These are primary targets for credential theft (MITRE T1552).")
 @severity("critical")
-@tags("injection,confidence,security,owasp-llm01")
-@reject_message("Your prompt was blocked because a high-confidence prompt injection pattern was detected.")
+@tags("file,credentials,ssh,aws,security,nist-ac-6,mitre-t1552")
+@reject_message("Access blocked: this path targets a credential or key directory (.ssh, .aws, .gnupg, .config/gcloud). AI agents must never access authentication material.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
     resource
 )
 when {
-    context has injection_confidence && context.injection_confidence >= 75
+    context has path &&
+    (context.path like "*/.ssh/*" ||
+     context.path like "*/.aws/*" ||
+     context.path like "*/.gnupg/*" ||
+     context.path like "*/.config/gcloud/*" ||
+     context.path like "*/.azure/*" ||
+     context.path like "*.pem" ||
+     context.path like "*/id_rsa*" ||
+     context.path like "*/id_ed25519*" ||
+     context.path like "*/id_ecdsa*")
 };
 
-// Block prompts with jailbreak attempts
-@id("semantic-block-jailbreak")
-@name("Block jailbreak attempts")
-@description("Detect and block jailbreak and bypass attempts against AI agents (OWASP LLM02)")
+// ---------------------------------------------------------------------------
+// Section 3: Tool Risk Scoring
+// Uses computed tool risk scores from the detection engine to dynamically
+// assess and block risky tool operations.
+// ---------------------------------------------------------------------------
+
+// Block tools with very high computed risk
+@id("tools-block-high-risk-score")
+@name("Block high-risk tool operations")
+@description("Block tool operations when the computed risk score exceeds 90/100. The risk score combines tool type, argument analysis, context, and historical behavior into a single metric.")
 @severity("critical")
-@tags("jailbreak,bypass,security,owasp-llm02,baseline")
-@reject_message("Your prompt was blocked because jailbreak or bypass patterns were detected by YARA scanning. This is a security measure to prevent circumvention of AI safety controls.")
+@tags("tool-risk,dynamic,security,owasp-llm06,owasp-asi02")
+@reject_message("Tool execution blocked: this operation scored 90+ on the risk assessment. The combination of tool type, arguments, and context indicates a high-risk operation.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has yara_threats && context.yara_threats.contains("jailbreak")
+    context has tool_risk_score && context.tool_risk_score >= 90
 };
 
-// Block prompts with high jailbreak confidence score
-@id("semantic-block-jailbreak-score")
-@name("Block high-confidence jailbreak")
-@description("Block content when jailbreak classifier confidence exceeds threshold (75/100)")
+// Block tools classified as dangerous
+@id("tools-block-dangerous-category")
+@name("Block dangerous tool category")
+@description("Block all tools classified as 'dangerous' by the detection engine. The dangerous category includes tools with unrestricted system access, code execution, or network capabilities.")
 @severity("critical")
-@tags("jailbreak,confidence,security,owasp-llm02")
-@reject_message("Your prompt was blocked because a high-confidence jailbreak attempt was detected.")
+@tags("tool-category,dangerous,security,owasp-llm06,nist-ac-6")
+@reject_message("Tool execution blocked: this tool is classified as 'dangerous' due to its unrestricted system access, code execution, or network capabilities. Use a safer alternative.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+    context has tool_category && context.tool_category == "dangerous"
 };
 
-// Block prompts with high severity semantic threats
-@id("semantic-block-high-severity")
-@name("Block high severity threats")
-@description("Block prompts when semantic threat scanners detect high severity issues (severity >= 3)")
+// Stricter threshold for sensitive tools
+@id("tools-block-sensitive-with-threats")
+@name("Block sensitive tools with threats")
+@description("Block sensitive tools (file write, shell, network) when any threats are detected. Sensitive tools with concurrent threats indicate an attack leveraging tool capabilities for malicious purposes.")
 @severity("high")
-@tags("semantic,severity,security")
-@reject_message("Your prompt was blocked because semantic threat scanners detected high severity issues in the content. Review your prompt for manipulative or adversarial patterns.")
+@tags("tool-category,sensitive,security,owasp-asi02,defense-in-depth")
+@reject_message("Sensitive tool execution blocked: threats were detected alongside a sensitive tool operation. Sensitive tools require zero threat context to execute.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has threat_categories && context has max_threat_severity &&
-    context.threat_categories.contains("semantic") &&
-    context.max_threat_severity >= 3
+    context has tool_is_sensitive && context.tool_is_sensitive &&
+    context has threat_count && context.threat_count > 0
 };
 
-// Block prompts with critical threat level
-@id("semantic-block-critical")
-@name("Block critical threats")
-@description("Block all content when any scanner detects critical severity threats")
-@severity("critical")
-@tags("critical,baseline,security")
-@reject_message("Your prompt was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
+// ---------------------------------------------------------------------------
+// Section 4: Threat-Based Tool Blocking
+// Blocks tool calls based on threat severity from detection engines.
+// ---------------------------------------------------------------------------
+
+// Block tool calls with high severity threats
+@id("tools-block-high-severity-threats")
+@name("Block tool calls with high severity threats")
+@description("Prevent tool execution when high or critical severity threats (>= 3) are detected in content. Tools must not execute when the content they operate on is flagged as dangerous.")
+@severity("high")
+@tags("tools,threats,severity,security,defense-in-depth")
+@reject_message("Tool execution was blocked because high or critical severity threats were detected in the content by security scanners.")
 forbid (
     principal,
-    action == Overwatch::Action::"process_prompt",
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has highest_severity && context.highest_severity == "critical"
+    context has threat_count && context has max_threat_severity &&
+    context.threat_count > 0 && context.max_threat_severity >= 3
 };
 
-// Block tool calls with prompt injection detected
-@id("semantic-block-tool-injection")
-@name("Block tool calls with injection")
-@description("Prevent tool execution when prompt injection patterns are detected in content")
+// ---------------------------------------------------------------------------
+// Section 5: Command Injection Detection
+// Blocks tool calls containing command injection patterns in arguments.
+// Ref: AIShellJack (41-84% success rate, 314 payloads)
+// ---------------------------------------------------------------------------
+
+// Block detected command injection patterns
+@id("tools-block-command-injection")
+@name("Block command injection in tool calls")
+@description("Block tool calls when command injection patterns are detected in arguments — reverse shells, privilege escalation, code execution, and data exfiltration commands. Ref: AIShellJack attack (41-84% success rate).")
 @severity("critical")
-@tags("injection,tools,security,owasp-llm01")
-@reject_message("Tool execution was blocked because prompt injection patterns were detected in the content by YARA scanning.")
+@tags("command-injection,shell,security,mitre-t1059,owasp-asi02")
+@reject_message("Tool execution blocked: command injection pattern detected in tool arguments. This may be a shell injection attack attempting to execute unauthorized commands.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has yara_threats && context.yara_threats.contains("prompt_injection")
+    context has detected_threats &&
+    context.detected_threats.contains("command_injection")
 };
 `;
-const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// =============================================================================
-// Tool Permissioning Policy (Default)
+const OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
+// Agent Security Policy (Default)
 // =============================================================================
-// Controls access to IDE tools, shell execution, file system paths, and MCP
-// operations. Blocks dangerous command execution tools and restricts access
-// to sensitive system directories and credential files.
+// Detects and blocks tool poisoning, rug pull attacks, indirect prompt injection,
+// and MCP supply chain threats targeting AI coding agents.
 //
-// Compliance: NIST 800-53 AC-3, AC-6, CM-7 | OWASP A01, A03
-//             MITRE ATT&CK T1059 (Command/Scripting Interpreter)
-//             MITRE ATT&CK T1005 (Data from Local System)
-// Category: tools
+// These are agentic AI-specific attack vectors (OWASP Agentic Top 10) where tool
+// descriptions, server responses, or behavioral drift manipulate agent behavior.
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) | OWASP LLM06 (Excessive Agency)
+//   OWASP ASI01 (Agent Goal Hijack) | OWASP ASI02 (Tool Misuse)
+//   OWASP ASI04 (Supply Chain) | OWASP MCP01-05
+//   MITRE ATLAS AML.T0051 (Prompt Injection) | AML.T0080 (Memory Manipulation)
+//
+// Category: agent_security
 // Namespace: Overwatch
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: Dangerous Tool Blocking
+// Tool Poisoning — hidden instructions in tool descriptions/arguments
+// Ref: Invariant Labs (April 2025), 84.2% success rate with auto-approval
 // ---------------------------------------------------------------------------
 
-// Block shell and command execution tools
-@id("tools-block-shell-execution")
-@name("Block shell and command execution")
-@description("Block direct shell, bash, and command execution tools to prevent command injection (MITRE T1059)")
+// Block tool calls with tool poisoning risk
+@id("as-block-tool-poisoning")
+@name("Block tool poisoning")
+@description("Block tool execution when hidden instructions are detected in tool descriptions or arguments (score >= 70/100). Catches authority hijack, system prompt injection, and hidden instruction patterns. Adjust the threshold to tune sensitivity — lower catches more but may flag legitimate tools with instructional descriptions (OWASP ASI01).")
 @severity("critical")
-@tags("shell,command-injection,execution,nist-cm-7,mitre-t1059,baseline")
-@reject_message("Tool execution was blocked because direct shell and command execution tools (shell, bash, terminal, system.exec) are restricted to prevent command injection attacks.")
+@tags("tool-poisoning,agent-security,owasp-asi01,mitre-aml-t0051")
+@reject_message("Tool execution blocked: hidden manipulation instructions detected in tool description or arguments. This may be a tool poisoning attack (OWASP ASI01).")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has tool_name &&
-    (context.tool_name == "shell" ||
-     context.tool_name == "bash" ||
-     context.tool_name == "sh" ||
-     context.tool_name == "terminal" ||
-     context.tool_name == "system.exec" ||
-     context.tool_name == "process.spawn")
+    context has tool_poisoning_score && context.tool_poisoning_score >= 70
 };
 
-// Block destructive file operations
-@id("tools-block-destructive-ops")
-@name("Block destructive file operations")
-@description("Block file deletion and other destructive tool operations to prevent data loss")
-@severity("high")
-@tags("file,delete,destructive,nist-ac-3")
-@reject_message("Tool execution was blocked because destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss.")
+// Block MCP server connections with poisoning risk
+@id("as-block-server-poisoning")
+@name("Block poisoned MCP servers")
+@description("Block connections to MCP servers when tool poisoning patterns are detected in tool descriptions (score >= 60). Lower threshold for servers since poisoning affects all tools on the server.")
+@severity("critical")
+@tags("tool-poisoning,mcp-security,owasp-asi04,owasp-mcp02")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions. Review server tools before connecting.")
 forbid (
     principal,
-    action == Overwatch::Action::"call_tool",
+    action == Overwatch::Action::"connect_server",
     resource
 )
 when {
-    context has tool_name &&
-    (context.tool_name == "fs.delete" ||
-     context.tool_name == "fs.rmdir" ||
-     context.tool_name == "fs.unlink")
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// ---------------------------------------------------------------------------
+// Rug Pull — tool behavior changes after trust establishment
+// Ref: Acuvity (2025), tools approved once then silently redefined
+// ---------------------------------------------------------------------------
+
+// Block tool calls with behavioral drift (rug pull)
+@id("as-block-rug-pull")
+@name("Block rug pull attacks")
+@description("Block tool execution when behavioral drift is detected — tool behavior diverges significantly from established patterns (score >= 70/100). Defends against tools that are approved once then silently redefined to act maliciously. Adjust the threshold to tune sensitivity (OWASP ASI04).")
+@severity("critical")
+@tags("rug-pull,agent-security,owasp-asi04,behavioral-drift")
+@reject_message("Tool execution blocked: tool behavior has changed significantly from its established pattern. This may be a rug pull attack where a tool was silently redefined after initial approval.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    resource
+)
+when {
+    context has rug_pull_score && context.rug_pull_score >= 70
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: Sensitive Path Blocking
+// Indirect Prompt Injection — injection via tool outputs and retrieved content
+// Ref: EchoLeak CVE-2025-32711, IDEsaster (30+ CVEs in AI IDEs)
 // ---------------------------------------------------------------------------
 
-// Block access to sensitive system paths and credential files
-@id("tools-block-sensitive-paths")
-@name("Block access to sensitive system paths")
-@description("Prevent access to system directories, credential files, SSH keys, and cloud config (MITRE T1005, T1552.001)")
-@severity("high")
-@tags("file,path,system,security,nist-ac-6,mitre-t1005")
-@reject_message("Access to this path was blocked because it targets a sensitive system directory or credential file (/etc, /proc, /sys, .ssh, .aws, .gnupg, or private key files).")
+// Block prompts with indirect injection from tool outputs
+@id("as-block-indirect-injection")
+@name("Block indirect prompt injection")
+@description("Block when indirect prompt injection is detected in tool outputs, file contents, or retrieved documents (score >= 70). Defends against OWASP LLM01 and ASI01.")
+@severity("critical")
+@tags("indirect-injection,owasp-llm01,owasp-asi01,mitre-aml-t0051")
+@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content. An external source may be attempting to hijack agent behavior.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 70
+};
+
+// Strict indirect injection for sensitive tool calls
+@id("as-block-indirect-injection-sensitive-tools")
+@name("Block indirect injection on sensitive tools")
+@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive (shell, file write, network). Even moderate injection risk on sensitive tools warrants blocking.")
+@severity("critical")
+@tags("indirect-injection,sensitive-tools,owasp-asi02")
+@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected. Sensitive tools require higher confidence that content is safe.")
 forbid (
     principal,
-    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has path &&
-    (context.path like "/etc/*" ||
-     context.path like "/var/*" ||
-     context.path like "/proc/*" ||
-     context.path like "/sys/*" ||
-     context.path like "/root/*" ||
-     context.path like "*/.ssh/*" ||
-     context.path like "*/.aws/*" ||
-     context.path like "*/.gnupg/*" ||
-     context.path like "*.pem" ||
-     context.path like "*/id_rsa*" ||
-     context.path like "*/id_ed25519*")
+    context has indirect_injection_score && context.indirect_injection_score >= 50 &&
+    context has tool_is_sensitive && context.tool_is_sensitive
 };
 
 // ---------------------------------------------------------------------------
-// Section 3: Threat-Based Tool Blocking
+// MCP Supply Chain — unverified servers, risky configs
+// Ref: OWASP MCP Top 10, OWASP ASI04, MITRE AML.T0082
 // ---------------------------------------------------------------------------
 
-// Block tool calls with high severity threats detected
-@id("tools-block-high-severity-threats")
-@name("Block tool calls with high severity threats")
-@description("Prevent tool execution when high or critical severity threats are detected in content")
+// Block unverified MCP server tool calls with detected threats
+@id("as-block-unverified-threats")
+@name("Block unverified server threats")
+@description("Block tool calls from unverified MCP servers when any threat is detected. Unverified servers with threats are high-risk supply chain vectors.")
 @severity("high")
-@tags("tools,threats,severity,security")
-@reject_message("Tool execution was blocked because high or critical severity threats were detected in the content by security scanners.")
+@tags("mcp-trust,owasp-asi04,owasp-mcp02,supply-chain")
+@reject_message("Tool execution blocked: the MCP server is unverified and security threats were detected. Only use tools from verified or trusted servers.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has threat_count && context has max_threat_severity &&
-    context.threat_count > 0 && context.max_threat_severity >= 3
+    context has mcp_server_verified && context.mcp_server_verified == false &&
+    context has threat_count && context.threat_count > 0
 };
-`;
-const OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR = `// =============================================================================
-// Content Safety Policy (Default)
-// =============================================================================
-// Detects and blocks violent, harmful, hateful, sexual, and profane content
-// using trust/safety classification scores from Javelin/Lakera/LlamaGuard.
-//
-// Compliance: NIST 800-53 SI-4 | EU AI Act Art. 52
-// Category: trust_safety
-// Namespace: Overwatch
-// =============================================================================
 
-// Block prompts with high violence score
-@id("ts-block-violence")
-@name("Block violent content")
-@description("Block content when violence detection score exceeds threshold (80/100)")
-@severity("critical")
-@tags("violence,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains violent content. Please rephrase without violence-related language.")
+// Block connections to MCP servers with risky configurations
+@id("as-block-mcp-config-risk")
+@name("Block risky MCP server configs")
+@description("Block MCP server connections when risky configuration patterns are detected (inline code execution, mixed transports, proxy patterns). Score >= 70.")
+@severity("high")
+@tags("mcp-config,owasp-mcp03,owasp-asi04,supply-chain")
+@reject_message("MCP server connection blocked: risky server configuration detected (e.g., inline code execution, mixed transports). Review the server configuration before connecting.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"connect_server",
     resource
 )
 when {
-    context has violence_score && context.violence_score >= 80
+    context has mcp_config_risk && context.mcp_config_risk &&
+    context has mcp_risk_score && context.mcp_risk_score >= 70
 };
 
-// Block prompts with weapons content
-@id("ts-block-weapons")
-@name("Block weapons content")
-@description("Block content when weapons detection score exceeds threshold (80/100)")
-@severity("critical")
-@tags("weapons,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains weapons-related content. Please rephrase without weapons references.")
+// Block connections to unverified MCP servers entirely
+@id("as-block-unverified-server-connect")
+@name("Block unverified MCP server connections")
+@description("Block connections to MCP servers that are not from a verified registry. This prevents supply chain attacks via malicious MCP servers.")
+@severity("high")
+@tags("mcp-trust,owasp-asi04,owasp-mcp05,supply-chain")
+@reject_message("MCP server connection blocked: server is not from a verified registry. Add the server to your verified list or contact your admin.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"connect_server",
     resource
 )
 when {
-    context has weapons_score && context.weapons_score >= 80
+    context has mcp_server_verified && context.mcp_server_verified == false
 };
+`;
+const OVERWATCH_ENCODING_DEFAULT_CEDAR = `// =============================================================================
+// Encoding & Unicode Attack Detection Policy (Default)
+// =============================================================================
+// Detects and blocks invisible Unicode characters, bidirectional text
+// overrides, tag characters, and other encoding-based attack vectors used
+// to hide malicious instructions from human review while remaining
+// visible to AI model tokenizers.
+//
+// Attack vectors:
+//   - Zero-width characters (U+200B, U+200C, U+200D, U+FEFF) hiding instructions
+//   - Bidirectional overrides (U+202A-U+202E) creating visually misleading text
+//   - Tag characters (U+E0001-U+E007F) embedding invisible payloads
+//   - Variation selectors used as steganographic channels
+//   - Homoglyph attacks using lookalike Unicode characters
+//
+// Ref: EchoLeak CVE-2025-32711 (invisible prompt injection via Unicode)
+//      Rules File Backdoor (Pillar Security, March 2025)
+//      Unicode-based prompt injection in Claude Code (CERT-2025)
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — encoding evasion
+//   OWASP ASI01 (Agent Goal Hijack) — hidden instructions
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   NIST 800-53 SI-10 (Information Input Validation)
+//
+// Category: encoding
+// Namespace: Overwatch
+// =============================================================================
 
-// Block prompts with hate speech
-@id("ts-block-hate-speech")
-@name("Block hate speech")
-@description("Block content when hate speech detection score exceeds threshold (75/100)")
-@severity("critical")
-@tags("hate-speech,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains hate speech. Please rephrase without hateful or discriminatory language.")
+// ---------------------------------------------------------------------------
+// Section 1: Invisible Character Detection in Prompts
+// Blocks prompts containing suspicious invisible Unicode patterns.
+// ---------------------------------------------------------------------------
+
+// Block prompts with invisible characters above risk threshold
+@id("encoding-block-invisible-prompt")
+@name("Block invisible characters in prompts")
+@description("Block prompts when invisible Unicode characters are detected with a risk score >= 50. Invisible chars (zero-width joiners, bidi overrides, tag characters) can hide malicious instructions from human review while being processed by AI models. Ref: EchoLeak CVE-2025-32711.")
+@severity("high")
+@tags("unicode,invisible-chars,encoding,owasp-llm01,owasp-asi01,mitre-aml-t0051,nist-si-10")
+@reject_message("Your prompt was blocked because suspicious invisible Unicode characters were detected. These characters (zero-width, bidirectional overrides, tag characters) can be used to hide malicious instructions. Please remove non-visible characters and resubmit.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"process_prompt",
     resource
 )
 when {
-    context has hate_speech_score && context.hate_speech_score >= 75
+    context has contains_invisible_chars && context.contains_invisible_chars &&
+    context has invisible_chars_score && context.invisible_chars_score >= 50
 };
 
-// Block prompts with criminal content
-@id("ts-block-crime")
-@name("Block criminal content")
-@description("Block content when criminal activity detection score exceeds threshold (80/100)")
-@severity("high")
-@tags("crime,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains content related to criminal activity.")
+// ---------------------------------------------------------------------------
+// Section 2: Invisible Characters in Tool Calls
+// Any invisible characters in tool arguments are suspicious — tool args
+// should be plain text/JSON. Lower threshold than prompts.
+// ---------------------------------------------------------------------------
+
+// Block tool calls with any invisible characters
+@id("encoding-block-invisible-tool")
+@name("Block invisible characters in tool calls")
+@description("Block tool execution when invisible Unicode characters are detected in tool arguments or content. Tool arguments should be plain text/JSON — invisible characters in tool calls are almost certainly malicious payload injection.")
+@severity("critical")
+@tags("unicode,invisible-chars,tools,encoding,owasp-asi01,owasp-asi02")
+@reject_message("Tool execution blocked: invisible Unicode characters detected in tool arguments. Tool calls should contain only plain text — invisible characters indicate payload injection or encoding evasion.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has crime_score && context.crime_score >= 80
+    context has contains_invisible_chars && context.contains_invisible_chars
 };
 
-// Block prompts with sexual content
-@id("ts-block-sexual")
-@name("Block sexual content")
-@description("Block content when sexual content detection score exceeds threshold (80/100)")
+// ---------------------------------------------------------------------------
+// Section 3: Invisible Characters in File Operations
+// Blocks file reads/writes with encoding attacks to prevent persistence
+// of invisible payloads in the codebase.
+// ---------------------------------------------------------------------------
+
+// Block file writes with invisible characters
+@id("encoding-block-invisible-file-write")
+@name("Block invisible characters in file writes")
+@description("Block file writes when invisible Unicode characters are detected. Prevents persistence of invisible payloads in source code, config files, or documentation where they could later be processed by AI agents. Ref: Rules File Backdoor attack (Pillar Security).")
 @severity("high")
-@tags("sexual,content-safety,trust-safety,eu-ai-act")
-@reject_message("Your prompt was blocked because it contains sexual content.")
+@tags("unicode,invisible-chars,file-write,encoding,owasp-asi01")
+@reject_message("File write blocked: invisible Unicode characters detected in content. Writing invisible characters to files can create persistent backdoors that affect AI agents processing those files later.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"write_file",
     resource
 )
 when {
-    context has sexual_score && context.sexual_score >= 80
+    context has contains_invisible_chars && context.contains_invisible_chars
 };
 
-// Block prompts with excessive profanity
-@id("ts-block-profanity")
-@name("Block profanity")
-@description("Block content when profanity detection score exceeds threshold (90/100)")
-@severity("medium")
-@tags("profanity,content-safety,trust-safety")
-@reject_message("Your prompt was blocked due to excessive profanity. Please rephrase in a professional manner.")
+// Block MCP server connections with invisible characters in config
+@id("encoding-block-invisible-server")
+@name("Block invisible characters in server config")
+@description("Block MCP server connections when invisible Unicode characters are detected in server configuration or responses. Invisible chars in server data indicate a compromised or malicious MCP server.")
+@severity("critical")
+@tags("unicode,invisible-chars,mcp,encoding,owasp-mcp02,owasp-asi04")
+@reject_message("MCP server connection blocked: invisible Unicode characters detected in server data. This may indicate a compromised MCP server using encoding attacks to inject hidden instructions.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    action == Overwatch::Action::"connect_server",
     resource
 )
 when {
-    context has profanity_score && context.profanity_score >= 90
+    context has contains_invisible_chars && context.contains_invisible_chars
 };
 `;
-const OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
-// Agent Security Policy (Default)
+const OVERWATCH_BEHAVIORAL_DEFAULT_CEDAR = `// =============================================================================
+// Behavioral Analysis Policy (Default)
 // =============================================================================
-// Detects and blocks tool poisoning, rug pull attacks, and indirect prompt
-// injection targeting AI coding agents. These are agentic AI-specific attack
-// vectors where tool descriptions or server responses manipulate agent behavior.
+// Detects and blocks suspicious agent behavioral patterns including tool call
+// loops, data exfiltration sequences, credential theft chains, and destructive
+// operation patterns. Operates on session-level behavioral signals rather
+// than single-request content analysis.
 //
-// Compliance: OWASP LLM09 (Improper Output Handling) | MITRE ATLAS AML.T0054
-// Category: agent_security
+// Attack vectors:
+//   - Tool call loops: Agent stuck in retry loop or manipulation-induced recursion
+//   - Data exfiltration: Read sensitive data → send to external endpoint sequence
+//   - Secret exfiltration: Read credentials → curl/fetch external URL
+//   - Credential theft: Access .ssh/.aws → encode/compress → network tool
+//   - Destructive sequences: Bulk delete, permission changes, config overwrites
+//
+// Ref: OWASP LLM10 (Unbounded Consumption) — loop/recursion attacks
+//      OWASP ASI02 (Tool Misuse) — tool abuse sequences
+//      OWASP ASI08 (Lack of Monitoring) — behavioral anomaly detection
+//      GlassWorm Attack (35,800+ installations, cross-agent propagation)
+//      MITRE ATLAS AML.T0080 (Memory Manipulation)
+//
+// Compliance:
+//   OWASP LLM10 (Unbounded Consumption)
+//   OWASP ASI02 (Tool Misuse)
+//   OWASP ASI08 (Lack of Monitoring & Logging)
+//   MITRE ATLAS AML.T0080 (AI Memory Manipulation)
+//   MITRE ATT&CK T1041 (Exfiltration Over C2 Channel)
+//   NIST 800-53 AU-6 (Audit Review, Analysis, and Reporting)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//
+// Category: behavioral
 // Namespace: Overwatch
 // =============================================================================
 
-// Block tool calls with high tool poisoning risk
-@id("as-block-tool-poisoning")
-@name("Block tool poisoning")
-@description("Block tool execution when tool description contains manipulation patterns (score >= 70/100)")
+// ---------------------------------------------------------------------------
+// Section 1: Tool Call Loop Detection
+// Detects agents trapped in infinite loops — either through manipulation
+// (adversarial prompt inducing repetitive behavior) or bugs (retry storms).
+// Ref: OWASP LLM10 (Unbounded Consumption)
+// ---------------------------------------------------------------------------
+
+// Block tool calls in detected loops (5+ consecutive same-tool calls)
+@id("behavioral-block-loop")
+@name("Block tool call loops")
+@description("Block tool execution when a loop is detected — 5 or more consecutive calls to the same tool. This indicates either adversarial manipulation inducing repetitive agent behavior or a bug causing retry storms. Both waste compute and can cause damage. Adjust the threshold (default 5) to match your workflow — lower for stricter enforcement, higher for agents that legitimately retry (OWASP LLM10).")
+@severity("high")
+@tags("loop-detection,behavioral,owasp-llm10,owasp-asi02,nist-si-4")
+@reject_message("Tool execution blocked: repetitive tool call loop detected (5+ consecutive calls to the same tool). This may indicate adversarial manipulation or a system error. The agent session should be reviewed.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has loop_detected && context.loop_detected &&
+    context has loop_count && context.loop_count >= 5
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Data Exfiltration Detection
+// Detects sequences where an agent reads sensitive data and then attempts
+// to send it to an external endpoint.
+// Ref: GlassWorm attack, MITRE T1041
+// ---------------------------------------------------------------------------
+
+// Block data exfiltration patterns
+@id("behavioral-block-data-exfil")
+@name("Block data exfiltration")
+@description("Block tool execution when a data exfiltration pattern is detected — the agent reads sensitive local data (files, configs, source code) followed by a network operation sending data externally. This is the hallmark of autonomous agent compromise (GlassWorm, EchoLeak).")
 @severity("critical")
-@tags("tool-poisoning,agent-security,owasp-llm09")
-@reject_message("Tool execution was blocked because the tool description contains manipulation patterns that could compromise agent behavior.")
+@tags("data-exfiltration,behavioral,owasp-asi02,mitre-t1041,nist-si-4")
+@reject_message("Tool execution blocked: data exfiltration pattern detected. The agent appears to be reading sensitive data and sending it to an external endpoint. This is a critical security event — the agent session has been terminated.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has tool_poisoning_score && context.tool_poisoning_score >= 70
+    context has suspicious_pattern && context.suspicious_pattern &&
+    context has pattern_type && context.pattern_type == "data_exfiltration"
 };
 
-// Block tool calls with rug pull detection
-@id("as-block-rug-pull")
-@name("Block rug pull attacks")
-@description("Block tool execution when tool behavior diverges from advertised capabilities (score >= 70/100)")
+// Block secret exfiltration (credential-specific exfil)
+@id("behavioral-block-secret-exfil")
+@name("Block secret exfiltration")
+@description("Block tool execution when a secret exfiltration pattern is detected — the agent accesses credential files (.env, .aws, tokens) followed by a network tool call. This is a targeted credential theft sequence.")
 @severity("critical")
-@tags("rug-pull,agent-security,mcp-security")
-@reject_message("Tool execution was blocked because the tool's actual behavior diverges from its advertised capabilities.")
+@tags("secret-exfiltration,behavioral,owasp-asi02,mitre-t1552,mitre-t1041")
+@reject_message("Tool execution blocked: secret exfiltration pattern detected. The agent accessed credential files and is attempting to send them externally. This is a targeted credential theft attack.")
 forbid (
     principal,
-    action in [Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has rug_pull_score && context.rug_pull_score >= 70
+    context has suspicious_pattern && context.suspicious_pattern &&
+    context has pattern_type && context.pattern_type == "secret_exfiltration"
 };
 
-// Block MCP server connections with high poisoning risk
-@id("as-block-server-poisoning")
-@name("Block poisoned MCP servers")
-@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60/100)")
+// Block credential theft chains
+@id("behavioral-block-credential-theft")
+@name("Block credential theft")
+@description("Block tool execution when a credential theft chain is detected — accessing SSH keys, cloud credentials, or API tokens followed by encoding, compression, or transfer operations. Multi-step attack pattern for autonomous credential harvesting.")
 @severity("critical")
-@tags("tool-poisoning,mcp-security,agent-security")
-@reject_message("Connection to this MCP server was blocked because tool poisoning patterns were detected in its tool descriptions.")
+@tags("credential-theft,behavioral,owasp-asi02,mitre-t1552,mitre-t1555")
+@reject_message("Tool execution blocked: credential theft chain detected. The agent is performing a multi-step operation to harvest and exfiltrate credentials (SSH keys, cloud tokens, API keys). Session terminated.")
 forbid (
     principal,
-    action == Overwatch::Action::"connect_server",
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+    context has suspicious_pattern && context.suspicious_pattern &&
+    context has pattern_type && context.pattern_type == "credential_theft"
 };
 
-// Block prompts with indirect injection patterns
-@id("as-block-indirect-injection")
-@name("Block indirect prompt injection")
-@description("Block content when indirect prompt injection is detected in tool outputs or retrieved documents (score >= 70/100)")
+// ---------------------------------------------------------------------------
+// Section 3: Destructive Sequence Detection
+// Detects sequences of destructive operations that could damage the workspace.
+// ---------------------------------------------------------------------------
+
+// Block destructive operation sequences
+@id("behavioral-block-destructive-sequence")
+@name("Block destructive sequences")
+@description("Block tool execution when a destructive operation sequence is detected — bulk file deletions, permission changes, config overwrites, or repository manipulation patterns. Prevents agent-initiated workspace damage.")
 @severity("critical")
-@tags("indirect-injection,agent-security,owasp-llm01")
-@reject_message("This content was blocked because indirect prompt injection patterns were detected in tool outputs or retrieved documents.")
+@tags("destructive,behavioral,owasp-asi02,nist-si-4")
+@reject_message("Tool execution blocked: destructive operation sequence detected. The agent is performing a pattern of destructive operations (bulk deletions, permission changes, config overwrites) that could damage the workspace.")
 forbid (
     principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has indirect_injection_score && context.indirect_injection_score >= 70
+    context has suspicious_pattern && context.suspicious_pattern &&
+    context has pattern_type && context.pattern_type == "destructive_sequence"
 };
 
-// Block unverified MCP server tool calls with any detected threats
-@id("as-block-unverified-threats")
-@name("Block unverified server threats")
-@description("Block tool calls from unverified MCP servers when any threat is detected")
+// ---------------------------------------------------------------------------
+// Section 4: Sequence Risk Scoring
+// Uses computed sequence risk scores for dynamic behavioral assessment.
+// ---------------------------------------------------------------------------
+
+// Block high-risk behavioral sequences
+@id("behavioral-block-high-risk-sequence")
+@name("Block high-risk behavioral sequences")
+@description("Block tool execution when the computed sequence risk score exceeds 80/100. The score aggregates behavioral signals including action history, tool combination analysis, and deviation from normal patterns. High scores indicate coordinated multi-step attacks.")
 @severity("high")
-@tags("mcp-trust,agent-security,unverified")
-@reject_message("Tool execution was blocked because the MCP server is unverified and threats were detected in the content.")
+@tags("sequence-risk,behavioral,dynamic,owasp-asi08,nist-au-6")
+@reject_message("Tool execution blocked: high-risk behavioral sequence detected (risk score 80+). The pattern of agent actions indicates a coordinated attack. This session requires human review before continuing.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has mcp_server_verified && context.mcp_server_verified == false &&
-    context has threat_count && context.threat_count > 0
+    context has sequence_risk && context.sequence_risk >= 80
 };
 `;
 const OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
@@ -883,40 +1567,47 @@ permit (
     resource
 );
 `;
-const OVERWATCH_ORG_TEAM_PERMISSIONS_CEDAR = `// Team-Based Permissions (ReBAC)
-// Grant IDE access based on team membership using entity hierarchy
+const OVERWATCH_ORG_TEAM_PERMISSIONS_CEDAR = `// =============================================================================
+// Project-Based Permissions (ReBAC)
+// =============================================================================
+// Grant IDE access based on project scope using entity hierarchy.
+// With the aligned schema, principals (User, Agent) are flat — scoping is
+// done via resource hierarchy instead of principal hierarchy.
+//
 // Category: organization
 // Namespace: Overwatch
 //
 // Entity hierarchy required:
-//   Organization::"acme-corp"
-//     └── Team::"dev-team"       (in Organization)
-//     │     └── Agent::"claude"  (in Team)
-//     └── Team::"support-team"   (in Organization)
-//           └── Agent::"claude-support" (in Team)
-
-// Dev Team: Full IDE access - all actions permitted
-@id("team-dev-full-access")
-@name("Dev team full IDE access")
-@description("Grant development team agents full IDE access including tools, prompts, file operations, and server connections")
+//   Account::"acme-corp"
+//     └── Project::"dev-project"      (in Account)
+//     └── Project::"support-project"  (in Account)
+//
+// Resources (Tool, Server, FilePath, LlmPrompt) are parented under Project,
+// so \`resource in Project::"..."\` matches all resources in that project.
+// =============================================================================
+
+// Dev Project: Full IDE access - all actions permitted on all resources
+@id("project-dev-full-access")
+@name("Dev project full IDE access")
+@description("Grant full IDE access to all resources within the dev project including tools, prompts, file operations, and server connections")
 @severity("medium")
-@tags("rebac,team,dev,permissions,organization")
+@tags("rebac,project,dev,permissions,organization")
 permit (
-    principal in Overwatch::Team::"dev-team",
+    principal,
     action,
-    resource
+    resource in Overwatch::Project::"dev-project"
 );
 
-// Support Team: Read-only access - process prompts and read files only
-@id("team-support-read-only")
-@name("Support team read-only access")
-@description("Grant support team agents read-only access limited to prompt processing and file reading")
+// Support Project: Read-only access - process prompts and read files only
+@id("project-support-read-only")
+@name("Support project read-only access")
+@description("Grant read-only access to support project resources limited to prompt processing and file reading")
 @severity("medium")
-@tags("rebac,team,support,read-only,organization")
+@tags("rebac,project,support,read-only,organization")
 permit (
-    principal in Overwatch::Team::"support-team",
+    principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"read_file"],
-    resource
+    resource in Overwatch::Project::"support-project"
 );
 `;
 const OVERWATCH_ORG_AGENT_GUARDRAILS_CEDAR = `// Agent-Specific Guardrails
@@ -940,7 +1631,7 @@ forbid (
     resource
 )
 when {
-    context.yara_threats.contains("prompt_injection")
+    context.detected_threats.contains("prompt_injection")
 };
 
 // Cursor: Block PII leakage
@@ -968,7 +1659,9 @@ export const OVERWATCH_CATEGORIES = [
     { id: 'tools', name: 'Tool Permissioning', description: 'Control access to shell execution, file operations, MCP servers, and sensitive system paths' },
     { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines, team permissions, and agent-specific guardrails' },
     { id: 'trust_safety', name: 'Content Safety', description: 'Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores' },
-    { id: 'agent_security', name: 'Agent Security', description: 'Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents' },
+    { id: 'agent_security', name: 'Agent Security', description: 'Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats targeting AI agents' },
+    { id: 'encoding', name: 'Encoding & Unicode Attacks', description: 'Detect invisible Unicode characters, bidirectional text overrides, and encoded injection payloads used to hide malicious instructions' },
+    { id: 'behavioral', name: 'Behavioral Analysis', description: 'Detect suspicious action sequences, tool call loops, data exfiltration patterns, and credential theft chains across agent sessions' },
 ];
 // =============================================================================
 // DEFAULT POLICIES
@@ -984,71 +1677,85 @@ export const OVERWATCH_DEFAULTS = [
         tags: ['baseline', 'permit-default', 'organization'],
         isActive: true,
     },
+    {
+        id: 'semantic-default',
+        name: 'Semantic Threat Detection',
+        description: 'Detect and block prompt injection, jailbreak attempts, and high-severity threats using detection rules and ML classifiers',
+        category: 'semantic',
+        cedarText: OVERWATCH_SEMANTIC_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['prompt-injection', 'jailbreak', 'owasp-llm01', 'owasp-llm02', 'security', 'baseline'],
+        isActive: true,
+    },
+    {
+        id: 'trust-safety-default',
+        name: 'Content Safety',
+        description: 'Detect and block violent, harmful, hateful, sexual, and profane content using ML classification scores',
+        category: 'trust_safety',
+        cedarText: OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['violence', 'weapons', 'hate-speech', 'crime', 'sexual', 'profanity', 'content-safety', 'baseline'],
+        isActive: true,
+    },
+];
+// =============================================================================
+// ALL TEMPLATES
+// =============================================================================
+export const OVERWATCH_TEMPLATES = [
     {
         id: 'secrets-default',
         name: 'Secrets Detection',
-        description: 'Detect and block credential leakage across prompts, tool calls, file operations, and AI response content',
+        description: 'Detect and block credential leakage across prompts, tool calls, file operations, and AI responses using multi-layered detection',
         category: 'secrets',
         cedarText: OVERWATCH_SECRETS_DEFAULT_CEDAR,
         severity: 'critical',
         tags: ['api-keys', 'tokens', 'credentials', 'aws', 'github', 'ssh', 'baseline'],
-        isActive: true,
     },
     {
         id: 'pii-default',
         name: 'PII Detection',
-        description: 'Detect and block credit card numbers, SSN, and other sensitive personal information in prompts and tool calls',
+        description: 'Detect and block credit card numbers, SSNs, health data, and other PII in prompts, tool calls, and file operations',
         category: 'pii',
         cedarText: OVERWATCH_PII_DEFAULT_CEDAR,
         severity: 'critical',
-        tags: ['pii', 'privacy', 'compliance', 'pci-dss', 'gdpr', 'baseline'],
-        isActive: true,
-    },
-    {
-        id: 'semantic-default',
-        name: 'Semantic Threat Detection',
-        description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats',
-        category: 'semantic',
-        cedarText: OVERWATCH_SEMANTIC_DEFAULT_CEDAR,
-        severity: 'critical',
-        tags: ['prompt-injection', 'jailbreak', 'owasp-llm01', 'security', 'baseline'],
-        isActive: true,
+        tags: ['pii', 'privacy', 'compliance', 'pci-dss', 'gdpr', 'hipaa', 'baseline'],
     },
     {
         id: 'tools-default',
         name: 'Tool Permissioning',
-        description: 'Block dangerous shell execution, restrict sensitive file paths, and enforce threat-based tool access controls',
+        description: 'Block dangerous shell execution, restrict sensitive file paths, enforce tool risk scoring, and detect command injection in tool arguments',
         category: 'tools',
         cedarText: OVERWATCH_TOOLS_DEFAULT_CEDAR,
         severity: 'critical',
-        tags: ['shell', 'command-injection', 'file-access', 'mitre-t1059', 'baseline'],
-        isActive: false,
-    },
-    {
-        id: 'trust-safety-default',
-        name: 'Content Safety',
-        description: 'Detect and block violent, harmful, hateful, sexual, and profane content using classification scores',
-        category: 'trust_safety',
-        cedarText: OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR,
-        severity: 'critical',
-        tags: ['violence', 'weapons', 'hate-speech', 'crime', 'sexual', 'profanity', 'content-safety', 'baseline'],
-        isActive: true,
+        tags: ['shell', 'command-injection', 'file-access', 'tool-risk', 'mitre-t1059', 'owasp-llm06', 'baseline'],
     },
     {
         id: 'agent-security-default',
         name: 'Agent Security',
-        description: 'Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents',
+        description: 'Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats via Shield detection',
         category: 'agent_security',
         cedarText: OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR,
         severity: 'critical',
-        tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'agent-security', 'baseline'],
-        isActive: true,
+        tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'agent-security', 'owasp-asi01', 'owasp-asi04', 'baseline'],
+    },
+    {
+        id: 'encoding-default',
+        name: 'Encoding Attack Detection',
+        description: 'Detect and block invisible Unicode characters, bidirectional overrides, and encoding-based injection attacks across prompts, tools, and files',
+        category: 'encoding',
+        cedarText: OVERWATCH_ENCODING_DEFAULT_CEDAR,
+        severity: 'high',
+        tags: ['unicode', 'invisible-chars', 'bidi-override', 'encoding', 'owasp-llm01', 'baseline'],
+    },
+    {
+        id: 'behavioral-default',
+        name: 'Behavioral Analysis',
+        description: 'Detect and block tool call loops, data exfiltration sequences, credential theft chains, and destructive operation patterns',
+        category: 'behavioral',
+        cedarText: OVERWATCH_BEHAVIORAL_DEFAULT_CEDAR,
+        severity: 'high',
+        tags: ['loop-detection', 'data-exfiltration', 'credential-theft', 'behavioral', 'owasp-llm10', 'owasp-asi02', 'baseline'],
     },
-];
-// =============================================================================
-// ALL TEMPLATES
-// =============================================================================
-export const OVERWATCH_TEMPLATES = [
     {
         id: 'tools-mcp-allowlist',
         name: 'MCP Server Allowlist',
@@ -1111,7 +1818,7 @@ export const OVERWATCH_TEMPLATES = [
 export const OVERWATCH_TEMPLATES_JSON = `{
   "service": "overwatch",
   "version": "3.0.0",
-  "description": "Overwatch policy templates for IDE security",
+  "description": "Overwatch policy templates for IDE agent security",
   "categories": [
     {
       "id": "secrets",
@@ -1146,7 +1853,17 @@ export const OVERWATCH_TEMPLATES_JSON = `{
     {
       "id": "agent_security",
       "name": "Agent Security",
-      "description": "Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents"
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats targeting AI agents"
+    },
+    {
+      "id": "encoding",
+      "name": "Encoding & Unicode Attacks",
+      "description": "Detect invisible Unicode characters, bidirectional text overrides, and encoded injection payloads used to hide malicious instructions"
+    },
+    {
+      "id": "behavioral",
+      "name": "Behavioral Analysis",
+      "description": "Detect suspicious action sequences, tool call loops, data exfiltration patterns, and credential theft chains across agent sessions"
     }
   ],
   "defaults": [
@@ -1160,68 +1877,82 @@ export const OVERWATCH_TEMPLATES_JSON = `{
       "tags": ["baseline", "permit-default", "organization"],
       "is_active": true
     },
+    {
+      "id": "semantic-default",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats using detection rules and ML classifiers",
+      "category": "semantic",
+      "file": "defaults/semantic.cedar",
+      "severity": "critical",
+      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "owasp-llm02", "security", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "trust-safety-default",
+      "name": "Content Safety",
+      "description": "Detect and block violent, harmful, hateful, sexual, and profane content using ML classification scores",
+      "category": "trust_safety",
+      "file": "defaults/trust_safety.cedar",
+      "severity": "critical",
+      "tags": ["violence", "weapons", "hate-speech", "crime", "sexual", "profanity", "content-safety", "baseline"],
+      "is_active": true
+    }
+  ],
+  "templates": [
     {
       "id": "secrets-default",
       "name": "Secrets Detection",
-      "description": "Detect and block credential leakage across prompts, tool calls, file operations, and AI response content",
+      "description": "Detect and block credential leakage across prompts, tool calls, file operations, and AI responses using multi-layered detection",
       "category": "secrets",
       "file": "defaults/secrets.cedar",
       "severity": "critical",
-      "tags": ["api-keys", "tokens", "credentials", "aws", "github", "ssh", "baseline"],
-      "is_active": true
+      "tags": ["api-keys", "tokens", "credentials", "aws", "github", "ssh", "baseline"]
     },
     {
       "id": "pii-default",
       "name": "PII Detection",
-      "description": "Detect and block credit card numbers, SSN, and other sensitive personal information in prompts and tool calls",
+      "description": "Detect and block credit card numbers, SSNs, health data, and other PII in prompts, tool calls, and file operations",
       "category": "pii",
       "file": "defaults/pii.cedar",
       "severity": "critical",
-      "tags": ["pii", "privacy", "compliance", "pci-dss", "gdpr", "baseline"],
-      "is_active": true
-    },
-    {
-      "id": "semantic-default",
-      "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats",
-      "category": "semantic",
-      "file": "defaults/semantic.cedar",
-      "severity": "critical",
-      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "security", "baseline"],
-      "is_active": true
+      "tags": ["pii", "privacy", "compliance", "pci-dss", "gdpr", "hipaa", "baseline"]
     },
     {
       "id": "tools-default",
       "name": "Tool Permissioning",
-      "description": "Block dangerous shell execution, restrict sensitive file paths, and enforce threat-based tool access controls",
+      "description": "Block dangerous shell execution, restrict sensitive file paths, enforce tool risk scoring, and detect command injection in tool arguments",
       "category": "tools",
       "file": "defaults/tools.cedar",
       "severity": "critical",
-      "tags": ["shell", "command-injection", "file-access", "mitre-t1059", "baseline"],
-      "is_active": false
-    },
-    {
-      "id": "trust-safety-default",
-      "name": "Content Safety",
-      "description": "Detect and block violent, harmful, hateful, sexual, and profane content using classification scores",
-      "category": "trust_safety",
-      "file": "defaults/trust_safety.cedar",
-      "severity": "critical",
-      "tags": ["violence", "weapons", "hate-speech", "crime", "sexual", "profanity", "content-safety", "baseline"],
-      "is_active": true
+      "tags": ["shell", "command-injection", "file-access", "tool-risk", "mitre-t1059", "owasp-llm06", "baseline"]
     },
     {
       "id": "agent-security-default",
       "name": "Agent Security",
-      "description": "Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats via Shield detection",
       "category": "agent_security",
       "file": "defaults/agent_security.cedar",
       "severity": "critical",
-      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "agent-security", "baseline"],
-      "is_active": true
-    }
-  ],
-  "templates": [
+      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "agent-security", "owasp-asi01", "owasp-asi04", "baseline"]
+    },
+    {
+      "id": "encoding-default",
+      "name": "Encoding Attack Detection",
+      "description": "Detect and block invisible Unicode characters, bidirectional overrides, and encoding-based injection attacks across prompts, tools, and files",
+      "category": "encoding",
+      "file": "defaults/encoding_attacks.cedar",
+      "severity": "high",
+      "tags": ["unicode", "invisible-chars", "bidi-override", "encoding", "owasp-llm01", "baseline"]
+    },
+    {
+      "id": "behavioral-default",
+      "name": "Behavioral Analysis",
+      "description": "Detect and block tool call loops, data exfiltration sequences, credential theft chains, and destructive operation patterns",
+      "category": "behavioral",
+      "file": "defaults/behavioral.cedar",
+      "severity": "high",
+      "tags": ["loop-detection", "data-exfiltration", "credential-theft", "behavioral", "owasp-llm10", "owasp-asi02", "baseline"]
+    },
     {
       "id": "tools-mcp-allowlist",
       "name": "MCP Server Allowlist",