@highflame/policy 2.1.22 → 2.1.24

package/_schemas/ai_gateway/templates/mcp_tool_permissions.cedar

@@ -5,44 +5,25 @@
 // Complements the MCP Server Allowlist (connect_server action)
 // with fine-grained per-tool control on call_tool action.
 //
+// Defaults to permit-all. Customize per-tool gating by adding forbid rules
+// scoped to specific mcp_server / tool_name combinations.
+//
 // Category: tools
 // Namespace: AIGateway
 // =============================================================================
 
-// -- GitHub MCP: Read-only access -------------------------------------------
+// -- Permit all MCP tool calls (opt-in default) -----------------------------
 
-@id("mcp-tool-allow-read-github")
-@name("Allow read-only GitHub tools")
-@description("Permit read operations from GitHub MCP server")
-@severity("medium")
-@tags("mcp,github,read-only,least-privilege")
+@id("mcp-tool-allow-all")
+@name("Allow all MCP tool calls")
+@description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
+@severity("low")
+@tags("mcp,permit-default")
 permit (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
-) when {
-    context has mcp_server && context.mcp_server == "github" &&
-    context has tool_name &&
-    (context.tool_name == "read_issues" ||
-     context.tool_name == "get_issue" ||
-     context.tool_name == "list_repos" ||
-     context.tool_name == "get_pull_request" ||
-     context.tool_name == "search_code" ||
-     context.tool_name == "get_file_contents")
-};
-
-@id("mcp-tool-deny-write-github")
-@name("Deny write GitHub tools")
-@description("Block create/update/delete operations on GitHub MCP server")
-@severity("high")
-@tags("mcp,github,write-block,least-privilege")
-forbid (
-    principal,
-    action == AIGateway::Action::"call_tool",
-    resource
-) when {
-    context has mcp_server && context.mcp_server == "github"
-};
+);
 
 // -- Organization-wide MCP server exclusions --------------------------------
 

package/_schemas/ai_gateway/templates/templates.json

@@ -89,11 +89,11 @@
     {
       "id": "tools-mcp-tool-permissions",
       "name": "MCP Tool Permissions",
-      "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
       "category": "tools",
       "file": "mcp_tool_permissions.cedar",
-      "severity": "high",
-      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+      "severity": "low",
+      "tags": ["mcp", "tools", "permit-default", "exclusion"]
     },
     {
       "id": "data-pii-redaction",

package/_schemas/guardrails/context.json

@@ -29,7 +29,7 @@
           "key": "content_type",
           "type": "string",
           "required": true,
-          "description": "Type of content being analyzed: 'prompt', 'response', 'tool_call', or 'file'"
+          "description": "Type of content being analyzed: 'prompt', 'response', 'tool_call', 'file', or 'clipboard'"
         },
         {
           "key": "detector_count",

package/_schemas/sentry/templates/defaults/clipboard.cedar

@@ -0,0 +1,76 @@
+// =============================================================================
+// Clipboard Policy (Default)
+// =============================================================================
+// Controls over paste operations into AI chat services. Covers:
+//   - Blanket paste blocking (admin-configurable)
+//   - Paste-with-secrets blocking
+//   - Paste-with-source-code blocking
+//
+// Cross-cutting secret rules (e.g. high-risk credential types) are defined
+// in secrets.cedar and apply to paste content as well.
+//
+// Category: clipboard
+// Namespace: Sentry
+// =============================================================================
+
+// Block all paste operations
+@id("sentry-org-block-all-paste")
+@name("Block all paste operations")
+@description("Unconditionally block all paste operations into AI chat services. Enable this rule to prevent any content from being pasted into AI chats regardless of content. Disable to allow paste (subject to other policy rules).")
+@severity("high")
+@tags("paste,clipboard,data-protection,organization")
+@reject_message("Paste blocked: your organization does not allow pasting content into AI services. Type your message directly or contact your administrator.")
+forbid (
+    principal,
+    action == Sentry::Action::"paste_content",
+    resource
+);
+
+// Block pasted content containing secrets
+@id("sentry-org-block-secrets-paste")
+@name("Block paste with secrets")
+@description("Block paste operations when secrets are detected. Prevents credential leakage when users paste from terminals, config files, or code editors into AI chats.")
+@severity("critical")
+@tags("secrets,paste-safety,credentials,nist-sc-28")
+@reject_message("Paste blocked: secrets or credentials detected in pasted content. Remove API keys, tokens, and passwords before pasting into AI services.")
+forbid (
+    principal,
+    action == Sentry::Action::"paste_content",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets
+};
+
+// Block pasted content containing PII
+@id("sentry-pii-block-paste")
+@name("Block paste with PII")
+@description("Block paste operations when PII is detected in pasted content. Prevents data leakage when employees paste content from emails, spreadsheets, or documents containing personal data into AI chats.")
+@severity("critical")
+@tags("pii,paste-safety,data-leakage,gdpr-art-32")
+@reject_message("Paste blocked: personally identifiable information detected in pasted content. Remove PII before pasting into AI services.")
+forbid (
+    principal,
+    action == Sentry::Action::"paste_content",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected
+};
+
+// Block pasted source code
+@id("sentry-org-block-code-paste")
+@name("Block pasted source code")
+@description("Block paste operations when content is primarily source code (>80%). Prevents code exfiltration via clipboard from IDEs, terminals, or code repositories into AI chats.")
+@severity("high")
+@tags("source-code,paste-safety,ip-protection,data-leakage")
+@reject_message("Paste blocked: the content appears to be primarily source code (>80%). Pasting bulk source code into AI services risks intellectual property exposure.")
+forbid (
+    principal,
+    action == Sentry::Action::"paste_content",
+    resource
+)
+when {
+    context has contains_code && context.contains_code &&
+    context has code_ratio && context.code_ratio > 80
+};

package/_schemas/sentry/templates/defaults/file_safety.cedar

@@ -97,20 +97,20 @@ when {
     context has contains_secrets && context.contains_secrets
 };
 
-// Block files with bulk PII
-@id("sentry-file-block-bulk-pii")
-@name("Block files with bulk PII")
-@description("Block file uploads containing 3 or more PII matches. Files with bulk PII likely contain customer lists, employee records, or patient data that must not be shared with AI services.")
+// Block file uploads containing PII
+@id("sentry-pii-block-uploads")
+@name("Block file uploads with PII")
+@description("Block file uploads when PII is detected in document content. Prevents sharing of documents containing personal data (customer lists, HR records, medical files) with AI services.")
 @severity("critical")
-@tags("pii,file-upload,bulk,gdpr-art-32")
-@reject_message("Upload blocked: multiple PII items detected in the file (3+). Documents containing bulk personal data must not be shared with AI services.")
+@tags("pii,file-upload,data-protection,gdpr-art-32")
+@reject_message("File upload blocked: personally identifiable information detected in the document. Files containing PII must not be shared with AI services.")
 forbid (
     principal,
     action == Sentry::Action::"upload_file",
     resource
 )
 when {
-    context has pii_count && context.pii_count >= 3
+    context has pii_detected && context.pii_detected
 };
 
 // Block files with phishing links

package/_schemas/sentry/templates/defaults/organization.cedar

@@ -1,138 +1,22 @@
 // =============================================================================
 // Organization Rules Policy (Default)
 // =============================================================================
-// Organization-wide security policies for browser AI interactions:
-//   - Credential/secret leakage prevention across all channels
-//   - Source code protection
-//   - Session-aware escalation
+// Cross-cutting organization-wide rules that don't fit other categories.
+// Secret/credential rules live in secrets.cedar; paste/clipboard rules live
+// in clipboard.cedar.
 //
-// These rules complement category-specific policies (PII, Content Safety,
-// File Safety) with cross-cutting organizational controls.
+// This template covers:
+//   - Source code protection in messages (non-paste channels)
+//   - Session-aware threat escalation
 //
 // Category: organization
 // Namespace: Sentry
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: Credential & Secret Leakage Prevention
-// Block secrets/credentials across messages, pastes, and file uploads.
-// Shield SecretsDetector identifies 18+ secret types via regex.
-// ---------------------------------------------------------------------------
-
-// Block messages containing secrets
-@id("sentry-org-block-secrets-messages")
-@name("Block messages with secrets")
-@description("Block messages when detection engines identify API keys, tokens, or credential patterns. First line of defense against accidental credential exposure in AI chat interactions.")
-@severity("critical")
-@tags("secrets,credentials,messages,nist-sc-28,nist-ia-5")
-@reject_message("Your message was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before sending to AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"send_message",
-    resource
-)
-when {
-    context has contains_secrets && context.contains_secrets
-};
-
-// Block pasted content containing secrets
-@id("sentry-org-block-secrets-paste")
-@name("Block paste with secrets")
-@description("Block paste operations when secrets are detected. Prevents credential leakage when users paste from terminals, config files, or code editors into AI chats.")
-@severity("critical")
-@tags("secrets,paste-safety,credentials,nist-sc-28")
-@reject_message("Paste blocked: secrets or credentials detected in pasted content. Remove API keys, tokens, and passwords before pasting into AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has contains_secrets && context.contains_secrets
-};
-
-// Block high-risk secret types across all actions
-@id("sentry-org-block-high-risk-secrets")
-@name("Block high-risk credential types")
-@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings across all actions. These credential types pose the highest exfiltration risk.")
-@severity("critical")
-@tags("secrets,aws,github,ssh,cloud,nist-ia-5,mitre-t1552")
-@reject_message("Content blocked: high-risk credentials detected (cloud keys, GitHub tokens, SSH keys). Use a secrets manager — never share credentials with AI services.")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has secret_types &&
-    (context.secret_types.contains("aws_access_key") ||
-     context.secret_types.contains("aws_secret_key") ||
-     context.secret_types.contains("gcp_service_account") ||
-     context.secret_types.contains("azure_connection_string") ||
-     context.secret_types.contains("github_token") ||
-     context.secret_types.contains("github_fine_grained") ||
-     context.secret_types.contains("private_key"))
-};
-
-// Block API keys and tokens across all actions
-@id("sentry-org-block-api-keys")
-@name("Block API keys and tokens")
-@description("Block content containing generic API keys, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types when users interact with AI services.")
-@severity("high")
-@tags("secrets,api-key,jwt,oauth,nist-ia-5")
-@reject_message("Content blocked: API keys, JWT tokens, or OAuth credentials detected. These must never be shared with AI services.")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has secret_types &&
-    (context.secret_types.contains("generic_api_key") ||
-     context.secret_types.contains("jwt_token") ||
-     context.secret_types.contains("openai_key") ||
-     context.secret_types.contains("anthropic_key") ||
-     context.secret_types.contains("stripe_key"))
-};
-
-// Block bulk secret exposure
-@id("sentry-org-block-bulk-secrets")
-@name("Block bulk secret exposure")
-@description("Block content when 3+ distinct secrets are found. Multiple secrets indicate a configuration dump, .env file paste, or credential harvesting being sent to AI services.")
-@severity("critical")
-@tags("secrets,bulk,data-exfiltration,nist-sc-28")
-@reject_message("Content blocked: multiple credentials detected (3+). Configuration dumps and credential lists must never be shared with AI services.")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has secret_count && context.secret_count >= 3
-};
-
-// Block detected credential patterns
-@id("sentry-org-block-detected-credentials")
-@name("Block detected credential patterns")
-@description("Block content flagged by detection engine rules for credential exposure, API key leaks, and token exposure. Defense-in-depth behind contains_secrets.")
-@severity("critical")
-@tags("secrets,credentials,detection-rules,nist-ia-5")
-@reject_message("Content blocked: detection engines identified credential patterns including secret exposure, API keys, or token leaks.")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has detected_threats &&
-    (context.detected_threats.contains("secret_exposure") ||
-     context.detected_threats.contains("credential_leak") ||
-     context.detected_threats.contains("api_key_exposure"))
-};
-
-// ---------------------------------------------------------------------------
-// Section 2: Source Code Protection
-// Prevent bulk source code from being shared with AI services.
+// Section 1: Source Code Protection (Messages)
+// Prevent bulk source code from being shared via messages.
+// Paste-targeted code protection is in clipboard.cedar.
 // ---------------------------------------------------------------------------
 
 // Block messages with high code content
@@ -152,25 +36,8 @@ when {
     context has code_ratio && context.code_ratio > 80
 };
 
-// Block pasted source code
-@id("sentry-org-block-code-paste")
-@name("Block pasted source code")
-@description("Block paste operations when content is primarily source code (>80%). Prevents code exfiltration via clipboard from IDEs, terminals, or code repositories into AI chats.")
-@severity("high")
-@tags("source-code,paste-safety,ip-protection,data-leakage")
-@reject_message("Paste blocked: the content appears to be primarily source code (>80%). Pasting bulk source code into AI services risks intellectual property exposure.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has contains_code && context.contains_code &&
-    context has code_ratio && context.code_ratio > 80
-};
-
 // ---------------------------------------------------------------------------
-// Section 3: Session-Aware Escalation
+// Section 2: Session-Aware Escalation
 // Escalate protections when threats are detected across the session.
 // ---------------------------------------------------------------------------
 
@@ -189,19 +56,3 @@ forbid (
 when {
     context has session_threat_turns && context.session_threat_turns >= 3
 };
-
-// Block AI responses when session has leaked secrets
-@id("sentry-org-session-secrets-response")
-@name("Block responses after secret detection")
-@description("Block AI responses when secrets were detected earlier in the session. If credentials were leaked in a previous turn, the AI service may have processed them and could echo or reference them in responses.")
-@severity("high")
-@tags("session,secrets,response-safety,defense-in-depth")
-@reject_message("AI response blocked: secrets were detected in an earlier message in this session. Responses may contain or reference the exposed credentials.")
-forbid (
-    principal,
-    action == Sentry::Action::"receive_response",
-    resource
-)
-when {
-    context has session_secrets_detected && context.session_secrets_detected
-};

package/_schemas/sentry/templates/defaults/pii.cedar

@@ -46,38 +46,6 @@ when {
     context has pii_detected && context.pii_detected
 };
 
-// Block pasted content containing PII
-@id("sentry-pii-block-paste")
-@name("Block paste with PII")
-@description("Block paste operations when PII is detected in pasted content. Prevents data leakage when employees paste content from emails, spreadsheets, or documents containing personal data into AI chats.")
-@severity("critical")
-@tags("pii,paste-safety,data-leakage,gdpr-art-32")
-@reject_message("Paste blocked: personally identifiable information detected in pasted content. Remove PII before pasting into AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has pii_detected && context.pii_detected
-};
-
-// Block file uploads containing PII
-@id("sentry-pii-block-uploads")
-@name("Block file uploads with PII")
-@description("Block file uploads when PII is detected in document content. Prevents sharing of documents containing personal data (customer lists, HR records, medical files) with AI services.")
-@severity("critical")
-@tags("pii,file-upload,data-protection,gdpr-art-32")
-@reject_message("File upload blocked: personally identifiable information detected in the document. Files containing PII must not be shared with AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has pii_detected && context.pii_detected
-};
-
 // ---------------------------------------------------------------------------
 // Section 2: Granular PII Type Blocking
 // Blocks specific PII types based on regulatory requirements.

package/_schemas/sentry/templates/defaults/secrets.cedar

@@ -0,0 +1,155 @@
+// =============================================================================
+// Secrets Detection Policy (Default)
+// =============================================================================
+// Block credential and secret leakage across messages and AI responses.
+// Shield SecretsDetector identifies 18+ secret types via regex.
+//
+// Paste-targeted secret rules live in clipboard.cedar; this file covers
+// non-paste channels (messages, responses, and cross-cutting rules).
+//
+// Category: secrets
+// Namespace: Sentry
+// =============================================================================
+
+// Block messages containing secrets
+@id("sentry-org-block-secrets-messages")
+@name("Block messages with secrets")
+@description("Block messages when detection engines identify API keys, tokens, or credential patterns. First line of defense against accidental credential exposure in AI chat interactions.")
+@severity("critical")
+@tags("secrets,credentials,messages,nist-sc-28,nist-ia-5")
+@reject_message("Your message was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before sending to AI services.")
+forbid (
+    principal,
+    action == Sentry::Action::"send_message",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets
+};
+
+// Block high-risk secret types across all actions
+@id("sentry-org-block-high-risk-secrets")
+@name("Block high-risk credential types")
+@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings across all actions. These credential types pose the highest exfiltration risk.")
+@severity("critical")
+@tags("secrets,aws,github,ssh,cloud,nist-ia-5,mitre-t1552")
+@reject_message("Content blocked: high-risk credentials detected (cloud keys, GitHub tokens, SSH keys). Use a secrets manager — never share credentials with AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("aws_access_key") ||
+     context.secret_types.contains("aws_secret_key") ||
+     context.secret_types.contains("gcp_service_account") ||
+     context.secret_types.contains("azure_connection_string") ||
+     context.secret_types.contains("github_token") ||
+     context.secret_types.contains("github_fine_grained") ||
+     context.secret_types.contains("private_key"))
+};
+
+// Block API keys and tokens across all actions
+@id("sentry-org-block-api-keys")
+@name("Block API keys and tokens")
+@description("Block content containing generic API keys, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types when users interact with AI services.")
+@severity("high")
+@tags("secrets,api-key,jwt,oauth,nist-ia-5")
+@reject_message("Content blocked: API keys, JWT tokens, or OAuth credentials detected. These must never be shared with AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("generic_api_key") ||
+     context.secret_types.contains("jwt_token") ||
+     context.secret_types.contains("openai_key") ||
+     context.secret_types.contains("anthropic_key") ||
+     context.secret_types.contains("stripe_key"))
+};
+
+// Block SSH key exposure across messages, paste, and file uploads
+@id("sentry-secrets-block-ssh-keys")
+@name("Block SSH key exposure")
+@description("Block when SSH private key content or SSH key file paths are detected. Covers messages, paste, and file uploads. AI chat services must not receive SSH credentials.")
+@severity("critical")
+@tags("secrets,ssh,credentials,nist-ia-5,mitre-t1552")
+@reject_message("Blocked: SSH private key content or key file path detected. AI chat services must not receive SSH credentials.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    resource
+)
+when {
+    context has secret_types && context.secret_types.contains("ssh_key")
+};
+
+// Block PEM/certificate key exposure across messages, paste, and file uploads
+@id("sentry-secrets-block-pem-keys")
+@name("Block PEM/certificate key exposure")
+@description("Block when PEM private key content or certificate key file paths (.pem, .key, .p12, .pfx) are detected. AI chat services must not receive certificate credentials.")
+@severity("critical")
+@tags("secrets,certificates,pem,nist-ia-5,mitre-t1552")
+@reject_message("Blocked: PEM private key or certificate key file detected. AI chat services must not receive certificate credentials.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    resource
+)
+when {
+    context has secret_types && context.secret_types.contains("pem_certificate")
+};
+
+// Block bulk secret exposure
+@id("sentry-org-block-bulk-secrets")
+@name("Block bulk secret exposure")
+@description("Block content when 3+ distinct secrets are found. Multiple secrets indicate a configuration dump, .env file paste, or credential harvesting being sent to AI services.")
+@severity("critical")
+@tags("secrets,bulk,data-exfiltration,nist-sc-28")
+@reject_message("Content blocked: multiple credentials detected (3+). Configuration dumps and credential lists must never be shared with AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has secret_count && context.secret_count >= 3
+};
+
+// Block detected credential patterns
+@id("sentry-org-block-detected-credentials")
+@name("Block detected credential patterns")
+@description("Block content flagged by detection engine rules for credential exposure, API key leaks, and token exposure. Defense-in-depth behind contains_secrets.")
+@severity("critical")
+@tags("secrets,credentials,detection-rules,nist-ia-5")
+@reject_message("Content blocked: detection engines identified credential patterns including secret exposure, API keys, or token leaks.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has detected_threats &&
+    (context.detected_threats.contains("secret_exposure") ||
+     context.detected_threats.contains("credential_leak") ||
+     context.detected_threats.contains("api_key_exposure"))
+};
+
+// Block AI responses when session has leaked secrets
+@id("sentry-org-session-secrets-response")
+@name("Block responses after secret detection")
+@description("Block AI responses when secrets were detected earlier in the session. If credentials were leaked in a previous turn, the AI service may have processed them and could echo or reference them in responses.")
+@severity("high")
+@tags("session,secrets,response-safety,defense-in-depth")
+@reject_message("AI response blocked: secrets were detected in an earlier message in this session. Responses may contain or reference the exposed credentials.")
+forbid (
+    principal,
+    action == Sentry::Action::"receive_response",
+    resource
+)
+when {
+    context has session_secrets_detected && context.session_secrets_detected
+};