@highflame/policy 2.1.22 → 2.1.24

package/_schemas/sentry/templates/templates.json

@@ -3,6 +3,11 @@
   "version": "1.0.0",
   "description": "Sentry policy templates for browser AI security",
   "categories": [
+    {
+      "id": "secrets",
+      "name": "Secrets Detection",
+      "description": "Detect and block secrets, API keys, tokens, and other credentials in messages and AI responses"
+    },
     {
       "id": "pii",
       "name": "PII Detection",
@@ -23,10 +28,15 @@
       "name": "File & Attachment Safety",
       "description": "Enforce document sensitivity controls (MIP labels), block sensitive file uploads, detect secrets and PII in uploaded documents"
     },
+    {
+      "id": "clipboard",
+      "name": "Clipboard Policy",
+      "description": "Control paste operations into AI chat services — block paste outright, block when secrets or source code are detected"
+    },
     {
       "id": "organization",
       "name": "Organization Rules",
-      "description": "Organization-wide baselines, AI service allowlists, credential leakage prevention, and source code protection"
+      "description": "Cross-cutting organization-wide rules: source code protection in messages and session-aware threat escalation"
     }
   ],
   "defaults": [
@@ -39,7 +49,9 @@
       "severity": "low",
       "tags": ["baseline", "permit-default", "organization"],
       "is_active": true
-    },
+    }
+  ],
+  "templates": [
     {
       "id": "sentry-semantic-default",
       "name": "Semantic Threat Detection",
@@ -47,8 +59,7 @@
       "category": "semantic",
       "file": "defaults/semantic.cedar",
       "severity": "critical",
-      "tags": ["injection", "jailbreak", "owasp-llm01", "owasp-llm02", "baseline"],
-      "is_active": true
+      "tags": ["injection", "jailbreak", "owasp-llm01", "owasp-llm02", "baseline"]
     },
     {
       "id": "sentry-content-safety-default",
@@ -57,11 +68,17 @@
       "category": "content_safety",
       "file": "defaults/content_safety.cedar",
       "severity": "critical",
-      "tags": ["violence", "hate-speech", "sexual", "profanity", "content-safety", "paste-safety", "baseline"],
-      "is_active": true
-    }
-  ],
-  "templates": [
+      "tags": ["violence", "hate-speech", "sexual", "profanity", "content-safety", "paste-safety", "baseline"]
+    },
+    {
+      "id": "sentry-secrets-default",
+      "name": "Secrets Detection",
+      "description": "Block secrets, API keys, tokens, and credential leakage in messages and AI responses across all interactions",
+      "category": "secrets",
+      "file": "defaults/secrets.cedar",
+      "severity": "critical",
+      "tags": ["secrets", "credentials", "api-keys", "data-protection"]
+    },
     {
       "id": "sentry-pii-default",
       "name": "PII Detection",
@@ -80,14 +97,23 @@
       "severity": "critical",
       "tags": ["mip", "document-sensitivity", "file-upload", "dlp", "compliance"]
     },
+    {
+      "id": "sentry-clipboard-default",
+      "name": "Clipboard Policy",
+      "description": "Control paste into AI chat services: blanket paste blocking, secrets-in-paste blocking, and source-code-in-paste blocking",
+      "category": "clipboard",
+      "file": "defaults/clipboard.cedar",
+      "severity": "high",
+      "tags": ["paste", "clipboard", "data-protection", "source-code", "secrets"]
+    },
     {
       "id": "sentry-organization-default",
       "name": "Organization Rules",
-      "description": "Organization-wide policies: credential leakage prevention, source code protection, and secrets blocking across all interactions",
+      "description": "Cross-cutting organization-wide policies: source code protection in messages and session-aware threat escalation",
       "category": "organization",
       "file": "defaults/organization.cedar",
-      "severity": "critical",
-      "tags": ["secrets", "credentials", "source-code", "data-protection", "organization"]
+      "severity": "high",
+      "tags": ["source-code", "session", "escalation", "organization"]
     }
   ]
 }

package/dist/ai_gateway-defaults.gen.js

@@ -412,44 +412,25 @@ const AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// ========================
 // Complements the MCP Server Allowlist (connect_server action)
 // with fine-grained per-tool control on call_tool action.
 //
+// Defaults to permit-all. Customize per-tool gating by adding forbid rules
+// scoped to specific mcp_server / tool_name combinations.
+//
 // Category: tools
 // Namespace: AIGateway
 // =============================================================================
 
-// -- GitHub MCP: Read-only access -------------------------------------------
+// -- Permit all MCP tool calls (opt-in default) -----------------------------
 
-@id("mcp-tool-allow-read-github")
-@name("Allow read-only GitHub tools")
-@description("Permit read operations from GitHub MCP server")
-@severity("medium")
-@tags("mcp,github,read-only,least-privilege")
+@id("mcp-tool-allow-all")
+@name("Allow all MCP tool calls")
+@description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
+@severity("low")
+@tags("mcp,permit-default")
 permit (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
-) when {
-    context has mcp_server && context.mcp_server == "github" &&
-    context has tool_name &&
-    (context.tool_name == "read_issues" ||
-     context.tool_name == "get_issue" ||
-     context.tool_name == "list_repos" ||
-     context.tool_name == "get_pull_request" ||
-     context.tool_name == "search_code" ||
-     context.tool_name == "get_file_contents")
-};
-
-@id("mcp-tool-deny-write-github")
-@name("Deny write GitHub tools")
-@description("Block create/update/delete operations on GitHub MCP server")
-@severity("high")
-@tags("mcp,github,write-block,least-privilege")
-forbid (
-    principal,
-    action == AIGateway::Action::"call_tool",
-    resource
-) when {
-    context has mcp_server && context.mcp_server == "github"
-};
+);
 
 // -- Organization-wide MCP server exclusions --------------------------------
 
@@ -668,11 +649,11 @@ export const AI_GATEWAY_TEMPLATES = [
     {
         id: 'tools-mcp-tool-permissions',
         name: 'MCP Tool Permissions',
-        description: 'Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources',
+        description: 'Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.',
         category: 'tools',
         cedarText: AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
-        severity: 'high',
-        tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
+        severity: 'low',
+        tags: ['mcp', 'tools', 'permit-default', 'exclusion'],
     },
     {
         id: 'data-pii-redaction',
@@ -788,11 +769,11 @@ export const AI_GATEWAY_TEMPLATES_JSON = `{
     {
       "id": "tools-mcp-tool-permissions",
       "name": "MCP Tool Permissions",
-      "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
       "category": "tools",
       "file": "mcp_tool_permissions.cedar",
-      "severity": "high",
-      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+      "severity": "low",
+      "tags": ["mcp", "tools", "permit-default", "exclusion"]
     },
     {
       "id": "data-pii-redaction",

package/dist/overwatch-defaults.gen.js

@@ -855,44 +855,25 @@ const OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =========================
 // Complements the existing MCP Server Allowlist (connect_server action)
 // with fine-grained per-tool control on call_tool action.
 //
+// Defaults to permit-all. Customize per-tool gating by adding forbid rules
+// scoped to specific mcp_server / tool_name combinations.
+//
 // Category: tools
 // Namespace: Overwatch
 // =============================================================================
 
-// -- GitHub MCP: Read-only access -------------------------------------------
+// -- Permit all MCP tool calls (opt-in default) -----------------------------
 
-@id("mcp-tool-allow-read-github")
-@name("Allow read-only GitHub tools")
-@description("Permit read operations from GitHub MCP server")
-@severity("medium")
-@tags("mcp,github,read-only,least-privilege")
+@id("mcp-tool-allow-all")
+@name("Allow all MCP tool calls")
+@description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
+@severity("low")
+@tags("mcp,permit-default")
 permit (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
-) when {
-    context has mcp_server && context.mcp_server == "github" &&
-    context has tool_name &&
-    (context.tool_name == "read_issues" ||
-     context.tool_name == "get_issue" ||
-     context.tool_name == "list_repos" ||
-     context.tool_name == "get_pull_request" ||
-     context.tool_name == "search_code" ||
-     context.tool_name == "get_file_contents")
-};
-
-@id("mcp-tool-deny-write-github")
-@name("Deny write GitHub tools")
-@description("Block create/update/delete operations on GitHub MCP server")
-@severity("high")
-@tags("mcp,github,write-block,least-privilege")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-) when {
-    context has mcp_server && context.mcp_server == "github"
-};
+);
 
 // -- Organization-wide MCP server exclusions --------------------------------
 
@@ -1117,11 +1098,11 @@ export const OVERWATCH_TEMPLATES = [
     {
         id: 'tools-mcp-tool-permissions',
         name: 'MCP Tool Permissions',
-        description: 'Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources',
+        description: 'Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.',
         category: 'tools',
         cedarText: OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
-        severity: 'high',
-        tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
+        severity: 'low',
+        tags: ['mcp', 'tools', 'permit-default', 'exclusion'],
     },
     {
         id: 'org-default-deny',
@@ -1256,11 +1237,11 @@ export const OVERWATCH_TEMPLATES_JSON = `{
     {
       "id": "tools-mcp-tool-permissions",
       "name": "MCP Tool Permissions",
-      "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
       "category": "tools",
       "file": "mcp_tool_permissions.cedar",
-      "severity": "high",
-      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+      "severity": "low",
+      "tags": ["mcp", "tools", "permit-default", "exclusion"]
     },
     {
       "id": "org-default-deny",

package/dist/sentry-defaults.gen.d.ts

@@ -2,7 +2,7 @@
  * Sentry policy category identifiers.
  * Maps to UI tab names in Studio.
  */
-export type SentryCategory = 'pii' | 'semantic' | 'content_safety' | 'file_safety' | 'organization';
+export type SentryCategory = 'secrets' | 'pii' | 'semantic' | 'content_safety' | 'file_safety' | 'clipboard' | 'organization';
 /**
  * Category metadata for UI display.
  */