@highflame/policy 2.1.23 → 2.1.25

package/_schemas/sentry/templates/defaults/secrets.cedar

@@ -0,0 +1,155 @@
+// =============================================================================
+// Secrets Detection Policy (Default)
+// =============================================================================
+// Block credential and secret leakage across messages and AI responses.
+// Shield SecretsDetector identifies 18+ secret types via regex.
+//
+// Paste-targeted secret rules live in clipboard.cedar; this file covers
+// non-paste channels (messages, responses, and cross-cutting rules).
+//
+// Category: secrets
+// Namespace: Sentry
+// =============================================================================
+
+// Block messages containing secrets
+@id("sentry-org-block-secrets-messages")
+@name("Block messages with secrets")
+@description("Block messages when detection engines identify API keys, tokens, or credential patterns. First line of defense against accidental credential exposure in AI chat interactions.")
+@severity("critical")
+@tags("secrets,credentials,messages,nist-sc-28,nist-ia-5")
+@reject_message("Your message was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before sending to AI services.")
+forbid (
+    principal,
+    action == Sentry::Action::"send_message",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets
+};
+
+// Block high-risk secret types across all actions
+@id("sentry-org-block-high-risk-secrets")
+@name("Block high-risk credential types")
+@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings across all actions. These credential types pose the highest exfiltration risk.")
+@severity("critical")
+@tags("secrets,aws,github,ssh,cloud,nist-ia-5,mitre-t1552")
+@reject_message("Content blocked: high-risk credentials detected (cloud keys, GitHub tokens, SSH keys). Use a secrets manager — never share credentials with AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("aws_access_key") ||
+     context.secret_types.contains("aws_secret_key") ||
+     context.secret_types.contains("gcp_service_account") ||
+     context.secret_types.contains("azure_connection_string") ||
+     context.secret_types.contains("github_token") ||
+     context.secret_types.contains("github_fine_grained") ||
+     context.secret_types.contains("private_key"))
+};
+
+// Block API keys and tokens across all actions
+@id("sentry-org-block-api-keys")
+@name("Block API keys and tokens")
+@description("Block content containing generic API keys, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types when users interact with AI services.")
+@severity("high")
+@tags("secrets,api-key,jwt,oauth,nist-ia-5")
+@reject_message("Content blocked: API keys, JWT tokens, or OAuth credentials detected. These must never be shared with AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("generic_api_key") ||
+     context.secret_types.contains("jwt_token") ||
+     context.secret_types.contains("openai_key") ||
+     context.secret_types.contains("anthropic_key") ||
+     context.secret_types.contains("stripe_key"))
+};
+
+// Block SSH key exposure across messages, paste, and file uploads
+@id("sentry-secrets-block-ssh-keys")
+@name("Block SSH key exposure")
+@description("Block when SSH private key content or SSH key file paths are detected. Covers messages, paste, and file uploads. AI chat services must not receive SSH credentials.")
+@severity("critical")
+@tags("secrets,ssh,credentials,nist-ia-5,mitre-t1552")
+@reject_message("Blocked: SSH private key content or key file path detected. AI chat services must not receive SSH credentials.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    resource
+)
+when {
+    context has secret_types && context.secret_types.contains("ssh_key")
+};
+
+// Block PEM/certificate key exposure across messages, paste, and file uploads
+@id("sentry-secrets-block-pem-keys")
+@name("Block PEM/certificate key exposure")
+@description("Block when PEM private key content or certificate key file paths (.pem, .key, .p12, .pfx) are detected. AI chat services must not receive certificate credentials.")
+@severity("critical")
+@tags("secrets,certificates,pem,nist-ia-5,mitre-t1552")
+@reject_message("Blocked: PEM private key or certificate key file detected. AI chat services must not receive certificate credentials.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    resource
+)
+when {
+    context has secret_types && context.secret_types.contains("pem_certificate")
+};
+
+// Block bulk secret exposure
+@id("sentry-org-block-bulk-secrets")
+@name("Block bulk secret exposure")
+@description("Block content when 3+ distinct secrets are found. Multiple secrets indicate a configuration dump, .env file paste, or credential harvesting being sent to AI services.")
+@severity("critical")
+@tags("secrets,bulk,data-exfiltration,nist-sc-28")
+@reject_message("Content blocked: multiple credentials detected (3+). Configuration dumps and credential lists must never be shared with AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has secret_count && context.secret_count >= 3
+};
+
+// Block detected credential patterns
+@id("sentry-org-block-detected-credentials")
+@name("Block detected credential patterns")
+@description("Block content flagged by detection engine rules for credential exposure, API key leaks, and token exposure. Defense-in-depth behind contains_secrets.")
+@severity("critical")
+@tags("secrets,credentials,detection-rules,nist-ia-5")
+@reject_message("Content blocked: detection engines identified credential patterns including secret exposure, API keys, or token leaks.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has detected_threats &&
+    (context.detected_threats.contains("secret_exposure") ||
+     context.detected_threats.contains("credential_leak") ||
+     context.detected_threats.contains("api_key_exposure"))
+};
+
+// Block AI responses when session has leaked secrets
+@id("sentry-org-session-secrets-response")
+@name("Block responses after secret detection")
+@description("Block AI responses when secrets were detected earlier in the session. If credentials were leaked in a previous turn, the AI service may have processed them and could echo or reference them in responses.")
+@severity("high")
+@tags("session,secrets,response-safety,defense-in-depth")
+@reject_message("AI response blocked: secrets were detected in an earlier message in this session. Responses may contain or reference the exposed credentials.")
+forbid (
+    principal,
+    action == Sentry::Action::"receive_response",
+    resource
+)
+when {
+    context has session_secrets_detected && context.session_secrets_detected
+};

package/_schemas/sentry/templates/templates.json

@@ -3,6 +3,11 @@
   "version": "1.0.0",
   "description": "Sentry policy templates for browser AI security",
   "categories": [
+    {
+      "id": "secrets",
+      "name": "Secrets Detection",
+      "description": "Detect and block secrets, API keys, tokens, and other credentials in messages and AI responses"
+    },
     {
       "id": "pii",
       "name": "PII Detection",
@@ -23,10 +28,15 @@
       "name": "File & Attachment Safety",
       "description": "Enforce document sensitivity controls (MIP labels), block sensitive file uploads, detect secrets and PII in uploaded documents"
     },
+    {
+      "id": "clipboard",
+      "name": "Clipboard Policy",
+      "description": "Control paste operations into AI chat services — block paste outright, block when secrets or source code are detected"
+    },
     {
       "id": "organization",
       "name": "Organization Rules",
-      "description": "Organization-wide baselines, AI service allowlists, credential leakage prevention, and source code protection"
+      "description": "Cross-cutting organization-wide rules: source code protection in messages and session-aware threat escalation"
     }
   ],
   "defaults": [
@@ -39,7 +49,9 @@
       "severity": "low",
       "tags": ["baseline", "permit-default", "organization"],
       "is_active": true
-    },
+    }
+  ],
+  "templates": [
     {
       "id": "sentry-semantic-default",
       "name": "Semantic Threat Detection",
@@ -47,8 +59,7 @@
       "category": "semantic",
       "file": "defaults/semantic.cedar",
       "severity": "critical",
-      "tags": ["injection", "jailbreak", "owasp-llm01", "owasp-llm02", "baseline"],
-      "is_active": true
+      "tags": ["injection", "jailbreak", "owasp-llm01", "owasp-llm02", "baseline"]
     },
     {
       "id": "sentry-content-safety-default",
@@ -57,11 +68,17 @@
       "category": "content_safety",
       "file": "defaults/content_safety.cedar",
       "severity": "critical",
-      "tags": ["violence", "hate-speech", "sexual", "profanity", "content-safety", "paste-safety", "baseline"],
-      "is_active": true
-    }
-  ],
-  "templates": [
+      "tags": ["violence", "hate-speech", "sexual", "profanity", "content-safety", "paste-safety", "baseline"]
+    },
+    {
+      "id": "sentry-secrets-default",
+      "name": "Secrets Detection",
+      "description": "Block secrets, API keys, tokens, and credential leakage in messages and AI responses across all interactions",
+      "category": "secrets",
+      "file": "defaults/secrets.cedar",
+      "severity": "critical",
+      "tags": ["secrets", "credentials", "api-keys", "data-protection"]
+    },
     {
       "id": "sentry-pii-default",
       "name": "PII Detection",
@@ -80,14 +97,23 @@
       "severity": "critical",
       "tags": ["mip", "document-sensitivity", "file-upload", "dlp", "compliance"]
     },
+    {
+      "id": "sentry-clipboard-default",
+      "name": "Clipboard Policy",
+      "description": "Control paste into AI chat services: blanket paste blocking, secrets-in-paste blocking, and source-code-in-paste blocking",
+      "category": "clipboard",
+      "file": "defaults/clipboard.cedar",
+      "severity": "high",
+      "tags": ["paste", "clipboard", "data-protection", "source-code", "secrets"]
+    },
     {
       "id": "sentry-organization-default",
       "name": "Organization Rules",
-      "description": "Organization-wide policies: credential leakage prevention, source code protection, and secrets blocking across all interactions",
+      "description": "Cross-cutting organization-wide policies: source code protection in messages and session-aware threat escalation",
       "category": "organization",
       "file": "defaults/organization.cedar",
-      "severity": "critical",
-      "tags": ["secrets", "credentials", "source-code", "data-protection", "organization"]
+      "severity": "high",
+      "tags": ["source-code", "session", "escalation", "organization"]
     }
   ]
 }

package/dist/engine.d.ts

@@ -48,6 +48,19 @@ export interface DeterminingPolicy {
     /** All annotations from this policy as key-value pairs */
     annotations: Record<string, string>;
 }
+/**
+ * Pairs a Cedar policy text with a globally-unique identifier (typically the
+ * originating database row's UUID) used as the cedar PolicySet key.
+ *
+ * Use with {@link PolicyEngine.loadPoliciesWithIds} to safely load policies
+ * from multiple tenants whose @id annotations may collide.
+ */
+export interface PolicyTextWithID {
+    /** Cedar policy text (may contain @id and other annotations) */
+    text: string;
+    /** Unique identifier — must be unique across the input set */
+    id: string;
+}
 export declare class Decision {
     readonly effect: "Allow" | "Deny";
     readonly determining_policies: DeterminingPolicy[];
@@ -92,8 +105,32 @@ export declare class PolicyEngine {
      * Load multiple Cedar policy texts (concatenated with newlines).
      * Uses @id annotations as policy IDs when available.
      * Stores all annotations per policy for enriching evaluation results.
+     *
+     * @deprecated Use {@link loadPoliciesWithIds} for any code that may load
+     * policies from multiple tenants. This method's @id-as-PolicyID behavior
+     * silently overwrites the cedar PolicySet entry when later policies share
+     * an @id with earlier ones (e.g., every tenant's `baseline-permit-all`).
+     * Kept for ad-hoc and test usage where uniqueness is guaranteed by the
+     * caller.
      */
     loadPolicies(policies: string[]): void;
+    /**
+     * Load Cedar policies using caller-supplied unique IDs as the cedar
+     * PolicySet key, preventing cross-tenant @id collisions that occur when
+     * multiple tenants author policies from a shared template (e.g., each
+     * tenant's `baseline-permit-all` sharing the same @id annotation).
+     *
+     * Each input is parsed independently so the supplied id maps
+     * deterministically to its policy. If a single text contains multiple
+     * Cedar policies, each is stored under `"<id>#<index>"`. The original
+     * @id annotation remains accessible via {@link getPolicyAnnotations}.
+     *
+     * When `item.id` is empty, the method falls back to @id-annotation-based
+     * id assignment (matching {@link loadPolicies} semantics) — useful for
+     * tests and ad-hoc loaders. Production multi-tenant callers MUST supply
+     * a non-empty id per policy or they reintroduce the collision risk.
+     */
+    loadPoliciesWithIds(policies: PolicyTextWithID[]): void;
     /**
      * Load schema from a Cedar schema string.
      */

package/dist/engine.js

@@ -226,12 +226,68 @@ export class PolicyEngine {
      * Load multiple Cedar policy texts (concatenated with newlines).
      * Uses @id annotations as policy IDs when available.
      * Stores all annotations per policy for enriching evaluation results.
+     *
+     * @deprecated Use {@link loadPoliciesWithIds} for any code that may load
+     * policies from multiple tenants. This method's @id-as-PolicyID behavior
+     * silently overwrites the cedar PolicySet entry when later policies share
+     * an @id with earlier ones (e.g., every tenant's `baseline-permit-all`).
+     * Kept for ad-hoc and test usage where uniqueness is guaranteed by the
+     * caller.
      */
     loadPolicies(policies) {
         const extracted = extractPolicies(policies.join("\n"));
         this.policySet = extracted.policySet;
         this.policyAnnotations = extracted.annotations;
     }
+    /**
+     * Load Cedar policies using caller-supplied unique IDs as the cedar
+     * PolicySet key, preventing cross-tenant @id collisions that occur when
+     * multiple tenants author policies from a shared template (e.g., each
+     * tenant's `baseline-permit-all` sharing the same @id annotation).
+     *
+     * Each input is parsed independently so the supplied id maps
+     * deterministically to its policy. If a single text contains multiple
+     * Cedar policies, each is stored under `"<id>#<index>"`. The original
+     * @id annotation remains accessible via {@link getPolicyAnnotations}.
+     *
+     * When `item.id` is empty, the method falls back to @id-annotation-based
+     * id assignment (matching {@link loadPolicies} semantics) — useful for
+     * tests and ad-hoc loaders. Production multi-tenant callers MUST supply
+     * a non-empty id per policy or they reintroduce the collision risk.
+     */
+    loadPoliciesWithIds(policies) {
+        const policyMap = {};
+        const annotationsMap = new Map();
+        let posIdx = 0;
+        for (const item of policies) {
+            const parts = cedar.policySetTextToParts(item.text);
+            if (parts.type !== "success" || parts.policies.length === 0) {
+                continue;
+            }
+            for (let subIdx = 0; subIdx < parts.policies.length; subIdx++) {
+                const policy = parts.policies[subIdx];
+                const policyAnnotations = extractAnnotationsFromText(policy);
+                let id;
+                if (item.id !== "") {
+                    id = subIdx === 0 ? item.id : `${item.id}#${subIdx}`;
+                }
+                else if (policyAnnotations["id"]) {
+                    id = policyAnnotations["id"];
+                }
+                else {
+                    id = `policy${posIdx}`;
+                }
+                if (annotationsMap.has(id)) {
+                    throw new Error(`duplicate policy ID detected: ${id}`);
+                }
+                policyMap[id] = policy;
+                annotationsMap.set(id, policyAnnotations);
+                posIdx++;
+            }
+        }
+        this.policySet = policyMap;
+        this.policyAnnotations = annotationsMap;
+    }
     /**
      * Load schema from a Cedar schema string.
      */

package/dist/sentry-defaults.gen.d.ts

@@ -2,7 +2,7 @@
  * Sentry policy category identifiers.
  * Maps to UI tab names in Studio.
  */
-export type SentryCategory = 'pii' | 'semantic' | 'content_safety' | 'file_safety' | 'organization';
+export type SentryCategory = 'secrets' | 'pii' | 'semantic' | 'content_safety' | 'file_safety' | 'clipboard' | 'organization';
 /**
  * Category metadata for UI display.
  */