@highflame/policy 2.1.3 → 2.1.5

package/_schemas/sentry/templates/defaults/semantic.cedar

@@ -0,0 +1,167 @@
+// =============================================================================
+// Semantic Threat Detection Policy (Default)
+// =============================================================================
+// Detects and blocks prompt injection, jailbreak attempts, and high-severity
+// threats across all browser AI interactions: messages, paste, file uploads.
+//
+// Uses multi-layered detection from Shield:
+//   1. ML classifier scores (injection_score, jailbreak_score)
+//   2. Detection engine rule triggers (detected_threats)
+//   3. Threat severity aggregation (max_threat_severity, highest_severity)
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — direct + indirect
+//   OWASP LLM02 (Insecure Output Handling)
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   MITRE ATLAS AML.T0054 (LLM Jailbreak)
+//   NIST 800-53 SI-3, SI-4
+//
+// Category: semantic
+// Namespace: Sentry
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Prompt Injection Detection
+// Blocks injection attempts in messages, pasted content, and uploaded files.
+// Users may inadvertently paste injection payloads from compromised sources.
+// ---------------------------------------------------------------------------
+
+// Block messages and pastes with prompt injection patterns
+@id("sentry-semantic-block-injection")
+@name("Block prompt injection")
+@description("Block messages and pasted content when detection engine rules identify prompt injection patterns. Catches instruction override, role assumption, and manipulation techniques in user input and pasted content (OWASP LLM01).")
+@severity("critical")
+@tags("injection,security,owasp-llm01,mitre-aml-t0051,baseline")
+@reject_message("Content was blocked because prompt injection patterns were detected. This prevents manipulation of AI agent behavior. Remove adversarial instructions and try again.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content"],
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("prompt_injection")
+};
+
+// Block content with high ML injection confidence
+@id("sentry-semantic-block-injection-score")
+@name("Block high-confidence injection")
+@description("Block content when the ML injection classifier confidence exceeds threshold (75/100). Catches novel injection techniques including polymorphic payloads, encoding tricks, and obfuscated instructions.")
+@severity("critical")
+@tags("injection,ml-classifier,security,owasp-llm01")
+@reject_message("Your content was blocked because the ML classifier detected prompt injection with high confidence.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    resource
+)
+when {
+    context has injection_score && context.injection_score >= 75
+};
+
+// Block injection payloads hidden in uploaded documents
+@id("sentry-semantic-block-file-injection")
+@name("Block injection in uploaded files")
+@description("Block file uploads when prompt injection patterns are detected in the document content. Attackers embed injection payloads in PDFs, documents, and spreadsheets to hijack AI behavior via RAG or file analysis.")
+@severity("critical")
+@tags("injection,file-upload,security,owasp-llm01")
+@reject_message("File upload was blocked because prompt injection patterns were detected in the document. Files containing adversarial instructions cannot be shared with AI services.")
+forbid (
+    principal,
+    action == Sentry::Action::"upload_file",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("prompt_injection")
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Jailbreak Detection
+// Blocks jailbreak attempts in messages sent to AI services.
+// ---------------------------------------------------------------------------
+
+// Block messages with jailbreak attempts
+@id("sentry-semantic-block-jailbreak")
+@name("Block jailbreak attempts")
+@description("Block messages when detection engine rules identify jailbreak patterns: DAN-style prompts, role-play exploits, safety bypass instructions, and constraint removal attempts (OWASP LLM02).")
+@severity("critical")
+@tags("jailbreak,bypass,security,owasp-llm02,mitre-aml-t0054,baseline")
+@reject_message("Your message was blocked because jailbreak patterns were detected. This prevents circumvention of AI safety controls.")
+forbid (
+    principal,
+    action == Sentry::Action::"send_message",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("jailbreak")
+};
+
+// Block content with high ML jailbreak confidence
+@id("sentry-semantic-block-jailbreak-score")
+@name("Block high-confidence jailbreak")
+@description("Block content when the ML jailbreak classifier exceeds threshold (75/100). Catches sophisticated jailbreak techniques including multi-turn manipulation and encoded payloads.")
+@severity("critical")
+@tags("jailbreak,ml-classifier,security,owasp-llm02")
+@reject_message("Your content was blocked because the ML classifier detected a jailbreak attempt with high confidence.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content"],
+    resource
+)
+when {
+    context has jailbreak_score && context.jailbreak_score >= 75
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: Threat Severity Aggregation
+// Catch-all rules based on aggregated threat severity across all detectors.
+// ---------------------------------------------------------------------------
+
+// Block any content with critical severity threats
+@id("sentry-semantic-block-critical")
+@name("Block critical threats")
+@description("Block all content when any detection engine reports critical severity. This is the ultimate catch-all for critical-severity threats regardless of type or source.")
+@severity("critical")
+@tags("critical,baseline,security,catch-all")
+@reject_message("Your content was blocked because security scanners detected a critical-severity threat. This content cannot be processed by AI services.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has highest_severity && context.highest_severity == "critical"
+};
+
+// Block messages with high severity semantic threats
+@id("sentry-semantic-block-high-severity")
+@name("Block high severity threats")
+@description("Block messages when threat detection reports high severity (>= 3) in semantic categories. Catches threats that individually are below critical but collectively indicate adversarial intent.")
+@severity("high")
+@tags("semantic,severity,security,defense-in-depth")
+@reject_message("Your message was blocked because security scanners detected high severity issues. Review your content for manipulative or adversarial patterns.")
+forbid (
+    principal,
+    action == Sentry::Action::"send_message",
+    resource
+)
+when {
+    context has threat_categories && context has max_threat_severity &&
+    context.threat_categories.contains("injection") &&
+    context.max_threat_severity >= 3
+};
+
+// Block content with multiple concurrent threats
+@id("sentry-semantic-block-multi-threat")
+@name("Block multi-threat content")
+@description("Block content when multiple distinct threats are detected simultaneously (3+). Multiple concurrent threats strongly indicate an adversarial attack chain or compromised content.")
+@severity("high")
+@tags("multi-threat,security,defense-in-depth")
+@reject_message("Content was blocked because multiple security threats were detected simultaneously. This pattern indicates potentially adversarial content.")
+forbid (
+    principal,
+    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    resource
+)
+when {
+    context has threat_count && context.threat_count >= 3
+};

package/_schemas/sentry/templates/templates.json

@@ -0,0 +1,93 @@
+{
+  "service": "sentry",
+  "version": "1.0.0",
+  "description": "Sentry policy templates for browser AI security",
+  "categories": [
+    {
+      "id": "pii",
+      "name": "PII Detection",
+      "description": "Detect and block personally identifiable information (PII) such as credit card numbers, SSNs, health data, and other sensitive personal data from being shared with AI chat services"
+    },
+    {
+      "id": "semantic",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats in messages, pasted content, and uploaded files"
+    },
+    {
+      "id": "content_safety",
+      "name": "Content Safety",
+      "description": "Detect and block violent, harmful, hateful, sexual, and profane content in AI interactions, including cut-and-paste safety rules"
+    },
+    {
+      "id": "file_safety",
+      "name": "File & Attachment Safety",
+      "description": "Enforce document sensitivity controls (MIP labels), block sensitive file uploads, detect secrets and PII in uploaded documents"
+    },
+    {
+      "id": "organization",
+      "name": "Organization Rules",
+      "description": "Organization-wide baselines, AI service allowlists, credential leakage prevention, and source code protection"
+    }
+  ],
+  "defaults": [
+    {
+      "id": "sentry-baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
+    {
+      "id": "sentry-semantic-default",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats across messages, paste, and file uploads",
+      "category": "semantic",
+      "file": "defaults/semantic.cedar",
+      "severity": "critical",
+      "tags": ["injection", "jailbreak", "owasp-llm01", "owasp-llm02", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "sentry-content-safety-default",
+      "name": "Content Safety",
+      "description": "Detect and block violent, harmful, hateful, sexual, and profane content including cut-and-paste safety enforcement",
+      "category": "content_safety",
+      "file": "defaults/content_safety.cedar",
+      "severity": "critical",
+      "tags": ["violence", "hate-speech", "sexual", "profanity", "content-safety", "paste-safety", "baseline"],
+      "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "sentry-pii-default",
+      "name": "PII Detection",
+      "description": "Detect and block credit card numbers, SSNs, health data, and other PII in messages, pasted content, file uploads, and AI responses",
+      "category": "pii",
+      "file": "defaults/pii.cedar",
+      "severity": "critical",
+      "tags": ["pii", "privacy", "compliance", "pci-dss", "gdpr", "hipaa", "baseline"]
+    },
+    {
+      "id": "sentry-file-safety-default",
+      "name": "File & Attachment Safety",
+      "description": "Enforce MIP sensitivity labels, block confidential document uploads, detect secrets and PII in files, and restrict file types",
+      "category": "file_safety",
+      "file": "defaults/file_safety.cedar",
+      "severity": "critical",
+      "tags": ["mip", "document-sensitivity", "file-upload", "dlp", "compliance"]
+    },
+    {
+      "id": "sentry-organization-default",
+      "name": "Organization Rules",
+      "description": "Organization-wide policies: credential leakage prevention, source code protection, and secrets blocking across all interactions",
+      "category": "organization",
+      "file": "defaults/organization.cedar",
+      "severity": "critical",
+      "tags": ["secrets", "credentials", "source-code", "data-protection", "organization"]
+    }
+  ]
+}

package/dist/builder.d.ts

@@ -34,6 +34,24 @@ import { EntityType, EntityUID } from './entities.gen.js';
 import { ActionType } from './actions.gen.js';
 import { type PolicyAnnotations, type CustomAnnotations, type PolicySeverity } from './annotations.js';
 import type { ServiceContext } from './service-schemas.gen.js';
+/**
+ * Escape a string value for use in Cedar string literals.
+ * This prevents injection attacks by escaping backslashes and double quotes.
+ */
+export declare function escapeCedarString(value: string): string;
+/**
+ * Check if a string is a valid Cedar identifier.
+ */
+export declare function isValidIdentifier(s: string): boolean;
+/**
+ * Sanitize an identifier, replacing invalid characters with underscores.
+ */
+export declare function sanitizeIdentifier(s: string, context: string): string;
+/**
+ * Validate a raw condition string for potentially dangerous patterns.
+ * Returns true if the condition is safe to use.
+ */
+export declare function isValidRawCondition(condition: string): boolean;
 /**
  * Policy effect - permit or forbid
  */
@@ -266,6 +284,20 @@ export declare class Policy {
  * ```
  */
 export declare function getOptionalFields(serviceContext: ServiceContext, actions: string | string[]): Set<string>;
+/**
+ * Convert a condition to Cedar syntax.
+ * Field names are sanitized to prevent injection attacks.
+ *
+ * When `optionalFields` is provided and the condition's field is in the set,
+ * the output is wrapped with a `context has` guard:
+ *   `context has field && context.field > value`
+ */
+export declare function conditionToCedar(condition: PolicyCondition, optionalFields?: Set<string>): string;
+/**
+ * Convert a value to Cedar string representation.
+ * String values are escaped to prevent injection attacks.
+ */
+export declare function valueToString(value: string | number | boolean | string[]): string;
 /**
  * Convert a PolicyRule to Cedar policy text with proper annotations.
  *

package/dist/builder.js

@@ -48,19 +48,19 @@ const DANGEROUS_PATTERN_REGEX = /;|\/\/|\/\*|\*\/|permit\s*\(|forbid\s*\(/;
  * Escape a string value for use in Cedar string literals.
  * This prevents injection attacks by escaping backslashes and double quotes.
  */
-function escapeCedarString(value) {
+export function escapeCedarString(value) {
     return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
 }
 /**
  * Check if a string is a valid Cedar identifier.
  */
-function isValidIdentifier(s) {
+export function isValidIdentifier(s) {
     return VALID_IDENTIFIER_REGEX.test(s);
 }
 /**
  * Sanitize an identifier, replacing invalid characters with underscores.
  */
-function sanitizeIdentifier(s, context) {
+export function sanitizeIdentifier(s, context) {
     if (isValidIdentifier(s)) {
         return s;
     }
@@ -75,7 +75,7 @@ function sanitizeIdentifier(s, context) {
  * Validate a raw condition string for potentially dangerous patterns.
  * Returns true if the condition is safe to use.
  */
-function isValidRawCondition(condition) {
+export function isValidRawCondition(condition) {
     return !DANGEROUS_PATTERN_REGEX.test(condition);
 }
 /**
@@ -218,7 +218,7 @@ export function getOptionalFields(serviceContext, actions) {
  * the output is wrapped with a `context has` guard:
  *   `context has field && context.field > value`
  */
-function conditionToCedar(condition, optionalFields) {
+export function conditionToCedar(condition, optionalFields) {
     const field = sanitizeIdentifier(condition.field, 'field');
     const { operator, value } = condition;
     const valueStr = valueToString(value);
@@ -271,7 +271,7 @@ function conditionToCedar(condition, optionalFields) {
  * Convert a value to Cedar string representation.
  * String values are escaped to prevent injection attacks.
  */
-function valueToString(value) {
+export function valueToString(value) {
     if (typeof value === 'string') {
         return `"${escapeCedarString(value)}"`;
     }

package/dist/condition-groups.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Condition Groups — flat UI-friendly representation of ConditionExpression trees.
+ *
+ * Provides bidirectional conversion between recursive ConditionExpression ASTs
+ * and flat ConditionGroup arrays suitable for visual condition builder UIs.
+ *
+ * Also provides:
+ * - expressionToCedar(): render any AST node to valid Cedar condition text
+ * - extractContextFields(): collect all context field names from an AST
+ */
+import type { ConditionExpression, PolicyCondition } from './builder.js';
+/** Logical operator for combining conditions within a group. */
+export type GroupLogic = 'and' | 'or';
+/**
+ * A flat, UI-friendly condition group.
+ *
+ * Each group maps 1:1 to a visual block in the condition builder.
+ * Groups are implicitly combined with AND at the top level.
+ */
+export interface ConditionGroup {
+    /** Unique group ID (for React keys / reordering). */
+    id: string;
+    /** How conditions within this group combine. */
+    logic: GroupLogic;
+    /** Leaf conditions in the group. */
+    conditions: PolicyCondition[];
+    /** If true, the entire group is wrapped in NOT. */
+    negated: boolean;
+}
+/** Sentinel field name used for raw (unparseable) conditions. */
+export declare const RAW_CONDITION_FIELD = "__raw";
+/** Reset the group counter (for testing). */
+export declare function resetGroupCounter(): void;
+/**
+ * Convert a ConditionExpression AST into a flat array of ConditionGroups.
+ *
+ * The top-level AND is split into separate groups. Each OR subtree becomes
+ * a single group with `logic: 'or'`. NOT wrappers set `negated: true`.
+ * Raw nodes produce a sentinel condition with `field: "__raw"`.
+ */
+export declare function expressionToGroups(expr: ConditionExpression): ConditionGroup[];
+/**
+ * Convert a flat array of ConditionGroups back into a ConditionExpression AST.
+ *
+ * Each group becomes an AND/OR node (or single leaf if only one condition).
+ * If `negated`, the group is wrapped in NOT. Multiple groups are combined
+ * with a top-level AND.
+ */
+export declare function groupsToExpression(groups: ConditionGroup[]): ConditionExpression;
+/**
+ * Render any ConditionExpression node to valid Cedar condition text.
+ *
+ * This handles the full AST including AND, OR, NOT, and raw nodes —
+ * unlike `conditionToCedar()` which only handles leaf PolicyConditions.
+ *
+ * @param expr - The expression tree to render
+ * @param optionalFields - Optional set of field names that need `context has` guards
+ * @returns Cedar condition text (without the `when { ... }` wrapper)
+ */
+export declare function expressionToCedar(expr: ConditionExpression, optionalFields?: Set<string>): string;
+/**
+ * Extract all unique context field names referenced in a ConditionExpression tree.
+ *
+ * Used by Shield to determine which detectors to run — only detectors that
+ * produce fields referenced in active policies need to execute.
+ *
+ * @returns Sorted array of unique field names
+ */
+export declare function extractContextFields(expr: ConditionExpression): string[];