@highflame/policy 2.1.31 → 2.1.33

package/_schemas/sentry/context.json

@@ -4,7 +4,7 @@
   "description": "Sentry browser security — monitors AI chat interactions and enforces data-protection, content-safety, and compliance policies",
   "actions": [
     {
-      "name": "send_message",
+      "name": "process_prompt",
       "description": "User sends a message (prompt) to an AI chat service via the browser",
       "context_attributes": [
         {
@@ -23,7 +23,7 @@
           "key": "event",
           "type": "string",
           "required": true,
-          "description": "Event type (always 'send_message')"
+          "description": "Event type (always 'process_prompt')"
         },
         {
           "key": "user_email",

package/_schemas/sentry/schema.cedarschema

@@ -62,7 +62,7 @@ entity User;
 // ENTITIES - Resources (scoped under Project)
 // =============================================================================
 
-/// AI chat session — resource for send_message and receive_response actions
+/// AI chat session — resource for process_prompt and receive_response actions
 entity ChatSession in [Project];
 
 /// Document or file being uploaded — resource for upload_file action
@@ -74,14 +74,14 @@ entity Document in [Project];
 
 // User sends a message (prompt) to an AI chat service
 // Threat focus: data leakage (PII, secrets, confidential data), injection, content safety
-action send_message appliesTo {
+action process_prompt appliesTo {
   principal: [User],
   resource: [ChatSession],
   context: {
     // --- Core Metadata ---
     content: String,                  // Raw message content being sent
     source: String,                   // Browser extension identifier: "sentry"
-    event: String,                    // Event type: "send_message"
+    event: String,                    // Event type: "process_prompt"
     user_email: String,               // User identifier (SSO/OAuth verified)
     target_app: String,               // AI service: "chatgpt", "gemini", "claude", "copilot", "custom"
     target_url?: String,              // Full URL of the AI chat service

package/_schemas/sentry/templates/defaults/clipboard.cedar

@@ -4,10 +4,15 @@
 // Controls over paste operations into AI chat services. Covers:
 //   - Blanket paste blocking (admin-configurable)
 //   - Paste-with-secrets blocking
+//   - Paste-with-PII blocking
 //   - Paste-with-source-code blocking
+//   - Large-paste threat blocking
+//   - Paste-with-encoded-payload blocking
+//   - Paste-with-invisible-character blocking
 //
-// Cross-cutting secret rules (e.g. high-risk credential types) are defined
-// in secrets.cedar and apply to paste content as well.
+// All policies in this file are scoped to action == "paste_content". Other
+// templates (semantic.cedar, content_safety.cedar, pii.cedar, secrets.cedar)
+// cover process_prompt and upload_file for the same threat categories.
 //
 // Category: clipboard
 // Namespace: Sentry
@@ -58,19 +63,36 @@ when {
     context has pii_detected && context.pii_detected
 };
 
-// Block pasted source code
-@id("sentry-org-block-code-paste")
-@name("Block pasted source code")
-@description("Block paste operations when content is primarily source code (>80%). Prevents code exfiltration via clipboard from IDEs, terminals, or code repositories into AI chats.")
+// Block pastes containing encoded injection payloads
+@id("sentry-clipboard-block-paste-encoded")
+@name("Block encoded paste content")
+@description("Block paste operations when encoded injection payloads (base64, hex, unicode) are detected. Attackers use encoding to smuggle injection payloads via clipboard transfer.")
 @severity("high")
-@tags("source-code,paste-safety,ip-protection,data-leakage")
-@reject_message("Paste blocked: the content appears to be primarily source code (>80%). Pasting bulk source code into AI services risks intellectual property exposure.")
+@tags("paste-safety,encoding,injection,clipboard")
+@reject_message("Paste blocked: encoded injection payloads detected in pasted content. Content with hidden encoded instructions cannot be shared with AI services.")
 forbid (
     principal,
     action == Sentry::Action::"paste_content",
     resource
 )
 when {
-    context has contains_code && context.contains_code &&
-    context has code_ratio && context.code_ratio > 80
+    context has encoded_content_detected && context.encoded_content_detected &&
+    context has encoded_score && context.encoded_score >= 60
+};
+
+// Block pastes with invisible characters
+@id("sentry-clipboard-block-paste-invisible")
+@name("Block paste with invisible characters")
+@description("Block paste operations containing invisible Unicode characters (zero-width, bidi overrides). These can hide malicious instructions that appear invisible to users but are processed by AI models.")
+@severity("high")
+@tags("paste-safety,unicode,invisible-chars,clipboard")
+@reject_message("Paste blocked: invisible Unicode characters detected. Hidden characters can disguise malicious instructions that AI models process but users cannot see.")
+forbid (
+    principal,
+    action == Sentry::Action::"paste_content",
+    resource
+)
+when {
+    context has contains_invisible_chars && context.contains_invisible_chars &&
+    context has invisible_chars_score && context.invisible_chars_score >= 50
 };

package/_schemas/sentry/templates/defaults/content_safety.cedar

@@ -2,8 +2,10 @@
 // Content Safety Policy (Default)
 // =============================================================================
 // Detects and blocks violent, harmful, hateful, sexual, and profane content
-// in AI chat interactions. Includes cut-and-paste safety rules to prevent
-// unsafe content from being transferred into AI services.
+// in AI chat interactions across messages and file uploads.
+//
+// Paste-specific content safety rules live in clipboard.cedar — see
+// "Clipboard Policy".
 //
 // The detection engine runs ML classifiers (toxicity, content safety) and
 // produces normalized scores (0-100) for each category.
@@ -21,19 +23,19 @@
 // ---------------------------------------------------------------------------
 // Section 1: Violence & Weapons
 // Blocks content promoting, describing, or instructing violence and weapons.
-// Applies to messages, paste, and file uploads.
+// Applies to messages and file uploads.
 // ---------------------------------------------------------------------------
 
 // Block violent content across all input channels
 @id("sentry-cs-block-violence")
 @name("Block violent content")
-@description("Block content when the ML violence detection score exceeds threshold (80/100). Catches graphic violence descriptions, instructions for causing harm, and violent threat language in messages, pastes, and uploads.")
+@description("Block content when the ML violence detection score exceeds threshold (80/100). Catches graphic violence descriptions, instructions for causing harm, and violent threat language in messages and uploads.")
 @severity("critical")
 @tags("violence,content-safety,trust-safety,nist-si-4,iso-42001")
 @reject_message("Content blocked: violent content detected. AI services must not process violent content in enterprise environments. Please rephrase without violence-related language.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -49,7 +51,7 @@ when {
 @reject_message("Content blocked: weapons-related content detected. AI services must not process weapons manufacturing, procurement, or specification content.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -70,7 +72,7 @@ when {
 @reject_message("Content blocked: hate speech or discriminatory content detected. AI services must not process hateful, discriminatory, or dehumanizing content.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -90,7 +92,7 @@ when {
 @reject_message("Content blocked: criminal activity content detected. AI services must not process content related to illegal activities or fraud.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -110,7 +112,7 @@ when {
 @reject_message("Content blocked: sexual content detected. AI services must not process sexually explicit material in enterprise environments.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -131,102 +133,10 @@ when {
 @reject_message("Content blocked: excessive profanity detected. Please rephrase in a professional manner.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content"],
+    action == Sentry::Action::"process_prompt",
     resource
 )
 when {
     context has profanity_score && context.profanity_score >= 90
 };
 
-// ---------------------------------------------------------------------------
-// Section 6: Cut & Paste Safety
-// Specific rules for content pasted from external sources into AI chats.
-// Paste operations are a primary vector for data leakage.
-// ---------------------------------------------------------------------------
-
-// Block large pastes with any detected threats
-@id("sentry-cs-block-large-paste-threats")
-@name("Block large pastes with threats")
-@description("Block large paste operations (>5000 chars) when any threats are detected. Large pastes with threats likely indicate bulk data dumps from emails, documents, or databases being leaked to AI services.")
-@severity("high")
-@tags("paste-safety,data-leakage,content-safety")
-@reject_message("Large paste operation blocked: security threats were detected in the pasted content. Large data transfers to AI services require threat-free content.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has paste_length && context has threat_count &&
-    context.paste_length > 5000 && context.threat_count >= 1
-};
-
-// Block pastes containing encoded injection payloads
-@id("sentry-cs-block-paste-encoded")
-@name("Block encoded paste content")
-@description("Block paste operations when encoded injection payloads (base64, hex, unicode) are detected. Attackers use encoding to smuggle injection payloads via clipboard transfer.")
-@severity("high")
-@tags("paste-safety,encoding,injection,content-safety")
-@reject_message("Paste blocked: encoded injection payloads detected in pasted content. Content with hidden encoded instructions cannot be shared with AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has encoded_content_detected && context.encoded_content_detected &&
-    context has encoded_score && context.encoded_score >= 60
-};
-
-// Block pastes with invisible characters
-@id("sentry-cs-block-paste-invisible")
-@name("Block paste with invisible characters")
-@description("Block paste operations containing invisible Unicode characters (zero-width, bidi overrides). These can hide malicious instructions that appear invisible to users but are processed by AI models.")
-@severity("high")
-@tags("paste-safety,unicode,invisible-chars,content-safety")
-@reject_message("Paste blocked: invisible Unicode characters detected. Hidden characters can disguise malicious instructions that AI models process but users cannot see.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has contains_invisible_chars && context.contains_invisible_chars &&
-    context has invisible_chars_score && context.invisible_chars_score >= 50
-};
-
-// ---------------------------------------------------------------------------
-// Section 7: AI Response Safety
-// Block harmful content in AI responses before user sees it.
-// ---------------------------------------------------------------------------
-
-// Block violent/harmful AI responses
-@id("sentry-cs-block-response-safety")
-@name("Block harmful AI responses")
-@description("Block AI responses containing high-severity violent, hateful, or criminal content. Prevents harmful AI-generated content from reaching users in enterprise environments.")
-@severity("critical")
-@tags("response-safety,content-safety,owasp-llm02")
-@reject_message("AI response blocked: harmful content detected in the response. The AI service generated content that violates enterprise content safety policies.")
-forbid (
-    principal,
-    action == Sentry::Action::"receive_response",
-    resource
-)
-when {
-    context has violence_score && context.violence_score >= 80
-};
-
-@id("sentry-cs-block-response-hate")
-@name("Block hateful AI responses")
-@description("Block AI responses with hate speech or discriminatory content.")
-@severity("critical")
-@tags("response-safety,hate-speech,content-safety,owasp-llm02")
-@reject_message("AI response blocked: hate speech or discriminatory content detected in the response.")
-forbid (
-    principal,
-    action == Sentry::Action::"receive_response",
-    resource
-)
-when {
-    context has hate_speech_score && context.hate_speech_score >= 75
-};

package/_schemas/sentry/templates/defaults/file_safety.cedar

@@ -9,8 +9,6 @@
 //   1. MIP label enforcement — sensitivity_level from document metadata
 //   2. PII/secrets in file content — from Shield PIIRegexDetector/SecretsDetector
 //   3. Injection payloads in files — from Shield InjectionDetector
-//   4. File type restrictions — block dangerous extensions
-//   5. Phishing link detection — from CheckPhishDetector
 //
 // Compliance:
 //   Microsoft Information Protection (MIP) — label-based access control
@@ -112,63 +110,3 @@ forbid (
 when {
     context has pii_detected && context.pii_detected
 };
-
-// Block files with phishing links
-@id("sentry-file-block-phishing")
-@name("Block files with phishing links")
-@description("Block file uploads when phishing URLs are detected in document content. Prevents sharing of compromised documents that could expose phishing links to AI processing.")
-@severity("high")
-@tags("phishing,file-upload,security")
-@reject_message("Upload blocked: phishing URLs detected in the file. Documents containing phishing links cannot be shared with AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has phishing_detected && context.phishing_detected
-};
-
-// ---------------------------------------------------------------------------
-// Section 3: File Type & Size Restrictions
-// Block potentially dangerous file types and oversized files.
-// ---------------------------------------------------------------------------
-
-// Block large file uploads with any threats
-@id("sentry-file-block-large-threats")
-@name("Block large files with threats")
-@description("Block file uploads over 10MB when any threats are detected. Large files with threats likely contain data dumps or bulk exports being exfiltrated to AI services.")
-@severity("high")
-@tags("file-upload,size-limit,data-protection")
-@reject_message("Upload blocked: security threats detected in a large file. Large data transfers to AI services require threat-free content.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has file_size_bytes && context has threat_count &&
-    context.file_size_bytes > 10485760 && context.threat_count >= 1
-};
-
-// ---------------------------------------------------------------------------
-// Section 4: Source Code Protection
-// Block source code uploads to AI services.
-// ---------------------------------------------------------------------------
-
-// Block files with high code content
-@id("sentry-file-block-source-code")
-@name("Block source code uploads")
-@description("Block file uploads when source code constitutes more than 80% of the content. Prevents bulk source code exfiltration to external AI services where it may be used for training or exposed.")
-@severity("high")
-@tags("source-code,ip-protection,file-upload,data-leakage")
-@reject_message("Upload blocked: the file appears to be primarily source code (>80%). Bulk source code should not be shared with external AI services to protect intellectual property.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has contains_code && context.contains_code &&
-    context has code_ratio && context.code_ratio > 80
-};

package/_schemas/sentry/templates/defaults/organization.cedar

@@ -28,7 +28,7 @@
 @reject_message("Message blocked: the content appears to be primarily source code (>80%). Bulk source code should not be shared with external AI services to protect intellectual property.")
 forbid (
     principal,
-    action == Sentry::Action::"send_message",
+    action == Sentry::Action::"process_prompt",
     resource
 )
 when {

package/_schemas/sentry/templates/defaults/pii.cedar

@@ -1,8 +1,10 @@
 // =============================================================================
 // PII Detection Policy (Default)
 // =============================================================================
-// Detects and blocks personally identifiable information across messages,
-// pasted content, file uploads, and AI responses. Uses multi-layered detection:
+// Detects and blocks personally identifiable information across messages
+// and file uploads. Uses multi-layered detection:
+//
+// Paste-targeted PII rules live in clipboard.cedar.
 //
 //   1. PII boolean flag (pii_detected) — broadest catch from detection engine
 //   2. Granular PII type matching (pii_types) — type-specific blocking
@@ -30,16 +32,16 @@
 // Fires when the detection pipeline identifies PII in any content.
 // ---------------------------------------------------------------------------
 
-// Block messages containing detected PII
+// Block messages and uploads containing detected PII
 @id("sentry-pii-block-messages")
-@name("Block messages with PII")
-@description("Block messages when the detection engine identifies any PII patterns. Prevents employees from accidentally sharing personal data with AI chat services.")
+@name("Block messages and uploads with PII")
+@description("Block messages and file uploads when the detection engine identifies any PII patterns. Prevents employees from accidentally sharing personal data with AI chat services.")
 @severity("critical")
 @tags("pii,privacy,data-protection,gdpr-art-32,owasp-llm06")
-@reject_message("Your message was blocked because personally identifiable information was detected. Remove all PII (names, addresses, SSNs, credit cards, etc.) before sending to AI services.")
+@reject_message("Content blocked: personally identifiable information was detected. Remove all PII (names, addresses, SSNs, credit cards, etc.) before sending to AI services.")
 forbid (
     principal,
-    action == Sentry::Action::"send_message",
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -54,13 +56,13 @@ when {
 // Block credit card numbers (PCI DSS compliance)
 @id("sentry-pii-block-credit-cards")
 @name("Block credit card numbers")
-@description("Block content containing credit card number patterns across all actions. PCI DSS 3.4 requires PANs are rendered unreadable — AI services must never receive raw card numbers.")
+@description("Block messages and file uploads containing credit card number patterns. PCI DSS 3.4 requires PANs are rendered unreadable — AI services must never receive raw card numbers.")
 @severity("critical")
 @tags("pci,credit-card,payment,compliance,pci-dss-3.4")
 @reject_message("Content blocked: credit card number patterns detected. Sharing payment card data with AI services violates PCI DSS. Use tokenized references instead.")
 forbid (
     principal,
-    action,
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -71,13 +73,13 @@ when {
 // Block Social Security Numbers
 @id("sentry-pii-block-ssn")
 @name("Block Social Security Numbers")
-@description("Block content containing SSN patterns (XXX-XX-XXXX and variants). SSNs are high-value identity theft targets — exposure through AI services is a critical privacy violation.")
+@description("Block messages and file uploads containing SSN patterns (XXX-XX-XXXX and variants). SSNs are high-value identity theft targets — exposure through AI services is a critical privacy violation.")
 @severity("critical")
 @tags("ssn,identity,privacy,compliance,nist-si-4")
 @reject_message("Content blocked: Social Security Number patterns detected. SSNs must never be shared with AI services.")
 forbid (
     principal,
-    action,
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -88,13 +90,13 @@ when {
 // Block passport numbers
 @id("sentry-pii-block-passport")
 @name("Block passport numbers")
-@description("Block content containing passport number patterns. Passport numbers are government-issued identifiers with high identity theft risk.")
+@description("Block messages and file uploads containing passport number patterns. Passport numbers are government-issued identifiers with high identity theft risk.")
 @severity("critical")
 @tags("passport,identity,privacy,gdpr")
 @reject_message("Content blocked: passport number patterns detected. Government-issued identifiers must not be shared with AI services.")
 forbid (
     principal,
-    action,
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -104,13 +106,13 @@ when {
 // Block IBAN (International Bank Account Numbers)
 @id("sentry-pii-block-iban")
 @name("Block bank account numbers")
-@description("Block content containing IBAN patterns. Bank account numbers are sensitive financial identifiers that must not be exposed to AI services.")
+@description("Block messages and file uploads containing IBAN patterns. Bank account numbers are sensitive financial identifiers that must not be exposed to AI services.")
 @severity("critical")
 @tags("iban,financial,privacy,gdpr,pci-dss")
 @reject_message("Content blocked: bank account number (IBAN) patterns detected. Financial account numbers must not be shared with AI services.")
 forbid (
     principal,
-    action,
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -120,13 +122,13 @@ when {
 // Block bulk PII exposure
 @id("sentry-pii-block-bulk-exposure")
 @name("Block bulk PII exposure")
-@description("Block content containing 3 or more PII matches. Multiple PII items indicate a data dump — customer lists, CSV exports, or database content being leaked to AI services.")
+@description("Block messages and file uploads containing 3 or more PII matches. Multiple PII items indicate a data dump — customer lists, CSV exports, or database content being leaked to AI services.")
 @severity("critical")
 @tags("pii,bulk,data-exfiltration,gdpr-art-32,ccpa")
 @reject_message("Content blocked: multiple PII items detected (3+). Bulk personal data must never be shared with AI services. Use data masking or tokenization.")
 forbid (
     principal,
-    action,
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -141,13 +143,13 @@ when {
 // Block high-confidence PII
 @id("sentry-pii-block-high-confidence")
 @name("Block high-confidence PII")
-@description("Block content when the PII confidence score exceeds threshold (80/100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss.")
+@description("Block messages and file uploads when the PII confidence score exceeds threshold (80/100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss.")
 @severity("critical")
 @tags("pii,confidence,privacy,compliance,ml-classifier")
 @reject_message("Content blocked: the ML classifier detected personally identifiable information with high confidence. The content appears to contain personal data.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -162,36 +164,16 @@ when {
 // Block PII threat category
 @id("sentry-pii-block-threat-category")
 @name("Block PII threat category")
-@description("Block content when threat categorization identifies PII. Defense-in-depth behind the pii_detected boolean — catches cases where PII is flagged at the aggregation layer.")
+@description("Block messages and file uploads when threat categorization identifies PII. Defense-in-depth behind the pii_detected boolean — catches cases where PII is flagged at the aggregation layer.")
 @severity("high")
 @tags("pii,privacy,data-protection,gdpr")
 @reject_message("Content blocked: threat scanners detected personally identifiable information. Remove all PII before submitting.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
     context has threat_categories && context.threat_categories.contains("pii")
 };
 
-// ---------------------------------------------------------------------------
-// Section 5: AI Response PII Blocking
-// Prevent AI responses containing PII from reaching the user.
-// ---------------------------------------------------------------------------
-
-// Block AI responses containing PII
-@id("sentry-pii-block-responses")
-@name("Block AI responses with PII")
-@description("Block AI responses when PII is detected in the output. Prevents AI services from exposing personal data in generated responses (e.g., when the model echoes back or generates PII from training data).")
-@severity("high")
-@tags("pii,response-safety,data-protection,owasp-llm06")
-@reject_message("AI response blocked: personally identifiable information detected in the AI response. The AI service generated content containing personal data.")
-forbid (
-    principal,
-    action == Sentry::Action::"receive_response",
-    resource
-)
-when {
-    context has pii_detected && context.pii_detected
-};