@highflame/policy 2.1.32 → 2.1.34

package/_schemas/sentry/context.json

@@ -4,7 +4,7 @@
   "description": "Sentry browser security — monitors AI chat interactions and enforces data-protection, content-safety, and compliance policies",
   "actions": [
     {
-      "name": "send_message",
+      "name": "process_prompt",
       "description": "User sends a message (prompt) to an AI chat service via the browser",
       "context_attributes": [
         {
@@ -23,7 +23,7 @@
           "key": "event",
           "type": "string",
           "required": true,
-          "description": "Event type (always 'send_message')"
+          "description": "Event type (always 'process_prompt')"
         },
         {
           "key": "user_email",

package/_schemas/sentry/schema.cedarschema

@@ -62,7 +62,7 @@ entity User;
 // ENTITIES - Resources (scoped under Project)
 // =============================================================================
 
-/// AI chat session — resource for send_message and receive_response actions
+/// AI chat session — resource for process_prompt and receive_response actions
 entity ChatSession in [Project];
 
 /// Document or file being uploaded — resource for upload_file action
@@ -74,14 +74,14 @@ entity Document in [Project];
 
 // User sends a message (prompt) to an AI chat service
 // Threat focus: data leakage (PII, secrets, confidential data), injection, content safety
-action send_message appliesTo {
+action process_prompt appliesTo {
   principal: [User],
   resource: [ChatSession],
   context: {
     // --- Core Metadata ---
     content: String,                  // Raw message content being sent
     source: String,                   // Browser extension identifier: "sentry"
-    event: String,                    // Event type: "send_message"
+    event: String,                    // Event type: "process_prompt"
     user_email: String,               // User identifier (SSO/OAuth verified)
     target_app: String,               // AI service: "chatgpt", "gemini", "claude", "copilot", "custom"
     target_url?: String,              // Full URL of the AI chat service

package/_schemas/sentry/templates/defaults/clipboard.cedar

@@ -4,10 +4,15 @@
 // Controls over paste operations into AI chat services. Covers:
 //   - Blanket paste blocking (admin-configurable)
 //   - Paste-with-secrets blocking
+//   - Paste-with-PII blocking
 //   - Paste-with-source-code blocking
+//   - Large-paste threat blocking
+//   - Paste-with-encoded-payload blocking
+//   - Paste-with-invisible-character blocking
 //
-// Cross-cutting secret rules (e.g. high-risk credential types) are defined
-// in secrets.cedar and apply to paste content as well.
+// All policies in this file are scoped to action == "paste_content". Other
+// templates (semantic.cedar, content_safety.cedar, pii.cedar, secrets.cedar)
+// cover process_prompt and upload_file for the same threat categories.
 //
 // Category: clipboard
 // Namespace: Sentry
@@ -58,19 +63,36 @@ when {
     context has pii_detected && context.pii_detected
 };
 
-// Block pasted source code
-@id("sentry-org-block-code-paste")
-@name("Block pasted source code")
-@description("Block paste operations when content is primarily source code (>80%). Prevents code exfiltration via clipboard from IDEs, terminals, or code repositories into AI chats.")
+// Block pastes containing encoded injection payloads
+@id("sentry-clipboard-block-paste-encoded")
+@name("Block encoded paste content")
+@description("Block paste operations when encoded injection payloads (base64, hex, unicode) are detected. Attackers use encoding to smuggle injection payloads via clipboard transfer.")
 @severity("high")
-@tags("source-code,paste-safety,ip-protection,data-leakage")
-@reject_message("Paste blocked: the content appears to be primarily source code (>80%). Pasting bulk source code into AI services risks intellectual property exposure.")
+@tags("paste-safety,encoding,injection,clipboard")
+@reject_message("Paste blocked: encoded injection payloads detected in pasted content. Content with hidden encoded instructions cannot be shared with AI services.")
 forbid (
     principal,
     action == Sentry::Action::"paste_content",
     resource
 )
 when {
-    context has contains_code && context.contains_code &&
-    context has code_ratio && context.code_ratio > 80
+    context has encoded_content_detected && context.encoded_content_detected &&
+    context has encoded_score && context.encoded_score >= 60
+};
+
+// Block pastes with invisible characters
+@id("sentry-clipboard-block-paste-invisible")
+@name("Block paste with invisible characters")
+@description("Block paste operations containing invisible Unicode characters (zero-width, bidi overrides). These can hide malicious instructions that appear invisible to users but are processed by AI models.")
+@severity("high")
+@tags("paste-safety,unicode,invisible-chars,clipboard")
+@reject_message("Paste blocked: invisible Unicode characters detected. Hidden characters can disguise malicious instructions that AI models process but users cannot see.")
+forbid (
+    principal,
+    action == Sentry::Action::"paste_content",
+    resource
+)
+when {
+    context has contains_invisible_chars && context.contains_invisible_chars &&
+    context has invisible_chars_score && context.invisible_chars_score >= 50
 };

package/_schemas/sentry/templates/defaults/content_safety.cedar

@@ -2,8 +2,10 @@
 // Content Safety Policy (Default)
 // =============================================================================
 // Detects and blocks violent, harmful, hateful, sexual, and profane content
-// in AI chat interactions. Includes cut-and-paste safety rules to prevent
-// unsafe content from being transferred into AI services.
+// in AI chat interactions across messages and file uploads.
+//
+// Paste-specific content safety rules live in clipboard.cedar — see
+// "Clipboard Policy".
 //
 // The detection engine runs ML classifiers (toxicity, content safety) and
 // produces normalized scores (0-100) for each category.
@@ -21,19 +23,19 @@
 // ---------------------------------------------------------------------------
 // Section 1: Violence & Weapons
 // Blocks content promoting, describing, or instructing violence and weapons.
-// Applies to messages, paste, and file uploads.
+// Applies to messages and file uploads.
 // ---------------------------------------------------------------------------
 
 // Block violent content across all input channels
 @id("sentry-cs-block-violence")
 @name("Block violent content")
-@description("Block content when the ML violence detection score exceeds threshold (80/100). Catches graphic violence descriptions, instructions for causing harm, and violent threat language in messages, pastes, and uploads.")
+@description("Block content when the ML violence detection score exceeds threshold (80/100). Catches graphic violence descriptions, instructions for causing harm, and violent threat language in messages and uploads.")
 @severity("critical")
 @tags("violence,content-safety,trust-safety,nist-si-4,iso-42001")
 @reject_message("Content blocked: violent content detected. AI services must not process violent content in enterprise environments. Please rephrase without violence-related language.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -49,7 +51,7 @@ when {
 @reject_message("Content blocked: weapons-related content detected. AI services must not process weapons manufacturing, procurement, or specification content.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -70,7 +72,7 @@ when {
 @reject_message("Content blocked: hate speech or discriminatory content detected. AI services must not process hateful, discriminatory, or dehumanizing content.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -90,7 +92,7 @@ when {
 @reject_message("Content blocked: criminal activity content detected. AI services must not process content related to illegal activities or fraud.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -110,7 +112,7 @@ when {
 @reject_message("Content blocked: sexual content detected. AI services must not process sexually explicit material in enterprise environments.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content", Sentry::Action::"upload_file"],
+    action in [Sentry::Action::"process_prompt", Sentry::Action::"upload_file"],
     resource
 )
 when {
@@ -131,102 +133,10 @@ when {
 @reject_message("Content blocked: excessive profanity detected. Please rephrase in a professional manner.")
 forbid (
     principal,
-    action in [Sentry::Action::"send_message", Sentry::Action::"paste_content"],
+    action == Sentry::Action::"process_prompt",
     resource
 )
 when {
     context has profanity_score && context.profanity_score >= 90
 };
 
-// ---------------------------------------------------------------------------
-// Section 6: Cut & Paste Safety
-// Specific rules for content pasted from external sources into AI chats.
-// Paste operations are a primary vector for data leakage.
-// ---------------------------------------------------------------------------
-
-// Block large pastes with any detected threats
-@id("sentry-cs-block-large-paste-threats")
-@name("Block large pastes with threats")
-@description("Block large paste operations (>5000 chars) when any threats are detected. Large pastes with threats likely indicate bulk data dumps from emails, documents, or databases being leaked to AI services.")
-@severity("high")
-@tags("paste-safety,data-leakage,content-safety")
-@reject_message("Large paste operation blocked: security threats were detected in the pasted content. Large data transfers to AI services require threat-free content.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has paste_length && context has threat_count &&
-    context.paste_length > 5000 && context.threat_count >= 1
-};
-
-// Block pastes containing encoded injection payloads
-@id("sentry-cs-block-paste-encoded")
-@name("Block encoded paste content")
-@description("Block paste operations when encoded injection payloads (base64, hex, unicode) are detected. Attackers use encoding to smuggle injection payloads via clipboard transfer.")
-@severity("high")
-@tags("paste-safety,encoding,injection,content-safety")
-@reject_message("Paste blocked: encoded injection payloads detected in pasted content. Content with hidden encoded instructions cannot be shared with AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has encoded_content_detected && context.encoded_content_detected &&
-    context has encoded_score && context.encoded_score >= 60
-};
-
-// Block pastes with invisible characters
-@id("sentry-cs-block-paste-invisible")
-@name("Block paste with invisible characters")
-@description("Block paste operations containing invisible Unicode characters (zero-width, bidi overrides). These can hide malicious instructions that appear invisible to users but are processed by AI models.")
-@severity("high")
-@tags("paste-safety,unicode,invisible-chars,content-safety")
-@reject_message("Paste blocked: invisible Unicode characters detected. Hidden characters can disguise malicious instructions that AI models process but users cannot see.")
-forbid (
-    principal,
-    action == Sentry::Action::"paste_content",
-    resource
-)
-when {
-    context has contains_invisible_chars && context.contains_invisible_chars &&
-    context has invisible_chars_score && context.invisible_chars_score >= 50
-};
-
-// ---------------------------------------------------------------------------
-// Section 7: AI Response Safety
-// Block harmful content in AI responses before user sees it.
-// ---------------------------------------------------------------------------
-
-// Block violent/harmful AI responses
-@id("sentry-cs-block-response-safety")
-@name("Block harmful AI responses")
-@description("Block AI responses containing high-severity violent, hateful, or criminal content. Prevents harmful AI-generated content from reaching users in enterprise environments.")
-@severity("critical")
-@tags("response-safety,content-safety,owasp-llm02")
-@reject_message("AI response blocked: harmful content detected in the response. The AI service generated content that violates enterprise content safety policies.")
-forbid (
-    principal,
-    action == Sentry::Action::"receive_response",
-    resource
-)
-when {
-    context has violence_score && context.violence_score >= 80
-};
-
-@id("sentry-cs-block-response-hate")
-@name("Block hateful AI responses")
-@description("Block AI responses with hate speech or discriminatory content.")
-@severity("critical")
-@tags("response-safety,hate-speech,content-safety,owasp-llm02")
-@reject_message("AI response blocked: hate speech or discriminatory content detected in the response.")
-forbid (
-    principal,
-    action == Sentry::Action::"receive_response",
-    resource
-)
-when {
-    context has hate_speech_score && context.hate_speech_score >= 75
-};

package/_schemas/sentry/templates/defaults/file_safety.cedar

@@ -1,89 +1,29 @@
 // =============================================================================
 // File & Attachment Safety Policy (Default)
 // =============================================================================
-// Enforces document sensitivity controls for files uploaded to AI chat services.
-// Integrates with Microsoft Information Protection (MIP) labels to prevent
-// confidential and restricted documents from being shared with AI.
+// Blocks file uploads to AI chat services when document content contains
+// secrets or PII.
 //
 // Detection layers:
-//   1. MIP label enforcement — sensitivity_level from document metadata
-//   2. PII/secrets in file content — from Shield PIIRegexDetector/SecretsDetector
-//   3. Injection payloads in files — from Shield InjectionDetector
-//   4. File type restrictions — block dangerous extensions
-//   5. Phishing link detection — from CheckPhishDetector
+//   1. Secrets in file content — from Shield SecretsDetector
+//   2. PII in file content — from Shield PIIRegexDetector
 //
 // Compliance:
-//   Microsoft Information Protection (MIP) — label-based access control
 //   NIST 800-53 SC-28 (Protection of Information at Rest)
 //   GDPR Art. 32 (Security of Processing)
-//   ISO 27001 A.8.2 (Information Classification)
 //
 // Category: file_safety
 // Namespace: Sentry
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: MIP Label Enforcement
-// Block uploads based on Microsoft Information Protection sensitivity labels.
-// Labels are read from document metadata via MIP SDK / Graph API.
+// Section 1: File Content Security
+// Block text files containing secrets or PII.
 // ---------------------------------------------------------------------------
 
-// Block restricted documents
-@id("sentry-file-block-restricted")
-@name("Block restricted documents")
-@description("Block uploads of documents with 'restricted' sensitivity level. Restricted documents contain the most sensitive data (board materials, M&A, legal privilege) and must never be shared with AI services.")
-@severity("critical")
-@tags("mip,restricted,classification,compliance,iso-27001")
-@reject_message("Upload blocked: this document is classified as RESTRICTED. Restricted documents must never be shared with AI services. Contact your security team if you need to process this content.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has sensitivity_level && context.sensitivity_level == "restricted"
-};
-
-// Block confidential documents
-@id("sentry-file-block-confidential")
-@name("Block confidential documents")
-@description("Block uploads of documents with 'confidential' sensitivity level. Confidential documents (financial reports, customer data, internal strategy) should not be shared with external AI services.")
-@severity("critical")
-@tags("mip,confidential,classification,compliance,iso-27001")
-@reject_message("Upload blocked: this document is classified as CONFIDENTIAL. Confidential documents should not be shared with AI services without explicit authorization.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has sensitivity_level && context.sensitivity_level == "confidential"
-};
-
-// Block rights-managed documents
-@id("sentry-file-block-rights-managed")
-@name("Block rights-managed documents")
-@description("Block uploads of documents with IRM/RMS rights management restrictions. Rights-managed documents have explicit access controls that would be bypassed by sharing with AI services.")
-@severity("critical")
-@tags("mip,irm,rms,rights-management,compliance")
-@reject_message("Upload blocked: this document has rights management restrictions that prohibit sharing with AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has is_rights_managed && context.is_rights_managed
-};
-
-// ---------------------------------------------------------------------------
-// Section 2: File Content Security
-// Block files containing secrets, PII, or injection payloads.
-// ---------------------------------------------------------------------------
-
-// Block files containing secrets
+// Block text files with secrets
 @id("sentry-file-block-secrets")
-@name("Block files with secrets")
+@name("Block text files with secrets")
 @description("Block file uploads when secrets or credentials are detected in document content. Prevents uploading configuration files, code, or documents containing API keys, tokens, or passwords to AI services.")
 @severity("critical")
 @tags("secrets,file-upload,credentials,nist-sc-28")
@@ -97,9 +37,9 @@ when {
     context has contains_secrets && context.contains_secrets
 };
 
-// Block file uploads containing PII
+// Block text files with PII
 @id("sentry-pii-block-uploads")
-@name("Block file uploads with PII")
+@name("Block text files with PII")
 @description("Block file uploads when PII is detected in document content. Prevents sharing of documents containing personal data (customer lists, HR records, medical files) with AI services.")
 @severity("critical")
 @tags("pii,file-upload,data-protection,gdpr-art-32")
@@ -112,63 +52,3 @@ forbid (
 when {
     context has pii_detected && context.pii_detected
 };
-
-// Block files with phishing links
-@id("sentry-file-block-phishing")
-@name("Block files with phishing links")
-@description("Block file uploads when phishing URLs are detected in document content. Prevents sharing of compromised documents that could expose phishing links to AI processing.")
-@severity("high")
-@tags("phishing,file-upload,security")
-@reject_message("Upload blocked: phishing URLs detected in the file. Documents containing phishing links cannot be shared with AI services.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has phishing_detected && context.phishing_detected
-};
-
-// ---------------------------------------------------------------------------
-// Section 3: File Type & Size Restrictions
-// Block potentially dangerous file types and oversized files.
-// ---------------------------------------------------------------------------
-
-// Block large file uploads with any threats
-@id("sentry-file-block-large-threats")
-@name("Block large files with threats")
-@description("Block file uploads over 10MB when any threats are detected. Large files with threats likely contain data dumps or bulk exports being exfiltrated to AI services.")
-@severity("high")
-@tags("file-upload,size-limit,data-protection")
-@reject_message("Upload blocked: security threats detected in a large file. Large data transfers to AI services require threat-free content.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has file_size_bytes && context has threat_count &&
-    context.file_size_bytes > 10485760 && context.threat_count >= 1
-};
-
-// ---------------------------------------------------------------------------
-// Section 4: Source Code Protection
-// Block source code uploads to AI services.
-// ---------------------------------------------------------------------------
-
-// Block files with high code content
-@id("sentry-file-block-source-code")
-@name("Block source code uploads")
-@description("Block file uploads when source code constitutes more than 80% of the content. Prevents bulk source code exfiltration to external AI services where it may be used for training or exposed.")
-@severity("high")
-@tags("source-code,ip-protection,file-upload,data-leakage")
-@reject_message("Upload blocked: the file appears to be primarily source code (>80%). Bulk source code should not be shared with external AI services to protect intellectual property.")
-forbid (
-    principal,
-    action == Sentry::Action::"upload_file",
-    resource
-)
-when {
-    context has contains_code && context.contains_code &&
-    context has code_ratio && context.code_ratio > 80
-};

package/_schemas/sentry/templates/defaults/organization.cedar

@@ -6,7 +6,6 @@
 // in clipboard.cedar.
 //
 // This template covers:
-//   - Source code protection in messages (non-paste channels)
 //   - Session-aware threat escalation
 //
 // Category: organization
@@ -14,30 +13,7 @@
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: Source Code Protection (Messages)
-// Prevent bulk source code from being shared via messages.
-// Paste-targeted code protection is in clipboard.cedar.
-// ---------------------------------------------------------------------------
-
-// Block messages with high code content
-@id("sentry-org-block-code-messages")
-@name("Block messages with source code")
-@description("Block messages when source code constitutes more than 80% of the content. Prevents bulk source code exfiltration to external AI services.")
-@severity("high")
-@tags("source-code,ip-protection,data-leakage")
-@reject_message("Message blocked: the content appears to be primarily source code (>80%). Bulk source code should not be shared with external AI services to protect intellectual property.")
-forbid (
-    principal,
-    action == Sentry::Action::"send_message",
-    resource
-)
-when {
-    context has contains_code && context.contains_code &&
-    context has code_ratio && context.code_ratio > 80
-};
-
-// ---------------------------------------------------------------------------
-// Section 2: Session-Aware Escalation
+// Section 1: Session-Aware Escalation
 // Escalate protections when threats are detected across the session.
 // ---------------------------------------------------------------------------