@highflame/policy 2.1.36 → 2.1.38

package/dist/overwatch-defaults.gen.js

@@ -7,109 +7,92 @@
 // =============================================================================
 // EMBEDDED CEDAR POLICY TEXT
 // =============================================================================
-const OVERWATCH_BASELINE_DEFAULT_CEDAR = `// =============================================================================
-// Baseline Permit Policy (Default)
+const OVERWATCH_ORGANIZATION_PERMIT_BASELINE_CEDAR = `// =============================================================================
+// Baseline Permit (Default)
 // =============================================================================
-// Permits all actions by default. Threat-specific forbid policies override
-// this to block when detection engines identify issues.
+// Permits all Overwatch actions by default. Threat-specific forbid policies
+// override this when detectors fire. Cedar is default-deny: without at least
+// one permit rule, every request is denied regardless of forbid rules.
 //
-// Cedar is default-deny: without at least one permit rule, every request
-// is denied regardless of forbid rules. This baseline ensures the system
-// is "allow unless blocked" rather than "block everything".
-//
-// Category: organization
+// Category:  organization
 // Namespace: Overwatch
 // =============================================================================
 
-@id("baseline-permit-all")
-@name("Permit all actions by default")
-@description("Baseline permit for all actions — threat-specific forbid policies override this when threats are detected")
+@id("organization.permit-baseline")
+@name("Permit baseline")
+@description("Permits all Overwatch actions.")
 @severity("low")
-@tags("baseline,permit-default,organization")
+@tags("category:organization,posture:permit-default")
 permit (
     principal,
     action,
     resource
 );
 `;
-const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// =============================================================================
-// Secrets Detection Policy (Default)
+const OVERWATCH_DATA_PROTECTION_DEFAULTS_CEDAR = `// =============================================================================
+// Secrets Detection (Default)
 // =============================================================================
-// Detects and blocks credential leakage across prompts, tool calls, and file
-// operations using Shield's secrets detector context keys and file path patterns.
-//
-// Detection:
-//   Shield's secrets detector (Tier Fast) populates:
-//     contains_secrets (bool) — true if any secret found
-//     secret_types (Set<String>) — types found: "aws_access_key", "ssh_key",
-//       "pem_certificate", "environment_variable", "github_token", etc.
-//     secret_count (long) — total secret matches
+// Blocks credential leakage across prompts, tool calls, and file operations
+// using Shield's secrets detector outputs and file path patterns.
 //
-//   Policies reference secret_types directly for per-category granularity.
-//   This works with both built-in and user-configured secret types.
+// Context keys consumed:
+//   - secrets_detected: Bool
+//   - secret_types:     Set<String>
+//   - secret_count:     Long
+//   - path:             String
 //
 // Compliance:
-//   NIST 800-53 SC-28 (Protection of Information at Rest)
-//   NIST 800-53 IA-5 (Authenticator Management)
-//   OWASP LLM07 (Insecure Plugin Design) — secrets in tool args
-//   MITRE ATT&CK T1552 (Unsecured Credentials)
-//   CIS Benchmark 1.4 (Secrets Management)
+//   - NIST 800-53 SC-28, IA-5
+//   - OWASP LLM07; MITRE ATT&CK T1552; CIS 1.4
 //
-// Category: secrets
+// Category:  data-protection
 // Namespace: Overwatch
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: General Secret Leakage
-// Detects AWS access keys, GitHub tokens, private key headers, API key
-// assignments, and bearer tokens in content.
+// Section 1: Detected secrets in prompts and tool calls
 // ---------------------------------------------------------------------------
 
-// Block prompts containing any detected secrets
-@id("secrets-block-leakage-prompt")
+@id("data-protection.block-secrets-prompt")
 @name("Block secrets in prompts")
-@description("Block prompts when secrets are detected — AWS access keys (AKIA...), GitHub tokens (ghp_...), private key headers, bearer tokens, or API key assignments.")
+@description("Blocks process_prompt when secrets_detected is true.")
 @severity("high")
-@tags("secrets,credentials,process-prompt,nist-sc-28,nist-ia-5")
-@reject_message("Prompt blocked: exposed secrets detected (AWS keys, tokens, private keys, or API key assignments). Remove sensitive credentials before submitting.")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:process-prompt,owasp:llm06")
+@reject_message("Prompt blocked: exposed secrets detected (AWS keys, tokens, private keys, or API key assignments).")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
     resource
 )
 when {
-    context.contains_secrets == true
+    context has secrets_detected && context.secrets_detected == true
 };
 
-// Block tool calls containing detected secrets
-@id("secrets-block-leakage-tool")
+@id("data-protection.block-secrets-tool")
 @name("Block secrets in tool calls")
-@description("Block tool execution when secrets are detected in tool arguments or command content.")
+@description("Blocks call_tool when secrets_detected is true.")
 @severity("high")
-@tags("secrets,credentials,call-tool,nist-sc-28,mitre-t1552")
-@reject_message("Tool execution blocked: exposed secrets detected in command or arguments. Remove sensitive credentials before executing.")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: exposed secrets detected in command or arguments.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has secrets_detected && context.secrets_detected == true
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: SSH Key Exposure
-// Detects SSH private key content (BEGIN OPENSSH/RSA PRIVATE KEY) and
-// SSH key file paths (/.ssh/id_rsa, id_ed25519).
+// Section 2: SSH key exposure
 // ---------------------------------------------------------------------------
 
-// Block SSH key exposure across tool calls and file operations
-@id("secrets-block-ssh-keys")
+@id("data-protection.block-ssh-keys")
 @name("Block SSH key exposure")
-@description("Block when SSH private key content or SSH key file paths are detected. Covers tool calls, file reads, and file writes. AI agents must not access SSH credentials.")
+@description("Blocks call_tool, read_file, and write_file when secret_types contains \\"ssh_key\\".")
 @severity("critical")
-@tags("secrets,ssh,credentials,nist-ia-5,mitre-t1552")
-@reject_message("Blocked: SSH private key content or key file path detected. AI agents must not access SSH credentials.")
+@tags("category:data-protection,threat:secrets,detection:rule,compliance:nist-si-3")
+@reject_message("Request blocked: SSH private key content or key file path detected — AI agents must not access SSH credentials.")
 forbid (
     principal,
     action in [Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -120,18 +103,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 3: PEM / Certificate Key Exposure
-// Detects PEM private key content (BEGIN ENCRYPTED/RSA/EC/DSA PRIVATE KEY)
-// and key file paths (.pem, .key, .p12, .pfx).
+// Section 3: PEM / certificate key exposure
 // ---------------------------------------------------------------------------
 
-// Block PEM/certificate key exposure
-@id("secrets-block-pem-keys")
-@name("Block PEM/certificate key exposure")
-@description("Block when PEM private key content or certificate key file paths (.pem, .key, .p12, .pfx) are detected. AI agents must not access certificate credentials.")
+@id("data-protection.block-pem-keys")
+@name("Block PEM and certificate keys")
+@description("Blocks call_tool, read_file, and write_file when secret_types contains \\"pem_certificate\\".")
 @severity("critical")
-@tags("secrets,certificates,pem,nist-ia-5,mitre-t1552")
-@reject_message("Blocked: PEM private key or certificate key file detected. AI agents must not access certificate credentials.")
+@tags("category:data-protection,threat:secrets,detection:rule,compliance:nist-si-3")
+@reject_message("Request blocked: PEM private key or certificate key file detected — AI agents must not access certificate credentials.")
 forbid (
     principal,
     action in [Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -142,18 +122,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 4: Environment Variable Leakage
-// Detects OPENAI_API_KEY=sk-..., HF_TOKEN=hf_..., and generic
-// <NAME>_API_KEY=<value> (16+ chars) patterns.
+// Section 4: Environment variable leakage
 // ---------------------------------------------------------------------------
 
-// Block environment variable secret exposure
-@id("secrets-block-env-vars")
-@name("Block environment variable leakage")
-@description("Block when environment variable secret assignments are detected — OPENAI_API_KEY, HF_TOKEN, or generic <NAME>_API_KEY=<value> patterns with 16+ character values.")
+@id("data-protection.block-env-vars")
+@name("Block environment variable secrets")
+@description("Blocks process_prompt and call_tool when secret_types contains \\"environment_variable\\".")
 @severity("high")
-@tags("secrets,environment,nist-ia-5")
-@reject_message("Blocked: environment variable secret detected (API keys, tokens). Remove sensitive values before proceeding.")
+@tags("category:data-protection,threat:secrets,detection:rule,compliance:nist-si-3")
+@reject_message("Request blocked: environment variable secret assignment detected (API key, token).")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -164,20 +141,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 5: Sensitive File Path Protection
-// Blocks file read/write access to credential directories and .env files.
-// NOTE: Targets read_file/write_file only — NOT call_tool. The path field
-// is empty for Bash commands (extractor reads tool_input.file_path which is
-// undefined for Bash). SSH key access via Bash is caught by rules above.
+// Section 5: Credential directories and key material paths
 // ---------------------------------------------------------------------------
 
-// Block access to credential directories
-@id("secrets-block-credential-paths")
+@id("data-protection.block-credential-paths")
 @name("Block credential directory access")
-@description("Block file read/write to SSH keys, cloud credentials, GPG keys, and certificate files. Only applies to Read/Write/Edit tools (path is not populated for Bash commands).")
+@description("Blocks read_file and write_file when path matches an SSH, cloud-provider, GPG, or key-material directory.")
 @severity("critical")
-@tags("secrets,credentials,path,file-access,nist-sc-28,mitre-t1552")
-@reject_message("Blocked: access to credential directory or key file. AI agents must not access .ssh, .aws, .gnupg, .gcloud, or .azure directories.")
+@tags("category:data-protection,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: SSH, cloud-provider, or GPG key material targeted.")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -185,77 +157,75 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "*/.ssh/*" ||
-     context.path like "*/.aws/*" ||
-     context.path like "*/.gnupg/*" ||
-     context.path like "*/.config/gcloud/*" ||
-     context.path like "*/.azure/*" ||
-     context.path like "*/id_rsa*" ||
-     context.path like "*/id_ed25519*" ||
-     context.path like "*/id_ecdsa*")
+    (
+        context.path like "*/.ssh/*" ||
+        context.path like "*/.aws/*" ||
+        context.path like "*/.gnupg/*" ||
+        context.path like "*/.config/gcloud/*" ||
+        context.path like "*/.azure/*" ||
+        context.path like "*/id_rsa*" ||
+        context.path like "*/id_ed25519*" ||
+        context.path like "*/id_ecdsa*"
+    )
 };
 
-// Block .env file access
-@id("secrets-block-env-file-paths")
-@name("Block .env file access")
-@description("Block file read/write to .env files which typically contain secrets, API keys, and database credentials.")
+@id("data-protection.block-env-file-paths")
+@name("Block dotenv file access")
+@description("Blocks read_file and write_file when path matches a .env file or .env.<suffix> variant.")
 @severity("high")
-@tags("secrets,environment,path,file-access,nist-sc-28,cis-1.4")
-@reject_message("Blocked: .env file access. These files typically contain secrets and should not be accessed by AI agents.")
+@tags("category:data-protection,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: .env file targeted, these files typically contain secrets and database credentials.")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
     resource
 )
 when {
-    context has path && context.path like "*.env*"
+    context has path &&
+    (
+        context.path like "*.env" ||
+        context.path like "*.env.*"
+    )
 };
 `;
-const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// =============================================================================
-// Semantic Threat Detection Policy (Default)
+const OVERWATCH_SEMANTIC_DEFAULTS_CEDAR = `// =============================================================================
+// Semantic Threat Detection (Default)
 // =============================================================================
-// Detects and blocks injection attacks, prompt injection, jailbreak attempts,
-// and unsafe content using multi-layered detection:
+// Blocks injection attacks (command, SQL, path traversal), prompt injection,
+// jailbreak attempts, and encoded payloads using two detection tiers:
 //
-//   Tier 1 — Pattern-based detection (always available, no external dependency):
+//   Tier 1 — Pattern-based (always available, no external dependency)
 //     command_injection, sql_injection, path_traversal, detect_encoded
 //
-//   Tier 2 — Injection and jailbreak classifiers (require Highflame API token):
-//     injection_confidence, jailbreak_confidence
+//   Tier 2 — ML classifiers (require Highflame API token)
+//     injection_score, jailbreak_score
 //
-//   Tier 3 — Content safety scores (require Highflame API token):
-//     violence, weapons, hate_speech, crime, sexual, profanity
+// Content-safety rules (violence, hate, sexual, etc.) live in content_safety.cedar.
 //
+// Context keys consumed:
+//   - detected_threats: Set<String>
+//   - injection_score:  Long (0-100)
+//   - jailbreak_score:  Long (0-100)
 //
 // Compliance:
-//   OWASP LLM01 (Prompt Injection) — direct + indirect
-//   OWASP LLM02 (Insecure Output Handling) — response manipulation
-//   OWASP ASI01 (Agent Goal Hijack) — behavioral manipulation
-//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
-//   MITRE ATLAS AML.T0054 (LLM Jailbreak)
-//   NIST 800-53 SI-3 (Malicious Code Protection)
-//   NIST 800-53 SI-4 (Information System Monitoring)
-//   EU AI Act Art. 52 (Transparency for AI Systems)
-//   ISO 42001 (AI Management System)
+//   - OWASP LLM01, LLM02; OWASP ASI01, ASI02
+//   - MITRE ATLAS AML.T0051, AML.T0054; MITRE ATT&CK T1059, T1005
+//   - NIST 800-53 SI-3, SI-4
 //
-// Category: semantic
+// Category:  semantic
 // Namespace: Overwatch
 // =============================================================================
 
-
 // ---------------------------------------------------------------------------
-// Tier 1: Pattern-Based Injection Detection (always available)
-// These fire on detected threat names from the detection engine.
-// No external API dependency — works offline with local scanning.
+// Tier 1: Pattern-based injection detection
 // ---------------------------------------------------------------------------
 
-// Block command injection in tool calls
-@id("semantic-block-command-injection-tool")
+@id("semantic.block-command-injection-tool")
 @name("Block command injection in tool calls")
-@description("Block tool execution when command injection is detected — reverse shells, rm -rf, privilege escalation, code execution, pipe-to-shell, or encoding evasion. Ref: AIShellJack (41-84% success rate).")
+@description("Blocks call_tool when detected_threats contains \\"command_injection\\".")
 @severity("critical")
-@tags("command-injection,call-tool,mitre-t1059,owasp-asi02")
-@reject_message("Tool execution blocked: command injection pattern detected — reverse shell, destructive command, privilege escalation, or code execution attempt.")
+@tags("category:semantic,threat:command-injection,detection:pattern,surface:call-tool,mitre:t1059,owasp:asi02")
+@reject_message("Tool execution blocked: command injection pattern detected — reverse shell, destructive command, or privilege escalation.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -265,29 +235,27 @@ when {
     context has detected_threats && context.detected_threats.contains("command_injection")
 };
 
-// Block command injection in prompts
-@id("semantic-block-command-injection-prompt")
+@id("semantic.block-command-injection-prompt")
 @name("Block command injection in prompts")
-@description("Block prompts when command injection patterns are detected. Catches prompt-level injection where the user or injected content includes shell commands.")
+@description("Blocks process_prompt when detected_threats contains \\"command_injection\\".")
 @severity("critical")
-@tags("command-injection,process-prompt,mitre-t1059")
-@reject_message("Prompt blocked: command injection pattern detected. The prompt contains shell commands, reverse shells, or code execution patterns.")
+@tags("category:semantic,threat:command-injection,detection:pattern,surface:process-prompt,mitre:t1059")
+@reject_message("Prompt blocked: command injection pattern detected.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
     resource
 )
 when {
-    context.detected_threats.contains("command_injection")
+    context has detected_threats && context.detected_threats.contains("command_injection")
 };
 
-// Block SQL injection in tool calls
-@id("semantic-block-sql-injection-tool")
+@id("semantic.block-sql-injection-tool")
 @name("Block SQL injection in tool calls")
-@description("Block tool execution when SQL injection is detected — tautologies (OR 1=1), UNION SELECT, DROP TABLE, time-based attacks (SLEEP, WAITFOR), or system object access (information_schema).")
+@description("Blocks call_tool when detected_threats contains \\"sql_injection\\".")
 @severity("high")
-@tags("sql-injection,call-tool,database")
-@reject_message("Tool execution blocked: SQL injection pattern detected — tautology, UNION attack, destructive SQL, or system object access.")
+@tags("category:semantic,threat:sql-injection,detection:pattern,surface:call-tool")
+@reject_message("Tool execution blocked: SQL injection pattern detected — tautology, UNION attack, or destructive query.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -297,12 +265,11 @@ when {
     context has detected_threats && context.detected_threats.contains("sql_injection")
 };
 
-// Block SQL injection in prompts
-@id("semantic-block-sql-injection-prompt")
+@id("semantic.block-sql-injection-prompt")
 @name("Block SQL injection in prompts")
-@description("Block prompts when SQL injection patterns are detected.")
+@description("Blocks process_prompt when detected_threats contains \\"sql_injection\\".")
 @severity("high")
-@tags("sql-injection,process-prompt,database")
+@tags("category:semantic,threat:sql-injection,detection:pattern,surface:process-prompt")
 @reject_message("Prompt blocked: SQL injection pattern detected.")
 forbid (
     principal,
@@ -310,16 +277,15 @@ forbid (
     resource
 )
 when {
-    context.detected_threats.contains("sql_injection")
+    context has detected_threats && context.detected_threats.contains("sql_injection")
 };
 
-// Block path traversal attacks
-@id("semantic-block-path-traversal")
-@name("Block path traversal attacks")
-@description("Block when path traversal is detected — 2+ levels of ../ combined with sensitive file targets (/etc/passwd, /etc/shadow) or file read/include operations with traversal.")
+@id("semantic.block-path-traversal")
+@name("Block path traversal")
+@description("Blocks call_tool, read_file, and write_file when detected_threats contains \\"path_traversal\\".")
 @severity("high")
-@tags("path-traversal,file-access,mitre-t1005")
-@reject_message("Blocked: path traversal attack detected — directory traversal sequences targeting sensitive system files.")
+@tags("category:semantic,threat:path-traversal,detection:pattern,mitre:t1005")
+@reject_message("Request blocked: path traversal pattern detected — sensitive system files or deep directory traversal.")
 forbid (
     principal,
     action in [Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -329,13 +295,12 @@ when {
     context has detected_threats && context.detected_threats.contains("path_traversal")
 };
 
-// Block encoded/obfuscated payloads in tool calls
-@id("semantic-block-encoded")
+@id("semantic.block-encoded")
 @name("Block encoded payloads in tool calls")
-@description("Block tool calls when base64-encoded payloads (30+ chars) or hash IOCs are detected. Base64 detection excludes npm package paths to reduce false positives.")
+@description("Blocks call_tool when detected_threats contains \\"detect_encoded\\".")
 @severity("medium")
-@tags("encoded,obfuscation,call-tool")
-@reject_message("Tool execution blocked: encoded or obfuscated payload detected. Base64-encoded content or hash IOCs found in tool arguments.")
+@tags("category:semantic,threat:encoded-payload,detection:pattern,surface:call-tool")
+@reject_message("Tool execution blocked: encoded or obfuscated payload detected (base64 or hash IOCs in tool arguments).")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -345,60 +310,68 @@ when {
     context has detected_threats && context.detected_threats.contains("detect_encoded")
 };
 
-
 // ---------------------------------------------------------------------------
-// Tier 2: Classifier-Based Detection (require Highflame API token)
-// Prompt injection and jailbreak classifiers. These are inert without
-// the API token — scores default to 0 (prompts) or are absent (tools).
+// Tier 2: ML classifier detection
 // ---------------------------------------------------------------------------
 
-// Block ML-detected prompt injection
-@id("semantic-block-injection-ml")
-@name("Block ML-detected prompt injection")
-@description("Block when Javelin's ML classifier scores prompt injection confidence >= 75/100. Catches sophisticated injection that pattern matching misses — authority hijack, instruction override, polymorphic payloads.")
+@id("semantic.block-injection-ml")
+@name("Block injection (ML)")
+@description("Blocks process_prompt and call_tool when injection_score >= 75.")
 @severity("critical")
-@tags("prompt-injection,ml,javelin,owasp-llm01,mitre-aml-t0051")
-@reject_message("Blocked: prompt injection detected by ML classifier (confidence 75+). The content attempts to override agent instructions.")
+@tags("category:semantic,threat:injection,detection:ml,owasp:llm01,mitre:atlas-t0051")
+@reject_message("Request blocked: prompt injection detected by ML classifier with high confidence.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
     resource
 )
 when {
-    context has injection_confidence && context.injection_confidence >= 75
+    context has injection_score && context.injection_score >= 75
 };
 
-// Block ML-detected jailbreak attempts
-@id("semantic-block-jailbreak-ml")
-@name("Block ML-detected jailbreak attempts")
-@description("Block when Javelin's ML classifier scores jailbreak confidence >= 75/100. Catches DAN prompts, role-playing bypasses, and safety guideline override attempts.")
+@id("semantic.block-jailbreak-ml")
+@name("Block jailbreak (ML)")
+@description("Blocks process_prompt and call_tool when jailbreak_score >= 75.")
 @severity("critical")
-@tags("jailbreak,ml,javelin,owasp-llm02,mitre-aml-t0054")
-@reject_message("Blocked: jailbreak attempt detected by ML classifier (confidence 75+). The content attempts to bypass agent safety guidelines.")
+@tags("category:semantic,threat:jailbreak,detection:ml,owasp:llm02,mitre:atlas-t0054")
+@reject_message("Request blocked: jailbreak attempt detected by ML classifier with high confidence.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
     resource
 )
 when {
-    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+    context has jailbreak_score && context.jailbreak_score >= 75
 };
+`;
+const OVERWATCH_TRUST_SAFETY_DEFAULTS_CEDAR = `// =============================================================================
+// Content Safety (Default)
+// =============================================================================
+// Blocks unsafe content using ML classifier scores: violence, weapons, hate
+// speech, criminal activity, sexual content, and excessive profanity.
+//
+// Thresholds:
+//   - violence, weapons, sexual, crime: >= 80 (critical/high)
+//   - hate_speech: >= 75 (lower threshold, zero tolerance)
+//   - profanity:   >= 90 (higher threshold, allows normal expression)
+//
+// Context keys consumed:
+//   - violence_score, weapons_score, hate_speech_score:  Long (0-100)
+//   - crime_score, sexual_score, profanity_score:        Long (0-100)
+//
+// Compliance:
+//   - NIST 800-53 SI-4; ISO 42001; EU AI Act Art. 52
+//
+// Category:  trust-safety
+// Namespace: Overwatch
+// =============================================================================
 
-
-// ---------------------------------------------------------------------------
-// Tier 3: Content Safety (classifier scores, require API token)
-// Trust & safety classification scores for violence, weapons, hate speech,
-// crime, sexual content, and profanity. Ensures enterprise-appropriate
-// content thresholds.
-// ---------------------------------------------------------------------------
-
-// Block violent content
-@id("semantic-block-violence")
+@id("trust-safety.block-violence")
 @name("Block violent content")
-@description("Block content when the ML violence detection score exceeds threshold (80/100). Catches graphic violence descriptions, instructions for causing harm, and violent threat language.")
+@description("Blocks process_prompt and call_tool when violence_score >= 80.")
 @severity("critical")
-@tags("violence,content-safety,trust-safety,nist-si-4,iso-42001")
-@reject_message("Content blocked: violent content detected. AI agents in enterprise environments must not process or generate violent content.")
+@tags("category:trust-safety,threat:violence,detection:ml,compliance:nist-si-4,compliance:iso-42001")
+@reject_message("Content blocked: violent content detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -408,13 +381,12 @@ when {
     context has violence_score && context.violence_score >= 80
 };
 
-// Block weapons content
-@id("semantic-block-weapons")
+@id("trust-safety.block-weapons")
 @name("Block weapons content")
-@description("Block content when the ML weapons detection score exceeds threshold (80/100). Catches weapon manufacturing instructions, procurement guidance, and detailed specifications.")
+@description("Blocks process_prompt and call_tool when weapons_score >= 80.")
 @severity("critical")
-@tags("weapons,content-safety,trust-safety,nist-si-4")
-@reject_message("Content blocked: weapons-related content detected. AI agents must not process weapons manufacturing, procurement, or detailed specification content.")
+@tags("category:trust-safety,threat:weapons,detection:ml,compliance:nist-si-4")
+@reject_message("Content blocked: weapons-related content detected (manufacturing, procurement, or specifications).")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -424,13 +396,12 @@ when {
     context has weapons_score && context.weapons_score >= 80
 };
 
-// Block hate speech (lower threshold — zero tolerance)
-@id("semantic-block-hate-speech")
+@id("trust-safety.block-hate-speech")
 @name("Block hate speech")
-@description("Block content when the ML hate speech detection score exceeds threshold (75/100). Lower threshold than other categories — enterprises have zero tolerance for discriminatory content.")
+@description("Blocks process_prompt and call_tool when hate_speech_score >= 75.")
 @severity("critical")
-@tags("hate-speech,content-safety,trust-safety,nist-si-4,eu-ai-act")
-@reject_message("Content blocked: hate speech or discriminatory content detected. AI agents must not process or generate hateful, discriminatory, or dehumanizing content.")
+@tags("category:trust-safety,threat:hate-speech,detection:ml,compliance:nist-si-4,compliance:eu-ai-act")
+@reject_message("Content blocked: hate speech or discriminatory content detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -440,13 +411,12 @@ when {
     context has hate_speech_score && context.hate_speech_score >= 75
 };
 
-// Block criminal content
-@id("semantic-block-crime")
+@id("trust-safety.block-crime")
 @name("Block criminal content")
-@description("Block content when the ML criminal activity detection score exceeds threshold (80/100). Catches illegal activity instructions, fraud techniques, and content promoting criminal behavior.")
+@description("Blocks process_prompt and call_tool when crime_score >= 80.")
 @severity("high")
-@tags("crime,content-safety,trust-safety,nist-si-4")
-@reject_message("Content blocked: criminal activity content detected. AI agents must not process content related to illegal activities, fraud, or other criminal behavior.")
+@tags("category:trust-safety,threat:crime,detection:ml,compliance:nist-si-4")
+@reject_message("Content blocked: criminal activity content detected (illegal activity, fraud, or related).")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -456,13 +426,12 @@ when {
     context has crime_score && context.crime_score >= 80
 };
 
-// Block sexual content
-@id("semantic-block-sexual")
+@id("trust-safety.block-sexual")
 @name("Block sexual content")
-@description("Block content when the ML sexual content detection score exceeds threshold (80/100). Ensures enterprise AI agents do not process sexually explicit material.")
+@description("Blocks process_prompt and call_tool when sexual_score >= 80.")
 @severity("high")
-@tags("sexual,content-safety,trust-safety,eu-ai-act,iso-42001")
-@reject_message("Content blocked: sexual content detected. AI agents in enterprise environments must not process sexually explicit material.")
+@tags("category:trust-safety,threat:sexual,detection:ml,compliance:eu-ai-act,compliance:iso-42001")
+@reject_message("Content blocked: sexually explicit content detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -472,13 +441,12 @@ when {
     context has sexual_score && context.sexual_score >= 80
 };
 
-// Block excessive profanity (higher threshold — allows normal expression)
-@id("semantic-block-profanity")
-@name("Block profanity")
-@description("Block content when the ML profanity detection score exceeds threshold (90/100). Higher threshold — allows normal expression while blocking abusive or harassing language patterns.")
+@id("trust-safety.block-profanity")
+@name("Block excessive profanity")
+@description("Blocks process_prompt and call_tool when profanity_score >= 90.")
 @severity("medium")
-@tags("profanity,content-safety,trust-safety")
-@reject_message("Content blocked: excessive profanity detected. Please rephrase in a professional manner appropriate for enterprise AI interactions.")
+@tags("category:trust-safety,threat:profanity,detection:ml")
+@reject_message("Content blocked: excessive profanity detected — please rephrase in professional language.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -488,79 +456,66 @@ when {
     context has profanity_score && context.profanity_score >= 90
 };
 `;
-const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// =============================================================================
-// Tool Permissioning Policy (Default)
+const OVERWATCH_TOOLS_DEFAULTS_CEDAR = `// =============================================================================
+// Tool Permissioning (Default)
 // =============================================================================
-// Controls access to IDE tools, shell execution, file system paths, and MCP
-// operations. Enforces least-privilege for agent tool usage with:
-//
-//   1. Shell/command execution blocking (opt-in — inactive by default)
-//   2. Destructive file operation blocking (opt-in — inactive by default)
-//   3. Sensitive system path protection (active)
-//   4. Threat-severity-based tool blocking (active)
+// Sensitive system-path file access and destructive MCP file-operation
+// blocking. Shell-execution blocking lives in tools_shell_block.cedar as a
+// separate opt-in template and is not bundled with this default.
 //
-// NOTE: Policies 1-2 are included in this file but classified as opt-in
-// templates in templates.json (not in the defaults array). They are shipped
-// as part of the tool permissioning category but must be explicitly enabled.
+// Context keys consumed:
+//   - path:      String
+//   - tool_name: String
 //
 // Compliance:
-//   NIST 800-53 AC-3 (Access Enforcement)
-//   NIST 800-53 AC-6 (Least Privilege)
-//   NIST 800-53 CM-7 (Least Functionality)
-//   OWASP LLM06 (Excessive Agency)
-//   OWASP ASI02 (Tool Misuse)
-//   MITRE ATT&CK T1059 (Command and Scripting Interpreter)
-//   MITRE ATT&CK T1005 (Data from Local System)
+//   - NIST 800-53 AC-3, AC-6, CM-7
+//   - OWASP ASI02; MITRE ATT&CK T1005
 //
-// Category: tools
+// Category:  tools
 // Namespace: Overwatch
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: Shell Blocking (opt-in — inactive by default)
-// Blocks all shell/command execution tools. Enable for high-security
-// environments where shell access is explicitly prohibited.
-// WARNING: Blocks ALL shell use including safe commands (git, npm, echo).
-// Ref: OWASP LLM06, MITRE T1059
+// Section 1: Sensitive system paths
 // ---------------------------------------------------------------------------
 
-// Block shell and command execution tools
-@id("tools-block-shell")
-@name("Block shell and command execution")
-@description("Block direct shell, bash, and command execution tools. Unrestricted shell access enables command injection, data exfiltration, and arbitrary code execution. INACTIVE BY DEFAULT — enable for high-security environments where all shell access is prohibited.")
-@severity("critical")
-@tags("shell,execution,nist-cm-7,mitre-t1059,owasp-llm06,opt-in")
-@reject_message("Tool blocked: shell/command execution is restricted in this environment. Use specific, scoped tools instead.")
+@id("tools.block-system-paths")
+@name("Block system directory access")
+@description("Blocks read_file and write_file when path matches a sensitive Linux or macOS system directory.")
+@severity("high")
+@tags("category:tools,threat:path-traversal,detection:pattern,mitre:t1005")
+@reject_message("File access blocked: sensitive system directory targeted (/etc, /proc, /sys, /root, /var, /System, /Library, /private).")
 forbid (
     principal,
-    action == Overwatch::Action::"call_tool",
+    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
     resource
 )
 when {
-    context has tool_name &&
-    (context.tool_name == "shell" ||
-     context.tool_name == "bash" ||
-     context.tool_name == "sh" ||
-     context.tool_name == "terminal" ||
-     context.tool_name == "cmd" ||
-     context.tool_name == "powershell")
+    context has path &&
+    (
+        context.path like "/etc/*" ||
+        context.path like "/proc/*" ||
+        context.path like "/sys/*" ||
+        context.path like "/root/*" ||
+        context.path like "/var/log/*" ||
+        context.path like "/var/run/*" ||
+        context.path like "/private/etc/*" ||
+        context.path like "/private/var/*" ||
+        context.path like "/Library/*" ||
+        context.path like "/System/*"
+    )
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: Destructive Operations (opt-in — inactive by default)
-// Blocks file deletion tools. Enable when agents should not have delete access.
-// NOTE: Only matches MCP tool names, not Bash rm commands (which use
-// tool_name "shell"). Bash destructive commands are caught by the
-// command_injection rule in semantic.cedar.
+// Section 2: Destructive MCP file operations
 // ---------------------------------------------------------------------------
 
-// Block destructive file operations
-@id("tools-block-destructive-ops")
+@id("tools.block-destructive-ops")
 @name("Block destructive file operations")
-@description("Block file deletion and directory removal tools. INACTIVE BY DEFAULT — enable when agents should not have delete access. Only matches MCP tool names; Bash rm commands go through 'shell' tool name.")
+@description("Blocks call_tool when tool_name is a destructive MCP file operation.")
 @severity("high")
-@tags("file,delete,destructive,nist-ac-3,owasp-asi02,opt-in")
-@reject_message("Tool blocked: destructive file operations (delete, rmdir) are restricted. Request human approval for destructive actions.")
+@tags("category:tools,detection:rule,surface:call-tool,owasp:asi02")
+@reject_message("Tool execution blocked: destructive file operations (delete, rmdir, unlink) require explicit human approval.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -568,113 +523,92 @@ forbid (
 )
 when {
     context has tool_name &&
-    (context.tool_name == "fs.delete" ||
-     context.tool_name == "fs.rmdir" ||
-     context.tool_name == "fs.unlink" ||
-     context.tool_name == "fs.remove" ||
-     context.tool_name == "delete_file" ||
-     context.tool_name == "remove_directory")
-};
-
-// ---------------------------------------------------------------------------
-// Section 3: Sensitive System Path Protection (active)
-// Blocks file read/write access to system directories.
-// NOTE: Targets read_file/write_file only — NOT call_tool. The path field
-// is empty for Bash commands. Bash access to system files is caught by
-// rules in semantic.cedar (command_injection, path_traversal).
-// Ref: MITRE T1005, T1552
-// ---------------------------------------------------------------------------
-
-// Block access to system directories
-@id("tools-block-system-paths")
-@name("Block system directory access")
-@description("Block file read/write to sensitive system directories. Includes Linux (/etc, /proc, /sys, /root, /var) and macOS (/private/etc, /Library, /System) paths. Only applies to Read/Write/Edit tools.")
-@severity("high")
-@tags("file,path,system,nist-ac-6,mitre-t1005")
-@reject_message("Blocked: access to sensitive system directory. AI agents are restricted from system configuration and process directories.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
-    resource
-)
-when {
-    context has path &&
-    (context.path like "/etc/*" ||
-     context.path like "/proc/*" ||
-     context.path like "/sys/*" ||
-     context.path like "/root/*" ||
-     context.path like "/var/log/*" ||
-     context.path like "/var/run/*" ||
-     context.path like "/private/etc/*" ||
-     context.path like "/private/var/*" ||
-     context.path like "/Library/*" ||
-     context.path like "/System/*")
+    (
+        context.tool_name == "fs.delete" ||
+        context.tool_name == "fs.rmdir" ||
+        context.tool_name == "fs.unlink" ||
+        context.tool_name == "fs.remove" ||
+        context.tool_name == "delete_file" ||
+        context.tool_name == "remove_directory"
+    )
 };
+`;
+const OVERWATCH_TOOLS_BLOCK_SHELL_CEDAR = `// =============================================================================
+// Tool Permissioning — Shell execution block (Opt-in)
+// =============================================================================
+// Blocks shell and command execution tools. Inactive unless explicitly enabled
+// because it blocks ALL shell access (including safe commands like git and
+// echo). Intended for high-security environments where shell access is
+// prohibited.
+//
+// Context keys consumed:
+//   - tool_name: String
+//
+// Compliance:
+//   - NIST 800-53 CM-7; OWASP LLM06; MITRE ATT&CK T1059
+//
+// Category:  tools
+// Namespace: Overwatch
+// =============================================================================
 
-// ---------------------------------------------------------------------------
-// Section 4: Threat-Based Tool Blocking (active)
-// Blocks tool calls based on threat severity from detection engines.
-// This is the primary catch-all — any rule with severity HIGH (3)
-// or CRITICAL (4) triggers this. Provides defense-in-depth behind
-// specific rule policies in semantic.cedar and secrets.cedar.
-// ---------------------------------------------------------------------------
-
-// Block tool calls with high/critical severity threats
-@id("tools-block-high-severity")
-@name("Block tool calls with high severity threats")
-@description("Block tool execution when threats with severity >= HIGH (3) are detected. Primary catch-all defense — any rule with severity HIGH or CRITICAL triggers this.")
-@severity("high")
-@tags("tools,threats,severity,defense-in-depth")
-@reject_message("Tool execution blocked: high or critical severity threats detected in content by security scanners.")
+@id("tools.block-shell")
+@name("Block shell and command execution")
+@description("Blocks call_tool when tool_name is shell, bash, sh, terminal, cmd, or powershell.")
+@severity("critical")
+@tags("category:tools,threat:command-injection,detection:rule,surface:call-tool,owasp:llm06,mitre:t1059")
+@reject_message("Tool execution blocked: shell/command execution is restricted in this environment.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 )
 when {
-    context has max_threat_severity && context.max_threat_severity >= 3
+    context has tool_name &&
+    (
+        context.tool_name == "shell" ||
+        context.tool_name == "bash" ||
+        context.tool_name == "sh" ||
+        context.tool_name == "terminal" ||
+        context.tool_name == "cmd" ||
+        context.tool_name == "powershell"
+    )
 };
 `;
-const OVERWATCH_PII_DEFAULT_CEDAR = `// =============================================================================
-// PII Detection Policy (Default)
+const OVERWATCH_PRIVACY_DEFAULTS_CEDAR = `// =============================================================================
+// PII Detection (Default)
 // =============================================================================
-// Detects and blocks personally identifiable information across prompts, tool
-// calls, and file operations using Shield's PII detector context keys.
+// Blocks personally identifiable information across prompts, tool calls, and
+// file operations using Shield's PII detector context keys.
 //
-// Detection:
-//   Shield's pii_regex (Tier Fast) and gcp_dlp (Tier Slow) detectors populate:
-//     pii_detected (bool) — true if any PII found
-//     pii_types (Set<String>) — types found: "ssn", "credit_card", "email", etc.
-//     pii_count (long) — total PII matches
+// Severity tiers:
+//   - Critical: SSN, credit card
+//   - High:     passport, IBAN
+//   - Medium:   email, phone, date of birth
+//   - Low:      IP address (prompt only)
 //
-//   Policies reference pii_types directly for per-type granularity. This works
-//   with both built-in and user-configured PII types (via ConfigReloader).
+// Context keys consumed:
+//   - pii_detected: Bool
+//   - pii_types:    Set<String>
+//   - pii_count:    Long
 //
 // Compliance:
-//   PCI DSS 3.4, 4.1 (Payment Card Data)
-//   GDPR Art. 32 (Security of Processing)
-//   HIPAA §164.312 (Technical Safeguards)
-//   NIST 800-53 SI-4 (Information System Monitoring)
-//   CCPA §1798.150 (Data Protection)
-//   OWASP LLM06 (Sensitive Information Disclosure)
+//   - PCI DSS 3.4/4.1, GDPR Art. 32, HIPAA §164.312, CCPA §1798.150
+//   - NIST 800-53 SI-4; OWASP LLM06
 //
-// Category: pii
+// Category:  privacy
 // Namespace: Overwatch
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: Critical PII — Identity Theft Risk
-// SSNs and credit card numbers are the highest-risk PII types.
-// Blocked across all actions (prompts, tool calls, file reads/writes).
+// Section 1: Critical PII (SSN, credit card)
 // ---------------------------------------------------------------------------
 
-// Block Social Security Numbers
-@id("pii-block-ssn")
+@id("privacy.block-ssn")
 @name("Block Social Security Numbers")
-@description("Block content containing SSN patterns (XXX-XX-XXXX). SSNs are high-value identity theft targets — exposure through AI agents is a critical privacy violation.")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_types contains \\"ssn\\".")
 @severity("critical")
-@tags("pii,ssn,identity,pci-dss,nist-si-4")
-@reject_message("Content blocked: Social Security Number patterns detected. SSNs must never be processed through AI agents.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:pci-dss,compliance:gdpr")
+@reject_message("Content blocked: Social Security Number patterns detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -684,13 +618,12 @@ when {
     context has pii_types && context.pii_types.contains("ssn")
 };
 
-// Block credit card numbers (PCI DSS compliance)
-@id("pii-block-credit-card")
+@id("privacy.block-credit-card")
 @name("Block credit card numbers")
-@description("Block content containing credit card number patterns (13-19 digits). PCI DSS 3.4 requires PANs are rendered unreadable — AI agents must never process raw card numbers.")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_types contains \\"credit_card\\".")
 @severity("critical")
-@tags("pii,credit-card,payment,pci-dss-3.4,pci-dss-4.1")
-@reject_message("Content blocked: credit card number patterns detected. Sharing payment card data through AI agents violates PCI DSS. Use tokenized references instead.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:pci-dss")
+@reject_message("Content blocked: credit card number patterns detected — PCI DSS prohibits raw PAN handling.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -701,18 +634,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: High PII — Government & Financial Identifiers
-// Passport numbers and IBANs are regulated identifiers with high
-// identity theft and financial fraud risk.
+// Section 2: High PII (passport, IBAN)
 // ---------------------------------------------------------------------------
 
-// Block passport numbers
-@id("pii-block-passport")
+@id("privacy.block-passport")
 @name("Block passport numbers")
-@description("Block content containing passport number patterns (1-2 letters + 6-9 digits). Passport numbers are government-issued identifiers with high identity theft risk.")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_types contains \\"passport\\".")
 @severity("high")
-@tags("pii,passport,identity,gdpr-art-32")
-@reject_message("Content blocked: passport number patterns detected. Government-issued identifiers must not be processed through AI agents.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:gdpr")
+@reject_message("Content blocked: passport number patterns detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -722,13 +652,12 @@ when {
     context has pii_types && context.pii_types.contains("passport")
 };
 
-// Block IBAN (International Bank Account Numbers)
-@id("pii-block-iban")
+@id("privacy.block-iban")
 @name("Block bank account numbers")
-@description("Block content containing IBAN patterns. Bank account numbers are sensitive financial identifiers that must not be exposed through AI agents.")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_types contains \\"iban\\".")
 @severity("high")
-@tags("pii,iban,financial,gdpr-art-32,pci-dss")
-@reject_message("Content blocked: bank account number (IBAN) patterns detected. Financial account numbers must not be processed through AI agents.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:gdpr,compliance:pci-dss")
+@reject_message("Content blocked: IBAN / bank account number patterns detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
@@ -739,18 +668,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 3: Medium PII — Contact Information
-// Email addresses and phone numbers. Only blocked in prompts and tool calls
-// (not file ops — too common in source code, configs, and test fixtures).
+// Section 3: Medium PII (contact info)
 // ---------------------------------------------------------------------------
 
-// Block email addresses
-@id("pii-block-email")
+@id("privacy.block-email")
 @name("Block email addresses")
-@description("Block prompts and tool calls containing email address patterns. Prevents accidental sharing of personal email addresses with AI agents.")
+@description("Blocks process_prompt and call_tool when pii_types contains \\"email\\".")
 @severity("medium")
-@tags("pii,email,contact,gdpr-art-32")
-@reject_message("Content blocked: email address patterns detected. Remove personal email addresses before submitting to AI agents.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:gdpr")
+@reject_message("Content blocked: email address patterns detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -760,13 +686,12 @@ when {
     context has pii_types && context.pii_types.contains("email")
 };
 
-// Block US phone numbers
-@id("pii-block-phone")
+@id("privacy.block-phone")
 @name("Block phone numbers")
-@description("Block prompts and tool calls containing US phone number patterns. Prevents accidental sharing of personal phone numbers with AI agents.")
+@description("Blocks process_prompt and call_tool when pii_types contains \\"phone\\".")
 @severity("medium")
-@tags("pii,phone,contact,ccpa")
-@reject_message("Content blocked: phone number patterns detected. Remove personal phone numbers before submitting to AI agents.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:gdpr")
+@reject_message("Content blocked: phone number patterns detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -776,13 +701,12 @@ when {
     context has pii_types && context.pii_types.contains("phone")
 };
 
-// Block dates of birth
-@id("pii-block-dob")
+@id("privacy.block-dob")
 @name("Block dates of birth")
-@description("Block prompts and tool calls containing date of birth patterns (MM/DD/YYYY). Date of birth combined with other identifiers enables identity theft.")
+@description("Blocks process_prompt and call_tool when pii_types contains \\"date_of_birth\\".")
 @severity("medium")
-@tags("pii,dob,identity,hipaa-164.312")
-@reject_message("Content blocked: date of birth patterns detected. Remove personal dates before submitting to AI agents.")
+@tags("category:privacy,threat:pii,detection:pattern,compliance:hipaa")
+@reject_message("Content blocked: date of birth patterns detected.")
 forbid (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
@@ -793,18 +717,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 4: Low PII — Network Identifiers
-// IP addresses are extremely common in code, configs, and logs.
-// Only blocked in prompts to catch accidental data dumps.
+// Section 4: Low PII (IP addresses, prompts only)
 // ---------------------------------------------------------------------------
 
-// Block IP addresses in prompts
-@id("pii-block-ip-address")
+@id("privacy.block-ip-address")
 @name("Block IP addresses in prompts")
-@description("Block prompts containing IPv4 address patterns. Only targets prompts — IP addresses are too common in source code and config files to block in tool calls or file operations.")
+@description("Blocks process_prompt when pii_types contains \\"ip_address\\".")
 @severity("low")
-@tags("pii,ip-address,network")
-@reject_message("Content blocked: IP address patterns detected in prompt. Remove network identifiers before submitting.")
+@tags("category:privacy,threat:pii,detection:pattern,surface:process-prompt")
+@reject_message("Prompt blocked: IP address patterns detected.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -814,18 +735,24 @@ when {
     context has pii_types && context.pii_types.contains("ip_address")
 };
 `;
-const OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
-// Only allow specific MCP servers to be used
-// Category: tools
+const OVERWATCH_TOOLS_MCP_SERVER_ALLOWLIST_CEDAR = `// =============================================================================
+// MCP Server Allowlist
+// =============================================================================
+// Restricts MCP server connections to a pre-approved list. Customize the
+// \`context.mcp_server\` values in the permit rule to match allowed servers.
+//
+// Context keys consumed:
+//   - mcp_server: String
 //
-// NOTE: Users should customize the mcp_server values in the permit rule
-// to match their allowed servers before deploying this template.
+// Category:  tools
+// Namespace: Overwatch
+// =============================================================================
 
-@id("mcp-allowlist-permit")
-@name("Allow specific MCP servers")
-@description("Only allow connections to pre-approved MCP servers (customize the list)")
+@id("tools.allow-mcp-allowlist")
+@name("Allow allowlisted MCP servers")
+@description("Permits connect_server when mcp_server is in the allowlist.")
 @severity("medium")
-@tags("mcp,allowlist,server,governance")
+@tags("category:tools,surface:connect-server,scope:org-wide,posture:deny-default")
 permit (
     principal,
     action == Overwatch::Action::"connect_server",
@@ -833,15 +760,15 @@ permit (
 )
 when {
     context has mcp_server &&
-    (context.mcp_server == "filesystem" ||
-    context.mcp_server == "playwright")
+    (context.mcp_server == "filesystem" || context.mcp_server == "playwright")
 };
 
-@id("mcp-allowlist-deny")
-@name("Deny unallowed MCP servers")
-@description("Block all MCP server connections not in the allowlist")
+@id("tools.deny-non-allowlisted-mcp")
+@name("Block non-allowlisted MCP servers")
+@description("Blocks connect_server unconditionally so only the allowlist permit applies.")
 @severity("medium")
-@tags("mcp,deny-default,server")
+@tags("category:tools,surface:connect-server,scope:org-wide,posture:deny-default")
+@reject_message("MCP server connection blocked: server is not on the allowlist.")
 forbid (
     principal,
     action == Overwatch::Action::"connect_server",
@@ -849,200 +776,216 @@ forbid (
 );
 `;
 const OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
-// MCP Tool Permissions Template (Overwatch)
+// MCP Tool Permissions
 // =============================================================================
-// Per-tool access control for MCP servers in IDE environments.
-// Complements the existing MCP Server Allowlist (connect_server action)
-// with fine-grained per-tool control on call_tool action.
+// Per-tool access control for MCP servers. Permit-all by default plus two
+// opt-in safety rails (exclude untrusted servers, block unverified servers).
+// Add additional forbid rules to gate specific server/tool combinations.
 //
-// Defaults to permit-all. Customize per-tool gating by adding forbid rules
-// scoped to specific mcp_server / tool_name combinations.
+// Context keys consumed:
+//   - mcp_server:          String
+//   - mcp_server_verified: Bool
 //
-// Category: tools
+// Category:  tools
 // Namespace: Overwatch
 // =============================================================================
 
-// -- Permit all MCP tool calls (opt-in default) -----------------------------
-
-@id("mcp-tool-allow-all")
-@name("Allow all MCP tool calls")
-@description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
+@id("tools.allow-mcp-tools-baseline")
+@name("Permit MCP tool calls")
+@description("Permits all call_tool actions; combine with forbid rules for gating.")
 @severity("low")
-@tags("mcp,permit-default")
+@tags("category:tools,surface:call-tool,posture:permit-default")
 permit (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
 );
 
-// -- Organization-wide MCP server exclusions --------------------------------
-
-@id("mcp-tool-exclude-server")
-@name("Exclude specific MCP servers")
-@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@id("tools.exclude-mcp-servers")
+@name("Block excluded MCP servers")
+@description("Blocks call_tool when mcp_server is in the org-wide exclusion list.")
 @severity("critical")
-@tags("mcp,exclusion,org-wide,block")
+@tags("category:tools,surface:call-tool,scope:org-wide,posture:deny-default")
+@reject_message("Tool execution blocked: MCP server is on the org-wide exclusion list.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
-) when {
-    // Add server names to block across the organization.
-    // Modify this list to match your exclusion requirements.
+)
+when {
     context has mcp_server &&
-    (context.mcp_server == "untrusted-server" ||
-     context.mcp_server == "deprecated-server")
+    (context.mcp_server == "untrusted-server" || context.mcp_server == "deprecated-server")
 };
 
-// -- Block unverified MCP servers -------------------------------------------
-
-@id("mcp-tool-block-unverified")
-@name("Block tools from unverified MCP servers")
-@description("Deny tool calls from MCP servers not in the verified registry")
+@id("tools.block-unverified-mcp-tools")
+@name("Block unverified MCP server tools")
+@description("Blocks call_tool when mcp_server_verified is false.")
 @severity("high")
-@tags("mcp,trust,verification")
+@tags("category:tools,threat:supply-chain,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: MCP server is not from a verified registry.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has mcp_server_verified && context.mcp_server_verified == false
 };
 `;
-const OVERWATCH_ORG_DEFAULT_DENY_CEDAR = `// Default Deny All Template
-// Organization-wide baseline: deny all unless explicitly permitted
-// Category: organization
+const OVERWATCH_ORGANIZATION_DENY_BASELINE_CEDAR = `// =============================================================================
+// Default Deny All
+// =============================================================================
+// Org-wide baseline that blocks everything unless explicitly permitted by
+// other policies. Pair with scoped permit rules (e.g. team_permissions) for
+// a deny-by-default posture.
+//
+// Category:  organization
+// Namespace: Overwatch
+// =============================================================================
 
-@id("org-deny-all")
-@name("Deny all actions by default")
-@description("Block all actions unless explicitly permitted by other policies - use as organization baseline")
+@id("organization.deny-baseline")
+@name("Block all actions (deny baseline)")
+@description("Blocks all actions; pair with scoped permit rules for a deny-by-default posture.")
 @severity("high")
-@tags("baseline,security,deny-by-default,organization")
+@tags("category:organization,posture:deny-default,scope:org-wide")
+@reject_message("Request blocked: this organization uses a deny-by-default baseline — only explicitly permitted actions are allowed.")
 forbid (
     principal,
     action,
     resource
 );
 `;
-const OVERWATCH_ORG_AUDIT_ALL_CEDAR = `// Audit All Actions Template
-// Log all agent actions for compliance and monitoring
-// Category: organization
+const OVERWATCH_ORGANIZATION_AUDIT_ALL_CEDAR = `// =============================================================================
+// Audit All Actions
+// =============================================================================
+// Permits and logs all agent actions for compliance auditing and monitoring.
+// This is a permit rule — combine with monitoring/observability tooling to
+// capture an audit trail.
+//
+// Category:  organization
+// Namespace: Overwatch
+// =============================================================================
 
-@id("org-audit-all")
-@name("Audit all actions")
-@description("Permit and log all agent actions for compliance auditing and monitoring")
+@id("organization.audit-all")
+@name("Permit and audit all actions")
+@description("Permits all actions while emitting audit-logging signals for compliance and monitoring.")
 @severity("low")
-@tags("audit,compliance,logging,organization")
+@tags("category:organization,posture:permit-default,compliance:soc2")
 permit (
     principal,
     action,
     resource
 );
 `;
-const OVERWATCH_ORG_TEAM_PERMISSIONS_CEDAR = `// =============================================================================
+const OVERWATCH_ORGANIZATION_TEAM_PERMISSIONS_CEDAR = `// =============================================================================
 // Project-Based Permissions (ReBAC)
 // =============================================================================
-// Grant IDE access based on project scope using entity hierarchy.
-// With the aligned schema, principals (User, Agent) are flat — scoping is
-// done via resource hierarchy instead of principal hierarchy.
-//
-// Category: organization
-// Namespace: Overwatch
+// Grants IDE access based on project membership using Cedar's entity
+// hierarchy. Resources (Tool, Server, FilePath, etc.) are parented under
+// Project, so \`resource in Project::"..."\` matches all resources scoped
+// to that project.
 //
 // Entity hierarchy required:
 //   Account::"acme-corp"
-//     └── Project::"dev-project"      (in Account)
-//     └── Project::"support-project"  (in Account)
+//     ├── Project::"dev-project"
+//     └── Project::"support-project"
 //
-// Resources (Tool, Server, FilePath, LlmPrompt) are parented under Project,
-// so \`resource in Project::"..."\` matches all resources in that project.
+// Category:  organization
+// Namespace: Overwatch
 // =============================================================================
 
-// Dev Project: Full IDE access - all actions permitted on all resources
-@id("project-dev-full-access")
-@name("Dev project full IDE access")
-@description("Grant full IDE access to all resources within the dev project including tools, prompts, file operations, and server connections")
+@id("organization.allow-dev-project")
+@name("Permit dev project full access")
+@description("Permits all actions on resources scoped to Project::\\"dev-project\\".")
 @severity("medium")
-@tags("rebac,project,dev,permissions,organization")
+@tags("category:organization,scope:per-tool,posture:deny-default")
 permit (
     principal,
     action,
     resource in Overwatch::Project::"dev-project"
 );
 
-// Support Project: Read-only access - process prompts and read files only
-@id("project-support-read-only")
-@name("Support project read-only access")
-@description("Grant read-only access to support project resources limited to prompt processing and file reading")
+@id("organization.allow-support-project-read")
+@name("Permit support project read-only access")
+@description("Permits process_prompt and read_file actions on resources scoped to Project::\\"support-project\\".")
 @severity("medium")
-@tags("rebac,project,support,read-only,organization")
+@tags("category:organization,scope:per-tool,posture:deny-default")
 permit (
     principal,
     action in [Overwatch::Action::"process_prompt", Overwatch::Action::"read_file"],
     resource in Overwatch::Project::"support-project"
 );
 `;
-const OVERWATCH_ORG_AGENT_GUARDRAILS_CEDAR = `// Agent-Specific Guardrails
-// Apply per-agent security policies based on agent identity
-// Category: organization
-// Namespace: Overwatch
+const OVERWATCH_AGENT_IDENTITY_AGENT_GUARDRAILS_CEDAR = `// =============================================================================
+// Agent-Specific Guardrails
+// =============================================================================
+// Per-agent security policies applied based on the agent identity. Different
+// agents have different risk profiles — these template rules cover Claude
+// (injection focus) and Cursor (PII focus); customize the agent IDs for
+// your deployment.
+//
+// Context keys consumed:
+//   - detected_threats:  Set<String>
+//   - threat_categories: Set<String>
 //
-// Different agents have different risk profiles:
-//   Claude Code → prompt injection detection
-//   Cursor      → PII leakage detection
+// Category:  agent-identity
+// Namespace: Overwatch
+// =============================================================================
 
-// Claude Code: Block prompt injection attempts
-@id("agent-claude-block-injection")
-@name("Claude Code injection guardrail")
-@description("Block prompt injection attempts specifically for Claude Code agent")
+@id("agent-identity.claude-block-injection")
+@name("Block injection on Claude agent")
+@description("Blocks process_prompt for the Claude agent when detected_threats contains \\"prompt_injection\\".")
 @severity("critical")
-@tags("rebac,agent,claude,injection,guardrail,organization")
+@tags("category:agent-identity,threat:injection,scope:per-agent,detection:rule,surface:process-prompt,owasp:llm01")
+@reject_message("Prompt blocked: prompt injection detected for the Claude agent.")
 forbid (
     principal == Overwatch::Agent::"claude",
     action == Overwatch::Action::"process_prompt",
     resource
 )
 when {
-    context.detected_threats.contains("prompt_injection")
+    context has detected_threats && context.detected_threats.contains("prompt_injection")
 };
 
-// Cursor: Block PII leakage
-@id("agent-cursor-block-pii")
-@name("Cursor PII guardrail")
-@description("Block PII content in Cursor agent prompts to prevent data leakage")
+@id("agent-identity.cursor-block-pii")
+@name("Block PII on Cursor agent")
+@description("Blocks process_prompt for the Cursor agent when threat_categories contains \\"pii\\".")
 @severity("critical")
-@tags("rebac,agent,cursor,pii,guardrail,organization")
+@tags("category:agent-identity,threat:pii,scope:per-agent,detection:rule,surface:process-prompt,compliance:gdpr")
+@reject_message("Prompt blocked: PII detected for the Cursor agent — prevents leakage through code agent prompts.")
 forbid (
     principal == Overwatch::Agent::"cursor",
     action == Overwatch::Action::"process_prompt",
     resource
 )
 when {
-    context.threat_categories.contains("pii")
+    context has threat_categories && context.threat_categories.contains("pii")
 };
 `;
 // =============================================================================
 // CATEGORIES
 // =============================================================================
 export const OVERWATCH_CATEGORIES = [
-    { id: 'secrets', name: 'Secrets Detection', description: 'Detect and block credentials, tokens, API keys, and sensitive key patterns in prompts, tool calls, and file operations' },
-    { id: 'pii', name: 'PII Detection', description: 'Detect and block personally identifiable information (PII) such as credit card numbers, SSNs, and other sensitive data' },
-    { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block injection attacks, prompt injection, jailbreak attempts, and unsafe content' },
-    { id: 'tools', name: 'Tool Permissioning', description: 'Control access to shell execution, file operations, MCP servers, and sensitive system paths' },
-    { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines, team permissions, and agent-specific guardrails' },
+    { id: 'data-protection', name: 'Secrets & Data Protection', description: 'Block credential leakage and protect sensitive file paths.' },
+    { id: 'privacy', name: 'PII Detection', description: 'Block personally identifiable information across prompts, tool calls, and file operations.' },
+    { id: 'semantic', name: 'Semantic Threat Detection', description: 'Block injection attacks (command, SQL, path traversal, encoded), prompt injection, and jailbreak attempts.' },
+    { id: 'trust-safety', name: 'Content Safety', description: 'Block violent, hateful, sexual, criminal, or excessively profane content.' },
+    { id: 'tools', name: 'Tool Permissioning', description: 'Control shell execution, file operations, MCP servers, and sensitive system paths.' },
+    { id: 'agent-identity', name: 'Agent-Specific Guardrails', description: 'Per-agent security policies applied based on agent identity.' },
+    { id: 'organization', name: 'Organization', description: 'Organization-wide baselines, audit, and project-scoped permissions.' },
 ];
 // =============================================================================
 // DEFAULT POLICIES
 // =============================================================================
 export const OVERWATCH_DEFAULTS = [
     {
-        id: 'baseline-default',
+        id: 'organization.permit-baseline',
         name: 'Baseline Permit',
-        description: 'Permits all actions by default — threat-specific forbid policies override this when threats are detected',
+        description: 'Permits all actions by default; threat-specific forbid policies override this when detectors fire.',
         category: 'organization',
-        cedarText: OVERWATCH_BASELINE_DEFAULT_CEDAR,
+        cedarText: OVERWATCH_ORGANIZATION_PERMIT_BASELINE_CEDAR,
         severity: 'low',
-        tags: ['baseline', 'permit-default', 'organization'],
+        tags: ['category:organization', 'posture:permit-default'],
         isActive: true,
     },
 ];
@@ -1051,104 +994,122 @@ export const OVERWATCH_DEFAULTS = [
 // =============================================================================
 export const OVERWATCH_TEMPLATES = [
     {
-        id: 'baseline-default',
+        id: 'organization.permit-baseline',
         name: 'Baseline Permit',
-        description: 'Permits all actions by default — threat-specific forbid policies override this when threats are detected',
+        description: 'Permits all actions by default; threat-specific forbid policies override this when detectors fire.',
         category: 'organization',
-        cedarText: OVERWATCH_BASELINE_DEFAULT_CEDAR,
+        cedarText: OVERWATCH_ORGANIZATION_PERMIT_BASELINE_CEDAR,
         severity: 'low',
-        tags: ['baseline', 'permit-default', 'organization'],
+        tags: ['category:organization', 'posture:permit-default'],
         autoDeploy: true,
     },
     {
-        id: 'secrets-default',
+        id: 'data-protection.defaults',
         name: 'Secrets Detection',
-        description: 'Detect and block credential leakage (secrets_leakage, ssh_key_exposure, pem_file_access, environment_variable_leakage) and sensitive file path protection',
-        category: 'secrets',
-        cedarText: OVERWATCH_SECRETS_DEFAULT_CEDAR,
+        description: 'Block credential leakage across prompts, tool calls, and file operations; SSH/PEM key blocks; env-var secrets; credential paths.',
+        category: 'data-protection',
+        cedarText: OVERWATCH_DATA_PROTECTION_DEFAULTS_CEDAR,
         severity: 'critical',
-        tags: ['secrets', 'credentials', 'aws', 'github', 'ssh', 'pem', 'baseline'],
+        tags: ['category:data-protection', 'threat:secrets', 'owasp:llm06'],
     },
     {
-        id: 'semantic-default',
+        id: 'semantic.defaults',
         name: 'Semantic Threat Detection',
-        description: 'Detect and block injection attacks (command, SQL, path traversal), prompt injection, jailbreak, and unsafe content (violence, hate speech, etc.)',
+        description: 'Block injection attacks (command, SQL, path, encoded) plus ML-detected prompt injection and jailbreak attempts.',
         category: 'semantic',
-        cedarText: OVERWATCH_SEMANTIC_DEFAULT_CEDAR,
+        cedarText: OVERWATCH_SEMANTIC_DEFAULTS_CEDAR,
+        severity: 'critical',
+        tags: ['category:semantic', 'threat:injection', 'threat:jailbreak', 'owasp:llm01', 'owasp:llm02'],
+    },
+    {
+        id: 'trust-safety.defaults',
+        name: 'Content Safety',
+        description: 'Block violent, hateful, sexual, criminal content plus excessive profanity using ML classifier scores.',
+        category: 'trust-safety',
+        cedarText: OVERWATCH_TRUST_SAFETY_DEFAULTS_CEDAR,
         severity: 'critical',
-        tags: ['injection', 'jailbreak', 'content-safety', 'ml', 'owasp-llm01', 'owasp-llm02', 'baseline'],
+        tags: ['category:trust-safety', 'threat:harmful', 'compliance:eu-ai-act', 'compliance:iso-42001'],
     },
     {
-        id: 'tools-default',
+        id: 'tools.defaults',
         name: 'Tool Permissioning',
-        description: 'Block access to sensitive system paths and tool calls with high-severity threats. Includes opt-in shell blocking and destructive operation blocking.',
+        description: 'Block sensitive system-path file access and destructive MCP file-operation tools.',
         category: 'tools',
-        cedarText: OVERWATCH_TOOLS_DEFAULT_CEDAR,
+        cedarText: OVERWATCH_TOOLS_DEFAULTS_CEDAR,
         severity: 'high',
-        tags: ['tools', 'file-access', 'system-paths', 'severity', 'baseline'],
+        tags: ['category:tools', 'threat:path-traversal', 'detection:pattern', 'mitre:t1005', 'owasp:asi02'],
+    },
+    {
+        id: 'tools.block-shell',
+        name: 'Block shell and command execution',
+        description: 'Blocks call_tool when tool_name is shell, bash, sh, terminal, cmd, or powershell.',
+        category: 'tools',
+        cedarText: OVERWATCH_TOOLS_BLOCK_SHELL_CEDAR,
+        severity: 'critical',
+        tags: ['category:tools', 'threat:command-injection', 'detection:rule', 'surface:call-tool', 'owasp:llm06', 'mitre:t1059'],
     },
     {
-        id: 'pii-default',
+        id: 'privacy.defaults',
         name: 'PII Detection',
-        description: 'Detect and block credit card numbers, SSNs, health data, and other PII in prompts, tool calls, and file operations',
-        category: 'pii',
-        cedarText: OVERWATCH_PII_DEFAULT_CEDAR,
+        description: 'Block credit card numbers, SSNs, passport numbers, IBANs, email/phone/DOB, and IP addresses across actions.',
+        category: 'privacy',
+        cedarText: OVERWATCH_PRIVACY_DEFAULTS_CEDAR,
         severity: 'critical',
-        tags: ['pii', 'privacy', 'compliance', 'pci-dss', 'gdpr', 'hipaa', 'baseline'],
+        tags: ['category:privacy', 'threat:pii', 'compliance:pci-dss', 'compliance:gdpr', 'compliance:hipaa'],
     },
     {
-        id: 'tools-mcp-allowlist',
+        id: 'tools.mcp-server-allowlist',
         name: 'MCP Server Allowlist',
-        description: 'Only allow specific MCP servers to be used',
+        description: 'Allow only specific MCP servers to be used; customize the allowlist.',
         category: 'tools',
-        cedarText: OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR,
+        cedarText: OVERWATCH_TOOLS_MCP_SERVER_ALLOWLIST_CEDAR,
         severity: 'medium',
-        tags: ['mcp', 'allowlist', 'whitelist'],
+        tags: ['category:tools', 'scope:org-wide', 'posture:deny-default'],
     },
     {
-        id: 'tools-mcp-tool-permissions',
+        id: 'tools.mcp-tool-permissions',
         name: 'MCP Tool Permissions',
-        description: 'Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.',
+        description: 'Permit MCP call_tool by default plus two safety rails (org-wide exclusion, unverified server block).',
         category: 'tools',
         cedarText: OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
-        severity: 'low',
-        tags: ['mcp', 'tools', 'permit-default', 'exclusion'],
+        severity: 'critical',
+        tags: ['category:tools', 'threat:supply-chain', 'posture:permit-default'],
     },
     {
-        id: 'org-default-deny',
+        id: 'organization.deny-baseline',
         name: 'Default Deny All',
-        description: 'Organization-wide baseline: deny all unless explicitly permitted',
+        description: 'Organization-wide deny baseline; combine with scoped permit rules for deny-by-default posture.',
         category: 'organization',
-        cedarText: OVERWATCH_ORG_DEFAULT_DENY_CEDAR,
+        cedarText: OVERWATCH_ORGANIZATION_DENY_BASELINE_CEDAR,
         severity: 'high',
-        tags: ['baseline', 'security', 'deny-by-default'],
+        tags: ['category:organization', 'posture:deny-default', 'scope:org-wide'],
     },
     {
-        id: 'org-audit-all',
+        id: 'organization.audit-all',
         name: 'Audit All Actions',
-        description: 'Log all agent actions for compliance and monitoring',
+        description: 'Permit and audit all agent actions for compliance and monitoring.',
         category: 'organization',
-        cedarText: OVERWATCH_ORG_AUDIT_ALL_CEDAR,
+        cedarText: OVERWATCH_ORGANIZATION_AUDIT_ALL_CEDAR,
         severity: 'low',
-        tags: ['audit', 'compliance', 'logging'],
+        tags: ['category:organization', 'posture:permit-default', 'compliance:soc2'],
     },
     {
-        id: 'org-team-permissions',
-        name: 'Team-Based Permissions (ReBAC)',
-        description: 'Grant IDE access based on team membership using entity hierarchy - supports dev team full access and support team read-only',
+        id: 'organization.team-permissions',
+        name: 'Project-Based Permissions (ReBAC)',
+        description: 'Grant IDE access based on project scope using Cedar entity hierarchy — example dev/support project split.',
         category: 'organization',
-        cedarText: OVERWATCH_ORG_TEAM_PERMISSIONS_CEDAR,
+        cedarText: OVERWATCH_ORGANIZATION_TEAM_PERMISSIONS_CEDAR,
         severity: 'medium',
-        tags: ['rebac', 'team', 'permissions', 'hierarchy'],
+        tags: ['category:organization', 'scope:per-tool', 'posture:deny-default'],
     },
     {
-        id: 'org-agent-guardrails',
+        id: 'agent-identity.agent-guardrails',
         name: 'Agent-Specific Guardrails',
-        description: 'Apply per-agent security guardrails - injection blocking for Claude, PII blocking for Cursor',
-        category: 'organization',
-        cedarText: OVERWATCH_ORG_AGENT_GUARDRAILS_CEDAR,
+        description: 'Per-agent security guardrails — injection blocking for Claude, PII blocking for Cursor. Customize agent IDs for your deployment.',
+        category: 'agent-identity',
+        cedarText: OVERWATCH_AGENT_IDENTITY_AGENT_GUARDRAILS_CEDAR,
         severity: 'critical',
-        tags: ['rebac', 'agent', 'guardrails', 'per-agent'],
+        tags: ['category:agent-identity', 'scope:per-agent', 'threat:injection', 'threat:pii'],
     },
 ];
 // =============================================================================
@@ -1157,147 +1118,226 @@ export const OVERWATCH_TEMPLATES = [
 /** Raw templates.json metadata for the Overwatch service. */
 export const OVERWATCH_TEMPLATES_JSON = `{
   "service": "overwatch",
-  "version": "4.0.0",
+  "version": "5.0.0",
   "description": "Overwatch policy templates for IDE agent security",
   "categories": [
     {
-      "id": "secrets",
-      "name": "Secrets Detection",
-      "description": "Detect and block credentials, tokens, API keys, and sensitive key patterns in prompts, tool calls, and file operations"
+      "id": "data-protection",
+      "name": "Secrets & Data Protection",
+      "description": "Block credential leakage and protect sensitive file paths."
     },
     {
-      "id": "pii",
+      "id": "privacy",
       "name": "PII Detection",
-      "description": "Detect and block personally identifiable information (PII) such as credit card numbers, SSNs, and other sensitive data"
+      "description": "Block personally identifiable information across prompts, tool calls, and file operations."
     },
     {
       "id": "semantic",
       "name": "Semantic Threat Detection",
-      "description": "Detect and block injection attacks, prompt injection, jailbreak attempts, and unsafe content"
+      "description": "Block injection attacks (command, SQL, path traversal, encoded), prompt injection, and jailbreak attempts."
+    },
+    {
+      "id": "trust-safety",
+      "name": "Content Safety",
+      "description": "Block violent, hateful, sexual, criminal, or excessively profane content."
     },
     {
       "id": "tools",
       "name": "Tool Permissioning",
-      "description": "Control access to shell execution, file operations, MCP servers, and sensitive system paths"
+      "description": "Control shell execution, file operations, MCP servers, and sensitive system paths."
+    },
+    {
+      "id": "agent-identity",
+      "name": "Agent-Specific Guardrails",
+      "description": "Per-agent security policies applied based on agent identity."
     },
     {
       "id": "organization",
-      "name": "Organization Rules",
-      "description": "Apply organization-wide policy baselines, team permissions, and agent-specific guardrails"
+      "name": "Organization",
+      "description": "Organization-wide baselines, audit, and project-scoped permissions."
     }
   ],
   "defaults": [
     {
-      "id": "baseline-default",
+      "id": "organization.permit-baseline",
       "name": "Baseline Permit",
-      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
+      "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
       "category": "organization",
       "file": "defaults/baseline.cedar",
       "severity": "low",
-      "tags": ["baseline", "permit-default", "organization"],
+      "tags": ["category:organization", "posture:permit-default"],
       "is_active": true
     }
   ],
   "templates": [
     {
-      "id": "baseline-default",
+      "id": "organization.permit-baseline",
       "name": "Baseline Permit",
-      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
+      "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
       "category": "organization",
       "file": "defaults/baseline.cedar",
       "severity": "low",
-      "tags": ["baseline", "permit-default", "organization"],
+      "tags": ["category:organization", "posture:permit-default"],
       "auto_deploy": true
     },
     {
-      "id": "secrets-default",
+      "id": "data-protection.defaults",
       "name": "Secrets Detection",
-      "description": "Detect and block credential leakage (secrets_leakage, ssh_key_exposure, pem_file_access, environment_variable_leakage) and sensitive file path protection",
-      "category": "secrets",
+      "description": "Block credential leakage across prompts, tool calls, and file operations; SSH/PEM key blocks; env-var secrets; credential paths.",
+      "category": "data-protection",
       "file": "defaults/secrets.cedar",
       "severity": "critical",
-      "tags": ["secrets", "credentials", "aws", "github", "ssh", "pem", "baseline"]
+      "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
     },
     {
-      "id": "semantic-default",
+      "id": "semantic.defaults",
       "name": "Semantic Threat Detection",
-      "description": "Detect and block injection attacks (command, SQL, path traversal), prompt injection, jailbreak, and unsafe content (violence, hate speech, etc.)",
+      "description": "Block injection attacks (command, SQL, path, encoded) plus ML-detected prompt injection and jailbreak attempts.",
       "category": "semantic",
       "file": "defaults/semantic.cedar",
       "severity": "critical",
-      "tags": ["injection", "jailbreak", "content-safety", "ml", "owasp-llm01", "owasp-llm02", "baseline"]
+      "tags": [
+        "category:semantic",
+        "threat:injection",
+        "threat:jailbreak",
+        "owasp:llm01",
+        "owasp:llm02"
+      ]
     },
     {
-      "id": "tools-default",
+      "id": "trust-safety.defaults",
+      "name": "Content Safety",
+      "description": "Block violent, hateful, sexual, criminal content plus excessive profanity using ML classifier scores.",
+      "category": "trust-safety",
+      "file": "defaults/content_safety.cedar",
+      "severity": "critical",
+      "tags": [
+        "category:trust-safety",
+        "threat:harmful",
+        "compliance:eu-ai-act",
+        "compliance:iso-42001"
+      ]
+    },
+    {
+      "id": "tools.defaults",
       "name": "Tool Permissioning",
-      "description": "Block access to sensitive system paths and tool calls with high-severity threats. Includes opt-in shell blocking and destructive operation blocking.",
+      "description": "Block sensitive system-path file access and destructive MCP file-operation tools.",
       "category": "tools",
       "file": "defaults/tools.cedar",
       "severity": "high",
-      "tags": ["tools", "file-access", "system-paths", "severity", "baseline"]
+      "tags": [
+        "category:tools",
+        "threat:path-traversal",
+        "detection:pattern",
+        "mitre:t1005",
+        "owasp:asi02"
+      ]
     },
     {
-      "id": "pii-default",
+      "id": "tools.block-shell",
+      "name": "Block shell and command execution",
+      "description": "Blocks call_tool when tool_name is shell, bash, sh, terminal, cmd, or powershell.",
+      "category": "tools",
+      "file": "tools_shell_block.cedar",
+      "severity": "critical",
+      "tags": [
+        "category:tools",
+        "threat:command-injection",
+        "detection:rule",
+        "surface:call-tool",
+        "owasp:llm06",
+        "mitre:t1059"
+      ]
+    },
+    {
+      "id": "privacy.defaults",
       "name": "PII Detection",
-      "description": "Detect and block credit card numbers, SSNs, health data, and other PII in prompts, tool calls, and file operations",
-      "category": "pii",
+      "description": "Block credit card numbers, SSNs, passport numbers, IBANs, email/phone/DOB, and IP addresses across actions.",
+      "category": "privacy",
       "file": "defaults/pii.cedar",
       "severity": "critical",
-      "tags": ["pii", "privacy", "compliance", "pci-dss", "gdpr", "hipaa", "baseline"]
+      "tags": [
+        "category:privacy",
+        "threat:pii",
+        "compliance:pci-dss",
+        "compliance:gdpr",
+        "compliance:hipaa"
+      ]
     },
     {
-      "id": "tools-mcp-allowlist",
+      "id": "tools.mcp-server-allowlist",
       "name": "MCP Server Allowlist",
-      "description": "Only allow specific MCP servers to be used",
+      "description": "Allow only specific MCP servers to be used; customize the allowlist.",
       "category": "tools",
       "file": "mcp_server_allowlist.cedar",
       "severity": "medium",
-      "tags": ["mcp", "allowlist", "whitelist"]
+      "tags": ["category:tools", "scope:org-wide", "posture:deny-default"]
     },
     {
-      "id": "tools-mcp-tool-permissions",
+      "id": "tools.mcp-tool-permissions",
       "name": "MCP Tool Permissions",
-      "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
+      "description": "Permit MCP call_tool by default plus two safety rails (org-wide exclusion, unverified server block).",
       "category": "tools",
       "file": "mcp_tool_permissions.cedar",
-      "severity": "low",
-      "tags": ["mcp", "tools", "permit-default", "exclusion"]
+      "severity": "critical",
+      "tags": [
+        "category:tools",
+        "threat:supply-chain",
+        "posture:permit-default"
+      ]
     },
     {
-      "id": "org-default-deny",
+      "id": "organization.deny-baseline",
       "name": "Default Deny All",
-      "description": "Organization-wide baseline: deny all unless explicitly permitted",
+      "description": "Organization-wide deny baseline; combine with scoped permit rules for deny-by-default posture.",
       "category": "organization",
       "file": "default_deny_all.cedar",
       "severity": "high",
-      "tags": ["baseline", "security", "deny-by-default"]
+      "tags": [
+        "category:organization",
+        "posture:deny-default",
+        "scope:org-wide"
+      ]
     },
     {
-      "id": "org-audit-all",
+      "id": "organization.audit-all",
       "name": "Audit All Actions",
-      "description": "Log all agent actions for compliance and monitoring",
+      "description": "Permit and audit all agent actions for compliance and monitoring.",
       "category": "organization",
       "file": "audit_all_actions.cedar",
       "severity": "low",
-      "tags": ["audit", "compliance", "logging"]
+      "tags": [
+        "category:organization",
+        "posture:permit-default",
+        "compliance:soc2"
+      ]
     },
     {
-      "id": "org-team-permissions",
-      "name": "Team-Based Permissions (ReBAC)",
-      "description": "Grant IDE access based on team membership using entity hierarchy - supports dev team full access and support team read-only",
+      "id": "organization.team-permissions",
+      "name": "Project-Based Permissions (ReBAC)",
+      "description": "Grant IDE access based on project scope using Cedar entity hierarchy — example dev/support project split.",
       "category": "organization",
       "file": "team_permissions.cedar",
       "severity": "medium",
-      "tags": ["rebac", "team", "permissions", "hierarchy"]
+      "tags": [
+        "category:organization",
+        "scope:per-tool",
+        "posture:deny-default"
+      ]
     },
     {
-      "id": "org-agent-guardrails",
+      "id": "agent-identity.agent-guardrails",
       "name": "Agent-Specific Guardrails",
-      "description": "Apply per-agent security guardrails - injection blocking for Claude, PII blocking for Cursor",
-      "category": "organization",
+      "description": "Per-agent security guardrails — injection blocking for Claude, PII blocking for Cursor. Customize agent IDs for your deployment.",
+      "category": "agent-identity",
       "file": "agent_guardrails.cedar",
       "severity": "critical",
-      "tags": ["rebac", "agent", "guardrails", "per-agent"]
+      "tags": [
+        "category:agent-identity",
+        "scope:per-agent",
+        "threat:injection",
+        "threat:pii"
+      ]
     }
   ]
 }