@highflame/policy 2.1.37 → 2.1.38
- package/dist/overwatch-defaults.gen.js +147 -81
- package/package.json +1 -1
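--- a/package/dist/overwatch-defaults.gen.js
+++ b/package/dist/overwatch-defaults.gen.js
@@ -171,17 +171,21 @@ when {
 
 @id("data-protection.block-env-file-paths")
 @name("Block dotenv file access")
-@description("Blocks read_file and write_file when path matches
+@description("Blocks read_file and write_file when path matches a .env file or .env.<suffix> variant.")
 @severity("high")
 @tags("category:data-protection,threat:secrets,detection:pattern,compliance:nist-si-3")
-@reject_message("File access blocked: .env file targeted
+@reject_message("File access blocked: .env file targeted, these files typically contain secrets and database credentials.")
 forbid (
 principal,
 action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
 resource
 )
 when {
-context has path &&
+context has path &&
+(
+context.path like "*.env" ||
+context.path like "*.env.*"
+)
 };
 `;
 const OVERWATCH_SEMANTIC_DEFAULTS_CEDAR = `// =============================================================================
@@ -455,58 +459,60 @@ when {
 const OVERWATCH_TOOLS_DEFAULTS_CEDAR = `// =============================================================================
 // Tool Permissioning (Default)
 // =============================================================================
-//
-//
-//
+// Sensitive system-path file access and destructive MCP file-operation
+// blocking. Shell-execution blocking lives in tools_shell_block.cedar as a
+// separate opt-in template and is not bundled with this default.
 //
 // Context keys consumed:
-// -
-// -
-// - max_threat_severity: Long (0-4)
+// - path: String
+// - tool_name: String
 //
 // Compliance:
 // - NIST 800-53 AC-3, AC-6, CM-7
-// - OWASP
-// - MITRE ATT&CK T1059, T1005
+// - OWASP ASI02; MITRE ATT&CK T1005
 //
 // Category: tools
 // Namespace: Overwatch
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1:
+// Section 1: Sensitive system paths
 // ---------------------------------------------------------------------------
 
-@id("tools.block-
-@name("Block
-@description("Blocks
-@severity("
-@tags("category:tools,threat:
-@reject_message("
+@id("tools.block-system-paths")
+@name("Block system directory access")
+@description("Blocks read_file and write_file when path matches a sensitive Linux or macOS system directory.")
+@severity("high")
+@tags("category:tools,threat:path-traversal,detection:pattern,mitre:t1005")
+@reject_message("File access blocked: sensitive system directory targeted (/etc, /proc, /sys, /root, /var, /System, /Library, /private).")
 forbid (
 principal,
-action
+action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file"],
 resource
 )
 when {
-context has
+context has path &&
 (
-context.
-context.
-context.
-context.
-context.
-context.
+context.path like "/etc/*" ||
+context.path like "/proc/*" ||
+context.path like "/sys/*" ||
+context.path like "/root/*" ||
+context.path like "/var/log/*" ||
+context.path like "/var/run/*" ||
+context.path like "/private/etc/*" ||
+context.path like "/private/var/*" ||
+context.path like "/Library/*" ||
+context.path like "/System/*"
 )
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: Destructive file operations
+// Section 2: Destructive MCP file operations
 // ---------------------------------------------------------------------------
 
 @id("tools.block-destructive-ops")
 @name("Block destructive file operations")
-@description("Blocks call_tool when tool_name is a destructive file operation.")
+@description("Blocks call_tool when tool_name is a destructive MCP file operation.")
 @severity("high")
 @tags("category:tools,detection:rule,surface:call-tool,owasp:asi02")
 @reject_message("Tool execution blocked: destructive file operations (delete, rmdir, unlink) require explicit human approval.")
@@ -526,56 +532,47 @@ when {
 context.tool_name == "remove_directory"
 )
 };
+`;
+const OVERWATCH_TOOLS_BLOCK_SHELL_CEDAR = `// =============================================================================
+// Tool Permissioning — Shell execution block (Opt-in)
+// =============================================================================
+// Blocks shell and command execution tools. Inactive unless explicitly enabled
+// because it blocks ALL shell access (including safe commands like git and
+// echo). Intended for high-security environments where shell access is
+// prohibited.
+//
+// Context keys consumed:
+// - tool_name: String
+//
+// Compliance:
+// - NIST 800-53 CM-7; OWASP LLM06; MITRE ATT&CK T1059
+//
+// Category: tools
+// Namespace: Overwatch
+// =============================================================================
 
-
-
-
-
-@
-@
-@description("Blocks read_file and write_file when path matches a sensitive Linux or macOS system directory.")
-@severity("high")
-@tags("category:tools,threat:path-traversal,detection:pattern,mitre:t1005")
-@reject_message("File access blocked: sensitive system directory targeted (/etc, /proc, /sys, /root, /var, /System, /Library, /private).")
+@id("tools.block-shell")
+@name("Block shell and command execution")
+@description("Blocks call_tool when tool_name is shell, bash, sh, terminal, cmd, or powershell.")
+@severity("critical")
+@tags("category:tools,threat:command-injection,detection:rule,surface:call-tool,owasp:llm06,mitre:t1059")
+@reject_message("Tool execution blocked: shell/command execution is restricted in this environment.")
 forbid (
 principal,
-action
+action == Overwatch::Action::"call_tool",
 resource
 )
 when {
-context has
+context has tool_name &&
 (
-context.
-context.
-context.
-context.
-context.
-context.
-context.path like "/private/etc/*" ||
-context.path like "/private/var/*" ||
-context.path like "/Library/*" ||
-context.path like "/System/*"
+context.tool_name == "shell" ||
+context.tool_name == "bash" ||
+context.tool_name == "sh" ||
+context.tool_name == "terminal" ||
+context.tool_name == "cmd" ||
+context.tool_name == "powershell"
 )
 };
-
-// ---------------------------------------------------------------------------
-// Section 4: Threat-severity catch-all
-// ---------------------------------------------------------------------------
-
-@id("tools.block-high-severity")
-@name("Block high-severity tool calls")
-@description("Blocks call_tool when max_threat_severity >= 3.")
-@severity("high")
-@tags("category:tools,detection:aggregate,surface:call-tool,posture:catch-all")
-@reject_message("Tool execution blocked: high or critical severity threats detected in content.")
-forbid (
-principal,
-action == Overwatch::Action::"call_tool",
-resource
-)
-when {
-context has max_threat_severity && context.max_threat_severity >= 3
-};
 `;
 const OVERWATCH_PRIVACY_DEFAULTS_CEDAR = `// =============================================================================
 // PII Detection (Default)
@@ -1036,11 +1033,20 @@ export const OVERWATCH_TEMPLATES = [
 {
 id: 'tools.defaults',
 name: 'Tool Permissioning',
-description: 'Block sensitive system
+description: 'Block sensitive system-path file access and destructive MCP file-operation tools.',
 category: 'tools',
 cedarText: OVERWATCH_TOOLS_DEFAULTS_CEDAR,
+severity: 'high',
+tags: ['category:tools', 'threat:path-traversal', 'detection:pattern', 'mitre:t1005', 'owasp:asi02'],
+},
+{
+id: 'tools.block-shell',
+name: 'Block shell and command execution',
+description: 'Blocks call_tool when tool_name is shell, bash, sh, terminal, cmd, or powershell.',
+category: 'tools',
+cedarText: OVERWATCH_TOOLS_BLOCK_SHELL_CEDAR,
 severity: 'critical',
-tags: ['category:tools', 'threat:command-injection', 'owasp:llm06'],
+tags: ['category:tools', 'threat:command-injection', 'detection:rule', 'surface:call-tool', 'owasp:llm06', 'mitre:t1059'],
 },
 {
 id: 'privacy.defaults',
@@ -1190,7 +1196,13 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "semantic",
 "file": "defaults/semantic.cedar",
 "severity": "critical",
-"tags": [
+"tags": [
+"category:semantic",
+"threat:injection",
+"threat:jailbreak",
+"owasp:llm01",
+"owasp:llm02"
+]
 },
 {
 "id": "trust-safety.defaults",
@@ -1199,16 +1211,43 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "trust-safety",
 "file": "defaults/content_safety.cedar",
 "severity": "critical",
-"tags": [
+"tags": [
+"category:trust-safety",
+"threat:harmful",
+"compliance:eu-ai-act",
+"compliance:iso-42001"
+]
 },
 {
 "id": "tools.defaults",
 "name": "Tool Permissioning",
-"description": "Block sensitive system
+"description": "Block sensitive system-path file access and destructive MCP file-operation tools.",
 "category": "tools",
 "file": "defaults/tools.cedar",
+"severity": "high",
+"tags": [
+"category:tools",
+"threat:path-traversal",
+"detection:pattern",
+"mitre:t1005",
+"owasp:asi02"
+]
+},
+{
+"id": "tools.block-shell",
+"name": "Block shell and command execution",
+"description": "Blocks call_tool when tool_name is shell, bash, sh, terminal, cmd, or powershell.",
+"category": "tools",
+"file": "tools_shell_block.cedar",
 "severity": "critical",
-"tags": [
+"tags": [
+"category:tools",
+"threat:command-injection",
+"detection:rule",
+"surface:call-tool",
+"owasp:llm06",
+"mitre:t1059"
+]
 },
 {
 "id": "privacy.defaults",
@@ -1217,7 +1256,13 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "privacy",
 "file": "defaults/pii.cedar",
 "severity": "critical",
-"tags": [
+"tags": [
+"category:privacy",
+"threat:pii",
+"compliance:pci-dss",
+"compliance:gdpr",
+"compliance:hipaa"
+]
 },
 {
 "id": "tools.mcp-server-allowlist",
@@ -1235,7 +1280,11 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "tools",
 "file": "mcp_tool_permissions.cedar",
 "severity": "critical",
-"tags": [
+"tags": [
+"category:tools",
+"threat:supply-chain",
+"posture:permit-default"
+]
 },
 {
 "id": "organization.deny-baseline",
@@ -1244,7 +1293,11 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "organization",
 "file": "default_deny_all.cedar",
 "severity": "high",
-"tags": [
+"tags": [
+"category:organization",
+"posture:deny-default",
+"scope:org-wide"
+]
 },
 {
 "id": "organization.audit-all",
@@ -1253,7 +1306,11 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "organization",
 "file": "audit_all_actions.cedar",
 "severity": "low",
-"tags": [
+"tags": [
+"category:organization",
+"posture:permit-default",
+"compliance:soc2"
+]
 },
 {
 "id": "organization.team-permissions",
@@ -1262,7 +1319,11 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "organization",
 "file": "team_permissions.cedar",
 "severity": "medium",
-"tags": [
+"tags": [
+"category:organization",
+"scope:per-tool",
+"posture:deny-default"
+]
 },
 {
 "id": "agent-identity.agent-guardrails",
@@ -1271,7 +1332,12 @@ export const OVERWATCH_TEMPLATES_JSON = `{
 "category": "agent-identity",
 "file": "agent_guardrails.cedar",
 "severity": "critical",
-"tags": [
+"tags": [
+"category:agent-identity",
+"scope:per-agent",
+"threat:injection",
+"threat:pii"
+]
 }
 ]
 }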
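Review bot: The `tools.block-system-paths` rule (and `data-protection.block-env-file-paths`, which has the same shape) matches `context.path` as a raw string with `like`, so its coverage depends entirely on the caller supplying an absolute, canonical path; nothing visible here accounts for `..` segments, repeated slashes, relative paths, symlinks, or case variants on case-insensitive macOS volumes, even though the rule is tagged `threat:path-traversal`. If normalization is not guaranteed upstream, that contract should be stated where the context keys are documented, e.g. `// - path: String (absolute, canonicalized and symlink-resolved by the caller)`. The reject message also names `/var`, while the patterns cover only `/var/log/*`, `/var/run/*` and `/private/var/*`, so either the message or the pattern list should be brought into line. Because this file is generated, the edits belong in the source policy (`defaults/tools.cedar` per the template index) rather than in this bundle.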