@highflame/policy 2.1.42 → 2.1.43

package/dist/overwatch-defaults.gen.js

@@ -574,6 +574,149 @@ when {
     )
 };
 `;
+const OVERWATCH_TOOLS_BASH_OPERATION_CLASSES_CEDAR = `// =============================================================================
+// Tool Permissioning: Bash AST operation classes (Opt-in)
+// =============================================================================
+// Tiered shell control driven by Shield's bash_ast classifier. The classifier
+// parses every shell command (bash, sh, zsh, dash) into an AST and emits
+// tool_operation_classes, a set drawn from:
+//
+//   readonly | network_access | write_enabling | execute_enabling | unknown
+//
+// One command can carry several classes ("curl -o f https://x" is
+// {network_access, write_enabling}). "unknown" means the classifier saw a
+// command it cannot vouch for (not in its command lists, or variable
+// expanded) and is a reason to deny, never to allow. The set is never empty,
+// so every shell command lands in at least one section below.
+//
+// Posture per class when this template is active:
+//
+//   readonly          -> allowed silently
+//   network_access    -> blocked (Section 1)
+//   write_enabling    -> blocked (Section 2)
+//   execute_enabling  -> step-up human approval (Section 3)
+//   unknown           -> step-up human approval (Section 3)
+//
+// Together, Sections 1 and 3 close the side door where an operation denied
+// as an MCP tool is replayed through the shell: recognized network
+// primitives (curl, ssh, nc) are blocked outright, and unrecognized CLI
+// clients (gh, aws) classify as "unknown" and require human approval. No
+// shell command reaches the network or executes silently unless it is
+// purely read-only.
+//
+// Section 3 carries @step_up_required (AARM R4, CAP-ENF-004): Shield
+// suspends the command and issues an OpenID CIBA challenge; the command
+// runs only after an approver carrying the named AuthN role approves it,
+// and the timeout denies it (fail-closed). Customize before deploying:
+//   - role: must exist in authn.roles ("security_oncall" is a placeholder;
+//     unknown roles reject the policy at deploy time)
+//   - timeout_seconds: default 86400 (24h), bounds [60, 604800]
+//
+// Context keys consumed:
+//   - tool_operation_classes: Set<String>
+//
+// Compliance:
+//   - NIST 800-53 CM-7, AC-6(1); OWASP LLM06, ASI02; MITRE ATT&CK T1059
+//
+// Category:  tools
+// Namespace: Overwatch
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Network access
+// ---------------------------------------------------------------------------
+// Recognized network primitives: curl, wget, ssh, scp, nc, rsync, dig, nmap.
+// Blocking this class forces network operations back through MCP tools,
+// where per-tool policies apply.
+
+@id("tools.block-bash-network")
+@name("Block network access from shell commands")
+@description("Blocks call_tool when the bash AST classifier marks the command network_access (curl, wget, ssh, nc), closing the side door where an operation denied as an MCP tool is replayed through the shell.")
+@severity("high")
+@tags("category:tools,threat:exfiltration,detection:rule,surface:call-tool,owasp:asi02")
+@reject_message("Tool execution blocked: network access from shell commands is restricted; use the approved MCP tool for this operation.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_operation_classes &&
+    context.tool_operation_classes.contains("network_access")
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Filesystem and environment writes
+// ---------------------------------------------------------------------------
+// rm, mv, cp, chmod, dd, sed -i, output redirects (>, >>, &>), and
+// environment mutation (export VAR=val, unset).
+
+@id("tools.block-bash-write")
+@name("Block filesystem and environment writes from shell")
+@description("Blocks call_tool when the bash AST classifier marks the command write_enabling (rm, mv, sed -i, output redirects, environment mutation).")
+@severity("high")
+@tags("category:tools,detection:rule,surface:call-tool,owasp:asi02,mitre:t1059")
+@reject_message("Tool execution blocked: filesystem and environment modification from shell commands is restricted in this environment.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_operation_classes &&
+    context.tool_operation_classes.contains("write_enabling")
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: Execute-enabling and unrecognized commands (step-up approval)
+// ---------------------------------------------------------------------------
+// Process spawning and sub-interpreters ($(...), python3, sudo, PATH=
+// hijacks) plus any command the classifier could not recognize. Routed to
+// human approval rather than blocked: these classes cover a large legitimate
+// surface (build scripts, interpreters, CLI clients), so a human decides.
+//
+// Cedar is deny-overrides and Shield emits step-up only when the decision is
+// Allow, so this permit must not coexist with a forbid on the same classes.
+// To hard-block instead of gating on approval, replace this rule with:
+//
+//   @id("tools.block-bash-execute-unknown")
+//   @name("Block execute-enabling and unknown shell commands")
+//   @description("Blocks call_tool when the bash AST classifier marks the command execute_enabling (spawns processes or sub-interpreters) or unknown (unrecognized or variable-expanded commands).")
+//   @severity("critical")
+//   @tags("category:tools,threat:command-injection,detection:rule,surface:call-tool,owasp:llm06,mitre:t1059")
+//   @reject_message("Tool execution blocked: the shell command spawns processes or contains commands that cannot be classified.")
+//   forbid (
+//       principal,
+//       action == Overwatch::Action::"call_tool",
+//       resource
+//   )
+//   when {
+//       context has tool_operation_classes &&
+//       (
+//           context.tool_operation_classes.contains("execute_enabling") ||
+//           context.tool_operation_classes.contains("unknown")
+//       )
+//   };
+
+@id("tools.allow-bash-step-up")
+@name("Permit risky shell commands with step-up approval")
+@description("Permits call_tool but suspends it for human approval when the bash AST classifier marks the command execute_enabling or unknown; an approver with the configured AuthN role must approve before the command runs.")
+@severity("high")
+@tags("category:tools,threat:command-injection,surface:call-tool,mitre:t1059,step-up")
+@step_up_required("role=security_oncall,timeout_seconds=3600")
+permit (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_operation_classes &&
+    (
+        context.tool_operation_classes.contains("execute_enabling") ||
+        context.tool_operation_classes.contains("unknown")
+    )
+};
+`;
 const OVERWATCH_PRIVACY_DEFAULTS_CEDAR = `// =============================================================================
 // PII Detection (Default)
 // =============================================================================
@@ -1048,6 +1191,15 @@ export const OVERWATCH_TEMPLATES = [
         severity: 'critical',
         tags: ['category:tools', 'threat:command-injection', 'detection:rule', 'surface:call-tool', 'owasp:llm06', 'mitre:t1059'],
     },
+    {
+        id: 'tools.bash-operation-classes',
+        name: 'Bash Operation Class Restrictions',
+        description: 'Tiered shell control from the bash AST classifier: blocks network access and writes, requires step-up approval for execute-enabling or unrecognized commands; closes MCP guardrail bypass via the shell.',
+        category: 'tools',
+        cedarText: OVERWATCH_TOOLS_BASH_OPERATION_CLASSES_CEDAR,
+        severity: 'high',
+        tags: ['category:tools', 'threat:exfiltration', 'threat:command-injection', 'detection:rule', 'surface:call-tool', 'owasp:asi02', 'mitre:t1059', 'step-up'],
+    },
     {
         id: 'privacy.defaults',
         name: 'PII Detection',
@@ -1118,7 +1270,7 @@ export const OVERWATCH_TEMPLATES = [
 /** Raw templates.json metadata for the Overwatch service. */
 export const OVERWATCH_TEMPLATES_JSON = `{
   "service": "overwatch",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "Overwatch policy templates for IDE agent security",
   "categories": [
     {
@@ -1249,6 +1401,24 @@ export const OVERWATCH_TEMPLATES_JSON = `{
         "mitre:t1059"
       ]
     },
+    {
+      "id": "tools.bash-operation-classes",
+      "name": "Bash Operation Class Restrictions",
+      "description": "Tiered shell control from the bash AST classifier: blocks network access and writes, requires step-up approval for execute-enabling or unrecognized commands; closes MCP guardrail bypass via the shell.",
+      "category": "tools",
+      "file": "tools_bash_operation_classes.cedar",
+      "severity": "high",
+      "tags": [
+        "category:tools",
+        "threat:exfiltration",
+        "threat:command-injection",
+        "detection:rule",
+        "surface:call-tool",
+        "owasp:asi02",
+        "mitre:t1059",
+        "step-up"
+      ]
+    },
     {
       "id": "privacy.defaults",
       "name": "PII Detection",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.1.42",
+  "version": "2.1.43",
   "engines": {
     "node": ">=18"
   },