@highflame/policy 2.1.42 → 2.1.44

package/dist/index.d.ts

@@ -5,6 +5,7 @@ export * from './schema.gen.js';
 export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
 export * from './aarm-annotation.js';
+export * from './privilege-catalog.gen.js';
 export * from './engine.js';
 export * from './builder.js';
 export * from './parser.js';

package/dist/index.js

@@ -16,6 +16,9 @@ export * from './aarm-annotations.gen.js';
 // AARM annotation parser/validator (typed parse + fail-closed validation,
 // parity with Go's aarm_annotation.go).
 export * from './aarm-annotation.js';
+// Role -> capability privilege catalog (privilege_scope minted into
+// the trusted-service JWT; checked by role-conditioned Cedar policies).
+export * from './privilege-catalog.gen.js';
 // Non-generated modules (require Node.js)
 export * from './engine.js';
 export * from './builder.js';

package/dist/overwatch-defaults.gen.js

@@ -574,6 +574,149 @@ when {
     )
 };
 `;
+const OVERWATCH_TOOLS_BASH_OPERATION_CLASSES_CEDAR = `// =============================================================================
+// Tool Permissioning: Bash AST operation classes (Opt-in)
+// =============================================================================
+// Tiered shell control driven by Shield's bash_ast classifier. The classifier
+// parses every shell command (bash, sh, zsh, dash) into an AST and emits
+// tool_operation_classes, a set drawn from:
+//
+//   readonly | network_access | write_enabling | execute_enabling | unknown
+//
+// One command can carry several classes ("curl -o f https://x" is
+// {network_access, write_enabling}). "unknown" means the classifier saw a
+// command it cannot vouch for (not in its command lists, or variable
+// expanded) and is a reason to deny, never to allow. The set is never empty,
+// so every shell command lands in at least one section below.
+//
+// Posture per class when this template is active:
+//
+//   readonly          -> allowed silently
+//   network_access    -> blocked (Section 1)
+//   write_enabling    -> blocked (Section 2)
+//   execute_enabling  -> step-up human approval (Section 3)
+//   unknown           -> step-up human approval (Section 3)
+//
+// Together, Sections 1 and 3 close the side door where an operation denied
+// as an MCP tool is replayed through the shell: recognized network
+// primitives (curl, ssh, nc) are blocked outright, and unrecognized CLI
+// clients (gh, aws) classify as "unknown" and require human approval. No
+// shell command reaches the network or executes silently unless it is
+// purely read-only.
+//
+// Section 3 carries @step_up_required (AARM R4, CAP-ENF-004): Shield
+// suspends the command and issues an OpenID CIBA challenge; the command
+// runs only after an approver carrying the named AuthN role approves it,
+// and the timeout denies it (fail-closed). Customize before deploying:
+//   - role: must exist in authn.roles ("security_oncall" is a placeholder;
+//     unknown roles reject the policy at deploy time)
+//   - timeout_seconds: default 86400 (24h), bounds [60, 604800]
+//
+// Context keys consumed:
+//   - tool_operation_classes: Set<String>
+//
+// Compliance:
+//   - NIST 800-53 CM-7, AC-6(1); OWASP LLM06, ASI02; MITRE ATT&CK T1059
+//
+// Category:  tools
+// Namespace: Overwatch
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Network access
+// ---------------------------------------------------------------------------
+// Recognized network primitives: curl, wget, ssh, scp, nc, rsync, dig, nmap.
+// Blocking this class forces network operations back through MCP tools,
+// where per-tool policies apply.
+
+@id("tools.block-bash-network")
+@name("Block network access from shell commands")
+@description("Blocks call_tool when the bash AST classifier marks the command network_access (curl, wget, ssh, nc), closing the side door where an operation denied as an MCP tool is replayed through the shell.")
+@severity("high")
+@tags("category:tools,threat:exfiltration,detection:rule,surface:call-tool,owasp:asi02")
+@reject_message("Tool execution blocked: network access from shell commands is restricted; use the approved MCP tool for this operation.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_operation_classes &&
+    context.tool_operation_classes.contains("network_access")
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Filesystem and environment writes
+// ---------------------------------------------------------------------------
+// rm, mv, cp, chmod, dd, sed -i, output redirects (>, >>, &>), and
+// environment mutation (export VAR=val, unset).
+
+@id("tools.block-bash-write")
+@name("Block filesystem and environment writes from shell")
+@description("Blocks call_tool when the bash AST classifier marks the command write_enabling (rm, mv, sed -i, output redirects, environment mutation).")
+@severity("high")
+@tags("category:tools,detection:rule,surface:call-tool,owasp:asi02,mitre:t1059")
+@reject_message("Tool execution blocked: filesystem and environment modification from shell commands is restricted in this environment.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_operation_classes &&
+    context.tool_operation_classes.contains("write_enabling")
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: Execute-enabling and unrecognized commands (step-up approval)
+// ---------------------------------------------------------------------------
+// Process spawning and sub-interpreters ($(...), python3, sudo, PATH=
+// hijacks) plus any command the classifier could not recognize. Routed to
+// human approval rather than blocked: these classes cover a large legitimate
+// surface (build scripts, interpreters, CLI clients), so a human decides.
+//
+// Cedar is deny-overrides and Shield emits step-up only when the decision is
+// Allow, so this permit must not coexist with a forbid on the same classes.
+// To hard-block instead of gating on approval, replace this rule with:
+//
+//   @id("tools.block-bash-execute-unknown")
+//   @name("Block execute-enabling and unknown shell commands")
+//   @description("Blocks call_tool when the bash AST classifier marks the command execute_enabling (spawns processes or sub-interpreters) or unknown (unrecognized or variable-expanded commands).")
+//   @severity("critical")
+//   @tags("category:tools,threat:command-injection,detection:rule,surface:call-tool,owasp:llm06,mitre:t1059")
+//   @reject_message("Tool execution blocked: the shell command spawns processes or contains commands that cannot be classified.")
+//   forbid (
+//       principal,
+//       action == Overwatch::Action::"call_tool",
+//       resource
+//   )
+//   when {
+//       context has tool_operation_classes &&
+//       (
+//           context.tool_operation_classes.contains("execute_enabling") ||
+//           context.tool_operation_classes.contains("unknown")
+//       )
+//   };
+
+@id("tools.allow-bash-step-up")
+@name("Permit risky shell commands with step-up approval")
+@description("Permits call_tool but suspends it for human approval when the bash AST classifier marks the command execute_enabling or unknown; an approver with the configured AuthN role must approve before the command runs.")
+@severity("high")
+@tags("category:tools,threat:command-injection,surface:call-tool,mitre:t1059,step-up")
+@step_up_required("role=security_oncall,timeout_seconds=3600")
+permit (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_operation_classes &&
+    (
+        context.tool_operation_classes.contains("execute_enabling") ||
+        context.tool_operation_classes.contains("unknown")
+    )
+};
+`;
 const OVERWATCH_PRIVACY_DEFAULTS_CEDAR = `// =============================================================================
 // PII Detection (Default)
 // =============================================================================
@@ -1048,6 +1191,15 @@ export const OVERWATCH_TEMPLATES = [
         severity: 'critical',
         tags: ['category:tools', 'threat:command-injection', 'detection:rule', 'surface:call-tool', 'owasp:llm06', 'mitre:t1059'],
     },
+    {
+        id: 'tools.bash-operation-classes',
+        name: 'Bash Operation Class Restrictions',
+        description: 'Tiered shell control from the bash AST classifier: blocks network access and writes, requires step-up approval for execute-enabling or unrecognized commands; closes MCP guardrail bypass via the shell.',
+        category: 'tools',
+        cedarText: OVERWATCH_TOOLS_BASH_OPERATION_CLASSES_CEDAR,
+        severity: 'high',
+        tags: ['category:tools', 'threat:exfiltration', 'threat:command-injection', 'detection:rule', 'surface:call-tool', 'owasp:asi02', 'mitre:t1059', 'step-up'],
+    },
     {
         id: 'privacy.defaults',
         name: 'PII Detection',
@@ -1118,7 +1270,7 @@ export const OVERWATCH_TEMPLATES = [
 /** Raw templates.json metadata for the Overwatch service. */
 export const OVERWATCH_TEMPLATES_JSON = `{
   "service": "overwatch",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "Overwatch policy templates for IDE agent security",
   "categories": [
     {
@@ -1249,6 +1401,24 @@ export const OVERWATCH_TEMPLATES_JSON = `{
         "mitre:t1059"
       ]
     },
+    {
+      "id": "tools.bash-operation-classes",
+      "name": "Bash Operation Class Restrictions",
+      "description": "Tiered shell control from the bash AST classifier: blocks network access and writes, requires step-up approval for execute-enabling or unrecognized commands; closes MCP guardrail bypass via the shell.",
+      "category": "tools",
+      "file": "tools_bash_operation_classes.cedar",
+      "severity": "high",
+      "tags": [
+        "category:tools",
+        "threat:exfiltration",
+        "threat:command-injection",
+        "detection:rule",
+        "surface:call-tool",
+        "owasp:asi02",
+        "mitre:t1059",
+        "step-up"
+      ]
+    },
     {
       "id": "privacy.defaults",
       "name": "PII Detection",

package/dist/privilege-catalog.gen.d.ts

@@ -0,0 +1,17 @@
+export declare const PRIVILEGE_CATALOG_VERSION = "2026-06-08";
+/** Every role in the catalog, in declaration order. */
+export declare const PRIVILEGE_CATALOG_ROLES: readonly string[];
+/** Every product the catalog applies to, in declaration order. */
+export declare const PRIVILEGE_CATALOG_PRODUCTS: readonly string[];
+/**
+* Capabilities granted to `role` for `product`, as a fresh sorted
+* `"<product>:<action>"[]`. Returns `[]` for an unknown role or product
+* (least privilege). The returned array is a copy; callers may mutate it.
+*/
+export declare function privilegeScopeForProduct(role: string, product: string): string[];
+/**
+* Capabilities granted to `role` across every catalog product, as a fresh
+* sorted+deduped `"<product>:<action>"[]`. Returns `[]` for an unknown
+* role (least privilege). The returned array is a copy.
+*/
+export declare function privilegeScopeForRole(role: string): string[];

package/dist/privilege-catalog.gen.js

@@ -0,0 +1,97 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/privilege_catalog.json
+//
+// Role -> capability privilege catalog. Maps each RBAC role to the
+// namespaced "<product>:<action>" capabilities it is provisioned to
+// drive. privilege_scope is minted into the trusted-service JWT and
+// checked by role-conditioned Cedar policies. Grants are validated
+// against each product's Cedar action schema at codegen time.
+// See adrs/0006-privilege-scope-catalog.md.
+export const PRIVILEGE_CATALOG_VERSION = '2026-06-08';
+/** Every role in the catalog, in declaration order. */
+export const PRIVILEGE_CATALOG_ROLES = [
+    'auditor',
+    'viewer',
+    'support',
+    'member',
+    'admin',
+    'partner-admin',
+    'super-admin',
+];
+/** Every product the catalog applies to, in declaration order. */
+export const PRIVILEGE_CATALOG_PRODUCTS = [
+    'guardrails',
+    'overwatch',
+    'ai_gateway',
+];
+// Role -> product -> sorted namespaced capabilities for that exact
+// (role, product). Read via privilegeScopeForProduct.
+const PRIVILEGE_SCOPE_BY_ROLE_PRODUCT = {
+    'auditor': {
+        'guardrails': ['guardrails:read_file'],
+        'overwatch': ['overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:read_file'],
+    },
+    'viewer': {
+        'guardrails': ['guardrails:process_prompt', 'guardrails:read_file'],
+        'overwatch': ['overwatch:process_prompt', 'overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:process_prompt', 'ai_gateway:read_file'],
+    },
+    'support': {
+        'guardrails': ['guardrails:process_prompt', 'guardrails:read_file'],
+        'overwatch': ['overwatch:process_prompt', 'overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:process_prompt', 'ai_gateway:read_file'],
+    },
+    'member': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file'],
+    },
+    'admin': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file'],
+    },
+    'partner-admin': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file'],
+    },
+    'super-admin': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file'],
+    },
+};
+// Role -> sorted+deduped union of namespaced capabilities across every
+// catalog product. Read via privilegeScopeForRole.
+const PRIVILEGE_SCOPE_BY_ROLE = {
+    'auditor': ['ai_gateway:read_file', 'guardrails:read_file', 'overwatch:read_file'],
+    'viewer': ['ai_gateway:process_prompt', 'ai_gateway:read_file', 'guardrails:process_prompt', 'guardrails:read_file', 'overwatch:process_prompt', 'overwatch:read_file'],
+    'support': ['ai_gateway:process_prompt', 'ai_gateway:read_file', 'guardrails:process_prompt', 'guardrails:read_file', 'overwatch:process_prompt', 'overwatch:read_file'],
+    'member': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file'],
+    'admin': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+    'partner-admin': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+    'super-admin': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+};
+/**
+* Capabilities granted to `role` for `product`, as a fresh sorted
+* `"<product>:<action>"[]`. Returns `[]` for an unknown role or product
+* (least privilege). The returned array is a copy; callers may mutate it.
+*/
+export function privilegeScopeForProduct(role, product) {
+    const byProduct = PRIVILEGE_SCOPE_BY_ROLE_PRODUCT[role];
+    if (!byProduct)
+        return [];
+    const caps = byProduct[product];
+    return caps ? [...caps] : [];
+}
+/**
+* Capabilities granted to `role` across every catalog product, as a fresh
+* sorted+deduped `"<product>:<action>"[]`. Returns `[]` for an unknown
+* role (least privilege). The returned array is a copy.
+*/
+export function privilegeScopeForRole(role) {
+    const caps = PRIVILEGE_SCOPE_BY_ROLE[role];
+    return caps ? [...caps] : [];
+}

package/dist/types.d.ts

@@ -5,6 +5,7 @@ export * from './schema.gen.js';
 export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
 export * from './aarm-annotation.js';
+export * from './privilege-catalog.gen.js';
 export * from './builder.js';
 export * from './errors.js';
 export * from './annotations.js';

package/dist/types.js

@@ -18,6 +18,9 @@ export * from './aarm-annotations.gen.js';
 // AARM annotation parser/validator (browser-safe — typed parse + fail-closed
 // validation; Studio lints with the exact rules Shield runs at sync time).
 export * from './aarm-annotation.js';
+// Role -> capability privilege catalog (browser-safe — Studio surfaces
+// the default scope per role; checked by role-conditioned Cedar policies).
+export * from './privilege-catalog.gen.js';
 // PolicyBuilder - works in browser (no WASM dependency)
 export * from './builder.js';
 // Error types - works in browser (no WASM dependency)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.1.42",
+  "version": "2.1.44",
   "engines": {
     "node": ">=18"
   },