awguard 1.4.0 → 1.6.0

package/src/config.js

@@ -33,7 +33,8 @@ export function normalizeConfig(rawConfig = {}, source = 'config') {
 
   return {
     rules: normalizeRules(mergedConfig.rules || {}, source),
-    suppressions: normalizeSuppressions(mergedConfig.suppressions || {}, source)
+    suppressions: normalizeSuppressions(mergedConfig.suppressions || {}, source),
+    policy: normalizePolicy(mergedConfig.policy || {}, source)
   };
 }
 
@@ -51,7 +52,8 @@ function mergePresetConfigs(rawConfig, source) {
 
   return mergeConfigObjects(merged, {
     rules: rawConfig.rules || {},
-    suppressions: rawConfig.suppressions || {}
+    suppressions: rawConfig.suppressions || {},
+    policy: rawConfig.policy || {}
   });
 }
 
@@ -64,6 +66,10 @@ function mergeConfigObjects(base, override) {
     suppressions: {
       ...(base.suppressions || {}),
       ...(override.suppressions || {})
+    },
+    policy: {
+      ...(base.policy || {}),
+      ...(override.policy || {})
     }
   };
 }
@@ -149,6 +155,27 @@ function normalizeSuppressions(suppressions, source) {
   };
 }
 
+function normalizePolicy(policy, source) {
+  if (!isObject(policy)) {
+    throw new Error(`${source} policy must be an object`);
+  }
+
+  return {
+    approvedFiles: normalizeStringArray(policy.approvedFiles || [], `${source} policy.approvedFiles`),
+    approvedMcpServers: normalizeStringArray(policy.approvedMcpServers || [], `${source} policy.approvedMcpServers`),
+    approvedMcpPackages: normalizeStringArray(policy.approvedMcpPackages || [], `${source} policy.approvedMcpPackages`),
+    approvedMcpCommands: normalizeStringArray(policy.approvedMcpCommands || [], `${source} policy.approvedMcpCommands`)
+  };
+}
+
+function normalizeStringArray(value, source) {
+  if (!Array.isArray(value)) {
+    throw new Error(`${source} must be an array`);
+  }
+
+  return value.map((item) => String(item));
+}
+
 function ensureKnownRule(ruleId, source) {
   if (!ruleCatalog[ruleId]) {
     throw new Error(`${source} references unknown rule id: ${ruleId}`);

package/src/graph.js

@@ -14,7 +14,8 @@ const impactByRule = {
   AWG011: 'Suppression policy can hide real risk',
   AWG012: 'Persistent agent instructions can weaken CI guardrails',
   AWG013: 'Mutable MCP tool server can change agent capabilities',
-  AWG014: 'Committed MCP credential can expose external tools or data'
+  AWG014: 'Committed MCP credential can expose external tools or data',
+  AWG015: 'Unapproved agentic surface can drift outside policy'
 };
 
 export function buildAttackGraphs(result) {
@@ -218,6 +219,7 @@ function inferSource(finding) {
   if (finding.ruleId === 'AWG012') return 'persistent agent instruction file';
   if (finding.ruleId === 'AWG013') return 'project-scoped MCP server config';
   if (finding.ruleId === 'AWG014') return 'committed MCP credential material';
+  if (finding.ruleId === 'AWG015') return 'repository policy';
   return 'workflow configuration';
 }
 
@@ -228,6 +230,7 @@ function inferBoundary(finding) {
   if (finding.ruleId === 'AWG007') return 'command execution sink';
   if (finding.ruleId === 'AWG012') return 'agent instruction context';
   if (finding.ruleId === 'AWG013' || finding.ruleId === 'AWG014') return 'MCP tool boundary';
+  if (finding.ruleId === 'AWG015') return 'policy allowlist boundary';
   return 'workflow execution';
 }
 
@@ -238,6 +241,7 @@ function inferCapability(finding) {
   if (finding.ruleId === 'AWG012') return 'persistent prompt steering';
   if (finding.ruleId === 'AWG013') return 'MCP server startup';
   if (finding.ruleId === 'AWG014') return 'credentialed MCP tool access';
+  if (finding.ruleId === 'AWG015') return 'agentic surface drift';
   return 'CI runner and agent tools';
 }
 
@@ -248,6 +252,7 @@ function inferAuthority(finding) {
   if (finding.ruleId === 'AWG012') return 'agent policy context';
   if (finding.ruleId === 'AWG013') return 'developer machine or CI tool process';
   if (finding.ruleId === 'AWG014') return 'MCP server secrets';
+  if (finding.ruleId === 'AWG015') return 'repository policy approval';
   return 'workflow permissions';
 }
 

package/src/init.js

@@ -0,0 +1,81 @@
+export function renderInitGuide({ actionRef = 'v0' } = {}) {
+  return [
+    '# Agentic Workflow Guard Setup',
+    '',
+    'Create `.github/workflows/awguard.yml`:',
+    '',
+    '```yaml',
+    `name: Agentic Workflow Guard`,
+    '',
+    'on:',
+    '  pull_request:',
+    '  workflow_dispatch:',
+    '  schedule:',
+    "    - cron: '17 4 * * 1'",
+    '',
+    'permissions:',
+    '  contents: read',
+    '  security-events: write',
+    '',
+    'jobs:',
+    '  scan:',
+    '    runs-on: ubuntu-latest',
+    '    steps:',
+    '      - uses: actions/checkout@v4',
+    `      - uses: Mughal-Baig/agentic-workflow-guard@${actionRef}`,
+    '        with:',
+    '          preset: strict',
+    '          format: sarif',
+    '          output: awguard.sarif',
+    '          fail-on: high',
+    '      - uses: github/codeql-action/upload-sarif@v4',
+    '        if: always()',
+    '        with:',
+    '          sarif_file: awguard.sarif',
+    '          category: agentic-workflow-guard',
+    '```',
+    '',
+    'Create `awguard.config.json`:',
+    '',
+    '```json',
+    JSON.stringify(
+      {
+        extends: ['strict'],
+        policy: {
+          approvedFiles: ['AGENTS.md', '.github/workflows/*'],
+          approvedMcpServers: [],
+          approvedMcpPackages: [],
+          approvedMcpCommands: ['npx', 'node', 'uvx', 'docker']
+        },
+        suppressions: {
+          minimumReasonLength: 20
+        }
+      },
+      null,
+      2
+    ),
+    '```',
+    '',
+    'Adopt without breaking existing CI:',
+    '',
+    '```bash',
+    'npx awguard@latest . --write-baseline awguard.baseline.json --fail-on none',
+    'npx awguard@latest . --baseline awguard.baseline.json --fail-on high',
+    '```',
+    '',
+    'Generate useful reports:',
+    '',
+    '```bash',
+    'npx awguard@latest . --format inventory',
+    'npx awguard@latest . --format inventory-json --output awguard-inventory.json',
+    'npx awguard@latest . --format score',
+    'npx awguard@latest . --format badge --output docs/awguard-badge.json',
+    '```',
+    '',
+    'README badge:',
+    '',
+    '```markdown',
+    '[![AWI risk](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/OWNER/REPO/main/docs/awguard-badge.json)](docs/awguard-badge.json)',
+    '```'
+  ].join('\n');
+}

package/src/inventory.js

@@ -0,0 +1,159 @@
+import path from 'node:path';
+import { classifyScanFile, severityRank } from './scanner.js';
+
+const surfaceLabels = {
+  'github-workflow': 'GitHub Actions workflows',
+  'agent-context': 'Agent context files',
+  'mcp-config': 'MCP configs',
+  other: 'Other scanned files'
+};
+
+const surfaceOrder = ['github-workflow', 'agent-context', 'mcp-config', 'other'];
+
+export function buildInventory(result) {
+  const fileRows = result.scannedFiles.map((file) => {
+    const relativeFile = path.relative(result.root, file) || file;
+    const surface = classifyScanFile(file, result.root);
+    const findings = result.findings.filter((finding) => finding.file === relativeFile);
+
+    return {
+      file: relativeFile,
+      surface,
+      label: surfaceLabels[surface] || surfaceLabels.other,
+      findings: findings.length,
+      highest: highestSeverity(findings),
+      rules: [...new Set(findings.map((finding) => finding.ruleId))]
+    };
+  });
+
+  const surfaces = surfaceOrder
+    .map((surface) => {
+      const files = fileRows.filter((file) => file.surface === surface);
+      const findings = result.findings.filter((finding) => files.some((file) => file.file === finding.file));
+
+      return {
+        surface,
+        label: surfaceLabels[surface],
+        files: files.length,
+        findings: findings.length,
+        highest: highestSeverity(findings),
+        rules: [...new Set(findings.map((finding) => finding.ruleId))]
+      };
+    })
+    .filter((surface) => surface.files > 0);
+
+  return {
+    summary: {
+      scannedFiles: result.scannedFiles.length,
+      surfaces: surfaces.length,
+      findings: result.findings.length,
+      highest: result.summary.highest
+    },
+    surfaces,
+    files: fileRows,
+    recommendations: recommendationsFor(surfaces, result.findings)
+  };
+}
+
+export function renderInventory(result) {
+  const inventory = buildInventory(result);
+  const lines = [
+    '# Agentic Surface Inventory',
+    '',
+    `Scanned files: **${inventory.summary.scannedFiles}**`,
+    `Agentic surfaces: **${inventory.summary.surfaces}**`,
+    `Findings: **${inventory.summary.findings}**`,
+    `Highest severity: **${inventory.summary.highest}**`,
+    '',
+    '## Surface Summary',
+    '',
+    '| Surface | Files | Findings | Highest | Rules |',
+    '| --- | ---: | ---: | --- | --- |'
+  ];
+
+  if (inventory.surfaces.length === 0) {
+    lines.push('| None found | 0 | 0 | none |  |');
+  } else {
+    for (const surface of inventory.surfaces) {
+      lines.push(
+        `| ${surface.label} | ${surface.files} | ${surface.findings} | ${surface.highest} | ${
+          surface.rules.length > 0 ? surface.rules.join(', ') : ''
+        } |`
+      );
+    }
+  }
+
+  lines.push('', '## Files', '', '| Surface | File | Findings | Highest | Rules |', '| --- | --- | ---: | --- | --- |');
+
+  if (inventory.files.length === 0) {
+    lines.push('| None found |  | 0 | none |  |');
+  } else {
+    for (const file of inventory.files) {
+      lines.push(
+        `| ${file.label} | \`${escapeMarkdown(file.file)}\` | ${file.findings} | ${file.highest} | ${
+          file.rules.length > 0 ? file.rules.join(', ') : ''
+        } |`
+      );
+    }
+  }
+
+  lines.push('', '## Recommended Next Steps', '');
+  for (const recommendation of inventory.recommendations) {
+    lines.push(`- ${recommendation}`);
+  }
+
+  return lines.join('\n');
+}
+
+export function renderInventoryJson(result) {
+  return JSON.stringify(
+    {
+      root: result.root,
+      ...buildInventory(result)
+    },
+    null,
+    2
+  );
+}
+
+function recommendationsFor(surfaces, findings) {
+  const surfaceNames = new Set(surfaces.map((surface) => surface.surface));
+  const rules = new Set(findings.map((finding) => finding.ruleId));
+  const recommendations = [];
+
+  if (rules.has('AWG014')) {
+    recommendations.push('Remove and rotate committed MCP credentials before widening agent access.');
+  }
+
+  if (rules.has('AWG013')) {
+    recommendations.push('Pin MCP server packages, container images, and startup commands before enabling repository-scoped tools.');
+  }
+
+  if (rules.has('AWG012')) {
+    recommendations.push('Review persistent agent context files before relying on workflow permission boundaries.');
+  }
+
+  if (!surfaceNames.has('agent-context')) {
+    recommendations.push('Add an explicit `AGENTS.md` or `.github/copilot-instructions.md` with conservative safety rules before introducing agents.');
+  }
+
+  if (!surfaceNames.has('mcp-config')) {
+    recommendations.push('Keep MCP configs absent until there is a reviewed tool allowlist and credential handling plan.');
+  }
+
+  if (recommendations.length === 0) {
+    recommendations.push('Keep this inventory in CI so new agent surfaces are visible during review.');
+  }
+
+  return recommendations;
+}
+
+function highestSeverity(findings) {
+  return findings.reduce((current, finding) => {
+    return severityRank[finding.severity] > severityRank[current] ? finding.severity : current;
+  }, 'none');
+}
+
+function escapeMarkdown(value) {
+  return String(value).replaceAll('|', '\\|');
+}

package/src/migration.js

@@ -63,6 +63,11 @@ const ruleActions = {
     'Remove committed MCP tokens, API keys, passwords, and auth headers.',
     'Use prompted inputs, environment variables, or managed secrets for MCP credentials.',
     'Rotate credentials that were present in repository history.'
+  ],
+  AWG015: [
+    'Review the unapproved agentic surface and decide whether it belongs in the repository.',
+    'Add approved files, MCP servers, packages, and commands to policy allowlists.',
+    'Fail CI on policy drift so new agent surfaces are visible in review.'
   ]
 };
 
@@ -180,6 +185,7 @@ function riskShapeFor(findings) {
   if (rules.has('AWG012')) pieces.push('persistent agent instructions weaken review or permission boundaries');
   if (rules.has('AWG013')) pieces.push('project MCP config can change agent tool capabilities through mutable startup');
   if (rules.has('AWG014')) pieces.push('project MCP config contains committed credentials');
+  if (rules.has('AWG015')) pieces.push('agentic surface is outside the repository policy');
 
   return pieces.length > 0 ? pieces.join('; ') : 'workflow hardening issue';
 }
@@ -230,6 +236,10 @@ function allowedOperationsFor(findings) {
     operations.add('MCP credentials supplied by prompt input, environment variable, or secret manager only');
   }
 
+  if (rules.has('AWG015')) {
+    operations.add('policy approval only after reviewing the workflow, agent context, MCP server, package, and command');
+  }
+
   operations.add('noop or missing-data report when validation fails');
   return [...operations];
 }

package/src/presets.js

@@ -8,7 +8,8 @@ export const presetCatalog = {
       AWG006: 'critical',
       AWG008: 'high',
       AWG010: 'medium',
-      AWG013: 'critical'
+      AWG013: 'critical',
+      AWG015: 'high'
     },
     suppressions: {
       minimumReasonLength: 25

package/src/remediation.js

@@ -68,6 +68,11 @@ const fixCatalog = {
     'Move MCP credentials into prompt inputs, environment variables, or a managed secret store.',
     'Use placeholders such as ${input:token} or ${TOKEN} instead of committed literal values.',
     'Rotate any token, API key, password, or auth header that was committed.'
+  ],
+  AWG015: [
+    'Review the new agentic surface before approving it in policy.',
+    'Add reviewed files to policy.approvedFiles and reviewed MCP tools to the MCP policy allowlists.',
+    'Remove or quarantine unapproved workflows, agent instructions, prompts, skills, and MCP configs.'
   ]
 };
 
@@ -181,5 +186,19 @@ run: |
     };
   }
 
+  if (finding.ruleId === 'AWG015') {
+    return {
+      language: 'json',
+      text: `{
+  "policy": {
+    "approvedFiles": ["AGENTS.md", ".github/workflows/*", ".github/agents/*"],
+    "approvedMcpServers": ["github"],
+    "approvedMcpPackages": ["@modelcontextprotocol/server-github@1.2.3"],
+    "approvedMcpCommands": ["npx", "node"]
+  }
+}`
+    };
+  }
+
   return null;
 }

package/src/reporters.js

@@ -1,6 +1,7 @@
 import path from 'node:path';
 import { findingFingerprint } from './fingerprints.js';
 import { renderGraphMarkdown, renderHtmlReport } from './graph.js';
+import { renderInventory, renderInventoryJson } from './inventory.js';
 import { renderMigrationPlan } from './migration.js';
 import { renderBadgeJson, renderScorecard } from './score.js';
 import { ruleCatalog } from './scanner.js';
@@ -83,7 +84,7 @@ export function renderSarif(result) {
             driver: {
               name: 'Agentic Workflow Guard',
               informationUri: 'https://github.com/Mughal-Baig/agentic-workflow-guard',
-              semanticVersion: '1.4.0',
+              semanticVersion: '1.6.0',
               rules: Object.entries(ruleCatalog).map(([id, rule]) => ({
                 id,
                 name: id,
@@ -205,6 +206,14 @@ export function renderBadge(result) {
   return renderBadgeJson(result);
 }
 
+export function renderSurfaceInventory(result) {
+  return renderInventory(result);
+}
+
+export function renderSurfaceInventoryJson(result) {
+  return renderInventoryJson(result);
+}
+
 export function renderGithubAnnotations(result) {
   if (result.findings.length === 0) {
     return 'Agentic Workflow Guard: no findings.';

package/src/scanner.js

@@ -175,6 +175,12 @@ export const ruleCatalog = {
     severity: 'critical',
     suggestion:
       'Move MCP credentials into input prompts, environment variables, or a secret manager. Do not commit bearer tokens, API keys, passwords, or auth headers in MCP config files.'
+  },
+  AWG015: {
+    title: 'Agentic surface is not approved by policy',
+    severity: 'medium',
+    suggestion:
+      'Add the workflow, agent context file, MCP config, MCP server, package, or command to the policy allowlist only after review. Otherwise remove or harden it.'
   }
 };
 
@@ -306,15 +312,24 @@ export function scanMcpConfigText(text, file = '.mcp.json', root = process.cwd()
   return context.findings;
 }
 
+export function classifyScanFile(file, root = process.cwd()) {
+  if (isMcpConfigFile(file, root)) return 'mcp-config';
+  if (isAgentInstructionFile(file, root)) return 'agent-context';
+  if (workflowExtensions.has(path.extname(file))) return 'github-workflow';
+  return 'other';
+}
+
 function scanFile(file, root, config) {
   const text = fs.readFileSync(file, 'utf8');
+  let findings;
   if (isAgentInstructionFile(file, root)) {
-    return scanAgentInstructionText(text, file, root, config);
-  }
-  if (isMcpConfigFile(file, root)) {
-    return scanMcpConfigText(text, file, root, config);
+    findings = scanAgentInstructionText(text, file, root, config);
+  } else if (isMcpConfigFile(file, root)) {
+    findings = scanMcpConfigText(text, file, root, config);
+  } else {
+    findings = scanWorkflowText(text, file, root, config);
   }
-  return scanWorkflowText(text, file, root, config);
+  return [...findings, ...detectFilePolicy(file, root, config)];
 }
 
 function discoverScanFiles(root) {
@@ -546,6 +561,7 @@ function detectMcpConfigRisks(context, config) {
   for (const server of servers) {
     detectMutableMcpServer(context, server);
     detectMcpSecretMaterial(context, server);
+    detectMcpPolicy(context, server);
   }
 }
 
@@ -603,6 +619,71 @@ function detectMcpSecretMaterial(context, server) {
   }
 }
 
+function detectMcpPolicy(context, server) {
+  const policy = context.config.policy || {};
+  const command = normalizeCommand(stringValue(server.config.command));
+  const args = arrayOfStrings(server.config.args);
+  const packageSpec = findMcpPackageSpec(command, args);
+
+  if (policy.approvedMcpServers?.length > 0 && !policy.approvedMcpServers.includes(server.name)) {
+    addFinding(context, 'AWG015', locateMcpLine(context, server, server.name), {
+      evidence: `MCP server "${server.name}"`,
+      message: `MCP server "${server.name}" is not listed in policy.approvedMcpServers.`
+    });
+  }
+
+  if (policy.approvedMcpCommands?.length > 0 && command && !policy.approvedMcpCommands.includes(command)) {
+    addFinding(context, 'AWG015', locateMcpLine(context, server, command), {
+      evidence: `MCP server "${server.name}" command: ${command}`,
+      message: `MCP server "${server.name}" uses a command not listed in policy.approvedMcpCommands.`
+    });
+  }
+
+  if (policy.approvedMcpPackages?.length > 0 && packageSpec && !policy.approvedMcpPackages.includes(packageSpec)) {
+    addFinding(context, 'AWG015', locateMcpLine(context, server, packageSpec), {
+      evidence: `MCP server "${server.name}" package: ${packageSpec}`,
+      message: `MCP server "${server.name}" uses a package not listed in policy.approvedMcpPackages.`
+    });
+  }
+}
+
+function detectFilePolicy(file, root, config) {
+  const policy = config.policy || {};
+  if (!policy.approvedFiles || policy.approvedFiles.length === 0) return [];
+
+  const relativeFile = path.relative(root, file).split(path.sep).join('/') || path.basename(file);
+  if (matchesAnyPolicyPattern(relativeFile, policy.approvedFiles)) return [];
+
+  const context = createPolicyContext(file, root, config);
+  addFinding(context, 'AWG015', 1, {
+    evidence: relativeFile,
+    message: `${relativeFile} is an agentic surface that is not listed in policy.approvedFiles.`
+  });
+  return context.findings;
+}
+
+function createPolicyContext(file, root, config) {
+  return {
+    file,
+    relativeFile: path.isAbsolute(file) ? path.relative(root, file) || path.basename(file) : file,
+    lines: [],
+    runBlocks: new Set(),
+    triggers: new Set(),
+    hasAgent: true,
+    hasPromptBoundary: true,
+    hasUntrustedTrigger: false,
+    hasPermissionBlock: false,
+    hasBroadPermission: false,
+    hasSecret: false,
+    config,
+    suppressions: new Map(),
+    invalidSuppressions: [],
+    suppressedFindings: [],
+    findings: [],
+    seen: new Set()
+  };
+}
+
 function addFinding(context, ruleId, line, overrides = {}) {
   const docs = ruleCatalog[ruleId];
   const ruleConfig = context.config.rules?.[ruleId];
@@ -831,6 +912,21 @@ function discoverAgentInstructionFiles(root) {
     files.push(...walk(githubInstructionsDir).filter((file) => file.endsWith('.instructions.md')));
   }
 
+  const githubAgentsDir = path.join(root, '.github', 'agents');
+  if (fs.existsSync(githubAgentsDir)) {
+    files.push(...walk(githubAgentsDir).filter((file) => file.endsWith('.md')));
+  }
+
+  const githubPromptsDir = path.join(root, '.github', 'prompts');
+  if (fs.existsSync(githubPromptsDir)) {
+    files.push(...walk(githubPromptsDir).filter((file) => file.endsWith('.prompt.md')));
+  }
+
+  const githubSkillsDir = path.join(root, '.github', 'skills');
+  if (fs.existsSync(githubSkillsDir)) {
+    files.push(...walk(githubSkillsDir).filter((file) => path.basename(file).toLowerCase() === 'skill.md'));
+  }
+
   const cursorRulesDir = path.join(root, '.cursor', 'rules');
   if (fs.existsSync(cursorRulesDir)) {
     files.push(...walk(cursorRulesDir).filter((file) => ['.md', '.mdc', '.txt'].includes(path.extname(file))));
@@ -859,6 +955,12 @@ function isAgentInstructionFile(file, root) {
     /\/\.github\/copilot-instructions\.md$/i.test(normalizedFile) ||
     /^\.github\/instructions\/.+\.instructions\.md$/i.test(relativeFile) ||
     /\/\.github\/instructions\/.+\.instructions\.md$/i.test(normalizedFile) ||
+    /^\.github\/agents\/.+\.md$/i.test(relativeFile) ||
+    /\/\.github\/agents\/.+\.md$/i.test(normalizedFile) ||
+    /^\.github\/prompts\/.+\.prompt\.md$/i.test(relativeFile) ||
+    /\/\.github\/prompts\/.+\.prompt\.md$/i.test(normalizedFile) ||
+    /^\.github\/skills\/.+\/skill\.md$/i.test(relativeFile) ||
+    /\/\.github\/skills\/.+\/skill\.md$/i.test(normalizedFile) ||
     /^\.cursor\/rules\/.+\.(?:md|mdc|txt)$/i.test(relativeFile) ||
     /\/\.cursor\/rules\/.+\.(?:md|mdc|txt)$/i.test(normalizedFile)
   );
@@ -1179,6 +1281,18 @@ function isPlainObject(value) {
   return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
 
+function matchesAnyPolicyPattern(value, patterns) {
+  return patterns.some((pattern) => wildcardToRegExp(pattern).test(value));
+}
+
+function wildcardToRegExp(pattern) {
+  const escaped = String(pattern)
+    .split('*')
+    .map((part) => escapeRegex(part))
+    .join('.*');
+  return new RegExp(`^${escaped}$`);
+}
+
 function windowAround(lines, index, radius) {
   return lines.slice(Math.max(0, index - radius), Math.min(lines.length, index + radius + 1));
 }

package/src/score.js

@@ -114,6 +114,9 @@ function actionFor(result, counts) {
   }
 
   if (counts.medium > 0) {
+    if (rules.has('AWG015')) {
+      return 'Review policy drift and approve only expected agentic surfaces.';
+    }
     return 'Tighten explicit permissions, artifact boundaries, and suppression policy.';
   }