Documentation · Policy Pack

BeProof Policy Pack v1.2.2

A versioned set of AI governance rules used by BeProof to evaluate declared tools, granted access, observed usage, MCP risk, audit completeness, privacy consent, and evidence trust.

Version 1.2.2Contract v0.1.12macOS guide

What This Pack Decides

Policy Pack v1.2.2 defines whether each rule is Active, Approved, Exception, Passed, or N/A for a specific audit. It is not the app version; it is the version of the rule catalog used to interpret the evidence in a report.

Declared

Configured agent surfaces, instruction files, MCP config, project roots, and install signals.

Granted

Credential references, keychain consent, cloud grants, OAuth/GitHub scopes, and grant edges.

Observed

Local/cloud usage events, runtime signals, observed undeclared activity, and correlations.

MCP Risk

Local command execution, network access, environment credentials, and first-seen server review.

Audit Quality

Coverage gaps, audit freshness, exportability, evidence integrity, and trust controls.

Outcome Statuses

StatusMeaning
ActiveRequires action: remediation, policy decision, or documented exception.
ApprovedVisible and allowed by policy allowlist with a review reference.
ExceptionTemporarily accepted by a time-bounded exception.
PassedEvaluated successfully for the current dataset.
N/ANot applicable to the current dataset, audit mode, or unavailable connector context.

Baseline Rules

The baseline 20 rules are the core macOS audit checks. Missing required data must surface as a coverage gap or N/A decision, not as a silent pass.

RulePolicyLayerSeveritySignalStateNotes
POL-D01Every endpoint with AI tools must have a declared surface inventory scopeDeclaredMedium`surfacesCount`, `AgentInventorySnapshot`, `scan_scope` gapsAuto-evaluableMissing or unreadable scope is a coverage gap, not a clean pass.
POL-D02Active Codex automations must appear in inventoryDeclaredHigh`SurfaceKind.codexAutomation` + `AgentOperationalStatus.active`Auto-evaluableConfirms active automations are inventoried.
POL-D03Agent surfaces in vendor/build paths require exceptionDeclaredMediumPaths under `.build/`, `DerivedData`, `node_modules`, `SourcePackages/checkouts`Auto-evaluableUse allowlist or move config into project source.
POL-D04MCP config must live under an approved project rootDeclaredHigh`SurfaceKind.mcpConfig`, finding evidence refsConditionalEvaluates when approved scan roots are configured.
POL-G01AI provider credentials must be inventory-visible for reviewGrantedMedium`CredentialRef.provider` for OpenAI, Anthropic, CursorAuto-evaluableMetadata only; raw secrets are not stored.
POL-G02Keychain scan only with explicit user consentGrantedLow`CoverageGap(keychain_metadata)`, `ConsentRecord` ledgerAuto-evaluableConsent is persisted in `.beproof/consent-records.json`.
POL-G03Cloud grants enumerated for org AI accounts where applicableGrantedMedium`cloudGrantsCount`, `CloudGrant.provider`Auto-evaluableN/A or explicit coverage gap when org tokens are absent.
POL-G04Duplicate credential refs require justificationGrantedLowMultiple `CredentialRef` entries per providerPartialRule engine flags duplicates; review expected duplication patterns.
POL-O01Declared automations should have observed usage or an explicit gapObservedMedium`ObservedUsageSignal.unusedConfigured`, `.noUsageData`Auto-evaluableHelps separate configured-but-unused from missing telemetry.
POL-O02Audit incomplete if declared data exists but no usage layerObservedHigh`usageEventsCount == 0` with declared surfacesAuto-evaluablePrevents false clean results without observed evidence.
POL-O03Org with cloud AI contracts should load cloud usageObservedMedium`cloudUsageCount == 0` when tokens are availableAuto-evaluableN/A or explicit coverage gap when connector context is missing.
POL-O04Local and cloud usage should be correlated when both existObservedLow`correlationsCount`, min confidence policyAuto-evaluableUses allowlist correlation threshold, default 0.65.
POL-O05Paused automation with recent runs requires reviewObservedMedium`operationalStatus == paused` + observed runsPartialRequires human decision when paused automations still have run history.
POL-F01No unapproved MCP local command executionMCP RiskCriticalFinding `category: mcp_local_command`Auto-evaluableReview shell/npx execution and approved server list.
POL-F02No unapproved MCP network endpointsMCP RiskHighFinding `category: mcp_network_access`Auto-evaluableConfirm endpoint/domain approval.
POL-F03MCP environment credentials require reviewMCP RiskMediumFinding `category: mcp_env_credentials`Auto-evaluableVerify least privilege and non-committed credential handling.
POL-F04Open MCP finding older than 30 days escalatesMCP RiskMedium`Finding.status == open`, `createdAt`Auto-evaluableResolve, approve, or time-bound exception.
POL-M01No coverage gaps before treating audit as completeAudit QualityHigh`coverageGapsCount > 0`Auto-evaluableNo silent pass: missing evidence blocks audit completeness.
POL-M02Full audit run at least every N daysAudit QualityLow`AuditRunRecord.finishedAt`Auto-evaluableKeeps audit history fresh enough for review.
POL-M03Audit evidence exportable for GRC / sharingAudit QualityLow`AuditReportDocument` JSON/MarkdownAuto-evaluableEnsures evidence can leave the endpoint in reviewable form.

POL-X Extension Controls

POL-X controls track shipped and target-state capabilities beyond the baseline 20 rules. Audit-trust controls POL-X11 and POL-X12 are shipped on macOS. POL-X13 release trust is shipped in the public release pipeline; enterprise release controls remain partial — see Trust Center.

RuleControlLayerStateNotes
POL-X01Installed agent inventory must include package-manager and extension ecosystemsDeclaredSupportedHomebrew Cellar, npm/pnpm global prefixes, VS Code/Cursor/Windsurf extension metadata.
POL-X02Managed settings and policy overlays must be visible in endpoint inventoryDeclaredSupportedManagedSettingsScanner (Claude managed-settings, org overlay, MDM plist metadata); auto managed mode; export section.
POL-X03Cloud agent declarations must be represented in declared inventoryDeclaredShippedCloud declarations and Local vs Cloud reconciliation are available.
POL-X04OAuth/GitHub App scopes and permissions must be reviewable as grant edgesGrantedShippedGrantEdge storage + GrantScopeTemplateSettings: org overlay templates in managed mode, policy-allowlist in personal mode; POL-X04 fail-closed when granted layer required without templates.
POL-X05Personal-account usage inside managed/work contexts must be flaggedGranted/ObservedShippedProviderAccountAttributor classifies OpenAI, Anthropic, Cursor, and GitHub; cloud usage carries accountType/workspaceId; managed POL-X05 and Review Queue personal_account_usage.
POL-X06Observed usage without declared surface must trigger policy reviewObservedShippedUnlinked local usage becomes a policy violation.
POL-X07Managed mode requires runtime telemetry minimum coverageObservedShippedManaged mode enforces runtime telemetry minimum in policy evaluation.
POL-X08Correlations below confidence threshold must not clear policy checksObservedShippedPOL-O04 uses configured correlation minimum confidence.
POL-X09Unknown MCP server first-seen events require review/approval pathMCP RiskShippedBaseline, review queue, expiring exceptions, and policy linkage are available.
POL-X10Plaintext/cached auth-state risk in agent stores must be reviewableMCP/AccessShipped`env_file` and `mcp_env` credential refs produce reviewable violations.
POL-X11Exports must include signed integrity manifestAudit TrustShippedEd25519 signing (`ed25519-v1`) with Keychain-bound endpoint key; `verify-export-manifest` verifies artifact SHA256, manifest hash, and signature. Legacy `sha256-only` manifests verify artifact hash only.
POL-X12Local evidence store must provide tamper-evident journal guaranteesAudit TrustShippedAppend-only hash-chain journal with `verify-journal`; journal payloads encrypted at rest (AES-256-GCM, Keychain-bound key). Inventory tables are metadata-only but not encrypted in the current release.
POL-X13Release artifacts must be attributable via provenance and SBOMAudit TrustPartialPublic release pipeline (shipped): signed/notarized macOS DMG + CLI, published checksum, SPDX SBOM, provenance JSON, CI verify-install gate, Sparkle appcast (disabled in managed mode). Enterprise release controls (partial): fleet-wide verify-install attestation, tenant-private artifact mirror, org-enforced release version policy, automated MDM promotion workflow.
POL-X14Sensitive-source consent and retention policy must be machine-verifiablePrivacyShippedConsent ledger, POL-G02 evaluation, and export consent section are available.

Evidence Mapping

Rule outcomes are explainable because each violation links back to inventory, access, usage, finding, coverage, or audit-run records.

EntityKey fields
Finding`id`, `severity`, `category`, `agentId`, `status`, `summary`, `evidenceRefs`, `createdAt`
CoverageGap`area`, `reason`, `source`, `createdAt`
AgentSurface`path`, `kind`, `lastModified`
CredentialRef`provider`, `storageType`, `locator`, `fingerprint`, `source`
CloudAgentSurface`provider`, `accountType`, `workspaceId`, `kind`, `coverageStatus`, `grantEdges`
UsageEvent`source`, `provider`, `agentId`, `eventType`, `count`, `timestamp`, `accountType`, `workspaceId`
ReviewQueueItem`kind` (includes `personal_account_usage` for POL-X05), `ruleId`, `subjectId`, `severity`, `status`
RuntimeSignal`source`, `vendor`, `agentSurfaceId`, `timestamp`, `confidence`, `privacyClass`, `consentRecordId`
CorrelationEdge`leftEventId`, `rightEventId`, `confidence`, `reason`
AuditRunRecord`runId`, `mode`, `scanRoot`, `startedAt`, `finishedAt`, policy summary counts

Version Notes

  • Policy Pack v1.2.2 is aligned with contract v0.1.12.
  • Baseline rules cover Declared, Granted, Observed, MCP Risk, and Audit Quality layers.
  • POL-X11 and POL-X12 audit-trust controls are shipped on macOS. POL-X13 public release pipeline (signed/notarized DMG, SBOM, provenance, verify-install) is shipped; enterprise release controls remain partial.
  • Full source documentation lives in docs/POLICY_PACK_v1.md in the BeProof repository.