# Secret Leak Detection Policy Pack
# Sprint: SPRINT_20260104_004_POLICY - Task PSD-010
#
# This policy pack enforces security gates based on secret leak detection findings.
# Uses signals from SecretSignalBinder for policy evaluation.
#
# Available signals:
#   secret.has_finding          - true if any secret finding exists
#   secret.count                - total number of findings
#   secret.severity.critical    - true if any critical finding exists
#   secret.severity.high        - true if any high severity finding exists
#   secret.severity.medium      - true if any medium severity finding exists
#   secret.severity.low         - true if any low severity finding exists
#   secret.confidence.high      - true if any high confidence finding exists
#   secret.confidence.medium    - true if any medium confidence finding exists
#   secret.confidence.low       - true if any low confidence finding exists
#   secret.mask.applied         - true if masking was applied to all findings
#   secret.bundle.version       - the active bundle version string
#   secret.bundle.id            - the active bundle ID

name: secret-detection-gates
version: 1.0.0
description: |
  Security gates for secret leak detection.
  Blocks deployments when critical or high-severity secrets are detected.

rules:
  # Block on any critical severity secret (private keys, service account keys, etc.)
  - id: block-critical-secrets
    description: Block deployment when critical secrets are detected
    severity: critical
    when:
      signal: secret.severity.critical
      equals: true
    deny_message: |
      CRITICAL: Secrets with critical severity detected.
      Review findings and rotate any exposed credentials before proceeding.
      Common causes: Private keys, GCP service account keys, Stripe secret keys.

  # Block on high severity secrets with high confidence (real credentials)
  - id: block-high-confidence-secrets
    description: Block deployment when high-confidence high-severity secrets are detected
    severity: high
    when:
      all:
        - signal: secret.severity.high
          equals: true
        - signal: secret.confidence.high
          equals: true
    deny_message: |
      HIGH: High-confidence secrets detected with high severity.
      These are likely real credentials. Review and remediate before deployment.

  # Warn on medium severity secrets (potential API keys, passwords)
  - id: warn-medium-secrets
    description: Warn when medium-severity secrets are detected
    severity: medium
    when:
      signal: secret.severity.medium
      equals: true
    warn_message: |
      WARNING: Medium-severity secrets detected.
      Review findings to confirm they are not false positives.
      Consider adding legitimate patterns to the exception list.

  # Warn when any secrets are found (informational)
  - id: info-any-secrets
    description: Log when any secrets are detected
    severity: low
    when:
      signal: secret.has_finding
      equals: true
    info_message: |
      Secret detection found {{secret.count}} potential secret(s).
      Review the findings in the scan results.

  # Ensure masking is applied before allowing export
  - id: require-masking
    description: Block export if masking was not applied
    severity: high
    context: export
    when:
      signal: secret.mask.applied
      equals: false
    deny_message: |
      BLOCKED: Secrets must be masked before export.
      Ensure revelation policy is not set to FullReveal for exports.
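The following is an added worked example, not part of the policy pack and not the project's own policy engine or SecretSignalBinder. It is a hypothetical minimal evaluator that shows how the rule shapes used above (`when: {signal, equals}`, `when: {all: [...]}`, a `context:` restriction, and the `{{secret.count}}` template) combine over a bound set of signals. The rules are transcribed from the pack as Python data (messages shortened to their first line); the signal sets are constructed, and the bundle version and ID are placeholders. One design choice of the example, not stated by the pack: a rule that references a signal the binder never produced raises an error instead of silently passing the gate, so a missing `secret.mask.applied` cannot fail open.

```python
"""Hypothetical evaluator for the secret-detection-gates rules (example code)."""
import re
from typing import Any, Dict, List

Signals = Dict[str, Any]

# Transcription of the pack's rules; ids, conditions and contexts match the YAML.
RULES: List[dict] = [
    {"id": "block-critical-secrets", "severity": "critical",
     "when": {"signal": "secret.severity.critical", "equals": True},
     "deny_message": "CRITICAL: Secrets with critical severity detected."},
    {"id": "block-high-confidence-secrets", "severity": "high",
     "when": {"all": [{"signal": "secret.severity.high", "equals": True},
                      {"signal": "secret.confidence.high", "equals": True}]},
     "deny_message": "HIGH: High-confidence secrets detected with high severity."},
    {"id": "warn-medium-secrets", "severity": "medium",
     "when": {"signal": "secret.severity.medium", "equals": True},
     "warn_message": "WARNING: Medium-severity secrets detected."},
    {"id": "info-any-secrets", "severity": "low",
     "when": {"signal": "secret.has_finding", "equals": True},
     "info_message": "Secret detection found {{secret.count}} potential secret(s)."},
    {"id": "require-masking", "severity": "high", "context": "export",
     "when": {"signal": "secret.mask.applied", "equals": False},
     "deny_message": "BLOCKED: Secrets must be masked before export."},
]


def condition_holds(cond: dict, signals: Signals) -> bool:
    """Evaluate a `when:` block: a single {signal, equals} test or an `all:` list."""
    if "all" in cond:
        return all(condition_holds(sub, signals) for sub in cond["all"])
    name = cond["signal"]
    if name not in signals:
        # Example's choice: an unbound signal is a configuration error, not a pass.
        raise KeyError(f"rule references unbound signal {name!r}")
    return signals[name] == cond["equals"]


def render(template: str, signals: Signals) -> str:
    """Substitute {{signal.name}} placeholders with the bound signal value."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: str(signals.get(m.group(1), "")), template)


def evaluate(rules: List[dict], signals: Signals, context: str = "deploy") -> dict:
    """Return the gate decision plus (rule id, rendered message) pairs per level."""
    outcome = {"decision": "allow", "deny": [], "warn": [], "info": []}
    for rule in rules:
        # A rule with `context:` applies only when evaluated in that context.
        if rule.get("context") not in (None, context):
            continue
        if not condition_holds(rule["when"], signals):
            continue
        for key, bucket in (("deny_message", "deny"), ("warn_message", "warn"),
                            ("info_message", "info")):
            if key in rule:
                outcome[bucket].append((rule["id"], render(rule[key], signals)))
    if outcome["deny"]:
        outcome["decision"] = "deny"
    elif outcome["warn"]:
        outcome["decision"] = "warn"
    return outcome


def sample_signals(overrides: Dict[str, Any] = None) -> Signals:
    """Constructed signal set for a clean scan; callers override per scenario."""
    base: Signals = {
        "secret.has_finding": False, "secret.count": 0,
        "secret.severity.critical": False, "secret.severity.high": False,
        "secret.severity.medium": False, "secret.severity.low": False,
        "secret.confidence.high": False, "secret.confidence.medium": False,
        "secret.confidence.low": False, "secret.mask.applied": True,
        "secret.bundle.version": "BUNDLE_VERSION_PLACEHOLDER",  # placeholder value
        "secret.bundle.id": "BUNDLE_ID_PLACEHOLDER",            # placeholder value
    }
    base.update(overrides or {})
    return base


if __name__ == "__main__":
    # A scan that bound one critical, high-confidence finding among three.
    leak = sample_signals({"secret.has_finding": True, "secret.count": 3,
                           "secret.severity.critical": True,
                           "secret.confidence.high": True})
    print(evaluate(RULES, leak))
```

Running the block in the `deploy` context denies on `block-critical-secrets` while `require-masking` is skipped because its `context` is `export`; the same unmasked findings evaluated with `context="export"` are denied by `require-masking` even when no critical or high finding exists.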