Governance

Policies

The 8 Cedar policies the agent enforces, read straight from the repo. One policy per tab, each mapped to an OWASP Agentic Top 10 threat ID.

permit · ASI02 · Tool Misuse

SupportLead may read and triage Zendesk tickets, including writing internal notes; deletes are not permitted by any policy and so are denied by default.

packages/policies/policies/01-zendesk-read-only.cedar · read-only
@id("01-zendesk-read-only")
@asi("ASI02 Tool Misuse")
@description("SupportLead may read and triage Zendesk tickets, including writing internal notes; deletes are not permitted by any policy and so are denied by default.")
permit (
  principal in Role::"SupportLead",
  action in [
    Action::"listTickets",
    Action::"getTicket",
    Action::"replyInternal",
    Action::"closeTicket"
  ],
  resource is Ticket
);
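
The default-deny claim in the description can be pinned as a regression check. The following is an added example, not code from the repo: a simplified Python model of Cedar's decision rule (not the Cedar engine) applied to this one policy. `deleteTicket`, `SupportAgent`, `User` and the two extra policies are assumed names used only for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    effect: str          # "permit" or "forbid"
    role: str            # principal must be in this role
    actions: frozenset   # action must be one of these
    resource_type: str   # resource must be of this entity type

# Policy 01-zendesk-read-only, transcribed from the page.
ZENDESK_01 = Policy("permit", "SupportLead", frozenset(
    {"listTickets", "getTicket", "replyInternal", "closeTicket"}), "Ticket")

# Hypothetical policies (not in the repo); "deleteTicket" is an assumed action name.
LATER_PERMIT = Policy("permit", "SupportLead", frozenset({"deleteTicket"}), "Ticket")
FORBID_DELETE = Policy("forbid", "SupportLead", frozenset({"deleteTicket"}), "Ticket")

def matches(p, roles, action, resource_type):
    return p.role in roles and action in p.actions and p.resource_type == resource_type

def authorize(policies, roles, action, resource_type):
    """Allow only if at least one permit matches and no forbid matches."""
    hits = [p for p in policies if matches(p, roles, action, resource_type)]
    if any(p.effect == "forbid" for p in hits):
        return "Deny"    # a matching forbid overrides every permit
    if any(p.effect == "permit" for p in hits):
        return "Allow"
    return "Deny"        # no policy matched: default deny

def decision_table(policies):
    # Constructed requests; "SupportAgent" and "User" are assumed names.
    cases = [
        ("SupportLead", "getTicket", "Ticket"),
        ("SupportLead", "closeTicket", "Ticket"),
        ("SupportLead", "deleteTicket", "Ticket"),
        ("SupportAgent", "getTicket", "Ticket"),
        ("SupportLead", "getTicket", "User"),
    ]
    return [(r, a, t, authorize(policies, {r}, a, t)) for r, a, t in cases]

if __name__ == "__main__":
    for label, pols in [("page policy only", [ZENDESK_01]),
                        ("plus later permit", [ZENDESK_01, LATER_PERMIT]),
                        ("plus explicit forbid", [ZENDESK_01, LATER_PERMIT, FORBID_DELETE])]:
        print(label)
        for row in decision_table(pols):
            print("  ", *row)
```

The second and third policy sets show why the delete denial holds only while no policy permits it: a later permit flips the decision to Allow, while an explicit forbid keeps it at Deny regardless of which permits exist.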