Description
Each organization has its own unique policy requirements for software development, and we cannot hard‑code these into rules (prompts). Instead, we should provide a template that others can extend to fit their specific needs. This will allow organizations to enforce their internal secure software policies effectively during code generation.
Objective
Provide an extensible Contextual Security Policy Template that organizations can adapt to their own internal software development requirements. Every organization has its own security, compliance, and governance needs (for example, enforcement of FIPS‑validated cryptography), and such policies cannot be hard‑coded into universal rules or prompts.
Deliver a flexible template that teams can customize to enforce their internal secure‑coding standards effectively.
Proposed Deliverables:
a) Org Agnostic Contextual Policy Template
A modular, organization‑agnostic template that can be extended with custom rules, controls, and enforcement requirements. Examples of Organization‑Specific Policy:
"All user authentications must use approved enterprise authentication mechanisms with multi‑factor authentication support."
<< Detailed structured prompt blocks for Policy Enforcement >>
"All sensitive data must be encrypted at rest and in transit according to organizational encryption standards"
<<Detailed prompt blocks for organizational policy on encryption for example:
"Only use BSAFE for encryption",
"Do not generate cryptographic keys. Always use the organization approved secret‑management system (e.g., HashiCorp Vault, Azure Key Vault, AWS KMS) for key creation, storage, rotation, and retrieval.">>
b) Guidance for Extending and Customizing Policies
Instructions on how organizations can add, modify, or override rules to align with their internal governance, regulatory requirements, and risk posture.
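One way the two deliverables could fit together, as an added illustration rather than the project's own template or schema: an organization‑agnostic base policy whose rules are structured prompt blocks with placeholder parameters, plus an organization overlay that fills the parameters, overrides a rule, adds a rule and disables one. The rule IDs, field names and overlay keys (`params`, `override`, `add`, `disable`) are hypothetical; the sample rule text mirrors the examples above.

```python
from copy import deepcopy

# Organization-agnostic base template (constructed sample; the project's real
# template may use a different schema). Each rule is a structured prompt block
# whose {placeholders} an organization fills in via its overlay.
BASE_POLICY = {
    "version": 1,
    "params": {"idp": "<APPROVED_IDP>", "crypto_lib": "<APPROVED_CRYPTO_LIB>",
               "kms": "<APPROVED_KMS>"},
    "rules": {
        "AUTH-001": {
            "statement": "All user authentication must use approved enterprise "
                         "authentication mechanisms with multi-factor support.",
            "enforcement": "required",
            "prompt": "Authenticate users only through {idp}; never implement "
                      "password verification or MFA logic in application code.",
        },
        "CRYPTO-001": {
            "statement": "Sensitive data must be encrypted at rest and in transit "
                         "according to organizational encryption standards.",
            "enforcement": "required",
            "prompt": "Use only {crypto_lib} for encryption; do not call other "
                      "cryptographic libraries or hand-roll primitives.",
        },
        "CRYPTO-002": {
            "statement": "Cryptographic keys are never generated in application code.",
            "enforcement": "required",
            "prompt": "Obtain, rotate and store keys exclusively via {kms}; "
                      "never generate keys locally or embed them in source.",
        },
    },
}

# A hypothetical organization's overlay: fills parameters, overrides fields of
# an existing rule, adds a new rule, and disables one it does not need.
ORG_OVERLAY = {
    "params": {"idp": "Corp SSO (OIDC)", "crypto_lib": "BSAFE",
               "kms": "HashiCorp Vault"},
    "override": {"CRYPTO-001": {"prompt": "Use only {crypto_lib} in FIPS mode; "
                                          "reject any non-FIPS cipher suite."}},
    "add": {"LOG-001": {"statement": "Security events must go to the central SIEM.",
                        "enforcement": "recommended",
                        "prompt": "Emit authentication and authorization events "
                                  "as structured JSON to the SIEM forwarder."}},
    "disable": ["CRYPTO-002"],
}

REQUIRED_FIELDS = ("statement", "enforcement", "prompt")
ENFORCEMENT_LEVELS = ("required", "recommended")


def validate(policy: dict) -> None:
    """Reject rules with missing fields, unknown enforcement levels, or
    parameters an organization left as <PLACEHOLDER>."""
    for rule_id, rule in policy["rules"].items():
        missing = [f for f in REQUIRED_FIELDS if f not in rule]
        if missing:
            raise ValueError(f"{rule_id} is missing fields {missing}")
        if rule["enforcement"] not in ENFORCEMENT_LEVELS:
            raise ValueError(f"{rule_id} has invalid enforcement {rule['enforcement']!r}")
    for name, value in policy["params"].items():
        if value.startswith("<") and value.endswith(">"):
            raise ValueError(f"parameter {name!r} is still a placeholder")


def apply_overlay(base: dict, overlay: dict) -> dict:
    """Return a new policy: base merged with the org's params, overrides,
    additions and disabled rules. The base template is never mutated."""
    policy = deepcopy(base)
    policy["params"].update(overlay.get("params", {}))
    for rule_id, patch in overlay.get("override", {}).items():
        if rule_id not in policy["rules"]:
            raise KeyError(f"override targets unknown rule {rule_id}")
        policy["rules"][rule_id].update(patch)
    for rule_id, rule in overlay.get("add", {}).items():
        if rule_id in policy["rules"]:
            raise KeyError(f"added rule {rule_id} already exists; use override")
        policy["rules"][rule_id] = dict(rule)
    for rule_id in overlay.get("disable", []):
        policy["rules"].pop(rule_id, None)
    validate(policy)
    return policy


def render_prompt_blocks(policy: dict) -> list:
    """Render every rule as a prompt block a code-generation assistant can
    consume, with organization parameters substituted."""
    blocks = []
    for rule_id in sorted(policy["rules"]):
        rule = policy["rules"][rule_id]
        text = rule["prompt"].format(**policy["params"])
        blocks.append(f"[{rule_id}] ({rule['enforcement'].upper()}) "
                      f"{rule['statement']}\n  Enforcement: {text}")
    return blocks


if __name__ == "__main__":
    for block in render_prompt_blocks(apply_overlay(BASE_POLICY, ORG_OVERLAY)):
        print(block)
```

Validation runs after the merge so that an organization cannot ship a policy with unfilled placeholders or an unknown enforcement level, and overrides are rejected when they name a rule that does not exist in the base, which catches typos in rule IDs before they silently produce a weaker policy.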