Community Policy Library

Feature row 39 — Sprints CPL-1 / CPL-2

The Community Library is included on every plan. Publishing is open to all tenants; contributed artifacts pass through a validation gate before they're live.

What this is

Running Behavry should not mean starting from a blank policy file. The Community Library is a shared repository of:

  • Policy templates — Rego policies contributed by other tenants or by the Behavry team
  • DLP patterns — regex + entropy patterns for PII, secrets, regulated data
  • Inbound rules — preconfigured rule sets for common attack classes
  • Compliance packs — bundled policy + DLP + inbound-rule sets mapped to a specific framework (SOC 2, HIPAA, FSI, etc.)

Every artifact has a name, a description, a maintainer, a license, a version history, and a usage signal (how many tenants have subscribed to it).

Three flows: subscribe, install, or publish

Subscribe

Subscribing to an artifact means "pull the latest version on a schedule." When the maintainer pushes a new version, the subscribed tenant gets it on the next sync (default daily) without any manual action.

  • Policies — auto-update into a community/* namespace that can be referenced from your own policies
  • DLP patterns — auto-update into a community pattern group
  • Compliance packs — auto-update all contents

Subscribe with confidence: the version history is tamper-evident and you can pin a version if you don't want auto-updates.
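The subscribe semantics above (pull on a schedule, honour a pin, trust only a tamper-evident history) are small enough to show end to end. The following is an added example, not Behavry's own sync code: the page does not say how the history is made tamper-evident, so this models it as a hash chain (an assumption) in which each version entry commits to its content hash and the previous entry's chain hash; the sample Rego bodies and version numbers are constructed.

```python
"""Subscription sync resolver with a pinned version and a tamper-evident history.

Added example, not Behavry's own code. The page says the version history is
tamper-evident but not how; this models it as a hash chain (assumption): each
entry commits to its content hash and to the previous entry's chain hash, so
editing or dropping an old version breaks every later link.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Version:
    number: str       # semantic version, e.g. "1.2.0"
    content: str      # artifact body (Rego, regex pattern, pack manifest)
    prev_chain: str   # chain hash of the previous entry; "" for the first one
    chain: str        # this entry's chain hash


def chain_hash(number: str, content: str, prev_chain: str) -> str:
    """Hash over (version, sha256(content), previous link), NUL-separated."""
    body = hashlib.sha256(content.encode()).hexdigest()
    h = hashlib.sha256()
    for part in (number, body, prev_chain):
        h.update(part.encode())
        h.update(b"\0")
    return h.hexdigest()


def append_version(history: List[Version], number: str, content: str) -> List[Version]:
    """Maintainer side: push a new version, linking it to the current tip."""
    prev = history[-1].chain if history else ""
    return history + [Version(number, content, prev, chain_hash(number, content, prev))]


def verify_history(history: List[Version]) -> bool:
    """Subscriber side: walk the chain from the first entry and recompute every link."""
    prev = ""
    for v in history:
        if v.prev_chain != prev or v.chain != chain_hash(v.number, v.content, v.prev_chain):
            return False
        prev = v.chain
    return True


def resolve_sync(history: List[Version], pinned: Optional[str],
                 current: Optional[str]) -> Optional[Version]:
    """Pick the version the next scheduled sync should apply.

    pinned  -- version the tenant pinned, or None for "track latest"
    current -- version the tenant has now, or None if nothing is installed
    Returns None when nothing needs to change; raises if the history fails
    verification, so a tampered feed is never auto-applied.
    """
    if not verify_history(history):
        raise ValueError("version history failed tamper check; refusing to sync")
    if pinned is None:
        target = history[-1]
    else:
        target = next((v for v in history if v.number == pinned), None)
        if target is None:
            raise ValueError(f"pinned version {pinned} is not in the history")
    return None if current == target.number else target


def tamper(history: List[Version], index: int, new_content: str) -> List[Version]:
    """Simulate an old version being rewritten in place (stored hashes left untouched)."""
    edited = list(history)
    edited[index] = replace(history[index], content=new_content)
    return edited


def sample_history() -> List[Version]:
    """Constructed three-version history for a community Rego policy."""
    h: List[Version] = []
    h = append_version(h, "1.0.0", 'package community.deny_admin\n\ndeny { input.role == "admin" }\n')
    h = append_version(h, "1.1.0", 'package community.deny_admin\n\ndeny { input.role == "admin"; not input.mfa }\n')
    h = append_version(h, "1.2.0", 'package community.deny_admin\n\ndeny { input.role == "admin"; not input.mfa; input.env == "prod" }\n')
    return h


if __name__ == "__main__":
    history = sample_history()
    print("history verified:", verify_history(history))
    print("track latest from 1.0.0 ->", resolve_sync(history, None, "1.0.0").number)
    print("pinned 1.1.0 at 1.1.0   ->", resolve_sync(history, "1.1.0", "1.1.0"))
    print("after tampering:", verify_history(tamper(history, 1, "deny { false }")))
```

The design point is that the pin is resolved against the verified chain, not against whatever the feed reports as "latest": a subscriber that tracks latest and one that pins a version both refuse to apply anything once a single historical entry no longer recomputes.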

Install

Installing is a one-time copy. The artifact is duplicated into your tenant, you own it from that point forward, and you can edit freely. Use this when you want a starting point, not an ongoing dependency.

Publish

Any tenant can publish. Publishing is a 4-step wizard:

  1. Pick the source — an existing policy, DLP pattern, inbound rule, or a new pack composed of existing artifacts
  2. Metadata — name, description, tags, license (MIT / Apache 2.0 / custom), maintainer contact
  3. Validation — the contribution service runs the artifact through an OPA compile check (for policies), a test-corpus run (for DLP), and a schema validator (for packs). Failures are shown inline.
  4. Submit — the artifact lands in a review queue; once approved, it appears in the public browse list

See Publishing to the Community Library for the full flow and gate details.
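Step 3 of the wizard is the part worth seeing in code: a contribution is only useful if it catches what it claims and nothing else. The block below is an added example, not the contribution service from backend/behavry/community; it gates a DLP pattern of the regex-plus-entropy kind described under "What this is" against a labelled test corpus. The corpus lines, the 32-hex-character token pattern and the 3.0-bit entropy floor are all constructed for illustration.

```python
"""Validation gate for a contributed DLP pattern (wizard step 3).

Added example, not Behavry's contribution service. A pattern is a regex plus an
entropy floor, as the page describes; the corpus is a constructed list of
(text, should_match) pairs, and the 3.0-bit threshold is an assumption. A
contribution passes only if its regex compiles, it catches every positive
sample, and it flags no negative one.
"""
import math
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class DlpPattern:
    name: str
    regex: str
    min_entropy: float = 0.0   # Shannon bits per character; 0 disables the check


def shannon_entropy(s: str) -> float:
    """Bits per character: all 16 hex digits evenly used scores 4.0, '0000...' scores 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def matches(pattern: DlpPattern, text: str) -> bool:
    """A hit needs a regex match whose matched text also clears the entropy floor,
    which keeps placeholder values such as all zeros from counting as secrets."""
    for m in re.finditer(pattern.regex, text):
        if shannon_entropy(m.group(0)) >= pattern.min_entropy:
            return True
    return False


@dataclass
class GateResult:
    passed: bool
    missed_positives: List[str] = field(default_factory=list)
    false_positives: List[str] = field(default_factory=list)
    error: str = ""


def validate_pattern(pattern: DlpPattern, corpus: List[Tuple[str, bool]]) -> GateResult:
    """Run the gate. A regex that does not compile is a failure reported to the
    contributor inline, not an exception inside the service."""
    try:
        re.compile(pattern.regex)
    except re.error as exc:
        return GateResult(False, error=f"regex does not compile: {exc}")
    result = GateResult(True)
    for text, expected in corpus:
        got = matches(pattern, text)
        if expected and not got:
            result.missed_positives.append(text)
        elif got and not expected:
            result.false_positives.append(text)
    result.passed = not (result.missed_positives or result.false_positives)
    return result


# Constructed pattern: a 32-hex-character API token with an entropy floor.
HEX_TOKEN = DlpPattern("hex-api-token", r"\b[0-9a-f]{32}\b", min_entropy=3.0)

# Constructed test corpus. Both positives use every hex digit exactly twice
# (4.0 bits); the placeholders match the regex shape but carry no entropy.
SAMPLE_CORPUS: List[Tuple[str, bool]] = [
    ("Authorization: token 7a3f9c1e5b2d04867a3f9c1e5b2d0486", True),
    ("api_key=0123456789abcdef0123456789abcdef", True),
    ("placeholder " + "0" * 32 + " replace me", False),
    ("example " + "a" * 32, False),
    ("commit 7a3f9c1e merged", False),
]


if __name__ == "__main__":
    for p in (HEX_TOKEN, DlpPattern("hex-no-floor", HEX_TOKEN.regex), DlpPattern("broken", "[0-9")):
        r = validate_pattern(p, SAMPLE_CORPUS)
        print(f"{p.name}: passed={r.passed} missed={r.missed_positives} "
              f"false={r.false_positives} {r.error}")
```

Running it shows the three outcomes a contributor can see inline: the pattern with the entropy floor passes, the same regex without a floor is rejected for flagging the two placeholder lines, and the malformed regex is rejected at the compile step before the corpus is touched.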

Browse, search, install

Library → Community opens the browser with four tabs:

  • Featured — editorially curated artifacts, refreshed weekly
  • Browse — filterable list by category, framework, language, subscribe count
  • Packs — curated bundles with a multi-step install flow (preview → customize → confirm)
  • Subscriptions — your current subscriptions, versions, last sync time

Each artifact has a detail panel showing source (CodeMirror syntax highlighting for Rego / regex), contributor, test corpus, framework coverage, and a one-click Install or Subscribe button.

Storage

The library lives in a dedicated community PostgreSQL schema (backend/behavry/community/models.py) that is not tenant-scoped. This is deliberate: community artifacts are shared across tenants. Tenant-level subscriptions and installs reference the community schema via foreign keys to specific versions.

API

Routes: backend/behavry/community/routes.py.

Method  Path                                          Purpose
GET     /api/v1/community/artifacts                   Browse with filters
GET     /api/v1/community/artifacts/{id}              Artifact detail with version history
POST    /api/v1/community/artifacts/{id}/install      Install a copy into the tenant
POST    /api/v1/community/artifacts/{id}/subscribe    Subscribe with auto-update cadence
GET     /api/v1/community/packs                       List compliance packs
POST    /api/v1/community/contribute                  Submit a new artifact for review