# DTwo Policy Catalog > A curated catalog of reusable OPA/Rego policies for the DTwo MCP Gateway. Each policy is evaluated on every MCP tool call to allow, deny, redact, or rewrite the request or response — governing what AI agents can do with Slack, Jira, Salesforce, HubSpot and other connected apps. Policies are small and single-purpose; you compose a security posture by attaching several together. 18 policies span 4 apps and 4 bundles. The canonical source of truth is the policy-store repository on GitHub (https://github.com/dtwoai/policy-store). Full policy text inline: https://www.intentbasedpolicy.com/llms-full.txt. Structured index: https://www.intentbasedpolicy.com/catalog.json. ## Stories (problem-first guides) - [Stop AI agents from leaking secrets into Slack](https://www.intentbasedpolicy.com/stories/stop-secrets-leaking-into-slack): Once an agent posts to Slack, an API key is in channel history and search. Catch it before the send, not after. - [Keep customer PII from walking out of your CRM](https://www.intentbasedpolicy.com/stories/keep-customer-pii-inside-your-crm): An agent reading Salesforce or HubSpot pulls emails, phone numbers, and addresses into its context and your chat logs. Mask them on the way out. - [Give AI agents read-only access to your CRM](https://www.intentbasedpolicy.com/stories/read-only-crm-for-ai-agents): For a low-risk CRM pilot, give the agent a one-way mirror: it reads every record and changes none. The read-only policies enforce that, and a query allowlist tightens it further. - [Guard the CRM writes your revenue depends on](https://www.intentbasedpolicy.com/stories/guard-high-stakes-crm-writes): You want agents logging activities and creating records, just not closing deals or reassigning owners on their own. Gate the few writes that matter. - [Wall off sensitive Jira projects from AI agents](https://www.intentbasedpolicy.com/stories/wall-off-sensitive-jira-projects): Security, legal, and HR projects share the same Jira as your sprint board. Keep agents from reading or writing them, and redact whatever still comes back. - [Slack hygiene for autonomous AI agents](https://www.intentbasedpolicy.com/stories/slack-hygiene-for-ai-agents): Slack's OAuth scopes pick capabilities, not the channels they apply to: you can grant an agent 'post messages,' but not 'post only in #status' — one scope covers every channel at once. ## Apps - [Hubspot](https://www.intentbasedpolicy.com/apps/hubspot): 6 policies - [Jira](https://www.intentbasedpolicy.com/apps/jira): 3 policies - [Salesforce](https://www.intentbasedpolicy.com/apps/salesforce): 4 policies - [Slack](https://www.intentbasedpolicy.com/apps/slack): 5 policies ## Bundles - [Atlassian](https://www.intentbasedpolicy.com/bundles/atlassian): 3 policies - [Crm](https://www.intentbasedpolicy.com/bundles/crm): 10 policies - [Im Messaging](https://www.intentbasedpolicy.com/bundles/im-messaging): 1 policies - [Slack](https://www.intentbasedpolicy.com/bundles/slack): 4 policies ## Policies - [Block Secrets in Slack Messages](https://www.intentbasedpolicy.com/policies/slack/block-secrets) (slack, ingress): Blocks Slack send-message tool calls whose message body looks like it contains a secret — API keys, passwords, tokens, or PEM-formatted private keys. - [HubSpot Block Deal Closure](https://www.intentbasedpolicy.com/policies/hubspot/block-deal-closure) (hubspot, ingress): Blocks HubSpot CRM-object calls that move a deal into a closed stage (closedwon or closedlost). Both create and update requests are inspected. - [HubSpot Protect Associations](https://www.intentbasedpolicy.com/policies/hubspot/protect-associations) (hubspot, ingress): Blocks HubSpot CRM-object calls that create or change associations between objects (deal↔company, contact↔company, etc.). - [HubSpot Protect Deal Owner](https://www.intentbasedpolicy.com/policies/hubspot/protect-deal-owner) (hubspot, ingress): Blocks HubSpot CRM-object update calls that set or change a deal's owner. - [HubSpot Protect Lifecycle Stage](https://www.intentbasedpolicy.com/policies/hubspot/protect-lifecycle-stage) (hubspot, ingress): Blocks HubSpot CRM-object calls that set or change a contact's lifecycle stage. - [HubSpot Read-Only](https://www.intentbasedpolicy.com/policies/hubspot/read-only) (hubspot, ingress): Makes the HubSpot connection read-only by blocking the write tool. - [HubSpot Redact PII](https://www.intentbasedpolicy.com/policies/hubspot/redact-pii) (hubspot, egress): Redacts sensitive contact information from HubSpot tool responses before they reach the caller. - [JIRA: Deny Sensitive Project Search and View](https://www.intentbasedpolicy.com/policies/jira/deny-view-search-sensitive-projects) (jira, ingress): Keeps issues that belong to a configurable set of "sensitive" JIRA projects out of read access through the JIRA MCP server. - [JIRA: Protect Sensitive Projects from Writes](https://www.intentbasedpolicy.com/policies/jira/deny-write-sensitive-projects) (jira, ingress): Blocks write operations against issues that belong to a configurable set of "sensitive" JIRA projects. - [JIRA: Redact Sensitive Information from Issue Views](https://www.intentbasedpolicy.com/policies/jira/redact-sensitive-info) (jira, egress): Redacts sensitive content from the responses of JIRA issue-view tools before they reach the caller. - [Salesforce Protect Contact Fields](https://www.intentbasedpolicy.com/policies/salesforce/protect-contact-fields) (salesforce, ingress): Blocks Salesforce Contact updates that modify protected fields — ownership, account linkage, contact PII, name, and consent flags. - [Salesforce Query Allowlist](https://www.intentbasedpolicy.com/policies/salesforce/query-allowlist) (salesforce, ingress): Restricts Salesforce SOQL queries so only Account, Contact, and Opportunity records can be retrieved. - [Salesforce Read-Only Access](https://www.intentbasedpolicy.com/policies/salesforce/read-only) (salesforce, ingress): Restricts the Salesforce MCP server to read-only access. - [Salesforce Redact PII](https://www.intentbasedpolicy.com/policies/salesforce/redact-pii) (salesforce, egress): Redacts personal contact information from Salesforce tool responses before they reach the caller. - [Slack: Deny Channel Creation](https://www.intentbasedpolicy.com/policies/slack/deny-channel-creation) (slack, ingress): Blocks Slack channel-creation tool calls at ingress. Every other Slack tool — and every non-Slack tool — passes through untouched. - [Slack: Deny Read/Search/Summarize of Sensitive Channels](https://www.intentbasedpolicy.com/policies/slack/deny-read-search-summarize-sensitive-channels) (slack, ingress): Blocks read, search, and summarize operations that target a configurable set of "sensitive" Slack channels. - [Slack: Deny Sending Direct Messages](https://www.intentbasedpolicy.com/policies/slack/deny-direct-messages) (slack, ingress): Blocks Slack message-write calls whose destination resolves to a direct conversation — a 1:1 DM, a message posted to a user ID (which Slack auto-opens as a… - [Slack: Redact Sensitive Information from Messages](https://www.intentbasedpolicy.com/policies/slack/redact-sensitive-info) (slack, ingress): Redacts sensitive content from outgoing Slack message arguments before the call reaches Slack.