@highflame/policy 1.1.3 → 1.2.0

package/dist/parser.test.js

@@ -0,0 +1,99 @@
+/**
+ * Parser unit tests
+ *
+ * Tests the Cedar text → PolicyRule conversion using the official Cedar engine.
+ * These tests demonstrate how a client like highflame-authz would use the parser.
+ */
+import { describe, it, expect } from 'vitest';
+import { parseCedarToRules } from './parser.js';
+describe('parseCedarToRules', () => {
+    it('should parse a simple permit policy', () => {
+        const cedarText = `
+      @id("allow-read-files")
+      permit(
+        principal is User,
+        action == Action::"read_file",
+        resource is FilePath
+      );
+    `;
+        const result = parseCedarToRules(cedarText);
+        expect(result.errors).toHaveLength(0);
+        expect(result.rules).toHaveLength(1);
+        expect(result.unstructured).toHaveLength(0);
+        const rule = result.rules[0];
+        expect(rule.id).toBe('allow-read-files');
+        expect(rule.effect).toBe('permit');
+        expect(rule.principal).toEqual({ type: 'User' });
+        expect(rule.action).toBe('read_file');
+        expect(rule.resource).toEqual({ type: 'FilePath' });
+        expect(rule.enabled).toBe(true);
+    });
+    it('should parse a policy with when conditions', () => {
+        const cedarText = `
+      @id("block-high-risk")
+      forbid(
+        principal,
+        action == Action::"execute_tool",
+        resource
+      )
+      when {
+        context.threat_level == "high"
+      };
+    `;
+        const result = parseCedarToRules(cedarText);
+        expect(result.errors).toHaveLength(0);
+        expect(result.rules).toHaveLength(1);
+        const rule = result.rules[0];
+        expect(rule.id).toBe('block-high-risk');
+        expect(rule.effect).toBe('forbid');
+        expect(rule.action).toBe('execute_tool');
+        // Check condition was parsed
+        expect(rule.conditions.length).toBeGreaterThanOrEqual(0);
+        // If condition parsing works, it should have the condition
+        // If not, it should be in rawCondition
+        if (rule.conditions.length > 0) {
+            expect(rule.conditions[0].field).toBe('threat_level');
+            expect(rule.conditions[0].operator).toBe('eq');
+            expect(rule.conditions[0].value).toBe('high');
+        }
+        else {
+            expect(rule.rawCondition).toBeDefined();
+        }
+    });
+    it('should return errors for invalid Cedar syntax', () => {
+        const invalidCedar = `
+      permit(
+        principal is User
+        // missing comma and rest of policy
+    `;
+        const result = parseCedarToRules(invalidCedar);
+        expect(result.errors.length).toBeGreaterThan(0);
+    });
+    it('should handle multiple policies', () => {
+        const cedarText = `
+      @id("rule-1")
+      permit(principal, action == Action::"read", resource);
+
+      @id("rule-2")
+      forbid(principal, action == Action::"delete", resource);
+    `;
+        const result = parseCedarToRules(cedarText);
+        expect(result.errors).toHaveLength(0);
+        expect(result.rules).toHaveLength(2);
+        expect(result.rules[0].effect).toBe('permit');
+        expect(result.rules[1].effect).toBe('forbid');
+    });
+    it('should put policies with unless clauses in unstructured', () => {
+        const cedarText = `
+      permit(principal, action, resource)
+      unless {
+        context.is_blocked == true
+      };
+    `;
+        const result = parseCedarToRules(cedarText);
+        // Unless clauses can't be represented as PolicyRule
+        expect(result.rules).toHaveLength(0);
+        expect(result.unstructured.length).toBeGreaterThan(0);
+    });
+});
+//# sourceMappingURL=parser.test.js.map

package/dist/parser.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.test.js","sourceRoot":"","sources":["../src/parser.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,SAAS,GAAG;;;;;;;KAOjB,CAAC;QAEF,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAE5C,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,SAAS,GAAG;;;;;;;;;;KAUjB,CAAC;QAEF,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAErC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAEzC,6BAA6B;QAC7B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC;QACzD,2DAA2D;QAC3D,uCAAuC;QACvC,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACtD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,YAAY,GAAG;;;;KAIpB,CAAC;QAEF,MAAM,MAAM,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;QAE/C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,SAAS,GAAG;;;;;;KAMjB,CAAC;QAEF,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAE5C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,SAAS,GAAG;;;;;KAKjB,CAAC;QAEF,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAE5C,oDAAoD;QACpD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/schema.gen.d.ts

@@ -2,5 +2,5 @@
  * Embedded Cedar schema for policy validation.
  * This is the Highflame Cedar schema used across all services.
  */
-export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema\n// ======================\n// This is the SOURCE OF TRUTH for all entity types, actions, and their relationships\n// across the Highflame platform.\n//\n// All services (authz, Core, Guardian, Palisade) MUST use the types defined here.\n// The codegen tool parses this file and generates typed constants for Go, TypeScript,\n// and Python to ensure consistency.\n//\n// Usage:\n//   - Policies are validated against this schema when created/updated\n//   - Generated types prevent typos in application code\n//   - Cedar CLI can validate: cedar validate --schema highflame.cedarschema --policies policy.cedar\n\n// =============================================================================\n// PRINCIPAL TYPES (Who is making the request)\n// =============================================================================\n\n// Human user or service account making requests\n// Well-known IDs: \"mcp_client\", \"threat_processor\"\nentity User {\n    // User type: \"external\", \"internal\"\n    user_type: String,\n};\n\n// AI agent or bot\nentity Agent {\n    // Agent type: \"llm\", \"scanner\", \"bot\"\n    agent_type: String,\n};\n\n// Security scanner service\n// Well-known IDs: \"ramparts\", \"palisade\"\nentity Scanner {\n    // Scanner type: \"ramparts\", \"palisade\"\n    scanner_type: String,\n    // Scanner version\n    version: String,\n};\n\n// Backend service account\nentity Service {\n    // Service name\n    service_name: String,\n    // Environment: \"production\", \"staging\", \"development\"\n    environment: String,\n};\n\n// =============================================================================\n// RESOURCE TYPES (What is being accessed)\n// =============================================================================\n\n// Generic resource\n// Well-known IDs: \"threat_analysis\", \"tools/list\", \"tools/call\", \"resources/list\",\n//                 \"resources/read\", \"prompts/list\", \"unknown\"\nentity Resource {};\n\n// LLM response data\n// Well-known IDs: \"response_data\"\nentity ResponseData {};\n\n// MCP tool that can be called\nentity Tool {\n    // Tool name\n    tool_name: String,\n    // Risk level: \"safe\", \"moderate\", \"dangerous\"\n    risk_level: String,\n    // Category: \"file\", \"network\", \"shell\", \"api\"\n    category: String,\n};\n\n// File system path\nentity FilePath {\n    // Full path\n    path: String,\n    // File extension\n    extension: String,\n    // Whether file is sensitive (.env, credentials, etc.)\n    is_sensitive: Bool,\n};\n\n// HTTP endpoint\nentity HttpEndpoint {\n    // Hostname\n    hostname: String,\n    // Scheme: \"http\", \"https\"\n    scheme: String,\n    // Port number\n    port: Long,\n    // Whether endpoint is internal\n    is_internal: Bool,\n};\n\n// MCP Server\nentity Server {\n    // Server name\n    server_name: String,\n};\n\n// ML model artifact (for Palisade)\nentity Artifact {\n    // Format: \"safetensors\", \"pickle\", \"gguf\", \"onnx\"\n    artifact_type: String,\n    // Source URL or path\n    source: String,\n    // SHA256 hash\n    hash: String,\n    // Whether artifact is signed\n    is_signed: Bool,\n};\n\n// Code repository\nentity Repository {\n    // Repository URL\n    url: String,\n};\n\n// Software package\nentity Package {\n    // Package name\n    name: String,\n    // Package version\n    version: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// --- LLM/Guardrails Actions ---\n\n// Process an LLM prompt\n// Context: prompt_text, yara_threats, threat_count, max_threat_severity,\n//          user_type, monitoring_enabled\naction process_prompt appliesTo {\n    principal: [User, Agent],\n    resource: [Resource],\n};\n\n// Process an LLM response\n// Context: response_size_mb\naction process_response appliesTo {\n    principal: [User, Agent],\n    resource: [ResponseData],\n};\n\n// --- MCP/Tool Actions ---\n\n// Call an MCP tool\n// Context: tool_name\naction call_tool appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Tool, Resource],\n};\n\n// Connect to an MCP server\naction connect_server appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Server, Resource],\n};\n\n// Access a server-specific resource\n// Context: tool_name, resource_name, prompt_name\naction access_server_resource appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// Skip guardrails for an operation\naction skip_guardrails appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// --- File System Actions ---\n\n// Read a file\n// Context: path\naction read_file appliesTo {\n    principal: [User, Agent, Scanner],\n    resource: [FilePath, Resource],\n};\n\n// Write a file\n// Context: path\naction write_file appliesTo {\n    principal: [User, Agent],\n    resource: [FilePath, Resource],\n};\n\n// --- HTTP Actions ---\n\n// Make an HTTP request\n// Context: hostname, ip_address, scheme, port\naction http_request appliesTo {\n    principal: [User, Agent, Service],\n    resource: [HttpEndpoint, Resource],\n};\n\n// --- Scanner Actions ---\n\n// Scan a target (MCP server, repository, etc.)\naction scan_target appliesTo {\n    principal: [Scanner, Service],\n    resource: [Resource, Repository, Server],\n};\n\n// Scan a software package\naction scan_package appliesTo {\n    principal: [Scanner, Service],\n    resource: [Package, Resource],\n};\n\n// --- Palisade/ML Actions ---\n\n// Scan an ML artifact\n// Context: environment, artifact_format, artifact_signed, severity, finding_type,\n//          provenance_signer, pickle_exec_path_detected, metadata_malicious_pattern,\n//          tokenizer_added_tokens_count, safetensors_integrity_violation,\n//          gguf_suspicious_metadata, adapter_base_digest_mismatch,\n//          metadata_cosai_level_numeric\naction scan_artifact appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact, Resource],\n};\n\n// Validate artifact integrity\naction validate_integrity appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact],\n};\n\n// Validate artifact provenance\naction validate_provenance appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact],\n};\n\n// Quarantine an artifact\naction quarantine_artifact appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact],\n};\n\n// Load an ML model\naction load_model appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Artifact],\n};\n\n// Deploy an ML model\naction deploy_model appliesTo {\n    principal: [User, Service],\n    resource: [Artifact],\n};\n\n// =============================================================================\n// CONTEXT ATTRIBUTES REFERENCE (Documentation Only)\n// =============================================================================\n// Cedar context is dynamic and not enforced by schema, but these are the\n// standard attributes used across Highflame services:\n//\n// GUARDRAILS/CORE:\n//   tool_name: String           - Name of tool being called\n//   resource_name: String       - Name of resource being accessed\n//   prompt_name: String         - Name of prompt\n//   prompt_text: String         - Raw prompt text (for injection detection)\n//   response_size_mb: Long      - Response size in megabytes\n//   yara_threats: Set<String>   - Set of detected YARA threat names\n//   threat_count: Long          - Number of threats detected\n//   max_threat_severity: Long   - Highest severity (0=INFO, 4=CRITICAL)\n//   user_type: String           - \"external\" or \"internal\"\n//   monitoring_enabled: Bool    - Whether monitoring is active\n//   path: String                - File path\n//   hostname: String            - HTTP hostname\n//   ip_address: String          - IP address (for SSRF detection)\n//   scheme: String              - HTTP scheme\n//   port: Long                  - Port number\n//\n// PALISADE:\n//   environment: String                    - \"production\", \"development\", \"research\"\n//   artifact_format: String                - \"pickle\", \"safetensors\", \"gguf\", \"onnx\"\n//   artifact_signed: Bool                  - Whether artifact has signature\n//   severity: String                       - \"CRITICAL\", \"HIGH\", \"MEDIUM\", \"LOW\", \"INFO\"\n//   finding_type: String                   - Type of security finding\n//   provenance_signer: String              - Who signed (\"unknown\", \"unsigned\", or name)\n//   pickle_exec_path_detected: Bool        - RCE path found in pickle\n//   metadata_malicious_pattern: Bool       - Malicious pattern in metadata\n//   tokenizer_added_tokens_count: Long     - Number of added tokens\n//   safetensors_integrity_violation: Bool  - Safetensors integrity failed\n//   gguf_suspicious_metadata: Bool         - Suspicious GGUF metadata\n//   adapter_base_digest_mismatch: Bool     - LoRA adapter digest mismatch\n//   metadata_cosai_level_numeric: Long     - CoSAI maturity level (0-5)\n";
+export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema\n// ======================\n// This is the SOURCE OF TRUTH for all entity types, actions, and their relationships\n// across the Highflame platform.\n//\n// All services (authz, Core, Guardian, Palisade) MUST use the types defined here.\n// The codegen tool parses this file and generates typed constants for Go, TypeScript,\n// and Python to ensure consistency.\n//\n// Usage:\n//   - Policies are validated against this schema when created/updated\n//   - Generated types prevent typos in application code\n//   - Cedar CLI can validate: cedar validate --schema highflame.cedarschema --policies policy.cedar\n\n// =============================================================================\n// PRINCIPAL TYPES (Who is making the request)\n// =============================================================================\n\n// Human user or service account making requests\n// Well-known IDs: \"mcp_client\", \"threat_processor\"\nentity User {\n    // User type: \"external\", \"internal\"\n    user_type: String,\n};\n\n// AI agent or bot\nentity Agent {\n    // Agent type: \"llm\", \"scanner\", \"bot\", \"coding_assistant\"\n    agent_type: String,\n};\n\n// Security scanner service\n// Well-known IDs: \"ramparts\", \"palisade\"\nentity Scanner {\n    // Scanner type: \"ramparts\", \"palisade\"\n    scanner_type: String,\n    // Scanner version\n    version: String,\n};\n\n// Backend service account\nentity Service {\n    // Service name\n    service_name: String,\n    // Environment: \"production\", \"staging\", \"development\"\n    environment: String,\n};\n\n// =============================================================================\n// RESOURCE TYPES (What is being accessed)\n// =============================================================================\n\n// Generic resource\n// Well-known IDs: \"threat_analysis\", \"tools/list\", \"tools/call\", \"resources/list\",\n//                 \"resources/read\", \"prompts/list\", \"unknown\"\nentity Resource {};\n\n// LLM response data\n// Well-known IDs: \"response_data\"\nentity ResponseData {};\n\n// MCP tool that can be called\nentity Tool {\n    // Tool name\n    tool_name: String,\n    // Risk level: \"safe\", \"moderate\", \"dangerous\"\n    risk_level: String,\n    // Category: \"file\", \"network\", \"shell\", \"api\"\n    category: String,\n};\n\n// File system path\nentity FilePath {\n    // Full path\n    path: String,\n    // File extension\n    extension: String,\n    // Whether file is sensitive (.env, credentials, etc.)\n    is_sensitive: Bool,\n};\n\n// HTTP endpoint\nentity HttpEndpoint {\n    // Hostname\n    hostname: String,\n    // Scheme: \"http\", \"https\"\n    scheme: String,\n    // Port number\n    port: Long,\n    // Whether endpoint is internal\n    is_internal: Bool,\n};\n\n// MCP Server\nentity Server {\n    // Server name\n    server_name: String,\n};\n\n// ML model artifact (for Palisade)\nentity Artifact {\n    // Format: \"safetensors\", \"pickle\", \"gguf\", \"onnx\"\n    artifact_type: String,\n    // Source URL or path\n    source: String,\n    // SHA256 hash\n    hash: String,\n    // Whether artifact is signed\n    is_signed: Bool,\n};\n\n// Code repository\nentity Repository {\n    // Repository URL\n    url: String,\n};\n\n// Software package\nentity Package {\n    // Package name\n    name: String,\n    // Package version\n    version: String,\n};\n\n// Git branch (for branch protection policies)\nentity GitBranch {\n    // Branch name (e.g., \"main\", \"develop\", \"feature/xyz\")\n    branch_name: String,\n    // Whether this is a protected branch\n    is_protected: Bool,\n};\n\n// LLM Model (for model-specific policies)\nentity Model {\n    // Model name (e.g., \"gpt-4\", \"claude-3-opus\")\n    model_name: String,\n    // Provider (e.g., \"openai\", \"anthropic\", \"google\")\n    provider: String,\n    // Whether model is in preview/beta\n    is_preview: Bool,\n};\n\n// External API endpoint (for external service calls)\nentity ExternalAPI {\n    // API name or identifier\n    api_name: String,\n    // Base URL or hostname\n    base_url: String,\n    // Whether the API is trusted/verified\n    is_trusted: Bool,\n};\n\n// Agent memory or RAG storage\nentity Memory {\n    // Memory type: \"short_term\", \"long_term\", \"rag\", \"vector_store\"\n    memory_type: String,\n    // Whether memory contains sensitive data\n    is_sensitive: Bool,\n};\n\n// =============================================================================\n// ACTIONS - LLM/Guardrails\n// =============================================================================\n\n// Process an LLM prompt\n// Context: prompt_text, yara_threats, threat_count, max_threat_severity,\n//          user_type, monitoring_enabled, injection_score, content_score\naction process_prompt appliesTo {\n    principal: [User, Agent],\n    resource: [Resource],\n};\n\n// Process an LLM response\n// Context: response_size_mb, contains_pii, pii_types, content_category\naction process_response appliesTo {\n    principal: [User, Agent],\n    resource: [ResponseData],\n};\n\n// Invoke an LLM model\n// Context: model_name, model_provider, is_preview_model, estimated_tokens,\n//          max_tokens, temperature, top_p, is_streaming\naction invoke_model appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Model, Resource],\n};\n\n// Filter content (apply content filtering policies)\n// Context: content_type, content_category, content_score, harm_categories,\n//          language, is_harmful, filter_action\naction filter_content appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource, ResponseData],\n};\n\n// =============================================================================\n// ACTIONS - MCP/Tool\n// =============================================================================\n\n// Call an MCP tool\n// Context: tool_name, tool_arguments, risk_level\naction call_tool appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Tool, Resource],\n};\n\n// Connect to an MCP server\n// Context: server_name, server_url, transport_type\naction connect_server appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Server, Resource],\n};\n\n// Access a server-specific resource\n// Context: tool_name, resource_name, prompt_name\naction access_server_resource appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// Skip guardrails for an operation\naction skip_guardrails appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// =============================================================================\n// ACTIONS - File System\n// =============================================================================\n\n// Read a file\n// Context: path, extension, is_sensitive\naction read_file appliesTo {\n    principal: [User, Agent, Scanner],\n    resource: [FilePath, Resource],\n};\n\n// Write a file\n// Context: path, extension, is_sensitive, file_size_bytes\naction write_file appliesTo {\n    principal: [User, Agent],\n    resource: [FilePath, Resource],\n};\n\n// Delete a file\n// Context: path, extension, is_sensitive\naction delete_file appliesTo {\n    principal: [User, Agent],\n    resource: [FilePath, Resource],\n};\n\n// =============================================================================\n// ACTIONS - HTTP/Network\n// =============================================================================\n\n// Make an HTTP request\n// Context: hostname, ip_address, scheme, port, method, is_internal\naction http_request appliesTo {\n    principal: [User, Agent, Service],\n    resource: [HttpEndpoint, Resource],\n};\n\n// Call an external API\n// Context: api_name, endpoint_path, method, is_trusted, request_size_bytes\naction call_external_api appliesTo {\n    principal: [User, Agent, Service],\n    resource: [ExternalAPI, HttpEndpoint, Resource],\n};\n\n// =============================================================================\n// ACTIONS - Code Execution\n// =============================================================================\n\n// Execute code in a sandbox or environment\n// Context: code_language, is_sandboxed, code_size_bytes, has_network_access,\n//          has_filesystem_access, execution_timeout_ms\naction execute_code appliesTo {\n    principal: [User, Agent],\n    resource: [Resource],\n};\n\n// Run tests\n// Context: test_framework, test_count, is_sandboxed, code_language\naction run_tests appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Repository, Resource],\n};\n\n// Run build process\n// Context: build_tool, is_sandboxed, code_language\naction run_build appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Repository, Resource],\n};\n\n// =============================================================================\n// ACTIONS - Git Operations\n// =============================================================================\n\n// General git operation (use for policies that apply to all git actions)\n// Context: git_op, target_branch, source_branch, is_force, is_protected_branch,\n//          changed_files_count, commit_message, remote_url\naction git_operation appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Clone a repository\n// Context: remote_url, is_shallow, depth\naction git_clone appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, Resource],\n};\n\n// Create a commit\n// Context: commit_message, changed_files_count, author, is_amend\naction git_commit appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Push changes to remote\n// Context: target_branch, is_force_push, is_protected_branch, remote_url\naction git_push appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Pull changes from remote\n// Context: source_branch, remote_url, is_rebase\naction git_pull appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Merge branches\n// Context: source_branch, target_branch, is_protected_branch, merge_strategy\naction git_merge appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Checkout branch or commit\n// Context: target_branch, is_new_branch, commit_hash\naction git_checkout appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Reset changes (potentially destructive)\n// Context: reset_mode, target_commit, is_hard_reset\naction git_reset appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// Rebase branch\n// Context: source_branch, target_branch, is_interactive\naction git_rebase appliesTo {\n    principal: [User, Agent],\n    resource: [Repository, GitBranch, Resource],\n};\n\n// =============================================================================\n// ACTIONS - Agent Orchestration\n// =============================================================================\n\n// Delegate task to another agent\n// Context: delegation_depth, parent_agent_id, task_type, is_autonomous\naction delegate_task appliesTo {\n    principal: [Agent, Service],\n    resource: [Resource],\n};\n\n// Spawn a subprocess or child process\n// Context: process_name, is_sandboxed, has_network_access, has_filesystem_access\naction spawn_subprocess appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// Access agent memory or RAG storage\n// Context: memory_type, operation (read, write, delete), is_sensitive\naction access_memory appliesTo {\n    principal: [Agent, Service],\n    resource: [Memory, Resource],\n};\n\n// =============================================================================\n// ACTIONS - Scanner\n// =============================================================================\n\n// Scan a target (MCP server, repository, etc.)\naction scan_target appliesTo {\n    principal: [Scanner, Service],\n    resource: [Resource, Repository, Server],\n};\n\n// Scan a software package\naction scan_package appliesTo {\n    principal: [Scanner, Service],\n    resource: [Package, Resource],\n};\n\n// =============================================================================\n// ACTIONS - Palisade/ML\n// =============================================================================\n\n// Scan an ML artifact\n// Context: environment, artifact_format, artifact_signed, severity, finding_type,\n//          provenance_signer, pickle_exec_path_detected, metadata_malicious_pattern,\n//          tokenizer_added_tokens_count, safetensors_integrity_violation,\n//          gguf_suspicious_metadata, adapter_base_digest_mismatch,\n//          metadata_cosai_level_numeric\naction scan_artifact appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact, Resource],\n};\n\n// Validate artifact integrity\naction validate_integrity appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact],\n};\n\n// Validate artifact provenance\naction validate_provenance appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact],\n};\n\n// Quarantine an artifact\naction quarantine_artifact appliesTo {\n    principal: [Scanner, Service],\n    resource: [Artifact],\n};\n\n// Load an ML model\naction load_model appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Artifact],\n};\n\n// Deploy an ML model\naction deploy_model appliesTo {\n    principal: [User, Service],\n    resource: [Artifact],\n};\n\n// =============================================================================\n// ACTIONS - Data Loss Prevention (DLP)\n// =============================================================================\n\n// Transfer data (for DLP policies)\n// Context: data_classification, destination_type, transfer_size_bytes,\n//          contains_pii, pii_types, is_encrypted\naction transfer_data appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// Export data (for DLP policies)\n// Context: export_format, data_classification, destination_type, is_encrypted\naction export_data appliesTo {\n    principal: [User, Agent, Service],\n    resource: [Resource],\n};\n\n// =============================================================================\n// CONTEXT ATTRIBUTES REFERENCE (Documentation Only)\n// =============================================================================\n// Cedar context is dynamic and not enforced by schema, but these are the\n// standard attributes used across Highflame services:\n//\n// -----------------------------------------------------------------------------\n// GUARDRAILS/CORE\n// -----------------------------------------------------------------------------\n//   tool_name: String           - Name of tool being called\n//   resource_name: String       - Name of resource being accessed\n//   prompt_name: String         - Name of prompt\n//   prompt_text: String         - Raw prompt text (for injection detection)\n//   response_size_mb: Long      - Response size in megabytes\n//   yara_threats: Set<String>   - Set of detected YARA threat names\n//   threat_count: Long          - Number of threats detected\n//   max_threat_severity: Long   - Highest severity (0=INFO, 4=CRITICAL)\n//   user_type: String           - \"external\" or \"internal\"\n//   monitoring_enabled: Bool    - Whether monitoring is active\n//   path: String                - File path\n//   hostname: String            - HTTP hostname\n//   ip_address: String          - IP address (for SSRF detection)\n//   scheme: String              - HTTP scheme\n//   port: Long                  - Port number\n//\n// -----------------------------------------------------------------------------\n// MODEL INVOCATION\n// -----------------------------------------------------------------------------\n//   model_name: String          - Name of the model (e.g., \"gpt-4\", \"claude-3-opus\")\n//   model_provider: String      - Provider name (e.g., \"openai\", \"anthropic\", \"google\", \"azure\", \"bedrock\")\n//   is_preview_model: Bool      - Whether model is in preview/beta\n//   estimated_tokens: Long      - Estimated input + output tokens\n//   max_tokens: Long            - Maximum tokens allowed for response\n//   temperature: Long           - Temperature setting (scaled by 100, e.g., 70 = 0.7)\n//   top_p: Long                 - Top-p sampling (scaled by 100)\n//   is_streaming: Bool          - Whether response is streamed\n//\n// -----------------------------------------------------------------------------\n// CONTENT FILTERING\n// -----------------------------------------------------------------------------\n//   content_type: String        - Type of content (\"text\", \"code\", \"image\", \"audio\", \"video\")\n//   content_category: String    - Category (\"general\", \"adult\", \"violence\", \"hate\", etc.)\n//   content_score: Long         - Content risk score (0-100)\n//   injection_score: Long       - Prompt injection detection score (0-100)\n//   jailbreak_score: Long       - Jailbreak attempt detection score (0-100)\n//   contains_pii: Bool          - Whether content contains PII\n//   pii_types: Set<String>      - Types of PII detected (\"email\", \"phone\", \"ssn\", \"credit_card\", etc.)\n//   language: String            - Detected language code (e.g., \"en\", \"es\", \"zh\")\n//   is_harmful: Bool            - Whether content is harmful\n//   harm_categories: Set<String> - Categories of harm (\"violence\", \"hate\", \"self_harm\", \"sexual\", etc.)\n//   filter_action: String       - Action to take (\"inspect\", \"mask\", \"redact\", \"replace\", \"anonymize\", \"reject\")\n//   csam_detected: Bool         - Whether CSAM was detected\n//   hallucination_score: Long   - Hallucination detection score (0-100)\n//\n// -----------------------------------------------------------------------------\n// RATE LIMITING\n// -----------------------------------------------------------------------------\n//   concurrent_calls: Long      - Current number of concurrent calls\n//   requests_per_minute: Long   - Current requests per minute\n//   tokens_per_minute: Long     - Current tokens per minute\n//   rate_limit_bucket: String   - Rate limit bucket identifier\n//   is_rate_limited: Bool       - Whether rate limit is exceeded\n//\n// -----------------------------------------------------------------------------\n// GIT OPERATIONS\n// -----------------------------------------------------------------------------\n//   git_op: String              - Type of git operation (\"clone\", \"commit\", \"push\", \"pull\", etc.)\n//   target_branch: String       - Target branch name\n//   source_branch: String       - Source branch name\n//   is_force_push: Bool         - Whether this is a force push\n//   is_protected_branch: Bool   - Whether target is a protected branch\n//   changed_files_count: Long   - Number of files changed\n//   commit_message: String      - Commit message text\n//   remote_url: String          - Remote repository URL\n//   is_shallow: Bool            - Whether clone is shallow\n//   depth: Long                 - Clone depth for shallow clones\n//   is_amend: Bool              - Whether commit is an amend\n//   merge_strategy: String      - Merge strategy (\"merge\", \"rebase\", \"squash\")\n//   is_hard_reset: Bool         - Whether reset is hard (destructive)\n//   reset_mode: String          - Reset mode (\"soft\", \"mixed\", \"hard\")\n//   is_interactive: Bool        - Whether operation is interactive\n//\n// -----------------------------------------------------------------------------\n// CODE EXECUTION\n// -----------------------------------------------------------------------------\n//   code_language: String       - Programming language (\"python\", \"javascript\", \"go\", etc.)\n//   is_sandboxed: Bool          - Whether code runs in a sandbox\n//   code_size_bytes: Long       - Size of code in bytes\n//   has_network_access: Bool    - Whether code has network access\n//   has_filesystem_access: Bool - Whether code has filesystem access\n//   execution_timeout_ms: Long  - Execution timeout in milliseconds\n//   test_framework: String      - Test framework being used\n//   test_count: Long            - Number of tests being run\n//   build_tool: String          - Build tool being used\n//\n// -----------------------------------------------------------------------------\n// AGENT ORCHESTRATION\n// -----------------------------------------------------------------------------\n//   delegation_depth: Long      - Current delegation nesting depth\n//   parent_agent_id: String     - ID of parent agent (if delegated)\n//   task_type: String           - Type of task being performed\n//   is_autonomous: Bool         - Whether agent is operating autonomously\n//   session_id: String          - Agent session identifier\n//   process_name: String        - Name of subprocess being spawned\n//\n// -----------------------------------------------------------------------------\n// MEMORY/RAG\n// -----------------------------------------------------------------------------\n//   memory_type: String         - Type of memory (\"short_term\", \"long_term\", \"rag\", \"vector_store\")\n//   memory_operation: String    - Operation being performed (\"read\", \"write\", \"delete\", \"search\")\n//   memory_is_sensitive: Bool   - Whether memory contains sensitive data\n//\n// -----------------------------------------------------------------------------\n// DATA LOSS PREVENTION (DLP)\n// -----------------------------------------------------------------------------\n//   data_classification: String - Classification level (\"public\", \"internal\", \"confidential\", \"restricted\")\n//   destination_type: String    - Where data is going (\"internal\", \"external\", \"cloud\", \"email\")\n//   transfer_size_bytes: Long   - Size of data being transferred\n//   is_encrypted: Bool          - Whether data is encrypted\n//   export_format: String       - Format of exported data (\"json\", \"csv\", \"pdf\", etc.)\n//\n// -----------------------------------------------------------------------------\n// PALISADE/ML\n// -----------------------------------------------------------------------------\n//   environment: String                    - \"production\", \"development\", \"research\"\n//   artifact_format: String                - \"pickle\", \"safetensors\", \"gguf\", \"onnx\"\n//   artifact_signed: Bool                  - Whether artifact has signature\n//   severity: String                       - \"CRITICAL\", \"HIGH\", \"MEDIUM\", \"LOW\", \"INFO\"\n//   finding_type: String                   - Type of security finding\n//   provenance_signer: String              - Who signed (\"unknown\", \"unsigned\", or name)\n//   pickle_exec_path_detected: Bool        - RCE path found in pickle\n//   metadata_malicious_pattern: Bool       - Malicious pattern in metadata\n//   tokenizer_added_tokens_count: Long     - Number of added tokens\n//   safetensors_integrity_violation: Bool  - Safetensors integrity failed\n//   gguf_suspicious_metadata: Bool         - Suspicious GGUF metadata\n//   adapter_base_digest_mismatch: Bool     - LoRA adapter digest mismatch\n//   metadata_cosai_level_numeric: Long     - CoSAI maturity level (0-5)\n//\n";
 //# sourceMappingURL=schema.gen.d.ts.map

package/dist/schema.gen.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.gen.d.ts","sourceRoot":"","sources":["../src/schema.gen.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,YAAY,27RAqSxB,CAAC"}
+{"version":3,"file":"schema.gen.d.ts","sourceRoot":"","sources":["../src/schema.gen.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,eAAO,MAAM,YAAY,i9tBA+lBxB,CAAC"}

package/dist/schema.gen.js

@@ -31,7 +31,7 @@ entity User {
 
 // AI agent or bot
 entity Agent {
-    // Agent type: "llm", "scanner", "bot"
+    // Agent type: "llm", "scanner", "bot", "coding_assistant"
     agent_type: String,
 };
 
@@ -129,37 +129,90 @@ entity Package {
     version: String,
 };
 
+// Git branch (for branch protection policies)
+entity GitBranch {
+    // Branch name (e.g., "main", "develop", "feature/xyz")
+    branch_name: String,
+    // Whether this is a protected branch
+    is_protected: Bool,
+};
+
+// LLM Model (for model-specific policies)
+entity Model {
+    // Model name (e.g., "gpt-4", "claude-3-opus")
+    model_name: String,
+    // Provider (e.g., "openai", "anthropic", "google")
+    provider: String,
+    // Whether model is in preview/beta
+    is_preview: Bool,
+};
+
+// External API endpoint (for external service calls)
+entity ExternalAPI {
+    // API name or identifier
+    api_name: String,
+    // Base URL or hostname
+    base_url: String,
+    // Whether the API is trusted/verified
+    is_trusted: Bool,
+};
+
+// Agent memory or RAG storage
+entity Memory {
+    // Memory type: "short_term", "long_term", "rag", "vector_store"
+    memory_type: String,
+    // Whether memory contains sensitive data
+    is_sensitive: Bool,
+};
+
 // =============================================================================
-// ACTIONS
+// ACTIONS - LLM/Guardrails
 // =============================================================================
 
-// --- LLM/Guardrails Actions ---
-
 // Process an LLM prompt
 // Context: prompt_text, yara_threats, threat_count, max_threat_severity,
-//          user_type, monitoring_enabled
+//          user_type, monitoring_enabled, injection_score, content_score
 action process_prompt appliesTo {
     principal: [User, Agent],
     resource: [Resource],
 };
 
 // Process an LLM response
-// Context: response_size_mb
+// Context: response_size_mb, contains_pii, pii_types, content_category
 action process_response appliesTo {
     principal: [User, Agent],
     resource: [ResponseData],
 };
 
-// --- MCP/Tool Actions ---
+// Invoke an LLM model
+// Context: model_name, model_provider, is_preview_model, estimated_tokens,
+//          max_tokens, temperature, top_p, is_streaming
+action invoke_model appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Model, Resource],
+};
+
+// Filter content (apply content filtering policies)
+// Context: content_type, content_category, content_score, harm_categories,
+//          language, is_harmful, filter_action
+action filter_content appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource, ResponseData],
+};
+
+// =============================================================================
+// ACTIONS - MCP/Tool
+// =============================================================================
 
 // Call an MCP tool
-// Context: tool_name
+// Context: tool_name, tool_arguments, risk_level
 action call_tool appliesTo {
     principal: [User, Agent, Service],
     resource: [Tool, Resource],
 };
 
 // Connect to an MCP server
+// Context: server_name, server_url, transport_type
 action connect_server appliesTo {
     principal: [User, Agent, Service],
     resource: [Server, Resource],
@@ -178,32 +231,171 @@ action skip_guardrails appliesTo {
     resource: [Resource],
 };
 
-// --- File System Actions ---
+// =============================================================================
+// ACTIONS - File System
+// =============================================================================
 
 // Read a file
-// Context: path
+// Context: path, extension, is_sensitive
 action read_file appliesTo {
     principal: [User, Agent, Scanner],
     resource: [FilePath, Resource],
 };
 
 // Write a file
-// Context: path
+// Context: path, extension, is_sensitive, file_size_bytes
 action write_file appliesTo {
     principal: [User, Agent],
     resource: [FilePath, Resource],
 };
 
-// --- HTTP Actions ---
+// Delete a file
+// Context: path, extension, is_sensitive
+action delete_file appliesTo {
+    principal: [User, Agent],
+    resource: [FilePath, Resource],
+};
+
+// =============================================================================
+// ACTIONS - HTTP/Network
+// =============================================================================
 
 // Make an HTTP request
-// Context: hostname, ip_address, scheme, port
+// Context: hostname, ip_address, scheme, port, method, is_internal
 action http_request appliesTo {
     principal: [User, Agent, Service],
     resource: [HttpEndpoint, Resource],
 };
 
-// --- Scanner Actions ---
+// Call an external API
+// Context: api_name, endpoint_path, method, is_trusted, request_size_bytes
+action call_external_api appliesTo {
+    principal: [User, Agent, Service],
+    resource: [ExternalAPI, HttpEndpoint, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Code Execution
+// =============================================================================
+
+// Execute code in a sandbox or environment
+// Context: code_language, is_sandboxed, code_size_bytes, has_network_access,
+//          has_filesystem_access, execution_timeout_ms
+action execute_code appliesTo {
+    principal: [User, Agent],
+    resource: [Resource],
+};
+
+// Run tests
+// Context: test_framework, test_count, is_sandboxed, code_language
+action run_tests appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Repository, Resource],
+};
+
+// Run build process
+// Context: build_tool, is_sandboxed, code_language
+action run_build appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Repository, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Git Operations
+// =============================================================================
+
+// General git operation (use for policies that apply to all git actions)
+// Context: git_op, target_branch, source_branch, is_force, is_protected_branch,
+//          changed_files_count, commit_message, remote_url
+action git_operation appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Clone a repository
+// Context: remote_url, is_shallow, depth
+action git_clone appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, Resource],
+};
+
+// Create a commit
+// Context: commit_message, changed_files_count, author, is_amend
+action git_commit appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Push changes to remote
+// Context: target_branch, is_force_push, is_protected_branch, remote_url
+action git_push appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Pull changes from remote
+// Context: source_branch, remote_url, is_rebase
+action git_pull appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Merge branches
+// Context: source_branch, target_branch, is_protected_branch, merge_strategy
+action git_merge appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Checkout branch or commit
+// Context: target_branch, is_new_branch, commit_hash
+action git_checkout appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Reset changes (potentially destructive)
+// Context: reset_mode, target_commit, is_hard_reset
+action git_reset appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Rebase branch
+// Context: source_branch, target_branch, is_interactive
+action git_rebase appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Agent Orchestration
+// =============================================================================
+
+// Delegate task to another agent
+// Context: delegation_depth, parent_agent_id, task_type, is_autonomous
+action delegate_task appliesTo {
+    principal: [Agent, Service],
+    resource: [Resource],
+};
+
+// Spawn a subprocess or child process
+// Context: process_name, is_sandboxed, has_network_access, has_filesystem_access
+action spawn_subprocess appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource],
+};
+
+// Access agent memory or RAG storage
+// Context: memory_type, operation (read, write, delete), is_sensitive
+action access_memory appliesTo {
+    principal: [Agent, Service],
+    resource: [Memory, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Scanner
+// =============================================================================
 
 // Scan a target (MCP server, repository, etc.)
 action scan_target appliesTo {
@@ -217,7 +409,9 @@ action scan_package appliesTo {
     resource: [Package, Resource],
 };
 
-// --- Palisade/ML Actions ---
+// =============================================================================
+// ACTIONS - Palisade/ML
+// =============================================================================
 
 // Scan an ML artifact
 // Context: environment, artifact_format, artifact_signed, severity, finding_type,
@@ -260,13 +454,34 @@ action deploy_model appliesTo {
     resource: [Artifact],
 };
 
+// =============================================================================
+// ACTIONS - Data Loss Prevention (DLP)
+// =============================================================================
+
+// Transfer data (for DLP policies)
+// Context: data_classification, destination_type, transfer_size_bytes,
+//          contains_pii, pii_types, is_encrypted
+action transfer_data appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource],
+};
+
+// Export data (for DLP policies)
+// Context: export_format, data_classification, destination_type, is_encrypted
+action export_data appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource],
+};
+
 // =============================================================================
 // CONTEXT ATTRIBUTES REFERENCE (Documentation Only)
 // =============================================================================
 // Cedar context is dynamic and not enforced by schema, but these are the
 // standard attributes used across Highflame services:
 //
-// GUARDRAILS/CORE:
+// -----------------------------------------------------------------------------
+// GUARDRAILS/CORE
+// -----------------------------------------------------------------------------
 //   tool_name: String           - Name of tool being called
 //   resource_name: String       - Name of resource being accessed
 //   prompt_name: String         - Name of prompt
@@ -283,7 +498,105 @@ action deploy_model appliesTo {
 //   scheme: String              - HTTP scheme
 //   port: Long                  - Port number
 //
-// PALISADE:
+// -----------------------------------------------------------------------------
+// MODEL INVOCATION
+// -----------------------------------------------------------------------------
+//   model_name: String          - Name of the model (e.g., "gpt-4", "claude-3-opus")
+//   model_provider: String      - Provider name (e.g., "openai", "anthropic", "google", "azure", "bedrock")
+//   is_preview_model: Bool      - Whether model is in preview/beta
+//   estimated_tokens: Long      - Estimated input + output tokens
+//   max_tokens: Long            - Maximum tokens allowed for response
+//   temperature: Long           - Temperature setting (scaled by 100, e.g., 70 = 0.7)
+//   top_p: Long                 - Top-p sampling (scaled by 100)
+//   is_streaming: Bool          - Whether response is streamed
+//
+// -----------------------------------------------------------------------------
+// CONTENT FILTERING
+// -----------------------------------------------------------------------------
+//   content_type: String        - Type of content ("text", "code", "image", "audio", "video")
+//   content_category: String    - Category ("general", "adult", "violence", "hate", etc.)
+//   content_score: Long         - Content risk score (0-100)
+//   injection_score: Long       - Prompt injection detection score (0-100)
+//   jailbreak_score: Long       - Jailbreak attempt detection score (0-100)
+//   contains_pii: Bool          - Whether content contains PII
+//   pii_types: Set<String>      - Types of PII detected ("email", "phone", "ssn", "credit_card", etc.)
+//   language: String            - Detected language code (e.g., "en", "es", "zh")
+//   is_harmful: Bool            - Whether content is harmful
+//   harm_categories: Set<String> - Categories of harm ("violence", "hate", "self_harm", "sexual", etc.)
+//   filter_action: String       - Action to take ("inspect", "mask", "redact", "replace", "anonymize", "reject")
+//   csam_detected: Bool         - Whether CSAM was detected
+//   hallucination_score: Long   - Hallucination detection score (0-100)
+//
+// -----------------------------------------------------------------------------
+// RATE LIMITING
+// -----------------------------------------------------------------------------
+//   concurrent_calls: Long      - Current number of concurrent calls
+//   requests_per_minute: Long   - Current requests per minute
+//   tokens_per_minute: Long     - Current tokens per minute
+//   rate_limit_bucket: String   - Rate limit bucket identifier
+//   is_rate_limited: Bool       - Whether rate limit is exceeded
+//
+// -----------------------------------------------------------------------------
+// GIT OPERATIONS
+// -----------------------------------------------------------------------------
+//   git_op: String              - Type of git operation ("clone", "commit", "push", "pull", etc.)
+//   target_branch: String       - Target branch name
+//   source_branch: String       - Source branch name
+//   is_force_push: Bool         - Whether this is a force push
+//   is_protected_branch: Bool   - Whether target is a protected branch
+//   changed_files_count: Long   - Number of files changed
+//   commit_message: String      - Commit message text
+//   remote_url: String          - Remote repository URL
+//   is_shallow: Bool            - Whether clone is shallow
+//   depth: Long                 - Clone depth for shallow clones
+//   is_amend: Bool              - Whether commit is an amend
+//   merge_strategy: String      - Merge strategy ("merge", "rebase", "squash")
+//   is_hard_reset: Bool         - Whether reset is hard (destructive)
+//   reset_mode: String          - Reset mode ("soft", "mixed", "hard")
+//   is_interactive: Bool        - Whether operation is interactive
+//
+// -----------------------------------------------------------------------------
+// CODE EXECUTION
+// -----------------------------------------------------------------------------
+//   code_language: String       - Programming language ("python", "javascript", "go", etc.)
+//   is_sandboxed: Bool          - Whether code runs in a sandbox
+//   code_size_bytes: Long       - Size of code in bytes
+//   has_network_access: Bool    - Whether code has network access
+//   has_filesystem_access: Bool - Whether code has filesystem access
+//   execution_timeout_ms: Long  - Execution timeout in milliseconds
+//   test_framework: String      - Test framework being used
+//   test_count: Long            - Number of tests being run
+//   build_tool: String          - Build tool being used
+//
+// -----------------------------------------------------------------------------
+// AGENT ORCHESTRATION
+// -----------------------------------------------------------------------------
+//   delegation_depth: Long      - Current delegation nesting depth
+//   parent_agent_id: String     - ID of parent agent (if delegated)
+//   task_type: String           - Type of task being performed
+//   is_autonomous: Bool         - Whether agent is operating autonomously
+//   session_id: String          - Agent session identifier
+//   process_name: String        - Name of subprocess being spawned
+//
+// -----------------------------------------------------------------------------
+// MEMORY/RAG
+// -----------------------------------------------------------------------------
+//   memory_type: String         - Type of memory ("short_term", "long_term", "rag", "vector_store")
+//   memory_operation: String    - Operation being performed ("read", "write", "delete", "search")
+//   memory_is_sensitive: Bool   - Whether memory contains sensitive data
+//
+// -----------------------------------------------------------------------------
+// DATA LOSS PREVENTION (DLP)
+// -----------------------------------------------------------------------------
+//   data_classification: String - Classification level ("public", "internal", "confidential", "restricted")
+//   destination_type: String    - Where data is going ("internal", "external", "cloud", "email")
+//   transfer_size_bytes: Long   - Size of data being transferred
+//   is_encrypted: Bool          - Whether data is encrypted
+//   export_format: String       - Format of exported data ("json", "csv", "pdf", etc.)
+//
+// -----------------------------------------------------------------------------
+// PALISADE/ML
+// -----------------------------------------------------------------------------
 //   environment: String                    - "production", "development", "research"
 //   artifact_format: String                - "pickle", "safetensors", "gguf", "onnx"
 //   artifact_signed: Bool                  - Whether artifact has signature
@@ -297,5 +610,6 @@ action deploy_model appliesTo {
 //   gguf_suspicious_metadata: Bool         - Suspicious GGUF metadata
 //   adapter_base_digest_mismatch: Bool     - LoRA adapter digest mismatch
 //   metadata_cosai_level_numeric: Long     - CoSAI maturity level (0-5)
+//
 `;
 //# sourceMappingURL=schema.gen.js.map

package/dist/schema.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.gen.js","sourceRoot":"","sources":["../src/schema.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqS3B,CAAC"}
+{"version":3,"file":"schema.gen.js","sourceRoot":"","sources":["../src/schema.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+lB3B,CAAC"}