@highflame/policy 1.1.3 → 1.2.1

package/src/schema.gen.ts

@@ -32,7 +32,7 @@ entity User {
 
 // AI agent or bot
 entity Agent {
-    // Agent type: "llm", "scanner", "bot"
+    // Agent type: "llm", "scanner", "bot", "coding_assistant"
     agent_type: String,
 };
 
@@ -130,37 +130,90 @@ entity Package {
     version: String,
 };
 
+// Git branch (for branch protection policies)
+entity GitBranch {
+    // Branch name (e.g., "main", "develop", "feature/xyz")
+    branch_name: String,
+    // Whether this is a protected branch
+    is_protected: Bool,
+};
+
+// LLM Model (for model-specific policies)
+entity Model {
+    // Model name (e.g., "gpt-4", "claude-3-opus")
+    model_name: String,
+    // Provider (e.g., "openai", "anthropic", "google")
+    provider: String,
+    // Whether model is in preview/beta
+    is_preview: Bool,
+};
+
+// External API endpoint (for external service calls)
+entity ExternalAPI {
+    // API name or identifier
+    api_name: String,
+    // Base URL or hostname
+    base_url: String,
+    // Whether the API is trusted/verified
+    is_trusted: Bool,
+};
+
+// Agent memory or RAG storage
+entity Memory {
+    // Memory type: "short_term", "long_term", "rag", "vector_store"
+    memory_type: String,
+    // Whether memory contains sensitive data
+    is_sensitive: Bool,
+};
+
 // =============================================================================
-// ACTIONS
+// ACTIONS - LLM/Guardrails
 // =============================================================================
 
-// --- LLM/Guardrails Actions ---
-
 // Process an LLM prompt
 // Context: prompt_text, yara_threats, threat_count, max_threat_severity,
-//          user_type, monitoring_enabled
+//          user_type, monitoring_enabled, injection_score, content_score
 action process_prompt appliesTo {
     principal: [User, Agent],
     resource: [Resource],
 };
 
 // Process an LLM response
-// Context: response_size_mb
+// Context: response_size_mb, contains_pii, pii_types, content_category
 action process_response appliesTo {
     principal: [User, Agent],
     resource: [ResponseData],
 };
 
-// --- MCP/Tool Actions ---
+// Invoke an LLM model
+// Context: model_name, model_provider, is_preview_model, estimated_tokens,
+//          max_tokens, temperature, top_p, is_streaming
+action invoke_model appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Model, Resource],
+};
+
+// Filter content (apply content filtering policies)
+// Context: content_type, content_category, content_score, harm_categories,
+//          language, is_harmful, filter_action
+action filter_content appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource, ResponseData],
+};
+
+// =============================================================================
+// ACTIONS - MCP/Tool
+// =============================================================================
 
 // Call an MCP tool
-// Context: tool_name
+// Context: tool_name, tool_arguments, risk_level
 action call_tool appliesTo {
     principal: [User, Agent, Service],
     resource: [Tool, Resource],
 };
 
 // Connect to an MCP server
+// Context: server_name, server_url, transport_type
 action connect_server appliesTo {
     principal: [User, Agent, Service],
     resource: [Server, Resource],
@@ -179,32 +232,171 @@ action skip_guardrails appliesTo {
     resource: [Resource],
 };
 
-// --- File System Actions ---
+// =============================================================================
+// ACTIONS - File System
+// =============================================================================
 
 // Read a file
-// Context: path
+// Context: path, extension, is_sensitive
 action read_file appliesTo {
     principal: [User, Agent, Scanner],
     resource: [FilePath, Resource],
 };
 
 // Write a file
-// Context: path
+// Context: path, extension, is_sensitive, file_size_bytes
 action write_file appliesTo {
     principal: [User, Agent],
     resource: [FilePath, Resource],
 };
 
-// --- HTTP Actions ---
+// Delete a file
+// Context: path, extension, is_sensitive
+action delete_file appliesTo {
+    principal: [User, Agent],
+    resource: [FilePath, Resource],
+};
+
+// =============================================================================
+// ACTIONS - HTTP/Network
+// =============================================================================
 
 // Make an HTTP request
-// Context: hostname, ip_address, scheme, port
+// Context: hostname, ip_address, scheme, port, method, is_internal
 action http_request appliesTo {
     principal: [User, Agent, Service],
     resource: [HttpEndpoint, Resource],
 };
 
-// --- Scanner Actions ---
+// Call an external API
+// Context: api_name, endpoint_path, method, is_trusted, request_size_bytes
+action call_external_api appliesTo {
+    principal: [User, Agent, Service],
+    resource: [ExternalAPI, HttpEndpoint, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Code Execution
+// =============================================================================
+
+// Execute code in a sandbox or environment
+// Context: code_language, is_sandboxed, code_size_bytes, has_network_access,
+//          has_filesystem_access, execution_timeout_ms
+action execute_code appliesTo {
+    principal: [User, Agent],
+    resource: [Resource],
+};
+
+// Run tests
+// Context: test_framework, test_count, is_sandboxed, code_language
+action run_tests appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Repository, Resource],
+};
+
+// Run build process
+// Context: build_tool, is_sandboxed, code_language
+action run_build appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Repository, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Git Operations
+// =============================================================================
+
+// General git operation (use for policies that apply to all git actions)
+// Context: git_op, target_branch, source_branch, is_force, is_protected_branch,
+//          changed_files_count, commit_message, remote_url
+action git_operation appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Clone a repository
+// Context: remote_url, is_shallow, depth
+action git_clone appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, Resource],
+};
+
+// Create a commit
+// Context: commit_message, changed_files_count, author, is_amend
+action git_commit appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Push changes to remote
+// Context: target_branch, is_force_push, is_protected_branch, remote_url
+action git_push appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Pull changes from remote
+// Context: source_branch, remote_url, is_rebase
+action git_pull appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Merge branches
+// Context: source_branch, target_branch, is_protected_branch, merge_strategy
+action git_merge appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Checkout branch or commit
+// Context: target_branch, is_new_branch, commit_hash
+action git_checkout appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Reset changes (potentially destructive)
+// Context: reset_mode, target_commit, is_hard_reset
+action git_reset appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// Rebase branch
+// Context: source_branch, target_branch, is_interactive
+action git_rebase appliesTo {
+    principal: [User, Agent],
+    resource: [Repository, GitBranch, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Agent Orchestration
+// =============================================================================
+
+// Delegate task to another agent
+// Context: delegation_depth, parent_agent_id, task_type, is_autonomous
+action delegate_task appliesTo {
+    principal: [Agent, Service],
+    resource: [Resource],
+};
+
+// Spawn a subprocess or child process
+// Context: process_name, is_sandboxed, has_network_access, has_filesystem_access
+action spawn_subprocess appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource],
+};
+
+// Access agent memory or RAG storage
+// Context: memory_type, operation (read, write, delete), is_sensitive
+action access_memory appliesTo {
+    principal: [Agent, Service],
+    resource: [Memory, Resource],
+};
+
+// =============================================================================
+// ACTIONS - Scanner
+// =============================================================================
 
 // Scan a target (MCP server, repository, etc.)
 action scan_target appliesTo {
@@ -218,7 +410,9 @@ action scan_package appliesTo {
     resource: [Package, Resource],
 };
 
-// --- Palisade/ML Actions ---
+// =============================================================================
+// ACTIONS - Palisade/ML
+// =============================================================================
 
 // Scan an ML artifact
 // Context: environment, artifact_format, artifact_signed, severity, finding_type,
@@ -261,13 +455,34 @@ action deploy_model appliesTo {
     resource: [Artifact],
 };
 
+// =============================================================================
+// ACTIONS - Data Loss Prevention (DLP)
+// =============================================================================
+
+// Transfer data (for DLP policies)
+// Context: data_classification, destination_type, transfer_size_bytes,
+//          contains_pii, pii_types, is_encrypted
+action transfer_data appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource],
+};
+
+// Export data (for DLP policies)
+// Context: export_format, data_classification, destination_type, is_encrypted
+action export_data appliesTo {
+    principal: [User, Agent, Service],
+    resource: [Resource],
+};
+
 // =============================================================================
 // CONTEXT ATTRIBUTES REFERENCE (Documentation Only)
 // =============================================================================
 // Cedar context is dynamic and not enforced by schema, but these are the
 // standard attributes used across Highflame services:
 //
-// GUARDRAILS/CORE:
+// -----------------------------------------------------------------------------
+// GUARDRAILS/CORE
+// -----------------------------------------------------------------------------
 //   tool_name: String           - Name of tool being called
 //   resource_name: String       - Name of resource being accessed
 //   prompt_name: String         - Name of prompt
@@ -284,7 +499,105 @@ action deploy_model appliesTo {
 //   scheme: String              - HTTP scheme
 //   port: Long                  - Port number
 //
-// PALISADE:
+// -----------------------------------------------------------------------------
+// MODEL INVOCATION
+// -----------------------------------------------------------------------------
+//   model_name: String          - Name of the model (e.g., "gpt-4", "claude-3-opus")
+//   model_provider: String      - Provider name (e.g., "openai", "anthropic", "google", "azure", "bedrock")
+//   is_preview_model: Bool      - Whether model is in preview/beta
+//   estimated_tokens: Long      - Estimated input + output tokens
+//   max_tokens: Long            - Maximum tokens allowed for response
+//   temperature: Long           - Temperature setting (scaled by 100, e.g., 70 = 0.7)
+//   top_p: Long                 - Top-p sampling (scaled by 100)
+//   is_streaming: Bool          - Whether response is streamed
+//
+// -----------------------------------------------------------------------------
+// CONTENT FILTERING
+// -----------------------------------------------------------------------------
+//   content_type: String        - Type of content ("text", "code", "image", "audio", "video")
+//   content_category: String    - Category ("general", "adult", "violence", "hate", etc.)
+//   content_score: Long         - Content risk score (0-100)
+//   injection_score: Long       - Prompt injection detection score (0-100)
+//   jailbreak_score: Long       - Jailbreak attempt detection score (0-100)
+//   contains_pii: Bool          - Whether content contains PII
+//   pii_types: Set<String>      - Types of PII detected ("email", "phone", "ssn", "credit_card", etc.)
+//   language: String            - Detected language code (e.g., "en", "es", "zh")
+//   is_harmful: Bool            - Whether content is harmful
+//   harm_categories: Set<String> - Categories of harm ("violence", "hate", "self_harm", "sexual", etc.)
+//   filter_action: String       - Action to take ("inspect", "mask", "redact", "replace", "anonymize", "reject")
+//   csam_detected: Bool         - Whether CSAM was detected
+//   hallucination_score: Long   - Hallucination detection score (0-100)
+//
+// -----------------------------------------------------------------------------
+// RATE LIMITING
+// -----------------------------------------------------------------------------
+//   concurrent_calls: Long      - Current number of concurrent calls
+//   requests_per_minute: Long   - Current requests per minute
+//   tokens_per_minute: Long     - Current tokens per minute
+//   rate_limit_bucket: String   - Rate limit bucket identifier
+//   is_rate_limited: Bool       - Whether rate limit is exceeded
+//
+// -----------------------------------------------------------------------------
+// GIT OPERATIONS
+// -----------------------------------------------------------------------------
+//   git_op: String              - Type of git operation ("clone", "commit", "push", "pull", etc.)
+//   target_branch: String       - Target branch name
+//   source_branch: String       - Source branch name
+//   is_force_push: Bool         - Whether this is a force push
+//   is_protected_branch: Bool   - Whether target is a protected branch
+//   changed_files_count: Long   - Number of files changed
+//   commit_message: String      - Commit message text
+//   remote_url: String          - Remote repository URL
+//   is_shallow: Bool            - Whether clone is shallow
+//   depth: Long                 - Clone depth for shallow clones
+//   is_amend: Bool              - Whether commit is an amend
+//   merge_strategy: String      - Merge strategy ("merge", "rebase", "squash")
+//   is_hard_reset: Bool         - Whether reset is hard (destructive)
+//   reset_mode: String          - Reset mode ("soft", "mixed", "hard")
+//   is_interactive: Bool        - Whether operation is interactive
+//
+// -----------------------------------------------------------------------------
+// CODE EXECUTION
+// -----------------------------------------------------------------------------
+//   code_language: String       - Programming language ("python", "javascript", "go", etc.)
+//   is_sandboxed: Bool          - Whether code runs in a sandbox
+//   code_size_bytes: Long       - Size of code in bytes
+//   has_network_access: Bool    - Whether code has network access
+//   has_filesystem_access: Bool - Whether code has filesystem access
+//   execution_timeout_ms: Long  - Execution timeout in milliseconds
+//   test_framework: String      - Test framework being used
+//   test_count: Long            - Number of tests being run
+//   build_tool: String          - Build tool being used
+//
+// -----------------------------------------------------------------------------
+// AGENT ORCHESTRATION
+// -----------------------------------------------------------------------------
+//   delegation_depth: Long      - Current delegation nesting depth
+//   parent_agent_id: String     - ID of parent agent (if delegated)
+//   task_type: String           - Type of task being performed
+//   is_autonomous: Bool         - Whether agent is operating autonomously
+//   session_id: String          - Agent session identifier
+//   process_name: String        - Name of subprocess being spawned
+//
+// -----------------------------------------------------------------------------
+// MEMORY/RAG
+// -----------------------------------------------------------------------------
+//   memory_type: String         - Type of memory ("short_term", "long_term", "rag", "vector_store")
+//   memory_operation: String    - Operation being performed ("read", "write", "delete", "search")
+//   memory_is_sensitive: Bool   - Whether memory contains sensitive data
+//
+// -----------------------------------------------------------------------------
+// DATA LOSS PREVENTION (DLP)
+// -----------------------------------------------------------------------------
+//   data_classification: String - Classification level ("public", "internal", "confidential", "restricted")
+//   destination_type: String    - Where data is going ("internal", "external", "cloud", "email")
+//   transfer_size_bytes: Long   - Size of data being transferred
+//   is_encrypted: Bool          - Whether data is encrypted
+//   export_format: String       - Format of exported data ("json", "csv", "pdf", etc.)
+//
+// -----------------------------------------------------------------------------
+// PALISADE/ML
+// -----------------------------------------------------------------------------
 //   environment: String                    - "production", "development", "research"
 //   artifact_format: String                - "pickle", "safetensors", "gguf", "onnx"
 //   artifact_signed: Bool                  - Whether artifact has signature
@@ -298,4 +611,5 @@ action deploy_model appliesTo {
 //   gguf_suspicious_metadata: Bool         - Suspicious GGUF metadata
 //   adapter_base_digest_mismatch: Bool     - LoRA adapter digest mismatch
 //   metadata_cosai_level_numeric: Long     - CoSAI maturity level (0-5)
+//
 `;

package/src/types.ts

@@ -13,3 +13,6 @@ export * from './schema.gen.js';
 
 // PolicyBuilder - works in browser (no WASM dependency)
 export * from './builder.js';
+
+// Error types - works in browser (no WASM dependency)
+export * from './errors.js';