@highflame/policy 1.2.0 → 2.0.0

package/dist/schema.gen.js

@@ -4,612 +4,131 @@
  * Embedded Cedar schema for policy validation.
  * This is the Highflame Cedar schema used across all services.
  */
-export const CEDAR_SCHEMA = `// Highflame Cedar Schema
-// ======================
-// This is the SOURCE OF TRUTH for all entity types, actions, and their relationships
-// across the Highflame platform.
+export const CEDAR_SCHEMA = `// Highflame Cedar Schema - Entity and Action Definitions
+// =======================================================
+// This file defines all entity types and actions used across Highflame services.
+// Used for code generation (EntityType and ActionType constants).
 //
-// All services (authz, Core, Guardian, Palisade) MUST use the types defined here.
-// The codegen tool parses this file and generates typed constants for Go, TypeScript,
-// and Python to ensure consistency.
-//
-// Usage:
-//   - Policies are validated against this schema when created/updated
-//   - Generated types prevent typos in application code
-//   - Cedar CLI can validate: cedar validate --schema highflame.cedarschema --policies policy.cedar
+// For policy validation, use service-specific schemas:
+// - schemas/overwatch/schema.cedarschema (Guardian IDE security)
+// - schemas/palisade/schema.cedarschema (ML supply chain security)
+
+namespace Highflame {
 
 // =============================================================================
-// PRINCIPAL TYPES (Who is making the request)
+// ENTITIES
 // =============================================================================
 
-// Human user or service account making requests
-// Well-known IDs: "mcp_client", "threat_processor"
 entity User {
-    // User type: "external", "internal"
     user_type: String,
 };
 
-// AI agent or bot
 entity Agent {
-    // Agent type: "llm", "scanner", "bot", "coding_assistant"
     agent_type: String,
 };
 
-// Security scanner service
-// Well-known IDs: "ramparts", "palisade"
 entity Scanner {
-    // Scanner type: "ramparts", "palisade"
     scanner_type: String,
-    // Scanner version
-    version: String,
 };
 
-// Backend service account
 entity Service {
-    // Service name
-    service_name: String,
-    // Environment: "production", "staging", "development"
-    environment: String,
+    service_type: String,
 };
 
-// =============================================================================
-// RESOURCE TYPES (What is being accessed)
-// =============================================================================
-
-// Generic resource
-// Well-known IDs: "threat_analysis", "tools/list", "tools/call", "resources/list",
-//                 "resources/read", "prompts/list", "unknown"
 entity Resource {};
 
-// LLM response data
-// Well-known IDs: "response_data"
+entity LlmPrompt {
+    prompt_type: String,
+};
+
 entity ResponseData {};
 
-// MCP tool that can be called
 entity Tool {
-    // Tool name
     tool_name: String,
-    // Risk level: "safe", "moderate", "dangerous"
-    risk_level: String,
-    // Category: "file", "network", "shell", "api"
-    category: String,
 };
 
-// File system path
 entity FilePath {
-    // Full path
     path: String,
-    // File extension
-    extension: String,
-    // Whether file is sensitive (.env, credentials, etc.)
-    is_sensitive: Bool,
 };
 
-// HTTP endpoint
 entity HttpEndpoint {
-    // Hostname
     hostname: String,
-    // Scheme: "http", "https"
-    scheme: String,
-    // Port number
-    port: Long,
-    // Whether endpoint is internal
-    is_internal: Bool,
 };
 
-// MCP Server
 entity Server {
-    // Server name
     server_name: String,
 };
 
-// ML model artifact (for Palisade)
 entity Artifact {
-    // Format: "safetensors", "pickle", "gguf", "onnx"
-    artifact_type: String,
-    // Source URL or path
-    source: String,
-    // SHA256 hash
-    hash: String,
-    // Whether artifact is signed
-    is_signed: Bool,
+    artifact_format: String,
 };
 
-// Code repository
 entity Repository {
-    // Repository URL
-    url: String,
+    repo_url: String,
 };
 
-// Software package
 entity Package {
-    // Package name
-    name: String,
-    // Package version
-    version: String,
+    package_name: String,
 };
 
-// Git branch (for branch protection policies)
 entity GitBranch {
-    // Branch name (e.g., "main", "develop", "feature/xyz")
     branch_name: String,
-    // Whether this is a protected branch
-    is_protected: Bool,
 };
 
-// LLM Model (for model-specific policies)
 entity Model {
-    // Model name (e.g., "gpt-4", "claude-3-opus")
     model_name: String,
-    // Provider (e.g., "openai", "anthropic", "google")
-    provider: String,
-    // Whether model is in preview/beta
-    is_preview: Bool,
 };
 
-// External API endpoint (for external service calls)
 entity ExternalAPI {
-    // API name or identifier
     api_name: String,
-    // Base URL or hostname
-    base_url: String,
-    // Whether the API is trusted/verified
-    is_trusted: Bool,
 };
 
-// Agent memory or RAG storage
 entity Memory {
-    // Memory type: "short_term", "long_term", "rag", "vector_store"
     memory_type: String,
-    // Whether memory contains sensitive data
-    is_sensitive: Bool,
-};
-
-// =============================================================================
-// ACTIONS - LLM/Guardrails
-// =============================================================================
-
-// Process an LLM prompt
-// Context: prompt_text, yara_threats, threat_count, max_threat_severity,
-//          user_type, monitoring_enabled, injection_score, content_score
-action process_prompt appliesTo {
-    principal: [User, Agent],
-    resource: [Resource],
-};
-
-// Process an LLM response
-// Context: response_size_mb, contains_pii, pii_types, content_category
-action process_response appliesTo {
-    principal: [User, Agent],
-    resource: [ResponseData],
-};
-
-// Invoke an LLM model
-// Context: model_name, model_provider, is_preview_model, estimated_tokens,
-//          max_tokens, temperature, top_p, is_streaming
-action invoke_model appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Model, Resource],
 };
 
-// Filter content (apply content filtering policies)
-// Context: content_type, content_category, content_score, harm_categories,
-//          language, is_harmful, filter_action
-action filter_content appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Resource, ResponseData],
-};
-
-// =============================================================================
-// ACTIONS - MCP/Tool
-// =============================================================================
-
-// Call an MCP tool
-// Context: tool_name, tool_arguments, risk_level
-action call_tool appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Tool, Resource],
-};
-
-// Connect to an MCP server
-// Context: server_name, server_url, transport_type
-action connect_server appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Server, Resource],
-};
-
-// Access a server-specific resource
-// Context: tool_name, resource_name, prompt_name
-action access_server_resource appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Resource],
-};
-
-// Skip guardrails for an operation
-action skip_guardrails appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Resource],
-};
-
-// =============================================================================
-// ACTIONS - File System
 // =============================================================================
-
-// Read a file
-// Context: path, extension, is_sensitive
-action read_file appliesTo {
-    principal: [User, Agent, Scanner],
-    resource: [FilePath, Resource],
-};
-
-// Write a file
-// Context: path, extension, is_sensitive, file_size_bytes
-action write_file appliesTo {
-    principal: [User, Agent],
-    resource: [FilePath, Resource],
-};
-
-// Delete a file
-// Context: path, extension, is_sensitive
-action delete_file appliesTo {
-    principal: [User, Agent],
-    resource: [FilePath, Resource],
-};
-
-// =============================================================================
-// ACTIONS - HTTP/Network
-// =============================================================================
-
-// Make an HTTP request
-// Context: hostname, ip_address, scheme, port, method, is_internal
-action http_request appliesTo {
-    principal: [User, Agent, Service],
-    resource: [HttpEndpoint, Resource],
-};
-
-// Call an external API
-// Context: api_name, endpoint_path, method, is_trusted, request_size_bytes
-action call_external_api appliesTo {
-    principal: [User, Agent, Service],
-    resource: [ExternalAPI, HttpEndpoint, Resource],
-};
-
-// =============================================================================
-// ACTIONS - Code Execution
-// =============================================================================
-
-// Execute code in a sandbox or environment
-// Context: code_language, is_sandboxed, code_size_bytes, has_network_access,
-//          has_filesystem_access, execution_timeout_ms
-action execute_code appliesTo {
-    principal: [User, Agent],
-    resource: [Resource],
-};
-
-// Run tests
-// Context: test_framework, test_count, is_sandboxed, code_language
-action run_tests appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Repository, Resource],
-};
-
-// Run build process
-// Context: build_tool, is_sandboxed, code_language
-action run_build appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Repository, Resource],
-};
-
-// =============================================================================
-// ACTIONS - Git Operations
-// =============================================================================
-
-// General git operation (use for policies that apply to all git actions)
-// Context: git_op, target_branch, source_branch, is_force, is_protected_branch,
-//          changed_files_count, commit_message, remote_url
-action git_operation appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Clone a repository
-// Context: remote_url, is_shallow, depth
-action git_clone appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, Resource],
-};
-
-// Create a commit
-// Context: commit_message, changed_files_count, author, is_amend
-action git_commit appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Push changes to remote
-// Context: target_branch, is_force_push, is_protected_branch, remote_url
-action git_push appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Pull changes from remote
-// Context: source_branch, remote_url, is_rebase
-action git_pull appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Merge branches
-// Context: source_branch, target_branch, is_protected_branch, merge_strategy
-action git_merge appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Checkout branch or commit
-// Context: target_branch, is_new_branch, commit_hash
-action git_checkout appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Reset changes (potentially destructive)
-// Context: reset_mode, target_commit, is_hard_reset
-action git_reset appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// Rebase branch
-// Context: source_branch, target_branch, is_interactive
-action git_rebase appliesTo {
-    principal: [User, Agent],
-    resource: [Repository, GitBranch, Resource],
-};
-
-// =============================================================================
-// ACTIONS - Agent Orchestration
-// =============================================================================
-
-// Delegate task to another agent
-// Context: delegation_depth, parent_agent_id, task_type, is_autonomous
-action delegate_task appliesTo {
-    principal: [Agent, Service],
-    resource: [Resource],
-};
-
-// Spawn a subprocess or child process
-// Context: process_name, is_sandboxed, has_network_access, has_filesystem_access
-action spawn_subprocess appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Resource],
-};
-
-// Access agent memory or RAG storage
-// Context: memory_type, operation (read, write, delete), is_sensitive
-action access_memory appliesTo {
-    principal: [Agent, Service],
-    resource: [Memory, Resource],
-};
-
-// =============================================================================
-// ACTIONS - Scanner
-// =============================================================================
-
-// Scan a target (MCP server, repository, etc.)
-action scan_target appliesTo {
-    principal: [Scanner, Service],
-    resource: [Resource, Repository, Server],
-};
-
-// Scan a software package
-action scan_package appliesTo {
-    principal: [Scanner, Service],
-    resource: [Package, Resource],
-};
-
-// =============================================================================
-// ACTIONS - Palisade/ML
-// =============================================================================
-
-// Scan an ML artifact
-// Context: environment, artifact_format, artifact_signed, severity, finding_type,
-//          provenance_signer, pickle_exec_path_detected, metadata_malicious_pattern,
-//          tokenizer_added_tokens_count, safetensors_integrity_violation,
-//          gguf_suspicious_metadata, adapter_base_digest_mismatch,
-//          metadata_cosai_level_numeric
-action scan_artifact appliesTo {
-    principal: [Scanner, Service],
-    resource: [Artifact, Resource],
-};
-
-// Validate artifact integrity
-action validate_integrity appliesTo {
-    principal: [Scanner, Service],
-    resource: [Artifact],
-};
-
-// Validate artifact provenance
-action validate_provenance appliesTo {
-    principal: [Scanner, Service],
-    resource: [Artifact],
-};
-
-// Quarantine an artifact
-action quarantine_artifact appliesTo {
-    principal: [Scanner, Service],
-    resource: [Artifact],
-};
-
-// Load an ML model
-action load_model appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Artifact],
-};
-
-// Deploy an ML model
-action deploy_model appliesTo {
-    principal: [User, Service],
-    resource: [Artifact],
-};
-
-// =============================================================================
-// ACTIONS - Data Loss Prevention (DLP)
-// =============================================================================
-
-// Transfer data (for DLP policies)
-// Context: data_classification, destination_type, transfer_size_bytes,
-//          contains_pii, pii_types, is_encrypted
-action transfer_data appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Resource],
-};
-
-// Export data (for DLP policies)
-// Context: export_format, data_classification, destination_type, is_encrypted
-action export_data appliesTo {
-    principal: [User, Agent, Service],
-    resource: [Resource],
-};
-
-// =============================================================================
-// CONTEXT ATTRIBUTES REFERENCE (Documentation Only)
-// =============================================================================
-// Cedar context is dynamic and not enforced by schema, but these are the
-// standard attributes used across Highflame services:
-//
-// -----------------------------------------------------------------------------
-// GUARDRAILS/CORE
-// -----------------------------------------------------------------------------
-//   tool_name: String           - Name of tool being called
-//   resource_name: String       - Name of resource being accessed
-//   prompt_name: String         - Name of prompt
-//   prompt_text: String         - Raw prompt text (for injection detection)
-//   response_size_mb: Long      - Response size in megabytes
-//   yara_threats: Set<String>   - Set of detected YARA threat names
-//   threat_count: Long          - Number of threats detected
-//   max_threat_severity: Long   - Highest severity (0=INFO, 4=CRITICAL)
-//   user_type: String           - "external" or "internal"
-//   monitoring_enabled: Bool    - Whether monitoring is active
-//   path: String                - File path
-//   hostname: String            - HTTP hostname
-//   ip_address: String          - IP address (for SSRF detection)
-//   scheme: String              - HTTP scheme
-//   port: Long                  - Port number
-//
-// -----------------------------------------------------------------------------
-// MODEL INVOCATION
-// -----------------------------------------------------------------------------
-//   model_name: String          - Name of the model (e.g., "gpt-4", "claude-3-opus")
-//   model_provider: String      - Provider name (e.g., "openai", "anthropic", "google", "azure", "bedrock")
-//   is_preview_model: Bool      - Whether model is in preview/beta
-//   estimated_tokens: Long      - Estimated input + output tokens
-//   max_tokens: Long            - Maximum tokens allowed for response
-//   temperature: Long           - Temperature setting (scaled by 100, e.g., 70 = 0.7)
-//   top_p: Long                 - Top-p sampling (scaled by 100)
-//   is_streaming: Bool          - Whether response is streamed
-//
-// -----------------------------------------------------------------------------
-// CONTENT FILTERING
-// -----------------------------------------------------------------------------
-//   content_type: String        - Type of content ("text", "code", "image", "audio", "video")
-//   content_category: String    - Category ("general", "adult", "violence", "hate", etc.)
-//   content_score: Long         - Content risk score (0-100)
-//   injection_score: Long       - Prompt injection detection score (0-100)
-//   jailbreak_score: Long       - Jailbreak attempt detection score (0-100)
-//   contains_pii: Bool          - Whether content contains PII
-//   pii_types: Set<String>      - Types of PII detected ("email", "phone", "ssn", "credit_card", etc.)
-//   language: String            - Detected language code (e.g., "en", "es", "zh")
-//   is_harmful: Bool            - Whether content is harmful
-//   harm_categories: Set<String> - Categories of harm ("violence", "hate", "self_harm", "sexual", etc.)
-//   filter_action: String       - Action to take ("inspect", "mask", "redact", "replace", "anonymize", "reject")
-//   csam_detected: Bool         - Whether CSAM was detected
-//   hallucination_score: Long   - Hallucination detection score (0-100)
-//
-// -----------------------------------------------------------------------------
-// RATE LIMITING
-// -----------------------------------------------------------------------------
-//   concurrent_calls: Long      - Current number of concurrent calls
-//   requests_per_minute: Long   - Current requests per minute
-//   tokens_per_minute: Long     - Current tokens per minute
-//   rate_limit_bucket: String   - Rate limit bucket identifier
-//   is_rate_limited: Bool       - Whether rate limit is exceeded
-//
-// -----------------------------------------------------------------------------
-// GIT OPERATIONS
-// -----------------------------------------------------------------------------
-//   git_op: String              - Type of git operation ("clone", "commit", "push", "pull", etc.)
-//   target_branch: String       - Target branch name
-//   source_branch: String       - Source branch name
-//   is_force_push: Bool         - Whether this is a force push
-//   is_protected_branch: Bool   - Whether target is a protected branch
-//   changed_files_count: Long   - Number of files changed
-//   commit_message: String      - Commit message text
-//   remote_url: String          - Remote repository URL
-//   is_shallow: Bool            - Whether clone is shallow
-//   depth: Long                 - Clone depth for shallow clones
-//   is_amend: Bool              - Whether commit is an amend
-//   merge_strategy: String      - Merge strategy ("merge", "rebase", "squash")
-//   is_hard_reset: Bool         - Whether reset is hard (destructive)
-//   reset_mode: String          - Reset mode ("soft", "mixed", "hard")
-//   is_interactive: Bool        - Whether operation is interactive
-//
-// -----------------------------------------------------------------------------
-// CODE EXECUTION
-// -----------------------------------------------------------------------------
-//   code_language: String       - Programming language ("python", "javascript", "go", etc.)
-//   is_sandboxed: Bool          - Whether code runs in a sandbox
-//   code_size_bytes: Long       - Size of code in bytes
-//   has_network_access: Bool    - Whether code has network access
-//   has_filesystem_access: Bool - Whether code has filesystem access
-//   execution_timeout_ms: Long  - Execution timeout in milliseconds
-//   test_framework: String      - Test framework being used
-//   test_count: Long            - Number of tests being run
-//   build_tool: String          - Build tool being used
-//
-// -----------------------------------------------------------------------------
-// AGENT ORCHESTRATION
-// -----------------------------------------------------------------------------
-//   delegation_depth: Long      - Current delegation nesting depth
-//   parent_agent_id: String     - ID of parent agent (if delegated)
-//   task_type: String           - Type of task being performed
-//   is_autonomous: Bool         - Whether agent is operating autonomously
-//   session_id: String          - Agent session identifier
-//   process_name: String        - Name of subprocess being spawned
-//
-// -----------------------------------------------------------------------------
-// MEMORY/RAG
-// -----------------------------------------------------------------------------
-//   memory_type: String         - Type of memory ("short_term", "long_term", "rag", "vector_store")
-//   memory_operation: String    - Operation being performed ("read", "write", "delete", "search")
-//   memory_is_sensitive: Bool   - Whether memory contains sensitive data
-//
-// -----------------------------------------------------------------------------
-// DATA LOSS PREVENTION (DLP)
-// -----------------------------------------------------------------------------
-//   data_classification: String - Classification level ("public", "internal", "confidential", "restricted")
-//   destination_type: String    - Where data is going ("internal", "external", "cloud", "email")
-//   transfer_size_bytes: Long   - Size of data being transferred
-//   is_encrypted: Bool          - Whether data is encrypted
-//   export_format: String       - Format of exported data ("json", "csv", "pdf", etc.)
-//
-// -----------------------------------------------------------------------------
-// PALISADE/ML
-// -----------------------------------------------------------------------------
-//   environment: String                    - "production", "development", "research"
-//   artifact_format: String                - "pickle", "safetensors", "gguf", "onnx"
-//   artifact_signed: Bool                  - Whether artifact has signature
-//   severity: String                       - "CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"
-//   finding_type: String                   - Type of security finding
-//   provenance_signer: String              - Who signed ("unknown", "unsigned", or name)
-//   pickle_exec_path_detected: Bool        - RCE path found in pickle
-//   metadata_malicious_pattern: Bool       - Malicious pattern in metadata
-//   tokenizer_added_tokens_count: Long     - Number of added tokens
-//   safetensors_integrity_violation: Bool  - Safetensors integrity failed
-//   gguf_suspicious_metadata: Bool         - Suspicious GGUF metadata
-//   adapter_base_digest_mismatch: Bool     - LoRA adapter digest mismatch
-//   metadata_cosai_level_numeric: Long     - CoSAI maturity level (0-5)
-//
+// ACTIONS
+// =============================================================================
+
+action process_prompt;
+action process_response;
+action invoke_model;
+action filter_content;
+action call_tool;
+action connect_server;
+action access_server_resource;
+action skip_guardrails;
+action read_file;
+action write_file;
+action delete_file;
+action http_request;
+action call_external_api;
+action execute_code;
+action run_tests;
+action run_build;
+action git_operation;
+action git_clone;
+action git_commit;
+action git_push;
+action git_pull;
+action git_merge;
+action git_checkout;
+action git_reset;
+action git_rebase;
+action delegate_task;
+action spawn_subprocess;
+action access_memory;
+action scan_target;
+action scan_package;
+action scan_artifact;
+action validate_integrity;
+action validate_provenance;
+action quarantine_artifact;
+action load_model;
+action deploy_model;
+action transfer_data;
+action export_data;
+}
 `;
 //# sourceMappingURL=schema.gen.js.map

package/dist/schema.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.gen.js","sourceRoot":"","sources":["../src/schema.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+lB3B,CAAC"}
+{"version":3,"file":"schema.gen.js","sourceRoot":"","sources":["../src/schema.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8H3B,CAAC"}