@highflame/policy 1.2.1 → 2.0.0

package/_schemas/overwatch/schema.cedarschema

@@ -0,0 +1,184 @@
+// Overwatch (Guardian) Cedar Schema
+// ===================================
+// IDE Security & Policy Enforcement
+//
+// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating
+// threats detected by YARA and Javelin scanners against Cedar policies.
+//
+// Architecture:
+//   User/Agent → IDE Hook → YARA/Javelin → Cedar Policy → Allow/Deny
+//
+// Supported IDEs:
+//   - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)
+//   - Claude Code (UserPromptSubmit, PreToolUse)
+//   - GitHub Copilot (userPromptSubmitted, preToolUse)
+
+namespace Overwatch {
+
+// =============================================================================
+// ENTITIES
+// =============================================================================
+
+// Human user or service account making requests to the IDE
+entity User {
+  user_type: String,      // "external" or "internal"
+  email: String,          // User email (optional)
+};
+
+// AI agent (Claude, GitHub Copilot, etc.)
+entity Agent {
+  agent_type: String,      // "claude", "copilot", etc.
+};
+
+// LLM prompt or session
+entity LlmPrompt {
+  prompt_type: String,     // "user_prompt", "session"
+};
+
+// MCP tool or native IDE tool
+entity Tool {
+  tool_name: String,       // "shell", "read_file", "playwright", etc.
+  risk_level: String,      // "low", "medium", "high"
+};
+
+// MCP server
+entity Server {
+  server_name: String,     // "filesystem", "playwright", etc.
+};
+
+// File system path
+entity FilePath {
+  path: String,
+  is_within_workspace: Bool,
+};
+
+// =============================================================================
+// ACTIONS
+// =============================================================================
+
+// User submits a prompt or receives AI response
+action process_prompt appliesTo {
+  principal: [User, Agent],
+  resource: [LlmPrompt],
+  context: {
+    // Event & Source
+    content: String,                // Raw content being scanned
+    source: String,                 // IDE source: "cursor", "claudecode", "github_copilot"
+    event: String,                  // Hook event name
+    user_email: String,             // User identifier
+
+    // Workspace
+    cwd: String,                   // Current working directory
+    workspace_root: String,        // Workspace/repository root
+
+    // Threat Detection
+    threat_count: Long,             // Total threats detected
+    highest_severity: String,       // "critical", "high", "medium", "low"
+    threat_categories: Set<String>, // Threat category names
+    threat_types: Set<String>,      // YARA threat categories
+    yara_threats: Set<String>,      // YARA rule names
+    max_threat_severity: Long,      // Numeric severity (0-4)
+    contains_secrets: Bool,         // Whether secrets detected
+    prompt_text: String,           // Same as content (legacy)
+    response_content: String,      // Response content (if available)
+  },
+};
+
+// User calls a tool (native IDE tool or MCP tool)
+action call_tool appliesTo {
+  principal: [User, Agent],
+  resource: [Tool, FilePath],
+  context: {
+    // Event & Source
+    content: String,                // Raw content being scanned (e.g., shell command)
+    source: String,                 // IDE source
+    event: String,                  // Hook event name
+    user_email: String,             // User identifier
+
+    // Tool & MCP
+    tool_name: String,             // Normalized tool name ("shell", "read_file", etc.)
+    mcp_server: String,            // MCP server name
+    mcp_tool: String,              // MCP tool name
+    server_name: String,           // Alias for mcp_server
+
+    // File & Path
+    path: String,                  // File path (if file operation)
+    file_path: String,             // Duplicate of path field
+
+    // Workspace
+    cwd: String,
+    workspace_root: String,
+
+    // Threat Detection
+    threat_count: Long,
+    highest_severity: String,
+    threat_categories: Set<String>,
+    threat_types: Set<String>,
+    yara_threats: Set<String>,
+    max_threat_severity: Long,
+    contains_secrets: Bool,
+    response_content: String,
+  },
+};
+
+// Connect to an MCP server
+action connect_server appliesTo {
+  principal: [User, Agent],
+  resource: [Server],
+  context: {
+    content: String,
+    source: String,
+    event: String,
+    user_email: String,
+    mcp_server: String,
+    server_name: String,
+    threat_count: Long,
+    highest_severity: String,
+    threat_categories: Set<String>,
+    max_threat_severity: Long,
+  },
+};
+
+// Read a file from disk
+action read_file appliesTo {
+  principal: [User, Agent],
+  resource: [FilePath],
+  context: {
+    content: String,
+    source: String,
+    event: String,
+    user_email: String,
+    path: String,
+    file_path: String,
+    cwd: String,
+    workspace_root: String,
+    threat_count: Long,
+    highest_severity: String,
+    threat_categories: Set<String>,
+    max_threat_severity: Long,
+    contains_secrets: Bool,
+  },
+};
+
+// Write a file to disk
+action write_file appliesTo {
+  principal: [User, Agent],
+  resource: [FilePath],
+  context: {
+    content: String,
+    source: String,
+    event: String,
+    user_email: String,
+    path: String,
+    file_path: String,
+    cwd: String,
+    workspace_root: String,
+    threat_count: Long,
+    highest_severity: String,
+    threat_categories: Set<String>,
+    max_threat_severity: Long,
+    contains_secrets: Bool,
+  },
+};
+
+}

package/_schemas/palisade/context.json

@@ -0,0 +1,325 @@
+{
+  "service": "palisade",
+  "version": "1.0.0",
+  "description": "Palisade ML supply chain security & artifact scanning",
+  "actions": [
+    {
+      "name": "scan_artifact",
+      "description": "Scan an ML artifact for security issues",
+      "context_attributes": [
+        {
+          "key": "finding_type",
+          "type": "string",
+          "required": true,
+          "description": "Type of security finding (e.g., backdoor_detected, safetensors_integrity_violation)"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": true,
+          "description": "Severity level: CRITICAL, HIGH, MEDIUM, LOW, INFO"
+        },
+        {
+          "key": "environment",
+          "type": "string",
+          "required": true,
+          "description": "Deployment environment: production, strict_production, development, permissive_development, research"
+        },
+        {
+          "key": "artifact_format",
+          "type": "string",
+          "required": true,
+          "description": "Model format: safetensors, gguf, pickle, pytorch, onnx"
+        },
+        {
+          "key": "path",
+          "type": "string",
+          "required": true,
+          "description": "File path to the ML artifact"
+        },
+        {
+          "key": "artifact_signed",
+          "type": "boolean",
+          "required": true,
+          "description": "Whether the artifact is digitally signed"
+        },
+        {
+          "key": "provenance_signer",
+          "type": "string",
+          "required": true,
+          "description": "Who signed the artifact: unknown, unsigned, or signer name"
+        },
+        {
+          "key": "pickle_exec_path_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Pickle RCE execution path detected (CRITICAL security issue)"
+        },
+        {
+          "key": "tokenizer_added_tokens_count",
+          "type": "number",
+          "required": false,
+          "description": "Number of added tokens in tokenizer (0-5000+, high count suspicious)"
+        },
+        {
+          "key": "adapter_base_digest_mismatch",
+          "type": "boolean",
+          "required": false,
+          "description": "LoRA adapter base model digest mismatch (integrity issue)"
+        },
+        {
+          "key": "gguf_suspicious_metadata",
+          "type": "boolean",
+          "required": false,
+          "description": "GGUF metadata contains suspicious patterns"
+        },
+        {
+          "key": "safetensors_integrity_violation",
+          "type": "boolean",
+          "required": false,
+          "description": "SafeTensors file integrity violated or corrupted"
+        },
+        {
+          "key": "metadata_malicious_pattern",
+          "type": "boolean",
+          "required": false,
+          "description": "Metadata contains malicious patterns"
+        },
+        {
+          "key": "metadata_cosai_level_numeric",
+          "type": "number",
+          "required": false,
+          "description": "CoSAI maturity level (0-5, where higher = more trustworthy)"
+        },
+        {
+          "key": "match_count",
+          "type": "number",
+          "required": false,
+          "description": "Number of behavioral backdoor indicator matches (for confidence scoring)"
+        }
+      ]
+    },
+    {
+      "name": "validate_integrity",
+      "description": "Validate artifact integrity (checksum, signature)",
+      "context_attributes": [
+        {
+          "key": "artifact_format",
+          "type": "string",
+          "required": true,
+          "description": "Model format"
+        },
+        {
+          "key": "path",
+          "type": "string",
+          "required": true,
+          "description": "File path"
+        },
+        {
+          "key": "artifact_signed",
+          "type": "boolean",
+          "required": true,
+          "description": "Whether digitally signed"
+        },
+        {
+          "key": "provenance_signer",
+          "type": "string",
+          "required": true,
+          "description": "Signer name"
+        },
+        {
+          "key": "safetensors_integrity_violation",
+          "type": "boolean",
+          "required": false,
+          "description": "SafeTensors integrity check result"
+        },
+        {
+          "key": "finding_type",
+          "type": "string",
+          "required": false,
+          "description": "Type of integrity finding"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": false,
+          "description": "Severity of integrity issue"
+        }
+      ]
+    },
+    {
+      "name": "validate_provenance",
+      "description": "Validate artifact provenance (signer, origin)",
+      "context_attributes": [
+        {
+          "key": "artifact_format",
+          "type": "string",
+          "required": true,
+          "description": "Model format"
+        },
+        {
+          "key": "path",
+          "type": "string",
+          "required": true,
+          "description": "File path"
+        },
+        {
+          "key": "artifact_signed",
+          "type": "boolean",
+          "required": true,
+          "description": "Whether signed"
+        },
+        {
+          "key": "provenance_signer",
+          "type": "string",
+          "required": true,
+          "description": "Signer identity"
+        },
+        {
+          "key": "metadata_cosai_level_numeric",
+          "type": "number",
+          "required": false,
+          "description": "CoSAI maturity level"
+        },
+        {
+          "key": "finding_type",
+          "type": "string",
+          "required": false,
+          "description": "Type of provenance finding"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": false,
+          "description": "Severity level"
+        }
+      ]
+    },
+    {
+      "name": "quarantine_artifact",
+      "description": "Quarantine a malicious artifact",
+      "context_attributes": [
+        {
+          "key": "finding_type",
+          "type": "string",
+          "required": true,
+          "description": "Type of security finding"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": true,
+          "description": "Severity level"
+        },
+        {
+          "key": "environment",
+          "type": "string",
+          "required": true,
+          "description": "Deployment environment"
+        },
+        {
+          "key": "artifact_format",
+          "type": "string",
+          "required": true,
+          "description": "Model format"
+        },
+        {
+          "key": "path",
+          "type": "string",
+          "required": true,
+          "description": "File path"
+        }
+      ]
+    },
+    {
+      "name": "load_model",
+      "description": "Load an ML model into memory",
+      "context_attributes": [
+        {
+          "key": "artifact_format",
+          "type": "string",
+          "required": true,
+          "description": "Model format"
+        },
+        {
+          "key": "environment",
+          "type": "string",
+          "required": true,
+          "description": "Deployment environment"
+        },
+        {
+          "key": "artifact_signed",
+          "type": "boolean",
+          "required": true,
+          "description": "Whether signed"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": false,
+          "description": "Severity of any findings"
+        }
+      ]
+    },
+    {
+      "name": "deploy_model",
+      "description": "Deploy an ML model to production",
+      "context_attributes": [
+        {
+          "key": "artifact_format",
+          "type": "string",
+          "required": true,
+          "description": "Model format"
+        },
+        {
+          "key": "environment",
+          "type": "string",
+          "required": true,
+          "description": "Deployment environment"
+        },
+        {
+          "key": "artifact_signed",
+          "type": "boolean",
+          "required": true,
+          "description": "Whether signed"
+        },
+        {
+          "key": "provenance_signer",
+          "type": "string",
+          "required": true,
+          "description": "Signer identity"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": false,
+          "description": "Severity of any findings"
+        }
+      ]
+    },
+    {
+      "name": "scan_package",
+      "description": "Scan a software package",
+      "context_attributes": [
+        {
+          "key": "finding_type",
+          "type": "string",
+          "required": false,
+          "description": "Type of finding"
+        },
+        {
+          "key": "severity",
+          "type": "string",
+          "required": false,
+          "description": "Severity level"
+        },
+        {
+          "key": "environment",
+          "type": "string",
+          "required": true,
+          "description": "Deployment environment"
+        }
+      ]
+    }
+  ]
+}

package/_schemas/palisade/schema.cedarschema

@@ -0,0 +1,168 @@
+// Palisade Cedar Schema
+// =====================
+// ML Supply Chain Security & Artifact Scanning
+//
+// Palisade scans ML model artifacts (safetensors, GGUF, pickle, PyTorch) for
+// security vulnerabilities and enforces policies based on findings.
+//
+// Architecture:
+//   Scanner → Validators (Pickle, SafeTensors, GGUF, etc.) → Cedar Policy → Allow/Deny/Quarantine
+//
+// Supported Formats:
+//   - SafeTensors (.safetensors)
+//   - GGUF (.gguf)
+//   - Pickle (.pkl, .pickle, .pt)
+//   - PyTorch (.pth, .pt)
+//   - ONNX (.onnx)
+
+namespace Palisade {
+
+// =============================================================================
+// ENTITIES
+// =============================================================================
+
+// Security scanner service
+entity Scanner {
+  scanner_type: String,    // "palisade", "redteam", etc.
+};
+
+// ML model artifact
+entity Artifact {
+  artifact_format: String, // "safetensors", "gguf", "pickle", "pytorch", "onnx"
+  path: String,            // File path
+  signed: Bool,            // Whether digitally signed
+  signer: String,          // Who signed (if applicable)
+};
+
+// Software package (npm, PyPI, etc.)
+entity Package {
+  package_name: String,
+  package_version: String,
+};
+
+// =============================================================================
+// ACTIONS
+// =============================================================================
+
+// Scan an ML artifact for security issues
+action scan_artifact appliesTo {
+  principal: [Scanner],
+  resource: [Artifact],
+  context: {
+    // Core Finding & Severity
+    finding_type: String,              // Type of finding (e.g., "backdoor_detected", "safetensors_integrity_violation")
+    severity: String,                  // "CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"
+    environment: String,               // "production", "strict_production", "development", "permissive_development", "research"
+
+    // Artifact Metadata
+    artifact_format: String,           // "safetensors", "gguf", "pickle", "pytorch", "onnx"
+    path: String,                      // File path to artifact
+    artifact_signed: Bool,             // Whether artifact is digitally signed
+    provenance_signer: String,         // "unknown", "unsigned", or signer name
+
+    // Pickle Security
+    pickle_exec_path_detected: Bool,  // Pickle RCE execution path detected (CRITICAL)
+
+    // Tokenizer Security
+    tokenizer_added_tokens_count: Long, // Number of added tokens (0-5000+)
+
+    // LoRA Security
+    adapter_base_digest_mismatch: Bool, // LoRA adapter base model digest mismatch
+
+    // GGUF Security
+    gguf_suspicious_metadata: Bool,   // GGUF metadata contains suspicious patterns
+
+    // SafeTensors Security
+    safetensors_integrity_violation: Bool, // SafeTensors file integrity violated
+
+    // General Metadata Security
+    metadata_malicious_pattern: Bool, // Metadata contains malicious patterns
+
+    // CoSAI Maturity
+    metadata_cosai_level_numeric: Long, // CoSAI maturity level (0-5, higher = more trustworthy)
+
+    // Backdoor Detection
+    match_count: Long,                // Number of behavioral backdoor indicator matches
+  },
+};
+
+// Validate artifact integrity (checksum, signature)
+action validate_integrity appliesTo {
+  principal: [Scanner],
+  resource: [Artifact],
+  context: {
+    artifact_format: String,
+    path: String,
+    artifact_signed: Bool,
+    provenance_signer: String,
+    safetensors_integrity_violation: Bool,
+    finding_type: String,
+    severity: String,
+  },
+};
+
+// Validate artifact provenance (signer, origin)
+action validate_provenance appliesTo {
+  principal: [Scanner],
+  resource: [Artifact],
+  context: {
+    artifact_format: String,
+    path: String,
+    artifact_signed: Bool,
+    provenance_signer: String,
+    metadata_cosai_level_numeric: Long,
+    finding_type: String,
+    severity: String,
+  },
+};
+
+// Quarantine a malicious artifact
+action quarantine_artifact appliesTo {
+  principal: [Scanner],
+  resource: [Artifact],
+  context: {
+    finding_type: String,
+    severity: String,
+    environment: String,
+    artifact_format: String,
+    path: String,
+  },
+};
+
+// Load an ML model into memory
+action load_model appliesTo {
+  principal: [Scanner],
+  resource: [Artifact],
+  context: {
+    artifact_format: String,
+    environment: String,
+    artifact_signed: Bool,
+    severity: String,
+  },
+};
+
+// Deploy an ML model to production
+action deploy_model appliesTo {
+  principal: [Scanner],
+  resource: [Artifact],
+  context: {
+    artifact_format: String,
+    environment: String,
+    artifact_signed: Bool,
+    provenance_signer: String,
+    severity: String,
+  },
+};
+
+// Scan a software package
+action scan_package appliesTo {
+  principal: [Scanner],
+  resource: [Package],
+  context: {
+    finding_type: String,
+    severity: String,
+    environment: String,
+  },
+};
+
+}

package/dist/builder.d.ts

@@ -23,7 +23,6 @@
  */
 import { EntityType, EntityUID } from './entities.gen.js';
 import { ActionType } from './actions.gen.js';
-import { ContextKey } from './context.gen.js';
 /**
  * Policy effect - permit or forbid
  */
@@ -199,7 +198,7 @@ export declare class PolicyBuilder {
     /**
      * Add a structured condition
      */
-    when(field: ContextKey | string, operator: ConditionOperator, value: string | number | boolean | string[]): PolicyBuilder;
+    when(field: string, operator: ConditionOperator, value: string | number | boolean | string[]): PolicyBuilder;
     /**
      * Add a raw condition string (for advanced users)
      */