@highflame/policy 2.0.10 → 2.1.1

Files changed (46)
  1. package/_schemas/guardrails/context.json +435 -0
  2. package/_schemas/guardrails/schema.cedarschema +225 -0
  3. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +94 -0
  4. package/_schemas/guardrails/templates/defaults/baseline.cedar +24 -0
  5. package/_schemas/guardrails/templates/defaults/injection.cedar +70 -0
  6. package/_schemas/guardrails/templates/defaults/pii.cedar +48 -0
  7. package/_schemas/guardrails/templates/defaults/secrets.cedar +40 -0
  8. package/_schemas/guardrails/templates/defaults/semantic.cedar +59 -0
  9. package/_schemas/guardrails/templates/defaults/tool_risk.cedar +58 -0
  10. package/_schemas/guardrails/templates/defaults/toxicity.cedar +76 -0
  11. package/_schemas/guardrails/templates/mcp_tool_permissions.cedar +84 -0
  12. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +22 -0
  13. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +35 -0
  14. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +43 -0
  15. package/_schemas/guardrails/templates/profiles/chat_assistant.cedar +85 -0
  16. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +109 -0
  17. package/_schemas/guardrails/templates/profiles/code_agent/security.cedar +22 -0
  18. package/_schemas/guardrails/templates/profiles/code_agent.cedar +125 -0
  19. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +38 -0
  20. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +40 -0
  21. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +49 -0
  22. package/_schemas/guardrails/templates/profiles/data_pipeline.cedar +111 -0
  23. package/_schemas/guardrails/templates/templates.json +213 -0
  24. package/dist/builder.d.ts +61 -0
  25. package/dist/builder.js +4 -2
  26. package/dist/entities.gen.d.ts +4 -0
  27. package/dist/entities.gen.js +4 -0
  28. package/dist/explain.d.ts +178 -0
  29. package/dist/explain.js +390 -0
  30. package/dist/guardrails-context.gen.d.ts +49 -0
  31. package/dist/guardrails-context.gen.js +50 -0
  32. package/dist/guardrails-defaults.gen.d.ts +61 -0
  33. package/dist/guardrails-defaults.gen.js +1278 -0
  34. package/dist/guardrails-entities.gen.d.ts +11 -0
  35. package/dist/guardrails-entities.gen.js +37 -0
  36. package/dist/index.d.ts +6 -1
  37. package/dist/index.js +6 -1
  38. package/dist/overwatch-defaults.gen.js +98 -0
  39. package/dist/parser.js +136 -4
  40. package/dist/schema.gen.d.ts +1 -1
  41. package/dist/schema.gen.js +6 -0
  42. package/dist/service-schemas.gen.d.ts +10 -0
  43. package/dist/service-schemas.gen.js +337 -1
  44. package/dist/types.d.ts +6 -1
  45. package/dist/types.js +6 -1
  46. package/package.json +5 -1
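--- a/package/_schemas/guardrails/context.json
+++ b/package/_schemas/guardrails/context.json
@@ -0,0 +1,435 @@
+{
+"service": "guardrails",
+"version": "1.0.0",
+"description": "Guardrails (Shield) content security & policy enforcement for LLM applications",
+"actions": [
+{
+"name": "process_prompt",
+"description": "Analyze user prompts and AI responses for security threats, PII, and content violations",
+"context_attributes": [
+{
+"key": "request_id",
+"type": "string",
+"required": true,
+"description": "Unique identifier for this request, useful for audit trails and debugging"
+},
+{
+"key": "timestamp",
+"type": "number",
+"required": true,
+"description": "Unix timestamp in milliseconds when the request was processed"
+},
+{
+"key": "direction",
+"type": "string",
+"required": true,
+"description": "Content flow direction: 'input' for user prompts, 'output' for AI responses. Use this to apply different policies to inputs vs outputs (e.g., block PII only in outputs)"
+},
+{
+"key": "content_type",
+"type": "string",
+"required": true,
+"description": "Type of content being analyzed: 'prompt', 'response', 'tool_call', or 'file'"
+},
+{
+"key": "detector_count",
+"type": "number",
+"required": true,
+"description": "Number of detectors that were executed for this request"
+},
+{
+"key": "injection_score",
+"type": "number",
+"required": false,
+"description": "ML-based confidence score for prompt injection attacks (0-100). Higher scores indicate higher confidence. Typical threshold: >85 for high-confidence blocks",
+"range": "0-100"
+},
+{
+"key": "jailbreak_score",
+"type": "number",
+"required": false,
+"description": "ML-based confidence score for jailbreak attempts (0-100). Detects attempts to bypass safety guardrails. Typical threshold: >80 for blocks",
+"range": "0-100"
+},
+{
+"key": "injection_type",
+"type": "string",
+"required": false,
+"description": "Type of injection detected: 'prompt', 'sql', 'command', or 'none'. Use this to apply different policies per injection type"
+},
+{
+"key": "contains_secrets",
+"type": "boolean",
+"required": false,
+"description": "Whether any API keys, tokens, passwords, or credentials were detected in the content. True indicates presence of secrets"
+},
+{
+"key": "secret_count",
+"type": "number",
+"required": false,
+"description": "Total number of secret matches found. Multiple matches may indicate data dumps or accidental credential exposure"
+},
+{
+"key": "secret_types",
+"type": "array",
+"required": false,
+"description": "Array of secret types found (e.g., ['aws_access_key', 'github_token']). Use set operations like .contains() to check for specific types"
+},
+{
+"key": "pii_detected",
+"type": "boolean",
+"required": false,
+"description": "Whether personally identifiable information (PII) was found in the content. Commonly used to block PII in outputs to prevent data leakage"
+},
+{
+"key": "pii_count",
+"type": "number",
+"required": false,
+"description": "Total number of PII matches found (emails, phone numbers, SSNs, etc.)"
+},
+{
+"key": "pii_types",
+"type": "array",
+"required": false,
+"description": "Array of PII types detected (e.g., ['email', 'phone', 'ssn', 'credit_card']). Use .contains() to block specific sensitive types"
+},
+{
+"key": "violence_score",
+"type": "number",
+"required": false,
+"description": "ML-based score for violent content references (0-100). Typical threshold: >90 for critical blocks, >60 for warnings",
+"range": "0-100"
+},
+{
+"key": "hate_speech_score",
+"type": "number",
+"required": false,
+"description": "ML-based score for hate speech, discriminatory language, or targeted harassment (0-100). Typical threshold: >75 for blocks",
+"range": "0-100"
+},
+{
+"key": "sexual_score",
+"type": "number",
+"required": false,
+"description": "ML-based score for sexual or adult content (0-100). Adjust thresholds based on your application's audience",
+"range": "0-100"
+},
+{
+"key": "weapons_score",
+"type": "number",
+"required": false,
+"description": "ML-based score for weapons references or violent imagery (0-100)",
+"range": "0-100"
+},
+{
+"key": "crime_score",
+"type": "number",
+"required": false,
+"description": "ML-based score for criminal activity discussions (0-100)",
+"range": "0-100"
+},
+{
+"key": "profanity_score",
+"type": "number",
+"required": false,
+"description": "ML-based score for profanity and vulgar language (0-100)",
+"range": "0-100"
+},
+{
+"key": "content_topics",
+"type": "array",
+"required": false,
+"description": "Semantic topics detected in content (e.g., ['controlled_substances', 'weapons_manufacturing']). Use .contains() to block specific topics per application"
+},
+{
+"key": "topic_confidence",
+"type": "number",
+"required": false,
+"description": "Confidence score from topic classifier (0-100). Use with content_topics to tune sensitivity — higher thresholds reduce false positives",
+"range": "0-100"
+},
+{
+"key": "contains_invisible_chars",
+"type": "boolean",
+"required": false,
+"description": "Whether invisible Unicode characters (zero-width joiners, RTL marks, etc.) were detected in the content. Commonly used for prompt injection evasion"
+},
+{
+"key": "invisible_chars_score",
+"type": "number",
+"required": false,
+"description": "Density score for invisible characters in the content (0-100). Higher scores indicate more invisible characters, suggesting evasion attempts",
+"range": "0-100"
+}
+]
+},
+{
+"name": "call_tool",
+"description": "Execute agentic tool calls, including shell commands, file operations, and MCP tools",
+"context_attributes": [
+{
+"key": "request_id",
+"type": "string",
+"required": true,
+"description": "Unique identifier for this request"
+},
+{
+"key": "timestamp",
+"type": "number",
+"required": true,
+"description": "Unix timestamp in milliseconds"
+},
+{
+"key": "tool_name",
+"type": "string",
+"required": false,
+"description": "Name of the tool being called (e.g., 'shell', 'write_file', 'http_post'). Use this to block specific dangerous tools"
+},
+{
+"key": "tool_risk_score",
+"type": "number",
+"required": false,
+"description": "Computed risk score for this tool call (0-100). Considers tool sensitivity, argument patterns, and MCP verification status. Typical threshold: >85 for dangerous tools",
+"range": "0-100"
+},
+{
+"key": "tool_is_sensitive",
+"type": "boolean",
+"required": false,
+"description": "Whether the tool is classified as sensitive (shell, file operations, network access, etc.)"
+},
+{
+"key": "tool_category",
+"type": "string",
+"required": false,
+"description": "Tool classification: 'safe', 'sensitive', or 'dangerous'. Based on tool type and argument patterns"
+},
+{
+"key": "tool_is_builtin",
+"type": "boolean",
+"required": false,
+"description": "Whether the tool is a built-in tool (vs MCP external tool). Built-in tools are generally more trusted"
+},
+{
+"key": "mcp_server",
+"type": "string",
+"required": false,
+"description": "Name of the MCP server providing this tool (e.g., 'github', 'filesystem', 'slack'). Empty for built-in tools. Use this to control which tools are allowed per MCP server"
+},
+{
+"key": "mcp_tool",
+"type": "string",
+"required": false,
+"description": "Name of the specific tool within the MCP server (e.g., 'read_issues', 'create_file'). Use with mcp_server for fine-grained per-tool permissioning"
+},
+{
+"key": "mcp_server_verified",
+"type": "boolean",
+"required": false,
+"description": "Whether the MCP server is from a verified/trusted registry. Unverified servers have elevated risk scores. Use this to block tool calls from unverified sources"
+},
+{
+"key": "suspicious_pattern",
+"type": "boolean",
+"required": false,
+"description": "Whether a suspicious action sequence was detected (e.g., read_file → http_post indicating data exfiltration). Requires session tracking"
+},
+{
+"key": "pattern_type",
+"type": "string",
+"required": false,
+"description": "Type of suspicious pattern: 'data_exfiltration', 'secret_exfiltration', 'db_exfiltration', or 'none'. Use this to apply different policies per threat type"
+},
+{
+"key": "sequence_risk",
+"type": "number",
+"required": false,
+"description": "Risk score from action sequence analysis (0-100). Analyzes history of tool calls to detect attack patterns. Typical threshold: >80 for blocks",
+"range": "0-100"
+},
+{
+"key": "loop_detected",
+"type": "boolean",
+"required": false,
+"description": "Whether a tool call loop was detected (same tool called repeatedly). May indicate infinite loops or runaway agents. Requires session tracking"
+},
+{
+"key": "loop_count",
+"type": "number",
+"required": false,
+"description": "Number of consecutive repeated tool calls. Typical threshold: >3 for loop detection"
+},
+{
+"key": "loop_tool",
+"type": "string",
+"required": false,
+"description": "Name of the tool involved in the loop"
+},
+{
+"key": "budget_remaining_pct",
+"type": "number",
+"required": false,
+"description": "Remaining token budget as percentage (0-100). Use this to warn or block when budget is low. Requires session with token budget configuration",
+"range": "0-100"
+},
+{
+"key": "budget_exceeded",
+"type": "boolean",
+"required": false,
+"description": "Whether the token budget has been exceeded. Use this to enforce cost controls on agentic sessions"
+},
+{
+"key": "content_topics",
+"type": "array",
+"required": false,
+"description": "Semantic topics detected in tool arguments or content (e.g., ['controlled_substances']). Use .contains() to restrict tool calls involving specific topics"
+},
+{
+"key": "topic_confidence",
+"type": "number",
+"required": false,
+"description": "Confidence score from topic classifier for tool content (0-100)",
+"range": "0-100"
+},
+{
+"key": "contains_secrets",
+"type": "boolean",
+"required": false,
+"description": "Whether secrets were detected in tool arguments or content"
+},
+{
+"key": "secret_types",
+"type": "array",
+"required": false,
+"description": "Array of secret types found in tool arguments"
+},
+{
+"key": "pii_detected",
+"type": "boolean",
+"required": false,
+"description": "Whether PII was detected in tool arguments or content"
+},
+{
+"key": "pii_types",
+"type": "array",
+"required": false,
+"description": "Array of PII types found in tool arguments"
+}
+]
+},
+{
+"name": "read_file",
+"description": "Read file operations for analyzing file content before allowing access",
+"context_attributes": [
+{
+"key": "request_id",
+"type": "string",
+"required": true,
+"description": "Unique identifier for this request"
+},
+{
+"key": "timestamp",
+"type": "number",
+"required": true,
+"description": "Unix timestamp in milliseconds"
+},
+{
+"key": "contains_secrets",
+"type": "boolean",
+"required": false,
+"description": "Whether secrets were detected in the file content being read"
+},
+{
+"key": "secret_types",
+"type": "array",
+"required": false,
+"description": "Array of secret types found in file content"
+},
+{
+"key": "pii_detected",
+"type": "boolean",
+"required": false,
+"description": "Whether PII was detected in the file content"
+},
+{
+"key": "pii_types",
+"type": "array",
+"required": false,
+"description": "Array of PII types found in file content"
+}
+]
+},
+{
+"name": "write_file",
+"description": "Write file operations for preventing writes of sensitive content",
+"context_attributes": [
+{
+"key": "request_id",
+"type": "string",
+"required": true,
+"description": "Unique identifier for this request"
+},
+{
+"key": "timestamp",
+"type": "number",
+"required": true,
+"description": "Unix timestamp in milliseconds"
+},
+{
+"key": "contains_secrets",
+"type": "boolean",
+"required": false,
+"description": "Whether secrets were detected in the content being written. Block writes containing credentials"
+},
+{
+"key": "secret_types",
+"type": "array",
+"required": false,
+"description": "Array of secret types found in write content"
+},
+{
+"key": "pii_detected",
+"type": "boolean",
+"required": false,
+"description": "Whether PII was detected in the content being written"
+},
+{
+"key": "pii_types",
+"type": "array",
+"required": false,
+"description": "Array of PII types found in write content"
+}
+]
+},
+{
+"name": "connect_server",
+"description": "Connect to an MCP server, used to control which MCP servers are allowed",
+"context_attributes": [
+{
+"key": "request_id",
+"type": "string",
+"required": true,
+"description": "Unique identifier for this request"
+},
+{
+"key": "timestamp",
+"type": "number",
+"required": true,
+"description": "Unix timestamp in milliseconds"
+},
+{
+"key": "mcp_server",
+"type": "string",
+"required": false,
+"description": "Name of the MCP server being connected to (e.g., 'github', 'filesystem', 'slack'). Use this to allow or block specific MCP servers"
+},
+{
+"key": "mcp_server_verified",
+"type": "boolean",
+"required": false,
+"description": "Whether the MCP server is from a verified/trusted registry. Use this to block connections to unverified servers"
+}
+]
+}
+]
+}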
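Review bot: The attribute inventory in this file disagrees with schema.cedarschema shipped in the same release: the Cedar `CallToolContext` declares `injection_score`, and `ProcessPromptContext` declares a further "Additional detectors" group (`hallucination_score` through `phishing_detected`), none of which appear under `call_tool` or `process_prompt` here, so any Studio autocompletion or pre-validation driven by this JSON will reject `context.*` references the Cedar validator accepts. The two inventories should be generated from one source, or at minimum a comment-bearing `"_note"` field (constructed name) should state which file is authoritative. The `"type": "array"` entries correspond to Cedar `Set<String>` (the descriptions already assume `.contains()`), so naming the type for what it is, or documenting the mapping in the file description, would stop authors expecting index access. `"range": "0-100"` is free text that no tool can check; numeric min/max fields would let the builder validate thresholds before a policy reaches the enforcement path.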
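--- a/package/_schemas/guardrails/schema.cedarschema
+++ b/package/_schemas/guardrails/schema.cedarschema
@@ -0,0 +1,225 @@
+// =============================================================================
+// Guardrails Cedar Schema
+// =============================================================================
+// Defines entity types, actions, and context attributes for the highflame-shield
+// guardrails service. This schema enables type-safe policy authoring and
+// validation in both Studio UI and backend.
+//
+// Service: highflame-shield (guardrails)
+// Namespace: Guardrails
+// =============================================================================
+
+namespace Guardrails {
+// =========================================================================
+// Entity Types — ReBAC Hierarchy
+// =========================================================================
+// Entity hierarchy enables Cedar's `in` operator for policy scoping:
+// Account (org root)
+// └── Project in [Account]
+// └── App in [Project]
+// └── Session in [App]
+//
+// Policy scoping examples:
+// resource == Guardrails::App::"<uuid>" → app-scoped
+// resource in Guardrails::Project::"<uuid>" → project-wide
+// resource in Guardrails::Account::"<uuid>" → org-wide
+// =========================================================================
+
+/// Account represents an organization (top-level tenant)
+entity Account;
+
+/// Project represents a project within an account
+entity Project in [Account];
+
+/// User represents a principal (human or service) making requests
+entity User;
+
+/// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests
+entity Agent;
+
+/// App represents a protected application (guardrails-enabled LLM app)
+entity App in [Project];
+
+/// Session represents an agentic conversation session with state tracking
+entity Session in [App];
+
+// =========================================================================
+// Actions
+// =========================================================================
+
+/// Process user prompts and AI responses for security threats and content violations
+action "process_prompt" appliesTo {
+principal: [User, Agent],
+resource: [App, Session],
+context: ProcessPromptContext
+};
+
+/// Execute tool calls (shell, file operations, MCP tools)
+action "call_tool" appliesTo {
+principal: [User, Agent],
+resource: [Session],
+context: CallToolContext
+};
+
+/// Read file operations
+action "read_file" appliesTo {
+principal: [User, Agent],
+resource: [Session],
+context: FileReadContext
+};
+
+/// Write file operations
+action "write_file" appliesTo {
+principal: [User, Agent],
+resource: [Session],
+context: FileWriteContext
+};
+
+/// Connect to an MCP server
+action "connect_server" appliesTo {
+principal: [User, Agent],
+resource: [Session],
+context: ConnectServerContext
+};
+
+// =========================================================================
+// Context Types (Action-Specific)
+// =========================================================================
+
+/// Context for process_prompt action (user prompts & AI responses)
+type ProcessPromptContext = {
+// Core metadata (required)
+"request_id": String,
+"timestamp": Long,
+"direction": String, // "input" | "output"
+"content_type": String, // "prompt" | "response" | "tool_call" | "file"
+"detector_count": Long,
+
+// Security - Injection & Jailbreak (optional)
+"injection_score"?: Long, // 0-100
+"jailbreak_score"?: Long, // 0-100
+"injection_type"?: String, // "prompt" | "sql" | "command" | "none"
+
+// Privacy - Secrets (optional)
+"contains_secrets"?: Bool,
+"secret_count"?: Long,
+"secret_types"?: Set<String>, // ["aws_access_key", "github_token", ...]
+
+// Privacy - PII (optional)
+"pii_detected"?: Bool,
+"pii_count"?: Long,
+"pii_types"?: Set<String>, // ["email", "phone", "ssn", "credit_card", ...]
+
+// Trust & Safety - Toxicity (optional)
+"violence_score"?: Long, // 0-100
+"hate_speech_score"?: Long, // 0-100
+"sexual_score"?: Long, // 0-100
+"weapons_score"?: Long, // 0-100
+"crime_score"?: Long, // 0-100
+"profanity_score"?: Long, // 0-100
+
+// Semantic - Topic Classification (optional)
+"content_topics"?: Set<String>, // ["controlled_substances", "weapons_manufacturing", ...]
+"topic_confidence"?: Long, // 0-100
+
+// Security - Invisible Character Detection (optional)
+"contains_invisible_chars"?: Bool,
+"invisible_chars_score"?: Long, // 0-100
+
+// Additional detectors (optional)
+"hallucination_score"?: Long,
+"sentiment_score"?: Long,
+"contains_code"?: Bool,
+"code_languages"?: Set<String>,
+"keyword_matched"?: Bool,
+"keyword_categories"?: Set<String>,
+"detected_language"?: String,
+"phishing_detected"?: Bool,
+
+};
+
+/// Context for call_tool action (agentic tool execution)
+type CallToolContext = {
+// Core metadata (required)
+"request_id": String,
+"timestamp": Long,
+
+// Tool Risk (optional)
+"tool_name"?: String, // "shell", "write_file", "http_post", etc.
+"tool_risk_score"?: Long, // 0-100
+"tool_is_sensitive"?: Bool,
+"tool_category"?: String, // "safe" | "sensitive" | "dangerous"
+"tool_is_builtin"?: Bool,
+
+// MCP context (optional — only present for MCP tool calls)
+"mcp_server"?: String, // MCP server name (e.g., "github", "filesystem")
+"mcp_tool"?: String, // MCP tool name within the server
+"mcp_server_verified"?: Bool, // Whether server is from verified registry
+
+// Agentic - Behavioral Patterns (optional)
+"suspicious_pattern"?: Bool,
+"pattern_type"?: String, // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "none"
+"sequence_risk"?: Long, // 0-100
+
+// Agentic - Loop Detection (optional)
+"loop_detected"?: Bool,
+"loop_count"?: Long,
+"loop_tool"?: String,
+
+// Agentic - Budget Control (optional)
+"budget_remaining_pct"?: Long, // 0-100
+"budget_exceeded"?: Bool,
+
+// Semantic - Topic Classification (optional)
+"content_topics"?: Set<String>, // ["controlled_substances", "weapons_manufacturing", ...]
+"topic_confidence"?: Long, // 0-100
+
+// Security checks on tool arguments (optional)
+"contains_secrets"?: Bool,
+"secret_types"?: Set<String>,
+"pii_detected"?: Bool,
+"pii_types"?: Set<String>,
+"injection_score"?: Long,
+
+};
+
+/// Context for read_file action
+type FileReadContext = {
+// Core metadata (required)
+"request_id": String,
+"timestamp": Long,
+
+// Security checks on file content (optional)
+"contains_secrets"?: Bool,
+"secret_types"?: Set<String>,
+"pii_detected"?: Bool,
+"pii_types"?: Set<String>,
+
+};
+
+/// Context for write_file action
+type FileWriteContext = {
+// Core metadata (required)
+"request_id": String,
+"timestamp": Long,
+
+// Security checks on content being written (optional)
+"contains_secrets"?: Bool,
+"secret_types"?: Set<String>,
+"pii_detected"?: Bool,
+"pii_types"?: Set<String>,
+
+};
+
+/// Context for connect_server action (MCP server connections)
+type ConnectServerContext = {
+// Core metadata (required)
+"request_id": String,
+"timestamp": Long,
+
+// MCP context (optional)
+"mcp_server"?: String, // MCP server name (e.g., "github", "filesystem")
+"mcp_server_verified"?: Bool, // Whether server is from verified registry
+
+};
+}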
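Review bot: Every detector output in the five context types is declared optional (`"injection_score"?: Long`, `"mcp_server_verified"?: Bool`, and so on), but nothing in the file records the evaluation consequence: a `forbid` policy that compares `context.injection_score > 85` without a `context has injection_score` guard raises an evaluation error when that detector did not run, and Cedar treats an erroring policy as not satisfied, so the intended block silently fails open. Suggest a comment under the "Context Types (Action-Specific)" header such as `// All detector attributes are optional: policies MUST guard with 'context has <attr>' before comparing, otherwise a missing attribute errors and the policy is skipped (fail-open for forbid rules).` The same caveat applies to the templates under _schemas/guardrails/templates listed in the diffstat, which are not visible here. Separately, `CallToolContext` includes `injection_score` and `ProcessPromptContext` an "Additional detectors" group that the companion context.json in this release does not list; the two inventories should be generated from one source so the Studio validator and the Cedar validator agree on which `context.*` names exist.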