@highflame/policy 2.0.10 → 2.1.1

package/dist/guardrails-entities.gen.d.ts

@@ -0,0 +1,11 @@
+import type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
+/**
+ * Guardrails entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export declare const GUARDRAILS_ENTITIES: ServiceEntityMetadata;
+/**
+ * Per-action entity mapping for Guardrails.
+ * Maps action names to their valid principals and resources.
+ */
+export declare const GUARDRAILS_ACTION_ENTITIES: Record<string, ActionEntityMetadata>;

package/dist/guardrails-entities.gen.js

@@ -0,0 +1,37 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/guardrails/schema.cedarschema
+/**
+ * Guardrails entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export const GUARDRAILS_ENTITIES = {
+    principals: ['Agent', 'User'],
+    resources: ['App', 'Session'],
+    actions: ['call_tool', 'connect_server', 'process_prompt', 'read_file', 'write_file'],
+};
+/**
+ * Per-action entity mapping for Guardrails.
+ * Maps action names to their valid principals and resources.
+ */
+export const GUARDRAILS_ACTION_ENTITIES = {
+    'call_tool': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+    'connect_server': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+    'process_prompt': {
+        principals: ['User', 'Agent'],
+        resources: ['App', 'Session'],
+    },
+    'read_file': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+    'write_file': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+};

package/dist/index.d.ts

@@ -7,12 +7,17 @@ export * from './builder.js';
 export * from './parser.js';
 export * from './errors.js';
 export * from './annotations.js';
-export { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export * from './explain.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
 export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
+export { GuardrailsContextKey } from './guardrails-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
+export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
 export type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
+export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
+export type { GuardrailsCategory, GuardrailsCategoryInfo, GuardrailsDefaultPolicy, GuardrailsTemplate, } from './guardrails-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';
 export type { OverwatchCategory, OverwatchCategoryInfo, OverwatchDefaultPolicy, OverwatchTemplate, } from './overwatch-defaults.gen.js';

package/dist/index.js

@@ -13,13 +13,18 @@ export * from './builder.js';
 export * from './parser.js';
 export * from './errors.js';
 export * from './annotations.js';
+// Decision explanation
+export * from './explain.js';
 // Service-specific schemas and context (inlined)
-export { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
 // Service-specific context key enums
+export { GuardrailsContextKey } from './guardrails-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
 // Service-specific entity metadata (for UI - principals, resources, actions)
+export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
 // Service-specific default policies, templates, and categories
+export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';

package/dist/overwatch-defaults.gen.js

@@ -773,6 +773,86 @@ forbid (
     resource
 );
 `;
+const OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
+// MCP Tool Permissions Template (Overwatch)
+// =============================================================================
+// Per-tool access control for MCP servers in IDE environments.
+// Complements the existing MCP Server Allowlist (connect_server action)
+// with fine-grained per-tool control on call_tool action.
+//
+// Category: tools
+// Namespace: Overwatch
+// =============================================================================
+
+// -- GitHub MCP: Read-only access -------------------------------------------
+
+@id("mcp-tool-allow-read-github")
+@name("Allow read-only GitHub tools")
+@description("Permit read operations from GitHub MCP server")
+@severity("medium")
+@tags("mcp,github,read-only,least-privilege")
+permit (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github" &&
+    context has tool_name &&
+    (context.tool_name == "read_issues" ||
+     context.tool_name == "get_issue" ||
+     context.tool_name == "list_repos" ||
+     context.tool_name == "get_pull_request" ||
+     context.tool_name == "search_code" ||
+     context.tool_name == "get_file_contents")
+};
+
+@id("mcp-tool-deny-write-github")
+@name("Deny write GitHub tools")
+@description("Block create/update/delete operations on GitHub MCP server")
+@severity("high")
+@tags("mcp,github,write-block,least-privilege")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github"
+};
+
+// -- Organization-wide MCP server exclusions --------------------------------
+
+@id("mcp-tool-exclude-server")
+@name("Exclude specific MCP servers")
+@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@severity("critical")
+@tags("mcp,exclusion,org-wide,block")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    // Add server names to block across the organization.
+    // Modify this list to match your exclusion requirements.
+    context has mcp_server &&
+    (context.mcp_server == "untrusted-server" ||
+     context.mcp_server == "deprecated-server")
+};
+
+// -- Block unverified MCP servers -------------------------------------------
+
+@id("mcp-tool-block-unverified")
+@name("Block tools from unverified MCP servers")
+@description("Deny tool calls from MCP servers not in the verified registry")
+@severity("high")
+@tags("mcp,trust,verification")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};
+`;
 const OVERWATCH_ORG_DEFAULT_DENY_CEDAR = `// Default Deny All Template
 // Organization-wide baseline: deny all unless explicitly permitted
 // Category: organization
@@ -978,6 +1058,15 @@ export const OVERWATCH_TEMPLATES = [
         severity: 'medium',
         tags: ['mcp', 'allowlist', 'whitelist'],
     },
+    {
+        id: 'tools-mcp-tool-permissions',
+        name: 'MCP Tool Permissions',
+        description: 'Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources',
+        category: 'tools',
+        cedarText: OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
+        severity: 'high',
+        tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
+    },
     {
         id: 'org-default-deny',
         name: 'Default Deny All',
@@ -1142,6 +1231,15 @@ export const OVERWATCH_TEMPLATES_JSON = `{
       "severity": "medium",
       "tags": ["mcp", "allowlist", "whitelist"]
     },
+    {
+      "id": "tools-mcp-tool-permissions",
+      "name": "MCP Tool Permissions",
+      "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "category": "tools",
+      "file": "mcp_tool_permissions.cedar",
+      "severity": "high",
+      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+    },
     {
       "id": "org-default-deny",
       "name": "Default Deny All",

package/dist/parser.js

@@ -134,11 +134,14 @@ function cedarJsonToRule(policy, policyId, index, originalText) {
             order: index,
         };
         // Map conditions
-        const { conditions, rawCondition } = mapConditions(policy.conditions, originalText);
+        const { conditions, rawCondition, conditionExpression } = mapConditions(policy.conditions, originalText);
         rule.conditions = conditions;
         if (rawCondition) {
             rule.rawCondition = rawCondition;
         }
+        if (conditionExpression) {
+            rule.conditionExpression = conditionExpression;
+        }
         return { rule };
     }
     catch (e) {
@@ -227,7 +230,7 @@ function mapScopeToEntity(scope, field) {
     if (scope.op === "in") {
         if ("entity" in scope) {
             const entity = normalizeEntityRef(scope.entity);
-            return { type: entity.type, id: entity.id };
+            return { type: entity.type, id: entity.id, operator: 'in' };
         }
         if ("slot" in scope) {
             throw ParserError.scopeSlotNotSupported("in", field);
@@ -279,17 +282,20 @@ function mapActionScope(scope) {
     throw ParserError.actionUnsupportedOp(scope.op);
 }
 /**
- * Map Cedar conditions to PolicyCondition array.
- * When conditions can't be mapped to structured format, extract the raw Cedar
+ * Map Cedar conditions to PolicyCondition array + recursive ConditionExpression.
+ * When conditions can't be mapped to the flat format, extract the raw Cedar
  * condition text from the engine-serialized policy text (not JSON AST).
  */
 function mapConditions(conditions, originalText) {
     const result = [];
     let hasUnmapped = false;
+    // Collect condition expressions from all when clauses
+    const expressions = [];
     for (const cond of conditions) {
         if (cond.kind !== "when") {
             continue;
         }
+        // Flat mapping (backward compat)
         const parsed = mapConditionBody(cond.body);
         if (parsed.condition) {
             result.push(parsed.condition);
@@ -297,15 +303,26 @@ function mapConditions(conditions, originalText) {
         else if (parsed.raw) {
             hasUnmapped = true;
         }
+        // Recursive mapping (new)
+        expressions.push(mapConditionBodyToExpression(cond.body, originalText));
     }
     // Extract readable Cedar condition text instead of storing JSON AST
     let rawCondition;
     if (hasUnmapped && originalText) {
         rawCondition = extractWhenClause(originalText);
     }
+    // Build the final condition expression
+    let conditionExpression;
+    if (expressions.length === 1) {
+        conditionExpression = expressions[0];
+    }
+    else if (expressions.length > 1) {
+        conditionExpression = { kind: 'and', children: expressions };
+    }
     return {
         conditions: result,
         rawCondition: rawCondition || undefined,
+        conditionExpression,
     };
 }
 /**
@@ -365,6 +382,121 @@ function mapConditionBody(body) {
     // Can't map - return as raw JSON
     return { raw: JSON.stringify(body) };
 }
+// ---------------------------------------------------------------------------
+// Recursive condition expression walker
+// ---------------------------------------------------------------------------
+/**
+ * Recursively walk the Cedar JSON AST to build a ConditionExpression tree.
+ * Flattens binary && / || chains into n-ary and/or nodes.
+ */
+function mapConditionBodyToExpression(expr, originalText) {
+    // Logical AND — flatten binary chain
+    if (expr["&&"]) {
+        const children = flattenBinaryChain("&&", expr);
+        return { kind: 'and', children };
+    }
+    // Logical OR — flatten binary chain
+    if (expr["||"]) {
+        const children = flattenBinaryChain("||", expr);
+        return { kind: 'or', children };
+    }
+    // Negation
+    if (expr["!"]) {
+        const child = mapConditionBodyToExpression(expr["!"].arg, originalText);
+        return { kind: 'not', child };
+    }
+    // Has (existence check): { has: { left: { Var: "context" }, attr: "field" } }
+    if (expr.has) {
+        const field = extractHasField(expr.has);
+        if (field) {
+            return { kind: 'has', field };
+        }
+    }
+    // Leaf: comparison operators
+    for (const op of ["==", "!=", "<", "<=", ">", ">="]) {
+        const comparison = expr[op];
+        if (comparison) {
+            const mapped = mapComparisonToExpression(op, comparison);
+            if (mapped)
+                return mapped;
+        }
+    }
+    // Leaf: contains
+    if (expr.contains) {
+        const mapped = mapContainsToExpression(expr.contains);
+        if (mapped)
+            return mapped;
+    }
+    // Leaf: like
+    if (expr.like) {
+        const mapped = mapLikeToExpression(expr.like);
+        if (mapped)
+            return mapped;
+    }
+    // Fallback — extract readable text if possible
+    const text = originalText ? extractWhenClause(originalText) : JSON.stringify(expr);
+    return { kind: 'raw', text };
+}
+/**
+ * Flatten a binary chain of && or || into a flat array of expressions.
+ * (A && B) && C becomes [A, B, C] instead of nested binary pairs.
+ */
+function flattenBinaryChain(op, expr) {
+    const node = expr[op];
+    if (!node)
+        return [mapConditionBodyToExpression(expr)];
+    return [
+        ...flattenBinaryChain(op, node.left),
+        ...flattenBinaryChain(op, node.right),
+    ];
+}
+/**
+ * Extract field name from a "has" expression.
+ * Pattern: { left: { Var: "context" }, attr: "field_name" }
+ */
+function extractHasField(has) {
+    if (has.left.Var === "context") {
+        return has.attr;
+    }
+    return null;
+}
+function mapComparisonToExpression(op, args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const value = extractLiteralValue(args.right);
+    if (value === undefined)
+        return null;
+    const operator = mapOperator(op);
+    if (!operator)
+        return null;
+    return { kind: 'comparison', field, operator, value };
+}
+function mapContainsToExpression(args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const value = extractLiteralValue(args.right);
+    if (value === undefined || typeof value === 'object')
+        return null;
+    return { kind: 'contains', field, value: value };
+}
+function mapLikeToExpression(args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const patternStr = args.pattern.map(p => {
+        if (p === "Wildcard")
+            return "*";
+        if (typeof p === "object" && "Literal" in p)
+            return p.Literal.replace(/\*/g, "\\*");
+        return "";
+    }).join("");
+    return { kind: 'like', field, pattern: patternStr };
+}
+// ---------------------------------------------------------------------------
+// Flat condition mapping (backward compat)
+// ---------------------------------------------------------------------------
 function mapComparison(op, args) {
     const field = extractContextField(args.left);
     if (!field)

package/dist/schema.gen.d.ts

@@ -2,4 +2,4 @@
  * Embedded Cedar schema for policy validation.
  * This is the Highflame Cedar schema used across all services.
  */
-export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema - Entity and Action Definitions\n// =======================================================\n// This file defines all entity types and actions used across Highflame services.\n// Used for code generation (EntityType and ActionType constants).\n//\n// For policy validation, use service-specific schemas:\n// - schemas/overwatch/schema.cedarschema (Guardian IDE security)\n// - schemas/palisade/schema.cedarschema (ML supply chain security)\n\nnamespace Highflame {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\nentity User {\n    user_type: String,\n};\n\nentity Agent {\n    agent_type: String,\n};\n\nentity Scanner {\n    scanner_type: String,\n};\n\nentity Service {\n    service_type: String,\n};\n\nentity Resource {};\n\nentity LlmPrompt {\n    prompt_type: String,\n};\n\nentity ResponseData {};\n\nentity Tool {\n    tool_name: String,\n};\n\nentity FilePath {\n    path: String,\n};\n\nentity HttpEndpoint {\n    hostname: String,\n};\n\nentity Server {\n    server_name: String,\n};\n\nentity Artifact {\n    artifact_format: String,\n};\n\nentity Repository {\n    repo_url: String,\n};\n\nentity Package {\n    package_name: String,\n};\n\nentity GitBranch {\n    branch_name: String,\n};\n\nentity Model {\n    model_name: String,\n};\n\nentity ExternalAPI {\n    api_name: String,\n};\n\nentity Memory {\n    memory_type: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\naction process_prompt;\naction process_response;\naction invoke_model;\naction filter_content;\naction call_tool;\naction connect_server;\naction access_server_resource;\naction skip_guardrails;\naction read_file;\naction write_file;\naction delete_file;\naction http_request;\naction call_external_api;\naction execute_code;\naction run_tests;\naction run_build;\naction git_operation;\naction git_clone;\naction git_commit;\naction git_push;\naction git_pull;\naction git_merge;\naction git_checkout;\naction git_reset;\naction git_rebase;\naction delegate_task;\naction spawn_subprocess;\naction access_memory;\naction scan_target;\naction scan_package;\naction scan_artifact;\naction validate_integrity;\naction validate_provenance;\naction quarantine_artifact;\naction load_model;\naction deploy_model;\naction transfer_data;\naction export_data;\n}\n";
+export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema - Entity and Action Definitions\n// =======================================================\n// This file defines all entity types and actions used across Highflame services.\n// Used for code generation (EntityType and ActionType constants).\n//\n// For policy validation, use service-specific schemas:\n// - schemas/overwatch/schema.cedarschema (Guardian IDE security)\n// - schemas/palisade/schema.cedarschema (ML supply chain security)\n\nnamespace Highflame {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Multi-tenant hierarchy (used by services for ReBAC policy scoping)\nentity Account {};\nentity Project {};\nentity App {};\nentity Session {};\n\nentity User {\n    user_type: String,\n};\n\nentity Agent {\n    agent_type: String,\n};\n\nentity Scanner {\n    scanner_type: String,\n};\n\nentity Service {\n    service_type: String,\n};\n\nentity Resource {};\n\nentity LlmPrompt {\n    prompt_type: String,\n};\n\nentity ResponseData {};\n\nentity Tool {\n    tool_name: String,\n};\n\nentity FilePath {\n    path: String,\n};\n\nentity HttpEndpoint {\n    hostname: String,\n};\n\nentity Server {\n    server_name: String,\n};\n\nentity Artifact {\n    artifact_format: String,\n};\n\nentity Repository {\n    repo_url: String,\n};\n\nentity Package {\n    package_name: String,\n};\n\nentity GitBranch {\n    branch_name: String,\n};\n\nentity Model {\n    model_name: String,\n};\n\nentity ExternalAPI {\n    api_name: String,\n};\n\nentity Memory {\n    memory_type: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\naction process_prompt;\naction process_response;\naction invoke_model;\naction filter_content;\naction call_tool;\naction connect_server;\naction access_server_resource;\naction skip_guardrails;\naction read_file;\naction write_file;\naction delete_file;\naction http_request;\naction call_external_api;\naction execute_code;\naction run_tests;\naction run_build;\naction git_operation;\naction git_clone;\naction git_commit;\naction git_push;\naction git_pull;\naction git_merge;\naction git_checkout;\naction git_reset;\naction git_rebase;\naction delegate_task;\naction spawn_subprocess;\naction access_memory;\naction scan_target;\naction scan_package;\naction scan_artifact;\naction validate_integrity;\naction validate_provenance;\naction quarantine_artifact;\naction load_model;\naction deploy_model;\naction transfer_data;\naction export_data;\n}\n";

package/dist/schema.gen.js

@@ -19,6 +19,12 @@ namespace Highflame {
 // ENTITIES
 // =============================================================================
 
+// Multi-tenant hierarchy (used by services for ReBAC policy scoping)
+entity Account {};
+entity Project {};
+entity App {};
+entity Session {};
+
 entity User {
     user_type: String,
 };

package/dist/service-schemas.gen.d.ts

@@ -1,3 +1,9 @@
+/**
+ * Guardrails Cedar schema
+ *
+ * Full Cedar schema for guardrails, embedded at codegen time.
+ */
+export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u2514\u2500\u2500 App in [Project]\n    //                 \u2514\u2500\u2500 Session in [App]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n    entity Agent;\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking\n    entity Session in [App];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_score\"?: Long,        // 0-100\n        \"jailbreak_score\"?: Long,        // 0-100\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"contains_invisible_chars\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Additional detectors (optional)\n        \"hallucination_score\"?: Long,\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"detected_language\"?: String,\n        \"phishing_detected\"?: Bool,\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Agentic - Budget Control (optional)\n        \"budget_remaining_pct\"?: Long,   // 0-100\n        \"budget_exceeded\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"injection_score\"?: Long,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Security checks on file content (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Security checks on content being written (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n    };\n}\n";
 /**
  * Overwatch Cedar schema
  *
@@ -31,6 +37,10 @@ export interface ServiceContext {
     description: string;
     actions: ActionContext[];
 }
+/**
+ * Guardrails context metadata (parsed JSON)
+ */
+export declare const GUARDRAILS_CONTEXT: ServiceContext;
 /**
  * Overwatch context metadata (parsed JSON)
  */