@highflame/policy 2.0.8 → 2.0.10

  1. package/_schemas/overwatch/context.json +54 -54
  2. package/_schemas/overwatch/schema.cedarschema +77 -68
  3. package/dist/actions.gen.d.ts +0 -1
  4. package/dist/actions.gen.js +0 -1
  5. package/dist/annotations.d.ts +0 -1
  6. package/dist/annotations.js +0 -1
  7. package/dist/builder.d.ts +45 -14
  8. package/dist/builder.js +99 -33
  9. package/dist/context.gen.d.ts +0 -1
  10. package/dist/context.gen.js +0 -1
  11. package/dist/engine.d.ts +20 -3
  12. package/dist/engine.js +50 -21
  13. package/dist/entities.gen.d.ts +0 -1
  14. package/dist/entities.gen.js +0 -1
  15. package/dist/entity-metadata-types.gen.d.ts +0 -1
  16. package/dist/entity-metadata-types.gen.js +0 -1
  17. package/dist/errors.d.ts +0 -1
  18. package/dist/errors.js +0 -1
  19. package/dist/index.d.ts +0 -1
  20. package/dist/index.js +0 -1
  21. package/dist/overwatch-context.gen.d.ts +0 -1
  22. package/dist/overwatch-context.gen.js +0 -1
  23. package/dist/overwatch-defaults.gen.d.ts +0 -1
  24. package/dist/overwatch-defaults.gen.js +24 -3
  25. package/dist/overwatch-entities.gen.d.ts +0 -1
  26. package/dist/overwatch-entities.gen.js +0 -1
  27. package/dist/palisade-context.gen.d.ts +0 -1
  28. package/dist/palisade-context.gen.js +0 -1
  29. package/dist/palisade-entities.gen.d.ts +0 -1
  30. package/dist/palisade-entities.gen.js +0 -1
  31. package/dist/parser.d.ts +0 -1
  32. package/dist/parser.js +0 -1
  33. package/dist/schema.gen.d.ts +0 -1
  34. package/dist/schema.gen.js +0 -1
  35. package/dist/schemas.d.ts +0 -1
  36. package/dist/schemas.js +0 -1
  37. package/dist/service-schemas.gen.d.ts +5 -12
  38. package/dist/service-schemas.gen.js +172 -84
  39. package/dist/types.d.ts +0 -1
  40. package/dist/types.js +0 -1
  41. package/package.json +1 -2
  42. package/dist/actions.gen.d.ts.map +0 -1
  43. package/dist/actions.gen.js.map +0 -1
  44. package/dist/annotations.d.ts.map +0 -1
  45. package/dist/annotations.js.map +0 -1
  46. package/dist/builder.d.ts.map +0 -1
  47. package/dist/builder.js.map +0 -1
  48. package/dist/context.gen.d.ts.map +0 -1
  49. package/dist/context.gen.js.map +0 -1
  50. package/dist/engine.d.ts.map +0 -1
  51. package/dist/engine.js.map +0 -1
  52. package/dist/engine.test.d.ts +0 -8
  53. package/dist/engine.test.d.ts.map +0 -1
  54. package/dist/engine.test.js +0 -190
  55. package/dist/engine.test.js.map +0 -1
  56. package/dist/entities.gen.d.ts.map +0 -1
  57. package/dist/entities.gen.js.map +0 -1
  58. package/dist/entity-metadata-types.gen.d.ts.map +0 -1
  59. package/dist/entity-metadata-types.gen.js.map +0 -1
  60. package/dist/errors.d.ts.map +0 -1
  61. package/dist/errors.js.map +0 -1
  62. package/dist/index.d.ts.map +0 -1
  63. package/dist/index.js.map +0 -1
  64. package/dist/overwatch-context.gen.d.ts.map +0 -1
  65. package/dist/overwatch-context.gen.js.map +0 -1
  66. package/dist/overwatch-defaults.gen.d.ts.map +0 -1
  67. package/dist/overwatch-defaults.gen.js.map +0 -1
  68. package/dist/overwatch-defaults.test.d.ts +0 -8
  69. package/dist/overwatch-defaults.test.d.ts.map +0 -1
  70. package/dist/overwatch-defaults.test.js +0 -145
  71. package/dist/overwatch-defaults.test.js.map +0 -1
  72. package/dist/overwatch-entities.gen.d.ts.map +0 -1
  73. package/dist/overwatch-entities.gen.js.map +0 -1
  74. package/dist/overwatch-rebac.test.d.ts +0 -25
  75. package/dist/overwatch-rebac.test.d.ts.map +0 -1
  76. package/dist/overwatch-rebac.test.js +0 -301
  77. package/dist/overwatch-rebac.test.js.map +0 -1
  78. package/dist/palisade-context.gen.d.ts.map +0 -1
  79. package/dist/palisade-context.gen.js.map +0 -1
  80. package/dist/palisade-entities.gen.d.ts.map +0 -1
  81. package/dist/palisade-entities.gen.js.map +0 -1
  82. package/dist/parser.d.ts.map +0 -1
  83. package/dist/parser.js.map +0 -1
  84. package/dist/parser.test.d.ts +0 -8
  85. package/dist/parser.test.d.ts.map +0 -1
  86. package/dist/parser.test.js +0 -212
  87. package/dist/parser.test.js.map +0 -1
  88. package/dist/schema.gen.d.ts.map +0 -1
  89. package/dist/schema.gen.js.map +0 -1
  90. package/dist/schemas.d.ts.map +0 -1
  91. package/dist/schemas.js.map +0 -1
  92. package/dist/schemas.test.d.ts +0 -8
  93. package/dist/schemas.test.d.ts.map +0 -1
  94. package/dist/schemas.test.js +0 -407
  95. package/dist/schemas.test.js.map +0 -1
  96. package/dist/service-schemas.gen.d.ts.map +0 -1
  97. package/dist/service-schemas.gen.js.map +0 -1
  98. package/dist/studio-ui.test.d.ts +0 -8
  99. package/dist/studio-ui.test.d.ts.map +0 -1
  100. package/dist/studio-ui.test.js +0 -687
  101. package/dist/studio-ui.test.js.map +0 -1
  102. package/dist/types.d.ts.map +0 -1
  103. package/dist/types.js.map +0 -1
  104. package/src/actions.gen.ts +0 -57
  105. package/src/annotations.ts +0 -243
  106. package/src/builder.ts +0 -799
  107. package/src/context.gen.ts +0 -10
  108. package/src/engine.test.ts +0 -370
  109. package/src/engine.ts +0 -497
  110. package/src/entities.gen.ts +0 -65
  111. package/src/entity-metadata-types.gen.ts +0 -19
  112. package/src/errors.ts +0 -195
  113. package/src/index.ts +0 -62
  114. package/src/overwatch-context.gen.ts +0 -45
  115. package/src/overwatch-defaults.gen.ts +0 -1255
  116. package/src/overwatch-defaults.test.ts +0 -176
  117. package/src/overwatch-entities.gen.ts +0 -41
  118. package/src/overwatch-rebac.test.ts +0 -346
  119. package/src/palisade-context.gen.ts +0 -28
  120. package/src/palisade-entities.gen.ts +0 -49
  121. package/src/parser.test.ts +0 -251
  122. package/src/parser.ts +0 -579
  123. package/src/schema.gen.ts +0 -134
  124. package/src/schemas.test.ts +0 -477
  125. package/src/schemas.ts +0 -91
  126. package/src/service-schemas.gen.ts +0 -608
  127. package/src/studio-ui.test.ts +0 -813
  128. package/src/types.ts +0 -66
@@ -59,6 +59,7 @@ const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// ====================================
59
59
  @description("Block prompts when YARA scanners detect API keys, tokens, or credential patterns")
60
60
  @severity("critical")
61
61
  @tags("secrets,credentials,prompts,nist-sc-28,nist-ia-5")
62
+ @reject_message("Your prompt was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before resubmitting.")
62
63
  forbid (
63
64
  principal,
64
65
  action == Overwatch::Action::"process_prompt",
@@ -74,6 +75,7 @@ when {
74
75
  @description("Prevent file reads and tool execution when secrets or credentials are detected in content")
75
76
  @severity("high")
76
77
  @tags("secrets,file-access,tools,credentials,nist-sc-28")
78
+ @reject_message("This operation was blocked because secrets or credentials were detected in the content. File reads and tool calls are restricted when credential exposure is identified.")
77
79
  forbid (
78
80
  principal,
79
81
  action in [Overwatch::Action::"read_file", Overwatch::Action::"call_tool"],
@@ -93,6 +95,7 @@ when {
93
95
  @description("Block access to .env files that commonly contain secrets, API keys, and database credentials")
94
96
  @severity("high")
95
97
  @tags("secrets,env-files,config,nist-sc-28,mitre-t1552")
98
+ @reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
96
99
  forbid (
97
100
  principal,
98
101
  action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
@@ -113,6 +116,7 @@ when {
113
116
  @description("Detect and block AWS access key IDs (AKIA prefix) in AI responses to prevent credential exfiltration")
114
117
  @severity("critical")
115
118
  @tags("secrets,aws,credentials,response-scan,nist-ia-5,mitre-t1552")
119
+ @reject_message("This response was blocked because an AWS access key ID (AKIA prefix) was detected. AWS credentials must never be exposed in AI responses.")
116
120
  forbid (
117
121
  principal,
118
122
  action,
@@ -129,6 +133,7 @@ when {
129
133
  @description("Detect and block AWS secret access keys in AI responses")
130
134
  @severity("critical")
131
135
  @tags("secrets,aws,credentials,response-scan,nist-ia-5")
136
+ @reject_message("This response was blocked because an AWS secret access key was detected. AWS credentials must never be exposed in AI responses.")
132
137
  forbid (
133
138
  principal,
134
139
  action,
@@ -146,6 +151,7 @@ when {
146
151
  @description("Detect and block GitHub personal access tokens (ghp_), fine-grained tokens (github_pat_), and app tokens (ghs_)")
147
152
  @severity("critical")
148
153
  @tags("secrets,github,tokens,response-scan,mitre-t1552")
154
+ @reject_message("This response was blocked because a GitHub token (personal access token, fine-grained token, or app token) was detected. GitHub tokens must never be exposed in AI responses.")
149
155
  forbid (
150
156
  principal,
151
157
  action,
@@ -164,6 +170,7 @@ when {
164
170
  @description("Detect and block SSH, RSA, and OpenSSH private keys in AI responses")
165
171
  @severity("critical")
166
172
  @tags("secrets,ssh,private-keys,response-scan,nist-sc-28,mitre-t1552")
173
+ @reject_message("This response was blocked because a private key (SSH, RSA, or OpenSSH) was detected. Private keys must never be exposed in AI responses.")
167
174
  forbid (
168
175
  principal,
169
176
  action,
@@ -187,6 +194,7 @@ when {
187
194
  @description("Block content flagged by YARA rules for credential exposure, API key leaks, JWT tokens, and bearer tokens")
188
195
  @severity("critical")
189
196
  @tags("secrets,yara,credentials,jwt,bearer,nist-ia-5")
197
+ @reject_message("This content was blocked because YARA scanning detected credential patterns including secret exposure, credential leaks, API keys, JWT tokens, or bearer tokens.")
190
198
  forbid (
191
199
  principal,
192
200
  action,
@@ -219,6 +227,7 @@ const OVERWATCH_PII_DEFAULT_CEDAR = `// ========================================
219
227
  @description("Detect and block content containing credit card number patterns (PCI DSS compliance)")
220
228
  @severity("critical")
221
229
  @tags("pci,credit-card,payment,compliance,pci-dss-3.4")
230
+ @reject_message("Your prompt was blocked because credit card number patterns were detected. Sharing payment card data violates PCI DSS requirements.")
222
231
  forbid (
223
232
  principal,
224
233
  action == Overwatch::Action::"process_prompt",
@@ -234,6 +243,7 @@ when {
234
243
  @description("Detect and block content containing SSN patterns (XXX-XX-XXXX format)")
235
244
  @severity("critical")
236
245
  @tags("ssn,identity,privacy,compliance")
246
+ @reject_message("Your prompt was blocked because Social Security Number patterns (XXX-XX-XXXX) were detected. SSNs are protected personal identifiers that must not be shared.")
237
247
  forbid (
238
248
  principal,
239
249
  action == Overwatch::Action::"process_prompt",
@@ -249,6 +259,7 @@ when {
249
259
  @description("Block content when PII-related threat categories are detected by YARA or Javelin scanners")
250
260
  @severity("high")
251
261
  @tags("pii,privacy,data-protection,gdpr")
262
+ @reject_message("Your prompt was blocked because personally identifiable information was detected by threat scanners. Remove all PII before resubmitting.")
252
263
  forbid (
253
264
  principal,
254
265
  action == Overwatch::Action::"process_prompt",
@@ -280,6 +291,7 @@ when {
280
291
  @description("Prevent tool execution when PII patterns are detected in content")
281
292
  @severity("high")
282
293
  @tags("pii,tools,data-protection")
294
+ @reject_message("Tool execution was blocked because personally identifiable information was detected in the content. PII must be removed before tool calls are permitted.")
283
295
  forbid (
284
296
  principal,
285
297
  action == Overwatch::Action::"call_tool",
@@ -308,6 +320,7 @@ const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// ===================================
308
320
  @description("Detect and block prompt injection patterns in user input via YARA scanning (OWASP LLM01)")
309
321
  @severity("critical")
310
322
  @tags("injection,security,llm,owasp-llm01,baseline")
323
+ @reject_message("Your prompt was blocked because prompt injection patterns were detected by YARA scanning. This is a security measure to prevent manipulation of AI agent behavior.")
311
324
  forbid (
312
325
  principal,
313
326
  action == Overwatch::Action::"process_prompt",
@@ -339,6 +352,7 @@ when {
339
352
  @description("Detect and block jailbreak and bypass attempts against AI agents (OWASP LLM02)")
340
353
  @severity("critical")
341
354
  @tags("jailbreak,bypass,security,owasp-llm02,baseline")
355
+ @reject_message("Your prompt was blocked because jailbreak or bypass patterns were detected by YARA scanning. This is a security measure to prevent circumvention of AI safety controls.")
342
356
  forbid (
343
357
  principal,
344
358
  action == Overwatch::Action::"process_prompt",
@@ -370,6 +384,7 @@ when {
370
384
  @description("Block prompts when semantic threat scanners detect high severity issues (severity >= 3)")
371
385
  @severity("high")
372
386
  @tags("semantic,severity,security")
387
+ @reject_message("Your prompt was blocked because semantic threat scanners detected high severity issues in the content. Review your prompt for manipulative or adversarial patterns.")
373
388
  forbid (
374
389
  principal,
375
390
  action == Overwatch::Action::"process_prompt",
@@ -387,6 +402,7 @@ when {
387
402
  @description("Block all content when any scanner detects critical severity threats")
388
403
  @severity("critical")
389
404
  @tags("critical,baseline,security")
405
+ @reject_message("Your prompt was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
390
406
  forbid (
391
407
  principal,
392
408
  action == Overwatch::Action::"process_prompt",
@@ -402,6 +418,7 @@ when {
402
418
  @description("Prevent tool execution when prompt injection patterns are detected in content")
403
419
  @severity("critical")
404
420
  @tags("injection,tools,security,owasp-llm01")
421
+ @reject_message("Tool execution was blocked because prompt injection patterns were detected in the content by YARA scanning.")
405
422
  forbid (
406
423
  principal,
407
424
  action == Overwatch::Action::"call_tool",
@@ -435,6 +452,7 @@ const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// ======================================
435
452
  @description("Block direct shell, bash, and command execution tools to prevent command injection (MITRE T1059)")
436
453
  @severity("critical")
437
454
  @tags("shell,command-injection,execution,nist-cm-7,mitre-t1059,baseline")
455
+ @reject_message("Tool execution was blocked because direct shell and command execution tools (shell, bash, terminal, system.exec) are restricted to prevent command injection attacks.")
438
456
  forbid (
439
457
  principal,
440
458
  action == Overwatch::Action::"call_tool",
@@ -456,6 +474,7 @@ when {
456
474
  @description("Block file deletion and other destructive tool operations to prevent data loss")
457
475
  @severity("high")
458
476
  @tags("file,delete,destructive,nist-ac-3")
477
+ @reject_message("Tool execution was blocked because destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss.")
459
478
  forbid (
460
479
  principal,
461
480
  action == Overwatch::Action::"call_tool",
@@ -478,6 +497,7 @@ when {
478
497
  @description("Prevent access to system directories, credential files, SSH keys, and cloud config (MITRE T1005, T1552.001)")
479
498
  @severity("high")
480
499
  @tags("file,path,system,security,nist-ac-6,mitre-t1005")
500
+ @reject_message("Access to this path was blocked because it targets a sensitive system directory or credential file (/etc, /proc, /sys, .ssh, .aws, .gnupg, or private key files).")
481
501
  forbid (
482
502
  principal,
483
503
  action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
@@ -508,6 +528,7 @@ when {
508
528
  @description("Prevent tool execution when high or critical severity threats are detected in content")
509
529
  @severity("high")
510
530
  @tags("tools,threats,severity,security")
531
+ @reject_message("Tool execution was blocked because high or critical severity threats were detected in the content by security scanners.")
511
532
  forbid (
512
533
  principal,
513
534
  action == Overwatch::Action::"call_tool",
@@ -736,8 +757,9 @@ permit (
736
757
  resource
737
758
  )
738
759
  when {
739
- context.mcp_server == "filesystem" ||
740
- context.mcp_server == "playwright"
760
+ context has mcp_server &&
761
+ (context.mcp_server == "filesystem" ||
762
+ context.mcp_server == "playwright")
741
763
  };
742
764
 
743
765
  @id("mcp-allowlist-deny")
@@ -1171,4 +1193,3 @@ export function getOverwatchTemplatesByCategory(category) {
1171
1193
  export function getOverwatchTemplateById(id) {
1172
1194
  return OVERWATCH_TEMPLATES.find(t => t.id === id);
1173
1195
  }
1174
- //# sourceMappingURL=overwatch-defaults.gen.js.map
@@ -9,4 +9,3 @@ export declare const OVERWATCH_ENTITIES: ServiceEntityMetadata;
9
9
  * Maps action names to their valid principals and resources.
10
10
  */
11
11
  export declare const OVERWATCH_ACTION_ENTITIES: Record<string, ActionEntityMetadata>;
12
- //# sourceMappingURL=overwatch-entities.gen.d.ts.map
@@ -35,4 +35,3 @@ export const OVERWATCH_ACTION_ENTITIES = {
35
35
  resources: ['FilePath'],
36
36
  },
37
37
  };
38
- //# sourceMappingURL=overwatch-entities.gen.js.map
@@ -22,4 +22,3 @@ export declare const PalisadeContextKey: {
22
22
  readonly TokenizerAddedTokensCount: "tokenizer_added_tokens_count";
23
23
  };
24
24
  export type PalisadeContextKey = (typeof PalisadeContextKey)[keyof typeof PalisadeContextKey];
25
- //# sourceMappingURL=palisade-context.gen.d.ts.map
@@ -23,4 +23,3 @@ export const PalisadeContextKey = {
23
23
  Severity: 'severity',
24
24
  TokenizerAddedTokensCount: 'tokenizer_added_tokens_count',
25
25
  };
26
- //# sourceMappingURL=palisade-context.gen.js.map
@@ -9,4 +9,3 @@ export declare const PALISADE_ENTITIES: ServiceEntityMetadata;
9
9
  * Maps action names to their valid principals and resources.
10
10
  */
11
11
  export declare const PALISADE_ACTION_ENTITIES: Record<string, ActionEntityMetadata>;
12
- //# sourceMappingURL=palisade-entities.gen.d.ts.map
@@ -43,4 +43,3 @@ export const PALISADE_ACTION_ENTITIES = {
43
43
  resources: ['Artifact'],
44
44
  },
45
45
  };
46
- //# sourceMappingURL=palisade-entities.gen.js.map
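--- a/package/dist/parser.d.ts
+++ b/package/dist/parser.d.ts
@@ -31,4 +31,3 @@ export interface ParseResult {
 * @returns ParseResult with structured rules, unstructured policies, and errors
 */
 export declare function parseCedarToRules(cedarText: string): ParseResult;
-//# sourceMappingURL=parser.d.ts.map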
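--- a/package/dist/parser.js
+++ b/package/dist/parser.js
@@ -445,4 +445,3 @@ function mapOperator(cedarOp) {
 };
 return mapping[cedarOp] || null;
 }
-//# sourceMappingURL=parser.js.map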
@@ -3,4 +3,3 @@
3
3
  * This is the Highflame Cedar schema used across all services.
4
4
  */
5
5
  export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema - Entity and Action Definitions\n// =======================================================\n// This file defines all entity types and actions used across Highflame services.\n// Used for code generation (EntityType and ActionType constants).\n//\n// For policy validation, use service-specific schemas:\n// - schemas/overwatch/schema.cedarschema (Guardian IDE security)\n// - schemas/palisade/schema.cedarschema (ML supply chain security)\n\nnamespace Highflame {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\nentity User {\n user_type: String,\n};\n\nentity Agent {\n agent_type: String,\n};\n\nentity Scanner {\n scanner_type: String,\n};\n\nentity Service {\n service_type: String,\n};\n\nentity Resource {};\n\nentity LlmPrompt {\n prompt_type: String,\n};\n\nentity ResponseData {};\n\nentity Tool {\n tool_name: String,\n};\n\nentity FilePath {\n path: String,\n};\n\nentity HttpEndpoint {\n hostname: String,\n};\n\nentity Server {\n server_name: String,\n};\n\nentity Artifact {\n artifact_format: String,\n};\n\nentity Repository {\n repo_url: String,\n};\n\nentity Package {\n package_name: String,\n};\n\nentity GitBranch {\n branch_name: String,\n};\n\nentity Model {\n model_name: String,\n};\n\nentity ExternalAPI {\n api_name: String,\n};\n\nentity Memory {\n memory_type: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\naction process_prompt;\naction process_response;\naction invoke_model;\naction filter_content;\naction call_tool;\naction connect_server;\naction access_server_resource;\naction skip_guardrails;\naction read_file;\naction write_file;\naction delete_file;\naction http_request;\naction call_external_api;\naction 
execute_code;\naction run_tests;\naction run_build;\naction git_operation;\naction git_clone;\naction git_commit;\naction git_push;\naction git_pull;\naction git_merge;\naction git_checkout;\naction git_reset;\naction git_rebase;\naction delegate_task;\naction spawn_subprocess;\naction access_memory;\naction scan_target;\naction scan_package;\naction scan_artifact;\naction validate_integrity;\naction validate_provenance;\naction quarantine_artifact;\naction load_model;\naction deploy_model;\naction transfer_data;\naction export_data;\n}\n";
6
- //# sourceMappingURL=schema.gen.d.ts.map
@@ -131,4 +131,3 @@ action transfer_data;
131
131
  action export_data;
132
132
  }
133
133
  `;
134
- //# sourceMappingURL=schema.gen.js.map
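--- a/package/dist/schemas.d.ts
+++ b/package/dist/schemas.d.ts
@@ -61,4 +61,3 @@ export declare const PALISADE_SCHEMA: string;
 * Used by PolicyBuilder UI to generate context dropdowns with type information.
 */
 export declare const PALISADE_CONTEXT: string;
-//# sourceMappingURL=schemas.d.ts.map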
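--- a/package/dist/schemas.js
+++ b/package/dist/schemas.js
@@ -67,4 +67,3 @@ export const PALISADE_SCHEMA = fs.readFileSync(path.join(SCHEMAS_DIR, 'palisade'
 * Used by PolicyBuilder UI to generate context dropdowns with type information.
 */
 export const PALISADE_CONTEXT = fs.readFileSync(path.join(SCHEMAS_DIR, 'palisade', 'context.json'), 'utf-8');
-//# sourceMappingURL=schemas.js.map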
@@ -1,23 +1,17 @@
1
1
  /**
2
- * Overwatch (Guardian) Cedar schema
2
+ * Overwatch Cedar schema
3
3
  *
4
- * Full Cedar schema for IDE security, including:
5
- * - Actions: process_prompt, call_tool, connect_server, read_file, write_file
6
- * - Entities: User, Agent, LlmPrompt, Tool, Server, FilePath
7
- * - Context attributes for threat detection and workspace security
4
+ * Full Cedar schema for overwatch, embedded at codegen time.
8
5
  */
9
- export declare const OVERWATCH_SCHEMA = "// Overwatch (Guardian) Cedar Schema\n// ===================================\n// IDE Security & Policy Enforcement\n//\n// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating\n// threats detected by YARA and Javelin scanners against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 YARA/Javelin \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Human user or service account making requests to the IDE\nentity User {\n user_type: String, // \"external\" or \"internal\"\n email: String, // User email (optional)\n};\n\n// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent {\n agent_type: String, // \"claude\", \"copilot\", etc.\n};\n\n// LLM prompt or session\nentity LlmPrompt {\n prompt_type: String, // \"user_prompt\", \"session\"\n};\n\n// MCP tool or native IDE tool\nentity Tool {\n tool_name: String, // \"shell\", \"read_file\", \"playwright\", etc.\n risk_level: String, // \"low\", \"medium\", \"high\"\n};\n\n// MCP server\nentity Server {\n server_name: String, // \"filesystem\", \"playwright\", etc.\n};\n\n// File system path\nentity FilePath {\n path: String,\n is_within_workspace: Bool,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // Event & Source\n content: String, // 
Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Workspace\n cwd: String, // Current working directory\n workspace_root: String, // Workspace/repository root\n\n // Threat Detection\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\"\n threat_categories: Set<String>, // Threat category names\n\n yara_threats: Set<String>, // YARA rule names\n max_threat_severity: Long, // Numeric severity (0-4)\n contains_secrets: Bool, // Whether secrets detected\n prompt_text: String, // Same as content (legacy)\n response_content: String, // Response content (if available)\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // Event & Source\n content: String, // Raw content being scanned (e.g., shell command)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Tool & MCP\n tool_name: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server: String, // MCP server name\n mcp_tool: String, // MCP tool name\n\n // File & Path\n path: String, // File path (if file operation)\n\n // Workspace\n cwd: String,\n workspace_root: String,\n\n // Threat Detection\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n\n yara_threats: Set<String>,\n max_threat_severity: Long,\n contains_secrets: Bool,\n response_content: String,\n },\n};\n\n// Connect to an MCP server\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n mcp_server: String,\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n 
max_threat_severity: Long,\n },\n};\n\n// Read a file from disk\naction read_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path: String,\n cwd: String,\n workspace_root: String,\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n max_threat_severity: Long,\n contains_secrets: Bool,\n },\n};\n\n// Write a file to disk\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path: String,\n cwd: String,\n workspace_root: String,\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n max_threat_severity: Long,\n contains_secrets: Bool,\n },\n};\n\n}\n";
6
+ export declare const OVERWATCH_SCHEMA = "// Overwatch (Guardian) Cedar Schema\n// ===================================\n// IDE Security & Policy Enforcement\n//\n// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating\n// threats detected by YARA and Javelin scanners against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 YARA/Javelin \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Organization Hierarchy (ReBAC)\n// =============================================================================\n\n// Top-level organization for multi-tenant policy enforcement\n// Enables policies like: principal in Overwatch::Organization::\"acme-corp\"\nentity Organization {\n name: String, // \"Acme Corp\", \"Highflame\"\n};\n\n// Team within an organization\n// Enables policies like: principal in Overwatch::Team::\"security-team\"\nentity Team in [Organization] {\n name: String, // \"security\", \"engineering\", \"devops\"\n};\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n// Human user or service account making requests to the IDE\nentity User in [Team] {\n user_type: String, // \"external\" or \"internal\"\n email: String, // User email (optional)\n};\n\n// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent in [Team] {\n agent_type: String, // \"claude\", \"copilot\", etc.\n};\n\n// LLM prompt or session\nentity LlmPrompt {\n prompt_type: String, // \"user_prompt\", \"session\"\n};\n\n// MCP tool or native IDE tool\nentity Tool {\n tool_name: String, // 
\"shell\", \"read_file\", \"playwright\", etc.\n risk_level: String, // \"low\", \"medium\", \"high\"\n};\n\n// MCP server\nentity Server {\n server_name: String, // \"filesystem\", \"playwright\", etc.\n};\n\n// File system path\nentity FilePath {\n path: String,\n is_within_workspace: Bool,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // Event & Source\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Workspace\n cwd?: String, // Current working directory\n workspace_root?: String, // Workspace/repository root\n\n // Threat Detection\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\"\n threat_categories: Set<String>, // Threat category names\n yara_threats: Set<String>, // YARA rule names\n max_threat_severity: Long, // Numeric severity (0-4)\n contains_secrets: Bool, // Whether secrets detected\n prompt_text?: String, // Same as content (legacy)\n response_content?: String, // Response content (if available)\n\n // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)\n // Required: content safety classifiers always run for prompt processing\n violence_score: Long, // Violence content detection score\n weapons_score: Long, // Weapons content detection score\n hate_speech_score: Long, // Hate speech detection score\n crime_score: Long, // Criminal content detection score\n sexual_score: Long, // Sexual content detection score\n profanity_score: Long, // Profanity detection score\n\n // Detector Confidence Scores (0-100, ML 
classifier confidence)\n // Required: ML classifiers always run for prompt processing\n pii_confidence: Long, // PII detection confidence\n injection_confidence: Long, // Prompt injection confidence\n jailbreak_confidence: Long, // Jailbreak detection confidence\n\n // Agent Security (0-100)\n // Required: agent security scanners always run for prompt processing\n indirect_injection_score: Long, // Indirect prompt injection risk\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // Event & Source\n content: String, // Raw content being scanned (e.g., shell command)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Tool & MCP\n tool_name?: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // File & Path\n path?: String, // File path (if file operation)\n\n // Workspace\n cwd?: String,\n workspace_root?: String,\n\n // Threat Detection (optional: scanning may not have run before tool call)\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n yara_threats?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n response_content?: String,\n\n // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)\n // Optional: only present when trust/safety classifiers have run\n violence_score?: Long, // Violence content detection score\n weapons_score?: Long, // Weapons content detection score\n hate_speech_score?: Long, // Hate speech detection score\n crime_score?: Long, // Criminal content detection score\n sexual_score?: Long, // Sexual content detection score\n profanity_score?: Long, // Profanity detection score\n\n // Detector Confidence Scores (0-100, ML classifier confidence)\n // Optional: only present when ML classifiers have 
run\n pii_confidence?: Long, // PII detection confidence\n injection_confidence?: Long, // Prompt injection confidence\n jailbreak_confidence?: Long, // Jailbreak detection confidence\n\n // Agent Security (0-100)\n // Optional: only present when agent security scanners have run\n tool_poisoning_score?: Long, // Tool description manipulation risk\n rug_pull_score?: Long, // Tool behavior mismatch risk\n indirect_injection_score?: Long, // Indirect prompt injection risk\n\n // MCP Trust\n // Optional: only present when MCP server verification has run\n mcp_server_verified?: Bool, // Whether server is from verified registry\n },\n};\n\n// Connect to an MCP server\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content?: String, // No content to scan when connecting\n source: String,\n event: String,\n user_email: String,\n mcp_server?: String,\n threat_count?: Long, // Threat scanning may not run for connections\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // Agent Security (0-100)\n // Optional: only present when agent security scanners have run\n tool_poisoning_score?: Long, // Tool description manipulation risk\n rug_pull_score?: Long, // Tool behavior mismatch risk\n indirect_injection_score?: Long, // Indirect prompt injection risk\n\n // MCP Trust\n // Optional: only present when MCP server verification has run\n mcp_server_verified?: Bool, // Whether server is from verified registry\n },\n};\n\n// Read a file from disk\naction read_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n threat_count?: Long, // Threat scanning may not have run\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n },\n};\n\n// Write a file to 
disk\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n threat_count?: Long, // Threat scanning may not have run\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n },\n};\n\n}\n";
10
7
  /**
11
8
  * Palisade Cedar schema
12
9
  *
13
- * Full Cedar schema for ML supply chain security, including:
14
- * - Actions: scan_artifact, validate_integrity, validate_provenance, quarantine_artifact, load_model, deploy_model
15
- * - Entities: Scanner, Artifact, Package
16
- * - Context attributes for ML security findings
10
+ * Full Cedar schema for palisade, embedded at codegen time.
17
11
  */
18
12
  export declare const PALISADE_SCHEMA = "// Palisade Cedar Schema\n// =====================\n// ML Supply Chain Security & Artifact Scanning\n//\n// Palisade scans ML model artifacts (safetensors, GGUF, pickle, PyTorch) for\n// security vulnerabilities and enforces policies based on findings.\n//\n// Architecture:\n// Scanner \u2192 Validators (Pickle, SafeTensors, GGUF, etc.) \u2192 Cedar Policy \u2192 Allow/Deny/Quarantine\n//\n// Supported Formats:\n// - SafeTensors (.safetensors)\n// - GGUF (.gguf)\n// - Pickle (.pkl, .pickle, .pt)\n// - PyTorch (.pth, .pt)\n// - ONNX (.onnx)\n\nnamespace Palisade {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Security scanner service\nentity Scanner {\n scanner_type: String, // \"palisade\", \"redteam\", etc.\n};\n\n// ML model artifact\nentity Artifact {\n artifact_format: String, // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n path: String, // File path\n signed: Bool, // Whether digitally signed\n signer: String, // Who signed (if applicable)\n};\n\n// Software package (npm, PyPI, etc.)\nentity Package {\n package_name: String,\n package_version: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Scan an ML artifact for security issues\naction scan_artifact appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n // Core Finding & Severity\n finding_type: String, // Type of finding (e.g., \"backdoor_detected\", \"safetensors_integrity_violation\")\n severity: String, // \"CRITICAL\", \"HIGH\", \"MEDIUM\", \"LOW\", \"INFO\"\n environment: String, // \"production\", \"strict_production\", \"development\", \"permissive_development\", \"research\"\n\n // Artifact Metadata\n artifact_format: String, // 
\"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n path: String, // File path to artifact\n artifact_signed: Bool, // Whether artifact is digitally signed\n provenance_signer: String, // \"unknown\", \"unsigned\", or signer name\n\n // Pickle Security\n pickle_exec_path_detected: Bool, // Pickle RCE execution path detected (CRITICAL)\n\n // Tokenizer Security\n tokenizer_added_tokens_count: Long, // Number of added tokens (0-5000+)\n\n // LoRA Security\n adapter_base_digest_mismatch: Bool, // LoRA adapter base model digest mismatch\n\n // GGUF Security\n gguf_suspicious_metadata: Bool, // GGUF metadata contains suspicious patterns\n\n // SafeTensors Security\n safetensors_integrity_violation: Bool, // SafeTensors file integrity violated\n\n // General Metadata Security\n metadata_malicious_pattern: Bool, // Metadata contains malicious patterns\n\n // CoSAI Maturity\n metadata_cosai_level_numeric: Long, // CoSAI maturity level (0-5, higher = more trustworthy)\n\n // Backdoor Detection\n match_count: Long, // Number of behavioral backdoor indicator matches\n },\n};\n\n// Validate artifact integrity (checksum, signature)\naction validate_integrity appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n path: String,\n artifact_signed: Bool,\n provenance_signer: String,\n safetensors_integrity_violation: Bool,\n finding_type: String,\n severity: String,\n },\n};\n\n// Validate artifact provenance (signer, origin)\naction validate_provenance appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n path: String,\n artifact_signed: Bool,\n provenance_signer: String,\n metadata_cosai_level_numeric: Long,\n finding_type: String,\n severity: String,\n },\n};\n\n// Quarantine a malicious artifact\naction quarantine_artifact appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n finding_type: String,\n severity: String,\n environment: String,\n 
artifact_format: String,\n path: String,\n },\n};\n\n// Load an ML model into memory\naction load_model appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n environment: String,\n artifact_signed: Bool,\n severity: String,\n },\n};\n\n// Deploy an ML model to production\naction deploy_model appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n environment: String,\n artifact_signed: Bool,\n provenance_signer: String,\n severity: String,\n },\n};\n\n// Scan a software package\naction scan_package appliesTo {\n principal: [Scanner],\n resource: [Package],\n context: {\n finding_type: String,\n severity: String,\n environment: String,\n },\n};\n\n}\n";
19
13
  /**
20
- * Context attribute metadata for Overwatch actions.
14
+ * Context attribute metadata for service actions.
21
15
  * Used by PolicyBuilder UI to generate form fields.
22
16
  */
23
17
  export interface ContextAttribute {
@@ -45,4 +39,3 @@ export declare const OVERWATCH_CONTEXT: ServiceContext;
45
39
  * Palisade context metadata (parsed JSON)
46
40
  */
47
41
  export declare const PALISADE_CONTEXT: ServiceContext;
48
- //# sourceMappingURL=service-schemas.gen.d.ts.map
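Review bot: In the new OVERWATCH_SCHEMA string, the threat-detection attributes of `call_tool`, `connect_server`, `read_file` and `write_file` (`threat_count`, `highest_severity`, `threat_categories`, `max_threat_severity`, `contains_secrets`, and on `connect_server` also `content` and `mcp_server`) change from required to optional (`?`), and neither the embedded schema comments nor the rewritten docstring ("Full Cedar schema for overwatch, embedded at codegen time.") say what a policy is expected to do when they are absent. In Cedar, reading a context attribute that is not present is an evaluation error and the erroring policy is dropped from the decision, so an existing unguarded `forbid when { context.threat_count > 0 }` stops applying precisely in the case the new comment describes (scanning did not run before the tool call) and the request falls through to whatever `permit` matches; if policies are validated against this schema they will now fail validation instead, but this file only embeds the string, so I cannot tell from the hunk which of the two happens in practice. The schema comment on the optional group should state the required guard, e.g. `// Optional: read only behind 'context has threat_count && ...'; an unguarded reference to an absent attribute errors and the whole policy is skipped`, and the deny-side policies should decide explicitly whether a tool call, file access or server connection with no scan results is allowed. The same attribute changes presumably also land in `package/_schemas/overwatch/schema.cedarschema` (file 2 in the diffstat), which is outside this view.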