@highflame/policy 2.0.9 → 2.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/_schemas/overwatch/context.json +54 -54
- package/_schemas/overwatch/schema.cedarschema +77 -68
- package/dist/builder.d.ts +45 -13
- package/dist/builder.js +99 -32
- package/dist/engine.d.ts +20 -2
- package/dist/engine.js +50 -20
- package/dist/overwatch-defaults.gen.js +24 -2
- package/dist/service-schemas.gen.d.ts +5 -11
- package/dist/service-schemas.gen.js +172 -83
- package/package.json +1 -1
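--- a/package/dist/service-schemas.gen.d.ts
+++ b/package/dist/service-schemas.gen.d.ts
@@ -1,23 +1,17 @@
 /**
-* Overwatch
+* Overwatch Cedar schema
 *
-* Full Cedar schema for
-* - Actions: process_prompt, call_tool, connect_server, read_file, write_file
-* - Entities: User, Agent, LlmPrompt, Tool, Server, FilePath
-* - Context attributes for threat detection and workspace security
+* Full Cedar schema for overwatch, embedded at codegen time.
 */
-export declare const OVERWATCH_SCHEMA = "// Overwatch (Guardian) Cedar Schema\n// ===================================\n// IDE Security & Policy Enforcement\n//\n// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating\n// threats detected by YARA and Javelin scanners against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 YARA/Javelin \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Human user or service account making requests to the IDE\nentity User {\n user_type: String, // \"external\" or \"internal\"\n email: String, // User email (optional)\n};\n\n// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent {\n agent_type: String, // \"claude\", \"copilot\", etc.\n};\n\n// LLM prompt or session\nentity LlmPrompt {\n prompt_type: String, // \"user_prompt\", \"session\"\n};\n\n// MCP tool or native IDE tool\nentity Tool {\n tool_name: String, // \"shell\", \"read_file\", \"playwright\", etc.\n risk_level: String, // \"low\", \"medium\", \"high\"\n};\n\n// MCP server\nentity Server {\n server_name: String, // \"filesystem\", \"playwright\", etc.\n};\n\n// File system path\nentity FilePath {\n path: String,\n is_within_workspace: Bool,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // Event & Source\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Workspace\n cwd
+export declare const OVERWATCH_SCHEMA = "// Overwatch (Guardian) Cedar Schema\n// ===================================\n// IDE Security & Policy Enforcement\n//\n// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating\n// threats detected by YARA and Javelin scanners against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 YARA/Javelin \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Organization Hierarchy (ReBAC)\n// =============================================================================\n\n// Top-level organization for multi-tenant policy enforcement\n// Enables policies like: principal in Overwatch::Organization::\"acme-corp\"\nentity Organization {\n name: String, // \"Acme Corp\", \"Highflame\"\n};\n\n// Team within an organization\n// Enables policies like: principal in Overwatch::Team::\"security-team\"\nentity Team in [Organization] {\n name: String, // \"security\", \"engineering\", \"devops\"\n};\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n// Human user or service account making requests to the IDE\nentity User in [Team] {\n user_type: String, // \"external\" or \"internal\"\n email: String, // User email (optional)\n};\n\n// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent in [Team] {\n agent_type: String, // \"claude\", \"copilot\", etc.\n};\n\n// LLM prompt or session\nentity LlmPrompt {\n prompt_type: String, // \"user_prompt\", \"session\"\n};\n\n// MCP tool or native IDE tool\nentity Tool {\n tool_name: String, // \"shell\", \"read_file\", \"playwright\", etc.\n risk_level: String, // \"low\", \"medium\", \"high\"\n};\n\n// MCP server\nentity Server {\n server_name: String, // \"filesystem\", \"playwright\", etc.\n};\n\n// File system path\nentity FilePath {\n path: String,\n is_within_workspace: Bool,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // Event & Source\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Workspace\n cwd?: String, // Current working directory\n workspace_root?: String, // Workspace/repository root\n\n // Threat Detection\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\"\n threat_categories: Set<String>, // Threat category names\n yara_threats: Set<String>, // YARA rule names\n max_threat_severity: Long, // Numeric severity (0-4)\n contains_secrets: Bool, // Whether secrets detected\n prompt_text?: String, // Same as content (legacy)\n response_content?: String, // Response content (if available)\n\n // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)\n // Required: content safety classifiers always run for prompt processing\n violence_score: Long, // Violence content detection score\n weapons_score: Long, // Weapons content detection score\n hate_speech_score: Long, // Hate speech detection score\n crime_score: Long, // Criminal content detection score\n sexual_score: Long, // Sexual content detection score\n profanity_score: Long, // Profanity detection score\n\n // Detector Confidence Scores (0-100, ML classifier confidence)\n // Required: ML classifiers always run for prompt processing\n pii_confidence: Long, // PII detection confidence\n injection_confidence: Long, // Prompt injection confidence\n jailbreak_confidence: Long, // Jailbreak detection confidence\n\n // Agent Security (0-100)\n // Required: agent security scanners always run for prompt processing\n indirect_injection_score: Long, // Indirect prompt injection risk\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // Event & Source\n content: String, // Raw content being scanned (e.g., shell command)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Tool & MCP\n tool_name?: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // File & Path\n path?: String, // File path (if file operation)\n\n // Workspace\n cwd?: String,\n workspace_root?: String,\n\n // Threat Detection (optional: scanning may not have run before tool call)\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n yara_threats?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n response_content?: String,\n\n // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)\n // Optional: only present when trust/safety classifiers have run\n violence_score?: Long, // Violence content detection score\n weapons_score?: Long, // Weapons content detection score\n hate_speech_score?: Long, // Hate speech detection score\n crime_score?: Long, // Criminal content detection score\n sexual_score?: Long, // Sexual content detection score\n profanity_score?: Long, // Profanity detection score\n\n // Detector Confidence Scores (0-100, ML classifier confidence)\n // Optional: only present when ML classifiers have run\n pii_confidence?: Long, // PII detection confidence\n injection_confidence?: Long, // Prompt injection confidence\n jailbreak_confidence?: Long, // Jailbreak detection confidence\n\n // Agent Security (0-100)\n // Optional: only present when agent security scanners have run\n tool_poisoning_score?: Long, // Tool description manipulation risk\n rug_pull_score?: Long, // Tool behavior mismatch risk\n indirect_injection_score?: Long, // Indirect prompt injection risk\n\n // MCP Trust\n // Optional: only present when MCP server verification has run\n mcp_server_verified?: Bool, // Whether server is from verified registry\n },\n};\n\n// Connect to an MCP server\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content?: String, // No content to scan when connecting\n source: String,\n event: String,\n user_email: String,\n mcp_server?: String,\n threat_count?: Long, // Threat scanning may not run for connections\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // Agent Security (0-100)\n // Optional: only present when agent security scanners have run\n tool_poisoning_score?: Long, // Tool description manipulation risk\n rug_pull_score?: Long, // Tool behavior mismatch risk\n indirect_injection_score?: Long, // Indirect prompt injection risk\n\n // MCP Trust\n // Optional: only present when MCP server verification has run\n mcp_server_verified?: Bool, // Whether server is from verified registry\n },\n};\n\n// Read a file from disk\naction read_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n threat_count?: Long, // Threat scanning may not have run\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n },\n};\n\n// Write a file to disk\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n threat_count?: Long, // Threat scanning may not have run\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n },\n};\n\n}\n";
 /**
 * Palisade Cedar schema
 *
-* Full Cedar schema for
-* - Actions: scan_artifact, validate_integrity, validate_provenance, quarantine_artifact, load_model, deploy_model
-* - Entities: Scanner, Artifact, Package
-* - Context attributes for ML security findings
+* Full Cedar schema for palisade, embedded at codegen time.
 */
 export declare const PALISADE_SCHEMA = "// Palisade Cedar Schema\n// =====================\n// ML Supply Chain Security & Artifact Scanning\n//\n// Palisade scans ML model artifacts (safetensors, GGUF, pickle, PyTorch) for\n// security vulnerabilities and enforces policies based on findings.\n//\n// Architecture:\n// Scanner \u2192 Validators (Pickle, SafeTensors, GGUF, etc.) \u2192 Cedar Policy \u2192 Allow/Deny/Quarantine\n//\n// Supported Formats:\n// - SafeTensors (.safetensors)\n// - GGUF (.gguf)\n// - Pickle (.pkl, .pickle, .pt)\n// - PyTorch (.pth, .pt)\n// - ONNX (.onnx)\n\nnamespace Palisade {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Security scanner service\nentity Scanner {\n scanner_type: String, // \"palisade\", \"redteam\", etc.\n};\n\n// ML model artifact\nentity Artifact {\n artifact_format: String, // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n path: String, // File path\n signed: Bool, // Whether digitally signed\n signer: String, // Who signed (if applicable)\n};\n\n// Software package (npm, PyPI, etc.)\nentity Package {\n package_name: String,\n package_version: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Scan an ML artifact for security issues\naction scan_artifact appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n // Core Finding & Severity\n finding_type: String, // Type of finding (e.g., \"backdoor_detected\", \"safetensors_integrity_violation\")\n severity: String, // \"CRITICAL\", \"HIGH\", \"MEDIUM\", \"LOW\", \"INFO\"\n environment: String, // \"production\", \"strict_production\", \"development\", \"permissive_development\", \"research\"\n\n // Artifact Metadata\n artifact_format: String, // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n path: String, // File path to artifact\n artifact_signed: Bool, // Whether artifact is digitally signed\n provenance_signer: String, // \"unknown\", \"unsigned\", or signer name\n\n // Pickle Security\n pickle_exec_path_detected: Bool, // Pickle RCE execution path detected (CRITICAL)\n\n // Tokenizer Security\n tokenizer_added_tokens_count: Long, // Number of added tokens (0-5000+)\n\n // LoRA Security\n adapter_base_digest_mismatch: Bool, // LoRA adapter base model digest mismatch\n\n // GGUF Security\n gguf_suspicious_metadata: Bool, // GGUF metadata contains suspicious patterns\n\n // SafeTensors Security\n safetensors_integrity_violation: Bool, // SafeTensors file integrity violated\n\n // General Metadata Security\n metadata_malicious_pattern: Bool, // Metadata contains malicious patterns\n\n // CoSAI Maturity\n metadata_cosai_level_numeric: Long, // CoSAI maturity level (0-5, higher = more trustworthy)\n\n // Backdoor Detection\n match_count: Long, // Number of behavioral backdoor indicator matches\n },\n};\n\n// Validate artifact integrity (checksum, signature)\naction validate_integrity appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n path: String,\n artifact_signed: Bool,\n provenance_signer: String,\n safetensors_integrity_violation: Bool,\n finding_type: String,\n severity: String,\n },\n};\n\n// Validate artifact provenance (signer, origin)\naction validate_provenance appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n path: String,\n artifact_signed: Bool,\n provenance_signer: String,\n metadata_cosai_level_numeric: Long,\n finding_type: String,\n severity: String,\n },\n};\n\n// Quarantine a malicious artifact\naction quarantine_artifact appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n finding_type: String,\n severity: String,\n environment: String,\n artifact_format: String,\n path: String,\n },\n};\n\n// Load an ML model into memory\naction load_model appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n environment: String,\n artifact_signed: Bool,\n severity: String,\n },\n};\n\n// Deploy an ML model to production\naction deploy_model appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n environment: String,\n artifact_signed: Bool,\n provenance_signer: String,\n severity: String,\n },\n};\n\n// Scan a software package\naction scan_package appliesTo {\n principal: [Scanner],\n resource: [Package],\n context: {\n finding_type: String,\n severity: String,\n environment: String,\n },\n};\n\n}\n";
 /**
-* Context attribute metadata for
+* Context attribute metadata for service actions.
 * Used by PolicyBuilder UI to generate form fields.
 */
 export interface ContextAttribute {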
@@ -5,15 +5,12 @@
|
|
|
5
5
|
// Works in both browser and Node.js environments.
|
|
6
6
|
//
|
|
7
7
|
// Usage:
|
|
8
|
-
// import { OVERWATCH_SCHEMA,
|
|
9
|
-
// import {
|
|
8
|
+
// import { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT } from '@highflame/policy/types';
|
|
9
|
+
// import { PALISADE_SCHEMA, PALISADE_CONTEXT } from '@highflame/policy/types';
|
|
10
10
|
/**
|
|
11
|
-
* Overwatch
|
|
11
|
+
* Overwatch Cedar schema
|
|
12
12
|
*
|
|
13
|
-
* Full Cedar schema for
|
|
14
|
-
* - Actions: process_prompt, call_tool, connect_server, read_file, write_file
|
|
15
|
-
* - Entities: User, Agent, LlmPrompt, Tool, Server, FilePath
|
|
16
|
-
* - Context attributes for threat detection and workspace security
|
|
13
|
+
* Full Cedar schema for overwatch, embedded at codegen time.
|
|
17
14
|
*/
|
|
18
15
|
export const OVERWATCH_SCHEMA = `// Overwatch (Guardian) Cedar Schema
|
|
19
16
|
// ===================================
|
|
@@ -33,17 +30,33 @@ export const OVERWATCH_SCHEMA = `// Overwatch (Guardian) Cedar Schema
|
|
|
33
30
|
namespace Overwatch {
|
|
34
31
|
|
|
35
32
|
// =============================================================================
|
|
36
|
-
// ENTITIES
|
|
33
|
+
// ENTITIES - Organization Hierarchy (ReBAC)
|
|
34
|
+
// =============================================================================
|
|
35
|
+
|
|
36
|
+
// Top-level organization for multi-tenant policy enforcement
|
|
37
|
+
// Enables policies like: principal in Overwatch::Organization::"acme-corp"
|
|
38
|
+
entity Organization {
|
|
39
|
+
name: String, // "Acme Corp", "Highflame"
|
|
40
|
+
};
|
|
41
|
+
|
|
42
|
+
// Team within an organization
|
|
43
|
+
// Enables policies like: principal in Overwatch::Team::"security-team"
|
|
44
|
+
entity Team in [Organization] {
|
|
45
|
+
name: String, // "security", "engineering", "devops"
|
|
46
|
+
};
|
|
47
|
+
|
|
48
|
+
// =============================================================================
|
|
49
|
+
// ENTITIES - Principals
|
|
37
50
|
// =============================================================================
|
|
38
51
|
|
|
39
52
|
// Human user or service account making requests to the IDE
|
|
40
|
-
entity User {
|
|
53
|
+
entity User in [Team] {
|
|
41
54
|
user_type: String, // "external" or "internal"
|
|
42
55
|
email: String, // User email (optional)
|
|
43
56
|
};
|
|
44
57
|
|
|
45
58
|
// AI agent (Claude, GitHub Copilot, etc.)
|
|
46
|
-
entity Agent {
|
|
59
|
+
entity Agent in [Team] {
|
|
47
60
|
agent_type: String, // "claude", "copilot", etc.
|
|
48
61
|
};
|
|
49
62
|
|
|
@@ -85,19 +98,37 @@ action process_prompt appliesTo {
|
|
|
85
98
|
user_email: String, // User identifier
|
|
86
99
|
|
|
87
100
|
// Workspace
|
|
88
|
-
cwd
|
|
89
|
-
workspace_root
|
|
101
|
+
cwd?: String, // Current working directory
|
|
102
|
+
workspace_root?: String, // Workspace/repository root
|
|
90
103
|
|
|
91
104
|
// Threat Detection
|
|
92
105
|
threat_count: Long, // Total threats detected
|
|
93
106
|
highest_severity: String, // "critical", "high", "medium", "low"
|
|
94
107
|
threat_categories: Set<String>, // Threat category names
|
|
95
|
-
|
|
96
108
|
yara_threats: Set<String>, // YARA rule names
|
|
97
109
|
max_threat_severity: Long, // Numeric severity (0-4)
|
|
98
110
|
contains_secrets: Bool, // Whether secrets detected
|
|
99
|
-
prompt_text
|
|
100
|
-
response_content
|
|
111
|
+
prompt_text?: String, // Same as content (legacy)
|
|
112
|
+
response_content?: String, // Response content (if available)
|
|
113
|
+
|
|
114
|
+
// Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)
|
|
115
|
+
// Required: content safety classifiers always run for prompt processing
|
|
116
|
+
violence_score: Long, // Violence content detection score
|
|
117
|
+
weapons_score: Long, // Weapons content detection score
|
|
118
|
+
hate_speech_score: Long, // Hate speech detection score
|
|
119
|
+
crime_score: Long, // Criminal content detection score
|
|
120
|
+
sexual_score: Long, // Sexual content detection score
|
|
121
|
+
profanity_score: Long, // Profanity detection score
|
|
122
|
+
|
|
123
|
+
// Detector Confidence Scores (0-100, ML classifier confidence)
|
|
124
|
+
// Required: ML classifiers always run for prompt processing
|
|
125
|
+
pii_confidence: Long, // PII detection confidence
|
|
126
|
+
injection_confidence: Long, // Prompt injection confidence
|
|
127
|
+
jailbreak_confidence: Long, // Jailbreak detection confidence
|
|
128
|
+
|
|
129
|
+
// Agent Security (0-100)
|
|
130
|
+
// Required: agent security scanners always run for prompt processing
|
|
131
|
+
indirect_injection_score: Long, // Indirect prompt injection risk
|
|
101
132
|
},
|
|
102
133
|
};
|
|
103
134
|
|
|
@@ -113,26 +144,50 @@ action call_tool appliesTo {
|
|
|
113
144
|
user_email: String, // User identifier
|
|
114
145
|
|
|
115
146
|
// Tool & MCP
|
|
116
|
-
tool_name
|
|
117
|
-
mcp_server
|
|
118
|
-
mcp_tool
|
|
147
|
+
tool_name?: String, // Normalized tool name ("shell", "read_file", etc.)
|
|
148
|
+
mcp_server?: String, // MCP server name
|
|
149
|
+
mcp_tool?: String, // MCP tool name
|
|
119
150
|
|
|
120
151
|
// File & Path
|
|
121
|
-
path
|
|
152
|
+
path?: String, // File path (if file operation)
|
|
122
153
|
|
|
123
154
|
// Workspace
|
|
124
|
-
cwd
|
|
125
|
-
workspace_root
|
|
126
|
-
|
|
127
|
-
// Threat Detection
|
|
128
|
-
threat_count
|
|
129
|
-
highest_severity
|
|
130
|
-
threat_categories
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
155
|
+
cwd?: String,
|
|
156
|
+
workspace_root?: String,
|
|
157
|
+
|
|
158
|
+
// Threat Detection (optional: scanning may not have run before tool call)
|
|
159
|
+
threat_count?: Long,
|
|
160
|
+
highest_severity?: String,
|
|
161
|
+
threat_categories?: Set<String>,
|
|
162
|
+
yara_threats?: Set<String>,
|
|
163
|
+
max_threat_severity?: Long,
|
|
164
|
+
contains_secrets?: Bool,
|
|
165
|
+
response_content?: String,
|
|
166
|
+
|
|
167
|
+
// Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)
|
|
168
|
+
// Optional: only present when trust/safety classifiers have run
|
|
169
|
+
violence_score?: Long, // Violence content detection score
|
|
170
|
+
weapons_score?: Long, // Weapons content detection score
|
|
171
|
+
hate_speech_score?: Long, // Hate speech detection score
|
|
172
|
+
crime_score?: Long, // Criminal content detection score
|
|
173
|
+
sexual_score?: Long, // Sexual content detection score
|
|
174
|
+
profanity_score?: Long, // Profanity detection score
|
|
175
|
+
|
|
176
|
+
// Detector Confidence Scores (0-100, ML classifier confidence)
|
|
177
|
+
// Optional: only present when ML classifiers have run
|
|
178
|
+
pii_confidence?: Long, // PII detection confidence
|
|
179
|
+
injection_confidence?: Long, // Prompt injection confidence
|
|
180
|
+
jailbreak_confidence?: Long, // Jailbreak detection confidence
|
|
181
|
+
|
|
182
|
+
// Agent Security (0-100)
|
|
183
|
+
// Optional: only present when agent security scanners have run
|
|
184
|
+
tool_poisoning_score?: Long, // Tool description manipulation risk
|
|
185
|
+
rug_pull_score?: Long, // Tool behavior mismatch risk
|
|
186
|
+
indirect_injection_score?: Long, // Indirect prompt injection risk
|
|
187
|
+
|
|
188
|
+
// MCP Trust
|
|
189
|
+
// Optional: only present when MCP server verification has run
|
|
190
|
+
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
136
191
|
},
|
|
137
192
|
};
|
|
138
193
|
|
|
@@ -141,15 +196,25 @@ action connect_server appliesTo {
|
|
|
141
196
|
principal: [User, Agent],
|
|
142
197
|
resource: [Server],
|
|
143
198
|
context: {
|
|
144
|
-
content
|
|
199
|
+
content?: String, // No content to scan when connecting
|
|
145
200
|
source: String,
|
|
146
201
|
event: String,
|
|
147
202
|
user_email: String,
|
|
148
|
-
mcp_server
|
|
149
|
-
threat_count
|
|
150
|
-
highest_severity
|
|
151
|
-
threat_categories
|
|
152
|
-
max_threat_severity
|
|
203
|
+
mcp_server?: String,
|
|
204
|
+
threat_count?: Long, // Threat scanning may not run for connections
|
|
205
|
+
highest_severity?: String,
|
|
206
|
+
threat_categories?: Set<String>,
|
|
207
|
+
max_threat_severity?: Long,
|
|
208
|
+
|
|
209
|
+
// Agent Security (0-100)
|
|
210
|
+
// Optional: only present when agent security scanners have run
|
|
211
|
+
tool_poisoning_score?: Long, // Tool description manipulation risk
|
|
212
|
+
rug_pull_score?: Long, // Tool behavior mismatch risk
|
|
213
|
+
indirect_injection_score?: Long, // Indirect prompt injection risk
|
|
214
|
+
|
|
215
|
+
// MCP Trust
|
|
216
|
+
// Optional: only present when MCP server verification has run
|
|
217
|
+
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
153
218
|
},
|
|
154
219
|
};
|
|
155
220
|
|
|
@@ -162,14 +227,14 @@ action read_file appliesTo {
|
|
|
162
227
|
source: String,
|
|
163
228
|
event: String,
|
|
164
229
|
user_email: String,
|
|
165
|
-
path
|
|
166
|
-
cwd
|
|
167
|
-
workspace_root
|
|
168
|
-
threat_count
|
|
169
|
-
highest_severity
|
|
170
|
-
threat_categories
|
|
171
|
-
max_threat_severity
|
|
172
|
-
contains_secrets
|
|
230
|
+
path?: String,
|
|
231
|
+
cwd?: String,
|
|
232
|
+
workspace_root?: String,
|
|
233
|
+
threat_count?: Long, // Threat scanning may not have run
|
|
234
|
+
highest_severity?: String,
|
|
235
|
+
threat_categories?: Set<String>,
|
|
236
|
+
max_threat_severity?: Long,
|
|
237
|
+
contains_secrets?: Bool,
|
|
173
238
|
},
|
|
174
239
|
};
|
|
175
240
|
|
|
@@ -182,14 +247,14 @@ action write_file appliesTo {
|
|
|
182
247
|
source: String,
|
|
183
248
|
event: String,
|
|
184
249
|
user_email: String,
|
|
185
|
-
path
|
|
186
|
-
cwd
|
|
187
|
-
workspace_root
|
|
188
|
-
threat_count
|
|
189
|
-
highest_severity
|
|
190
|
-
threat_categories
|
|
191
|
-
max_threat_severity
|
|
192
|
-
contains_secrets
|
|
250
|
+
path?: String,
|
|
251
|
+
cwd?: String,
|
|
252
|
+
workspace_root?: String,
|
|
253
|
+
threat_count?: Long, // Threat scanning may not have run
|
|
254
|
+
highest_severity?: String,
|
|
255
|
+
threat_categories?: Set<String>,
|
|
256
|
+
max_threat_severity?: Long,
|
|
257
|
+
contains_secrets?: Bool,
|
|
193
258
|
},
|
|
194
259
|
};
|
|
195
260
|
|
|
@@ -198,10 +263,7 @@ action write_file appliesTo {
|
|
|
198
263
|
/**
|
|
199
264
|
* Palisade Cedar schema
|
|
200
265
|
*
|
|
201
|
-
* Full Cedar schema for
|
|
202
|
-
* - Actions: scan_artifact, validate_integrity, validate_provenance, quarantine_artifact, load_model, deploy_model
|
|
203
|
-
* - Entities: Scanner, Artifact, Package
|
|
204
|
-
* - Context attributes for ML security findings
|
|
266
|
+
* Full Cedar schema for palisade, embedded at codegen time.
|
|
205
267
|
*/
|
|
206
268
|
export const PALISADE_SCHEMA = `// Palisade Cedar Schema
|
|
207
269
|
// =====================
|
|
@@ -377,7 +439,7 @@ action scan_package appliesTo {
|
|
|
377
439
|
*/
|
|
378
440
|
export const OVERWATCH_CONTEXT = {
|
|
379
441
|
"service": "overwatch",
|
|
380
|
-
"version": "
|
|
442
|
+
"version": "2.0.0",
|
|
381
443
|
"description": "Overwatch (Guardian) IDE security & policy enforcement",
|
|
382
444
|
"actions": [
|
|
383
445
|
{
|
|
@@ -393,11 +455,22 @@ export const OVERWATCH_CONTEXT = {
|
|
|
393
455
|
{ "key": "threat_count", "type": "number", "required": true, "description": "Total number of threats detected by YARA/Javelin" },
|
|
394
456
|
{ "key": "highest_severity", "type": "string", "required": true, "description": "Highest severity level: critical, high, medium, low" },
|
|
395
457
|
{ "key": "threat_categories", "type": "array", "required": true, "description": "Threat category names from aggregator" },
|
|
458
|
+
{ "key": "threat_types", "type": "array", "required": true, "description": "YARA threat category names" },
|
|
396
459
|
{ "key": "yara_threats", "type": "array", "required": true, "description": "YARA rule names that matched" },
|
|
397
460
|
{ "key": "max_threat_severity", "type": "number", "required": true, "description": "Numeric severity (0-4, where 4=CRITICAL)" },
|
|
398
461
|
{ "key": "contains_secrets", "type": "boolean", "required": true, "description": "Whether secrets or credentials were detected" },
|
|
399
462
|
{ "key": "prompt_text", "type": "string", "required": false, "description": "Same as content (legacy field)" },
|
|
400
|
-
{ "key": "response_content", "type": "string", "required": false, "description": "Response content from AI (if available)" }
|
|
463
|
+
{ "key": "response_content", "type": "string", "required": false, "description": "Response content from AI (if available)" },
|
|
464
|
+
{ "key": "violence_score", "type": "number", "required": true, "description": "Violence content detection score (0-100)" },
|
|
465
|
+
{ "key": "weapons_score", "type": "number", "required": true, "description": "Weapons content detection score (0-100)" },
|
|
466
|
+
{ "key": "hate_speech_score", "type": "number", "required": true, "description": "Hate speech detection score (0-100)" },
|
|
467
|
+
{ "key": "crime_score", "type": "number", "required": true, "description": "Criminal content detection score (0-100)" },
|
|
468
|
+
{ "key": "sexual_score", "type": "number", "required": true, "description": "Sexual content detection score (0-100)" },
|
|
469
|
+
{ "key": "profanity_score", "type": "number", "required": true, "description": "Profanity detection score (0-100)" },
|
|
470
|
+
{ "key": "pii_confidence", "type": "number", "required": true, "description": "PII detection classifier confidence (0-100)" },
|
|
471
|
+
{ "key": "injection_confidence", "type": "number", "required": true, "description": "Prompt injection classifier confidence (0-100)" },
|
|
472
|
+
{ "key": "jailbreak_confidence", "type": "number", "required": true, "description": "Jailbreak detection classifier confidence (0-100)" },
|
|
473
|
+
{ "key": "indirect_injection_score", "type": "number", "required": true, "description": "Indirect prompt injection risk score (0-100)" }
|
|
401
474
|
]
|
|
402
475
|
},
|
|
403
476
|
{
|
|
@@ -414,28 +487,46 @@ export const OVERWATCH_CONTEXT = {
|
|
|
414
487
|
{ "key": "path", "type": "string", "required": false, "description": "File path (if file operation)" },
|
|
415
488
|
{ "key": "cwd", "type": "string", "required": false, "description": "Current working directory" },
|
|
416
489
|
{ "key": "workspace_root", "type": "string", "required": false, "description": "Workspace/repository root path" },
|
|
417
|
-
{ "key": "threat_count", "type": "number", "required":
|
|
418
|
-
{ "key": "highest_severity", "type": "string", "required":
|
|
419
|
-
{ "key": "threat_categories", "type": "array", "required":
|
|
420
|
-
{ "key": "
|
|
421
|
-
{ "key": "
|
|
422
|
-
{ "key": "
|
|
423
|
-
{ "key": "
|
|
490
|
+
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
|
|
491
|
+
{ "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity (if scanning ran)" },
|
|
492
|
+
{ "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names (if scanning ran)" },
|
|
493
|
+
{ "key": "threat_types", "type": "array", "required": false, "description": "YARA threat categories (if scanning ran)" },
|
|
494
|
+
{ "key": "yara_threats", "type": "array", "required": false, "description": "YARA rule names (if scanning ran)" },
|
|
495
|
+
{ "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
|
|
496
|
+
{ "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets detected (if scanning ran)" },
|
|
497
|
+
{ "key": "response_content", "type": "string", "required": false, "description": "Response content (if available)" },
|
|
498
|
+
{ "key": "violence_score", "type": "number", "required": false, "description": "Violence content detection score (0-100)" },
|
|
499
|
+
{ "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content detection score (0-100)" },
|
|
500
|
+
{ "key": "hate_speech_score", "type": "number", "required": false, "description": "Hate speech detection score (0-100)" },
|
|
501
|
+
{ "key": "crime_score", "type": "number", "required": false, "description": "Criminal content detection score (0-100)" },
|
|
502
|
+
{ "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content detection score (0-100)" },
|
|
503
|
+
{ "key": "profanity_score", "type": "number", "required": false, "description": "Profanity detection score (0-100)" },
|
|
504
|
+
{ "key": "pii_confidence", "type": "number", "required": false, "description": "PII detection classifier confidence (0-100)" },
|
|
505
|
+
{ "key": "injection_confidence", "type": "number", "required": false, "description": "Prompt injection classifier confidence (0-100)" },
|
|
506
|
+
{ "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak detection classifier confidence (0-100)" },
|
|
507
|
+
{ "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool description manipulation risk score (0-100)" },
|
|
508
|
+
{ "key": "rug_pull_score", "type": "number", "required": false, "description": "Tool behavior mismatch risk score (0-100)" },
|
|
509
|
+
{ "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect prompt injection risk score (0-100)" },
|
|
510
|
+
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether MCP server is from a verified registry" }
|
|
424
511
|
]
|
|
425
512
|
},
|
|
426
513
|
{
|
|
427
514
|
"name": "connect_server",
|
|
428
515
|
"description": "Connect to an MCP server",
|
|
429
516
|
"context_attributes": [
|
|
430
|
-
{ "key": "content", "type": "string", "required":
|
|
517
|
+
{ "key": "content", "type": "string", "required": false, "description": "Raw content being scanned (if available)" },
|
|
431
518
|
{ "key": "source", "type": "string", "required": true, "description": "IDE source" },
|
|
432
519
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name" },
|
|
433
520
|
{ "key": "user_email", "type": "string", "required": true, "description": "User identifier" },
|
|
434
521
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
|
|
435
|
-
{ "key": "threat_count", "type": "number", "required":
|
|
436
|
-
{ "key": "highest_severity", "type": "string", "required":
|
|
437
|
-
{ "key": "threat_categories", "type": "array", "required":
|
|
438
|
-
{ "key": "max_threat_severity", "type": "number", "required":
|
|
522
|
+
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
|
|
523
|
+
{ "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level (if scanning ran)" },
|
|
524
|
+
{ "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names (if scanning ran)" },
|
|
525
|
+
{ "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
|
|
526
|
+
{ "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool description manipulation risk score (0-100)" },
|
|
527
|
+
{ "key": "rug_pull_score", "type": "number", "required": false, "description": "Tool behavior mismatch risk score (0-100)" },
|
|
528
|
+
{ "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect prompt injection risk score (0-100)" },
|
|
529
|
+
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether MCP server is from a verified registry" }
|
|
439
530
|
]
|
|
440
531
|
},
|
|
441
532
|
{
|
|
@@ -447,14 +538,13 @@ export const OVERWATCH_CONTEXT = {
|
|
|
447
538
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name (e.g., beforeReadFile)" },
|
|
448
539
|
{ "key": "user_email", "type": "string", "required": true, "description": "User identifier" },
|
|
449
540
|
{ "key": "path", "type": "string", "required": false, "description": "File path being read" },
|
|
450
|
-
{ "key": "file_path", "type": "string", "required": false, "description": "Duplicate of path field" },
|
|
451
541
|
{ "key": "cwd", "type": "string", "required": false, "description": "Current working directory" },
|
|
452
542
|
{ "key": "workspace_root", "type": "string", "required": false, "description": "Workspace root path" },
|
|
453
|
-
{ "key": "threat_count", "type": "number", "required":
|
|
454
|
-
{ "key": "highest_severity", "type": "string", "required":
|
|
455
|
-
{ "key": "threat_categories", "type": "array", "required":
|
|
456
|
-
{ "key": "max_threat_severity", "type": "number", "required":
|
|
457
|
-
{ "key": "contains_secrets", "type": "boolean", "required":
|
|
543
|
+
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
|
|
544
|
+
{ "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level (if scanning ran)" },
|
|
545
|
+
{ "key": "threat_categories", "type": "array", "required": false, "description": "Threat categories (if scanning ran)" },
|
|
546
|
+
{ "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
|
|
547
|
+
{ "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets detected (if scanning ran)" }
|
|
458
548
|
]
|
|
459
549
|
},
|
|
460
550
|
{
|
|
@@ -466,14 +556,13 @@ export const OVERWATCH_CONTEXT = {
|
|
|
466
556
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name" },
|
|
467
557
|
{ "key": "user_email", "type": "string", "required": true, "description": "User identifier" },
|
|
468
558
|
{ "key": "path", "type": "string", "required": false, "description": "File path being written" },
|
|
469
|
-
{ "key": "file_path", "type": "string", "required": false, "description": "Duplicate of path field" },
|
|
470
559
|
{ "key": "cwd", "type": "string", "required": false, "description": "Current working directory" },
|
|
471
560
|
{ "key": "workspace_root", "type": "string", "required": false, "description": "Workspace root path" },
|
|
472
|
-
{ "key": "threat_count", "type": "number", "required":
|
|
473
|
-
{ "key": "highest_severity", "type": "string", "required":
|
|
474
|
-
{ "key": "threat_categories", "type": "array", "required":
|
|
475
|
-
{ "key": "max_threat_severity", "type": "number", "required":
|
|
476
|
-
{ "key": "contains_secrets", "type": "boolean", "required":
|
|
561
|
+
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
|
|
562
|
+
{ "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level (if scanning ran)" },
|
|
563
|
+
{ "key": "threat_categories", "type": "array", "required": false, "description": "Threat categories (if scanning ran)" },
|
|
564
|
+
{ "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
|
|
565
|
+
{ "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets detected (if scanning ran)" }
|
|
477
566
|
]
|
|
478
567
|
}
|
|
479
568
|
]
|