@highflame/policy 2.0.9 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50)
  1. package/_schemas/guardrails/context.json +435 -0
  2. package/_schemas/guardrails/schema.cedarschema +225 -0
  3. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +94 -0
  4. package/_schemas/guardrails/templates/defaults/baseline.cedar +24 -0
  5. package/_schemas/guardrails/templates/defaults/injection.cedar +70 -0
  6. package/_schemas/guardrails/templates/defaults/pii.cedar +48 -0
  7. package/_schemas/guardrails/templates/defaults/secrets.cedar +40 -0
  8. package/_schemas/guardrails/templates/defaults/semantic.cedar +59 -0
  9. package/_schemas/guardrails/templates/defaults/tool_risk.cedar +58 -0
  10. package/_schemas/guardrails/templates/defaults/toxicity.cedar +76 -0
  11. package/_schemas/guardrails/templates/mcp_tool_permissions.cedar +84 -0
  12. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +22 -0
  13. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +35 -0
  14. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +43 -0
  15. package/_schemas/guardrails/templates/profiles/chat_assistant.cedar +85 -0
  16. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +109 -0
  17. package/_schemas/guardrails/templates/profiles/code_agent/security.cedar +22 -0
  18. package/_schemas/guardrails/templates/profiles/code_agent.cedar +125 -0
  19. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +38 -0
  20. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +40 -0
  21. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +49 -0
  22. package/_schemas/guardrails/templates/profiles/data_pipeline.cedar +111 -0
  23. package/_schemas/guardrails/templates/templates.json +213 -0
  24. package/_schemas/overwatch/context.json +54 -54
  25. package/_schemas/overwatch/schema.cedarschema +77 -68
  26. package/dist/builder.d.ts +106 -13
  27. package/dist/builder.js +103 -34
  28. package/dist/engine.d.ts +20 -2
  29. package/dist/engine.js +50 -20
  30. package/dist/entities.gen.d.ts +4 -0
  31. package/dist/entities.gen.js +4 -0
  32. package/dist/explain.d.ts +150 -0
  33. package/dist/explain.js +363 -0
  34. package/dist/guardrails-context.gen.d.ts +49 -0
  35. package/dist/guardrails-context.gen.js +50 -0
  36. package/dist/guardrails-defaults.gen.d.ts +61 -0
  37. package/dist/guardrails-defaults.gen.js +1278 -0
  38. package/dist/guardrails-entities.gen.d.ts +11 -0
  39. package/dist/guardrails-entities.gen.js +37 -0
  40. package/dist/index.d.ts +6 -1
  41. package/dist/index.js +6 -1
  42. package/dist/overwatch-defaults.gen.js +122 -2
  43. package/dist/parser.js +136 -4
  44. package/dist/schema.gen.d.ts +1 -1
  45. package/dist/schema.gen.js +6 -0
  46. package/dist/service-schemas.gen.d.ts +15 -11
  47. package/dist/service-schemas.gen.js +509 -84
  48. package/dist/types.d.ts +6 -1
  49. package/dist/types.js +6 -1
  50. package/package.json +5 -1
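--- a/package/dist/service-schemas.gen.d.ts
+++ b/package/dist/service-schemas.gen.d.ts
@@ -1,23 +1,23 @@
 /**
-* Overwatch (Guardian) Cedar schema
+* Guardrails Cedar schema
 *
-* Full Cedar schema for IDE security, including:
-* - Actions: process_prompt, call_tool, connect_server, read_file, write_file
-* - Entities: User, Agent, LlmPrompt, Tool, Server, FilePath
-* - Context attributes for threat detection and workspace security
+* Full Cedar schema for guardrails, embedded at codegen time.
 */
-export declare const OVERWATCH_SCHEMA = "// Overwatch (Guardian) Cedar Schema\n// ===================================\n// IDE Security & Policy Enforcement\n//\n// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating\n// threats detected by YARA and Javelin scanners against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 YARA/Javelin \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Human user or service account making requests to the IDE\nentity User {\n user_type: String, // \"external\" or \"internal\"\n email: String, // User email (optional)\n};\n\n// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent {\n agent_type: String, // \"claude\", \"copilot\", etc.\n};\n\n// LLM prompt or session\nentity LlmPrompt {\n prompt_type: String, // \"user_prompt\", \"session\"\n};\n\n// MCP tool or native IDE tool\nentity Tool {\n tool_name: String, // \"shell\", \"read_file\", \"playwright\", etc.\n risk_level: String, // \"low\", \"medium\", \"high\"\n};\n\n// MCP server\nentity Server {\n server_name: String, // \"filesystem\", \"playwright\", etc.\n};\n\n// File system path\nentity FilePath {\n path: String,\n is_within_workspace: Bool,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // Event & Source\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Workspace\n cwd: String, // Current working directory\n workspace_root: String, // Workspace/repository root\n\n // Threat Detection\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\"\n threat_categories: Set<String>, // Threat category names\n\n yara_threats: Set<String>, // YARA rule names\n max_threat_severity: Long, // Numeric severity (0-4)\n contains_secrets: Bool, // Whether secrets detected\n prompt_text: String, // Same as content (legacy)\n response_content: String, // Response content (if available)\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // Event & Source\n content: String, // Raw content being scanned (e.g., shell command)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Tool & MCP\n tool_name: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server: String, // MCP server name\n mcp_tool: String, // MCP tool name\n\n // File & Path\n path: String, // File path (if file operation)\n\n // Workspace\n cwd: String,\n workspace_root: String,\n\n // Threat Detection\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n\n yara_threats: Set<String>,\n max_threat_severity: Long,\n contains_secrets: Bool,\n response_content: String,\n },\n};\n\n// Connect to an MCP server\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n mcp_server: String,\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n max_threat_severity: Long,\n },\n};\n\n// Read a file from disk\naction read_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path: String,\n cwd: String,\n workspace_root: String,\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n max_threat_severity: Long,\n contains_secrets: Bool,\n },\n};\n\n// Write a file to disk\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path: String,\n cwd: String,\n workspace_root: String,\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n max_threat_severity: Long,\n contains_secrets: Bool,\n },\n};\n\n}\n";
+export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u2514\u2500\u2500 App in [Project]\n // \u2514\u2500\u2500 Session in [App]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n entity Agent;\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking\n entity Session in [App];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_score\"?: Long, // 0-100\n \"jailbreak_score\"?: Long, // 0-100\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Additional detectors (optional)\n \"hallucination_score\"?: Long,\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"detected_language\"?: String,\n \"phishing_detected\"?: Bool,\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n \"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"injection_score\"?: Long,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n };\n}\n";
+/**
+* Overwatch Cedar schema
+*
+* Full Cedar schema for overwatch, embedded at codegen time.
+*/
+export declare const OVERWATCH_SCHEMA = "// Overwatch (Guardian) Cedar Schema\n// ===================================\n// IDE Security & Policy Enforcement\n//\n// Overwatch protects IDE operations (prompts, tool calls, file access) by evaluating\n// threats detected by YARA and Javelin scanners against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 YARA/Javelin \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Organization Hierarchy (ReBAC)\n// =============================================================================\n\n// Top-level organization for multi-tenant policy enforcement\n// Enables policies like: principal in Overwatch::Organization::\"acme-corp\"\nentity Organization {\n name: String, // \"Acme Corp\", \"Highflame\"\n};\n\n// Team within an organization\n// Enables policies like: principal in Overwatch::Team::\"security-team\"\nentity Team in [Organization] {\n name: String, // \"security\", \"engineering\", \"devops\"\n};\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n// Human user or service account making requests to the IDE\nentity User in [Team] {\n user_type: String, // \"external\" or \"internal\"\n email: String, // User email (optional)\n};\n\n// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent in [Team] {\n agent_type: String, // \"claude\", \"copilot\", etc.\n};\n\n// LLM prompt or session\nentity LlmPrompt {\n prompt_type: String, // \"user_prompt\", \"session\"\n};\n\n// MCP tool or native IDE tool\nentity Tool {\n tool_name: String, // \"shell\", \"read_file\", \"playwright\", etc.\n risk_level: String, // \"low\", \"medium\", \"high\"\n};\n\n// MCP server\nentity Server {\n server_name: String, // \"filesystem\", \"playwright\", etc.\n};\n\n// File system path\nentity FilePath {\n path: String,\n is_within_workspace: Bool,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // Event & Source\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Workspace\n cwd?: String, // Current working directory\n workspace_root?: String, // Workspace/repository root\n\n // Threat Detection\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\"\n threat_categories: Set<String>, // Threat category names\n yara_threats: Set<String>, // YARA rule names\n max_threat_severity: Long, // Numeric severity (0-4)\n contains_secrets: Bool, // Whether secrets detected\n prompt_text?: String, // Same as content (legacy)\n response_content?: String, // Response content (if available)\n\n // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)\n // Required: content safety classifiers always run for prompt processing\n violence_score: Long, // Violence content detection score\n weapons_score: Long, // Weapons content detection score\n hate_speech_score: Long, // Hate speech detection score\n crime_score: Long, // Criminal content detection score\n sexual_score: Long, // Sexual content detection score\n profanity_score: Long, // Profanity detection score\n\n // Detector Confidence Scores (0-100, ML classifier confidence)\n // Required: ML classifiers always run for prompt processing\n pii_confidence: Long, // PII detection confidence\n injection_confidence: Long, // Prompt injection confidence\n jailbreak_confidence: Long, // Jailbreak detection confidence\n\n // Agent Security (0-100)\n // Required: agent security scanners always run for prompt processing\n indirect_injection_score: Long, // Indirect prompt injection risk\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // Event & Source\n content: String, // Raw content being scanned (e.g., shell command)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // Tool & MCP\n tool_name?: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // File & Path\n path?: String, // File path (if file operation)\n\n // Workspace\n cwd?: String,\n workspace_root?: String,\n\n // Threat Detection (optional: scanning may not have run before tool call)\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n yara_threats?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n response_content?: String,\n\n // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)\n // Optional: only present when trust/safety classifiers have run\n violence_score?: Long, // Violence content detection score\n weapons_score?: Long, // Weapons content detection score\n hate_speech_score?: Long, // Hate speech detection score\n crime_score?: Long, // Criminal content detection score\n sexual_score?: Long, // Sexual content detection score\n profanity_score?: Long, // Profanity detection score\n\n // Detector Confidence Scores (0-100, ML classifier confidence)\n // Optional: only present when ML classifiers have run\n pii_confidence?: Long, // PII detection confidence\n injection_confidence?: Long, // Prompt injection confidence\n jailbreak_confidence?: Long, // Jailbreak detection confidence\n\n // Agent Security (0-100)\n // Optional: only present when agent security scanners have run\n tool_poisoning_score?: Long, // Tool description manipulation risk\n rug_pull_score?: Long, // Tool behavior mismatch risk\n indirect_injection_score?: Long, // Indirect prompt injection risk\n\n // MCP Trust\n // Optional: only present when MCP server verification has run\n mcp_server_verified?: Bool, // Whether server is from verified registry\n },\n};\n\n// Connect to an MCP server\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content?: String, // No content to scan when connecting\n source: String,\n event: String,\n user_email: String,\n mcp_server?: String,\n threat_count?: Long, // Threat scanning may not run for connections\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // Agent Security (0-100)\n // Optional: only present when agent security scanners have run\n tool_poisoning_score?: Long, // Tool description manipulation risk\n rug_pull_score?: Long, // Tool behavior mismatch risk\n indirect_injection_score?: Long, // Indirect prompt injection risk\n\n // MCP Trust\n // Optional: only present when MCP server verification has run\n mcp_server_verified?: Bool, // Whether server is from verified registry\n },\n};\n\n// Read a file from disk\naction read_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n threat_count?: Long, // Threat scanning may not have run\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n },\n};\n\n// Write a file to disk\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n threat_count?: Long, // Threat scanning may not have run\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n contains_secrets?: Bool,\n },\n};\n\n}\n";
 /**
 * Palisade Cedar schema
 *
-* Full Cedar schema for ML supply chain security, including:
-* - Actions: scan_artifact, validate_integrity, validate_provenance, quarantine_artifact, load_model, deploy_model
-* - Entities: Scanner, Artifact, Package
-* - Context attributes for ML security findings
+* Full Cedar schema for palisade, embedded at codegen time.
 */
 export declare const PALISADE_SCHEMA = "// Palisade Cedar Schema\n// =====================\n// ML Supply Chain Security & Artifact Scanning\n//\n// Palisade scans ML model artifacts (safetensors, GGUF, pickle, PyTorch) for\n// security vulnerabilities and enforces policies based on findings.\n//\n// Architecture:\n// Scanner \u2192 Validators (Pickle, SafeTensors, GGUF, etc.) \u2192 Cedar Policy \u2192 Allow/Deny/Quarantine\n//\n// Supported Formats:\n// - SafeTensors (.safetensors)\n// - GGUF (.gguf)\n// - Pickle (.pkl, .pickle, .pt)\n// - PyTorch (.pth, .pt)\n// - ONNX (.onnx)\n\nnamespace Palisade {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Security scanner service\nentity Scanner {\n scanner_type: String, // \"palisade\", \"redteam\", etc.\n};\n\n// ML model artifact\nentity Artifact {\n artifact_format: String, // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n path: String, // File path\n signed: Bool, // Whether digitally signed\n signer: String, // Who signed (if applicable)\n};\n\n// Software package (npm, PyPI, etc.)\nentity Package {\n package_name: String,\n package_version: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Scan an ML artifact for security issues\naction scan_artifact appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n // Core Finding & Severity\n finding_type: String, // Type of finding (e.g., \"backdoor_detected\", \"safetensors_integrity_violation\")\n severity: String, // \"CRITICAL\", \"HIGH\", \"MEDIUM\", \"LOW\", \"INFO\"\n environment: String, // \"production\", \"strict_production\", \"development\", \"permissive_development\", \"research\"\n\n // Artifact Metadata\n artifact_format: String, // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n path: String, // File path to artifact\n artifact_signed: Bool, // Whether artifact is digitally signed\n provenance_signer: String, // \"unknown\", \"unsigned\", or signer name\n\n // Pickle Security\n pickle_exec_path_detected: Bool, // Pickle RCE execution path detected (CRITICAL)\n\n // Tokenizer Security\n tokenizer_added_tokens_count: Long, // Number of added tokens (0-5000+)\n\n // LoRA Security\n adapter_base_digest_mismatch: Bool, // LoRA adapter base model digest mismatch\n\n // GGUF Security\n gguf_suspicious_metadata: Bool, // GGUF metadata contains suspicious patterns\n\n // SafeTensors Security\n safetensors_integrity_violation: Bool, // SafeTensors file integrity violated\n\n // General Metadata Security\n metadata_malicious_pattern: Bool, // Metadata contains malicious patterns\n\n // CoSAI Maturity\n metadata_cosai_level_numeric: Long, // CoSAI maturity level (0-5, higher = more trustworthy)\n\n // Backdoor Detection\n match_count: Long, // Number of behavioral backdoor indicator matches\n },\n};\n\n// Validate artifact integrity (checksum, signature)\naction validate_integrity appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n path: String,\n artifact_signed: Bool,\n provenance_signer: String,\n safetensors_integrity_violation: Bool,\n finding_type: String,\n severity: String,\n },\n};\n\n// Validate artifact provenance (signer, origin)\naction validate_provenance appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n path: String,\n artifact_signed: Bool,\n provenance_signer: String,\n metadata_cosai_level_numeric: Long,\n finding_type: String,\n severity: String,\n },\n};\n\n// Quarantine a malicious artifact\naction quarantine_artifact appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n finding_type: String,\n severity: String,\n environment: String,\n artifact_format: String,\n path: String,\n },\n};\n\n// Load an ML model into memory\naction load_model appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n environment: String,\n artifact_signed: Bool,\n severity: String,\n },\n};\n\n// Deploy an ML model to production\naction deploy_model appliesTo {\n principal: [Scanner],\n resource: [Artifact],\n context: {\n artifact_format: String,\n environment: String,\n artifact_signed: Bool,\n provenance_signer: String,\n severity: String,\n },\n};\n\n// Scan a software package\naction scan_package appliesTo {\n principal: [Scanner],\n resource: [Package],\n context: {\n finding_type: String,\n severity: String,\n environment: String,\n },\n};\n\n}\n";
 /**
-* Context attribute metadata for Overwatch actions.
+* Context attribute metadata for service actions.
 * Used by PolicyBuilder UI to generate form fields.
 */
 export interface ContextAttribute {
@@ -37,6 +37,10 @@ export interface ServiceContext {
 description: string;
 actions: ActionContext[];
 }
+/**
+* Guardrails context metadata (parsed JSON)
+*/
+export declare const GUARDRAILS_CONTEXT: ServiceContext;
 /**
 * Overwatch context metadata (parsed JSON)
 */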
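Review bot: The new OVERWATCH_SCHEMA string turns `threat_count`, `contains_secrets`, `max_threat_severity` and the other threat-detection attributes of the call_tool, read_file, write_file and connect_server contexts from required (2.0.9) into optional (`?:`), and nothing visible here says what a policy should do when they are absent. In Cedar, a policy such as `forbid(principal, action, resource) when { context.contains_secrets == true };` that validated against 2.0.9 now fails schema validation unless rewritten as `context has contains_secrets && context.contains_secrets == true`, and if policies are evaluated without validation, the missing-attribute error makes that forbid not apply, so a call_tool request on which no scan ran is decided only by the remaining permits. Because this file is generated, the fix belongs in its source `package/_schemas/overwatch/schema.cedarschema` (also changed in this release): either document that the hook still populates these attributes with zero values when no scanner ran, or ship a baseline policy that denies when `!(context has threat_count)`. The new GUARDRAILS_SCHEMA declares every detector attribute in ProcessPromptContext and CallToolContext optional, so its default templates need the same `has` guards. A one-line addition to each schema constant's doc comment, `* Optional (\`?:\`) context attributes must be guarded with \`has\` in policies; an unguarded access is a validation error.`, would make this visible to policy authors consuming the package.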