@highflame/policy 2.0.9 → 2.1.0

package/dist/service-schemas.gen.js

@@ -1,19 +1,248 @@
 // Code generated by highflame-policy-codegen. DO NOT EDIT.
-// Source: schemas/overwatch/schema.cedarschema, schemas/palisade/schema.cedarschema
+// Source: schemas/guardrails/schema.cedarschema, schemas/overwatch/schema.cedarschema, schemas/palisade/schema.cedarschema
 //
 // Service-specific Cedar schemas and context metadata.
 // Works in both browser and Node.js environments.
 //
 // Usage:
-//   import { OVERWATCH_SCHEMA, PALISADE_SCHEMA } from '@highflame/policy/types';
-//   import { OVERWATCH_CONTEXT, PALISADE_CONTEXT } from '@highflame/policy/types';
+//   import { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT } from '@highflame/policy/types';
+//   import { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT } from '@highflame/policy/types';
+//   import { PALISADE_SCHEMA, PALISADE_CONTEXT } from '@highflame/policy/types';
 /**
- * Overwatch (Guardian) Cedar schema
+ * Guardrails Cedar schema
  *
- * Full Cedar schema for IDE security, including:
- * - Actions: process_prompt, call_tool, connect_server, read_file, write_file
- * - Entities: User, Agent, LlmPrompt, Tool, Server, FilePath
- * - Context attributes for threat detection and workspace security
+ * Full Cedar schema for guardrails, embedded at codegen time.
+ */
+export const GUARDRAILS_SCHEMA = `// =============================================================================
+// Guardrails Cedar Schema
+// =============================================================================
+// Defines entity types, actions, and context attributes for the highflame-shield
+// guardrails service. This schema enables type-safe policy authoring and
+// validation in both Studio UI and backend.
+//
+// Service: highflame-shield (guardrails)
+// Namespace: Guardrails
+// =============================================================================
+
+namespace Guardrails {
+    // =========================================================================
+    // Entity Types — ReBAC Hierarchy
+    // =========================================================================
+    // Entity hierarchy enables Cedar's \`in\` operator for policy scoping:
+    //   Account (org root)
+    //     └── Project in [Account]
+    //           └── App in [Project]
+    //                 └── Session in [App]
+    //
+    // Policy scoping examples:
+    //   resource == Guardrails::App::"<uuid>"              → app-scoped
+    //   resource in Guardrails::Project::"<uuid>"          → project-wide
+    //   resource in Guardrails::Account::"<uuid>"          → org-wide
+    // =========================================================================
+
+    /// Account represents an organization (top-level tenant)
+    entity Account;
+
+    /// Project represents a project within an account
+    entity Project in [Account];
+
+    /// User represents a principal (human or service) making requests
+    entity User;
+
+    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests
+    entity Agent;
+
+    /// App represents a protected application (guardrails-enabled LLM app)
+    entity App in [Project];
+
+    /// Session represents an agentic conversation session with state tracking
+    entity Session in [App];
+
+    // =========================================================================
+    // Actions
+    // =========================================================================
+
+    /// Process user prompts and AI responses for security threats and content violations
+    action "process_prompt" appliesTo {
+        principal: [User, Agent],
+        resource: [App, Session],
+        context: ProcessPromptContext
+    };
+
+    /// Execute tool calls (shell, file operations, MCP tools)
+    action "call_tool" appliesTo {
+        principal: [User, Agent],
+        resource: [Session],
+        context: CallToolContext
+    };
+
+    /// Read file operations
+    action "read_file" appliesTo {
+        principal: [User, Agent],
+        resource: [Session],
+        context: FileReadContext
+    };
+
+    /// Write file operations
+    action "write_file" appliesTo {
+        principal: [User, Agent],
+        resource: [Session],
+        context: FileWriteContext
+    };
+
+    /// Connect to an MCP server
+    action "connect_server" appliesTo {
+        principal: [User, Agent],
+        resource: [Session],
+        context: ConnectServerContext
+    };
+
+    // =========================================================================
+    // Context Types (Action-Specific)
+    // =========================================================================
+
+    /// Context for process_prompt action (user prompts & AI responses)
+    type ProcessPromptContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
+        "direction": String,        // "input" | "output"
+        "content_type": String,     // "prompt" | "response" | "tool_call" | "file"
+        "detector_count": Long,
+
+        // Security - Injection & Jailbreak (optional)
+        "injection_score"?: Long,        // 0-100
+        "jailbreak_score"?: Long,        // 0-100
+        "injection_type"?: String,       // "prompt" | "sql" | "command" | "none"
+
+        // Privacy - Secrets (optional)
+        "contains_secrets"?: Bool,
+        "secret_count"?: Long,
+        "secret_types"?: Set<String>,    // ["aws_access_key", "github_token", ...]
+
+        // Privacy - PII (optional)
+        "pii_detected"?: Bool,
+        "pii_count"?: Long,
+        "pii_types"?: Set<String>,       // ["email", "phone", "ssn", "credit_card", ...]
+
+        // Trust & Safety - Toxicity (optional)
+        "violence_score"?: Long,         // 0-100
+        "hate_speech_score"?: Long,      // 0-100
+        "sexual_score"?: Long,           // 0-100
+        "weapons_score"?: Long,          // 0-100
+        "crime_score"?: Long,            // 0-100
+        "profanity_score"?: Long,        // 0-100
+
+        // Semantic - Topic Classification (optional)
+        "content_topics"?: Set<String>,      // ["controlled_substances", "weapons_manufacturing", ...]
+        "topic_confidence"?: Long,           // 0-100
+
+        // Security - Invisible Character Detection (optional)
+        "contains_invisible_chars"?: Bool,
+        "invisible_chars_score"?: Long,      // 0-100
+
+        // Additional detectors (optional)
+        "hallucination_score"?: Long,
+        "sentiment_score"?: Long,
+        "contains_code"?: Bool,
+        "code_languages"?: Set<String>,
+        "keyword_matched"?: Bool,
+        "keyword_categories"?: Set<String>,
+        "detected_language"?: String,
+        "phishing_detected"?: Bool,
+
+    };
+
+    /// Context for call_tool action (agentic tool execution)
+    type CallToolContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
+
+        // Tool Risk (optional)
+        "tool_name"?: String,            // "shell", "write_file", "http_post", etc.
+        "tool_risk_score"?: Long,        // 0-100
+        "tool_is_sensitive"?: Bool,
+        "tool_category"?: String,        // "safe" | "sensitive" | "dangerous"
+        "tool_is_builtin"?: Bool,
+
+        // MCP context (optional — only present for MCP tool calls)
+        "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
+        "mcp_tool"?: String,             // MCP tool name within the server
+        "mcp_server_verified"?: Bool,    // Whether server is from verified registry
+
+        // Agentic - Behavioral Patterns (optional)
+        "suspicious_pattern"?: Bool,
+        "pattern_type"?: String,         // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "none"
+        "sequence_risk"?: Long,          // 0-100
+
+        // Agentic - Loop Detection (optional)
+        "loop_detected"?: Bool,
+        "loop_count"?: Long,
+        "loop_tool"?: String,
+
+        // Agentic - Budget Control (optional)
+        "budget_remaining_pct"?: Long,   // 0-100
+        "budget_exceeded"?: Bool,
+
+        // Semantic - Topic Classification (optional)
+        "content_topics"?: Set<String>,      // ["controlled_substances", "weapons_manufacturing", ...]
+        "topic_confidence"?: Long,           // 0-100
+
+        // Security checks on tool arguments (optional)
+        "contains_secrets"?: Bool,
+        "secret_types"?: Set<String>,
+        "pii_detected"?: Bool,
+        "pii_types"?: Set<String>,
+        "injection_score"?: Long,
+
+    };
+
+    /// Context for read_file action
+    type FileReadContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
+
+        // Security checks on file content (optional)
+        "contains_secrets"?: Bool,
+        "secret_types"?: Set<String>,
+        "pii_detected"?: Bool,
+        "pii_types"?: Set<String>,
+
+    };
+
+    /// Context for write_file action
+    type FileWriteContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
+
+        // Security checks on content being written (optional)
+        "contains_secrets"?: Bool,
+        "secret_types"?: Set<String>,
+        "pii_detected"?: Bool,
+        "pii_types"?: Set<String>,
+
+    };
+
+    /// Context for connect_server action (MCP server connections)
+    type ConnectServerContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
+
+        // MCP context (optional)
+        "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
+        "mcp_server_verified"?: Bool,    // Whether server is from verified registry
+
+    };
+}
+`;
+/**
+ * Overwatch Cedar schema
+ *
+ * Full Cedar schema for overwatch, embedded at codegen time.
  */
 export const OVERWATCH_SCHEMA = `// Overwatch (Guardian) Cedar Schema
 // ===================================
@@ -33,17 +262,33 @@ export const OVERWATCH_SCHEMA = `// Overwatch (Guardian) Cedar Schema
 namespace Overwatch {
 
 // =============================================================================
-// ENTITIES
+// ENTITIES - Organization Hierarchy (ReBAC)
+// =============================================================================
+
+// Top-level organization for multi-tenant policy enforcement
+// Enables policies like: principal in Overwatch::Organization::"acme-corp"
+entity Organization {
+  name: String,            // "Acme Corp", "Highflame"
+};
+
+// Team within an organization
+// Enables policies like: principal in Overwatch::Team::"security-team"
+entity Team in [Organization] {
+  name: String,            // "security", "engineering", "devops"
+};
+
+// =============================================================================
+// ENTITIES - Principals
 // =============================================================================
 
 // Human user or service account making requests to the IDE
-entity User {
+entity User in [Team] {
   user_type: String,      // "external" or "internal"
   email: String,          // User email (optional)
 };
 
 // AI agent (Claude, GitHub Copilot, etc.)
-entity Agent {
+entity Agent in [Team] {
   agent_type: String,      // "claude", "copilot", etc.
 };
 
@@ -85,19 +330,37 @@ action process_prompt appliesTo {
     user_email: String,             // User identifier
 
     // Workspace
-    cwd: String,                   // Current working directory
-    workspace_root: String,        // Workspace/repository root
+    cwd?: String,                   // Current working directory
+    workspace_root?: String,        // Workspace/repository root
 
     // Threat Detection
     threat_count: Long,             // Total threats detected
     highest_severity: String,       // "critical", "high", "medium", "low"
     threat_categories: Set<String>, // Threat category names
-
     yara_threats: Set<String>,      // YARA rule names
     max_threat_severity: Long,      // Numeric severity (0-4)
     contains_secrets: Bool,         // Whether secrets detected
-    prompt_text: String,           // Same as content (legacy)
-    response_content: String,      // Response content (if available)
+    prompt_text?: String,           // Same as content (legacy)
+    response_content?: String,      // Response content (if available)
+
+    // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)
+    // Required: content safety classifiers always run for prompt processing
+    violence_score: Long,           // Violence content detection score
+    weapons_score: Long,            // Weapons content detection score
+    hate_speech_score: Long,        // Hate speech detection score
+    crime_score: Long,              // Criminal content detection score
+    sexual_score: Long,             // Sexual content detection score
+    profanity_score: Long,          // Profanity detection score
+
+    // Detector Confidence Scores (0-100, ML classifier confidence)
+    // Required: ML classifiers always run for prompt processing
+    pii_confidence: Long,           // PII detection confidence
+    injection_confidence: Long,     // Prompt injection confidence
+    jailbreak_confidence: Long,     // Jailbreak detection confidence
+
+    // Agent Security (0-100)
+    // Required: agent security scanners always run for prompt processing
+    indirect_injection_score: Long,  // Indirect prompt injection risk
   },
 };
 
@@ -113,26 +376,50 @@ action call_tool appliesTo {
     user_email: String,             // User identifier
 
     // Tool & MCP
-    tool_name: String,             // Normalized tool name ("shell", "read_file", etc.)
-    mcp_server: String,            // MCP server name
-    mcp_tool: String,              // MCP tool name
+    tool_name?: String,             // Normalized tool name ("shell", "read_file", etc.)
+    mcp_server?: String,            // MCP server name
+    mcp_tool?: String,              // MCP tool name
 
     // File & Path
-    path: String,                  // File path (if file operation)
+    path?: String,                  // File path (if file operation)
 
     // Workspace
-    cwd: String,
-    workspace_root: String,
-
-    // Threat Detection
-    threat_count: Long,
-    highest_severity: String,
-    threat_categories: Set<String>,
-
-    yara_threats: Set<String>,
-    max_threat_severity: Long,
-    contains_secrets: Bool,
-    response_content: String,
+    cwd?: String,
+    workspace_root?: String,
+
+    // Threat Detection (optional: scanning may not have run before tool call)
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    yara_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+    response_content?: String,
+
+    // Trust/Safety Scores (0-100, from Javelin/Lakera/LlamaGuard classifiers)
+    // Optional: only present when trust/safety classifiers have run
+    violence_score?: Long,          // Violence content detection score
+    weapons_score?: Long,           // Weapons content detection score
+    hate_speech_score?: Long,       // Hate speech detection score
+    crime_score?: Long,             // Criminal content detection score
+    sexual_score?: Long,            // Sexual content detection score
+    profanity_score?: Long,         // Profanity detection score
+
+    // Detector Confidence Scores (0-100, ML classifier confidence)
+    // Optional: only present when ML classifiers have run
+    pii_confidence?: Long,          // PII detection confidence
+    injection_confidence?: Long,    // Prompt injection confidence
+    jailbreak_confidence?: Long,    // Jailbreak detection confidence
+
+    // Agent Security (0-100)
+    // Optional: only present when agent security scanners have run
+    tool_poisoning_score?: Long,    // Tool description manipulation risk
+    rug_pull_score?: Long,          // Tool behavior mismatch risk
+    indirect_injection_score?: Long, // Indirect prompt injection risk
+
+    // MCP Trust
+    // Optional: only present when MCP server verification has run
+    mcp_server_verified?: Bool,     // Whether server is from verified registry
   },
 };
 
@@ -141,15 +428,25 @@ action connect_server appliesTo {
   principal: [User, Agent],
   resource: [Server],
   context: {
-    content: String,
+    content?: String,               // No content to scan when connecting
     source: String,
     event: String,
     user_email: String,
-    mcp_server: String,
-    threat_count: Long,
-    highest_severity: String,
-    threat_categories: Set<String>,
-    max_threat_severity: Long,
+    mcp_server?: String,
+    threat_count?: Long,            // Threat scanning may not run for connections
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    max_threat_severity?: Long,
+
+    // Agent Security (0-100)
+    // Optional: only present when agent security scanners have run
+    tool_poisoning_score?: Long,    // Tool description manipulation risk
+    rug_pull_score?: Long,          // Tool behavior mismatch risk
+    indirect_injection_score?: Long, // Indirect prompt injection risk
+
+    // MCP Trust
+    // Optional: only present when MCP server verification has run
+    mcp_server_verified?: Bool,     // Whether server is from verified registry
   },
 };
 
@@ -162,14 +459,14 @@ action read_file appliesTo {
     source: String,
     event: String,
     user_email: String,
-    path: String,
-    cwd: String,
-    workspace_root: String,
-    threat_count: Long,
-    highest_severity: String,
-    threat_categories: Set<String>,
-    max_threat_severity: Long,
-    contains_secrets: Bool,
+    path?: String,
+    cwd?: String,
+    workspace_root?: String,
+    threat_count?: Long,             // Threat scanning may not have run
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
   },
 };
 
@@ -182,14 +479,14 @@ action write_file appliesTo {
     source: String,
     event: String,
     user_email: String,
-    path: String,
-    cwd: String,
-    workspace_root: String,
-    threat_count: Long,
-    highest_severity: String,
-    threat_categories: Set<String>,
-    max_threat_severity: Long,
-    contains_secrets: Bool,
+    path?: String,
+    cwd?: String,
+    workspace_root?: String,
+    threat_count?: Long,             // Threat scanning may not have run
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
   },
 };
 
@@ -198,10 +495,7 @@ action write_file appliesTo {
 /**
  * Palisade Cedar schema
  *
- * Full Cedar schema for ML supply chain security, including:
- * - Actions: scan_artifact, validate_integrity, validate_provenance, quarantine_artifact, load_model, deploy_model
- * - Entities: Scanner, Artifact, Package
- * - Context attributes for ML security findings
+ * Full Cedar schema for palisade, embedded at codegen time.
  */
 export const PALISADE_SCHEMA = `// Palisade Cedar Schema
 // =====================
@@ -372,12 +666,116 @@ action scan_package appliesTo {
 
 }
 `;
+/**
+ * Guardrails context metadata (parsed JSON)
+ */
+export const GUARDRAILS_CONTEXT = {
+    "service": "guardrails",
+    "version": "1.0.0",
+    "description": "Guardrails (Shield) content security & policy enforcement for LLM applications",
+    "actions": [
+        {
+            "name": "process_prompt",
+            "description": "Analyze user prompts and AI responses for security threats, PII, and content violations",
+            "context_attributes": [
+                { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request, useful for audit trails and debugging" },
+                { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds when the request was processed" },
+                { "key": "direction", "type": "string", "required": true, "description": "Content flow direction: \'input\' for user prompts, \'output\' for AI responses. Use this to apply different policies to inputs vs outputs (e.g., block PII only in outputs)" },
+                { "key": "content_type", "type": "string", "required": true, "description": "Type of content being analyzed: \'prompt\', \'response\', \'tool_call\', or \'file\'" },
+                { "key": "detector_count", "type": "number", "required": true, "description": "Number of detectors that were executed for this request" },
+                { "key": "injection_score", "type": "number", "required": false, "description": "ML-based confidence score for prompt injection attacks (0-100). Higher scores indicate higher confidence. Typical threshold: >85 for high-confidence blocks" },
+                { "key": "jailbreak_score", "type": "number", "required": false, "description": "ML-based confidence score for jailbreak attempts (0-100). Detects attempts to bypass safety guardrails. Typical threshold: >80 for blocks" },
+                { "key": "injection_type", "type": "string", "required": false, "description": "Type of injection detected: \'prompt\', \'sql\', \'command\', or \'none\'. Use this to apply different policies per injection type" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether any API keys, tokens, passwords, or credentials were detected in the content. True indicates presence of secrets" },
+                { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found. Multiple matches may indicate data dumps or accidental credential exposure" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found (e.g., [\'aws_access_key\', \'github_token\']). Use set operations like .contains() to check for specific types" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether personally identifiable information (PII) was found in the content. Commonly used to block PII in outputs to prevent data leakage" },
+                { "key": "pii_count", "type": "number", "required": false, "description": "Total number of PII matches found (emails, phone numbers, SSNs, etc.)" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types detected (e.g., [\'email\', \'phone\', \'ssn\', \'credit_card\']). Use .contains() to block specific sensitive types" },
+                { "key": "violence_score", "type": "number", "required": false, "description": "ML-based score for violent content references (0-100). Typical threshold: >90 for critical blocks, >60 for warnings" },
+                { "key": "hate_speech_score", "type": "number", "required": false, "description": "ML-based score for hate speech, discriminatory language, or targeted harassment (0-100). Typical threshold: >75 for blocks" },
+                { "key": "sexual_score", "type": "number", "required": false, "description": "ML-based score for sexual or adult content (0-100). Adjust thresholds based on your application\'s audience" },
+                { "key": "weapons_score", "type": "number", "required": false, "description": "ML-based score for weapons references or violent imagery (0-100)" },
+                { "key": "crime_score", "type": "number", "required": false, "description": "ML-based score for criminal activity discussions (0-100)" },
+                { "key": "profanity_score", "type": "number", "required": false, "description": "ML-based score for profanity and vulgar language (0-100)" },
+                { "key": "content_topics", "type": "array", "required": false, "description": "Semantic topics detected in content (e.g., [\'controlled_substances\', \'weapons_manufacturing\']). Use .contains() to block specific topics per application" },
+                { "key": "topic_confidence", "type": "number", "required": false, "description": "Confidence score from topic classifier (0-100). Use with content_topics to tune sensitivity — higher thresholds reduce false positives" },
+                { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Whether invisible Unicode characters (zero-width joiners, RTL marks, etc.) were detected in the content. Commonly used for prompt injection evasion" },
+                { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Density score for invisible characters in the content (0-100). Higher scores indicate more invisible characters, suggesting evasion attempts" }
+            ]
+        },
+        {
+            "name": "call_tool",
+            "description": "Execute agentic tool calls, including shell commands, file operations, and MCP tools",
+            "context_attributes": [
+                { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
+                { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
+                { "key": "tool_name", "type": "string", "required": false, "description": "Name of the tool being called (e.g., \'shell\', \'write_file\', \'http_post\'). Use this to block specific dangerous tools" },
+                { "key": "tool_risk_score", "type": "number", "required": false, "description": "Computed risk score for this tool call (0-100). Considers tool sensitivity, argument patterns, and MCP verification status. Typical threshold: >85 for dangerous tools" },
+                { "key": "tool_is_sensitive", "type": "boolean", "required": false, "description": "Whether the tool is classified as sensitive (shell, file operations, network access, etc.)" },
+                { "key": "tool_category", "type": "string", "required": false, "description": "Tool classification: \'safe\', \'sensitive\', or \'dangerous\'. Based on tool type and argument patterns" },
+                { "key": "tool_is_builtin", "type": "boolean", "required": false, "description": "Whether the tool is a built-in tool (vs MCP external tool). Built-in tools are generally more trusted" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "Name of the MCP server providing this tool (e.g., \'github\', \'filesystem\', \'slack\'). Empty for built-in tools. Use this to control which tools are allowed per MCP server" },
+                { "key": "mcp_tool", "type": "string", "required": false, "description": "Name of the specific tool within the MCP server (e.g., \'read_issues\', \'create_file\'). Use with mcp_server for fine-grained per-tool permissioning" },
+                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether the MCP server is from a verified/trusted registry. Unverified servers have elevated risk scores. Use this to block tool calls from unverified sources" },
+                { "key": "suspicious_pattern", "type": "boolean", "required": false, "description": "Whether a suspicious action sequence was detected (e.g., read_file → http_post indicating data exfiltration). Requires session tracking" },
+                { "key": "pattern_type", "type": "string", "required": false, "description": "Type of suspicious pattern: \'data_exfiltration\', \'secret_exfiltration\', \'db_exfiltration\', or \'none\'. Use this to apply different policies per threat type" },
+                { "key": "sequence_risk", "type": "number", "required": false, "description": "Risk score from action sequence analysis (0-100). Analyzes history of tool calls to detect attack patterns. Typical threshold: >80 for blocks" },
+                { "key": "loop_detected", "type": "boolean", "required": false, "description": "Whether a tool call loop was detected (same tool called repeatedly). May indicate infinite loops or runaway agents. Requires session tracking" },
+                { "key": "loop_count", "type": "number", "required": false, "description": "Number of consecutive repeated tool calls. Typical threshold: >3 for loop detection" },
+                { "key": "loop_tool", "type": "string", "required": false, "description": "Name of the tool involved in the loop" },
+                { "key": "budget_remaining_pct", "type": "number", "required": false, "description": "Remaining token budget as percentage (0-100). Use this to warn or block when budget is low. Requires session with token budget configuration" },
+                { "key": "budget_exceeded", "type": "boolean", "required": false, "description": "Whether the token budget has been exceeded. Use this to enforce cost controls on agentic sessions" },
+                { "key": "content_topics", "type": "array", "required": false, "description": "Semantic topics detected in tool arguments or content (e.g., [\'controlled_substances\']). Use .contains() to restrict tool calls involving specific topics" },
+                { "key": "topic_confidence", "type": "number", "required": false, "description": "Confidence score from topic classifier for tool content (0-100)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in tool arguments or content" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in tool arguments" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in tool arguments or content" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in tool arguments" }
+            ]
+        },
+        {
+            "name": "read_file",
+            "description": "Read file operations for analyzing file content before allowing access",
+            "context_attributes": [
+                { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
+                { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in the file content being read" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in file content" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in the file content" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in file content" }
+            ]
+        },
+        {
+            "name": "write_file",
+            "description": "Write file operations for preventing writes of sensitive content",
+            "context_attributes": [
+                { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
+                { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in the content being written. Block writes containing credentials" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in write content" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in the content being written" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in write content" }
+            ]
+        },
+        {
+            "name": "connect_server",
+            "description": "Connect to an MCP server, used to control which MCP servers are allowed",
+            "context_attributes": [
+                { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
+                { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "Name of the MCP server being connected to (e.g., \'github\', \'filesystem\', \'slack\'). Use this to allow or block specific MCP servers" },
+                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether the MCP server is from a verified/trusted registry. Use this to block connections to unverified servers" }
+            ]
+        }
+    ]
+};
 /**
  * Overwatch context metadata (parsed JSON)
  */
 export const OVERWATCH_CONTEXT = {
     "service": "overwatch",
-    "version": "1.0.0",
+    "version": "2.0.0",
     "description": "Overwatch (Guardian) IDE security & policy enforcement",
     "actions": [
         {
@@ -393,11 +791,22 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "threat_count", "type": "number", "required": true, "description": "Total number of threats detected by YARA/Javelin" },
                 { "key": "highest_severity", "type": "string", "required": true, "description": "Highest severity level: critical, high, medium, low" },
                 { "key": "threat_categories", "type": "array", "required": true, "description": "Threat category names from aggregator" },
+                { "key": "threat_types", "type": "array", "required": true, "description": "YARA threat category names" },
                 { "key": "yara_threats", "type": "array", "required": true, "description": "YARA rule names that matched" },
                 { "key": "max_threat_severity", "type": "number", "required": true, "description": "Numeric severity (0-4, where 4=CRITICAL)" },
                 { "key": "contains_secrets", "type": "boolean", "required": true, "description": "Whether secrets or credentials were detected" },
                 { "key": "prompt_text", "type": "string", "required": false, "description": "Same as content (legacy field)" },
-                { "key": "response_content", "type": "string", "required": false, "description": "Response content from AI (if available)" }
+                { "key": "response_content", "type": "string", "required": false, "description": "Response content from AI (if available)" },
+                { "key": "violence_score", "type": "number", "required": true, "description": "Violence content detection score (0-100)" },
+                { "key": "weapons_score", "type": "number", "required": true, "description": "Weapons content detection score (0-100)" },
+                { "key": "hate_speech_score", "type": "number", "required": true, "description": "Hate speech detection score (0-100)" },
+                { "key": "crime_score", "type": "number", "required": true, "description": "Criminal content detection score (0-100)" },
+                { "key": "sexual_score", "type": "number", "required": true, "description": "Sexual content detection score (0-100)" },
+                { "key": "profanity_score", "type": "number", "required": true, "description": "Profanity detection score (0-100)" },
+                { "key": "pii_confidence", "type": "number", "required": true, "description": "PII detection classifier confidence (0-100)" },
+                { "key": "injection_confidence", "type": "number", "required": true, "description": "Prompt injection classifier confidence (0-100)" },
+                { "key": "jailbreak_confidence", "type": "number", "required": true, "description": "Jailbreak detection classifier confidence (0-100)" },
+                { "key": "indirect_injection_score", "type": "number", "required": true, "description": "Indirect prompt injection risk score (0-100)" }
             ]
         },
         {
@@ -414,28 +823,46 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "path", "type": "string", "required": false, "description": "File path (if file operation)" },
                 { "key": "cwd", "type": "string", "required": false, "description": "Current working directory" },
                 { "key": "workspace_root", "type": "string", "required": false, "description": "Workspace/repository root path" },
-                { "key": "threat_count", "type": "number", "required": true, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": true, "description": "Highest severity: critical, high, medium, low" },
-                { "key": "threat_categories", "type": "array", "required": true, "description": "Threat category names" },
-                { "key": "yara_threats", "type": "array", "required": true, "description": "YARA rule names" },
-                { "key": "max_threat_severity", "type": "number", "required": true, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": true, "description": "Whether secrets detected" },
-                { "key": "response_content", "type": "string", "required": false, "description": "Response content (if available)" }
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity (if scanning ran)" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names (if scanning ran)" },
+                { "key": "threat_types", "type": "array", "required": false, "description": "YARA threat categories (if scanning ran)" },
+                { "key": "yara_threats", "type": "array", "required": false, "description": "YARA rule names (if scanning ran)" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets detected (if scanning ran)" },
+                { "key": "response_content", "type": "string", "required": false, "description": "Response content (if available)" },
+                { "key": "violence_score", "type": "number", "required": false, "description": "Violence content detection score (0-100)" },
+                { "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content detection score (0-100)" },
+                { "key": "hate_speech_score", "type": "number", "required": false, "description": "Hate speech detection score (0-100)" },
+                { "key": "crime_score", "type": "number", "required": false, "description": "Criminal content detection score (0-100)" },
+                { "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content detection score (0-100)" },
+                { "key": "profanity_score", "type": "number", "required": false, "description": "Profanity detection score (0-100)" },
+                { "key": "pii_confidence", "type": "number", "required": false, "description": "PII detection classifier confidence (0-100)" },
+                { "key": "injection_confidence", "type": "number", "required": false, "description": "Prompt injection classifier confidence (0-100)" },
+                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak detection classifier confidence (0-100)" },
+                { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool description manipulation risk score (0-100)" },
+                { "key": "rug_pull_score", "type": "number", "required": false, "description": "Tool behavior mismatch risk score (0-100)" },
+                { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect prompt injection risk score (0-100)" },
+                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether MCP server is from a verified registry" }
             ]
         },
         {
             "name": "connect_server",
             "description": "Connect to an MCP server",
             "context_attributes": [
-                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
+                { "key": "content", "type": "string", "required": false, "description": "Raw content being scanned (if available)" },
                 { "key": "source", "type": "string", "required": true, "description": "IDE source" },
                 { "key": "event", "type": "string", "required": true, "description": "Hook event name" },
                 { "key": "user_email", "type": "string", "required": true, "description": "User identifier" },
                 { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
-                { "key": "threat_count", "type": "number", "required": true, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": true, "description": "Highest severity level" },
-                { "key": "threat_categories", "type": "array", "required": true, "description": "Threat category names" },
-                { "key": "max_threat_severity", "type": "number", "required": true, "description": "Numeric severity (0-4)" }
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level (if scanning ran)" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names (if scanning ran)" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
+                { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool description manipulation risk score (0-100)" },
+                { "key": "rug_pull_score", "type": "number", "required": false, "description": "Tool behavior mismatch risk score (0-100)" },
+                { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect prompt injection risk score (0-100)" },
+                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether MCP server is from a verified registry" }
             ]
         },
         {
@@ -447,14 +874,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "event", "type": "string", "required": true, "description": "Hook event name (e.g., beforeReadFile)" },
                 { "key": "user_email", "type": "string", "required": true, "description": "User identifier" },
                 { "key": "path", "type": "string", "required": false, "description": "File path being read" },
-                { "key": "file_path", "type": "string", "required": false, "description": "Duplicate of path field" },
                 { "key": "cwd", "type": "string", "required": false, "description": "Current working directory" },
                 { "key": "workspace_root", "type": "string", "required": false, "description": "Workspace root path" },
-                { "key": "threat_count", "type": "number", "required": true, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": true, "description": "Highest severity level" },
-                { "key": "threat_categories", "type": "array", "required": true, "description": "Threat categories" },
-                { "key": "max_threat_severity", "type": "number", "required": true, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": true, "description": "Whether secrets detected" }
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level (if scanning ran)" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat categories (if scanning ran)" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets detected (if scanning ran)" }
             ]
         },
         {
@@ -466,14 +892,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "event", "type": "string", "required": true, "description": "Hook event name" },
                 { "key": "user_email", "type": "string", "required": true, "description": "User identifier" },
                 { "key": "path", "type": "string", "required": false, "description": "File path being written" },
-                { "key": "file_path", "type": "string", "required": false, "description": "Duplicate of path field" },
                 { "key": "cwd", "type": "string", "required": false, "description": "Current working directory" },
                 { "key": "workspace_root", "type": "string", "required": false, "description": "Workspace root path" },
-                { "key": "threat_count", "type": "number", "required": true, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": true, "description": "Highest severity level" },
-                { "key": "threat_categories", "type": "array", "required": true, "description": "Threat categories" },
-                { "key": "max_threat_severity", "type": "number", "required": true, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": true, "description": "Whether secrets detected" }
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected (if scanning ran)" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level (if scanning ran)" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat categories (if scanning ran)" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity 0-4 (if scanning ran)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets detected (if scanning ran)" }
             ]
         }
     ]