@highflame/policy 2.0.9 → 2.1.0

package/_schemas/guardrails/templates/profiles/chat_assistant.cedar

@@ -0,0 +1,85 @@
+// =============================================================================
+// Chat Assistant Profile
+// =============================================================================
+// Optimized for customer-facing chatbots and conversational AI.
+// Strict content moderation, PII protection, and injection defense.
+// No tool-related policies (chat assistants don't call tools).
+//
+// Deploy: One-click deploy scopes all rules to a specific application via
+// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
+//
+// Category: organization
+// Namespace: Guardrails
+// =============================================================================
+
+@id("chat-toxicity-strict")
+@name("Strict toxicity for chat")
+@description("Lower thresholds for customer-facing content — blocks toxicity above 70")
+@severity("critical")
+@tags("profile,chat-assistant,toxicity,trust-safety")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.violence_score > 70 ||
+    context.hate_speech_score > 70 ||
+    context.sexual_score > 70 ||
+    context.profanity_score > 70
+};
+
+@id("chat-pii-block-input-output")
+@name("Block PII in both directions")
+@description("Blocks PII in both user inputs and assistant outputs for chat applications")
+@severity("high")
+@tags("profile,chat-assistant,pii,privacy")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.pii_detected == true
+};
+
+@id("chat-injection-lower-threshold")
+@name("Aggressive injection defense for chat")
+@description("Lower injection threshold for public-facing chat — blocks above 70")
+@severity("high")
+@tags("profile,chat-assistant,injection,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.injection_score > 70
+};
+
+@id("chat-jailbreak-lower-threshold")
+@name("Aggressive jailbreak defense for chat")
+@description("Lower jailbreak threshold for public-facing chat — blocks above 65")
+@severity("high")
+@tags("profile,chat-assistant,jailbreak,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.jailbreak_score > 65
+};
+
+@id("chat-topic-restriction")
+@name("Block restricted topics in chat")
+@description("Prevents chat assistants from discussing dangerous or regulated topics")
+@severity("high")
+@tags("profile,chat-assistant,semantic,compliance")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.topic_confidence > 70 &&
+    (context.content_topics.contains("weapons_manufacturing") ||
+     context.content_topics.contains("illegal_activity") ||
+     context.content_topics.contains("controlled_substances") ||
+     context.content_topics.contains("financial_fraud"))
+};

package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar

@@ -0,0 +1,109 @@
+// =============================================================================
+// Code Agent — Agentic Security
+// =============================================================================
+// Tool risk controls, shell execution blocking, loop detection,
+// exfiltration prevention, and budget enforcement for coding assistants.
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("code-block-dangerous-tools")
+@name("Block dangerous tool execution")
+@description("Forbids tools classified as dangerous or with very high risk scores")
+@severity("critical")
+@tags("profile,code-agent,tools,agentic")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    (context has tool_risk_score && context.tool_risk_score > 85) ||
+    (context has tool_category && context.tool_category == "dangerous")
+};
+
+@id("code-block-shell-execution")
+@name("Block direct shell commands")
+@description("Forbids direct shell and command execution tools")
+@severity("high")
+@tags("profile,code-agent,tools,shell")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_name &&
+    (context.tool_name == "shell" ||
+     context.tool_name == "execute_command" ||
+     context.tool_name == "bash")
+};
+
+@id("code-block-sensitive-tools")
+@name("Block sensitive tools with elevated risk")
+@description("Forbids sensitive tool calls with risk above 70")
+@severity("high")
+@tags("profile,code-agent,tools,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_is_sensitive && context.tool_is_sensitive == true &&
+    context has tool_risk_score && context.tool_risk_score > 70
+};
+
+@id("code-block-loops")
+@name("Block tool call loops")
+@description("Stops infinite tool call loops in agentic workflows")
+@severity("high")
+@tags("profile,code-agent,agentic,loops")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has loop_detected && context.loop_detected == true &&
+    context has loop_count && context.loop_count > 5
+};
+
+@id("code-block-exfiltration")
+@name("Block data exfiltration patterns")
+@description("Detects and blocks read → send patterns indicating data theft")
+@severity("critical")
+@tags("profile,code-agent,agentic,exfiltration")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type &&
+    (context.pattern_type == "data_exfiltration" ||
+     context.pattern_type == "secret_exfiltration")
+};
+
+@id("code-block-high-sequence-risk")
+@name("Block high-risk action sequences")
+@description("Forbids suspicious multi-step tool sequences with risk above 75")
+@severity("high")
+@tags("profile,code-agent,agentic,patterns")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has sequence_risk && context.sequence_risk > 75
+};
+
+@id("code-block-budget-exceeded")
+@name("Block on budget exceeded")
+@description("Stops agent execution when token budget is exhausted")
+@severity("medium")
+@tags("profile,code-agent,budget,cost-control")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has budget_exceeded && context.budget_exceeded == true
+};

package/_schemas/guardrails/templates/profiles/code_agent/security.cedar

@@ -0,0 +1,22 @@
+// =============================================================================
+// Code Agent — Security
+// =============================================================================
+// Secrets protection for coding assistants.
+// Prevents code agents from writing detected secrets to output files.
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("code-block-write-secrets")
+@name("Block writing secrets to files")
+@description("Prevents code agents from writing detected secrets to output files")
+@severity("critical")
+@tags("profile,code-agent,secrets,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+) when {
+    context has contains_secrets && context.contains_secrets == true
+};

package/_schemas/guardrails/templates/profiles/code_agent.cedar

@@ -0,0 +1,125 @@
+// =============================================================================
+// Code Agent Profile
+// =============================================================================
+// Optimized for coding assistants and agentic development tools.
+// Focuses on tool risk, shell execution controls, agentic safety patterns,
+// and data exfiltration prevention. Relaxed toxicity (code discussions may
+// reference security topics legitimately).
+//
+// Deploy: One-click deploy scopes all rules to a specific application via
+// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("code-block-dangerous-tools")
+@name("Block dangerous tool execution")
+@description("Forbids tools classified as dangerous or with very high risk scores")
+@severity("critical")
+@tags("profile,code-agent,tools,agentic")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.tool_risk_score > 85 ||
+    context.tool_category == "dangerous"
+};
+
+@id("code-block-shell-execution")
+@name("Block direct shell commands")
+@description("Forbids direct shell and command execution tools")
+@severity("high")
+@tags("profile,code-agent,tools,shell")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.tool_name == "shell" ||
+    context.tool_name == "execute_command" ||
+    context.tool_name == "bash"
+};
+
+@id("code-block-sensitive-tools")
+@name("Block sensitive tools with elevated risk")
+@description("Forbids sensitive tool calls with risk above 70")
+@severity("high")
+@tags("profile,code-agent,tools,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.tool_is_sensitive == true &&
+    context.tool_risk_score > 70
+};
+
+@id("code-block-loops")
+@name("Block tool call loops")
+@description("Stops infinite tool call loops in agentic workflows")
+@severity("high")
+@tags("profile,code-agent,agentic,loops")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.loop_detected == true &&
+    context.loop_count > 5
+};
+
+@id("code-block-exfiltration")
+@name("Block data exfiltration patterns")
+@description("Detects and blocks read → send patterns indicating data theft")
+@severity("critical")
+@tags("profile,code-agent,agentic,exfiltration")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context.suspicious_pattern == true &&
+    (context.pattern_type == "data_exfiltration" ||
+     context.pattern_type == "secret_exfiltration")
+};
+
+@id("code-block-high-sequence-risk")
+@name("Block high-risk action sequences")
+@description("Forbids suspicious multi-step tool sequences with risk above 75")
+@severity("high")
+@tags("profile,code-agent,agentic,patterns")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context.sequence_risk > 75
+};
+
+@id("code-block-budget-exceeded")
+@name("Block on budget exceeded")
+@description("Stops agent execution when token budget is exhausted")
+@severity("medium")
+@tags("profile,code-agent,budget,cost-control")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context.budget_exceeded == true
+};
+
+@id("code-block-write-secrets")
+@name("Block writing secrets to files")
+@description("Prevents code agents from writing detected secrets to output files")
+@severity("critical")
+@tags("profile,code-agent,secrets,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+) when {
+    context.contains_secrets == true
+};

package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar

@@ -0,0 +1,38 @@
+// =============================================================================
+// Data Pipeline — Agentic Security
+// =============================================================================
+// Exfiltration prevention and tool risk controls for data pipelines.
+// Prevents retrieval data from being sent to external endpoints.
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-block-exfiltration")
+@name("Block data exfiltration from pipeline")
+@description("Prevents retrieval data from being sent to external endpoints")
+@severity("critical")
+@tags("profile,data-pipeline,exfiltration,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type &&
+    (context.pattern_type == "data_exfiltration" ||
+     context.pattern_type == "db_exfiltration")
+};
+
+@id("data-block-high-risk-tools")
+@name("Block high-risk tools in pipeline")
+@description("Forbids tools with elevated risk in data processing context")
+@severity("high")
+@tags("profile,data-pipeline,tools,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_risk_score && context.tool_risk_score > 60
+};

package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar

@@ -0,0 +1,40 @@
+// =============================================================================
+// Data Pipeline — Privacy
+// =============================================================================
+// Strict PII protection for RAG pipelines and data processing agents.
+// Zero-tolerance for sensitive PII types — data pipelines must not leak PII.
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-pii-block-all")
+@name("Block all PII in data pipeline")
+@description("Forbids any PII in both inputs and outputs — data pipelines must not process or leak PII")
+@severity("critical")
+@tags("profile,data-pipeline,pii,privacy")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has pii_detected && context.pii_detected == true
+};
+
+@id("data-pii-block-sensitive-types")
+@name("Block sensitive PII types strictly")
+@description("Zero-tolerance for SSN, credit cards, passport numbers, and medical IDs in data pipelines")
+@severity("critical")
+@tags("profile,data-pipeline,pii,compliance")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has pii_types &&
+    (context.pii_types.contains("ssn") ||
+     context.pii_types.contains("credit_card") ||
+     context.pii_types.contains("passport") ||
+     context.pii_types.contains("medical_id") ||
+     context.pii_types.contains("tax_id"))
+};

package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar

@@ -0,0 +1,49 @@
+// =============================================================================
+// Data Pipeline — Security
+// =============================================================================
+// Strict secrets detection and injection defense for data pipelines.
+// RAG inputs are high-risk for injection — lower thresholds than defaults.
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-secrets-strict")
+@name("Strict secrets detection for data pipeline")
+@description("Blocks any content containing secrets — even a single match")
+@severity("critical")
+@tags("profile,data-pipeline,secrets,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+@id("data-block-output-secrets")
+@name("Block secrets in pipeline outputs")
+@description("Prevents data pipeline from writing secrets to any output")
+@severity("critical")
+@tags("profile,data-pipeline,secrets,output")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+) when {
+    (context has contains_secrets && context.contains_secrets == true) ||
+    (context has secret_count && context.secret_count > 0)
+};
+
+@id("data-injection-defense")
+@name("Pipeline injection defense")
+@description("Lower injection threshold for data pipelines — RAG inputs are high-risk for injection")
+@severity("high")
+@tags("profile,data-pipeline,injection,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has injection_score && context.injection_score > 65
+};

package/_schemas/guardrails/templates/profiles/data_pipeline.cedar

@@ -0,0 +1,111 @@
+// =============================================================================
+// Data Pipeline Profile
+// =============================================================================
+// Optimized for RAG pipelines, data processing agents, and retrieval systems.
+// Strong PII and secrets protection, exfiltration detection, and output
+// filtering. Focused on data integrity and privacy compliance.
+//
+// Deploy: One-click deploy scopes all rules to a specific application via
+// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-pii-block-all")
+@name("Block all PII in data pipeline")
+@description("Forbids any PII in both inputs and outputs — data pipelines must not process or leak PII")
+@severity("critical")
+@tags("profile,data-pipeline,pii,privacy")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.pii_detected == true
+};
+
+@id("data-pii-block-sensitive-types")
+@name("Block sensitive PII types strictly")
+@description("Zero-tolerance for SSN, credit cards, passport numbers, and medical IDs in data pipelines")
+@severity("critical")
+@tags("profile,data-pipeline,pii,compliance")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.pii_types.contains("ssn") ||
+    context.pii_types.contains("credit_card") ||
+    context.pii_types.contains("passport") ||
+    context.pii_types.contains("medical_id") ||
+    context.pii_types.contains("tax_id")
+};
+
+@id("data-secrets-strict")
+@name("Strict secrets detection for data pipeline")
+@description("Blocks any content containing secrets — even a single match")
+@severity("critical")
+@tags("profile,data-pipeline,secrets,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context.contains_secrets == true
+};
+
+@id("data-block-exfiltration")
+@name("Block data exfiltration from pipeline")
+@description("Prevents retrieval data from being sent to external endpoints")
+@severity("critical")
+@tags("profile,data-pipeline,exfiltration,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context.suspicious_pattern == true &&
+    (context.pattern_type == "data_exfiltration" ||
+     context.pattern_type == "db_exfiltration")
+};
+
+@id("data-block-high-risk-tools")
+@name("Block high-risk tools in pipeline")
+@description("Forbids tools with elevated risk in data processing context")
+@severity("high")
+@tags("profile,data-pipeline,tools,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.tool_risk_score > 60
+};
+
+@id("data-block-output-secrets")
+@name("Block secrets in pipeline outputs")
+@description("Prevents data pipeline from writing secrets to any output")
+@severity("critical")
+@tags("profile,data-pipeline,secrets,output")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+) when {
+    context.contains_secrets == true ||
+    context.secret_count > 0
+};
+
+@id("data-injection-defense")
+@name("Pipeline injection defense")
+@description("Lower injection threshold for data pipelines — RAG inputs are high-risk for injection")
+@severity("high")
+@tags("profile,data-pipeline,injection,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.injection_score > 65
+};