@highflame/policy 2.0.9 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50) hide show
  1. package/_schemas/guardrails/context.json +435 -0
  2. package/_schemas/guardrails/schema.cedarschema +225 -0
  3. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +94 -0
  4. package/_schemas/guardrails/templates/defaults/baseline.cedar +24 -0
  5. package/_schemas/guardrails/templates/defaults/injection.cedar +70 -0
  6. package/_schemas/guardrails/templates/defaults/pii.cedar +48 -0
  7. package/_schemas/guardrails/templates/defaults/secrets.cedar +40 -0
  8. package/_schemas/guardrails/templates/defaults/semantic.cedar +59 -0
  9. package/_schemas/guardrails/templates/defaults/tool_risk.cedar +58 -0
  10. package/_schemas/guardrails/templates/defaults/toxicity.cedar +76 -0
  11. package/_schemas/guardrails/templates/mcp_tool_permissions.cedar +84 -0
  12. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +22 -0
  13. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +35 -0
  14. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +43 -0
  15. package/_schemas/guardrails/templates/profiles/chat_assistant.cedar +85 -0
  16. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +109 -0
  17. package/_schemas/guardrails/templates/profiles/code_agent/security.cedar +22 -0
  18. package/_schemas/guardrails/templates/profiles/code_agent.cedar +125 -0
  19. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +38 -0
  20. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +40 -0
  21. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +49 -0
  22. package/_schemas/guardrails/templates/profiles/data_pipeline.cedar +111 -0
  23. package/_schemas/guardrails/templates/templates.json +213 -0
  24. package/_schemas/overwatch/context.json +54 -54
  25. package/_schemas/overwatch/schema.cedarschema +77 -68
  26. package/dist/builder.d.ts +106 -13
  27. package/dist/builder.js +103 -34
  28. package/dist/engine.d.ts +20 -2
  29. package/dist/engine.js +50 -20
  30. package/dist/entities.gen.d.ts +4 -0
  31. package/dist/entities.gen.js +4 -0
  32. package/dist/explain.d.ts +150 -0
  33. package/dist/explain.js +363 -0
  34. package/dist/guardrails-context.gen.d.ts +49 -0
  35. package/dist/guardrails-context.gen.js +50 -0
  36. package/dist/guardrails-defaults.gen.d.ts +61 -0
  37. package/dist/guardrails-defaults.gen.js +1278 -0
  38. package/dist/guardrails-entities.gen.d.ts +11 -0
  39. package/dist/guardrails-entities.gen.js +37 -0
  40. package/dist/index.d.ts +6 -1
  41. package/dist/index.js +6 -1
  42. package/dist/overwatch-defaults.gen.js +122 -2
  43. package/dist/parser.js +136 -4
  44. package/dist/schema.gen.d.ts +1 -1
  45. package/dist/schema.gen.js +6 -0
  46. package/dist/service-schemas.gen.d.ts +15 -11
  47. package/dist/service-schemas.gen.js +509 -84
  48. package/dist/types.d.ts +6 -1
  49. package/dist/types.js +6 -1
  50. package/package.json +5 -1
package/_schemas/guardrails/templates/templates.json ADDED
@@ -0,0 +1,213 @@
1
+ {
2
+ "service": "guardrails",
3
+ "version": "1.0.0",
4
+ "description": "Guardrails policy templates for LLM application security",
5
+ "categories": [
6
+ {
7
+ "id": "security",
8
+ "name": "Security",
9
+ "description": "Detect and block prompt injection, jailbreak attempts, and credential leakage"
10
+ },
11
+ {
12
+ "id": "privacy",
13
+ "name": "Privacy",
14
+ "description": "Detect and block personally identifiable information (PII) in prompts and responses"
15
+ },
16
+ {
17
+ "id": "trust_safety",
18
+ "name": "Trust & Safety",
19
+ "description": "Detect and block toxic, violent, hateful, sexual, or profane content"
20
+ },
21
+ {
22
+ "id": "agentic_security",
23
+ "name": "Agentic Security",
24
+ "description": "Detect tool abuse, data exfiltration patterns, infinite loops, and budget violations"
25
+ },
26
+ {
27
+ "id": "organization",
28
+ "name": "Organization",
29
+ "description": "Organization-wide baselines and default permit/deny policies"
30
+ }
31
+ ],
32
+ "defaults": [
33
+ {
34
+ "id": "baseline-default",
35
+ "name": "Baseline Permit",
36
+ "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
37
+ "category": "organization",
38
+ "file": "defaults/baseline.cedar",
39
+ "severity": "low",
40
+ "tags": ["baseline", "permit-default", "organization"],
41
+ "is_active": true
42
+ },
43
+ {
44
+ "id": "secrets-default",
45
+ "name": "Secrets Detection",
46
+ "description": "Block content containing API keys, tokens, credentials, or other secrets",
47
+ "category": "security",
48
+ "file": "defaults/secrets.cedar",
49
+ "severity": "critical",
50
+ "tags": ["secrets", "api-keys", "credentials", "data-leak"],
51
+ "is_active": true
52
+ },
53
+ {
54
+ "id": "injection-default",
55
+ "name": "Injection & Jailbreak Detection",
56
+ "description": "Block prompt injection, jailbreak attempts, and command injection using ML confidence scores",
57
+ "category": "security",
58
+ "file": "defaults/injection.cedar",
59
+ "severity": "high",
60
+ "tags": ["injection", "jailbreak", "security"],
61
+ "is_active": true
62
+ },
63
+ {
64
+ "id": "pii-default",
65
+ "name": "PII Detection",
66
+ "description": "Block content containing PII such as SSN, credit cards, or passport numbers in outputs",
67
+ "category": "privacy",
68
+ "file": "defaults/pii.cedar",
69
+ "severity": "high",
70
+ "tags": ["pii", "privacy", "data-protection"],
71
+ "is_active": true
72
+ },
73
+ {
74
+ "id": "toxicity-default",
75
+ "name": "Toxicity & Content Moderation",
76
+ "description": "Block toxic, violent, hateful, sexual, and profane content based on classifier scores",
77
+ "category": "trust_safety",
78
+ "file": "defaults/toxicity.cedar",
79
+ "severity": "critical",
80
+ "tags": ["toxicity", "trust-safety", "content-moderation"],
81
+ "is_active": true
82
+ },
83
+ {
84
+ "id": "tool-risk-default",
85
+ "name": "Tool Risk",
86
+ "description": "Block dangerous tool calls, shell execution, and sensitive tool usage based on risk scoring",
87
+ "category": "agentic_security",
88
+ "file": "defaults/tool_risk.cedar",
89
+ "severity": "critical",
90
+ "tags": ["tools", "agentic", "security"],
91
+ "is_active": true
92
+ },
93
+ {
94
+ "id": "agentic-safety-default",
95
+ "name": "Agentic Safety",
96
+ "description": "Block tool call loops, data exfiltration patterns, high-risk sequences, and budget violations",
97
+ "category": "agentic_security",
98
+ "file": "defaults/agentic_safety.cedar",
99
+ "severity": "high",
100
+ "tags": ["agentic", "safety", "loops", "exfiltration", "budget"],
101
+ "is_active": true
102
+ }
103
+ ],
104
+ "templates": [
105
+ {
106
+ "id": "mcp-tool-permissions",
107
+ "name": "MCP Tool Permissions",
108
+ "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
109
+ "category": "agentic_security",
110
+ "file": "mcp_tool_permissions.cedar",
111
+ "severity": "high",
112
+ "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
113
+ },
114
+ {
115
+ "id": "chat-assistant-security",
116
+ "name": "Chat Assistant — Security",
117
+ "description": "Aggressive injection and jailbreak defense for customer-facing chatbots with lower thresholds",
118
+ "category": "security",
119
+ "file": "profiles/chat_assistant/security.cedar",
120
+ "severity": "high",
121
+ "tags": ["profile", "chat-assistant", "injection", "jailbreak", "security"]
122
+ },
123
+ {
124
+ "id": "chat-assistant-privacy",
125
+ "name": "Chat Assistant — Privacy",
126
+ "description": "Block PII in both user inputs and assistant outputs for chat applications",
127
+ "category": "privacy",
128
+ "file": "profiles/chat_assistant/privacy.cedar",
129
+ "severity": "high",
130
+ "tags": ["profile", "chat-assistant", "pii", "privacy"]
131
+ },
132
+ {
133
+ "id": "chat-assistant-trust-safety",
134
+ "name": "Chat Assistant — Trust & Safety",
135
+ "description": "Strict content moderation with lower toxicity thresholds and topic restrictions for public-facing chat",
136
+ "category": "trust_safety",
137
+ "file": "profiles/chat_assistant/trust_safety.cedar",
138
+ "severity": "critical",
139
+ "tags": ["profile", "chat-assistant", "toxicity", "trust-safety", "topics"]
140
+ },
141
+ {
142
+ "id": "code-agent-agentic-security",
143
+ "name": "Code Agent — Agentic Security",
144
+ "description": "Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants",
145
+ "category": "agentic_security",
146
+ "file": "profiles/code_agent/agentic_security.cedar",
147
+ "severity": "high",
148
+ "tags": ["profile", "code-agent", "tools", "agentic", "exfiltration", "budget"]
149
+ },
150
+ {
151
+ "id": "code-agent-security",
152
+ "name": "Code Agent — Security",
153
+ "description": "Prevent code agents from writing detected secrets to output files",
154
+ "category": "security",
155
+ "file": "profiles/code_agent/security.cedar",
156
+ "severity": "critical",
157
+ "tags": ["profile", "code-agent", "secrets", "security"]
158
+ },
159
+ {
160
+ "id": "data-pipeline-privacy",
161
+ "name": "Data Pipeline — Privacy",
162
+ "description": "Strict PII protection with zero-tolerance for sensitive PII types in data pipelines",
163
+ "category": "privacy",
164
+ "file": "profiles/data_pipeline/privacy.cedar",
165
+ "severity": "critical",
166
+ "tags": ["profile", "data-pipeline", "pii", "privacy", "compliance"]
167
+ },
168
+ {
169
+ "id": "data-pipeline-security",
170
+ "name": "Data Pipeline — Security",
171
+ "description": "Strict secrets detection and lower injection thresholds for RAG and data processing pipelines",
172
+ "category": "security",
173
+ "file": "profiles/data_pipeline/security.cedar",
174
+ "severity": "critical",
175
+ "tags": ["profile", "data-pipeline", "secrets", "injection", "security"]
176
+ },
177
+ {
178
+ "id": "data-pipeline-agentic-security",
179
+ "name": "Data Pipeline — Agentic Security",
180
+ "description": "Exfiltration prevention and tool risk controls for data processing pipelines",
181
+ "category": "agentic_security",
182
+ "file": "profiles/data_pipeline/agentic_security.cedar",
183
+ "severity": "critical",
184
+ "tags": ["profile", "data-pipeline", "exfiltration", "tools"]
185
+ }
186
+ ],
187
+ "profiles": [
188
+ {
189
+ "id": "chat-assistant",
190
+ "name": "Chat Assistant",
191
+ "description": "Optimized for customer-facing chatbots — strict toxicity, PII blocking, aggressive injection defense, topic restrictions",
192
+ "severity": "high",
193
+ "tags": ["chat-assistant", "toxicity", "pii", "injection"],
194
+ "template_ids": ["chat-assistant-security", "chat-assistant-privacy", "chat-assistant-trust-safety"]
195
+ },
196
+ {
197
+ "id": "code-agent",
198
+ "name": "Code Agent",
199
+ "description": "Optimized for coding assistants — tool risk controls, shell blocking, loop detection, exfiltration prevention, budget enforcement",
200
+ "severity": "high",
201
+ "tags": ["code-agent", "tools", "agentic", "exfiltration"],
202
+ "template_ids": ["code-agent-agentic-security", "code-agent-security"]
203
+ },
204
+ {
205
+ "id": "data-pipeline",
206
+ "name": "Data Pipeline",
207
+ "description": "Optimized for RAG and data processing — strict PII/secrets protection, exfiltration detection, pipeline injection defense",
208
+ "severity": "critical",
209
+ "tags": ["data-pipeline", "pii", "secrets", "exfiltration"],
210
+ "template_ids": ["data-pipeline-privacy", "data-pipeline-security", "data-pipeline-agentic-security"]
211
+ }
212
+ ]
213
+ }
package/_schemas/overwatch/context.json CHANGED
@@ -100,61 +100,61 @@
100
100
  {
101
101
  "key": "violence_score",
102
102
  "type": "number",
103
- "required": false,
103
+ "required": true,
104
104
  "description": "Violence content detection score (0-100)"
105
105
  },
106
106
  {
107
107
  "key": "weapons_score",
108
108
  "type": "number",
109
- "required": false,
109
+ "required": true,
110
110
  "description": "Weapons content detection score (0-100)"
111
111
  },
112
112
  {
113
113
  "key": "hate_speech_score",
114
114
  "type": "number",
115
- "required": false,
115
+ "required": true,
116
116
  "description": "Hate speech detection score (0-100)"
117
117
  },
118
118
  {
119
119
  "key": "crime_score",
120
120
  "type": "number",
121
- "required": false,
121
+ "required": true,
122
122
  "description": "Criminal content detection score (0-100)"
123
123
  },
124
124
  {
125
125
  "key": "sexual_score",
126
126
  "type": "number",
127
- "required": false,
127
+ "required": true,
128
128
  "description": "Sexual content detection score (0-100)"
129
129
  },
130
130
  {
131
131
  "key": "profanity_score",
132
132
  "type": "number",
133
- "required": false,
133
+ "required": true,
134
134
  "description": "Profanity detection score (0-100)"
135
135
  },
136
136
  {
137
137
  "key": "pii_confidence",
138
138
  "type": "number",
139
- "required": false,
139
+ "required": true,
140
140
  "description": "PII detection classifier confidence (0-100)"
141
141
  },
142
142
  {
143
143
  "key": "injection_confidence",
144
144
  "type": "number",
145
- "required": false,
145
+ "required": true,
146
146
  "description": "Prompt injection classifier confidence (0-100)"
147
147
  },
148
148
  {
149
149
  "key": "jailbreak_confidence",
150
150
  "type": "number",
151
- "required": false,
151
+ "required": true,
152
152
  "description": "Jailbreak detection classifier confidence (0-100)"
153
153
  },
154
154
  {
155
155
  "key": "indirect_injection_score",
156
156
  "type": "number",
157
- "required": false,
157
+ "required": true,
158
158
  "description": "Indirect prompt injection risk score (0-100)"
159
159
  }
160
160
  ]
@@ -226,44 +226,44 @@
226
226
  {
227
227
  "key": "threat_count",
228
228
  "type": "number",
229
- "required": true,
230
- "description": "Total threats detected"
229
+ "required": false,
230
+ "description": "Total threats detected (if scanning ran)"
231
231
  },
232
232
  {
233
233
  "key": "highest_severity",
234
234
  "type": "string",
235
- "required": true,
236
- "description": "Highest severity: critical, high, medium, low"
235
+ "required": false,
236
+ "description": "Highest severity (if scanning ran)"
237
237
  },
238
238
  {
239
239
  "key": "threat_categories",
240
240
  "type": "array",
241
- "required": true,
242
- "description": "Threat category names"
241
+ "required": false,
242
+ "description": "Threat category names (if scanning ran)"
243
243
  },
244
244
  {
245
245
  "key": "threat_types",
246
246
  "type": "array",
247
- "required": true,
248
- "description": "YARA threat categories"
247
+ "required": false,
248
+ "description": "YARA threat categories (if scanning ran)"
249
249
  },
250
250
  {
251
251
  "key": "yara_threats",
252
252
  "type": "array",
253
- "required": true,
254
- "description": "YARA rule names"
253
+ "required": false,
254
+ "description": "YARA rule names (if scanning ran)"
255
255
  },
256
256
  {
257
257
  "key": "max_threat_severity",
258
258
  "type": "number",
259
- "required": true,
260
- "description": "Numeric severity (0-4)"
259
+ "required": false,
260
+ "description": "Numeric severity 0-4 (if scanning ran)"
261
261
  },
262
262
  {
263
263
  "key": "contains_secrets",
264
264
  "type": "boolean",
265
- "required": true,
266
- "description": "Whether secrets detected"
265
+ "required": false,
266
+ "description": "Whether secrets detected (if scanning ran)"
267
267
  },
268
268
  {
269
269
  "key": "response_content",
@@ -358,8 +358,8 @@
358
358
  {
359
359
  "key": "content",
360
360
  "type": "string",
361
- "required": true,
362
- "description": "Raw content being scanned"
361
+ "required": false,
362
+ "description": "Raw content being scanned (if available)"
363
363
  },
364
364
  {
365
365
  "key": "source",
@@ -388,26 +388,26 @@
388
388
  {
389
389
  "key": "threat_count",
390
390
  "type": "number",
391
- "required": true,
392
- "description": "Total threats detected"
391
+ "required": false,
392
+ "description": "Total threats detected (if scanning ran)"
393
393
  },
394
394
  {
395
395
  "key": "highest_severity",
396
396
  "type": "string",
397
- "required": true,
398
- "description": "Highest severity level"
397
+ "required": false,
398
+ "description": "Highest severity level (if scanning ran)"
399
399
  },
400
400
  {
401
401
  "key": "threat_categories",
402
402
  "type": "array",
403
- "required": true,
404
- "description": "Threat category names"
403
+ "required": false,
404
+ "description": "Threat category names (if scanning ran)"
405
405
  },
406
406
  {
407
407
  "key": "max_threat_severity",
408
408
  "type": "number",
409
- "required": true,
410
- "description": "Numeric severity (0-4)"
409
+ "required": false,
410
+ "description": "Numeric severity 0-4 (if scanning ran)"
411
411
  },
412
412
  {
413
413
  "key": "tool_poisoning_score",
@@ -484,32 +484,32 @@
484
484
  {
485
485
  "key": "threat_count",
486
486
  "type": "number",
487
- "required": true,
488
- "description": "Total threats detected"
487
+ "required": false,
488
+ "description": "Total threats detected (if scanning ran)"
489
489
  },
490
490
  {
491
491
  "key": "highest_severity",
492
492
  "type": "string",
493
- "required": true,
494
- "description": "Highest severity level"
493
+ "required": false,
494
+ "description": "Highest severity level (if scanning ran)"
495
495
  },
496
496
  {
497
497
  "key": "threat_categories",
498
498
  "type": "array",
499
- "required": true,
500
- "description": "Threat categories"
499
+ "required": false,
500
+ "description": "Threat categories (if scanning ran)"
501
501
  },
502
502
  {
503
503
  "key": "max_threat_severity",
504
504
  "type": "number",
505
- "required": true,
506
- "description": "Numeric severity (0-4)"
505
+ "required": false,
506
+ "description": "Numeric severity 0-4 (if scanning ran)"
507
507
  },
508
508
  {
509
509
  "key": "contains_secrets",
510
510
  "type": "boolean",
511
- "required": true,
512
- "description": "Whether secrets detected"
511
+ "required": false,
512
+ "description": "Whether secrets detected (if scanning ran)"
513
513
  }
514
514
  ]
515
515
  },
@@ -562,32 +562,32 @@
562
562
  {
563
563
  "key": "threat_count",
564
564
  "type": "number",
565
- "required": true,
566
- "description": "Total threats detected"
565
+ "required": false,
566
+ "description": "Total threats detected (if scanning ran)"
567
567
  },
568
568
  {
569
569
  "key": "highest_severity",
570
570
  "type": "string",
571
- "required": true,
572
- "description": "Highest severity level"
571
+ "required": false,
572
+ "description": "Highest severity level (if scanning ran)"
573
573
  },
574
574
  {
575
575
  "key": "threat_categories",
576
576
  "type": "array",
577
- "required": true,
578
- "description": "Threat categories"
577
+ "required": false,
578
+ "description": "Threat categories (if scanning ran)"
579
579
  },
580
580
  {
581
581
  "key": "max_threat_severity",
582
582
  "type": "number",
583
- "required": true,
584
- "description": "Numeric severity (0-4)"
583
+ "required": false,
584
+ "description": "Numeric severity 0-4 (if scanning ran)"
585
585
  },
586
586
  {
587
587
  "key": "contains_secrets",
588
588
  "type": "boolean",
589
- "required": true,
590
- "description": "Whether secrets detected"
589
+ "required": false,
590
+ "description": "Whether secrets detected (if scanning ran)"
591
591
  }
592
592
  ]
593
593
  }