@highflame/policy 2.0.9 → 2.1.0

package/dist/guardrails-defaults.gen.js

@@ -0,0 +1,1278 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/guardrails/templates/templates.json
+//
+// Guardrails default policies and templates.
+// Cedar text is embedded at build time. PolicyRule[] can be parsed at runtime
+// using parseCedarToRules().
+// =============================================================================
+// EMBEDDED CEDAR POLICY TEXT
+// =============================================================================
+const GUARDRAILS_BASELINE_DEFAULT_CEDAR = `// =============================================================================
+// Baseline Permit Policy (Default)
+// =============================================================================
+// Permits all actions by default. Threat-specific forbid policies override
+// this to block when detectors find security issues.
+//
+// Cedar is default-deny: without at least one permit rule, every request
+// is denied regardless of forbid rules. This baseline ensures the system
+// is "allow unless blocked" rather than "block everything".
+//
+// Category: organization
+// Namespace: Guardrails
+// =============================================================================
+
+@id("baseline-permit-all")
+@name("Permit all actions by default")
+@description("Baseline permit for all actions — threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("baseline,permit-default,organization")
+permit (
+    principal,
+    action,
+    resource
+);
+`;
+const GUARDRAILS_SECRETS_DEFAULT_CEDAR = `// =============================================================================
+// Secrets Detection Policy
+// =============================================================================
+// Blocks requests containing API keys, tokens, credentials, or other secrets.
+// Applies to both input prompts and output responses.
+//
+// Context keys used (normalized by projection layer):
+// - contains_secrets: bool - Whether secrets were detected
+// - secret_count: Long - Number of secret matches
+// - secret_types: Set<String> - Types of secrets found
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("secrets-block-all")
+@name("Block content containing secrets")
+@description("Forbids requests that contain API keys, tokens, or credentials")
+@severity("critical")
+@tags("secrets,security,data-leak")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+@id("secrets-block-high-count")
+@name("Block multiple secrets")
+@description("Forbids requests with multiple secret matches (potential data dump)")
+@severity("critical")
+@tags("secrets,security,data-leak")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has secret_count && context.secret_count > 2
+};
+`;
+const GUARDRAILS_INJECTION_DEFAULT_CEDAR = `// =============================================================================
+// Injection & Jailbreak Detection Policy
+// =============================================================================
+// Blocks prompt injection, jailbreak attempts, and command injection.
+// Uses ML-based confidence scores from normalized context.
+//
+// Context keys used (normalized by projection layer):
+// - injection_score: Long (0-100) - Overall injection confidence
+// - jailbreak_score: Long (0-100) - Jailbreak attempt confidence
+// - injection_type: String - Type of injection detected
+// - contains_invisible_chars: Bool - Invisible Unicode characters detected
+// - invisible_chars_score: Long (0-100) - Invisible character density
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("injection-block-high-confidence")
+@name("Block high-confidence injection attempts")
+@description("Forbids requests with injection confidence above 85%")
+@severity("high")
+@tags("injection,jailbreak,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has injection_score && context.injection_score > 85
+};
+
+@id("jailbreak-block-high-confidence")
+@name("Block high-confidence jailbreak attempts")
+@description("Forbids requests with jailbreak confidence above 80%")
+@severity("high")
+@tags("jailbreak,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has jailbreak_score && context.jailbreak_score > 80
+};
+
+@id("injection-combined-threshold")
+@name("Block combined injection and jailbreak")
+@description("Forbids requests with moderate scores in both injection and jailbreak")
+@severity("high")
+@tags("injection,jailbreak,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has injection_score && context has jailbreak_score &&
+    context.injection_score > 60 && context.jailbreak_score > 60
+};
+
+@id("injection-invisible-chars")
+@name("Block invisible character injection")
+@description("Forbids requests containing invisible Unicode characters (zero-width joiners, etc.) commonly used for prompt injection")
+@severity("high")
+@tags("injection,unicode,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has contains_invisible_chars && context.contains_invisible_chars == true &&
+    context has invisible_chars_score && context.invisible_chars_score > 50
+};
+`;
+const GUARDRAILS_PII_DEFAULT_CEDAR = `// =============================================================================
+// PII (Personally Identifiable Information) Policy
+// =============================================================================
+// Blocks content containing PII in output responses.
+// Typically applied to LLM outputs to prevent data leakage.
+//
+// Context keys used (normalized by projection layer):
+// - pii_detected: bool - Whether PII was found
+// - pii_count: Long - Number of PII matches
+// - pii_types: Set<String> - Types of PII detected
+// - direction: String - "input" or "output"
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+@id("pii-block-output")
+@name("Block PII in outputs")
+@description("Forbids LLM responses that contain PII (prevents data leakage)")
+@severity("high")
+@tags("pii,privacy,data-protection")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context has pii_detected && context.pii_detected == true &&
+    context.direction == "output"
+};
+
+@id("pii-block-sensitive-types")
+@name("Block sensitive PII types")
+@description("Forbids outputs containing SSN, credit cards, or passport numbers")
+@severity("critical")
+@tags("pii,privacy,sensitive-data")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context.direction == "output" &&
+    context has pii_types &&
+    (
+        context.pii_types.contains("ssn") ||
+        context.pii_types.contains("credit_card") ||
+        context.pii_types.contains("passport")
+    )
+};
+`;
+const GUARDRAILS_TOXICITY_DEFAULT_CEDAR = `// =============================================================================
+// Toxicity & Content Moderation Policy
+// =============================================================================
+// Blocks toxic, harmful, or inappropriate content.
+// Covers violence, hate speech, sexual content, weapons, crime, and profanity.
+//
+// Context keys used (normalized by projection layer):
+// - violence_score: Long (0-100) - Violence reference score
+// - hate_speech_score: Long (0-100) - Hate speech score
+// - sexual_score: Long (0-100) - Sexual content score
+// - weapons_score: Long (0-100) - Weapons reference score
+// - crime_score: Long (0-100) - Criminal activity score
+// - profanity_score: Long (0-100) - Profanity score
+//
+// Category: trust-safety
+// Namespace: Guardrails
+// =============================================================================
+
+@id("toxicity-block-critical")
+@name("Block critical toxicity")
+@description("Forbids content with any toxicity score above 90")
+@severity("critical")
+@tags("toxicity,trust-safety")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    (context has violence_score && context.violence_score > 90) ||
+    (context has hate_speech_score && context.hate_speech_score > 90) ||
+    (context has sexual_score && context.sexual_score > 90) ||
+    (context has weapons_score && context.weapons_score > 90) ||
+    (context has crime_score && context.crime_score > 90) ||
+    (context has profanity_score && context.profanity_score > 90)
+};
+
+@id("toxicity-block-hate-speech")
+@name("Block hate speech")
+@description("Forbids content with hate speech above 75")
+@severity("high")
+@tags("hate-speech,trust-safety")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has hate_speech_score && context.hate_speech_score > 75
+};
+
+@id("toxicity-block-combined")
+@name("Block combined moderate toxicity")
+@description("Forbids content with two or more moderate toxicity scores above 60")
+@severity("high")
+@tags("toxicity,trust-safety")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    // Any 2 of 6 toxicity scores above 60 triggers a block
+    (context has violence_score && context has hate_speech_score && context.violence_score > 60 && context.hate_speech_score > 60) ||
+    (context has violence_score && context has sexual_score && context.violence_score > 60 && context.sexual_score > 60) ||
+    (context has violence_score && context has weapons_score && context.violence_score > 60 && context.weapons_score > 60) ||
+    (context has violence_score && context has crime_score && context.violence_score > 60 && context.crime_score > 60) ||
+    (context has violence_score && context has profanity_score && context.violence_score > 60 && context.profanity_score > 60) ||
+    (context has hate_speech_score && context has sexual_score && context.hate_speech_score > 60 && context.sexual_score > 60) ||
+    (context has hate_speech_score && context has weapons_score && context.hate_speech_score > 60 && context.weapons_score > 60) ||
+    (context has hate_speech_score && context has crime_score && context.hate_speech_score > 60 && context.crime_score > 60) ||
+    (context has hate_speech_score && context has profanity_score && context.hate_speech_score > 60 && context.profanity_score > 60) ||
+    (context has sexual_score && context has weapons_score && context.sexual_score > 60 && context.weapons_score > 60) ||
+    (context has sexual_score && context has crime_score && context.sexual_score > 60 && context.crime_score > 60) ||
+    (context has sexual_score && context has profanity_score && context.sexual_score > 60 && context.profanity_score > 60) ||
+    (context has weapons_score && context has crime_score && context.weapons_score > 60 && context.crime_score > 60) ||
+    (context has weapons_score && context has profanity_score && context.weapons_score > 60 && context.profanity_score > 60) ||
+    (context has crime_score && context has profanity_score && context.crime_score > 60 && context.profanity_score > 60)
+};
+`;
+const GUARDRAILS_TOOL_RISK_DEFAULT_CEDAR = `// =============================================================================
+// Tool Risk Policy
+// =============================================================================
+// Blocks dangerous tool calls based on risk scoring.
+// Considers tool sensitivity, argument patterns, and MCP verification.
+//
+// Context keys used (normalized by projection layer):
+// - tool_name: String - Name of the tool
+// - tool_risk_score: Long (0-100) - Computed risk score
+// - tool_is_sensitive: bool - Whether tool is classified as sensitive
+// - tool_category: String - "safe" | "sensitive" | "dangerous"
+//
+// Category: agentic-security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("tool-block-dangerous")
+@name("Block dangerous tools")
+@description("Forbids tools classified as dangerous (risk > 85)")
+@severity("critical")
+@tags("tools,agentic,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    (context has tool_risk_score && context.tool_risk_score > 85) ||
+    (context has tool_category && context.tool_category == "dangerous")
+};
+
+@id("tool-block-shell-commands")
+@name("Block shell command execution")
+@description("Forbids direct shell/execute_command tool calls")
+@severity("high")
+@tags("tools,shell,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_name &&
+    (context.tool_name == "shell" ||
+     context.tool_name == "execute_command")
+};
+
+@id("tool-block-sensitive-high-risk")
+@name("Block high-risk sensitive tools")
+@description("Forbids sensitive tool calls with elevated risk scores")
+@severity("high")
+@tags("tools,agentic,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_is_sensitive && context.tool_is_sensitive == true &&
+    context has tool_risk_score && context.tool_risk_score > 70
+};
+`;
+const GUARDRAILS_AGENTIC_SAFETY_DEFAULT_CEDAR = `// =============================================================================
+// Agentic Safety Policy
+// =============================================================================
+// Blocks suspicious agentic behavior patterns:
+// - Infinite loops (repeated tool calls)
+// - Suspicious action sequences (data exfiltration patterns)
+// - Budget violations (token/cost limits)
+//
+// Context keys used (normalized by projection layer):
+// - loop_detected: bool - Whether tool call loop detected
+// - loop_count: Long - Number of consecutive repeated calls
+// - suspicious_pattern: bool - Whether suspicious sequence detected
+// - pattern_type: String - Type of pattern (e.g., "data_exfiltration")
+// - sequence_risk: Long (0-100) - Risk score from sequence analysis
+// - budget_exceeded: bool - Whether token budget exceeded
+// - budget_remaining_pct: Long (0-100) - Remaining budget percentage
+//
+// Category: agentic-security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("agentic-block-loops")
+@name("Block tool call loops")
+@description("Forbids repeated tool calls indicating infinite loop")
+@severity("high")
+@tags("agentic,loops,safety")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has loop_detected && context.loop_detected == true &&
+    context has loop_count && context.loop_count > 3
+};
+
+@id("agentic-block-exfiltration")
+@name("Block data exfiltration patterns")
+@description("Forbids suspicious action sequences like read → http_post")
+@severity("critical")
+@tags("agentic,exfiltration,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type &&
+    (
+        context.pattern_type == "data_exfiltration" ||
+        context.pattern_type == "secret_exfiltration" ||
+        context.pattern_type == "db_exfiltration"
+    )
+};
+
+@id("agentic-block-high-sequence-risk")
+@name("Block high-risk action sequences")
+@description("Forbids action sequences with risk score above 80")
+@severity("high")
+@tags("agentic,patterns,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has sequence_risk && context.sequence_risk > 80
+};
+
+@id("agentic-block-budget-exceeded")
+@name("Block budget violations")
+@description("Forbids requests when token budget is exceeded")
+@severity("medium")
+@tags("agentic,budget,cost-control")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has budget_exceeded && context.budget_exceeded == true
+};
+
+@id("agentic-block-low-budget")
+@name("Block requests when budget critically low")
+@description("Forbids requests when remaining budget falls below 5%")
+@severity("medium")
+@tags("agentic,budget,cost-control")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has budget_remaining_pct &&
+    context.budget_remaining_pct < 5 &&
+    context.budget_remaining_pct > 0
+};
+`;
+const GUARDRAILS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
+// MCP Tool Permissions Template
+// =============================================================================
+// Per-tool access control for MCP servers. Allows fine-grained permissioning:
+// allow specific tools from a server while denying others.
+//
+// Example: Allow read_issues from GitHub but deny create_issues.
+//
+// Context keys used:
+// - mcp_server: String - MCP server name
+// - mcp_tool: String - Tool name within the server
+// - tool_name: String - Normalized tool name
+// - mcp_server_verified: Bool - Whether server is verified
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+// -- GitHub MCP: Read-only access -------------------------------------------
+
+@id("mcp-github-allow-read")
+@name("Allow read-only GitHub tools")
+@description("Permit read operations from GitHub MCP server (issues, PRs, code search)")
+@severity("medium")
+@tags("mcp,github,read-only,least-privilege")
+permit (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.mcp_server == "github" &&
+    (context.tool_name == "read_issues" ||
+     context.tool_name == "get_issue" ||
+     context.tool_name == "list_repos" ||
+     context.tool_name == "get_pull_request" ||
+     context.tool_name == "search_code" ||
+     context.tool_name == "get_file_contents")
+};
+
+@id("mcp-github-deny-write")
+@name("Deny write GitHub tools")
+@description("Block create/update/delete operations on GitHub MCP server")
+@severity("high")
+@tags("mcp,github,write-block,least-privilege")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.mcp_server == "github"
+};
+
+// -- Organization-wide MCP server exclusions --------------------------------
+
+@id("mcp-exclude-server")
+@name("Exclude specific MCP servers")
+@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@severity("critical")
+@tags("mcp,exclusion,org-wide,block")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    // Add server names to block across the organization.
+    // Modify this list to match your exclusion requirements.
+    context.mcp_server == "untrusted-server" ||
+    context.mcp_server == "deprecated-server"
+};
+
+// -- Block unverified MCP servers -------------------------------------------
+
+@id("mcp-block-unverified")
+@name("Block unverified MCP servers")
+@description("Deny all tool calls from MCP servers not in the verified registry")
+@severity("high")
+@tags("mcp,trust,verification")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context.mcp_server_verified == false
+};
+`;
+const GUARDRAILS_CHAT_ASSISTANT_SECURITY_CEDAR = `// =============================================================================
+// Chat Assistant — Security
+// =============================================================================
+// Aggressive injection and jailbreak defense for customer-facing chatbots.
+// Lower thresholds than defaults — public-facing chat is high-risk for attacks.
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("chat-injection-lower-threshold")
+@name("Aggressive injection defense for chat")
+@description("Lower injection threshold for public-facing chat — blocks above 70")
+@severity("high")
+@tags("profile,chat-assistant,injection,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has injection_score && context.injection_score > 70
+};
+
+@id("chat-jailbreak-lower-threshold")
+@name("Aggressive jailbreak defense for chat")
+@description("Lower jailbreak threshold for public-facing chat — blocks above 65")
+@severity("high")
+@tags("profile,chat-assistant,jailbreak,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has jailbreak_score && context.jailbreak_score > 65
+};
+`;
+const GUARDRAILS_CHAT_ASSISTANT_PRIVACY_CEDAR = `// =============================================================================
+// Chat Assistant — Privacy
+// =============================================================================
+// PII protection for customer-facing chatbots.
+// Blocks PII in both user inputs and assistant outputs.
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+@id("chat-pii-block-input-output")
+@name("Block PII in both directions")
+@description("Blocks PII in both user inputs and assistant outputs for chat applications")
+@severity("high")
+@tags("profile,chat-assistant,pii,privacy")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has pii_detected && context.pii_detected == true
+};
+`;
+const GUARDRAILS_CHAT_ASSISTANT_TRUST_SAFETY_CEDAR = `// =============================================================================
+// Chat Assistant — Trust & Safety
+// =============================================================================
+// Strict content moderation for customer-facing chatbots.
+// Lower toxicity thresholds and topic restrictions for public-facing content.
+//
+// Category: trust_safety
+// Namespace: Guardrails
+// =============================================================================
+
+@id("chat-toxicity-strict")
+@name("Strict toxicity for chat")
+@description("Lower thresholds for customer-facing content — blocks toxicity above 70")
+@severity("critical")
+@tags("profile,chat-assistant,toxicity,trust-safety")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    (context has violence_score && context.violence_score > 70) ||
+    (context has hate_speech_score && context.hate_speech_score > 70) ||
+    (context has sexual_score && context.sexual_score > 70) ||
+    (context has profanity_score && context.profanity_score > 70)
+};
+
+@id("chat-topic-restriction")
+@name("Block restricted topics in chat")
+@description("Prevents chat assistants from discussing dangerous or regulated topics")
+@severity("high")
+@tags("profile,chat-assistant,semantic,compliance")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has topic_confidence && context.topic_confidence > 70 &&
+    context has content_topics &&
+    (context.content_topics.contains("weapons_manufacturing") ||
+     context.content_topics.contains("illegal_activity") ||
+     context.content_topics.contains("controlled_substances") ||
+     context.content_topics.contains("financial_fraud"))
+};
+`;
+const GUARDRAILS_CODE_AGENT_AGENTIC_SECURITY_CEDAR = `// =============================================================================
+// Code Agent — Agentic Security
+// =============================================================================
+// Tool risk controls, shell execution blocking, loop detection,
+// exfiltration prevention, and budget enforcement for coding assistants.
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("code-block-dangerous-tools")
+@name("Block dangerous tool execution")
+@description("Forbids tools classified as dangerous or with very high risk scores")
+@severity("critical")
+@tags("profile,code-agent,tools,agentic")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    (context has tool_risk_score && context.tool_risk_score > 85) ||
+    (context has tool_category && context.tool_category == "dangerous")
+};
+
+@id("code-block-shell-execution")
+@name("Block direct shell commands")
+@description("Forbids direct shell and command execution tools")
+@severity("high")
+@tags("profile,code-agent,tools,shell")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_name &&
+    (context.tool_name == "shell" ||
+     context.tool_name == "execute_command" ||
+     context.tool_name == "bash")
+};
+
+@id("code-block-sensitive-tools")
+@name("Block sensitive tools with elevated risk")
+@description("Forbids sensitive tool calls with risk above 70")
+@severity("high")
+@tags("profile,code-agent,tools,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_is_sensitive && context.tool_is_sensitive == true &&
+    context has tool_risk_score && context.tool_risk_score > 70
+};
+
+@id("code-block-loops")
+@name("Block tool call loops")
+@description("Stops infinite tool call loops in agentic workflows")
+@severity("high")
+@tags("profile,code-agent,agentic,loops")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has loop_detected && context.loop_detected == true &&
+    context has loop_count && context.loop_count > 5
+};
+
+@id("code-block-exfiltration")
+@name("Block data exfiltration patterns")
+@description("Detects and blocks read → send patterns indicating data theft")
+@severity("critical")
+@tags("profile,code-agent,agentic,exfiltration")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type &&
+    (context.pattern_type == "data_exfiltration" ||
+     context.pattern_type == "secret_exfiltration")
+};
+
+@id("code-block-high-sequence-risk")
+@name("Block high-risk action sequences")
+@description("Forbids suspicious multi-step tool sequences with risk above 75")
+@severity("high")
+@tags("profile,code-agent,agentic,patterns")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has sequence_risk && context.sequence_risk > 75
+};
+
+@id("code-block-budget-exceeded")
+@name("Block on budget exceeded")
+@description("Stops agent execution when token budget is exhausted")
+@severity("medium")
+@tags("profile,code-agent,budget,cost-control")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has budget_exceeded && context.budget_exceeded == true
+};
+`;
+const GUARDRAILS_CODE_AGENT_SECURITY_CEDAR = `// =============================================================================
+// Code Agent — Security
+// =============================================================================
+// Secrets protection for coding assistants.
+// Prevents code agents from writing detected secrets to output files.
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("code-block-write-secrets")
+@name("Block writing secrets to files")
+@description("Prevents code agents from writing detected secrets to output files")
+@severity("critical")
+@tags("profile,code-agent,secrets,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+) when {
+    context has contains_secrets && context.contains_secrets == true
+};
+`;
+const GUARDRAILS_DATA_PIPELINE_PRIVACY_CEDAR = `// =============================================================================
+// Data Pipeline — Privacy
+// =============================================================================
+// Strict PII protection for RAG pipelines and data processing agents.
+// Zero-tolerance for sensitive PII types — data pipelines must not leak PII.
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-pii-block-all")
+@name("Block all PII in data pipeline")
+@description("Forbids any PII in both inputs and outputs — data pipelines must not process or leak PII")
+@severity("critical")
+@tags("profile,data-pipeline,pii,privacy")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has pii_detected && context.pii_detected == true
+};
+
+@id("data-pii-block-sensitive-types")
+@name("Block sensitive PII types strictly")
+@description("Zero-tolerance for SSN, credit cards, passport numbers, and medical IDs in data pipelines")
+@severity("critical")
+@tags("profile,data-pipeline,pii,compliance")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has pii_types &&
+    (context.pii_types.contains("ssn") ||
+     context.pii_types.contains("credit_card") ||
+     context.pii_types.contains("passport") ||
+     context.pii_types.contains("medical_id") ||
+     context.pii_types.contains("tax_id"))
+};
+`;
+const GUARDRAILS_DATA_PIPELINE_SECURITY_CEDAR = `// =============================================================================
+// Data Pipeline — Security
+// =============================================================================
+// Strict secrets detection and injection defense for data pipelines.
+// RAG inputs are high-risk for injection — lower thresholds than defaults.
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-secrets-strict")
+@name("Strict secrets detection for data pipeline")
+@description("Blocks any content containing secrets — even a single match")
+@severity("critical")
+@tags("profile,data-pipeline,secrets,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+@id("data-block-output-secrets")
+@name("Block secrets in pipeline outputs")
+@description("Prevents data pipeline from writing secrets to any output")
+@severity("critical")
+@tags("profile,data-pipeline,secrets,output")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+) when {
+    (context has contains_secrets && context.contains_secrets == true) ||
+    (context has secret_count && context.secret_count > 0)
+};
+
+@id("data-injection-defense")
+@name("Pipeline injection defense")
+@description("Lower injection threshold for data pipelines — RAG inputs are high-risk for injection")
+@severity("high")
+@tags("profile,data-pipeline,injection,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has injection_score && context.injection_score > 65
+};
+`;
+const GUARDRAILS_DATA_PIPELINE_AGENTIC_SECURITY_CEDAR = `// =============================================================================
+// Data Pipeline — Agentic Security
+// =============================================================================
+// Exfiltration prevention and tool risk controls for data pipelines.
+// Prevents retrieval data from being sent to external endpoints.
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-block-exfiltration")
+@name("Block data exfiltration from pipeline")
+@description("Prevents retrieval data from being sent to external endpoints")
+@severity("critical")
+@tags("profile,data-pipeline,exfiltration,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type &&
+    (context.pattern_type == "data_exfiltration" ||
+     context.pattern_type == "db_exfiltration")
+};
+
+@id("data-block-high-risk-tools")
+@name("Block high-risk tools in pipeline")
+@description("Forbids tools with elevated risk in data processing context")
+@severity("high")
+@tags("profile,data-pipeline,tools,security")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has tool_risk_score && context.tool_risk_score > 60
+};
+`;
+// =============================================================================
+// CATEGORIES
+// =============================================================================
+export const GUARDRAILS_CATEGORIES = [
+    { id: 'security', name: 'Security', description: 'Detect and block prompt injection, jailbreak attempts, and credential leakage' },
+    { id: 'privacy', name: 'Privacy', description: 'Detect and block personally identifiable information (PII) in prompts and responses' },
+    { id: 'trust_safety', name: 'Trust & Safety', description: 'Detect and block toxic, violent, hateful, sexual, or profane content' },
+    { id: 'agentic_security', name: 'Agentic Security', description: 'Detect tool abuse, data exfiltration patterns, infinite loops, and budget violations' },
+    { id: 'organization', name: 'Organization', description: 'Organization-wide baselines and default permit/deny policies' },
+];
+// =============================================================================
+// DEFAULT POLICIES
+// =============================================================================
+export const GUARDRAILS_DEFAULTS = [
+    {
+        id: 'baseline-default',
+        name: 'Baseline Permit',
+        description: 'Permits all actions by default — threat-specific forbid policies override this when threats are detected',
+        category: 'organization',
+        cedarText: GUARDRAILS_BASELINE_DEFAULT_CEDAR,
+        severity: 'low',
+        tags: ['baseline', 'permit-default', 'organization'],
+        isActive: true,
+    },
+    {
+        id: 'secrets-default',
+        name: 'Secrets Detection',
+        description: 'Block content containing API keys, tokens, credentials, or other secrets',
+        category: 'security',
+        cedarText: GUARDRAILS_SECRETS_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['secrets', 'api-keys', 'credentials', 'data-leak'],
+        isActive: true,
+    },
+    {
+        id: 'injection-default',
+        name: 'Injection & Jailbreak Detection',
+        description: 'Block prompt injection, jailbreak attempts, and command injection using ML confidence scores',
+        category: 'security',
+        cedarText: GUARDRAILS_INJECTION_DEFAULT_CEDAR,
+        severity: 'high',
+        tags: ['injection', 'jailbreak', 'security'],
+        isActive: true,
+    },
+    {
+        id: 'pii-default',
+        name: 'PII Detection',
+        description: 'Block content containing PII such as SSN, credit cards, or passport numbers in outputs',
+        category: 'privacy',
+        cedarText: GUARDRAILS_PII_DEFAULT_CEDAR,
+        severity: 'high',
+        tags: ['pii', 'privacy', 'data-protection'],
+        isActive: true,
+    },
+    {
+        id: 'toxicity-default',
+        name: 'Toxicity & Content Moderation',
+        description: 'Block toxic, violent, hateful, sexual, and profane content based on classifier scores',
+        category: 'trust_safety',
+        cedarText: GUARDRAILS_TOXICITY_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['toxicity', 'trust-safety', 'content-moderation'],
+        isActive: true,
+    },
+    {
+        id: 'tool-risk-default',
+        name: 'Tool Risk',
+        description: 'Block dangerous tool calls, shell execution, and sensitive tool usage based on risk scoring',
+        category: 'agentic_security',
+        cedarText: GUARDRAILS_TOOL_RISK_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['tools', 'agentic', 'security'],
+        isActive: true,
+    },
+    {
+        id: 'agentic-safety-default',
+        name: 'Agentic Safety',
+        description: 'Block tool call loops, data exfiltration patterns, high-risk sequences, and budget violations',
+        category: 'agentic_security',
+        cedarText: GUARDRAILS_AGENTIC_SAFETY_DEFAULT_CEDAR,
+        severity: 'high',
+        tags: ['agentic', 'safety', 'loops', 'exfiltration', 'budget'],
+        isActive: true,
+    },
+];
+// =============================================================================
+// ALL TEMPLATES
+// =============================================================================
+export const GUARDRAILS_TEMPLATES = [
+    {
+        id: 'mcp-tool-permissions',
+        name: 'MCP Tool Permissions',
+        description: 'Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources',
+        category: 'agentic_security',
+        cedarText: GUARDRAILS_MCP_TOOL_PERMISSIONS_CEDAR,
+        severity: 'high',
+        tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
+    },
+    {
+        id: 'chat-assistant-security',
+        name: 'Chat Assistant — Security',
+        description: 'Aggressive injection and jailbreak defense for customer-facing chatbots with lower thresholds',
+        category: 'security',
+        cedarText: GUARDRAILS_CHAT_ASSISTANT_SECURITY_CEDAR,
+        severity: 'high',
+        tags: ['profile', 'chat-assistant', 'injection', 'jailbreak', 'security'],
+    },
+    {
+        id: 'chat-assistant-privacy',
+        name: 'Chat Assistant — Privacy',
+        description: 'Block PII in both user inputs and assistant outputs for chat applications',
+        category: 'privacy',
+        cedarText: GUARDRAILS_CHAT_ASSISTANT_PRIVACY_CEDAR,
+        severity: 'high',
+        tags: ['profile', 'chat-assistant', 'pii', 'privacy'],
+    },
+    {
+        id: 'chat-assistant-trust-safety',
+        name: 'Chat Assistant — Trust & Safety',
+        description: 'Strict content moderation with lower toxicity thresholds and topic restrictions for public-facing chat',
+        category: 'trust_safety',
+        cedarText: GUARDRAILS_CHAT_ASSISTANT_TRUST_SAFETY_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'chat-assistant', 'toxicity', 'trust-safety', 'topics'],
+    },
+    {
+        id: 'code-agent-agentic-security',
+        name: 'Code Agent — Agentic Security',
+        description: 'Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants',
+        category: 'agentic_security',
+        cedarText: GUARDRAILS_CODE_AGENT_AGENTIC_SECURITY_CEDAR,
+        severity: 'high',
+        tags: ['profile', 'code-agent', 'tools', 'agentic', 'exfiltration', 'budget'],
+    },
+    {
+        id: 'code-agent-security',
+        name: 'Code Agent — Security',
+        description: 'Prevent code agents from writing detected secrets to output files',
+        category: 'security',
+        cedarText: GUARDRAILS_CODE_AGENT_SECURITY_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'code-agent', 'secrets', 'security'],
+    },
+    {
+        id: 'data-pipeline-privacy',
+        name: 'Data Pipeline — Privacy',
+        description: 'Strict PII protection with zero-tolerance for sensitive PII types in data pipelines',
+        category: 'privacy',
+        cedarText: GUARDRAILS_DATA_PIPELINE_PRIVACY_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'data-pipeline', 'pii', 'privacy', 'compliance'],
+    },
+    {
+        id: 'data-pipeline-security',
+        name: 'Data Pipeline — Security',
+        description: 'Strict secrets detection and lower injection thresholds for RAG and data processing pipelines',
+        category: 'security',
+        cedarText: GUARDRAILS_DATA_PIPELINE_SECURITY_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'data-pipeline', 'secrets', 'injection', 'security'],
+    },
+    {
+        id: 'data-pipeline-agentic-security',
+        name: 'Data Pipeline — Agentic Security',
+        description: 'Exfiltration prevention and tool risk controls for data processing pipelines',
+        category: 'agentic_security',
+        cedarText: GUARDRAILS_DATA_PIPELINE_AGENTIC_SECURITY_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'data-pipeline', 'exfiltration', 'tools'],
+    },
+];
+// =============================================================================
+// TEMPLATES METADATA
+// =============================================================================
+/** Raw templates.json metadata for the Guardrails service. */
+export const GUARDRAILS_TEMPLATES_JSON = `{
+  "service": "guardrails",
+  "version": "1.0.0",
+  "description": "Guardrails policy templates for LLM application security",
+  "categories": [
+    {
+      "id": "security",
+      "name": "Security",
+      "description": "Detect and block prompt injection, jailbreak attempts, and credential leakage"
+    },
+    {
+      "id": "privacy",
+      "name": "Privacy",
+      "description": "Detect and block personally identifiable information (PII) in prompts and responses"
+    },
+    {
+      "id": "trust_safety",
+      "name": "Trust & Safety",
+      "description": "Detect and block toxic, violent, hateful, sexual, or profane content"
+    },
+    {
+      "id": "agentic_security",
+      "name": "Agentic Security",
+      "description": "Detect tool abuse, data exfiltration patterns, infinite loops, and budget violations"
+    },
+    {
+      "id": "organization",
+      "name": "Organization",
+      "description": "Organization-wide baselines and default permit/deny policies"
+    }
+  ],
+  "defaults": [
+    {
+      "id": "baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
+    {
+      "id": "secrets-default",
+      "name": "Secrets Detection",
+      "description": "Block content containing API keys, tokens, credentials, or other secrets",
+      "category": "security",
+      "file": "defaults/secrets.cedar",
+      "severity": "critical",
+      "tags": ["secrets", "api-keys", "credentials", "data-leak"],
+      "is_active": true
+    },
+    {
+      "id": "injection-default",
+      "name": "Injection & Jailbreak Detection",
+      "description": "Block prompt injection, jailbreak attempts, and command injection using ML confidence scores",
+      "category": "security",
+      "file": "defaults/injection.cedar",
+      "severity": "high",
+      "tags": ["injection", "jailbreak", "security"],
+      "is_active": true
+    },
+    {
+      "id": "pii-default",
+      "name": "PII Detection",
+      "description": "Block content containing PII such as SSN, credit cards, or passport numbers in outputs",
+      "category": "privacy",
+      "file": "defaults/pii.cedar",
+      "severity": "high",
+      "tags": ["pii", "privacy", "data-protection"],
+      "is_active": true
+    },
+    {
+      "id": "toxicity-default",
+      "name": "Toxicity & Content Moderation",
+      "description": "Block toxic, violent, hateful, sexual, and profane content based on classifier scores",
+      "category": "trust_safety",
+      "file": "defaults/toxicity.cedar",
+      "severity": "critical",
+      "tags": ["toxicity", "trust-safety", "content-moderation"],
+      "is_active": true
+    },
+    {
+      "id": "tool-risk-default",
+      "name": "Tool Risk",
+      "description": "Block dangerous tool calls, shell execution, and sensitive tool usage based on risk scoring",
+      "category": "agentic_security",
+      "file": "defaults/tool_risk.cedar",
+      "severity": "critical",
+      "tags": ["tools", "agentic", "security"],
+      "is_active": true
+    },
+    {
+      "id": "agentic-safety-default",
+      "name": "Agentic Safety",
+      "description": "Block tool call loops, data exfiltration patterns, high-risk sequences, and budget violations",
+      "category": "agentic_security",
+      "file": "defaults/agentic_safety.cedar",
+      "severity": "high",
+      "tags": ["agentic", "safety", "loops", "exfiltration", "budget"],
+      "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "mcp-tool-permissions",
+      "name": "MCP Tool Permissions",
+      "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "category": "agentic_security",
+      "file": "mcp_tool_permissions.cedar",
+      "severity": "high",
+      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+    },
+    {
+      "id": "chat-assistant-security",
+      "name": "Chat Assistant — Security",
+      "description": "Aggressive injection and jailbreak defense for customer-facing chatbots with lower thresholds",
+      "category": "security",
+      "file": "profiles/chat_assistant/security.cedar",
+      "severity": "high",
+      "tags": ["profile", "chat-assistant", "injection", "jailbreak", "security"]
+    },
+    {
+      "id": "chat-assistant-privacy",
+      "name": "Chat Assistant — Privacy",
+      "description": "Block PII in both user inputs and assistant outputs for chat applications",
+      "category": "privacy",
+      "file": "profiles/chat_assistant/privacy.cedar",
+      "severity": "high",
+      "tags": ["profile", "chat-assistant", "pii", "privacy"]
+    },
+    {
+      "id": "chat-assistant-trust-safety",
+      "name": "Chat Assistant — Trust & Safety",
+      "description": "Strict content moderation with lower toxicity thresholds and topic restrictions for public-facing chat",
+      "category": "trust_safety",
+      "file": "profiles/chat_assistant/trust_safety.cedar",
+      "severity": "critical",
+      "tags": ["profile", "chat-assistant", "toxicity", "trust-safety", "topics"]
+    },
+    {
+      "id": "code-agent-agentic-security",
+      "name": "Code Agent — Agentic Security",
+      "description": "Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants",
+      "category": "agentic_security",
+      "file": "profiles/code_agent/agentic_security.cedar",
+      "severity": "high",
+      "tags": ["profile", "code-agent", "tools", "agentic", "exfiltration", "budget"]
+    },
+    {
+      "id": "code-agent-security",
+      "name": "Code Agent — Security",
+      "description": "Prevent code agents from writing detected secrets to output files",
+      "category": "security",
+      "file": "profiles/code_agent/security.cedar",
+      "severity": "critical",
+      "tags": ["profile", "code-agent", "secrets", "security"]
+    },
+    {
+      "id": "data-pipeline-privacy",
+      "name": "Data Pipeline — Privacy",
+      "description": "Strict PII protection with zero-tolerance for sensitive PII types in data pipelines",
+      "category": "privacy",
+      "file": "profiles/data_pipeline/privacy.cedar",
+      "severity": "critical",
+      "tags": ["profile", "data-pipeline", "pii", "privacy", "compliance"]
+    },
+    {
+      "id": "data-pipeline-security",
+      "name": "Data Pipeline — Security",
+      "description": "Strict secrets detection and lower injection thresholds for RAG and data processing pipelines",
+      "category": "security",
+      "file": "profiles/data_pipeline/security.cedar",
+      "severity": "critical",
+      "tags": ["profile", "data-pipeline", "secrets", "injection", "security"]
+    },
+    {
+      "id": "data-pipeline-agentic-security",
+      "name": "Data Pipeline — Agentic Security",
+      "description": "Exfiltration prevention and tool risk controls for data processing pipelines",
+      "category": "agentic_security",
+      "file": "profiles/data_pipeline/agentic_security.cedar",
+      "severity": "critical",
+      "tags": ["profile", "data-pipeline", "exfiltration", "tools"]
+    }
+  ],
+  "profiles": [
+    {
+      "id": "chat-assistant",
+      "name": "Chat Assistant",
+      "description": "Optimized for customer-facing chatbots — strict toxicity, PII blocking, aggressive injection defense, topic restrictions",
+      "severity": "high",
+      "tags": ["chat-assistant", "toxicity", "pii", "injection"],
+      "template_ids": ["chat-assistant-security", "chat-assistant-privacy", "chat-assistant-trust-safety"]
+    },
+    {
+      "id": "code-agent",
+      "name": "Code Agent",
+      "description": "Optimized for coding assistants — tool risk controls, shell blocking, loop detection, exfiltration prevention, budget enforcement",
+      "severity": "high",
+      "tags": ["code-agent", "tools", "agentic", "exfiltration"],
+      "template_ids": ["code-agent-agentic-security", "code-agent-security"]
+    },
+    {
+      "id": "data-pipeline",
+      "name": "Data Pipeline",
+      "description": "Optimized for RAG and data processing — strict PII/secrets protection, exfiltration detection, pipeline injection defense",
+      "severity": "critical",
+      "tags": ["data-pipeline", "pii", "secrets", "exfiltration"],
+      "template_ids": ["data-pipeline-privacy", "data-pipeline-security", "data-pipeline-agentic-security"]
+    }
+  ]
+}
+`;
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+export function getGuardrailsDefaultsByCategory(category) {
+    return GUARDRAILS_DEFAULTS.filter(d => d.category === category);
+}
+export function getGuardrailsTemplatesByCategory(category) {
+    return GUARDRAILS_TEMPLATES.filter(t => t.category === category);
+}
+export function getGuardrailsTemplateById(id) {
+    return GUARDRAILS_TEMPLATES.find(t => t.id === id);
+}