@highflame/policy 2.1.0 → 2.1.2

@@ -1,7 +1,7 @@
1
1
  {
2
2
  "service": "overwatch",
3
- "version": "2.0.0",
4
- "description": "Overwatch (Guardian) IDE security & policy enforcement",
3
+ "version": "3.0.0",
4
+ "description": "Overwatch IDE agent security & policy enforcement",
5
5
  "actions": [
6
6
  {
7
7
  "name": "process_prompt",
@@ -47,37 +47,31 @@
47
47
  "key": "threat_count",
48
48
  "type": "number",
49
49
  "required": true,
50
- "description": "Total number of threats detected by YARA/Javelin"
50
+ "description": "Total number of threats detected by the detection engine pipeline"
51
51
  },
52
52
  {
53
53
  "key": "highest_severity",
54
54
  "type": "string",
55
55
  "required": true,
56
- "description": "Highest severity level: critical, high, medium, low"
56
+ "description": "Highest severity level: critical, high, medium, low, none"
57
57
  },
58
58
  {
59
59
  "key": "threat_categories",
60
60
  "type": "array",
61
61
  "required": true,
62
- "description": "Threat category names from aggregator"
62
+ "description": "Threat category names from the detection aggregator"
63
63
  },
64
64
  {
65
- "key": "threat_types",
65
+ "key": "detected_threats",
66
66
  "type": "array",
67
67
  "required": true,
68
- "description": "YARA threat category names"
69
- },
70
- {
71
- "key": "yara_threats",
72
- "type": "array",
73
- "required": true,
74
- "description": "YARA rule names that matched"
68
+ "description": "Detection rule names that matched (e.g., prompt_injection, jailbreak, credit_card, secret_exposure)"
75
69
  },
76
70
  {
77
71
  "key": "max_threat_severity",
78
72
  "type": "number",
79
73
  "required": true,
80
- "description": "Numeric severity (0-4, where 4=CRITICAL)"
74
+ "description": "Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)"
81
75
  },
82
76
  {
83
77
  "key": "contains_secrets",
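Review bot: Renaming `threat_types` to `detected_threats` and deleting `yara_threats` removes two context keys that were `"required": true`, while the package version only moves from 2.1.0 to 2.1.2. Any existing policy that conditions on the old keys will no longer receive them; how the engine treats a reference to a key that is no longer supplied is not visible here, but a rule that silently stops matching is the outcome to rule out before shipping this as a patch release. The file already keeps `prompt_text` as a backward-compatibility field, so I would keep the two old keys for one release as `"required": false` entries whose description marks them as deprecated and names the replacement key. The same rename and removal recur in the hunk at -227,49 +263,85. The attribute array this hunk edits starts and ends outside the hunk.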
@@ -85,11 +79,53 @@
85
79
  "required": true,
86
80
  "description": "Whether secrets or credentials were detected"
87
81
  },
82
+ {
83
+ "key": "secret_types",
84
+ "type": "array",
85
+ "required": false,
86
+ "description": "Specific secret types found: aws_access_key, github_token, ssh_private_key, api_key, etc."
87
+ },
88
+ {
89
+ "key": "secret_count",
90
+ "type": "number",
91
+ "required": false,
92
+ "description": "Number of distinct secrets detected"
93
+ },
94
+ {
95
+ "key": "pii_detected",
96
+ "type": "boolean",
97
+ "required": false,
98
+ "description": "Whether any PII patterns were matched"
99
+ },
100
+ {
101
+ "key": "pii_types",
102
+ "type": "array",
103
+ "required": false,
104
+ "description": "Specific PII types found: ssn, credit_card, email, phone, medical_record, etc."
105
+ },
106
+ {
107
+ "key": "pii_count",
108
+ "type": "number",
109
+ "required": false,
110
+ "description": "Number of PII pattern matches"
111
+ },
112
+ {
113
+ "key": "contains_invisible_chars",
114
+ "type": "boolean",
115
+ "required": false,
116
+ "description": "Whether invisible Unicode characters (zero-width, bidi overrides, tag chars) were detected"
117
+ },
118
+ {
119
+ "key": "invisible_chars_score",
120
+ "type": "number",
121
+ "required": false,
122
+ "description": "Invisible character attack severity score (0-100)"
123
+ },
88
124
  {
89
125
  "key": "prompt_text",
90
126
  "type": "string",
91
127
  "required": false,
92
- "description": "Same as content (legacy field)"
128
+ "description": "Same as content (backward compatibility)"
93
129
  },
94
130
  {
95
131
  "key": "response_content",
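Review bot: The value vocabularies for `secret_types` and `pii_types` are left open with "etc.", and `credit_card` is listed both as a PII type here and as an example detection rule name under `detected_threats` in the previous hunk. A policy author who matches on specific values cannot tell from these descriptions which list a finding lands in, or whether the same finding is reported in both. I would either list the full set of values or say where it is defined, and add a sentence such as `"A finding may appear in both detected_threats and pii_types"` if that is the intended behaviour. It would also help to state whether `secret_types` can be absent while the required `contains_secrets` is true.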
@@ -137,25 +173,25 @@
137
173
  "key": "pii_confidence",
138
174
  "type": "number",
139
175
  "required": true,
140
- "description": "PII detection classifier confidence (0-100)"
176
+ "description": "PII detection ML classifier confidence (0-100)"
141
177
  },
142
178
  {
143
179
  "key": "injection_confidence",
144
180
  "type": "number",
145
181
  "required": true,
146
- "description": "Prompt injection classifier confidence (0-100)"
182
+ "description": "Prompt injection ML classifier confidence (0-100)"
147
183
  },
148
184
  {
149
185
  "key": "jailbreak_confidence",
150
186
  "type": "number",
151
187
  "required": true,
152
- "description": "Jailbreak detection classifier confidence (0-100)"
188
+ "description": "Jailbreak detection ML classifier confidence (0-100)"
153
189
  },
154
190
  {
155
191
  "key": "indirect_injection_score",
156
192
  "type": "number",
157
193
  "required": true,
158
- "description": "Indirect prompt injection risk score (0-100)"
194
+ "description": "Indirect prompt injection risk score (0-100) — injection via tool outputs or retrieved content"
159
195
  }
160
196
  ]
161
197
  },
@@ -167,7 +203,7 @@
167
203
  "key": "content",
168
204
  "type": "string",
169
205
  "required": true,
170
- "description": "Raw content being scanned (e.g., shell command)"
206
+ "description": "Raw content being scanned (e.g., shell command, tool arguments)"
171
207
  },
172
208
  {
173
209
  "key": "source",
@@ -227,49 +263,85 @@
227
263
  "key": "threat_count",
228
264
  "type": "number",
229
265
  "required": false,
230
- "description": "Total threats detected (if scanning ran)"
266
+ "description": "Total threats detected by the detection engine pipeline"
231
267
  },
232
268
  {
233
269
  "key": "highest_severity",
234
270
  "type": "string",
235
271
  "required": false,
236
- "description": "Highest severity (if scanning ran)"
272
+ "description": "Highest severity level: critical, high, medium, low, none"
237
273
  },
238
274
  {
239
275
  "key": "threat_categories",
240
276
  "type": "array",
241
277
  "required": false,
242
- "description": "Threat category names (if scanning ran)"
278
+ "description": "Threat category names from the detection aggregator"
243
279
  },
244
280
  {
245
- "key": "threat_types",
281
+ "key": "detected_threats",
246
282
  "type": "array",
247
283
  "required": false,
248
- "description": "YARA threat categories (if scanning ran)"
284
+ "description": "Detection rule names that matched"
249
285
  },
250
286
  {
251
- "key": "yara_threats",
287
+ "key": "max_threat_severity",
288
+ "type": "number",
289
+ "required": false,
290
+ "description": "Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)"
291
+ },
292
+ {
293
+ "key": "contains_secrets",
294
+ "type": "boolean",
295
+ "required": false,
296
+ "description": "Whether secrets or credentials were detected"
297
+ },
298
+ {
299
+ "key": "secret_types",
252
300
  "type": "array",
253
301
  "required": false,
254
- "description": "YARA rule names (if scanning ran)"
302
+ "description": "Specific secret types found"
255
303
  },
256
304
  {
257
- "key": "max_threat_severity",
305
+ "key": "secret_count",
258
306
  "type": "number",
259
307
  "required": false,
260
- "description": "Numeric severity 0-4 (if scanning ran)"
308
+ "description": "Number of distinct secrets detected"
261
309
  },
262
310
  {
263
- "key": "contains_secrets",
311
+ "key": "pii_detected",
264
312
  "type": "boolean",
265
313
  "required": false,
266
- "description": "Whether secrets detected (if scanning ran)"
314
+ "description": "Whether any PII patterns were matched"
315
+ },
316
+ {
317
+ "key": "pii_types",
318
+ "type": "array",
319
+ "required": false,
320
+ "description": "Specific PII types found"
321
+ },
322
+ {
323
+ "key": "pii_count",
324
+ "type": "number",
325
+ "required": false,
326
+ "description": "Number of PII pattern matches"
327
+ },
328
+ {
329
+ "key": "contains_invisible_chars",
330
+ "type": "boolean",
331
+ "required": false,
332
+ "description": "Whether invisible Unicode characters were detected"
333
+ },
334
+ {
335
+ "key": "invisible_chars_score",
336
+ "type": "number",
337
+ "required": false,
338
+ "description": "Invisible character attack severity score (0-100)"
267
339
  },
268
340
  {
269
341
  "key": "response_content",
270
342
  "type": "string",
271
343
  "required": false,
272
- "description": "Response content (if available)"
344
+ "description": "Response content from AI (if available)"
273
345
  },
274
346
  {
275
347
  "key": "violence_score",
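Review bot: The rewritten descriptions drop the "(if scanning ran)" qualifier from `threat_count`, `highest_severity`, `threat_categories` and the other scan-derived keys, yet every one of them stays `"required": false`. The old wording was the only place that told a policy author these keys can be missing and why; without it, an absent `contains_secrets` reads the same as a clean scan. I would keep the condition in the text, for example `"Total threats detected by the detection engine pipeline (absent if scanning did not run)"`, and apply the same wording to the new optional keys. The qualifier is removed in the same way in the hunks at -389,49, -485,31 and -563,31.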
@@ -311,43 +383,115 @@
311
383
  "key": "pii_confidence",
312
384
  "type": "number",
313
385
  "required": false,
314
- "description": "PII detection classifier confidence (0-100)"
386
+ "description": "PII detection ML classifier confidence (0-100)"
315
387
  },
316
388
  {
317
389
  "key": "injection_confidence",
318
390
  "type": "number",
319
391
  "required": false,
320
- "description": "Prompt injection classifier confidence (0-100)"
392
+ "description": "Prompt injection ML classifier confidence (0-100)"
321
393
  },
322
394
  {
323
395
  "key": "jailbreak_confidence",
324
396
  "type": "number",
325
397
  "required": false,
326
- "description": "Jailbreak detection classifier confidence (0-100)"
398
+ "description": "Jailbreak detection ML classifier confidence (0-100)"
327
399
  },
328
400
  {
329
401
  "key": "tool_poisoning_score",
330
402
  "type": "number",
331
403
  "required": false,
332
- "description": "Tool description manipulation risk score (0-100)"
404
+ "description": "Tool description manipulation risk score (0-100) — hidden instructions in tool descriptions or arguments"
405
+ },
406
+ {
407
+ "key": "tool_poisoning_detected",
408
+ "type": "boolean",
409
+ "required": false,
410
+ "description": "Whether tool poisoning patterns were explicitly detected"
333
411
  },
334
412
  {
335
413
  "key": "rug_pull_score",
336
414
  "type": "number",
337
415
  "required": false,
338
- "description": "Tool behavior mismatch risk score (0-100)"
416
+ "description": "Tool behavioral drift score (0-100) — deviation from established tool behavior patterns"
417
+ },
418
+ {
419
+ "key": "rug_pull_detected",
420
+ "type": "boolean",
421
+ "required": false,
422
+ "description": "Whether a rug pull attack was explicitly detected"
339
423
  },
340
424
  {
341
425
  "key": "indirect_injection_score",
342
426
  "type": "number",
343
427
  "required": false,
344
- "description": "Indirect prompt injection risk score (0-100)"
428
+ "description": "Indirect prompt injection risk score (0-100) — injection via tool outputs"
429
+ },
430
+ {
431
+ "key": "tool_risk_score",
432
+ "type": "number",
433
+ "required": false,
434
+ "description": "Computed tool risk score (0-100) combining tool type, arguments, and context"
435
+ },
436
+ {
437
+ "key": "tool_category",
438
+ "type": "string",
439
+ "required": false,
440
+ "description": "Tool risk classification: safe, sensitive, dangerous"
441
+ },
442
+ {
443
+ "key": "tool_is_sensitive",
444
+ "type": "boolean",
445
+ "required": false,
446
+ "description": "Whether the tool is classified as sensitive (shell, file write, network)"
447
+ },
448
+ {
449
+ "key": "tool_is_builtin",
450
+ "type": "boolean",
451
+ "required": false,
452
+ "description": "Whether the tool is a built-in IDE tool (true) or MCP tool (false)"
453
+ },
454
+ {
455
+ "key": "loop_detected",
456
+ "type": "boolean",
457
+ "required": false,
458
+ "description": "Whether a consecutive same-tool call loop was detected"
459
+ },
460
+ {
461
+ "key": "loop_count",
462
+ "type": "number",
463
+ "required": false,
464
+ "description": "Number of consecutive calls to the same tool"
465
+ },
466
+ {
467
+ "key": "loop_tool",
468
+ "type": "string",
469
+ "required": false,
470
+ "description": "The tool name involved in the detected loop"
471
+ },
472
+ {
473
+ "key": "suspicious_pattern",
474
+ "type": "boolean",
475
+ "required": false,
476
+ "description": "Whether a suspicious action sequence was detected (exfiltration, theft, destructive)"
477
+ },
478
+ {
479
+ "key": "pattern_type",
480
+ "type": "string",
481
+ "required": false,
482
+ "description": "Type of suspicious pattern: data_exfiltration, secret_exfiltration, credential_theft, destructive_sequence"
483
+ },
484
+ {
485
+ "key": "sequence_risk",
486
+ "type": "number",
487
+ "required": false,
488
+ "description": "Behavioral sequence risk score (0-100)"
345
489
  },
346
490
  {
347
491
  "key": "mcp_server_verified",
348
492
  "type": "boolean",
349
493
  "required": false,
350
- "description": "Whether MCP server is from a verified registry"
494
+ "description": "Whether the MCP server is from a verified registry"
351
495
  }
352
496
  ]
353
497
  },
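Review bot: `tool_category` ("safe, sensitive, dangerous") and `tool_is_sensitive` describe the same classification twice, and the descriptions do not say how they relate, in particular whether `tool_is_sensitive` is true for a tool whose category is `dangerous`. The new `tool_poisoning_detected` and `rug_pull_detected` booleans sit next to 0-100 scores with the same problem: nothing states whether the boolean is derived from a score threshold or from a separate check. A policy written against one field of each pair can then disagree with one written against the other. I would name the authoritative field in each description, for example `"Whether tool_category is sensitive or dangerous"` if that is the rule, and document the relation between each `*_detected` flag and its score.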
@@ -359,13 +503,13 @@
359
503
  "key": "content",
360
504
  "type": "string",
361
505
  "required": false,
362
- "description": "Raw content being scanned (if available)"
506
+ "description": "Server configuration content (if available)"
363
507
  },
364
508
  {
365
509
  "key": "source",
366
510
  "type": "string",
367
511
  "required": true,
368
- "description": "IDE source"
512
+ "description": "IDE source: cursor, claudecode, github_copilot"
369
513
  },
370
514
  {
371
515
  "key": "event",
@@ -389,49 +533,79 @@
389
533
  "key": "threat_count",
390
534
  "type": "number",
391
535
  "required": false,
392
- "description": "Total threats detected (if scanning ran)"
536
+ "description": "Total threats detected by the detection engine pipeline"
393
537
  },
394
538
  {
395
539
  "key": "highest_severity",
396
540
  "type": "string",
397
541
  "required": false,
398
- "description": "Highest severity level (if scanning ran)"
542
+ "description": "Highest severity level: critical, high, medium, low, none"
399
543
  },
400
544
  {
401
545
  "key": "threat_categories",
402
546
  "type": "array",
403
547
  "required": false,
404
- "description": "Threat category names (if scanning ran)"
548
+ "description": "Threat category names from the detection aggregator"
405
549
  },
406
550
  {
407
551
  "key": "max_threat_severity",
408
552
  "type": "number",
409
553
  "required": false,
410
- "description": "Numeric severity 0-4 (if scanning ran)"
554
+ "description": "Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)"
555
+ },
556
+ {
557
+ "key": "contains_invisible_chars",
558
+ "type": "boolean",
559
+ "required": false,
560
+ "description": "Whether invisible Unicode characters were detected in server data"
411
561
  },
412
562
  {
413
563
  "key": "tool_poisoning_score",
414
564
  "type": "number",
415
565
  "required": false,
416
- "description": "Tool description manipulation risk score (0-100)"
566
+ "description": "Tool description manipulation risk score (0-100) — poisoned tool descriptions in server"
567
+ },
568
+ {
569
+ "key": "tool_poisoning_detected",
570
+ "type": "boolean",
571
+ "required": false,
572
+ "description": "Whether tool poisoning patterns were explicitly detected"
417
573
  },
418
574
  {
419
575
  "key": "rug_pull_score",
420
576
  "type": "number",
421
577
  "required": false,
422
- "description": "Tool behavior mismatch risk score (0-100)"
578
+ "description": "Server behavioral drift score (0-100) — behavior change after approval"
579
+ },
580
+ {
581
+ "key": "rug_pull_detected",
582
+ "type": "boolean",
583
+ "required": false,
584
+ "description": "Whether a rug pull attack was explicitly detected"
423
585
  },
424
586
  {
425
587
  "key": "indirect_injection_score",
426
588
  "type": "number",
427
589
  "required": false,
428
- "description": "Indirect prompt injection risk score (0-100)"
590
+ "description": "Indirect injection risk score (0-100) — injection payloads in server responses"
429
591
  },
430
592
  {
431
593
  "key": "mcp_server_verified",
432
594
  "type": "boolean",
433
595
  "required": false,
434
- "description": "Whether MCP server is from a verified registry"
596
+ "description": "Whether the MCP server is from a verified registry"
597
+ },
598
+ {
599
+ "key": "mcp_config_risk",
600
+ "type": "boolean",
601
+ "required": false,
602
+ "description": "Whether risky server configuration was detected (inline code exec, mixed transports)"
603
+ },
604
+ {
605
+ "key": "mcp_risk_score",
606
+ "type": "number",
607
+ "required": false,
608
+ "description": "MCP configuration risk severity score (0-100)"
435
609
  }
436
610
  ]
437
611
  },
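Review bot: `mcp_config_risk` is a boolean but is named like a measurement and sits directly above the numeric `mcp_risk_score`, whereas every other boolean added in this change follows the `*_detected` or `contains_*` form. The two names are easy to swap when writing a condition, and a numeric comparison against the boolean would at best fail to evaluate. I would rename it to `mcp_config_risk_detected` before the key is published, or at least begin its description with `"Boolean flag: "`. The description of `rug_pull_score` in this hunk also changes meaning from tool behaviour mismatch to server behaviour change after approval while the key name stays the same as in the tool-call action, which deserves a sentence in the changelog.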
@@ -449,7 +623,7 @@
449
623
  "key": "source",
450
624
  "type": "string",
451
625
  "required": true,
452
- "description": "IDE source"
626
+ "description": "IDE source: cursor, claudecode, github_copilot"
453
627
  },
454
628
  {
455
629
  "key": "event",
@@ -485,31 +659,67 @@
485
659
  "key": "threat_count",
486
660
  "type": "number",
487
661
  "required": false,
488
- "description": "Total threats detected (if scanning ran)"
662
+ "description": "Total threats detected by the detection engine pipeline"
489
663
  },
490
664
  {
491
665
  "key": "highest_severity",
492
666
  "type": "string",
493
667
  "required": false,
494
- "description": "Highest severity level (if scanning ran)"
668
+ "description": "Highest severity level: critical, high, medium, low, none"
495
669
  },
496
670
  {
497
671
  "key": "threat_categories",
498
672
  "type": "array",
499
673
  "required": false,
500
- "description": "Threat categories (if scanning ran)"
674
+ "description": "Threat category names from the detection aggregator"
675
+ },
676
+ {
677
+ "key": "detected_threats",
678
+ "type": "array",
679
+ "required": false,
680
+ "description": "Detection rule names that matched"
501
681
  },
502
682
  {
503
683
  "key": "max_threat_severity",
504
684
  "type": "number",
505
685
  "required": false,
506
- "description": "Numeric severity 0-4 (if scanning ran)"
686
+ "description": "Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)"
507
687
  },
508
688
  {
509
689
  "key": "contains_secrets",
510
690
  "type": "boolean",
511
691
  "required": false,
512
- "description": "Whether secrets detected (if scanning ran)"
692
+ "description": "Whether secrets or credentials were detected in file content"
693
+ },
694
+ {
695
+ "key": "secret_types",
696
+ "type": "array",
697
+ "required": false,
698
+ "description": "Specific secret types found in file"
699
+ },
700
+ {
701
+ "key": "secret_count",
702
+ "type": "number",
703
+ "required": false,
704
+ "description": "Number of distinct secrets detected in file"
705
+ },
706
+ {
707
+ "key": "pii_detected",
708
+ "type": "boolean",
709
+ "required": false,
710
+ "description": "Whether any PII patterns were matched in file content"
711
+ },
712
+ {
713
+ "key": "pii_types",
714
+ "type": "array",
715
+ "required": false,
716
+ "description": "Specific PII types found in file"
717
+ },
718
+ {
719
+ "key": "pii_count",
720
+ "type": "number",
721
+ "required": false,
722
+ "description": "Number of PII pattern matches in file"
513
723
  }
514
724
  ]
515
725
  },
@@ -527,7 +737,7 @@
527
737
  "key": "source",
528
738
  "type": "string",
529
739
  "required": true,
530
- "description": "IDE source"
740
+ "description": "IDE source: cursor, claudecode, github_copilot"
531
741
  },
532
742
  {
533
743
  "key": "event",
@@ -563,31 +773,73 @@
563
773
  "key": "threat_count",
564
774
  "type": "number",
565
775
  "required": false,
566
- "description": "Total threats detected (if scanning ran)"
776
+ "description": "Total threats detected by the detection engine pipeline"
567
777
  },
568
778
  {
569
779
  "key": "highest_severity",
570
780
  "type": "string",
571
781
  "required": false,
572
- "description": "Highest severity level (if scanning ran)"
782
+ "description": "Highest severity level: critical, high, medium, low, none"
573
783
  },
574
784
  {
575
785
  "key": "threat_categories",
576
786
  "type": "array",
577
787
  "required": false,
578
- "description": "Threat categories (if scanning ran)"
788
+ "description": "Threat category names from the detection aggregator"
789
+ },
790
+ {
791
+ "key": "detected_threats",
792
+ "type": "array",
793
+ "required": false,
794
+ "description": "Detection rule names that matched"
579
795
  },
580
796
  {
581
797
  "key": "max_threat_severity",
582
798
  "type": "number",
583
799
  "required": false,
584
- "description": "Numeric severity 0-4 (if scanning ran)"
800
+ "description": "Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)"
585
801
  },
586
802
  {
587
803
  "key": "contains_secrets",
588
804
  "type": "boolean",
589
805
  "required": false,
590
- "description": "Whether secrets detected (if scanning ran)"
806
+ "description": "Whether secrets or credentials were detected in content being written"
807
+ },
808
+ {
809
+ "key": "secret_types",
810
+ "type": "array",
811
+ "required": false,
812
+ "description": "Specific secret types found"
813
+ },
814
+ {
815
+ "key": "secret_count",
816
+ "type": "number",
817
+ "required": false,
818
+ "description": "Number of distinct secrets detected"
819
+ },
820
+ {
821
+ "key": "pii_detected",
822
+ "type": "boolean",
823
+ "required": false,
824
+ "description": "Whether any PII patterns were matched in content being written"
825
+ },
826
+ {
827
+ "key": "pii_types",
828
+ "type": "array",
829
+ "required": false,
830
+ "description": "Specific PII types found"
831
+ },
832
+ {
833
+ "key": "pii_count",
834
+ "type": "number",
835
+ "required": false,
836
+ "description": "Number of PII pattern matches"
837
+ },
838
+ {
839
+ "key": "contains_invisible_chars",
840
+ "type": "boolean",
841
+ "required": false,
842
+ "description": "Whether invisible Unicode characters were detected in content being written"
591
843
  }
592
844
  ]
593
845
  }
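Review bot: Coverage of the invisible-character signal is uneven across actions: this hunk adds `contains_invisible_chars` without the companion `invisible_chars_score` that the prompt and tool-call actions receive, and the hunk at -485,31 +659,67 (descriptions there refer to "file content") adds neither key. Which actions these hunks belong to is not visible in the quoted lines, but if the second one is the file-read action, content read from files is exactly where hidden Unicode instructions would reach the agent, so the omission looks unintended. I would add both keys to both attribute lists with the same wording used elsewhere, or state in the description why the score is not computed for these actions.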