@highflame/policy 2.1.1 → 2.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/_schemas/guardrails/context.json +502 -0
  2. package/_schemas/guardrails/schema.cedarschema +150 -2
  3. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +45 -0
  4. package/_schemas/guardrails/templates/defaults/security_patterns.cedar +59 -0
  5. package/_schemas/guardrails/templates/templates.json +12 -2
  6. package/_schemas/overwatch/context.json +313 -61
  7. package/_schemas/overwatch/schema.cedarschema +251 -133
  8. package/dist/guardrails-context.gen.d.ts +46 -0
  9. package/dist/guardrails-context.gen.js +46 -0
  10. package/dist/guardrails-defaults.gen.js +129 -4
  11. package/dist/overwatch-context.gen.d.ts +23 -3
  12. package/dist/overwatch-context.gen.js +23 -3
  13. package/dist/overwatch-defaults.gen.d.ts +1 -1
  14. package/dist/overwatch-defaults.gen.js +1189 -458
  15. package/dist/service-schemas.gen.d.ts +2 -2
  16. package/dist/service-schemas.gen.js +579 -191
  17. package/package.json +1 -1
package/_schemas/guardrails/context.json CHANGED
@@ -160,6 +160,239 @@
160
160
  "required": false,
161
161
  "description": "Density score for invisible characters in the content (0-100). Higher scores indicate more invisible characters, suggesting evasion attempts",
162
162
  "range": "0-100"
163
+ },
164
+ {
165
+ "key": "command_injection_detected",
166
+ "type": "boolean",
167
+ "required": false,
168
+ "description": "Whether command injection patterns were detected in the content (reverse shells, privilege escalation, destructive commands)"
169
+ },
170
+ {
171
+ "key": "command_injection_type",
172
+ "type": "string",
173
+ "required": false,
174
+ "description": "Type of command injection: 'reverse_shell', 'privilege_escalation', 'code_execution', 'destructive_command', or 'data_exfiltration'"
175
+ },
176
+ {
177
+ "key": "command_injection_score",
178
+ "type": "number",
179
+ "required": false,
180
+ "description": "Confidence score for command injection detection (0-100). Higher scores indicate stronger pattern matches",
181
+ "range": "0-100"
182
+ },
183
+ {
184
+ "key": "path_traversal_detected",
185
+ "type": "boolean",
186
+ "required": false,
187
+ "description": "Whether path traversal patterns were detected (e.g., ../../../etc/passwd, URL-encoded variants)"
188
+ },
189
+ {
190
+ "key": "path_traversal_severity",
191
+ "type": "string",
192
+ "required": false,
193
+ "description": "Severity of path traversal: 'critical' (sensitive system files), 'high' (deep traversal), 'medium' (moderate traversal), 'low', or 'none'"
194
+ },
195
+ {
196
+ "key": "path_traversal_type",
197
+ "type": "string",
198
+ "required": false,
199
+ "description": "Type of path traversal detected (e.g., 'sensitive_file', 'deep_traversal', 'encoded_traversal')"
200
+ },
201
+ {
202
+ "key": "sql_injection_detected",
203
+ "type": "boolean",
204
+ "required": false,
205
+ "description": "Whether SQL injection patterns were detected (tautologies, UNION-based, destructive queries)"
206
+ },
207
+ {
208
+ "key": "sql_injection_type",
209
+ "type": "string",
210
+ "required": false,
211
+ "description": "Type of SQL injection: 'tautology', 'union_based', 'destructive', 'blind', or 'error_based'"
212
+ },
213
+ {
214
+ "key": "sql_injection_score",
215
+ "type": "number",
216
+ "required": false,
217
+ "description": "Confidence score for SQL injection detection (0-100). Typical threshold: >=75 for blocks",
218
+ "range": "0-100"
219
+ },
220
+ {
221
+ "key": "cross_origin_detected",
222
+ "type": "boolean",
223
+ "required": false,
224
+ "description": "Whether cross-origin escalation patterns were detected (tool calls or references crossing trust boundaries)"
225
+ },
226
+ {
227
+ "key": "cross_origin_type",
228
+ "type": "string",
229
+ "required": false,
230
+ "description": "Type of cross-origin escalation: 'cross_origin_tool', 'cross_origin_server', or 'none'"
231
+ },
232
+ {
233
+ "key": "cross_origin_score",
234
+ "type": "number",
235
+ "required": false,
236
+ "description": "Risk score for cross-origin escalation (0-100). Higher scores indicate more suspicious cross-boundary activity",
237
+ "range": "0-100"
238
+ },
239
+ {
240
+ "key": "encoded_content_detected",
241
+ "type": "boolean",
242
+ "required": false,
243
+ "description": "Whether encoded content was detected (base64, hex, unicode, URL encoding) that may hide malicious payloads"
244
+ },
245
+ {
246
+ "key": "encoded_types",
247
+ "type": "array",
248
+ "required": false,
249
+ "description": "Array of encoding types detected (e.g., ['base64', 'hex', 'unicode', 'url']). Use .contains() to check for specific encoding types"
250
+ },
251
+ {
252
+ "key": "encoded_count",
253
+ "type": "number",
254
+ "required": false,
255
+ "description": "Number of encoded segments found in the content"
256
+ },
257
+ {
258
+ "key": "encoded_score",
259
+ "type": "number",
260
+ "required": false,
261
+ "description": "Risk score for encoded injection attempts (0-100). Considers encoding density and decoded content patterns",
262
+ "range": "0-100"
263
+ },
264
+ {
265
+ "key": "detected_language",
266
+ "type": "string",
267
+ "required": false,
268
+ "description": "ISO language code of the detected language (e.g., 'en', 'fr', 'zh'). Use this for language-specific policy enforcement"
269
+ },
270
+ {
271
+ "key": "is_english",
272
+ "type": "boolean",
273
+ "required": false,
274
+ "description": "Whether the content is in English. Useful for applying English-only policies or flagging non-English content"
275
+ },
276
+ {
277
+ "key": "language_confidence",
278
+ "type": "number",
279
+ "required": false,
280
+ "description": "Confidence score for language detection (0-100). Use with detected_language to tune sensitivity",
281
+ "range": "0-100"
282
+ },
283
+ {
284
+ "key": "detected_script",
285
+ "type": "string",
286
+ "required": false,
287
+ "description": "Writing script detected in content: 'latin', 'cyrillic', 'arabic', 'cjk', 'unknown', etc. Use to detect script-switching attacks"
288
+ },
289
+ {
290
+ "key": "is_latin_script",
291
+ "type": "boolean",
292
+ "required": false,
293
+ "description": "Whether the content uses Latin script. Useful for detecting non-Latin script injection attempts"
294
+ },
295
+ {
296
+ "key": "script_confidence",
297
+ "type": "number",
298
+ "required": false,
299
+ "description": "Confidence score for script detection (0-100)",
300
+ "range": "0-100"
301
+ },
302
+ {
303
+ "key": "hallucination_score",
304
+ "type": "number",
305
+ "required": false,
306
+ "description": "ML-based score for hallucinated or fabricated content (0-100). Higher scores indicate higher likelihood of non-factual claims",
307
+ "range": "0-100"
308
+ },
309
+ {
310
+ "key": "factuality_score",
311
+ "type": "number",
312
+ "required": false,
313
+ "description": "ML-based factuality assessment score (0-100). Higher scores indicate more factually grounded content",
314
+ "range": "0-100"
315
+ },
316
+ {
317
+ "key": "sentiment_score",
318
+ "type": "number",
319
+ "required": false,
320
+ "description": "Sentiment analysis score. Use to detect overly negative or manipulative tone in prompts or responses",
321
+ "range": "0-100"
322
+ },
323
+ {
324
+ "key": "contains_code",
325
+ "type": "boolean",
326
+ "required": false,
327
+ "description": "Whether code snippets were detected in the content"
328
+ },
329
+ {
330
+ "key": "code_languages",
331
+ "type": "array",
332
+ "required": false,
333
+ "description": "Array of programming languages detected in code snippets (e.g., ['python', 'javascript'])"
334
+ },
335
+ {
336
+ "key": "code_ratio",
337
+ "type": "number",
338
+ "required": false,
339
+ "description": "Percentage of content that consists of code (0-100). High values may indicate code dumps or automated content",
340
+ "range": "0-100"
341
+ },
342
+ {
343
+ "key": "keyword_matched",
344
+ "type": "boolean",
345
+ "required": false,
346
+ "description": "Whether any configured keywords or phrases were matched in the content"
347
+ },
348
+ {
349
+ "key": "keyword_categories",
350
+ "type": "array",
351
+ "required": false,
352
+ "description": "Array of keyword categories matched (e.g., ['competitor_names', 'restricted_topics']). Use .contains() for category-specific policies"
353
+ },
354
+ {
355
+ "key": "keyword_count",
356
+ "type": "number",
357
+ "required": false,
358
+ "description": "Number of keyword matches found in the content"
359
+ },
360
+ {
361
+ "key": "contains_non_ascii",
362
+ "type": "boolean",
363
+ "required": false,
364
+ "description": "Whether non-ASCII characters were detected. May indicate obfuscation or encoding-based evasion attempts"
365
+ },
366
+ {
367
+ "key": "phishing_detected",
368
+ "type": "boolean",
369
+ "required": false,
370
+ "description": "Whether phishing patterns were detected in the content (suspicious URLs, impersonation, credential requests)"
371
+ },
372
+ {
373
+ "key": "content_safety_score",
374
+ "type": "number",
375
+ "required": false,
376
+ "description": "Aggregate content safety score (0-100). Combines multiple safety signals into a single risk indicator",
377
+ "range": "0-100"
378
+ },
379
+ {
380
+ "key": "content_safety_blocked",
381
+ "type": "boolean",
382
+ "required": false,
383
+ "description": "Whether content was flagged for blocking by the content safety system"
384
+ },
385
+ {
386
+ "key": "conversation_turn",
387
+ "type": "number",
388
+ "required": false,
389
+ "description": "Current conversation turn number. Use for policies that escalate strictness over long conversations"
390
+ },
391
+ {
392
+ "key": "multi_turn_detection",
393
+ "type": "boolean",
394
+ "required": false,
395
+ "description": "Whether multi-turn injection patterns were detected (attack spread across multiple conversation turns)"
163
396
  }
164
397
  ]
165
398
  },
@@ -314,6 +547,182 @@
314
547
  "type": "array",
315
548
  "required": false,
316
549
  "description": "Array of PII types found in tool arguments"
550
+ },
551
+ {
552
+ "key": "injection_score",
553
+ "type": "number",
554
+ "required": false,
555
+ "description": "ML-based confidence score for prompt injection in tool arguments (0-100)",
556
+ "range": "0-100"
557
+ },
558
+ {
559
+ "key": "command_injection_detected",
560
+ "type": "boolean",
561
+ "required": false,
562
+ "description": "Whether command injection patterns were detected in tool arguments"
563
+ },
564
+ {
565
+ "key": "command_injection_type",
566
+ "type": "string",
567
+ "required": false,
568
+ "description": "Type of command injection detected in tool arguments"
569
+ },
570
+ {
571
+ "key": "command_injection_score",
572
+ "type": "number",
573
+ "required": false,
574
+ "description": "Confidence score for command injection in tool arguments (0-100)",
575
+ "range": "0-100"
576
+ },
577
+ {
578
+ "key": "path_traversal_detected",
579
+ "type": "boolean",
580
+ "required": false,
581
+ "description": "Whether path traversal patterns were detected in tool arguments"
582
+ },
583
+ {
584
+ "key": "path_traversal_severity",
585
+ "type": "string",
586
+ "required": false,
587
+ "description": "Severity of path traversal in tool arguments"
588
+ },
589
+ {
590
+ "key": "path_traversal_type",
591
+ "type": "string",
592
+ "required": false,
593
+ "description": "Type of path traversal detected in tool arguments"
594
+ },
595
+ {
596
+ "key": "sql_injection_detected",
597
+ "type": "boolean",
598
+ "required": false,
599
+ "description": "Whether SQL injection patterns were detected in tool arguments"
600
+ },
601
+ {
602
+ "key": "sql_injection_type",
603
+ "type": "string",
604
+ "required": false,
605
+ "description": "Type of SQL injection detected in tool arguments"
606
+ },
607
+ {
608
+ "key": "sql_injection_score",
609
+ "type": "number",
610
+ "required": false,
611
+ "description": "Confidence score for SQL injection in tool arguments (0-100)",
612
+ "range": "0-100"
613
+ },
614
+ {
615
+ "key": "tool_poisoning_detected",
616
+ "type": "boolean",
617
+ "required": false,
618
+ "description": "Whether tool poisoning was detected (hidden instructions in tool descriptions or arguments designed to manipulate agent behavior)"
619
+ },
620
+ {
621
+ "key": "tool_poisoning_score",
622
+ "type": "number",
623
+ "required": false,
624
+ "description": "Confidence score for tool poisoning detection (0-100). Typical threshold: >=70 for blocks",
625
+ "range": "0-100"
626
+ },
627
+ {
628
+ "key": "tool_poisoning_type",
629
+ "type": "string",
630
+ "required": false,
631
+ "description": "Type of tool poisoning: 'hidden_instructions', 'system_prompt_injection', or 'authority_hijack'"
632
+ },
633
+ {
634
+ "key": "rug_pull_detected",
635
+ "type": "boolean",
636
+ "required": false,
637
+ "description": "Whether a rug pull was detected (tool behavior changed significantly after establishing trust)"
638
+ },
639
+ {
640
+ "key": "rug_pull_score",
641
+ "type": "number",
642
+ "required": false,
643
+ "description": "Confidence score for rug pull detection based on behavioral drift analysis (0-100)",
644
+ "range": "0-100"
645
+ },
646
+ {
647
+ "key": "mcp_config_risk",
648
+ "type": "boolean",
649
+ "required": false,
650
+ "description": "Whether MCP configuration risk was detected (inline code execution, suspicious URLs, cross-origin issues)"
651
+ },
652
+ {
653
+ "key": "mcp_risk_type",
654
+ "type": "string",
655
+ "required": false,
656
+ "description": "Type of MCP risk: 'inline_execution', 'suspicious_url', or 'cross_origin'"
657
+ },
658
+ {
659
+ "key": "mcp_risk_score",
660
+ "type": "number",
661
+ "required": false,
662
+ "description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks",
663
+ "range": "0-100"
664
+ },
665
+ {
666
+ "key": "cross_origin_detected",
667
+ "type": "boolean",
668
+ "required": false,
669
+ "description": "Whether cross-origin escalation patterns were detected in tool calls crossing trust boundaries"
670
+ },
671
+ {
672
+ "key": "cross_origin_type",
673
+ "type": "string",
674
+ "required": false,
675
+ "description": "Type of cross-origin escalation detected in tool call"
676
+ },
677
+ {
678
+ "key": "cross_origin_score",
679
+ "type": "number",
680
+ "required": false,
681
+ "description": "Risk score for cross-origin escalation in tool calls (0-100)",
682
+ "range": "0-100"
683
+ },
684
+ {
685
+ "key": "encoded_content_detected",
686
+ "type": "boolean",
687
+ "required": false,
688
+ "description": "Whether encoded content was detected in tool arguments (base64, hex, unicode encoding hiding payloads)"
689
+ },
690
+ {
691
+ "key": "encoded_types",
692
+ "type": "array",
693
+ "required": false,
694
+ "description": "Array of encoding types detected in tool arguments (e.g., ['base64', 'hex'])"
695
+ },
696
+ {
697
+ "key": "encoded_count",
698
+ "type": "number",
699
+ "required": false,
700
+ "description": "Number of encoded segments found in tool arguments"
701
+ },
702
+ {
703
+ "key": "encoded_score",
704
+ "type": "number",
705
+ "required": false,
706
+ "description": "Risk score for encoded injection in tool arguments (0-100)",
707
+ "range": "0-100"
708
+ },
709
+ {
710
+ "key": "rug_pull_type",
711
+ "type": "string",
712
+ "required": false,
713
+ "description": "Type of rug pull detected: 'risk_spike' (sudden risk increase), 'pattern_change' (behavioral shift), 'combined', or 'none'"
714
+ },
715
+ {
716
+ "key": "conversation_turn",
717
+ "type": "number",
718
+ "required": false,
719
+ "description": "Current conversation turn number for the agentic session"
720
+ },
721
+ {
722
+ "key": "multi_turn_detection",
723
+ "type": "boolean",
724
+ "required": false,
725
+ "description": "Whether multi-turn injection patterns were detected across tool calls in the session"
317
726
  }
318
727
  ]
319
728
  },
@@ -356,6 +765,24 @@
356
765
  "type": "array",
357
766
  "required": false,
358
767
  "description": "Array of PII types found in file content"
768
+ },
769
+ {
770
+ "key": "path_traversal_detected",
771
+ "type": "boolean",
772
+ "required": false,
773
+ "description": "Whether path traversal patterns were detected in the file path being read"
774
+ },
775
+ {
776
+ "key": "path_traversal_severity",
777
+ "type": "string",
778
+ "required": false,
779
+ "description": "Severity of path traversal in the file read path"
780
+ },
781
+ {
782
+ "key": "path_traversal_type",
783
+ "type": "string",
784
+ "required": false,
785
+ "description": "Type of path traversal detected in the file read path"
359
786
  }
360
787
  ]
361
788
  },
@@ -398,6 +825,24 @@
398
825
  "type": "array",
399
826
  "required": false,
400
827
  "description": "Array of PII types found in write content"
828
+ },
829
+ {
830
+ "key": "path_traversal_detected",
831
+ "type": "boolean",
832
+ "required": false,
833
+ "description": "Whether path traversal patterns were detected in the file path being written"
834
+ },
835
+ {
836
+ "key": "path_traversal_severity",
837
+ "type": "string",
838
+ "required": false,
839
+ "description": "Severity of path traversal in the file write path"
840
+ },
841
+ {
842
+ "key": "path_traversal_type",
843
+ "type": "string",
844
+ "required": false,
845
+ "description": "Type of path traversal detected in the file write path"
401
846
  }
402
847
  ]
403
848
  },
@@ -428,6 +873,63 @@
428
873
  "type": "boolean",
429
874
  "required": false,
430
875
  "description": "Whether the MCP server is from a verified/trusted registry. Use this to block connections to unverified servers"
876
+ },
877
+ {
878
+ "key": "tool_poisoning_detected",
879
+ "type": "boolean",
880
+ "required": false,
881
+ "description": "Whether tool poisoning was detected in the MCP server's tool descriptions (hidden instructions designed to manipulate agent behavior)"
882
+ },
883
+ {
884
+ "key": "tool_poisoning_score",
885
+ "type": "number",
886
+ "required": false,
887
+ "description": "Confidence score for tool poisoning in MCP server tools (0-100)",
888
+ "range": "0-100"
889
+ },
890
+ {
891
+ "key": "tool_poisoning_type",
892
+ "type": "string",
893
+ "required": false,
894
+ "description": "Type of tool poisoning detected in MCP server: 'hidden_instructions', 'system_prompt_injection', or 'authority_hijack'"
895
+ },
896
+ {
897
+ "key": "mcp_config_risk",
898
+ "type": "boolean",
899
+ "required": false,
900
+ "description": "Whether MCP configuration risk was detected (inline code execution in server configs, suspicious URLs, cross-origin issues)"
901
+ },
902
+ {
903
+ "key": "mcp_risk_type",
904
+ "type": "string",
905
+ "required": false,
906
+ "description": "Type of MCP configuration risk: 'inline_execution', 'suspicious_url', or 'cross_origin'"
907
+ },
908
+ {
909
+ "key": "mcp_risk_score",
910
+ "type": "number",
911
+ "required": false,
912
+ "description": "Risk score for MCP configuration issues (0-100)",
913
+ "range": "0-100"
914
+ },
915
+ {
916
+ "key": "cross_origin_detected",
917
+ "type": "boolean",
918
+ "required": false,
919
+ "description": "Whether cross-origin escalation patterns were detected in the MCP server connection"
920
+ },
921
+ {
922
+ "key": "cross_origin_type",
923
+ "type": "string",
924
+ "required": false,
925
+ "description": "Type of cross-origin escalation detected in server connection"
926
+ },
927
+ {
928
+ "key": "cross_origin_score",
929
+ "type": "number",
930
+ "required": false,
931
+ "description": "Risk score for cross-origin escalation in server connection (0-100)",
932
+ "range": "0-100"
431
933
  }
432
934
  ]
433
935
  }