npm - @highflame/policy - Versions diffs - 2.1.1 → 2.1.3 - Mend

@highflame/policy 2.1.1 → 2.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/_schemas/guardrails/context.json +502 -0
package/_schemas/guardrails/schema.cedarschema +150 -2
package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +45 -0
package/_schemas/guardrails/templates/defaults/security_patterns.cedar +59 -0
package/_schemas/guardrails/templates/templates.json +12 -2
package/_schemas/overwatch/context.json +313 -61
package/_schemas/overwatch/schema.cedarschema +251 -133
package/dist/guardrails-context.gen.d.ts +46 -0
package/dist/guardrails-context.gen.js +46 -0
package/dist/guardrails-defaults.gen.js +129 -4
package/dist/overwatch-context.gen.d.ts +23 -3
package/dist/overwatch-context.gen.js +23 -3
package/dist/overwatch-defaults.gen.d.ts +1 -1
package/dist/overwatch-defaults.gen.js +1189 -458
package/dist/service-schemas.gen.d.ts +2 -2
package/dist/service-schemas.gen.js +579 -191
package/package.json +1 -1

package/dist/guardrails-context.gen.js CHANGED Viewed

@@ -9,40 +9,86 @@
 export const GuardrailsContextKey = {
     BudgetExceeded: 'budget_exceeded',
     BudgetRemainingPct: 'budget_remaining_pct',
+    CodeLanguages: 'code_languages',
+    CodeRatio: 'code_ratio',
+    CommandInjectionDetected: 'command_injection_detected',
+    CommandInjectionScore: 'command_injection_score',
+    CommandInjectionType: 'command_injection_type',
+    ContainsCode: 'contains_code',
     ContainsInvisibleChars: 'contains_invisible_chars',
+    ContainsNonAscii: 'contains_non_ascii',
     ContainsSecrets: 'contains_secrets',
+    ContentSafetyBlocked: 'content_safety_blocked',
+    ContentSafetyScore: 'content_safety_score',
     ContentTopics: 'content_topics',
     ContentType: 'content_type',
+    ConversationTurn: 'conversation_turn',
     CrimeScore: 'crime_score',
+    CrossOriginDetected: 'cross_origin_detected',
+    CrossOriginScore: 'cross_origin_score',
+    CrossOriginType: 'cross_origin_type',
+    DetectedLanguage: 'detected_language',
+    DetectedScript: 'detected_script',
     DetectorCount: 'detector_count',
     Direction: 'direction',
+    EncodedContentDetected: 'encoded_content_detected',
+    EncodedCount: 'encoded_count',
+    EncodedScore: 'encoded_score',
+    EncodedTypes: 'encoded_types',
+    FactualityScore: 'factuality_score',
+    HallucinationScore: 'hallucination_score',
     HateSpeechScore: 'hate_speech_score',
     InjectionScore: 'injection_score',
     InjectionType: 'injection_type',
     InvisibleCharsScore: 'invisible_chars_score',
+    IsEnglish: 'is_english',
+    IsLatinScript: 'is_latin_script',
     JailbreakScore: 'jailbreak_score',
+    KeywordCategories: 'keyword_categories',
+    KeywordCount: 'keyword_count',
+    KeywordMatched: 'keyword_matched',
+    LanguageConfidence: 'language_confidence',
     LoopCount: 'loop_count',
     LoopDetected: 'loop_detected',
     LoopTool: 'loop_tool',
+    McpConfigRisk: 'mcp_config_risk',
+    McpRiskScore: 'mcp_risk_score',
+    McpRiskType: 'mcp_risk_type',
     McpServer: 'mcp_server',
     McpServerVerified: 'mcp_server_verified',
     McpTool: 'mcp_tool',
+    MultiTurnDetection: 'multi_turn_detection',
+    PathTraversalDetected: 'path_traversal_detected',
+    PathTraversalSeverity: 'path_traversal_severity',
+    PathTraversalType: 'path_traversal_type',
     PatternType: 'pattern_type',
+    PhishingDetected: 'phishing_detected',
     PiiCount: 'pii_count',
     PiiDetected: 'pii_detected',
     PiiTypes: 'pii_types',
     ProfanityScore: 'profanity_score',
     RequestId: 'request_id',
+    RugPullDetected: 'rug_pull_detected',
+    RugPullScore: 'rug_pull_score',
+    RugPullType: 'rug_pull_type',
+    ScriptConfidence: 'script_confidence',
     SecretCount: 'secret_count',
     SecretTypes: 'secret_types',
+    SentimentScore: 'sentiment_score',
     SequenceRisk: 'sequence_risk',
     SexualScore: 'sexual_score',
+    SqlInjectionDetected: 'sql_injection_detected',
+    SqlInjectionScore: 'sql_injection_score',
+    SqlInjectionType: 'sql_injection_type',
     SuspiciousPattern: 'suspicious_pattern',
     Timestamp: 'timestamp',
     ToolCategory: 'tool_category',
     ToolIsBuiltin: 'tool_is_builtin',
     ToolIsSensitive: 'tool_is_sensitive',
     ToolName: 'tool_name',
+    ToolPoisoningDetected: 'tool_poisoning_detected',
+    ToolPoisoningScore: 'tool_poisoning_score',
+    ToolPoisoningType: 'tool_poisoning_type',
     ToolRiskScore: 'tool_risk_score',
     TopicConfidence: 'topic_confidence',
     ViolenceScore: 'violence_score',

package/dist/guardrails-defaults.gen.js CHANGED Viewed

@@ -423,6 +423,111 @@ forbid (
     context.budget_remaining_pct < 5 &&
     context.budget_remaining_pct > 0
 };
+// =============================================================================
+// Agent Security — Supply Chain & Behavioral Drift
+// =============================================================================
+@id("agentic-block-tool-poisoning")
+@name("Block tool poisoning attacks")
+@description("Forbids tool calls or server connections when hidden instructions or authority hijack patterns are detected in tool descriptions or arguments")
+@severity("critical")
+@tags("agentic,tool-poisoning,supply-chain")
+forbid (
+    principal,
+    action in [Guardrails::Action::"call_tool", Guardrails::Action::"connect_server"],
+    resource
+) when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 70
+};
+@id("agentic-block-rug-pull")
+@name("Block rug pull attacks")
+@description("Forbids tool calls when significant behavioral drift is detected (tool output deviates from established patterns)")
+@severity("high")
+@tags("agentic,rug-pull,behavioral-drift")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has rug_pull_detected && context.rug_pull_detected == true &&
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+@id("agentic-block-mcp-config-risk")
+@name("Block risky MCP configurations")
+@description("Forbids tool calls or server connections when MCP configuration risks are detected (inline execution, suspicious URLs, cross-origin issues)")
+@severity("high")
+@tags("agentic,mcp-risk,supply-chain")
+forbid (
+    principal,
+    action in [Guardrails::Action::"call_tool", Guardrails::Action::"connect_server"],
+    resource
+) when {
+    context has mcp_config_risk && context.mcp_config_risk == true &&
+    context has mcp_risk_score && context.mcp_risk_score >= 70
+};
+`;
+const GUARDRAILS_SECURITY_PATTERNS_DEFAULT_CEDAR = `// =============================================================================
+// Security Pattern Detection Policy
+// =============================================================================
+// Blocks command injection, path traversal, and SQL injection attacks using
+// regex-based pattern detection from Shield's security detectors.
+//
+// Context keys used (normalized by projection layer):
+// - command_injection_detected: Bool - Command injection pattern found
+// - command_injection_score: Long (0-100) - Detection confidence
+// - path_traversal_detected: Bool - Path traversal pattern found
+// - path_traversal_severity: String - Severity level (critical/high/medium/low)
+// - sql_injection_detected: Bool - SQL injection pattern found
+// - sql_injection_score: Long (0-100) - Detection confidence
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+@id("security-block-command-injection")
+@name("Block command injection")
+@description("Forbids requests containing command injection patterns such as reverse shells, privilege escalation, or destructive commands")
+@severity("critical")
+@tags("command-injection,security")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+) when {
+    context has command_injection_detected && context.command_injection_detected == true
+};
+@id("security-block-path-traversal")
+@name("Block high-severity path traversal")
+@description("Forbids requests containing path traversal patterns targeting sensitive system files or using deep directory traversal")
+@severity("high")
+@tags("path-traversal,security")
+forbid (
+    principal,
+    action,
+    resource
+) when {
+    context has path_traversal_detected && context.path_traversal_detected == true &&
+    context has path_traversal_severity &&
+    (context.path_traversal_severity == "critical" || context.path_traversal_severity == "high")
+};
+@id("security-block-sql-injection")
+@name("Block high-confidence SQL injection")
+@description("Forbids requests with SQL injection confidence above 75% (tautologies, UNION-based, destructive queries)")
+@severity("high")
+@tags("sql-injection,security")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+) when {
+    context has sql_injection_detected && context.sql_injection_detected == true &&
+    context has sql_injection_score && context.sql_injection_score >= 75
+};
 `;
 const GUARDRAILS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
 // MCP Tool Permissions Template
@@ -952,11 +1057,21 @@ export const GUARDRAILS_DEFAULTS = [
     {
         id: 'agentic-safety-default',
         name: 'Agentic Safety',
-        description: 'Block tool call loops, data exfiltration patterns, high-risk sequences, and budget violations',
+        description: 'Block tool call loops, data exfiltration patterns, high-risk sequences, budget violations, tool poisoning, rug pull attacks, and MCP configuration risks',
         category: 'agentic_security',
         cedarText: GUARDRAILS_AGENTIC_SAFETY_DEFAULT_CEDAR,
         severity: 'high',
-        tags: ['agentic', 'safety', 'loops', 'exfiltration', 'budget'],
+        tags: ['agentic', 'safety', 'loops', 'exfiltration', 'budget', 'tool-poisoning', 'rug-pull', 'mcp-risk'],
+        isActive: true,
+    },
+    {
+        id: 'security-patterns-default',
+        name: 'Security Pattern Detection',
+        description: 'Block command injection, path traversal, and SQL injection attacks using regex-based pattern detection',
+        category: 'security',
+        cedarText: GUARDRAILS_SECURITY_PATTERNS_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['command-injection', 'path-traversal', 'sql-injection', 'security'],
         isActive: true,
     },
 ];
@@ -1145,11 +1260,21 @@ export const GUARDRAILS_TEMPLATES_JSON = `{
     {
       "id": "agentic-safety-default",
       "name": "Agentic Safety",
-      "description": "Block tool call loops, data exfiltration patterns, high-risk sequences, and budget violations",
+      "description": "Block tool call loops, data exfiltration patterns, high-risk sequences, budget violations, tool poisoning, rug pull attacks, and MCP configuration risks",
       "category": "agentic_security",
       "file": "defaults/agentic_safety.cedar",
       "severity": "high",
-      "tags": ["agentic", "safety", "loops", "exfiltration", "budget"],
+      "tags": ["agentic", "safety", "loops", "exfiltration", "budget", "tool-poisoning", "rug-pull", "mcp-risk"],
+      "is_active": true
+    },
+    {
+      "id": "security-patterns-default",
+      "name": "Security Pattern Detection",
+      "description": "Block command injection, path traversal, and SQL injection attacks using regex-based pattern detection",
+      "category": "security",
+      "file": "defaults/security_patterns.cedar",
+      "severity": "critical",
+      "tags": ["command-injection", "path-traversal", "sql-injection", "security"],
       "is_active": true
     }
   ],

package/dist/overwatch-context.gen.d.ts CHANGED Viewed

@@ -1,41 +1,61 @@
 /**
- * Context attribute keys for Overwatch Overwatch (Guardian) IDE security & policy enforcement.
+ * Context attribute keys for Overwatch Overwatch IDE agent security & policy enforcement.
  *
  * These constants correspond to the context attributes defined in the
  * Overwatch Cedar schema and are used at policy evaluation time.
  */
 export declare const OverwatchContextKey: {
+    readonly ContainsInvisibleChars: "contains_invisible_chars";
     readonly ContainsSecrets: "contains_secrets";
     readonly Content: "content";
     readonly CrimeScore: "crime_score";
     readonly Cwd: "cwd";
+    readonly DetectedThreats: "detected_threats";
     readonly Event: "event";
     readonly HateSpeechScore: "hate_speech_score";
     readonly HighestSeverity: "highest_severity";
     readonly IndirectInjectionScore: "indirect_injection_score";
     readonly InjectionConfidence: "injection_confidence";
+    readonly InvisibleCharsScore: "invisible_chars_score";
     readonly JailbreakConfidence: "jailbreak_confidence";
+    readonly LoopCount: "loop_count";
+    readonly LoopDetected: "loop_detected";
+    readonly LoopTool: "loop_tool";
     readonly MaxThreatSeverity: "max_threat_severity";
+    readonly McpConfigRisk: "mcp_config_risk";
+    readonly McpRiskScore: "mcp_risk_score";
     readonly McpServer: "mcp_server";
     readonly McpServerVerified: "mcp_server_verified";
     readonly McpTool: "mcp_tool";
     readonly Path: "path";
+    readonly PatternType: "pattern_type";
     readonly PiiConfidence: "pii_confidence";
+    readonly PiiCount: "pii_count";
+    readonly PiiDetected: "pii_detected";
+    readonly PiiTypes: "pii_types";
     readonly ProfanityScore: "profanity_score";
     readonly PromptText: "prompt_text";
     readonly ResponseContent: "response_content";
+    readonly RugPullDetected: "rug_pull_detected";
     readonly RugPullScore: "rug_pull_score";
+    readonly SecretCount: "secret_count";
+    readonly SecretTypes: "secret_types";
+    readonly SequenceRisk: "sequence_risk";
     readonly SexualScore: "sexual_score";
     readonly Source: "source";
+    readonly SuspiciousPattern: "suspicious_pattern";
     readonly ThreatCategories: "threat_categories";
     readonly ThreatCount: "threat_count";
-    readonly ThreatTypes: "threat_types";
+    readonly ToolCategory: "tool_category";
+    readonly ToolIsBuiltin: "tool_is_builtin";
+    readonly ToolIsSensitive: "tool_is_sensitive";
     readonly ToolName: "tool_name";
+    readonly ToolPoisoningDetected: "tool_poisoning_detected";
     readonly ToolPoisoningScore: "tool_poisoning_score";
+    readonly ToolRiskScore: "tool_risk_score";
     readonly UserEmail: "user_email";
     readonly ViolenceScore: "violence_score";
     readonly WeaponsScore: "weapons_score";
     readonly WorkspaceRoot: "workspace_root";
-    readonly YaraThreats: "yara_threats";
 };
 export type OverwatchContextKey = (typeof OverwatchContextKey)[keyof typeof OverwatchContextKey];

package/dist/overwatch-context.gen.js CHANGED Viewed

@@ -1,42 +1,62 @@
 // Code generated by highflame-policy-codegen. DO NOT EDIT.
 // Source: schemas/overwatch/context.json
 /**
- * Context attribute keys for Overwatch Overwatch (Guardian) IDE security & policy enforcement.
+ * Context attribute keys for Overwatch Overwatch IDE agent security & policy enforcement.
  *
  * These constants correspond to the context attributes defined in the
  * Overwatch Cedar schema and are used at policy evaluation time.
  */
 export const OverwatchContextKey = {
+    ContainsInvisibleChars: 'contains_invisible_chars',
     ContainsSecrets: 'contains_secrets',
     Content: 'content',
     CrimeScore: 'crime_score',
     Cwd: 'cwd',
+    DetectedThreats: 'detected_threats',
     Event: 'event',
     HateSpeechScore: 'hate_speech_score',
     HighestSeverity: 'highest_severity',
     IndirectInjectionScore: 'indirect_injection_score',
     InjectionConfidence: 'injection_confidence',
+    InvisibleCharsScore: 'invisible_chars_score',
     JailbreakConfidence: 'jailbreak_confidence',
+    LoopCount: 'loop_count',
+    LoopDetected: 'loop_detected',
+    LoopTool: 'loop_tool',
     MaxThreatSeverity: 'max_threat_severity',
+    McpConfigRisk: 'mcp_config_risk',
+    McpRiskScore: 'mcp_risk_score',
     McpServer: 'mcp_server',
     McpServerVerified: 'mcp_server_verified',
     McpTool: 'mcp_tool',
     Path: 'path',
+    PatternType: 'pattern_type',
     PiiConfidence: 'pii_confidence',
+    PiiCount: 'pii_count',
+    PiiDetected: 'pii_detected',
+    PiiTypes: 'pii_types',
     ProfanityScore: 'profanity_score',
     PromptText: 'prompt_text',
     ResponseContent: 'response_content',
+    RugPullDetected: 'rug_pull_detected',
     RugPullScore: 'rug_pull_score',
+    SecretCount: 'secret_count',
+    SecretTypes: 'secret_types',
+    SequenceRisk: 'sequence_risk',
     SexualScore: 'sexual_score',
     Source: 'source',
+    SuspiciousPattern: 'suspicious_pattern',
     ThreatCategories: 'threat_categories',
     ThreatCount: 'threat_count',
-    ThreatTypes: 'threat_types',
+    ToolCategory: 'tool_category',
+    ToolIsBuiltin: 'tool_is_builtin',
+    ToolIsSensitive: 'tool_is_sensitive',
     ToolName: 'tool_name',
+    ToolPoisoningDetected: 'tool_poisoning_detected',
     ToolPoisoningScore: 'tool_poisoning_score',
+    ToolRiskScore: 'tool_risk_score',
     UserEmail: 'user_email',
     ViolenceScore: 'violence_score',
     WeaponsScore: 'weapons_score',
     WorkspaceRoot: 'workspace_root',
-    YaraThreats: 'yara_threats',
 };

package/dist/overwatch-defaults.gen.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@
  * Overwatch policy category identifiers.
  * Maps to UI tab names in Studio.
  */
-export type OverwatchCategory = 'secrets' | 'pii' | 'semantic' | 'tools' | 'organization' | 'trust_safety' | 'agent_security';
+export type OverwatchCategory = 'secrets' | 'pii' | 'semantic' | 'tools' | 'organization' | 'trust_safety' | 'agent_security' | 'encoding' | 'behavioral';
 /**
  * Category metadata for UI display.
  */