@highflame/policy 2.1.10 → 2.1.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/_schemas/guardrails/schema.cedarschema +21 -13
- package/_schemas/sentry/schema.cedarschema +1 -1
- package/dist/guardrails-entities.gen.js +11 -11
- package/dist/overwatch-entities.gen.js +6 -6
- package/dist/sentry-entities.gen.js +2 -2
- package/dist/service-schemas.gen.d.ts +2 -2
- package/dist/service-schemas.gen.js +22 -14
- package/package.json +1 -1
|
@@ -16,12 +16,16 @@ namespace Guardrails {
|
|
|
16
16
|
// Entity hierarchy enables Cedar's `in` operator for policy scoping:
|
|
17
17
|
// Account (org root)
|
|
18
18
|
// └── Project in [Account]
|
|
19
|
-
//
|
|
20
|
-
//
|
|
19
|
+
// ├── App in [Project]
|
|
20
|
+
// │ └── Session in [App, Agent]
|
|
21
|
+
// └── Agent in [Project]
|
|
22
|
+
// └── Session in [App, Agent]
|
|
21
23
|
//
|
|
22
24
|
// Policy scoping examples:
|
|
23
|
-
// resource == Guardrails::App::"<uuid>" → app-scoped
|
|
24
|
-
// resource
|
|
25
|
+
// resource == Guardrails::App::"<uuid>" → app-scoped (app only)
|
|
26
|
+
// resource == Guardrails::Agent::"<agent_id>" → agent-only (exact match)
|
|
27
|
+
// resource in Guardrails::Agent::"<agent_id>" → agent + its sessions
|
|
28
|
+
// resource in Guardrails::Project::"<uuid>" → project-wide (apps + agents)
|
|
25
29
|
// resource in Guardrails::Account::"<uuid>" → org-wide
|
|
26
30
|
// =========================================================================
|
|
27
31
|
|
|
@@ -34,14 +38,18 @@ namespace Guardrails {
|
|
|
34
38
|
/// User represents a principal (human or service) making requests
|
|
35
39
|
entity User;
|
|
36
40
|
|
|
37
|
-
/// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests
|
|
38
|
-
|
|
41
|
+
/// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.
|
|
42
|
+
/// Used as both principal (who is acting) and resource (policy scoping target).
|
|
43
|
+
/// Agent + sessions: resource in Guardrails::Agent::"<agent_id>" (hierarchy match)
|
|
44
|
+
/// Agent only: resource == Guardrails::Agent::"<agent_id>" (exact match)
|
|
45
|
+
entity Agent in [Project];
|
|
39
46
|
|
|
40
47
|
/// App represents a protected application (guardrails-enabled LLM app)
|
|
41
48
|
entity App in [Project];
|
|
42
49
|
|
|
43
|
-
/// Session represents an agentic conversation session with state tracking
|
|
44
|
-
|
|
50
|
+
/// Session represents an agentic conversation session with state tracking.
|
|
51
|
+
/// Sessions can belong to either an App or an Agent.
|
|
52
|
+
entity Session in [App, Agent];
|
|
45
53
|
|
|
46
54
|
// =========================================================================
|
|
47
55
|
// Actions
|
|
@@ -50,35 +58,35 @@ namespace Guardrails {
|
|
|
50
58
|
/// Process user prompts and AI responses for security threats and content violations
|
|
51
59
|
action "process_prompt" appliesTo {
|
|
52
60
|
principal: [User, Agent],
|
|
53
|
-
resource: [App, Session],
|
|
61
|
+
resource: [App, Agent, Session],
|
|
54
62
|
context: ProcessPromptContext
|
|
55
63
|
};
|
|
56
64
|
|
|
57
65
|
/// Execute tool calls (shell, file operations, MCP tools)
|
|
58
66
|
action "call_tool" appliesTo {
|
|
59
67
|
principal: [User, Agent],
|
|
60
|
-
resource: [Session],
|
|
68
|
+
resource: [Agent, Session],
|
|
61
69
|
context: CallToolContext
|
|
62
70
|
};
|
|
63
71
|
|
|
64
72
|
/// Read file operations
|
|
65
73
|
action "read_file" appliesTo {
|
|
66
74
|
principal: [User, Agent],
|
|
67
|
-
resource: [Session],
|
|
75
|
+
resource: [Agent, Session],
|
|
68
76
|
context: FileReadContext
|
|
69
77
|
};
|
|
70
78
|
|
|
71
79
|
/// Write file operations
|
|
72
80
|
action "write_file" appliesTo {
|
|
73
81
|
principal: [User, Agent],
|
|
74
|
-
resource: [Session],
|
|
82
|
+
resource: [Agent, Session],
|
|
75
83
|
context: FileWriteContext
|
|
76
84
|
};
|
|
77
85
|
|
|
78
86
|
/// Connect to an MCP server
|
|
79
87
|
action "connect_server" appliesTo {
|
|
80
88
|
principal: [User, Agent],
|
|
81
|
-
resource: [Session],
|
|
89
|
+
resource: [Agent, Session],
|
|
82
90
|
context: ConnectServerContext
|
|
83
91
|
};
|
|
84
92
|
|
|
@@ -229,7 +229,7 @@ action receive_response appliesTo {
|
|
|
229
229
|
// Threat focus: data leakage via cut/paste, injection payloads in pasted content
|
|
230
230
|
action paste_content appliesTo {
|
|
231
231
|
principal: [User],
|
|
232
|
-
resource: [ChatSession],
|
|
232
|
+
resource: [ChatSession, Document],
|
|
233
233
|
context: {
|
|
234
234
|
// --- Core Metadata ---
|
|
235
235
|
content: String, // Pasted content
|
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
*/
|
|
7
7
|
export const GUARDRAILS_ENTITIES = {
|
|
8
8
|
principals: ['Agent', 'User'],
|
|
9
|
-
resources: ['App', 'Session'],
|
|
9
|
+
resources: ['Agent', 'App', 'Session'],
|
|
10
10
|
actions: ['call_tool', 'connect_server', 'process_prompt', 'read_file', 'write_file'],
|
|
11
11
|
};
|
|
12
12
|
/**
|
|
@@ -15,23 +15,23 @@ export const GUARDRAILS_ENTITIES = {
|
|
|
15
15
|
*/
|
|
16
16
|
export const GUARDRAILS_ACTION_ENTITIES = {
|
|
17
17
|
'call_tool': {
|
|
18
|
-
principals: ['
|
|
19
|
-
resources: ['Session'],
|
|
18
|
+
principals: ['Agent', 'User'],
|
|
19
|
+
resources: ['Agent', 'Session'],
|
|
20
20
|
},
|
|
21
21
|
'connect_server': {
|
|
22
|
-
principals: ['
|
|
23
|
-
resources: ['Session'],
|
|
22
|
+
principals: ['Agent', 'User'],
|
|
23
|
+
resources: ['Agent', 'Session'],
|
|
24
24
|
},
|
|
25
25
|
'process_prompt': {
|
|
26
|
-
principals: ['
|
|
27
|
-
resources: ['App', 'Session'],
|
|
26
|
+
principals: ['Agent', 'User'],
|
|
27
|
+
resources: ['Agent', 'App', 'Session'],
|
|
28
28
|
},
|
|
29
29
|
'read_file': {
|
|
30
|
-
principals: ['
|
|
31
|
-
resources: ['Session'],
|
|
30
|
+
principals: ['Agent', 'User'],
|
|
31
|
+
resources: ['Agent', 'Session'],
|
|
32
32
|
},
|
|
33
33
|
'write_file': {
|
|
34
|
-
principals: ['
|
|
35
|
-
resources: ['Session'],
|
|
34
|
+
principals: ['Agent', 'User'],
|
|
35
|
+
resources: ['Agent', 'Session'],
|
|
36
36
|
},
|
|
37
37
|
};
|
|
@@ -15,23 +15,23 @@ export const OVERWATCH_ENTITIES = {
|
|
|
15
15
|
*/
|
|
16
16
|
export const OVERWATCH_ACTION_ENTITIES = {
|
|
17
17
|
'call_tool': {
|
|
18
|
-
principals: ['
|
|
19
|
-
resources: ['
|
|
18
|
+
principals: ['Agent', 'User'],
|
|
19
|
+
resources: ['FilePath', 'Tool'],
|
|
20
20
|
},
|
|
21
21
|
'connect_server': {
|
|
22
|
-
principals: ['
|
|
22
|
+
principals: ['Agent', 'User'],
|
|
23
23
|
resources: ['Server'],
|
|
24
24
|
},
|
|
25
25
|
'process_prompt': {
|
|
26
|
-
principals: ['
|
|
26
|
+
principals: ['Agent', 'User'],
|
|
27
27
|
resources: ['LlmPrompt'],
|
|
28
28
|
},
|
|
29
29
|
'read_file': {
|
|
30
|
-
principals: ['
|
|
30
|
+
principals: ['Agent', 'User'],
|
|
31
31
|
resources: ['FilePath'],
|
|
32
32
|
},
|
|
33
33
|
'write_file': {
|
|
34
|
-
principals: ['
|
|
34
|
+
principals: ['Agent', 'User'],
|
|
35
35
|
resources: ['FilePath'],
|
|
36
36
|
},
|
|
37
37
|
};
|
|
@@ -16,7 +16,7 @@ export const SENTRY_ENTITIES = {
|
|
|
16
16
|
export const SENTRY_ACTION_ENTITIES = {
|
|
17
17
|
'paste_content': {
|
|
18
18
|
principals: ['User'],
|
|
19
|
-
resources: ['ChatSession'],
|
|
19
|
+
resources: ['ChatSession', 'Document'],
|
|
20
20
|
},
|
|
21
21
|
'receive_response': {
|
|
22
22
|
principals: ['User'],
|
|
@@ -28,6 +28,6 @@ export const SENTRY_ACTION_ENTITIES = {
|
|
|
28
28
|
},
|
|
29
29
|
'upload_file': {
|
|
30
30
|
principals: ['User'],
|
|
31
|
-
resources: ['
|
|
31
|
+
resources: ['ChatSession', 'Document'],
|
|
32
32
|
},
|
|
33
33
|
};
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Full Cedar schema for guardrails, embedded at codegen time.
|
|
5
5
|
*/
|
|
6
|
-
export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u2514\u2500\u2500 App in [Project]\n // \u2514\u2500\u2500 Session in [App]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n entity Agent;\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking\n entity Session in [App];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_confidence\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_confidence\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_confidence\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n \"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_confidence\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_confidence\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"contains_invisible_chars\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"contains_invisible_chars\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
|
|
6
|
+
export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u251C\u2500\u2500 App in [Project]\n // \u2502 \u2514\u2500\u2500 Session in [App, Agent]\n // \u2514\u2500\u2500 Agent in [Project]\n // \u2514\u2500\u2500 Session in [App, Agent]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped (app only)\n // resource == Guardrails::Agent::\"<agent_id>\" \u2192 agent-only (exact match)\n // resource in Guardrails::Agent::\"<agent_id>\" \u2192 agent + its sessions\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide (apps + agents)\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.\n /// Used as both principal (who is acting) and resource (policy scoping target).\n /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n /// Agent only: resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n entity Agent in [Project];\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking.\n /// Sessions can belong to either an App or an Agent.\n entity Session in [App, Agent];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Agent, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_confidence\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_confidence\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_confidence\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n \"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_confidence\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_confidence\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"contains_invisible_chars\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"contains_invisible_chars\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
|
|
7
7
|
/**
|
|
8
8
|
* Overwatch Cedar schema
|
|
9
9
|
*
|
|
@@ -21,7 +21,7 @@ export declare const PALISADE_SCHEMA = "// Palisade Cedar Schema\n// ===========
|
|
|
21
21
|
*
|
|
22
22
|
* Full Cedar schema for sentry, embedded at codegen time.
|
|
23
23
|
*/
|
|
24
|
-
export declare const SENTRY_SCHEMA = "// =============================================================================\n// Sentry Cedar Schema\n// =============================================================================\n// Browser Security \u2014 monitors AI chat interactions in the browser and enforces\n// data-protection, content-safety, and compliance policies at point of use.\n//\n// Sentry is a lightweight browser extension (JSA) that intercepts:\n// - Messages sent to AI chat services (ChatGPT, Gemini, Claude, Copilot, etc.)\n// - AI responses returned to the user\n// - Cut/paste operations transferring content into AI chats\n// - File/document uploads into AI chat services\n//\n// Architecture:\n// User \u2192 Browser Extension \u2192 Shield Detection Engine \u2192 Cedar Policy \u2192 Allow/Block\n//\n// Threat Coverage:\n// - Data Leakage: PII, PHI, credentials, source code, confidential documents\n// - Content Safety: Violence, hate speech, sexual content, restricted topics\n// - Prompt Injection: Direct and indirect injection via pasted/uploaded content\n// - Document Sensitivity: MIP label enforcement, classification-aware blocking\n// - Compliance: GDPR, HIPAA, PCI DSS, CCPA, EU AI Act\n//\n// Supported AI Services:\n// - ChatGPT (chat.openai.com)\n// - Google Gemini (gemini.google.com)\n// - Claude (claude.ai)\n// - GitHub Copilot Chat\n// - Microsoft Copilot\n// - Custom/enterprise AI chat endpoints\n\nnamespace Sentry {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails/Overwatch entity hierarchy (Account -> Project).\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n// Account (org root)\n// \u2514\u2500\u2500 Project in [Account]\n// \u2514\u2500\u2500 ChatSession in [Project]\n//\n// Policy scoping examples:\n// resource in Sentry::Account::\"<uuid>\" \u2192 org-wide\n// resource in Sentry::Project::\"<uuid>\" \u2192 project-wide\n// resource == Sentry::ChatSession::\"<id>\" \u2192 specific session\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user interacting with AI chat in the browser\nentity User;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// AI chat session \u2014 resource for send_message and receive_response actions\nentity ChatSession in [Project];\n\n/// Document or file being uploaded \u2014 resource for upload_file action\nentity Document in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User sends a message (prompt) to an AI chat service\n// Threat focus: data leakage (PII, secrets, confidential data), injection, content safety\naction send_message appliesTo {\n principal: [User],\n resource: [ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // Raw message content being sent\n source: String, // Browser extension identifier: \"sentry\"\n event: String, // Event type: \"send_message\"\n user_email: String, // User identifier (SSO/OAuth verified)\n target_app: String, // AI service: \"chatgpt\", \"gemini\", \"claude\", \"copilot\", \"custom\"\n target_url?: String, // Full URL of the AI chat service\n\n // --- Aggregated Threat Summary (from Shield NormalizeAggregation) ---\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n threat_categories: Set<String>, // Threat category names\n detected_threats: Set<String>, // Detection rule names that matched\n max_threat_severity: Long, // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n\n // --- Secrets Detection (from SecretsDetector) ---\n contains_secrets: Bool, // Whether secrets/credentials detected\n secret_types?: Set<String>, // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n secret_count?: Long, // Number of distinct secrets found\n\n // --- PII Detection (from PIIRegexDetector, normalized) ---\n pii_detected?: Bool, // Whether any PII patterns matched\n pii_types?: Set<String>, // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n pii_count?: Long, // Number of PII matches\n pii_confidence?: Long, // PII detection confidence (0-100)\n\n // --- Content Safety Scores (from ToxicityDetector, 0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n injection_score: Long, // Prompt injection score (max of InjectionDetector + DeepContextDetector)\n jailbreak_score: Long, // Jailbreak detection score (max of JailbreakDetector + DeepContextDetector)\n\n // --- Topic Classification (from TopicDetector) ---\n content_topics?: Set<String>, // Detected topics: \"controlled_substances\", \"weapons_manufacturing\", etc.\n topic_confidence?: Long, // Topic classifier confidence (0-100)\n\n // --- Encoding & Unicode Attacks (from SecurityFiltersDetector, EncodedInjectionDetector) ---\n contains_invisible_chars?: Bool, // Zero-width chars, bidi overrides, tag chars\n invisible_chars_score?: Long, // Unicode attack severity (0-100)\n encoded_content_detected?: Bool, // Base64, hex, unicode, URL encoded content\n encoded_types?: Set<String>, // Encoding types detected\n encoded_count?: Long, // Number of encoded segments\n encoded_score?: Long, // Encoded injection severity (0-100)\n\n // --- Code Detection (from CodeDetector) ---\n contains_code?: Bool, // Whether content contains source code\n code_languages?: Set<String>, // Detected languages: \"python\", \"javascript\", etc.\n code_ratio?: Long, // Percentage of content that is code (0-100)\n\n // --- Language Detection (from LanguageDetector, ScriptDetector) ---\n detected_language?: String, // ISO language code\n is_english?: Bool,\n language_confidence?: Long, // 0-100\n detected_script?: String, // \"latin\", \"cyrillic\", \"arabic\", \"unknown\"\n is_latin_script?: Bool,\n script_confidence?: Long, // 0-100\n\n // --- Keyword Detection (from KeywordDetector) ---\n keyword_matched?: Bool, // Whether any keywords matched\n keyword_categories?: Set<String>, // Matched keyword categories\n keyword_count?: Long, // Number of keyword matches\n\n // --- Phishing Detection (from CheckPhishDetector) ---\n phishing_detected?: Bool, // Whether phishing URLs detected in content\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n// AI service responds to the user\n// Threat focus: harmful content in responses, hallucination, data leakage in output\naction receive_response appliesTo {\n principal: [User],\n resource: [ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // AI response content\n source: String,\n event: String, // \"receive_response\"\n user_email: String,\n target_app: String,\n target_url?: String,\n\n // --- Aggregated Threat Summary ---\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n detected_threats: Set<String>,\n max_threat_severity: Long,\n\n // --- Secrets Detection ---\n contains_secrets: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_confidence?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Scores (0-100) ---\n injection_score: Long, // Indirect injection in response content\n jailbreak_score: Long,\n\n // --- Hallucination Detection (from HallucinationDetector) ---\n hallucination_score?: Long, // Hallucination confidence (0-100)\n factuality_score?: Long, // Factuality score (0-100)\n\n // --- Code in Response ---\n contains_code?: Bool,\n code_languages?: Set<String>,\n code_ratio?: Long,\n\n // --- Phishing ---\n phishing_detected?: Bool,\n\n // --- Session History ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n// User pastes content into an AI chat (clipboard, cross-tab, cross-app)\n// Threat focus: data leakage via cut/paste, injection payloads in pasted content\naction paste_content appliesTo {\n principal: [User],\n resource: [ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // Pasted content\n source: String,\n event: String, // \"paste_content\"\n user_email: String,\n target_app: String,\n target_url?: String,\n\n // --- Paste Context ---\n paste_source_app?: String, // Source application (e.g., \"outlook\", \"excel\", \"vscode\", \"terminal\")\n paste_source_url?: String, // Source URL if from another browser tab\n paste_length?: Long, // Character length of pasted content\n\n // --- Aggregated Threat Summary ---\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n detected_threats: Set<String>,\n max_threat_severity: Long,\n\n // --- Secrets Detection ---\n contains_secrets: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_confidence?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Scores (0-100) ---\n injection_score: Long,\n jailbreak_score: Long,\n\n // --- Code Detection ---\n contains_code?: Bool,\n code_languages?: Set<String>,\n code_ratio?: Long,\n\n // --- Encoding Attacks ---\n contains_invisible_chars?: Bool,\n invisible_chars_score?: Long,\n encoded_content_detected?: Bool,\n encoded_types?: Set<String>,\n encoded_count?: Long,\n encoded_score?: Long,\n\n // --- Keyword Detection ---\n keyword_matched?: Bool,\n keyword_categories?: Set<String>,\n keyword_count?: Long,\n\n // --- Session History ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n// User uploads a file or document into an AI chat\n// Threat focus: document sensitivity (MIP labels), PII/secrets in files, malware\naction upload_file appliesTo {\n principal: [User],\n resource: [Document, ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // Extracted file text content (for scanning)\n source: String,\n event: String, // \"upload_file\"\n user_email: String,\n target_app: String,\n target_url?: String,\n\n // --- File Metadata ---\n file_name?: String, // Original file name\n file_type?: String, // MIME type: \"application/pdf\", \"text/csv\", etc.\n file_size_bytes?: Long, // File size in bytes\n file_extension?: String, // Extension: \"pdf\", \"docx\", \"xlsx\", \"csv\", \"txt\"\n\n // --- Document Sensitivity (MIP Labels) ---\n mip_label_id?: String, // Microsoft Information Protection label ID\n mip_label_name?: String, // Label display name: \"Public\", \"Internal\", \"Confidential\", \"Highly Confidential\"\n sensitivity_level?: String, // Normalized: \"public\", \"internal\", \"confidential\", \"restricted\"\n is_encrypted?: Bool, // Whether file is encrypted (MIP protection)\n is_rights_managed?: Bool, // Whether file has rights management restrictions\n\n // --- Aggregated Threat Summary ---\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n detected_threats: Set<String>,\n max_threat_severity: Long,\n\n // --- Secrets Detection ---\n contains_secrets: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_confidence?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Scores (0-100) ---\n injection_score: Long, // Prompt injection payloads hidden in documents\n jailbreak_score: Long,\n\n // --- Code Detection ---\n contains_code?: Bool,\n code_languages?: Set<String>,\n code_ratio?: Long,\n\n // --- Phishing ---\n phishing_detected?: Bool,\n\n // --- Encoding Attacks ---\n contains_invisible_chars?: Bool,\n invisible_chars_score?: Long,\n encoded_content_detected?: Bool,\n encoded_types?: Set<String>,\n encoded_count?: Long,\n encoded_score?: Long,\n\n // --- Session History ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n}\n";
|
|
24
|
+
export declare const SENTRY_SCHEMA = "// =============================================================================\n// Sentry Cedar Schema\n// =============================================================================\n// Browser Security \u2014 monitors AI chat interactions in the browser and enforces\n// data-protection, content-safety, and compliance policies at point of use.\n//\n// Sentry is a lightweight browser extension (JSA) that intercepts:\n// - Messages sent to AI chat services (ChatGPT, Gemini, Claude, Copilot, etc.)\n// - AI responses returned to the user\n// - Cut/paste operations transferring content into AI chats\n// - File/document uploads into AI chat services\n//\n// Architecture:\n// User \u2192 Browser Extension \u2192 Shield Detection Engine \u2192 Cedar Policy \u2192 Allow/Block\n//\n// Threat Coverage:\n// - Data Leakage: PII, PHI, credentials, source code, confidential documents\n// - Content Safety: Violence, hate speech, sexual content, restricted topics\n// - Prompt Injection: Direct and indirect injection via pasted/uploaded content\n// - Document Sensitivity: MIP label enforcement, classification-aware blocking\n// - Compliance: GDPR, HIPAA, PCI DSS, CCPA, EU AI Act\n//\n// Supported AI Services:\n// - ChatGPT (chat.openai.com)\n// - Google Gemini (gemini.google.com)\n// - Claude (claude.ai)\n// - GitHub Copilot Chat\n// - Microsoft Copilot\n// - Custom/enterprise AI chat endpoints\n\nnamespace Sentry {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails/Overwatch entity hierarchy (Account -> Project).\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n// Account (org root)\n// \u2514\u2500\u2500 Project in [Account]\n// \u2514\u2500\u2500 ChatSession in [Project]\n//\n// Policy scoping examples:\n// resource in Sentry::Account::\"<uuid>\" \u2192 org-wide\n// resource in Sentry::Project::\"<uuid>\" \u2192 project-wide\n// resource == Sentry::ChatSession::\"<id>\" \u2192 specific session\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user interacting with AI chat in the browser\nentity User;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// AI chat session \u2014 resource for send_message and receive_response actions\nentity ChatSession in [Project];\n\n/// Document or file being uploaded \u2014 resource for upload_file action\nentity Document in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User sends a message (prompt) to an AI chat service\n// Threat focus: data leakage (PII, secrets, confidential data), injection, content safety\naction send_message appliesTo {\n principal: [User],\n resource: [ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // Raw message content being sent\n source: String, // Browser extension identifier: \"sentry\"\n event: String, // Event type: \"send_message\"\n user_email: String, // User identifier (SSO/OAuth verified)\n target_app: String, // AI service: \"chatgpt\", \"gemini\", \"claude\", \"copilot\", \"custom\"\n target_url?: String, // Full URL of the AI chat service\n\n // --- Aggregated Threat Summary (from Shield NormalizeAggregation) ---\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n threat_categories: Set<String>, // Threat category names\n detected_threats: Set<String>, // Detection rule names that matched\n max_threat_severity: Long, // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n\n // --- Secrets Detection (from SecretsDetector) ---\n contains_secrets: Bool, // Whether secrets/credentials detected\n secret_types?: Set<String>, // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n secret_count?: Long, // Number of distinct secrets found\n\n // --- PII Detection (from PIIRegexDetector, normalized) ---\n pii_detected?: Bool, // Whether any PII patterns matched\n pii_types?: Set<String>, // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n pii_count?: Long, // Number of PII matches\n pii_confidence?: Long, // PII detection confidence (0-100)\n\n // --- Content Safety Scores (from ToxicityDetector, 0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n injection_score: Long, // Prompt injection score (max of InjectionDetector + DeepContextDetector)\n jailbreak_score: Long, // Jailbreak detection score (max of JailbreakDetector + DeepContextDetector)\n\n // --- Topic Classification (from TopicDetector) ---\n content_topics?: Set<String>, // Detected topics: \"controlled_substances\", \"weapons_manufacturing\", etc.\n topic_confidence?: Long, // Topic classifier confidence (0-100)\n\n // --- Encoding & Unicode Attacks (from SecurityFiltersDetector, EncodedInjectionDetector) ---\n contains_invisible_chars?: Bool, // Zero-width chars, bidi overrides, tag chars\n invisible_chars_score?: Long, // Unicode attack severity (0-100)\n encoded_content_detected?: Bool, // Base64, hex, unicode, URL encoded content\n encoded_types?: Set<String>, // Encoding types detected\n encoded_count?: Long, // Number of encoded segments\n encoded_score?: Long, // Encoded injection severity (0-100)\n\n // --- Code Detection (from CodeDetector) ---\n contains_code?: Bool, // Whether content contains source code\n code_languages?: Set<String>, // Detected languages: \"python\", \"javascript\", etc.\n code_ratio?: Long, // Percentage of content that is code (0-100)\n\n // --- Language Detection (from LanguageDetector, ScriptDetector) ---\n detected_language?: String, // ISO language code\n is_english?: Bool,\n language_confidence?: Long, // 0-100\n detected_script?: String, // \"latin\", \"cyrillic\", \"arabic\", \"unknown\"\n is_latin_script?: Bool,\n script_confidence?: Long, // 0-100\n\n // --- Keyword Detection (from KeywordDetector) ---\n keyword_matched?: Bool, // Whether any keywords matched\n keyword_categories?: Set<String>, // Matched keyword categories\n keyword_count?: Long, // Number of keyword matches\n\n // --- Phishing Detection (from CheckPhishDetector) ---\n phishing_detected?: Bool, // Whether phishing URLs detected in content\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n// AI service responds to the user\n// Threat focus: harmful content in responses, hallucination, data leakage in output\naction receive_response appliesTo {\n principal: [User],\n resource: [ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // AI response content\n source: String,\n event: String, // \"receive_response\"\n user_email: String,\n target_app: String,\n target_url?: String,\n\n // --- Aggregated Threat Summary ---\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n detected_threats: Set<String>,\n max_threat_severity: Long,\n\n // --- Secrets Detection ---\n contains_secrets: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_confidence?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Scores (0-100) ---\n injection_score: Long, // Indirect injection in response content\n jailbreak_score: Long,\n\n // --- Hallucination Detection (from HallucinationDetector) ---\n hallucination_score?: Long, // Hallucination confidence (0-100)\n factuality_score?: Long, // Factuality score (0-100)\n\n // --- Code in Response ---\n contains_code?: Bool,\n code_languages?: Set<String>,\n code_ratio?: Long,\n\n // --- Phishing ---\n phishing_detected?: Bool,\n\n // --- Session History ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n// User pastes content into an AI chat (clipboard, cross-tab, cross-app)\n// Threat focus: data leakage via cut/paste, injection payloads in pasted content\naction paste_content appliesTo {\n principal: [User],\n resource: [ChatSession, Document],\n context: {\n // --- Core Metadata ---\n content: String, // Pasted content\n source: String,\n event: String, // \"paste_content\"\n user_email: String,\n target_app: String,\n target_url?: String,\n\n // --- Paste Context ---\n paste_source_app?: String, // Source application (e.g., \"outlook\", \"excel\", \"vscode\", \"terminal\")\n paste_source_url?: String, // Source URL if from another browser tab\n paste_length?: Long, // Character length of pasted content\n\n // --- Aggregated Threat Summary ---\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n detected_threats: Set<String>,\n max_threat_severity: Long,\n\n // --- Secrets Detection ---\n contains_secrets: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_confidence?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Scores (0-100) ---\n injection_score: Long,\n jailbreak_score: Long,\n\n // --- Code Detection ---\n contains_code?: Bool,\n code_languages?: Set<String>,\n code_ratio?: Long,\n\n // --- Encoding Attacks ---\n contains_invisible_chars?: Bool,\n invisible_chars_score?: Long,\n encoded_content_detected?: Bool,\n encoded_types?: Set<String>,\n encoded_count?: Long,\n encoded_score?: Long,\n\n // --- Keyword Detection ---\n keyword_matched?: Bool,\n keyword_categories?: Set<String>,\n keyword_count?: Long,\n\n // --- Session History ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n// User uploads a file or document into an AI chat\n// Threat focus: document sensitivity (MIP labels), PII/secrets in files, malware\naction upload_file appliesTo {\n principal: [User],\n resource: [Document, ChatSession],\n context: {\n // --- Core Metadata ---\n content: String, // Extracted file text content (for scanning)\n source: String,\n event: String, // \"upload_file\"\n user_email: String,\n target_app: String,\n target_url?: String,\n\n // --- File Metadata ---\n file_name?: String, // Original file name\n file_type?: String, // MIME type: \"application/pdf\", \"text/csv\", etc.\n file_size_bytes?: Long, // File size in bytes\n file_extension?: String, // Extension: \"pdf\", \"docx\", \"xlsx\", \"csv\", \"txt\"\n\n // --- Document Sensitivity (MIP Labels) ---\n mip_label_id?: String, // Microsoft Information Protection label ID\n mip_label_name?: String, // Label display name: \"Public\", \"Internal\", \"Confidential\", \"Highly Confidential\"\n sensitivity_level?: String, // Normalized: \"public\", \"internal\", \"confidential\", \"restricted\"\n is_encrypted?: Bool, // Whether file is encrypted (MIP protection)\n is_rights_managed?: Bool, // Whether file has rights management restrictions\n\n // --- Aggregated Threat Summary ---\n threat_count: Long,\n highest_severity: String,\n threat_categories: Set<String>,\n detected_threats: Set<String>,\n max_threat_severity: Long,\n\n // --- Secrets Detection ---\n contains_secrets: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_confidence?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Scores (0-100) ---\n injection_score: Long, // Prompt injection payloads hidden in documents\n jailbreak_score: Long,\n\n // --- Code Detection ---\n contains_code?: Bool,\n code_languages?: Set<String>,\n code_ratio?: Long,\n\n // --- Phishing ---\n phishing_detected?: Bool,\n\n // --- Encoding Attacks ---\n contains_invisible_chars?: Bool,\n invisible_chars_score?: Long,\n encoded_content_detected?: Bool,\n encoded_types?: Set<String>,\n encoded_count?: Long,\n encoded_score?: Long,\n\n // --- Session History ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_threat_turns?: Long,\n },\n};\n\n}\n";
|
|
25
25
|
/**
|
|
26
26
|
* Context attribute metadata for service actions.
|
|
27
27
|
* Used by PolicyBuilder UI to generate form fields.
|
|
@@ -32,12 +32,16 @@ namespace Guardrails {
|
|
|
32
32
|
// Entity hierarchy enables Cedar's \`in\` operator for policy scoping:
|
|
33
33
|
// Account (org root)
|
|
34
34
|
// └── Project in [Account]
|
|
35
|
-
//
|
|
36
|
-
//
|
|
35
|
+
// ├── App in [Project]
|
|
36
|
+
// │ └── Session in [App, Agent]
|
|
37
|
+
// └── Agent in [Project]
|
|
38
|
+
// └── Session in [App, Agent]
|
|
37
39
|
//
|
|
38
40
|
// Policy scoping examples:
|
|
39
|
-
// resource == Guardrails::App::"<uuid>" → app-scoped
|
|
40
|
-
// resource
|
|
41
|
+
// resource == Guardrails::App::"<uuid>" → app-scoped (app only)
|
|
42
|
+
// resource == Guardrails::Agent::"<agent_id>" → agent-only (exact match)
|
|
43
|
+
// resource in Guardrails::Agent::"<agent_id>" → agent + its sessions
|
|
44
|
+
// resource in Guardrails::Project::"<uuid>" → project-wide (apps + agents)
|
|
41
45
|
// resource in Guardrails::Account::"<uuid>" → org-wide
|
|
42
46
|
// =========================================================================
|
|
43
47
|
|
|
@@ -50,14 +54,18 @@ namespace Guardrails {
|
|
|
50
54
|
/// User represents a principal (human or service) making requests
|
|
51
55
|
entity User;
|
|
52
56
|
|
|
53
|
-
/// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests
|
|
54
|
-
|
|
57
|
+
/// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.
|
|
58
|
+
/// Used as both principal (who is acting) and resource (policy scoping target).
|
|
59
|
+
/// Agent + sessions: resource in Guardrails::Agent::"<agent_id>" (hierarchy match)
|
|
60
|
+
/// Agent only: resource == Guardrails::Agent::"<agent_id>" (exact match)
|
|
61
|
+
entity Agent in [Project];
|
|
55
62
|
|
|
56
63
|
/// App represents a protected application (guardrails-enabled LLM app)
|
|
57
64
|
entity App in [Project];
|
|
58
65
|
|
|
59
|
-
/// Session represents an agentic conversation session with state tracking
|
|
60
|
-
|
|
66
|
+
/// Session represents an agentic conversation session with state tracking.
|
|
67
|
+
/// Sessions can belong to either an App or an Agent.
|
|
68
|
+
entity Session in [App, Agent];
|
|
61
69
|
|
|
62
70
|
// =========================================================================
|
|
63
71
|
// Actions
|
|
@@ -66,35 +74,35 @@ namespace Guardrails {
|
|
|
66
74
|
/// Process user prompts and AI responses for security threats and content violations
|
|
67
75
|
action "process_prompt" appliesTo {
|
|
68
76
|
principal: [User, Agent],
|
|
69
|
-
resource: [App, Session],
|
|
77
|
+
resource: [App, Agent, Session],
|
|
70
78
|
context: ProcessPromptContext
|
|
71
79
|
};
|
|
72
80
|
|
|
73
81
|
/// Execute tool calls (shell, file operations, MCP tools)
|
|
74
82
|
action "call_tool" appliesTo {
|
|
75
83
|
principal: [User, Agent],
|
|
76
|
-
resource: [Session],
|
|
84
|
+
resource: [Agent, Session],
|
|
77
85
|
context: CallToolContext
|
|
78
86
|
};
|
|
79
87
|
|
|
80
88
|
/// Read file operations
|
|
81
89
|
action "read_file" appliesTo {
|
|
82
90
|
principal: [User, Agent],
|
|
83
|
-
resource: [Session],
|
|
91
|
+
resource: [Agent, Session],
|
|
84
92
|
context: FileReadContext
|
|
85
93
|
};
|
|
86
94
|
|
|
87
95
|
/// Write file operations
|
|
88
96
|
action "write_file" appliesTo {
|
|
89
97
|
principal: [User, Agent],
|
|
90
|
-
resource: [Session],
|
|
98
|
+
resource: [Agent, Session],
|
|
91
99
|
context: FileWriteContext
|
|
92
100
|
};
|
|
93
101
|
|
|
94
102
|
/// Connect to an MCP server
|
|
95
103
|
action "connect_server" appliesTo {
|
|
96
104
|
principal: [User, Agent],
|
|
97
|
-
resource: [Session],
|
|
105
|
+
resource: [Agent, Session],
|
|
98
106
|
context: ConnectServerContext
|
|
99
107
|
};
|
|
100
108
|
|
|
@@ -1316,7 +1324,7 @@ action receive_response appliesTo {
|
|
|
1316
1324
|
// Threat focus: data leakage via cut/paste, injection payloads in pasted content
|
|
1317
1325
|
action paste_content appliesTo {
|
|
1318
1326
|
principal: [User],
|
|
1319
|
-
resource: [ChatSession],
|
|
1327
|
+
resource: [ChatSession, Document],
|
|
1320
1328
|
context: {
|
|
1321
1329
|
// --- Core Metadata ---
|
|
1322
1330
|
content: String, // Pasted content
|