@highflame/policy 2.1.13 → 2.1.15

package/dist/mcp_gateway-entities.gen.js

@@ -0,0 +1,37 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/mcp_gateway/schema.cedarschema
+/**
+ * McpGateway entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export const MCP_GATEWAY_ENTITIES = {
+    principals: ['MCP_Client', 'User'],
+    resources: ['FilePath', 'LlmPrompt', 'Server', 'Tool'],
+    actions: ['call_tool', 'connect_server', 'process_prompt', 'read_file', 'write_file'],
+};
+/**
+ * Per-action entity mapping for McpGateway.
+ * Maps action names to their valid principals and resources.
+ */
+export const MCP_GATEWAY_ACTION_ENTITIES = {
+    'call_tool': {
+        principals: ['MCP_Client', 'User'],
+        resources: ['Tool'],
+    },
+    'connect_server': {
+        principals: ['MCP_Client', 'User'],
+        resources: ['Server'],
+    },
+    'process_prompt': {
+        principals: ['MCP_Client', 'User'],
+        resources: ['LlmPrompt'],
+    },
+    'read_file': {
+        principals: ['MCP_Client', 'User'],
+        resources: ['FilePath'],
+    },
+    'write_file': {
+        principals: ['MCP_Client', 'User'],
+        resources: ['FilePath'],
+    },
+};

package/dist/overwatch-defaults.gen.js

@@ -36,17 +36,17 @@ const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// ====================================
 // Secrets Detection Policy (Default)
 // =============================================================================
 // Detects and blocks credential leakage across prompts, tool calls, and file
-// operations using YARA rule name matching and file path patterns.
+// operations using Shield's secrets detector context keys and file path patterns.
 //
-// Detection layers:
-//   1. YARA rule triggers (detected_threats) — pattern-based, always available
-//   2. Sensitive file path blocking (.env, credential directories)
+// Detection:
+//   Shield's secrets detector (Tier Fast) populates:
+//     contains_secrets (bool) — true if any secret found
+//     secret_types (Set<String>) — types found: "aws_access_key", "ssh_key",
+//       "pem_certificate", "environment_variable", "github_token", etc.
+//     secret_count (long) — total secret matches
 //
-// YARA rules matched:
-//   secrets_leakage    — AWS keys, GitHub tokens, private key headers, API keys
-//   ssh_key_exposure   — SSH private key content and key file paths
-//   pem_file_access    — PEM/certificate private keys and key files
-//   environment_variable_leakage — OPENAI_API_KEY, HF_TOKEN, generic *_API_KEY
+//   Policies reference secret_types directly for per-category granularity.
+//   This works with both built-in and user-configured secret types.
 //
 // Compliance:
 //   NIST 800-53 SC-28 (Protection of Information at Rest)
@@ -60,17 +60,17 @@ const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// ====================================
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: YARA Rule — secrets_leakage
+// Section 1: General Secret Leakage
 // Detects AWS access keys, GitHub tokens, private key headers, API key
 // assignments, and bearer tokens in content.
 // ---------------------------------------------------------------------------
 
-// Block prompts containing detected secrets
+// Block prompts containing any detected secrets
 @id("secrets-block-leakage-prompt")
 @name("Block secrets in prompts")
-@description("Block prompts when YARA detects exposed secrets — AWS access keys (AKIA...), GitHub tokens (ghp_...), private key headers, bearer tokens, or API key assignments (api_key=sk-proj-...).")
+@description("Block prompts when secrets are detected — AWS access keys (AKIA...), GitHub tokens (ghp_...), private key headers, bearer tokens, or API key assignments.")
 @severity("high")
-@tags("secrets,credentials,yara,process-prompt,nist-sc-28,nist-ia-5")
+@tags("secrets,credentials,process-prompt,nist-sc-28,nist-ia-5")
 @reject_message("Prompt blocked: exposed secrets detected (AWS keys, tokens, private keys, or API key assignments). Remove sensitive credentials before submitting.")
 forbid (
     principal,
@@ -78,15 +78,15 @@ forbid (
     resource
 )
 when {
-    context.detected_threats.contains("secrets_leakage")
+    context.contains_secrets == true
 };
 
 // Block tool calls containing detected secrets
 @id("secrets-block-leakage-tool")
 @name("Block secrets in tool calls")
-@description("Block tool execution when YARA detects exposed secrets in tool arguments or command content.")
+@description("Block tool execution when secrets are detected in tool arguments or command content.")
 @severity("high")
-@tags("secrets,credentials,yara,call-tool,nist-sc-28,mitre-t1552")
+@tags("secrets,credentials,call-tool,nist-sc-28,mitre-t1552")
 @reject_message("Tool execution blocked: exposed secrets detected in command or arguments. Remove sensitive credentials before executing.")
 forbid (
     principal,
@@ -94,11 +94,11 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("secrets_leakage")
+    context has contains_secrets && context.contains_secrets == true
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: YARA Rule — ssh_key_exposure
+// Section 2: SSH Key Exposure
 // Detects SSH private key content (BEGIN OPENSSH/RSA PRIVATE KEY) and
 // SSH key file paths (/.ssh/id_rsa, id_ed25519).
 // ---------------------------------------------------------------------------
@@ -106,9 +106,9 @@ when {
 // Block SSH key exposure across tool calls and file operations
 @id("secrets-block-ssh-keys")
 @name("Block SSH key exposure")
-@description("Block when YARA detects SSH private key content or SSH key file paths. Covers tool calls, file reads, and file writes. AI agents must not access SSH credentials.")
+@description("Block when SSH private key content or SSH key file paths are detected. Covers tool calls, file reads, and file writes. AI agents must not access SSH credentials.")
 @severity("critical")
-@tags("secrets,ssh,credentials,yara,nist-ia-5,mitre-t1552")
+@tags("secrets,ssh,credentials,nist-ia-5,mitre-t1552")
 @reject_message("Blocked: SSH private key content or key file path detected. AI agents must not access SSH credentials.")
 forbid (
     principal,
@@ -116,11 +116,11 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("ssh_key_exposure")
+    context has secret_types && context.secret_types.contains("ssh_key")
 };
 
 // ---------------------------------------------------------------------------
-// Section 3: YARA Rule — pem_file_access
+// Section 3: PEM / Certificate Key Exposure
 // Detects PEM private key content (BEGIN ENCRYPTED/RSA/EC/DSA PRIVATE KEY)
 // and key file paths (.pem, .key, .p12, .pfx).
 // ---------------------------------------------------------------------------
@@ -128,9 +128,9 @@ when {
 // Block PEM/certificate key exposure
 @id("secrets-block-pem-keys")
 @name("Block PEM/certificate key exposure")
-@description("Block when YARA detects PEM private key content or certificate key file paths (.pem, .key, .p12, .pfx). AI agents must not access certificate credentials.")
+@description("Block when PEM private key content or certificate key file paths (.pem, .key, .p12, .pfx) are detected. AI agents must not access certificate credentials.")
 @severity("critical")
-@tags("secrets,certificates,pem,yara,nist-ia-5,mitre-t1552")
+@tags("secrets,certificates,pem,nist-ia-5,mitre-t1552")
 @reject_message("Blocked: PEM private key or certificate key file detected. AI agents must not access certificate credentials.")
 forbid (
     principal,
@@ -138,11 +138,11 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pem_file_access")
+    context has secret_types && context.secret_types.contains("pem_certificate")
 };
 
 // ---------------------------------------------------------------------------
-// Section 4: YARA Rule — environment_variable_leakage
+// Section 4: Environment Variable Leakage
 // Detects OPENAI_API_KEY=sk-..., HF_TOKEN=hf_..., and generic
 // <NAME>_API_KEY=<value> (16+ chars) patterns.
 // ---------------------------------------------------------------------------
@@ -150,9 +150,9 @@ when {
 // Block environment variable secret exposure
 @id("secrets-block-env-vars")
 @name("Block environment variable leakage")
-@description("Block when YARA detects environment variable secret assignments — OPENAI_API_KEY, HF_TOKEN, or generic <NAME>_API_KEY=<value> patterns with 16+ character values.")
+@description("Block when environment variable secret assignments are detected — OPENAI_API_KEY, HF_TOKEN, or generic <NAME>_API_KEY=<value> patterns with 16+ character values.")
 @severity("high")
-@tags("secrets,environment,yara,nist-ia-5")
+@tags("secrets,environment,nist-ia-5")
 @reject_message("Blocked: environment variable secret detected (API keys, tokens). Remove sensitive values before proceeding.")
 forbid (
     principal,
@@ -160,7 +160,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("environment_variable_leakage")
+    context has secret_types && context.secret_types.contains("environment_variable")
 };
 
 // ---------------------------------------------------------------------------
@@ -168,7 +168,7 @@ when {
 // Blocks file read/write access to credential directories and .env files.
 // NOTE: Targets read_file/write_file only — NOT call_tool. The path field
 // is empty for Bash commands (extractor reads tool_input.file_path which is
-// undefined for Bash). SSH key access via Bash is caught by YARA rules above.
+// undefined for Bash). SSH key access via Bash is caught by rules above.
 // ---------------------------------------------------------------------------
 
 // Block access to credential directories
@@ -639,20 +639,16 @@ const OVERWATCH_PII_DEFAULT_CEDAR = `// ========================================
 // PII Detection Policy (Default)
 // =============================================================================
 // Detects and blocks personally identifiable information across prompts, tool
-// calls, and file operations using YARA rule name matching and ML classifiers.
+// calls, and file operations using Shield's PII detector context keys.
 //
-// Detection layers:
-//   1. YARA rule triggers (detected_threats) — pattern-based, always available
+// Detection:
+//   Shield's pii_regex (Tier Fast) and gcp_dlp (Tier Slow) detectors populate:
+//     pii_detected (bool) — true if any PII found
+//     pii_types (Set<String>) — types found: "ssn", "credit_card", "email", etc.
+//     pii_count (long) — total PII matches
 //
-// YARA rules matched:
-//   pii_ssn            — US Social Security Numbers (XXX-XX-XXXX)
-//   pii_credit_card    — Credit card numbers (13-19 digits)
-//   pii_passport       — Passport numbers (1-2 letters + 6-9 digits)
-//   pii_iban           — International Bank Account Numbers
-//   pii_email          — Email addresses
-//   pii_phone_us       — US phone numbers
-//   pii_date_of_birth  — Dates in MM/DD/YYYY format
-//   pii_ip_address     — IPv4 addresses
+//   Policies reference pii_types directly for per-type granularity. This works
+//   with both built-in and user-configured PII types (via ConfigReloader).
 //
 // Compliance:
 //   PCI DSS 3.4, 4.1 (Payment Card Data)
@@ -677,7 +673,7 @@ const OVERWATCH_PII_DEFAULT_CEDAR = `// ========================================
 @name("Block Social Security Numbers")
 @description("Block content containing SSN patterns (XXX-XX-XXXX). SSNs are high-value identity theft targets — exposure through AI agents is a critical privacy violation.")
 @severity("critical")
-@tags("pii,ssn,identity,yara,pci-dss,nist-si-4")
+@tags("pii,ssn,identity,pci-dss,nist-si-4")
 @reject_message("Content blocked: Social Security Number patterns detected. SSNs must never be processed through AI agents.")
 forbid (
     principal,
@@ -685,7 +681,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_ssn")
+    context has pii_types && context.pii_types.contains("ssn")
 };
 
 // Block credit card numbers (PCI DSS compliance)
@@ -693,7 +689,7 @@ when {
 @name("Block credit card numbers")
 @description("Block content containing credit card number patterns (13-19 digits). PCI DSS 3.4 requires PANs are rendered unreadable — AI agents must never process raw card numbers.")
 @severity("critical")
-@tags("pii,credit-card,payment,yara,pci-dss-3.4,pci-dss-4.1")
+@tags("pii,credit-card,payment,pci-dss-3.4,pci-dss-4.1")
 @reject_message("Content blocked: credit card number patterns detected. Sharing payment card data through AI agents violates PCI DSS. Use tokenized references instead.")
 forbid (
     principal,
@@ -701,7 +697,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_credit_card")
+    context has pii_types && context.pii_types.contains("credit_card")
 };
 
 // ---------------------------------------------------------------------------
@@ -715,7 +711,7 @@ when {
 @name("Block passport numbers")
 @description("Block content containing passport number patterns (1-2 letters + 6-9 digits). Passport numbers are government-issued identifiers with high identity theft risk.")
 @severity("high")
-@tags("pii,passport,identity,yara,gdpr-art-32")
+@tags("pii,passport,identity,gdpr-art-32")
 @reject_message("Content blocked: passport number patterns detected. Government-issued identifiers must not be processed through AI agents.")
 forbid (
     principal,
@@ -723,7 +719,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_passport")
+    context has pii_types && context.pii_types.contains("passport")
 };
 
 // Block IBAN (International Bank Account Numbers)
@@ -731,7 +727,7 @@ when {
 @name("Block bank account numbers")
 @description("Block content containing IBAN patterns. Bank account numbers are sensitive financial identifiers that must not be exposed through AI agents.")
 @severity("high")
-@tags("pii,iban,financial,yara,gdpr-art-32,pci-dss")
+@tags("pii,iban,financial,gdpr-art-32,pci-dss")
 @reject_message("Content blocked: bank account number (IBAN) patterns detected. Financial account numbers must not be processed through AI agents.")
 forbid (
     principal,
@@ -739,7 +735,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_iban")
+    context has pii_types && context.pii_types.contains("iban")
 };
 
 // ---------------------------------------------------------------------------
@@ -753,7 +749,7 @@ when {
 @name("Block email addresses")
 @description("Block prompts and tool calls containing email address patterns. Prevents accidental sharing of personal email addresses with AI agents.")
 @severity("medium")
-@tags("pii,email,contact,yara,gdpr-art-32")
+@tags("pii,email,contact,gdpr-art-32")
 @reject_message("Content blocked: email address patterns detected. Remove personal email addresses before submitting to AI agents.")
 forbid (
     principal,
@@ -761,7 +757,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_email")
+    context has pii_types && context.pii_types.contains("email")
 };
 
 // Block US phone numbers
@@ -769,7 +765,7 @@ when {
 @name("Block phone numbers")
 @description("Block prompts and tool calls containing US phone number patterns. Prevents accidental sharing of personal phone numbers with AI agents.")
 @severity("medium")
-@tags("pii,phone,contact,yara,ccpa")
+@tags("pii,phone,contact,ccpa")
 @reject_message("Content blocked: phone number patterns detected. Remove personal phone numbers before submitting to AI agents.")
 forbid (
     principal,
@@ -777,7 +773,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_phone_us")
+    context has pii_types && context.pii_types.contains("phone")
 };
 
 // Block dates of birth
@@ -785,7 +781,7 @@ when {
 @name("Block dates of birth")
 @description("Block prompts and tool calls containing date of birth patterns (MM/DD/YYYY). Date of birth combined with other identifiers enables identity theft.")
 @severity("medium")
-@tags("pii,dob,identity,yara,hipaa-164.312")
+@tags("pii,dob,identity,hipaa-164.312")
 @reject_message("Content blocked: date of birth patterns detected. Remove personal dates before submitting to AI agents.")
 forbid (
     principal,
@@ -793,7 +789,7 @@ forbid (
     resource
 )
 when {
-    context has detected_threats && context.detected_threats.contains("pii_date_of_birth")
+    context has pii_types && context.pii_types.contains("date_of_birth")
 };
 
 // ---------------------------------------------------------------------------
@@ -807,7 +803,7 @@ when {
 @name("Block IP addresses in prompts")
 @description("Block prompts containing IPv4 address patterns. Only targets prompts — IP addresses are too common in source code and config files to block in tool calls or file operations.")
 @severity("low")
-@tags("pii,ip-address,network,yara")
+@tags("pii,ip-address,network")
 @reject_message("Content blocked: IP address patterns detected in prompt. Remove network identifiers before submitting.")
 forbid (
     principal,
@@ -815,9 +811,8 @@ forbid (
     resource
 )
 when {
-    context.detected_threats.contains("pii_ip_address")
+    context has pii_types && context.pii_types.contains("ip_address")
 };
-
 `;
 const OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
 // Only allow specific MCP servers to be used

package/dist/service-schemas.gen.d.ts

@@ -4,6 +4,12 @@
  * Full Cedar schema for guardrails, embedded at codegen time.
  */
 export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u251C\u2500\u2500 App in [Project]\n    //           \u2502     \u2514\u2500\u2500 Session in [App, Agent]\n    //           \u2514\u2500\u2500 Agent in [Project]\n    //                 \u2514\u2500\u2500 Session in [App, Agent]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped (app only)\n    //   resource == Guardrails::Agent::\"<agent_id>\"        \u2192 agent-only (exact match)\n    //   resource in Guardrails::Agent::\"<agent_id>\"        \u2192 agent + its sessions\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide (apps + agents)\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.\n    /// Used as both principal (who is acting) and resource (policy scoping target).\n    /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n    /// Agent only:       resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n    entity Agent in [Project];\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking.\n    /// Sessions can belong to either an App or an Agent.\n    entity Session in [App, Agent];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Agent, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_confidence\"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)\n        \"jailbreak_confidence\"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"jailbreak_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n        \"pii_confidence\"?: Long,         // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n        // Threat Severity Aggregation (optional)\n        \"highest_severity\"?: String,     // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"contains_invisible_chars\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        // Present when the request is made by an AI agent (API key or JWT with agent claims).\n        // Empty strings for human user requests. Use these to write agent-specific policies.\n        \"agent_id\"?: String,             // Unique agent identifier (e.g., \"agent_research_v3\")\n        \"agent_type\"?: String,           // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n        \"agent_trust_level\"?: String,    // \"first_party\" | \"verified_third_party\" | \"unverified\"\n        \"agent_framework\"?: String,      // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n        \"agent_publisher\"?: String,      // Organization that published the agent\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Agentic - Budget Control (optional)\n        \"budget_remaining_pct\"?: Long,   // 0-100\n        \"budget_exceeded\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"pii_count\"?: Long,              // Number of PII pattern matches in tool content\n        \"pii_confidence\"?: Long,         // PII ML classifier confidence (0-100)\n        \"injection_confidence\"?: Long,\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // File & Path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path when tool operates on files\n\n        // Security - Invisible Character Detection in tool args (optional)\n        \"contains_invisible_chars\"?: Bool,       // Whether invisible Unicode chars detected in tool args\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n        \"indirect_injection_score\"?: Long,       // Indirect injection risk score (0-100)\n        \"indirect_injection_type\"?: String,      // Type of indirect injection detected\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                 // File path being read\n\n        // Security checks on file content (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path being written\n\n        // Security - Invisible Character Detection in write content (optional)\n        \"contains_invisible_chars\"?: Bool,       // Whether invisible Unicode chars detected in write content\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security checks on content being written (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n}\n";
+/**
+ * McpGateway Cedar schema
+ *
+ * Full Cedar schema for mcp_gateway, embedded at codegen time.
+ */
+export declare const MCP_GATEWAY_SCHEMA = "// MCPGateway Cedar Schema\n// ===================================\n// MCP Gateway Security & Policy Enforcement\n//\n// MCPGateway protects MCP proxy operations (tool calls, server connections)\n// by evaluating threats detected by the Shield detection engine pipeline\n// against Cedar policies.\n//\n// Architecture:\n//   MCP Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny\n//\n// Threat Coverage:\n//   - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)\n//   - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)\n//   - OWASP MCP Top 10 (MCP01-MCP05)\n\nnamespace MCPGateway {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// MCPGateway does not use App/Session hierarchy.\n//\n// Entity hierarchy:\n//   Account (org root)\n//     -> Project in [Account]\n//          -> Tool/Server in [Project]\n//\n// Policy scoping examples:\n//   resource == MCPGateway::Tool::\"get_me\"            -> specific tool\n//   resource in MCPGateway::Project::\"<uuid>\"          -> project-wide\n//   resource in MCPGateway::Account::\"<uuid>\"          -> org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user authenticated via JWT or API key\nentity User;\n\n/// MCP client (default principal for unauthenticated requests)\nentity MCP_Client;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// MCP tool -- resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server -- resource for connect_server action\nentity Server in [Project];\n\n/// MCP prompt -- resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// File/resource path -- resource for read_file/write_file actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Call an MCP tool\n// Threat focus: command injection, tool poisoning, rug pull, secrets, PII\naction call_tool appliesTo {\n  principal: [User, MCP_Client],\n  resource: [Tool],\n  context: {\n    // --- Content ---\n    content: String,                  // Raw content being scanned\n\n    // --- Tool & MCP ---\n    tool_name?: String,               // Tool name\n    mcp_server?: String,              // MCP server name\n    mcp_tool?: String,                // MCP tool name\n\n    // --- Threat Detection (from Shield detection pipeline) ---\n    threat_count?: Long,              // Total threats detected\n    highest_severity?: String,        // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n    threat_categories?: Set<String>,  // Threat category names\n    detected_threats?: Set<String>,   // Detection rule names that matched\n    max_threat_severity?: Long,       // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n    contains_secrets?: Bool,          // Whether secrets/credentials detected\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_confidence?: Long,      // Prompt injection classifier confidence\n    jailbreak_confidence?: Long,      // Jailbreak detection classifier confidence\n\n    // --- Agent Security (0-100) ---\n    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,            // Tool behavior drift after trust establishment\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,  // Indirect injection via tool output\n\n    // --- Tool Risk Assessment ---\n    tool_risk_score?: Long,           // Computed tool risk (0-100)\n    tool_category?: String,           // \"safe\", \"sensitive\", \"dangerous\"\n    tool_is_sensitive?: Bool,\n    tool_is_builtin?: Bool,\n\n    // --- MCP Trust ---\n    mcp_server_verified?: Bool,       // Whether server is from verified registry\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- Behavioral Analysis ---\n    loop_detected?: Bool,\n    loop_count?: Long,\n    loop_tool?: String,\n    suspicious_pattern?: Bool,\n    pattern_type?: String,\n    sequence_risk?: Long,\n  },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n  principal: [User, MCP_Client],\n  resource: [Server],\n  context: {\n    content?: String,                 // Server config content (if available)\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    max_threat_severity?: Long,\n\n    // --- Agent Security (0-100) ---\n    tool_poisoning_score?: Long,\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,\n\n    // --- MCP Trust & Config Risk ---\n    mcp_server_verified?: Bool,\n    mcp_config_risk?: Bool,\n    mcp_risk_score?: Long,\n  },\n};\n\n// Process an MCP prompt (prompts/get, prompts/list)\n// Threat focus: injection, jailbreak, secrets, PII, content safety\naction process_prompt appliesTo {\n  principal: [User, MCP_Client],\n  resource: [LlmPrompt],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_confidence?: Long,\n    jailbreak_confidence?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- Encoding ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n  },\n};\n\n// Read an MCP resource (resources/read, resources/list)\n// Threat focus: secrets exposure, PII exposure, sensitive paths\naction read_file appliesTo {\n  principal: [User, MCP_Client],\n  resource: [FilePath],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n  },\n};\n\n// Write an MCP resource (resources/write)\n// Threat focus: secrets in output, PII in output\naction write_file appliesTo {\n  principal: [User, MCP_Client],\n  resource: [FilePath],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n  },\n};\n\n}\n";
 /**
  * Overwatch Cedar schema
  *
@@ -47,6 +53,10 @@ export interface ServiceContext {
  * Guardrails context metadata (parsed JSON)
  */
 export declare const GUARDRAILS_CONTEXT: ServiceContext;
+/**
+ * McpGateway context metadata (parsed JSON)
+ */
+export declare const MCP_GATEWAY_CONTEXT: ServiceContext;
 /**
  * Overwatch context metadata (parsed JSON)
  */