@highflame/policy 2.1.15 → 2.1.16

package/_schemas/ai_gateway/schema.cedarschema

@@ -0,0 +1,286 @@
+// AIGateway Cedar Schema
+// ===================================
+// AI Gateway Security & Policy Enforcement
+//
+// AIGateway protects both MCP proxy operations (tool calls, server connections)
+// and LLM chat completions (prompt processing) by evaluating threats detected
+// by the Shield detection engine pipeline against Cedar policies.
+//
+// Architecture:
+//   MCP/LLM Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny
+//
+// Threat Coverage:
+//   - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)
+//   - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)
+//   - OWASP MCP Top 10 (MCP01-MCP05)
+
+namespace AIGateway {
+
+// =============================================================================
+// ENTITIES - Tenant Hierarchy (ReBAC)
+// =============================================================================
+// AIGateway does not use App/Session hierarchy.
+//
+// Entity hierarchy:
+//   Account (org root)
+//     -> Project in [Account]
+//          -> Tool/Server in [Project]
+//
+// Policy scoping examples:
+//   resource == AIGateway::Tool::"get_me"            -> specific tool
+//   resource in AIGateway::Project::"<uuid>"          -> project-wide
+//   resource in AIGateway::Account::"<uuid>"          -> org-wide
+
+/// Account represents an organization (top-level tenant)
+entity Account;
+
+/// Project represents a project within an account
+entity Project in [Account];
+
+// =============================================================================
+// ENTITIES - Principals
+// =============================================================================
+
+/// Human user authenticated via JWT or API key
+entity User;
+
+/// MCP client (default principal for unauthenticated requests)
+entity MCP_Client;
+
+// =============================================================================
+// ENTITIES - Resources (scoped under Project)
+// =============================================================================
+
+/// MCP tool -- resource for call_tool action
+entity Tool in [Project];
+
+/// MCP server -- resource for connect_server action
+entity Server in [Project];
+
+/// MCP prompt -- resource for process_prompt action
+entity LlmPrompt in [Project];
+
+/// File/resource path -- resource for read_file/write_file actions
+entity FilePath in [Project];
+
+// =============================================================================
+// ACTIONS
+// =============================================================================
+
+// Call an MCP tool
+// Threat focus: command injection, tool poisoning, rug pull, secrets, PII
+action call_tool appliesTo {
+  principal: [User, MCP_Client],
+  resource: [Tool],
+  context: {
+    // --- Content ---
+    content: String,                  // Raw content being scanned
+
+    // --- Tool & MCP ---
+    tool_name?: String,               // Tool name
+    mcp_server?: String,              // MCP server name
+    mcp_tool?: String,                // MCP tool name
+
+    // --- Threat Detection (from Shield detection pipeline) ---
+    threat_count?: Long,              // Total threats detected
+    highest_severity?: String,        // "critical", "high", "medium", "low", "none"
+    threat_categories?: Set<String>,  // Threat category names
+    detected_threats?: Set<String>,   // Detection rule names that matched
+    max_threat_severity?: Long,       // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)
+    contains_secrets?: Bool,          // Whether secrets/credentials detected
+
+    // --- Secrets (granular) ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+
+    // --- ML Detector Confidence Scores (0-100) ---
+    injection_confidence?: Long,      // Prompt injection classifier confidence
+    jailbreak_confidence?: Long,      // Jailbreak detection classifier confidence
+
+    // --- Agent Security (0-100) ---
+    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args
+    tool_poisoning_detected?: Bool,
+    rug_pull_score?: Long,            // Tool behavior drift after trust establishment
+    rug_pull_detected?: Bool,
+    indirect_injection_score?: Long,  // Indirect injection via tool output
+
+    // --- Tool Risk Assessment ---
+    tool_risk_score?: Long,           // Computed tool risk (0-100)
+    tool_category?: String,           // "safe", "sensitive", "dangerous"
+    tool_is_sensitive?: Bool,
+    tool_is_builtin?: Bool,
+
+    // --- MCP Trust ---
+    mcp_server_verified?: Bool,       // Whether server is from verified registry
+
+    // --- Content Safety Scores (0-100) ---
+    violence_score?: Long,
+    weapons_score?: Long,
+    hate_speech_score?: Long,
+    crime_score?: Long,
+    sexual_score?: Long,
+    profanity_score?: Long,
+
+    // --- Encoding & Unicode Attacks ---
+    contains_invisible_chars?: Bool,
+    invisible_chars_score?: Long,
+
+    // --- Behavioral Analysis ---
+    loop_detected?: Bool,
+    loop_count?: Long,
+    loop_tool?: String,
+    suspicious_pattern?: Bool,
+    pattern_type?: String,
+    sequence_risk?: Long,
+  },
+};
+
+// Connect to an MCP server
+// Threat focus: supply chain, tool poisoning, rug pull, config risk
+action connect_server appliesTo {
+  principal: [User, MCP_Client],
+  resource: [Server],
+  context: {
+    content?: String,                 // Server config content (if available)
+    mcp_server?: String,
+
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    max_threat_severity?: Long,
+
+    // --- Agent Security (0-100) ---
+    tool_poisoning_score?: Long,
+    tool_poisoning_detected?: Bool,
+    rug_pull_score?: Long,
+    rug_pull_detected?: Bool,
+    indirect_injection_score?: Long,
+
+    // --- Secrets ---
+    contains_secrets?: Bool,
+    secret_types?: Set<String>,
+    secret_count?: Long,
+
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+
+    // --- MCP Trust & Config Risk ---
+    mcp_server_verified?: Bool,
+    mcp_config_risk?: Bool,
+    mcp_risk_score?: Long,
+  },
+};
+
+// Process a prompt (MCP prompts/get or LLM chat completions)
+// Threat focus: injection, jailbreak, secrets, PII, content safety
+action process_prompt appliesTo {
+  principal: [User, MCP_Client],
+  resource: [LlmPrompt],
+  context: {
+    content: String,
+    mcp_server?: String,
+
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    detected_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+
+    // --- Secrets ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+
+    // --- ML Detector Confidence Scores (0-100) ---
+    injection_confidence?: Long,
+    jailbreak_confidence?: Long,
+
+    // --- Content Safety Scores (0-100) ---
+    violence_score?: Long,
+    weapons_score?: Long,
+    hate_speech_score?: Long,
+    crime_score?: Long,
+    sexual_score?: Long,
+    profanity_score?: Long,
+
+    // --- Encoding ---
+    contains_invisible_chars?: Bool,
+    invisible_chars_score?: Long,
+
+    // --- LLM-specific ---
+    model_name?: String,              // Target model name (e.g., "gpt-4", "claude-3-opus")
+    model_provider?: String,          // Provider name (e.g., "openai", "anthropic", "bedrock")
+  },
+};
+
+// Read an MCP resource (resources/read, resources/list)
+// Threat focus: secrets exposure, PII exposure, sensitive paths
+action read_file appliesTo {
+  principal: [User, MCP_Client],
+  resource: [FilePath],
+  context: {
+    content: String,
+    mcp_server?: String,
+
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    detected_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+
+    // --- Secrets ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+  },
+};
+
+// Write an MCP resource (resources/write)
+// Threat focus: secrets in output, PII in output
+action write_file appliesTo {
+  principal: [User, MCP_Client],
+  resource: [FilePath],
+  context: {
+    content: String,
+    mcp_server?: String,
+
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    detected_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+
+    // --- Secrets ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+  },
+};
+
+}

package/_schemas/ai_gateway/templates/defaults/agent_security.cedar

@@ -0,0 +1,140 @@
+// =============================================================================
+// Agent Security Policy (Default)
+// =============================================================================
+// Detects and blocks tool poisoning, rug pull attacks, indirect prompt injection,
+// and MCP supply chain threats.
+//
+// Category: agent_security
+// Namespace: AIGateway
+// =============================================================================
+
+// Block tool calls with tool poisoning risk
+@id("as-block-tool-poisoning")
+@name("Block tool poisoning")
+@description("Block tool execution when hidden instructions are detected in tool descriptions or arguments (score >= 70)")
+@severity("critical")
+@tags("tool-poisoning,agent-security,owasp-asi01")
+@reject_message("Tool execution blocked: hidden manipulation instructions detected in tool description or arguments (OWASP ASI01).")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 70
+};
+
+// Block MCP server connections with poisoning risk
+@id("as-block-server-poisoning")
+@name("Block poisoned MCP servers")
+@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60)")
+@severity("critical")
+@tags("tool-poisoning,mcp-security,owasp-asi04,owasp-mcp02")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions.")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// Block tool calls with behavioral drift (rug pull)
+@id("as-block-rug-pull")
+@name("Block rug pull attacks")
+@description("Block tool execution when behavioral drift is detected (score >= 70)")
+@severity("critical")
+@tags("rug-pull,agent-security,owasp-asi04")
+@reject_message("Tool execution blocked: tool behavior has changed significantly from its established pattern.")
+forbid (
+    principal,
+    action in [AIGateway::Action::"call_tool", AIGateway::Action::"connect_server"],
+    resource
+)
+when {
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+
+// Block with indirect injection from tool outputs
+@id("as-block-indirect-injection")
+@name("Block indirect prompt injection")
+@description("Block when indirect prompt injection is detected in tool outputs (score >= 70)")
+@severity("critical")
+@tags("indirect-injection,owasp-llm01,owasp-asi01")
+@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content.")
+forbid (
+    principal,
+    action in [AIGateway::Action::"call_tool", AIGateway::Action::"connect_server"],
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 70
+};
+
+// Strict indirect injection for sensitive tool calls
+@id("as-block-indirect-injection-sensitive-tools")
+@name("Block indirect injection on sensitive tools")
+@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive")
+@severity("critical")
+@tags("indirect-injection,sensitive-tools,owasp-asi02")
+@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 50 &&
+    context has tool_is_sensitive && context.tool_is_sensitive
+};
+
+// Block unverified MCP server tool calls with detected threats
+@id("as-block-unverified-threats")
+@name("Block unverified server threats")
+@description("Block tool calls from unverified MCP servers when any threat is detected")
+@severity("high")
+@tags("mcp-trust,owasp-asi04,supply-chain")
+@reject_message("Tool execution blocked: the MCP server is unverified and security threats were detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has mcp_server_verified && context.mcp_server_verified == false &&
+    context has threat_count && context.threat_count > 0
+};
+
+// Block connections to MCP servers with risky configurations
+@id("as-block-mcp-config-risk")
+@name("Block risky MCP server configs")
+@description("Block MCP server connections when risky configuration patterns are detected (score >= 70)")
+@severity("high")
+@tags("mcp-config,owasp-mcp03,supply-chain")
+@reject_message("MCP server connection blocked: risky server configuration detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has mcp_config_risk && context.mcp_config_risk &&
+    context has mcp_risk_score && context.mcp_risk_score >= 70
+};
+
+// Block connections to unverified MCP servers
+@id("as-block-unverified-server-connect")
+@name("Block unverified MCP server connections")
+@description("Block connections to MCP servers that are not from a verified registry")
+@severity("high")
+@tags("mcp-trust,owasp-asi04,owasp-mcp05,supply-chain")
+@reject_message("MCP server connection blocked: server is not from a verified registry.")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};

package/_schemas/ai_gateway/templates/defaults/baseline.cedar

@@ -0,0 +1,23 @@
+// =============================================================================
+// Baseline Permit Policy (Default)
+// =============================================================================
+// Permits all actions by default. Threat-specific forbid policies override
+// this to block when detection engines identify issues.
+//
+// Cedar is default-deny: without at least one permit rule, every request
+// is denied regardless of forbid rules.
+//
+// Category: organization
+// Namespace: AIGateway
+// =============================================================================
+
+@id("baseline-permit-all")
+@name("Permit all actions by default")
+@description("Baseline permit for all actions -- threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("baseline,permit-default,organization")
+permit (
+    principal,
+    action,
+    resource
+);

package/_schemas/ai_gateway/templates/defaults/semantic.cedar

@@ -0,0 +1,105 @@
+// =============================================================================
+// Semantic Threat Detection Policy (Default)
+// =============================================================================
+// Detects and blocks prompt injection, jailbreak attempts, and high-severity
+// threats in MCP tool calls and server connections.
+//
+// Category: semantic
+// Namespace: AIGateway
+// =============================================================================
+
+// Block content with prompt injection patterns detected by rules
+@id("semantic-block-injection")
+@name("Block prompt injection")
+@description("Block tool calls when detection engine rules identify prompt injection patterns in tool arguments or content")
+@severity("critical")
+@tags("injection,security,owasp-llm01,baseline")
+@reject_message("Tool call was blocked because prompt injection patterns were detected in the content (OWASP LLM01).")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("prompt_injection")
+};
+
+// Block content with high ML injection confidence
+@id("semantic-block-injection-score")
+@name("Block high-confidence injection")
+@description("Block tool calls when the ML injection classifier confidence exceeds 75/100")
+@severity("critical")
+@tags("injection,ml-classifier,security,owasp-llm01")
+@reject_message("Tool call was blocked because the ML classifier detected prompt injection with high confidence.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has injection_confidence && context.injection_confidence >= 75
+};
+
+// Block content with jailbreak patterns
+@id("semantic-block-jailbreak")
+@name("Block jailbreak attempts")
+@description("Block tool calls when jailbreak patterns are detected in content")
+@severity("critical")
+@tags("jailbreak,security,owasp-llm02,baseline")
+@reject_message("Tool call was blocked because jailbreak patterns were detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("jailbreak")
+};
+
+// Block content with high ML jailbreak confidence
+@id("semantic-block-jailbreak-score")
+@name("Block high-confidence jailbreak")
+@description("Block tool calls when the ML jailbreak classifier confidence exceeds 75/100")
+@severity("critical")
+@tags("jailbreak,ml-classifier,security,owasp-llm02")
+@reject_message("Tool call was blocked because the ML classifier detected a jailbreak attempt with high confidence.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+};
+
+// Block any content with critical severity threats
+@id("semantic-block-critical")
+@name("Block critical threats")
+@description("Block all MCP operations when any detection engine reports critical severity")
+@severity("critical")
+@tags("critical,baseline,security,catch-all")
+@reject_message("MCP operation was blocked because security scanners detected a critical-severity threat.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has highest_severity && context.highest_severity == "critical"
+};
+
+// Block tool calls with multiple concurrent threats
+@id("semantic-block-multi-threat-tools")
+@name("Block multi-threat tool calls")
+@description("Block tool execution when 3+ distinct threats are detected simultaneously")
+@severity("high")
+@tags("multi-threat,tools,security,defense-in-depth")
+@reject_message("Tool execution was blocked because multiple security threats were detected simultaneously.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has threat_count && context.threat_count >= 3
+};

package/_schemas/ai_gateway/templates/defaults/tools.cedar

@@ -0,0 +1,92 @@
+// =============================================================================
+// Tool Permissioning Policy (Default)
+// =============================================================================
+// Controls access to MCP tools based on risk scoring, threat detection,
+// and tool classification.
+//
+// Category: tools
+// Namespace: AIGateway
+// =============================================================================
+
+// Block tools with very high computed risk
+@id("tools-block-high-risk-score")
+@name("Block high-risk tool operations")
+@description("Block tool operations when the computed risk score exceeds 90/100")
+@severity("critical")
+@tags("tool-risk,security,owasp-llm06,owasp-asi02")
+@reject_message("Tool execution blocked: this operation scored 90+ on the risk assessment.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_risk_score && context.tool_risk_score >= 90
+};
+
+// Block tools classified as dangerous
+@id("tools-block-dangerous-category")
+@name("Block dangerous tool category")
+@description("Block all tools classified as dangerous by the detection engine")
+@severity("critical")
+@tags("tool-category,dangerous,security,owasp-llm06")
+@reject_message("Tool execution blocked: this tool is classified as dangerous.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_category && context.tool_category == "dangerous"
+};
+
+// Block sensitive tools when threats are detected
+@id("tools-block-sensitive-with-threats")
+@name("Block sensitive tools with threats")
+@description("Block sensitive tools when any threats are detected concurrently")
+@severity("high")
+@tags("tool-category,sensitive,security,defense-in-depth")
+@reject_message("Sensitive tool execution blocked: threats were detected alongside a sensitive tool operation.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_is_sensitive && context.tool_is_sensitive &&
+    context has threat_count && context.threat_count > 0
+};
+
+// Block tool calls with high severity threats
+@id("tools-block-high-severity-threats")
+@name("Block tool calls with high severity threats")
+@description("Prevent tool execution when high or critical severity threats are detected")
+@severity("high")
+@tags("tools,threats,severity,security")
+@reject_message("Tool execution was blocked because high or critical severity threats were detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has threat_count && context has max_threat_severity &&
+    context.threat_count > 0 && context.max_threat_severity >= 3
+};
+
+// Block detected command injection patterns
+@id("tools-block-command-injection")
+@name("Block command injection in tool calls")
+@description("Block tool calls when command injection patterns are detected in arguments")
+@severity("critical")
+@tags("command-injection,security,mitre-t1059,owasp-asi02")
+@reject_message("Tool execution blocked: command injection pattern detected in tool arguments.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has detected_threats &&
+    context.detected_threats.contains("command_injection")
+};

package/_schemas/ai_gateway/templates/llm_default_allow.cedar

@@ -0,0 +1,22 @@
+// =============================================================================
+// Default Allow LLM Proxy Calls
+// =============================================================================
+// Permits all LLM prompt processing by default. Deploy this alongside
+// threat-specific forbid policies to create a "default allow, block on threat"
+// posture for LLM chat completions.
+//
+// Category: organization
+// Namespace: AIGateway
+// =============================================================================
+
+// Allow all LLM prompt processing by default
+@id("llm-permit-all-prompts")
+@name("Allow all LLM proxy calls")
+@description("Permits all LLM chat completion requests by default -- threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("llm,permit-default,organization,proxy")
+permit (
+    principal,
+    action == AIGateway::Action::"process_prompt",
+    resource
+);