npm - @highflame/policy - Versions diffs - 2.1.24 → 2.1.25 - Mend

@highflame/policy 2.1.24 → 2.1.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/_schemas/ai_gateway/schema.cedarschema +70 -0
package/_schemas/guardrails/schema.cedarschema +75 -3
package/_schemas/mcp_gateway/schema.cedarschema +70 -0
package/dist/engine.d.ts +37 -0
package/dist/engine.js +56 -0
package/dist/service-schemas.gen.d.ts +2 -2
package/dist/service-schemas.gen.js +145 -3
package/package.json +1 -1

package/_schemas/ai_gateway/schema.cedarschema CHANGED Viewed

@@ -137,6 +137,20 @@ action call_tool appliesTo {
     suspicious_pattern?: Bool,
     pattern_type?: String,
     sequence_risk?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -176,6 +190,20 @@ action connect_server appliesTo {
     mcp_server_verified?: Bool,
     mcp_config_risk?: Bool,
     mcp_risk_score?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -224,6 +252,20 @@ action process_prompt appliesTo {
     // --- LLM-specific ---
     model_name?: String,              // Target model name (e.g., "gpt-4", "claude-3-opus")
     model_provider?: String,          // Provider name (e.g., "openai", "anthropic", "bedrock")
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -252,6 +294,20 @@ action read_file appliesTo {
     pii_detected?: Bool,
     pii_types?: Set<String>,
     pii_count?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -280,6 +336,20 @@ action write_file appliesTo {
     pii_detected?: Bool,
     pii_types?: Set<String>,
     pii_count?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };

package/_schemas/guardrails/schema.cedarschema CHANGED Viewed

@@ -206,6 +206,22 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // Emitted by usage_budget detector. Enforced across session/daily/monthly windows
+        // and user/app/project/account dimensions. Percentages are 0-100.
+        "budget_remaining_pct"?: Long,          // Min remaining % across all windows
+        "budget_exceeded"?: Bool,               // Any window limit exceeded
+        "budget_cost_micros_this_turn"?: Long,  // Cost of this request in microdollars (USD * 1e6)
+        "budget_model"?: String,                // Model name used for cost calculation
+        "budget_tokens_pct_session"?: Long,     // Session token usage % (0-100)
+        "budget_tokens_pct_daily"?: Long,       // Daily token usage % (0-100)
+        "budget_tokens_pct_monthly"?: Long,     // Monthly token usage % (0-100)
+        "budget_cost_pct_daily"?: Long,         // Daily cost usage % (0-100)
+        "budget_cost_pct_monthly"?: Long,       // Monthly cost usage % (0-100)
+        "budget_exceeded_session"?: Bool,       // Session-scoped budget exceeded
+        "budget_exceeded_daily"?: Bool,         // Any daily-scoped budget exceeded
+        "budget_exceeded_monthly"?: Bool,       // Any monthly-scoped budget exceeded
         // Agent Identity — authenticated agent principal metadata (optional)
         // Present when the request is made by an AI agent (API key or JWT with agent claims).
         // Empty strings for human user requests. Use these to write agent-specific policies.
@@ -245,9 +261,20 @@ namespace Guardrails {
         "loop_count"?: Long,
         "loop_tool"?: String,
-        // Agentic - Budget Control (optional)
-        "budget_remaining_pct"?: Long,   // 0-100
-        "budget_exceeded"?: Bool,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,          // Min remaining % across all windows
+        "budget_exceeded"?: Bool,               // Any window limit exceeded
+        "budget_cost_micros_this_turn"?: Long,  // Cost of this request in microdollars
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Semantic - Topic Classification (optional)
         "content_topics"?: Set<String>,      // ["controlled_substances", "weapons_manufacturing", ...]
@@ -375,6 +402,21 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,
+        "budget_exceeded"?: Bool,
+        "budget_cost_micros_this_turn"?: Long,
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Agent Identity — authenticated agent principal metadata (optional)
         "agent_id"?: String,
         "agent_type"?: String,
@@ -424,6 +466,21 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,
+        "budget_exceeded"?: Bool,
+        "budget_cost_micros_this_turn"?: Long,
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Agent Identity — authenticated agent principal metadata (optional)
         "agent_id"?: String,
         "agent_type"?: String,
@@ -473,6 +530,21 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,
+        "budget_exceeded"?: Bool,
+        "budget_cost_micros_this_turn"?: Long,
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Agent Identity — authenticated agent principal metadata (optional)
         "agent_id"?: String,
         "agent_type"?: String,

package/_schemas/mcp_gateway/schema.cedarschema CHANGED Viewed

@@ -137,6 +137,20 @@ action call_tool appliesTo {
     suspicious_pattern?: Bool,
     pattern_type?: String,
     sequence_risk?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -166,6 +180,20 @@ action connect_server appliesTo {
     mcp_server_verified?: Bool,
     mcp_config_risk?: Bool,
     mcp_risk_score?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -210,6 +238,20 @@ action process_prompt appliesTo {
     // --- Encoding ---
     contains_invisible_chars?: Bool,
     invisible_chars_score?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -238,6 +280,20 @@ action read_file appliesTo {
     pii_detected?: Bool,
     pii_types?: Set<String>,
     pii_count?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -266,6 +322,20 @@ action write_file appliesTo {
     pii_detected?: Bool,
     pii_types?: Set<String>,
     pii_count?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };

package/dist/engine.d.ts CHANGED Viewed

@@ -48,6 +48,19 @@ export interface DeterminingPolicy {
     /** All annotations from this policy as key-value pairs */
     annotations: Record<string, string>;
 }
+/**
+ * Pairs a Cedar policy text with a globally-unique identifier (typically the
+ * originating database row's UUID) used as the cedar PolicySet key.
+ *
+ * Use with {@link PolicyEngine.loadPoliciesWithIds} to safely load policies
+ * from multiple tenants whose @id annotations may collide.
+ */
+export interface PolicyTextWithID {
+    /** Cedar policy text (may contain @id and other annotations) */
+    text: string;
+    /** Unique identifier — must be unique across the input set */
+    id: string;
+}
 export declare class Decision {
     readonly effect: "Allow" | "Deny";
     readonly determining_policies: DeterminingPolicy[];
@@ -92,8 +105,32 @@ export declare class PolicyEngine {
      * Load multiple Cedar policy texts (concatenated with newlines).
      * Uses @id annotations as policy IDs when available.
      * Stores all annotations per policy for enriching evaluation results.
+     *
+     * @deprecated Use {@link loadPoliciesWithIds} for any code that may load
+     * policies from multiple tenants. This method's @id-as-PolicyID behavior
+     * silently overwrites the cedar PolicySet entry when later policies share
+     * an @id with earlier ones (e.g., every tenant's `baseline-permit-all`).
+     * Kept for ad-hoc and test usage where uniqueness is guaranteed by the
+     * caller.
      */
     loadPolicies(policies: string[]): void;
+    /**
+     * Load Cedar policies using caller-supplied unique IDs as the cedar
+     * PolicySet key, preventing cross-tenant @id collisions that occur when
+     * multiple tenants author policies from a shared template (e.g., each
+     * tenant's `baseline-permit-all` sharing the same @id annotation).
+     *
+     * Each input is parsed independently so the supplied id maps
+     * deterministically to its policy. If a single text contains multiple
+     * Cedar policies, each is stored under `"<id>#<index>"`. The original
+     * @id annotation remains accessible via {@link getPolicyAnnotations}.
+     *
+     * When `item.id` is empty, the method falls back to @id-annotation-based
+     * id assignment (matching {@link loadPolicies} semantics) — useful for
+     * tests and ad-hoc loaders. Production multi-tenant callers MUST supply
+     * a non-empty id per policy or they reintroduce the collision risk.
+     */
+    loadPoliciesWithIds(policies: PolicyTextWithID[]): void;
     /**
      * Load schema from a Cedar schema string.
      */

package/dist/engine.js CHANGED Viewed

@@ -226,12 +226,68 @@ export class PolicyEngine {
      * Load multiple Cedar policy texts (concatenated with newlines).
      * Uses @id annotations as policy IDs when available.
      * Stores all annotations per policy for enriching evaluation results.
+     *
+     * @deprecated Use {@link loadPoliciesWithIds} for any code that may load
+     * policies from multiple tenants. This method's @id-as-PolicyID behavior
+     * silently overwrites the cedar PolicySet entry when later policies share
+     * an @id with earlier ones (e.g., every tenant's `baseline-permit-all`).
+     * Kept for ad-hoc and test usage where uniqueness is guaranteed by the
+     * caller.
      */
     loadPolicies(policies) {
         const extracted = extractPolicies(policies.join("\n"));
         this.policySet = extracted.policySet;
         this.policyAnnotations = extracted.annotations;
     }
+    /**
+     * Load Cedar policies using caller-supplied unique IDs as the cedar
+     * PolicySet key, preventing cross-tenant @id collisions that occur when
+     * multiple tenants author policies from a shared template (e.g., each
+     * tenant's `baseline-permit-all` sharing the same @id annotation).
+     *
+     * Each input is parsed independently so the supplied id maps
+     * deterministically to its policy. If a single text contains multiple
+     * Cedar policies, each is stored under `"<id>#<index>"`. The original
+     * @id annotation remains accessible via {@link getPolicyAnnotations}.
+     *
+     * When `item.id` is empty, the method falls back to @id-annotation-based
+     * id assignment (matching {@link loadPolicies} semantics) — useful for
+     * tests and ad-hoc loaders. Production multi-tenant callers MUST supply
+     * a non-empty id per policy or they reintroduce the collision risk.
+     */
+    loadPoliciesWithIds(policies) {
+        const policyMap = {};
+        const annotationsMap = new Map();
+        let posIdx = 0;
+        for (const item of policies) {
+            const parts = cedar.policySetTextToParts(item.text);
+            if (parts.type !== "success" || parts.policies.length === 0) {
+                continue;
+            }
+            for (let subIdx = 0; subIdx < parts.policies.length; subIdx++) {
+                const policy = parts.policies[subIdx];
+                const policyAnnotations = extractAnnotationsFromText(policy);
+                let id;
+                if (item.id !== "") {
+                    id = subIdx === 0 ? item.id : `${item.id}#${subIdx}`;
+                }
+                else if (policyAnnotations["id"]) {
+                    id = policyAnnotations["id"];
+                }
+                else {
+                    id = `policy${posIdx}`;
+                }
+                if (annotationsMap.has(id)) {
+                    throw new Error(`duplicate policy ID detected: ${id}`);
+                }
+                policyMap[id] = policy;
+                annotationsMap.set(id, policyAnnotations);
+                posIdx++;
+            }
+        }
+        this.policySet = policyMap;
+        this.policyAnnotations = annotationsMap;
+    }
     /**
      * Load schema from a Cedar schema string.
      */

package/dist/service-schemas.gen.d.ts CHANGED Viewed

@@ -3,13 +3,13 @@
  *
  * Full Cedar schema for ai_gateway, embedded at codegen time.
  */
-export declare const AI_GATEWAY_SCHEMA = "// AIGateway Cedar Schema\n// ===================================\n// AI Gateway Security & Policy Enforcement\n//\n// AIGateway protects both MCP proxy operations (tool calls, server connections)\n// and LLM chat completions (prompt processing) by evaluating threats detected\n// by the Shield detection engine pipeline against Cedar policies.\n//\n// Architecture:\n//   MCP/LLM Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny\n//\n// Threat Coverage:\n//   - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)\n//   - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)\n//   - OWASP MCP Top 10 (MCP01-MCP05)\n\nnamespace AIGateway {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// AIGateway does not use App/Session hierarchy.\n//\n// Entity hierarchy:\n//   Account (org root)\n//     -> Project in [Account]\n//          -> Tool/Server in [Project]\n//\n// Policy scoping examples:\n//   resource == AIGateway::Tool::\"get_me\"            -> specific tool\n//   resource in AIGateway::Project::\"<uuid>\"          -> project-wide\n//   resource in AIGateway::Account::\"<uuid>\"          -> org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user authenticated via JWT or API key\nentity User;\n\n/// MCP client (default principal for unauthenticated requests)\nentity MCP_Client;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// MCP tool -- resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server -- resource for connect_server action\nentity Server in [Project];\n\n/// MCP prompt -- resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// File/resource path -- resource for read_file/write_file actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Call an MCP tool\n// Threat focus: command injection, tool poisoning, rug pull, secrets, PII\naction call_tool appliesTo {\n  principal: [User, MCP_Client],\n  resource: [Tool],\n  context: {\n    // --- Content ---\n    content: String,                  // Raw content being scanned\n\n    // --- Tool & MCP ---\n    tool_name?: String,               // Tool name\n    mcp_server?: String,              // MCP server name\n    mcp_tool?: String,                // MCP tool name\n\n    // --- Threat Detection (from Shield detection pipeline) ---\n    threat_count?: Long,              // Total threats detected\n    highest_severity?: String,        // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n    threat_categories?: Set<String>,  // Threat category names\n    detected_threats?: Set<String>,   // Detection rule names that matched\n    max_threat_severity?: Long,       // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n    contains_secrets?: Bool,          // Whether secrets/credentials detected\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_confidence?: Long,      // Prompt injection classifier confidence\n    jailbreak_confidence?: Long,      // Jailbreak detection classifier confidence\n\n    // --- Agent Security (0-100) ---\n    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,            // Tool behavior drift after trust establishment\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,  // Indirect injection via tool output\n\n    // --- Tool Risk Assessment ---\n    tool_risk_score?: Long,           // Computed tool risk (0-100)\n    tool_category?: String,           // \"safe\", \"sensitive\", \"dangerous\"\n    tool_is_sensitive?: Bool,\n    tool_is_builtin?: Bool,\n\n    // --- MCP Trust ---\n    mcp_server_verified?: Bool,       // Whether server is from verified registry\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- Behavioral Analysis ---\n    loop_detected?: Bool,\n    loop_count?: Long,\n    loop_tool?: String,\n    suspicious_pattern?: Bool,\n    pattern_type?: String,\n    sequence_risk?: Long,\n  },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n  principal: [User, MCP_Client],\n  resource: [Server],\n  context: {\n    content?: String,                 // Server config content (if available)\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    max_threat_severity?: Long,\n\n    // --- Agent Security (0-100) ---\n    tool_poisoning_score?: Long,\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,\n\n    // --- Secrets ---\n    contains_secrets?: Bool,\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- MCP Trust & Config Risk ---\n    mcp_server_verified?: Bool,\n    mcp_config_risk?: Bool,\n    mcp_risk_score?: Long,\n  },\n};\n\n// Process a prompt (MCP prompts/get or LLM chat completions)\n// Threat focus: injection, jailbreak, secrets, PII, content safety\naction process_prompt appliesTo {\n  principal: [User, MCP_Client],\n  resource: [LlmPrompt],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_confidence?: Long,\n    jailbreak_confidence?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- Encoding ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- LLM-specific ---\n    model_name?: String,              // Target model name (e.g., \"gpt-4\", \"claude-3-opus\")\n    model_provider?: String,          // Provider name (e.g., \"openai\", \"anthropic\", \"bedrock\")\n  },\n};\n\n// Read an MCP resource (resources/read, resources/list)\n// Threat focus: secrets exposure, PII exposure, sensitive paths\naction read_file appliesTo {\n  principal: [User, MCP_Client],\n  resource: [FilePath],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n  },\n};\n\n// Write an MCP resource (resources/write)\n// Threat focus: secrets in output, PII in output\naction write_file appliesTo {\n  principal: [User, MCP_Client],\n  resource: [FilePath],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n  },\n};\n\n}\n";
+export declare const AI_GATEWAY_SCHEMA = "// AIGateway Cedar Schema\n// ===================================\n// AI Gateway Security & Policy Enforcement\n//\n// AIGateway protects both MCP proxy operations (tool calls, server connections)\n// and LLM chat completions (prompt processing) by evaluating threats detected\n// by the Shield detection engine pipeline against Cedar policies.\n//\n// Architecture:\n//   MCP/LLM Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny\n//\n// Threat Coverage:\n//   - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)\n//   - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)\n//   - OWASP MCP Top 10 (MCP01-MCP05)\n\nnamespace AIGateway {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// AIGateway does not use App/Session hierarchy.\n//\n// Entity hierarchy:\n//   Account (org root)\n//     -> Project in [Account]\n//          -> Tool/Server in [Project]\n//\n// Policy scoping examples:\n//   resource == AIGateway::Tool::\"get_me\"            -> specific tool\n//   resource in AIGateway::Project::\"<uuid>\"          -> project-wide\n//   resource in AIGateway::Account::\"<uuid>\"          -> org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user authenticated via JWT or API key\nentity User;\n\n/// MCP client (default principal for unauthenticated requests)\nentity MCP_Client;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// MCP tool -- resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server -- resource for connect_server action\nentity Server in [Project];\n\n/// MCP prompt -- resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// File/resource path -- resource for read_file/write_file actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Call an MCP tool\n// Threat focus: command injection, tool poisoning, rug pull, secrets, PII\naction call_tool appliesTo {\n  principal: [User, MCP_Client],\n  resource: [Tool],\n  context: {\n    // --- Content ---\n    content: String,                  // Raw content being scanned\n\n    // --- Tool & MCP ---\n    tool_name?: String,               // Tool name\n    mcp_server?: String,              // MCP server name\n    mcp_tool?: String,                // MCP tool name\n\n    // --- Threat Detection (from Shield detection pipeline) ---\n    threat_count?: Long,              // Total threats detected\n    highest_severity?: String,        // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n    threat_categories?: Set<String>,  // Threat category names\n    detected_threats?: Set<String>,   // Detection rule names that matched\n    max_threat_severity?: Long,       // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n    contains_secrets?: Bool,          // Whether secrets/credentials detected\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_confidence?: Long,      // Prompt injection classifier confidence\n    jailbreak_confidence?: Long,      // Jailbreak detection classifier confidence\n\n    // --- Agent Security (0-100) ---\n    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,            // Tool behavior drift after trust establishment\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,  // Indirect injection via tool output\n\n    // --- Tool Risk Assessment ---\n    tool_risk_score?: Long,           // Computed tool risk (0-100)\n    tool_category?: String,           // \"safe\", \"sensitive\", \"dangerous\"\n    tool_is_sensitive?: Bool,\n    tool_is_builtin?: Bool,\n\n    // --- MCP Trust ---\n    mcp_server_verified?: Bool,       // Whether server is from verified registry\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- Behavioral Analysis ---\n    loop_detected?: Bool,\n    loop_count?: Long,\n    loop_tool?: String,\n    suspicious_pattern?: Bool,\n    pattern_type?: String,\n    sequence_risk?: Long,\n\n    // --- Usage Budget (multi-window, multi-dimension) ---\n    budget_remaining_pct?: Long,\n    budget_exceeded?: Bool,\n    budget_cost_micros_this_turn?: Long,\n    budget_model?: String,\n    budget_tokens_pct_session?: Long,\n    budget_tokens_pct_daily?: Long,\n    budget_tokens_pct_monthly?: Long,\n    budget_cost_pct_daily?: Long,\n    budget_cost_pct_monthly?: Long,\n    budget_exceeded_session?: Bool,\n    budget_exceeded_daily?: Bool,\n    budget_exceeded_monthly?: Bool,\n  },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n  principal: [User, MCP_Client],\n  resource: [Server],\n  context: {\n    content?: String,                 // Server config content (if available)\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    max_threat_severity?: Long,\n\n    // --- Agent Security (0-100) ---\n    tool_poisoning_score?: Long,\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,\n\n    // --- Secrets ---\n    contains_secrets?: Bool,\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- MCP Trust & Config Risk ---\n    mcp_server_verified?: Bool,\n    mcp_config_risk?: Bool,\n    mcp_risk_score?: Long,\n\n    // --- Usage Budget (multi-window, multi-dimension) ---\n    budget_remaining_pct?: Long,\n    budget_exceeded?: Bool,\n    budget_cost_micros_this_turn?: Long,\n    budget_model?: String,\n    budget_tokens_pct_session?: Long,\n    budget_tokens_pct_daily?: Long,\n    budget_tokens_pct_monthly?: Long,\n    budget_cost_pct_daily?: Long,\n    budget_cost_pct_monthly?: Long,\n    budget_exceeded_session?: Bool,\n    budget_exceeded_daily?: Bool,\n    budget_exceeded_monthly?: Bool,\n  },\n};\n\n// Process a prompt (MCP prompts/get or LLM chat completions)\n// Threat focus: injection, jailbreak, secrets, PII, content safety\naction process_prompt appliesTo {\n  principal: [User, MCP_Client],\n  resource: [LlmPrompt],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_confidence?: Long,\n    jailbreak_confidence?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- Encoding ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- LLM-specific ---\n    model_name?: String,              // Target model name (e.g., \"gpt-4\", \"claude-3-opus\")\n    model_provider?: String,          // Provider name (e.g., \"openai\", \"anthropic\", \"bedrock\")\n\n    // --- Usage Budget (multi-window, multi-dimension) ---\n    budget_remaining_pct?: Long,\n    budget_exceeded?: Bool,\n    budget_cost_micros_this_turn?: Long,\n    budget_model?: String,\n    budget_tokens_pct_session?: Long,\n    budget_tokens_pct_daily?: Long,\n    budget_tokens_pct_monthly?: Long,\n    budget_cost_pct_daily?: Long,\n    budget_cost_pct_monthly?: Long,\n    budget_exceeded_session?: Bool,\n    budget_exceeded_daily?: Bool,\n    budget_exceeded_monthly?: Bool,\n  },\n};\n\n// Read an MCP resource (resources/read, resources/list)\n// Threat focus: secrets exposure, PII exposure, sensitive paths\naction read_file appliesTo {\n  principal: [User, MCP_Client],\n  resource: [FilePath],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Usage Budget (multi-window, multi-dimension) ---\n    budget_remaining_pct?: Long,\n    budget_exceeded?: Bool,\n    budget_cost_micros_this_turn?: Long,\n    budget_model?: String,\n    budget_tokens_pct_session?: Long,\n    budget_tokens_pct_daily?: Long,\n    budget_tokens_pct_monthly?: Long,\n    budget_cost_pct_daily?: Long,\n    budget_cost_pct_monthly?: Long,\n    budget_exceeded_session?: Bool,\n    budget_exceeded_daily?: Bool,\n    budget_exceeded_monthly?: Bool,\n  },\n};\n\n// Write an MCP resource (resources/write)\n// Threat focus: secrets in output, PII in output\naction write_file appliesTo {\n  principal: [User, MCP_Client],\n  resource: [FilePath],\n  context: {\n    content: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Usage Budget (multi-window, multi-dimension) ---\n    budget_remaining_pct?: Long,\n    budget_exceeded?: Bool,\n    budget_cost_micros_this_turn?: Long,\n    budget_model?: String,\n    budget_tokens_pct_session?: Long,\n    budget_tokens_pct_daily?: Long,\n    budget_tokens_pct_monthly?: Long,\n    budget_cost_pct_daily?: Long,\n    budget_cost_pct_monthly?: Long,\n    budget_exceeded_session?: Bool,\n    budget_exceeded_daily?: Bool,\n    budget_exceeded_monthly?: Bool,\n  },\n};\n\n}\n";
 /**
  * Guardrails Cedar schema
  *
  * Full Cedar schema for guardrails, embedded at codegen time.
  */
-export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u251C\u2500\u2500 App in [Project]\n    //           \u2502     \u2514\u2500\u2500 Session in [App, Agent]\n    //           \u2514\u2500\u2500 Agent in [Project]\n    //                 \u2514\u2500\u2500 Session in [App, Agent]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped (app only)\n    //   resource == Guardrails::Agent::\"<agent_id>\"        \u2192 agent-only (exact match)\n    //   resource in Guardrails::Agent::\"<agent_id>\"        \u2192 agent + its sessions\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide (apps + agents)\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.\n    /// Used as both principal (who is acting) and resource (policy scoping target).\n    /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n    /// Agent only:       resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n    entity Agent in [Project];\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking.\n    /// Sessions can belong to either an App or an Agent.\n    entity Session in [App, Agent];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Agent, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_confidence\"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)\n        \"jailbreak_confidence\"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"jailbreak_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n        \"pii_confidence\"?: Long,         // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n        // Threat Severity Aggregation (optional)\n        \"highest_severity\"?: String,     // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"contains_invisible_chars\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        // Present when the request is made by an AI agent (API key or JWT with agent claims).\n        // Empty strings for human user requests. Use these to write agent-specific policies.\n        \"agent_id\"?: String,             // Unique agent identifier (e.g., \"agent_research_v3\")\n        \"agent_type\"?: String,           // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n        \"agent_trust_level\"?: String,    // \"first_party\" | \"verified_third_party\" | \"unverified\"\n        \"agent_framework\"?: String,      // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n        \"agent_publisher\"?: String,      // Organization that published the agent\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Agentic - Budget Control (optional)\n        \"budget_remaining_pct\"?: Long,   // 0-100\n        \"budget_exceeded\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"pii_count\"?: Long,              // Number of PII pattern matches in tool content\n        \"pii_confidence\"?: Long,         // PII ML classifier confidence (0-100)\n        \"injection_confidence\"?: Long,\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // File & Path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path when tool operates on files\n\n        // Security - Invisible Character Detection in tool args (optional)\n        \"contains_invisible_chars\"?: Bool,       // Whether invisible Unicode chars detected in tool args\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n        \"indirect_injection_score\"?: Long,       // Indirect injection risk score (0-100)\n        \"indirect_injection_type\"?: String,      // Type of indirect injection detected\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                 // File path being read\n\n        // Security checks on file content (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path being written\n\n        // Security - Invisible Character Detection in write content (optional)\n        \"contains_invisible_chars\"?: Bool,       // Whether invisible Unicode chars detected in write content\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security checks on content being written (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n}\n";
+export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u251C\u2500\u2500 App in [Project]\n    //           \u2502     \u2514\u2500\u2500 Session in [App, Agent]\n    //           \u2514\u2500\u2500 Agent in [Project]\n    //                 \u2514\u2500\u2500 Session in [App, Agent]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped (app only)\n    //   resource == Guardrails::Agent::\"<agent_id>\"        \u2192 agent-only (exact match)\n    //   resource in Guardrails::Agent::\"<agent_id>\"        \u2192 agent + its sessions\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide (apps + agents)\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.\n    /// Used as both principal (who is acting) and resource (policy scoping target).\n    /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n    /// Agent only:       resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n    entity Agent in [Project];\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking.\n    /// Sessions can belong to either an App or an Agent.\n    entity Session in [App, Agent];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Agent, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_confidence\"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)\n        \"jailbreak_confidence\"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"jailbreak_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n        \"pii_confidence\"?: Long,         // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n        // Threat Severity Aggregation (optional)\n        \"highest_severity\"?: String,     // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"contains_invisible_chars\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n        // and user/app/project/account dimensions. Percentages are 0-100.\n        \"budget_remaining_pct\"?: Long,          // Min remaining % across all windows\n        \"budget_exceeded\"?: Bool,               // Any window limit exceeded\n        \"budget_cost_micros_this_turn\"?: Long,  // Cost of this request in microdollars (USD * 1e6)\n        \"budget_model\"?: String,                // Model name used for cost calculation\n        \"budget_tokens_pct_session\"?: Long,     // Session token usage % (0-100)\n        \"budget_tokens_pct_daily\"?: Long,       // Daily token usage % (0-100)\n        \"budget_tokens_pct_monthly\"?: Long,     // Monthly token usage % (0-100)\n        \"budget_cost_pct_daily\"?: Long,         // Daily cost usage % (0-100)\n        \"budget_cost_pct_monthly\"?: Long,       // Monthly cost usage % (0-100)\n        \"budget_exceeded_session\"?: Bool,       // Session-scoped budget exceeded\n        \"budget_exceeded_daily\"?: Bool,         // Any daily-scoped budget exceeded\n        \"budget_exceeded_monthly\"?: Bool,       // Any monthly-scoped budget exceeded\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        // Present when the request is made by an AI agent (API key or JWT with agent claims).\n        // Empty strings for human user requests. Use these to write agent-specific policies.\n        \"agent_id\"?: String,             // Unique agent identifier (e.g., \"agent_research_v3\")\n        \"agent_type\"?: String,           // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n        \"agent_trust_level\"?: String,    // \"first_party\" | \"verified_third_party\" | \"unverified\"\n        \"agent_framework\"?: String,      // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n        \"agent_publisher\"?: String,      // Organization that published the agent\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,          // Min remaining % across all windows\n        \"budget_exceeded\"?: Bool,               // Any window limit exceeded\n        \"budget_cost_micros_this_turn\"?: Long,  // Cost of this request in microdollars\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"pii_count\"?: Long,              // Number of PII pattern matches in tool content\n        \"pii_confidence\"?: Long,         // PII ML classifier confidence (0-100)\n        \"injection_confidence\"?: Long,\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // File & Path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path when tool operates on files\n\n        // Security - Invisible Character Detection in tool args (optional)\n        \"contains_invisible_chars\"?: Bool,       // Whether invisible Unicode chars detected in tool args\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n        \"indirect_injection_score\"?: Long,       // Indirect injection risk score (0-100)\n        \"indirect_injection_type\"?: String,      // Type of indirect injection detected\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                 // File path being read\n\n        // Security checks on file content (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path being written\n\n        // Security - Invisible Character Detection in write content (optional)\n        \"contains_invisible_chars\"?: Bool,       // Whether invisible Unicode chars detected in write content\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security checks on content being written (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n}\n";
 /**
  * Overwatch Cedar schema
  *

package/dist/service-schemas.gen.js CHANGED Viewed

@@ -154,6 +154,20 @@ action call_tool appliesTo {
     suspicious_pattern?: Bool,
     pattern_type?: String,
     sequence_risk?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -193,6 +207,20 @@ action connect_server appliesTo {
     mcp_server_verified?: Bool,
     mcp_config_risk?: Bool,
     mcp_risk_score?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -241,6 +269,20 @@ action process_prompt appliesTo {
     // --- LLM-specific ---
     model_name?: String,              // Target model name (e.g., "gpt-4", "claude-3-opus")
     model_provider?: String,          // Provider name (e.g., "openai", "anthropic", "bedrock")
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -269,6 +311,20 @@ action read_file appliesTo {
     pii_detected?: Bool,
     pii_types?: Set<String>,
     pii_count?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -297,6 +353,20 @@ action write_file appliesTo {
     pii_detected?: Bool,
     pii_types?: Set<String>,
     pii_count?: Long,
+    // --- Usage Budget (multi-window, multi-dimension) ---
+    budget_remaining_pct?: Long,
+    budget_exceeded?: Bool,
+    budget_cost_micros_this_turn?: Long,
+    budget_model?: String,
+    budget_tokens_pct_session?: Long,
+    budget_tokens_pct_daily?: Long,
+    budget_tokens_pct_monthly?: Long,
+    budget_cost_pct_daily?: Long,
+    budget_cost_pct_monthly?: Long,
+    budget_exceeded_session?: Bool,
+    budget_exceeded_daily?: Bool,
+    budget_exceeded_monthly?: Bool,
   },
 };
@@ -515,6 +585,22 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // Emitted by usage_budget detector. Enforced across session/daily/monthly windows
+        // and user/app/project/account dimensions. Percentages are 0-100.
+        "budget_remaining_pct"?: Long,          // Min remaining % across all windows
+        "budget_exceeded"?: Bool,               // Any window limit exceeded
+        "budget_cost_micros_this_turn"?: Long,  // Cost of this request in microdollars (USD * 1e6)
+        "budget_model"?: String,                // Model name used for cost calculation
+        "budget_tokens_pct_session"?: Long,     // Session token usage % (0-100)
+        "budget_tokens_pct_daily"?: Long,       // Daily token usage % (0-100)
+        "budget_tokens_pct_monthly"?: Long,     // Monthly token usage % (0-100)
+        "budget_cost_pct_daily"?: Long,         // Daily cost usage % (0-100)
+        "budget_cost_pct_monthly"?: Long,       // Monthly cost usage % (0-100)
+        "budget_exceeded_session"?: Bool,       // Session-scoped budget exceeded
+        "budget_exceeded_daily"?: Bool,         // Any daily-scoped budget exceeded
+        "budget_exceeded_monthly"?: Bool,       // Any monthly-scoped budget exceeded
         // Agent Identity — authenticated agent principal metadata (optional)
         // Present when the request is made by an AI agent (API key or JWT with agent claims).
         // Empty strings for human user requests. Use these to write agent-specific policies.
@@ -554,9 +640,20 @@ namespace Guardrails {
         "loop_count"?: Long,
         "loop_tool"?: String,
-        // Agentic - Budget Control (optional)
-        "budget_remaining_pct"?: Long,   // 0-100
-        "budget_exceeded"?: Bool,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,          // Min remaining % across all windows
+        "budget_exceeded"?: Bool,               // Any window limit exceeded
+        "budget_cost_micros_this_turn"?: Long,  // Cost of this request in microdollars
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Semantic - Topic Classification (optional)
         "content_topics"?: Set<String>,      // ["controlled_substances", "weapons_manufacturing", ...]
@@ -684,6 +781,21 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,
+        "budget_exceeded"?: Bool,
+        "budget_cost_micros_this_turn"?: Long,
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Agent Identity — authenticated agent principal metadata (optional)
         "agent_id"?: String,
         "agent_type"?: String,
@@ -733,6 +845,21 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,
+        "budget_exceeded"?: Bool,
+        "budget_cost_micros_this_turn"?: Long,
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Agent Identity — authenticated agent principal metadata (optional)
         "agent_id"?: String,
         "agent_type"?: String,
@@ -782,6 +909,21 @@ namespace Guardrails {
         "session_max_secret_score"?: Long,
         "session_cumulative_risk_score"?: Long,
+        // Usage Budget — multi-window token & cost enforcement (optional)
+        // See ProcessPromptContext for full documentation.
+        "budget_remaining_pct"?: Long,
+        "budget_exceeded"?: Bool,
+        "budget_cost_micros_this_turn"?: Long,
+        "budget_model"?: String,
+        "budget_tokens_pct_session"?: Long,
+        "budget_tokens_pct_daily"?: Long,
+        "budget_tokens_pct_monthly"?: Long,
+        "budget_cost_pct_daily"?: Long,
+        "budget_cost_pct_monthly"?: Long,
+        "budget_exceeded_session"?: Bool,
+        "budget_exceeded_daily"?: Bool,
+        "budget_exceeded_monthly"?: Bool,
         // Agent Identity — authenticated agent principal metadata (optional)
         "agent_id"?: String,
         "agent_type"?: String,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.1.24",
+  "version": "2.1.25",
   "engines": {
     "node": ">=18"
   },