@highflame/policy 2.1.3 → 2.1.5

package/dist/sentry-entities.gen.d.ts

@@ -0,0 +1,11 @@
+import type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
+/**
+ * Sentry entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export declare const SENTRY_ENTITIES: ServiceEntityMetadata;
+/**
+ * Per-action entity mapping for Sentry.
+ * Maps action names to their valid principals and resources.
+ */
+export declare const SENTRY_ACTION_ENTITIES: Record<string, ActionEntityMetadata>;

package/dist/sentry-entities.gen.js

@@ -0,0 +1,33 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/sentry/schema.cedarschema
+/**
+ * Sentry entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export const SENTRY_ENTITIES = {
+    principals: ['User'],
+    resources: ['ChatSession', 'Document'],
+    actions: ['paste_content', 'receive_response', 'send_message', 'upload_file'],
+};
+/**
+ * Per-action entity mapping for Sentry.
+ * Maps action names to their valid principals and resources.
+ */
+export const SENTRY_ACTION_ENTITIES = {
+    'paste_content': {
+        principals: ['User'],
+        resources: ['ChatSession'],
+    },
+    'receive_response': {
+        principals: ['User'],
+        resources: ['ChatSession'],
+    },
+    'send_message': {
+        principals: ['User'],
+        resources: ['ChatSession'],
+    },
+    'upload_file': {
+        principals: ['User'],
+        resources: ['Document', 'ChatSession'],
+    },
+};

package/dist/service-schemas.gen.d.ts

@@ -3,19 +3,25 @@
  *
  * Full Cedar schema for guardrails, embedded at codegen time.
  */
-export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u2514\u2500\u2500 App in [Project]\n    //                 \u2514\u2500\u2500 Session in [App]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n    entity Agent;\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking\n    entity Session in [App];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_score\"?: Long,        // 0-100\n        \"jailbreak_score\"?: Long,        // 0-100\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"contains_invisible_chars\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Agentic - Budget Control (optional)\n        \"budget_remaining_pct\"?: Long,   // 0-100\n        \"budget_exceeded\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"injection_score\"?: Long,\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Security checks on file content (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Security checks on content being written (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n\n    };\n}\n";
+export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u2514\u2500\u2500 App in [Project]\n    //                 \u2514\u2500\u2500 Session in [App]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n    entity Agent;\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking\n    entity Session in [App];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_confidence\"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)\n        \"jailbreak_confidence\"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"jailbreak_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"contains_invisible_chars\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Agentic - Budget Control (optional)\n        \"budget_remaining_pct\"?: Long,   // 0-100\n        \"budget_exceeded\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"injection_confidence\"?: Long,\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Security checks on file content (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Security checks on content being written (optional)\n        \"contains_secrets\"?: Bool,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n    };\n}\n";
 /**
  * Overwatch Cedar schema
  *
  * Full Cedar schema for overwatch, embedded at codegen time.
  */
-export declare const OVERWATCH_SCHEMA = "// Overwatch Cedar Schema\n// ===================================\n// IDE Agent Security & Policy Enforcement\n//\n// Overwatch protects IDE agent operations (prompts, tool calls, file access, MCP connections)\n// by evaluating threats detected by the detection engine pipeline against Cedar policies.\n//\n// Architecture:\n//   User/Agent \u2192 IDE Hook \u2192 Detection Engine \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n//   - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n//   - Claude Code (UserPromptSubmit, PreToolUse)\n//   - GitHub Copilot (userPromptSubmitted, preToolUse)\n//\n// Threat Coverage:\n//   - OWASP Top 10 for LLM Applications 2025 (LLM01-LLM10)\n//   - OWASP Top 10 for Agentic Applications (ASI01-ASI10)\n//   - OWASP MCP Top 10 (MCP01-MCP05)\n//   - MITRE ATLAS Agent Techniques (AML.T0051, AML.T0080-T0082)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails entity hierarchy (Account \u2192 Project).\n// Overwatch does not have app-specific policies, so App is omitted.\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n//   Account (org root)\n//     \u2514\u2500\u2500 Project in [Account]\n//           \u2514\u2500\u2500 Tool/Server/FilePath/LlmPrompt in [Project]\n//\n// Policy scoping examples:\n//   resource == Overwatch::Tool::\"shell\"               \u2192 specific tool\n//   resource in Overwatch::Project::\"<uuid>\"            \u2192 project-wide\n//   resource in Overwatch::Account::\"<uuid>\"            \u2192 org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user or service account making requests to the IDE\nentity User;\n\n/// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// LLM prompt or session \u2014 resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// MCP tool or native IDE tool \u2014 resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server \u2014 resource for connect_server action\nentity Server in [Project];\n\n/// File system path \u2014 resource for read_file/write_file/call_tool actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\n// Threat focus: injection, jailbreak, secrets, PII, content safety, invisible chars\naction process_prompt appliesTo {\n  principal: [User, Agent],\n  resource: [LlmPrompt],\n  context: {\n    // --- Event & Source ---\n    content: String,                  // Raw content being scanned\n    source: String,                   // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n    event: String,                    // Hook event name\n    user_email: String,               // User identifier\n\n    // --- Workspace ---\n    cwd?: String,                     // Current working directory\n    workspace_root?: String,          // Workspace/repository root\n\n    // --- Threat Detection (from detection engine pipeline) ---\n    threat_count: Long,               // Total threats detected\n    highest_severity: String,         // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n    threat_categories: Set<String>,   // Threat category names\n    detected_threats: Set<String>,    // Detection rule names that matched\n    max_threat_severity: Long,        // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n    contains_secrets: Bool,           // Whether secrets/credentials detected\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,       // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n    secret_count?: Long,              // Number of distinct secrets found\n\n    // --- PII Detection ---\n    pii_detected?: Bool,              // Whether any PII patterns matched\n    pii_types?: Set<String>,          // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n    pii_count?: Long,                 // Number of PII matches\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,  // Zero-width chars, bidi overrides, tag chars detected\n    invisible_chars_score?: Long,     // Unicode attack severity (0-100)\n\n    // --- Content Safety Scores (0-100, from ML classifiers) ---\n    violence_score: Long,\n    weapons_score: Long,\n    hate_speech_score: Long,\n    crime_score: Long,\n    sexual_score: Long,\n    profanity_score: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    pii_confidence: Long,             // PII detection classifier confidence\n    injection_confidence: Long,       // Prompt injection classifier confidence\n    jailbreak_confidence: Long,       // Jailbreak detection classifier confidence\n\n    // --- Agent Security (0-100) ---\n    indirect_injection_score: Long,   // Indirect prompt injection risk (OWASP LLM01, ASI01)\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n\n    // --- Legacy ---\n    prompt_text?: String,             // Same as content (backward compatibility)\n    response_content?: String,        // Response content (if available)\n  },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\n// Threat focus: command injection, tool poisoning, rug pull, data exfiltration, loops\naction call_tool appliesTo {\n  principal: [User, Agent],\n  resource: [Tool, FilePath],\n  context: {\n    // --- Event & Source ---\n    content: String,                  // Raw content being scanned (e.g., shell command, tool args)\n    source: String,                   // IDE source\n    event: String,                    // Hook event name\n    user_email: String,               // User identifier\n\n    // --- Tool & MCP ---\n    tool_name?: String,               // Normalized tool name (\"shell\", \"read_file\", etc.)\n    mcp_server?: String,              // MCP server name\n    mcp_tool?: String,                // MCP tool name\n\n    // --- File & Path ---\n    path?: String,                    // File path (if file operation)\n\n    // --- Workspace ---\n    cwd?: String,\n    workspace_root?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    pii_confidence?: Long,\n    injection_confidence?: Long,\n    jailbreak_confidence?: Long,\n\n    // --- Agent Security (0-100) --- (OWASP ASI01, ASI02, ASI04; MITRE AML.T0051)\n    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args\n    tool_poisoning_detected?: Bool,   // Boolean flag for tool poisoning\n    rug_pull_score?: Long,            // Tool behavior drift after trust establishment\n    rug_pull_detected?: Bool,         // Boolean flag for rug pull\n    indirect_injection_score?: Long,  // Indirect injection via tool output\n\n    // --- Tool Risk Assessment ---\n    tool_risk_score?: Long,           // Computed tool risk (0-100)\n    tool_category?: String,           // \"safe\", \"sensitive\", \"dangerous\"\n    tool_is_sensitive?: Bool,         // Sensitivity classification\n    tool_is_builtin?: Bool,           // Built-in IDE tool vs MCP tool\n\n    // --- Behavioral Analysis --- (OWASP LLM10, ASI02, ASI08)\n    loop_detected?: Bool,             // Consecutive same-tool call loop\n    loop_count?: Long,                // Number of consecutive repeat calls\n    loop_tool?: String,               // Tool name in loop\n    suspicious_pattern?: Bool,        // Data exfiltration or attack sequence detected\n    pattern_type?: String,            // \"data_exfiltration\", \"secret_exfiltration\", \"credential_theft\", \"destructive_sequence\"\n    sequence_risk?: Long,             // Sequence risk score (0-100)\n\n    // --- MCP Trust ---\n    mcp_server_verified?: Bool,       // Whether server is from verified registry\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n\n    // --- Legacy ---\n    response_content?: String,\n  },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n  principal: [User, Agent],\n  resource: [Server],\n  context: {\n    content?: String,                 // Server config content (if available)\n    source: String,\n    event: String,\n    user_email: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    max_threat_severity?: Long,\n\n    // --- Agent Security (0-100) --- (OWASP ASI04, MCP01-MCP05)\n    tool_poisoning_score?: Long,      // Poisoned tool descriptions in server\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,            // Server behavior change after approval\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,  // Injection payloads in server responses\n\n    // --- MCP Trust & Config Risk ---\n    mcp_server_verified?: Bool,       // Verified registry status\n    mcp_config_risk?: Bool,           // Risky server config detected (inline code exec, etc.)\n    mcp_risk_score?: Long,            // Config risk severity (0-100)\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n// Read a file from disk\n// Threat focus: secrets exposure, PII exposure, path traversal, sensitive paths\naction read_file appliesTo {\n  principal: [User, Agent],\n  resource: [FilePath],\n  context: {\n    content: String,\n    source: String,\n    event: String,\n    user_email: String,\n    path?: String,\n    cwd?: String,\n    workspace_root?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n// Write a file to disk\n// Threat focus: secrets in output, PII in output, sensitive paths, malicious code\naction write_file appliesTo {\n  principal: [User, Agent],\n  resource: [FilePath],\n  context: {\n    content: String,\n    source: String,\n    event: String,\n    user_email: String,\n    path?: String,\n    cwd?: String,\n    workspace_root?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n}\n";
+export declare const OVERWATCH_SCHEMA = "// Overwatch Cedar Schema\n// ===================================\n// IDE Agent Security & Policy Enforcement\n//\n// Overwatch protects IDE agent operations (prompts, tool calls, file access, MCP connections)\n// by evaluating threats detected by the detection engine pipeline against Cedar policies.\n//\n// Architecture:\n//   User/Agent \u2192 IDE Hook \u2192 Detection Engine \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n//   - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n//   - Claude Code (UserPromptSubmit, PreToolUse)\n//   - GitHub Copilot (userPromptSubmitted, preToolUse)\n//\n// Threat Coverage:\n//   - OWASP Top 10 for LLM Applications 2025 (LLM01-LLM10)\n//   - OWASP Top 10 for Agentic Applications (ASI01-ASI10)\n//   - OWASP MCP Top 10 (MCP01-MCP05)\n//   - MITRE ATLAS Agent Techniques (AML.T0051, AML.T0080-T0082)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails entity hierarchy (Account \u2192 Project).\n// Overwatch does not have app-specific policies, so App is omitted.\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n//   Account (org root)\n//     \u2514\u2500\u2500 Project in [Account]\n//           \u2514\u2500\u2500 Tool/Server/FilePath/LlmPrompt in [Project]\n//\n// Policy scoping examples:\n//   resource == Overwatch::Tool::\"shell\"               \u2192 specific tool\n//   resource in Overwatch::Project::\"<uuid>\"            \u2192 project-wide\n//   resource in Overwatch::Account::\"<uuid>\"            \u2192 org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user or service account making requests to the IDE\nentity User;\n\n/// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// LLM prompt or session \u2014 resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// MCP tool or native IDE tool \u2014 resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server \u2014 resource for connect_server action\nentity Server in [Project];\n\n/// File system path \u2014 resource for read_file/write_file/call_tool actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\n// Threat focus: injection, jailbreak, secrets, PII, content safety, invisible chars\naction process_prompt appliesTo {\n  principal: [User, Agent],\n  resource: [LlmPrompt],\n  context: {\n    // --- Event & Source ---\n    content: String,                  // Raw content being scanned\n    source: String,                   // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n    event: String,                    // Hook event name\n    user_email: String,               // User identifier\n\n    // --- Workspace ---\n    cwd?: String,                     // Current working directory\n    workspace_root?: String,          // Workspace/repository root\n\n    // --- Threat Detection (from detection engine pipeline) ---\n    threat_count: Long,               // Total threats detected\n    highest_severity: String,         // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n    threat_categories: Set<String>,   // Threat category names\n    detected_threats: Set<String>,    // Detection rule names that matched\n    max_threat_severity: Long,        // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n    contains_secrets: Bool,           // Whether secrets/credentials detected\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,       // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n    secret_count?: Long,              // Number of distinct secrets found\n\n    // --- PII Detection ---\n    pii_detected?: Bool,              // Whether any PII patterns matched\n    pii_types?: Set<String>,          // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n    pii_count?: Long,                 // Number of PII matches\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,  // Zero-width chars, bidi overrides, tag chars detected\n    invisible_chars_score?: Long,     // Unicode attack severity (0-100)\n\n    // --- Content Safety Scores (0-100, from ML classifiers) ---\n    violence_score: Long,\n    weapons_score: Long,\n    hate_speech_score: Long,\n    crime_score: Long,\n    sexual_score: Long,\n    profanity_score: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    pii_confidence: Long,             // PII detection classifier confidence\n    injection_confidence: Long,       // Combined injection confidence: MAX(pulse, deep_context)\n    jailbreak_confidence: Long,       // Combined jailbreak confidence: MAX(pulse, deep_context)\n    injection_pulse_score?: Long,     // 0-100 Pulse single-turn classifier\n    injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n    jailbreak_pulse_score?: Long,     // 0-100 Pulse single-turn classifier\n    jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n\n    // --- Agent Security (0-100) ---\n    indirect_injection_score: Long,   // Indirect prompt injection risk (OWASP LLM01, ASI01)\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n    session_max_injection_score?: Long,\n    session_max_jailbreak_score?: Long,\n    session_max_command_injection_score?: Long,\n    session_max_pii_score?: Long,\n    session_max_secret_score?: Long,\n    session_cumulative_risk_score?: Long,\n\n    // --- Legacy ---\n    prompt_text?: String,             // Same as content (backward compatibility)\n    response_content?: String,        // Response content (if available)\n  },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\n// Threat focus: command injection, tool poisoning, rug pull, data exfiltration, loops\naction call_tool appliesTo {\n  principal: [User, Agent],\n  resource: [Tool, FilePath],\n  context: {\n    // --- Event & Source ---\n    content: String,                  // Raw content being scanned (e.g., shell command, tool args)\n    source: String,                   // IDE source\n    event: String,                    // Hook event name\n    user_email: String,               // User identifier\n\n    // --- Tool & MCP ---\n    tool_name?: String,               // Normalized tool name (\"shell\", \"read_file\", etc.)\n    mcp_server?: String,              // MCP server name\n    mcp_tool?: String,                // MCP tool name\n\n    // --- File & Path ---\n    path?: String,                    // File path (if file operation)\n\n    // --- Workspace ---\n    cwd?: String,\n    workspace_root?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Encoding & Unicode Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score?: Long,\n    weapons_score?: Long,\n    hate_speech_score?: Long,\n    crime_score?: Long,\n    sexual_score?: Long,\n    profanity_score?: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    pii_confidence?: Long,\n    injection_confidence?: Long,      // Combined injection confidence: MAX(pulse, deep_context)\n    jailbreak_confidence?: Long,      // Combined jailbreak confidence: MAX(pulse, deep_context)\n    injection_pulse_score?: Long,     // 0-100 Pulse single-turn classifier\n    injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n    jailbreak_pulse_score?: Long,     // 0-100 Pulse single-turn classifier\n    jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n\n    // --- Agent Security (0-100) --- (OWASP ASI01, ASI02, ASI04; MITRE AML.T0051)\n    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args\n    tool_poisoning_detected?: Bool,   // Boolean flag for tool poisoning\n    rug_pull_score?: Long,            // Tool behavior drift after trust establishment\n    rug_pull_detected?: Bool,         // Boolean flag for rug pull\n    indirect_injection_score?: Long,  // Indirect injection via tool output\n\n    // --- Tool Risk Assessment ---\n    tool_risk_score?: Long,           // Computed tool risk (0-100)\n    tool_category?: String,           // \"safe\", \"sensitive\", \"dangerous\"\n    tool_is_sensitive?: Bool,         // Sensitivity classification\n    tool_is_builtin?: Bool,           // Built-in IDE tool vs MCP tool\n\n    // --- Behavioral Analysis --- (OWASP LLM10, ASI02, ASI08)\n    loop_detected?: Bool,             // Consecutive same-tool call loop\n    loop_count?: Long,                // Number of consecutive repeat calls\n    loop_tool?: String,               // Tool name in loop\n    suspicious_pattern?: Bool,        // Data exfiltration or attack sequence detected\n    pattern_type?: String,            // \"data_exfiltration\", \"secret_exfiltration\", \"credential_theft\", \"destructive_sequence\"\n    sequence_risk?: Long,             // Sequence risk score (0-100)\n\n    // --- MCP Trust ---\n    mcp_server_verified?: Bool,       // Whether server is from verified registry\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n    session_max_injection_score?: Long,\n    session_max_jailbreak_score?: Long,\n    session_max_command_injection_score?: Long,\n    session_max_pii_score?: Long,\n    session_max_secret_score?: Long,\n    session_cumulative_risk_score?: Long,\n\n    // --- Legacy ---\n    response_content?: String,\n  },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n  principal: [User, Agent],\n  resource: [Server],\n  context: {\n    content?: String,                 // Server config content (if available)\n    source: String,\n    event: String,\n    user_email: String,\n    mcp_server?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    max_threat_severity?: Long,\n\n    // --- Agent Security (0-100) --- (OWASP ASI04, MCP01-MCP05)\n    tool_poisoning_score?: Long,      // Poisoned tool descriptions in server\n    tool_poisoning_detected?: Bool,\n    rug_pull_score?: Long,            // Server behavior change after approval\n    rug_pull_detected?: Bool,\n    indirect_injection_score?: Long,  // Injection payloads in server responses\n\n    // --- MCP Trust & Config Risk ---\n    mcp_server_verified?: Bool,       // Verified registry status\n    mcp_config_risk?: Bool,           // Risky server config detected (inline code exec, etc.)\n    mcp_risk_score?: Long,            // Config risk severity (0-100)\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n    session_max_injection_score?: Long,\n    session_max_jailbreak_score?: Long,\n    session_max_command_injection_score?: Long,\n    session_max_pii_score?: Long,\n    session_max_secret_score?: Long,\n    session_cumulative_risk_score?: Long,\n  },\n};\n\n// Read a file from disk\n// Threat focus: secrets exposure, PII exposure, path traversal, sensitive paths\naction read_file appliesTo {\n  principal: [User, Agent],\n  resource: [FilePath],\n  context: {\n    content: String,\n    source: String,\n    event: String,\n    user_email: String,\n    path?: String,\n    cwd?: String,\n    workspace_root?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n    session_max_injection_score?: Long,\n    session_max_jailbreak_score?: Long,\n    session_max_command_injection_score?: Long,\n    session_max_pii_score?: Long,\n    session_max_secret_score?: Long,\n    session_cumulative_risk_score?: Long,\n  },\n};\n\n// Write a file to disk\n// Threat focus: secrets in output, PII in output, sensitive paths, malicious code\naction write_file appliesTo {\n  principal: [User, Agent],\n  resource: [FilePath],\n  context: {\n    content: String,\n    source: String,\n    event: String,\n    user_email: String,\n    path?: String,\n    cwd?: String,\n    workspace_root?: String,\n\n    // --- Threat Detection ---\n    threat_count?: Long,\n    highest_severity?: String,\n    threat_categories?: Set<String>,\n    detected_threats?: Set<String>,\n    max_threat_severity?: Long,\n    contains_secrets?: Bool,\n\n    // --- Secrets (granular) ---\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_command_injection?: Bool,\n    session_threat_turns?: Long,\n    session_max_injection_score?: Long,\n    session_max_jailbreak_score?: Long,\n    session_max_command_injection_score?: Long,\n    session_max_pii_score?: Long,\n    session_max_secret_score?: Long,\n    session_cumulative_risk_score?: Long,\n  },\n};\n\n}\n";
 /**
  * Palisade Cedar schema
  *
  * Full Cedar schema for palisade, embedded at codegen time.
  */
 export declare const PALISADE_SCHEMA = "// Palisade Cedar Schema\n// =====================\n// ML Supply Chain Security & Artifact Scanning\n//\n// Palisade scans ML model artifacts (safetensors, GGUF, pickle, PyTorch) for\n// security vulnerabilities and enforces policies based on findings.\n//\n// Architecture:\n//   Scanner \u2192 Validators (Pickle, SafeTensors, GGUF, etc.) \u2192 Cedar Policy \u2192 Allow/Deny/Quarantine\n//\n// Supported Formats:\n//   - SafeTensors (.safetensors)\n//   - GGUF (.gguf)\n//   - Pickle (.pkl, .pickle, .pt)\n//   - PyTorch (.pth, .pt)\n//   - ONNX (.onnx)\n\nnamespace Palisade {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Security scanner service\nentity Scanner {\n  scanner_type: String,    // \"palisade\", \"redteam\", etc.\n};\n\n// ML model artifact\nentity Artifact {\n  artifact_format: String, // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n  path: String,            // File path\n  signed: Bool,            // Whether digitally signed\n  signer: String,          // Who signed (if applicable)\n};\n\n// Software package (npm, PyPI, etc.)\nentity Package {\n  package_name: String,\n  package_version: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Scan an ML artifact for security issues\naction scan_artifact appliesTo {\n  principal: [Scanner],\n  resource: [Artifact],\n  context: {\n    // Core Finding & Severity\n    finding_type: String,              // Type of finding (e.g., \"backdoor_detected\", \"safetensors_integrity_violation\")\n    severity: String,                  // \"CRITICAL\", \"HIGH\", \"MEDIUM\", \"LOW\", \"INFO\"\n    environment: String,               // \"production\", \"strict_production\", \"development\", \"permissive_development\", \"research\"\n\n    // Artifact Metadata\n    artifact_format: String,           // \"safetensors\", \"gguf\", \"pickle\", \"pytorch\", \"onnx\"\n    path: String,                      // File path to artifact\n    artifact_signed: Bool,             // Whether artifact is digitally signed\n    provenance_signer: String,         // \"unknown\", \"unsigned\", or signer name\n\n    // Pickle Security\n    pickle_exec_path_detected: Bool,  // Pickle RCE execution path detected (CRITICAL)\n\n    // Tokenizer Security\n    tokenizer_added_tokens_count: Long, // Number of added tokens (0-5000+)\n\n    // LoRA Security\n    adapter_base_digest_mismatch: Bool, // LoRA adapter base model digest mismatch\n\n    // GGUF Security\n    gguf_suspicious_metadata: Bool,   // GGUF metadata contains suspicious patterns\n\n    // SafeTensors Security\n    safetensors_integrity_violation: Bool, // SafeTensors file integrity violated\n\n    // General Metadata Security\n    metadata_malicious_pattern: Bool, // Metadata contains malicious patterns\n\n    // CoSAI Maturity\n    metadata_cosai_level_numeric: Long, // CoSAI maturity level (0-5, higher = more trustworthy)\n\n    // Backdoor Detection\n    match_count: Long,                // Number of behavioral backdoor indicator matches\n  },\n};\n\n// Validate artifact integrity (checksum, signature)\naction validate_integrity appliesTo {\n  principal: [Scanner],\n  resource: [Artifact],\n  context: {\n    artifact_format: String,\n    path: String,\n    artifact_signed: Bool,\n    provenance_signer: String,\n    safetensors_integrity_violation: Bool,\n    finding_type: String,\n    severity: String,\n  },\n};\n\n// Validate artifact provenance (signer, origin)\naction validate_provenance appliesTo {\n  principal: [Scanner],\n  resource: [Artifact],\n  context: {\n    artifact_format: String,\n    path: String,\n    artifact_signed: Bool,\n    provenance_signer: String,\n    metadata_cosai_level_numeric: Long,\n    finding_type: String,\n    severity: String,\n  },\n};\n\n// Quarantine a malicious artifact\naction quarantine_artifact appliesTo {\n  principal: [Scanner],\n  resource: [Artifact],\n  context: {\n    finding_type: String,\n    severity: String,\n    environment: String,\n    artifact_format: String,\n    path: String,\n  },\n};\n\n// Load an ML model into memory\naction load_model appliesTo {\n  principal: [Scanner],\n  resource: [Artifact],\n  context: {\n    artifact_format: String,\n    environment: String,\n    artifact_signed: Bool,\n    severity: String,\n  },\n};\n\n// Deploy an ML model to production\naction deploy_model appliesTo {\n  principal: [Scanner],\n  resource: [Artifact],\n  context: {\n    artifact_format: String,\n    environment: String,\n    artifact_signed: Bool,\n    provenance_signer: String,\n    severity: String,\n  },\n};\n\n// Scan a software package\naction scan_package appliesTo {\n  principal: [Scanner],\n  resource: [Package],\n  context: {\n    finding_type: String,\n    severity: String,\n    environment: String,\n  },\n};\n\n}\n";
+/**
+ * Sentry Cedar schema
+ *
+ * Full Cedar schema for sentry, embedded at codegen time.
+ */
+export declare const SENTRY_SCHEMA = "// =============================================================================\n// Sentry Cedar Schema\n// =============================================================================\n// Browser Security \u2014 monitors AI chat interactions in the browser and enforces\n// data-protection, content-safety, and compliance policies at point of use.\n//\n// Sentry is a lightweight browser extension (JSA) that intercepts:\n//   - Messages sent to AI chat services (ChatGPT, Gemini, Claude, Copilot, etc.)\n//   - AI responses returned to the user\n//   - Cut/paste operations transferring content into AI chats\n//   - File/document uploads into AI chat services\n//\n// Architecture:\n//   User \u2192 Browser Extension \u2192 Shield Detection Engine \u2192 Cedar Policy \u2192 Allow/Block\n//\n// Threat Coverage:\n//   - Data Leakage: PII, PHI, credentials, source code, confidential documents\n//   - Content Safety: Violence, hate speech, sexual content, restricted topics\n//   - Prompt Injection: Direct and indirect injection via pasted/uploaded content\n//   - Document Sensitivity: MIP label enforcement, classification-aware blocking\n//   - Compliance: GDPR, HIPAA, PCI DSS, CCPA, EU AI Act\n//\n// Supported AI Services:\n//   - ChatGPT (chat.openai.com)\n//   - Google Gemini (gemini.google.com)\n//   - Claude (claude.ai)\n//   - GitHub Copilot Chat\n//   - Microsoft Copilot\n//   - Custom/enterprise AI chat endpoints\n\nnamespace Sentry {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails/Overwatch entity hierarchy (Account -> Project).\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n//   Account (org root)\n//     \u2514\u2500\u2500 Project in [Account]\n//           \u2514\u2500\u2500 ChatSession in [Project]\n//\n// Policy scoping examples:\n//   resource in Sentry::Account::\"<uuid>\"    \u2192 org-wide\n//   resource in Sentry::Project::\"<uuid>\"    \u2192 project-wide\n//   resource == Sentry::ChatSession::\"<id>\"  \u2192 specific session\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user interacting with AI chat in the browser\nentity User;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// AI chat session \u2014 resource for send_message and receive_response actions\nentity ChatSession in [Project];\n\n/// Document or file being uploaded \u2014 resource for upload_file action\nentity Document in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User sends a message (prompt) to an AI chat service\n// Threat focus: data leakage (PII, secrets, confidential data), injection, content safety\naction send_message appliesTo {\n  principal: [User],\n  resource: [ChatSession],\n  context: {\n    // --- Core Metadata ---\n    content: String,                  // Raw message content being sent\n    source: String,                   // Browser extension identifier: \"sentry\"\n    event: String,                    // Event type: \"send_message\"\n    user_email: String,               // User identifier (SSO/OAuth verified)\n    target_app: String,               // AI service: \"chatgpt\", \"gemini\", \"claude\", \"copilot\", \"custom\"\n    target_url?: String,              // Full URL of the AI chat service\n\n    // --- Aggregated Threat Summary (from Shield NormalizeAggregation) ---\n    threat_count: Long,               // Total threats detected\n    highest_severity: String,         // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n    threat_categories: Set<String>,   // Threat category names\n    detected_threats: Set<String>,    // Detection rule names that matched\n    max_threat_severity: Long,        // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n\n    // --- Secrets Detection (from SecretsDetector) ---\n    contains_secrets: Bool,           // Whether secrets/credentials detected\n    secret_types?: Set<String>,       // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n    secret_count?: Long,              // Number of distinct secrets found\n\n    // --- PII Detection (from PIIRegexDetector, normalized) ---\n    pii_detected?: Bool,              // Whether any PII patterns matched\n    pii_types?: Set<String>,          // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n    pii_count?: Long,                 // Number of PII matches\n    pii_confidence?: Long,            // PII detection confidence (0-100)\n\n    // --- Content Safety Scores (from ToxicityDetector, 0-100) ---\n    violence_score: Long,\n    weapons_score: Long,\n    hate_speech_score: Long,\n    crime_score: Long,\n    sexual_score: Long,\n    profanity_score: Long,\n\n    // --- ML Detector Confidence Scores (0-100) ---\n    injection_score: Long,            // Prompt injection score (max of InjectionDetector + DeepContextDetector)\n    jailbreak_score: Long,            // Jailbreak detection score (max of JailbreakDetector + DeepContextDetector)\n\n    // --- Topic Classification (from TopicDetector) ---\n    content_topics?: Set<String>,     // Detected topics: \"controlled_substances\", \"weapons_manufacturing\", etc.\n    topic_confidence?: Long,          // Topic classifier confidence (0-100)\n\n    // --- Encoding & Unicode Attacks (from SecurityFiltersDetector, EncodedInjectionDetector) ---\n    contains_invisible_chars?: Bool,  // Zero-width chars, bidi overrides, tag chars\n    invisible_chars_score?: Long,     // Unicode attack severity (0-100)\n    encoded_content_detected?: Bool,  // Base64, hex, unicode, URL encoded content\n    encoded_types?: Set<String>,      // Encoding types detected\n    encoded_count?: Long,             // Number of encoded segments\n    encoded_score?: Long,             // Encoded injection severity (0-100)\n\n    // --- Code Detection (from CodeDetector) ---\n    contains_code?: Bool,             // Whether content contains source code\n    code_languages?: Set<String>,     // Detected languages: \"python\", \"javascript\", etc.\n    code_ratio?: Long,                // Percentage of content that is code (0-100)\n\n    // --- Language Detection (from LanguageDetector, ScriptDetector) ---\n    detected_language?: String,       // ISO language code\n    is_english?: Bool,\n    language_confidence?: Long,       // 0-100\n    detected_script?: String,         // \"latin\", \"cyrillic\", \"arabic\", \"unknown\"\n    is_latin_script?: Bool,\n    script_confidence?: Long,         // 0-100\n\n    // --- Keyword Detection (from KeywordDetector) ---\n    keyword_matched?: Bool,           // Whether any keywords matched\n    keyword_categories?: Set<String>, // Matched keyword categories\n    keyword_count?: Long,             // Number of keyword matches\n\n    // --- Phishing Detection (from CheckPhishDetector) ---\n    phishing_detected?: Bool,         // Whether phishing URLs detected in content\n\n    // --- Session Detection History (cross-turn sticky flags) ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n// AI service responds to the user\n// Threat focus: harmful content in responses, hallucination, data leakage in output\naction receive_response appliesTo {\n  principal: [User],\n  resource: [ChatSession],\n  context: {\n    // --- Core Metadata ---\n    content: String,                  // AI response content\n    source: String,\n    event: String,                    // \"receive_response\"\n    user_email: String,\n    target_app: String,\n    target_url?: String,\n\n    // --- Aggregated Threat Summary ---\n    threat_count: Long,\n    highest_severity: String,\n    threat_categories: Set<String>,\n    detected_threats: Set<String>,\n    max_threat_severity: Long,\n\n    // --- Secrets Detection ---\n    contains_secrets: Bool,\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n    pii_confidence?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score: Long,\n    weapons_score: Long,\n    hate_speech_score: Long,\n    crime_score: Long,\n    sexual_score: Long,\n    profanity_score: Long,\n\n    // --- ML Detector Scores (0-100) ---\n    injection_score: Long,            // Indirect injection in response content\n    jailbreak_score: Long,\n\n    // --- Hallucination Detection (from HallucinationDetector) ---\n    hallucination_score?: Long,       // Hallucination confidence (0-100)\n    factuality_score?: Long,          // Factuality score (0-100)\n\n    // --- Code in Response ---\n    contains_code?: Bool,\n    code_languages?: Set<String>,\n    code_ratio?: Long,\n\n    // --- Phishing ---\n    phishing_detected?: Bool,\n\n    // --- Session History ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n// User pastes content into an AI chat (clipboard, cross-tab, cross-app)\n// Threat focus: data leakage via cut/paste, injection payloads in pasted content\naction paste_content appliesTo {\n  principal: [User],\n  resource: [ChatSession],\n  context: {\n    // --- Core Metadata ---\n    content: String,                  // Pasted content\n    source: String,\n    event: String,                    // \"paste_content\"\n    user_email: String,\n    target_app: String,\n    target_url?: String,\n\n    // --- Paste Context ---\n    paste_source_app?: String,        // Source application (e.g., \"outlook\", \"excel\", \"vscode\", \"terminal\")\n    paste_source_url?: String,        // Source URL if from another browser tab\n    paste_length?: Long,              // Character length of pasted content\n\n    // --- Aggregated Threat Summary ---\n    threat_count: Long,\n    highest_severity: String,\n    threat_categories: Set<String>,\n    detected_threats: Set<String>,\n    max_threat_severity: Long,\n\n    // --- Secrets Detection ---\n    contains_secrets: Bool,\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n    pii_confidence?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score: Long,\n    weapons_score: Long,\n    hate_speech_score: Long,\n    crime_score: Long,\n    sexual_score: Long,\n    profanity_score: Long,\n\n    // --- ML Detector Scores (0-100) ---\n    injection_score: Long,\n    jailbreak_score: Long,\n\n    // --- Code Detection ---\n    contains_code?: Bool,\n    code_languages?: Set<String>,\n    code_ratio?: Long,\n\n    // --- Encoding Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n    encoded_content_detected?: Bool,\n    encoded_types?: Set<String>,\n    encoded_count?: Long,\n    encoded_score?: Long,\n\n    // --- Keyword Detection ---\n    keyword_matched?: Bool,\n    keyword_categories?: Set<String>,\n    keyword_count?: Long,\n\n    // --- Session History ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n// User uploads a file or document into an AI chat\n// Threat focus: document sensitivity (MIP labels), PII/secrets in files, malware\naction upload_file appliesTo {\n  principal: [User],\n  resource: [Document, ChatSession],\n  context: {\n    // --- Core Metadata ---\n    content: String,                  // Extracted file text content (for scanning)\n    source: String,\n    event: String,                    // \"upload_file\"\n    user_email: String,\n    target_app: String,\n    target_url?: String,\n\n    // --- File Metadata ---\n    file_name?: String,               // Original file name\n    file_type?: String,               // MIME type: \"application/pdf\", \"text/csv\", etc.\n    file_size_bytes?: Long,           // File size in bytes\n    file_extension?: String,          // Extension: \"pdf\", \"docx\", \"xlsx\", \"csv\", \"txt\"\n\n    // --- Document Sensitivity (MIP Labels) ---\n    mip_label_id?: String,            // Microsoft Information Protection label ID\n    mip_label_name?: String,          // Label display name: \"Public\", \"Internal\", \"Confidential\", \"Highly Confidential\"\n    sensitivity_level?: String,       // Normalized: \"public\", \"internal\", \"confidential\", \"restricted\"\n    is_encrypted?: Bool,              // Whether file is encrypted (MIP protection)\n    is_rights_managed?: Bool,         // Whether file has rights management restrictions\n\n    // --- Aggregated Threat Summary ---\n    threat_count: Long,\n    highest_severity: String,\n    threat_categories: Set<String>,\n    detected_threats: Set<String>,\n    max_threat_severity: Long,\n\n    // --- Secrets Detection ---\n    contains_secrets: Bool,\n    secret_types?: Set<String>,\n    secret_count?: Long,\n\n    // --- PII Detection ---\n    pii_detected?: Bool,\n    pii_types?: Set<String>,\n    pii_count?: Long,\n    pii_confidence?: Long,\n\n    // --- Content Safety Scores (0-100) ---\n    violence_score: Long,\n    weapons_score: Long,\n    hate_speech_score: Long,\n    crime_score: Long,\n    sexual_score: Long,\n    profanity_score: Long,\n\n    // --- ML Detector Scores (0-100) ---\n    injection_score: Long,            // Prompt injection payloads hidden in documents\n    jailbreak_score: Long,\n\n    // --- Code Detection ---\n    contains_code?: Bool,\n    code_languages?: Set<String>,\n    code_ratio?: Long,\n\n    // --- Phishing ---\n    phishing_detected?: Bool,\n\n    // --- Encoding Attacks ---\n    contains_invisible_chars?: Bool,\n    invisible_chars_score?: Long,\n    encoded_content_detected?: Bool,\n    encoded_types?: Set<String>,\n    encoded_count?: Long,\n    encoded_score?: Long,\n\n    // --- Session History ---\n    session_pii_detected?: Bool,\n    session_pii_types?: Set<String>,\n    session_secrets_detected?: Bool,\n    session_secret_types?: Set<String>,\n    session_injection_detected?: Bool,\n    session_threat_turns?: Long,\n  },\n};\n\n}\n";
 /**
  * Context attribute metadata for service actions.
  * Used by PolicyBuilder UI to generate form fields.
@@ -49,3 +55,7 @@ export declare const OVERWATCH_CONTEXT: ServiceContext;
  * Palisade context metadata (parsed JSON)
  */
 export declare const PALISADE_CONTEXT: ServiceContext;
+/**
+ * Sentry context metadata (parsed JSON)
+ */
+export declare const SENTRY_CONTEXT: ServiceContext;