@highflame/policy 2.1.3 → 2.1.5
- package/README.md +41 -0
- package/_schemas/guardrails/context.json +466 -76
- package/_schemas/guardrails/schema.cedarschema +39 -3
- package/_schemas/guardrails/templates/defaults/injection.cedar +6 -6
- package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +2 -2
- package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +1 -1
- package/_schemas/overwatch/context.json +443 -5
- package/_schemas/overwatch/schema.cedarschema +42 -4
- package/_schemas/palisade/context.json +1 -1
- package/_schemas/sentry/context.json +1165 -0
- package/_schemas/sentry/schema.cedarschema +388 -0
- package/_schemas/sentry/templates/defaults/baseline.cedar +24 -0
- package/_schemas/sentry/templates/defaults/content_safety.cedar +232 -0
- package/_schemas/sentry/templates/defaults/file_safety.cedar +174 -0
- package/_schemas/sentry/templates/defaults/organization.cedar +207 -0
- package/_schemas/sentry/templates/defaults/pii.cedar +229 -0
- package/_schemas/sentry/templates/defaults/semantic.cedar +167 -0
- package/_schemas/sentry/templates/templates.json +93 -0
- package/dist/builder.d.ts +32 -0
- package/dist/builder.js +6 -6
- package/dist/condition-groups.d.ts +69 -0
- package/dist/condition-groups.js +305 -0
- package/dist/guardrails-context.gen.d.ts +19 -2
- package/dist/guardrails-context.gen.js +19 -2
- package/dist/guardrails-defaults.gen.js +9 -9
- package/dist/index.d.ts +6 -1
- package/dist/index.js +6 -1
- package/dist/overwatch-context.gen.d.ts +17 -0
- package/dist/overwatch-context.gen.js +17 -0
- package/dist/sentry-context.gen.d.ts +76 -0
- package/dist/sentry-context.gen.js +77 -0
- package/dist/sentry-defaults.gen.d.ts +61 -0
- package/dist/sentry-defaults.gen.js +1235 -0
- package/dist/sentry-entities.gen.d.ts +11 -0
- package/dist/sentry-entities.gen.js +33 -0
- package/dist/service-schemas.gen.d.ts +12 -2
- package/dist/service-schemas.gen.js +861 -25
- package/dist/types.d.ts +6 -1
- package/dist/types.js +6 -1
- package/package.json +1 -1
- package/_schemas/guardrails/templates/profiles/chat_assistant.cedar +0 -85
- package/_schemas/guardrails/templates/profiles/code_agent.cedar +0 -125
- package/_schemas/guardrails/templates/profiles/data_pipeline.cedar +0 -111
|
@@ -38,18 +38,40 @@
|
|
|
38
38
|
"description": "Number of detectors that were executed for this request"
|
|
39
39
|
},
|
|
40
40
|
{
|
|
41
|
-
"key": "
|
|
41
|
+
"key": "injection_confidence",
|
|
42
42
|
"type": "number",
|
|
43
43
|
"required": false,
|
|
44
|
-
"description": "
|
|
45
|
-
"range": "0-100"
|
|
44
|
+
"description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
|
|
46
45
|
},
|
|
47
46
|
{
|
|
48
|
-
"key": "
|
|
47
|
+
"key": "jailbreak_confidence",
|
|
49
48
|
"type": "number",
|
|
50
49
|
"required": false,
|
|
51
|
-
"description": "
|
|
52
|
-
|
|
50
|
+
"description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control"
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"key": "injection_pulse_score",
|
|
54
|
+
"type": "number",
|
|
55
|
+
"required": false,
|
|
56
|
+
"description": "Highflame single-turn classifier score for prompt injection (0-100). Raw score from Pulse detector before combination with deep-context. Use for per-detector policy control"
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
"key": "injection_deep_context_score",
|
|
60
|
+
"type": "number",
|
|
61
|
+
"required": false,
|
|
62
|
+
"description": "DeepContext multi-turn analyzer score for prompt injection (0-100). Tracks injection patterns across conversation history. Generally higher confidence than single-turn"
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
"key": "jailbreak_pulse_score",
|
|
66
|
+
"type": "number",
|
|
67
|
+
"required": false,
|
|
68
|
+
"description": "Highflame single-turn classifier score for jailbreak attempts (0-100). Raw score from Pulse detector before combination with deep-context"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"key": "jailbreak_deep_context_score",
|
|
72
|
+
"type": "number",
|
|
73
|
+
"required": false,
|
|
74
|
+
"description": "DeepContext multi-turn analyzer score for jailbreak attempts (0-100). Detects jailbreak escalation patterns across conversation turns"
|
|
53
75
|
},
|
|
54
76
|
{
|
|
55
77
|
"key": "injection_type",
|
|
@@ -97,43 +119,37 @@
|
|
|
97
119
|
"key": "violence_score",
|
|
98
120
|
"type": "number",
|
|
99
121
|
"required": false,
|
|
100
|
-
"description": "ML-based score for violent content references (0-100). Typical threshold: >90 for critical blocks, >60 for warnings"
|
|
101
|
-
"range": "0-100"
|
|
122
|
+
"description": "ML-based score for violent content references (0-100). Typical threshold: >90 for critical blocks, >60 for warnings"
|
|
102
123
|
},
|
|
103
124
|
{
|
|
104
125
|
"key": "hate_speech_score",
|
|
105
126
|
"type": "number",
|
|
106
127
|
"required": false,
|
|
107
|
-
"description": "ML-based score for hate speech, discriminatory language, or targeted harassment (0-100). Typical threshold: >75 for blocks"
|
|
108
|
-
"range": "0-100"
|
|
128
|
+
"description": "ML-based score for hate speech, discriminatory language, or targeted harassment (0-100). Typical threshold: >75 for blocks"
|
|
109
129
|
},
|
|
110
130
|
{
|
|
111
131
|
"key": "sexual_score",
|
|
112
132
|
"type": "number",
|
|
113
133
|
"required": false,
|
|
114
|
-
"description": "ML-based score for sexual or adult content (0-100). Adjust thresholds based on your application's audience"
|
|
115
|
-
"range": "0-100"
|
|
134
|
+
"description": "ML-based score for sexual or adult content (0-100). Adjust thresholds based on your application's audience"
|
|
116
135
|
},
|
|
117
136
|
{
|
|
118
137
|
"key": "weapons_score",
|
|
119
138
|
"type": "number",
|
|
120
139
|
"required": false,
|
|
121
|
-
"description": "ML-based score for weapons references or violent imagery (0-100)"
|
|
122
|
-
"range": "0-100"
|
|
140
|
+
"description": "ML-based score for weapons references or violent imagery (0-100)"
|
|
123
141
|
},
|
|
124
142
|
{
|
|
125
143
|
"key": "crime_score",
|
|
126
144
|
"type": "number",
|
|
127
145
|
"required": false,
|
|
128
|
-
"description": "ML-based score for criminal activity discussions (0-100)"
|
|
129
|
-
"range": "0-100"
|
|
146
|
+
"description": "ML-based score for criminal activity discussions (0-100)"
|
|
130
147
|
},
|
|
131
148
|
{
|
|
132
149
|
"key": "profanity_score",
|
|
133
150
|
"type": "number",
|
|
134
151
|
"required": false,
|
|
135
|
-
"description": "ML-based score for profanity and vulgar language (0-100)"
|
|
136
|
-
"range": "0-100"
|
|
152
|
+
"description": "ML-based score for profanity and vulgar language (0-100)"
|
|
137
153
|
},
|
|
138
154
|
{
|
|
139
155
|
"key": "content_topics",
|
|
@@ -145,8 +161,7 @@
|
|
|
145
161
|
"key": "topic_confidence",
|
|
146
162
|
"type": "number",
|
|
147
163
|
"required": false,
|
|
148
|
-
"description": "Confidence score from topic classifier (0-100). Use with content_topics to tune sensitivity — higher thresholds reduce false positives"
|
|
149
|
-
"range": "0-100"
|
|
164
|
+
"description": "Confidence score from topic classifier (0-100). Use with content_topics to tune sensitivity — higher thresholds reduce false positives"
|
|
150
165
|
},
|
|
151
166
|
{
|
|
152
167
|
"key": "contains_invisible_chars",
|
|
@@ -158,8 +173,7 @@
|
|
|
158
173
|
"key": "invisible_chars_score",
|
|
159
174
|
"type": "number",
|
|
160
175
|
"required": false,
|
|
161
|
-
"description": "Density score for invisible characters in the content (0-100). Higher scores indicate more invisible characters, suggesting evasion attempts"
|
|
162
|
-
"range": "0-100"
|
|
176
|
+
"description": "Density score for invisible characters in the content (0-100). Higher scores indicate more invisible characters, suggesting evasion attempts"
|
|
163
177
|
},
|
|
164
178
|
{
|
|
165
179
|
"key": "command_injection_detected",
|
|
@@ -177,8 +191,7 @@
|
|
|
177
191
|
"key": "command_injection_score",
|
|
178
192
|
"type": "number",
|
|
179
193
|
"required": false,
|
|
180
|
-
"description": "Confidence score for command injection detection (0-100). Higher scores indicate stronger pattern matches"
|
|
181
|
-
"range": "0-100"
|
|
194
|
+
"description": "Confidence score for command injection detection (0-100). Higher scores indicate stronger pattern matches"
|
|
182
195
|
},
|
|
183
196
|
{
|
|
184
197
|
"key": "path_traversal_detected",
|
|
@@ -214,8 +227,7 @@
|
|
|
214
227
|
"key": "sql_injection_score",
|
|
215
228
|
"type": "number",
|
|
216
229
|
"required": false,
|
|
217
|
-
"description": "Confidence score for SQL injection detection (0-100). Typical threshold: >=75 for blocks"
|
|
218
|
-
"range": "0-100"
|
|
230
|
+
"description": "Confidence score for SQL injection detection (0-100). Typical threshold: >=75 for blocks"
|
|
219
231
|
},
|
|
220
232
|
{
|
|
221
233
|
"key": "cross_origin_detected",
|
|
@@ -233,8 +245,7 @@
|
|
|
233
245
|
"key": "cross_origin_score",
|
|
234
246
|
"type": "number",
|
|
235
247
|
"required": false,
|
|
236
|
-
"description": "Risk score for cross-origin escalation (0-100). Higher scores indicate more suspicious cross-boundary activity"
|
|
237
|
-
"range": "0-100"
|
|
248
|
+
"description": "Risk score for cross-origin escalation (0-100). Higher scores indicate more suspicious cross-boundary activity"
|
|
238
249
|
},
|
|
239
250
|
{
|
|
240
251
|
"key": "encoded_content_detected",
|
|
@@ -258,8 +269,7 @@
|
|
|
258
269
|
"key": "encoded_score",
|
|
259
270
|
"type": "number",
|
|
260
271
|
"required": false,
|
|
261
|
-
"description": "Risk score for encoded injection attempts (0-100). Considers encoding density and decoded content patterns"
|
|
262
|
-
"range": "0-100"
|
|
272
|
+
"description": "Risk score for encoded injection attempts (0-100). Considers encoding density and decoded content patterns"
|
|
263
273
|
},
|
|
264
274
|
{
|
|
265
275
|
"key": "detected_language",
|
|
@@ -277,8 +287,7 @@
|
|
|
277
287
|
"key": "language_confidence",
|
|
278
288
|
"type": "number",
|
|
279
289
|
"required": false,
|
|
280
|
-
"description": "Confidence score for language detection (0-100). Use with detected_language to tune sensitivity"
|
|
281
|
-
"range": "0-100"
|
|
290
|
+
"description": "Confidence score for language detection (0-100). Use with detected_language to tune sensitivity"
|
|
282
291
|
},
|
|
283
292
|
{
|
|
284
293
|
"key": "detected_script",
|
|
@@ -296,29 +305,25 @@
|
|
|
296
305
|
"key": "script_confidence",
|
|
297
306
|
"type": "number",
|
|
298
307
|
"required": false,
|
|
299
|
-
"description": "Confidence score for script detection (0-100)"
|
|
300
|
-
"range": "0-100"
|
|
308
|
+
"description": "Confidence score for script detection (0-100)"
|
|
301
309
|
},
|
|
302
310
|
{
|
|
303
311
|
"key": "hallucination_score",
|
|
304
312
|
"type": "number",
|
|
305
313
|
"required": false,
|
|
306
|
-
"description": "ML-based score for hallucinated or fabricated content (0-100). Higher scores indicate higher likelihood of non-factual claims"
|
|
307
|
-
"range": "0-100"
|
|
314
|
+
"description": "ML-based score for hallucinated or fabricated content (0-100). Higher scores indicate higher likelihood of non-factual claims"
|
|
308
315
|
},
|
|
309
316
|
{
|
|
310
317
|
"key": "factuality_score",
|
|
311
318
|
"type": "number",
|
|
312
319
|
"required": false,
|
|
313
|
-
"description": "ML-based factuality assessment score (0-100). Higher scores indicate more factually grounded content"
|
|
314
|
-
"range": "0-100"
|
|
320
|
+
"description": "ML-based factuality assessment score (0-100). Higher scores indicate more factually grounded content"
|
|
315
321
|
},
|
|
316
322
|
{
|
|
317
323
|
"key": "sentiment_score",
|
|
318
324
|
"type": "number",
|
|
319
325
|
"required": false,
|
|
320
|
-
"description": "Sentiment analysis score. Use to detect overly negative or manipulative tone in prompts or responses"
|
|
321
|
-
"range": "0-100"
|
|
326
|
+
"description": "Sentiment analysis score. Use to detect overly negative or manipulative tone in prompts or responses"
|
|
322
327
|
},
|
|
323
328
|
{
|
|
324
329
|
"key": "contains_code",
|
|
@@ -336,8 +341,7 @@
|
|
|
336
341
|
"key": "code_ratio",
|
|
337
342
|
"type": "number",
|
|
338
343
|
"required": false,
|
|
339
|
-
"description": "Percentage of content that consists of code (0-100). High values may indicate code dumps or automated content"
|
|
340
|
-
"range": "0-100"
|
|
344
|
+
"description": "Percentage of content that consists of code (0-100). High values may indicate code dumps or automated content"
|
|
341
345
|
},
|
|
342
346
|
{
|
|
343
347
|
"key": "keyword_matched",
|
|
@@ -373,8 +377,7 @@
|
|
|
373
377
|
"key": "content_safety_score",
|
|
374
378
|
"type": "number",
|
|
375
379
|
"required": false,
|
|
376
|
-
"description": "Aggregate content safety score (0-100). Combines multiple safety signals into a single risk indicator"
|
|
377
|
-
"range": "0-100"
|
|
380
|
+
"description": "Aggregate content safety score (0-100). Combines multiple safety signals into a single risk indicator"
|
|
378
381
|
},
|
|
379
382
|
{
|
|
380
383
|
"key": "content_safety_blocked",
|
|
@@ -393,6 +396,84 @@
|
|
|
393
396
|
"type": "boolean",
|
|
394
397
|
"required": false,
|
|
395
398
|
"description": "Whether multi-turn injection patterns were detected (attack spread across multiple conversation turns)"
|
|
399
|
+
},
|
|
400
|
+
{
|
|
401
|
+
"key": "session_pii_detected",
|
|
402
|
+
"type": "boolean",
|
|
403
|
+
"required": false,
|
|
404
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"key": "session_pii_types",
|
|
408
|
+
"type": "array",
|
|
409
|
+
"required": false,
|
|
410
|
+
"description": "PII types detected across the session (accumulated)"
|
|
411
|
+
},
|
|
412
|
+
{
|
|
413
|
+
"key": "session_secrets_detected",
|
|
414
|
+
"type": "boolean",
|
|
415
|
+
"required": false,
|
|
416
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
417
|
+
},
|
|
418
|
+
{
|
|
419
|
+
"key": "session_secret_types",
|
|
420
|
+
"type": "array",
|
|
421
|
+
"required": false,
|
|
422
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
423
|
+
},
|
|
424
|
+
{
|
|
425
|
+
"key": "session_injection_detected",
|
|
426
|
+
"type": "boolean",
|
|
427
|
+
"required": false,
|
|
428
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"key": "session_command_injection",
|
|
432
|
+
"type": "boolean",
|
|
433
|
+
"required": false,
|
|
434
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
435
|
+
},
|
|
436
|
+
{
|
|
437
|
+
"key": "session_threat_turns",
|
|
438
|
+
"type": "number",
|
|
439
|
+
"required": false,
|
|
440
|
+
"description": "Number of turns in the session where threats were detected"
|
|
441
|
+
},
|
|
442
|
+
{
|
|
443
|
+
"key": "session_max_injection_score",
|
|
444
|
+
"type": "number",
|
|
445
|
+
"required": false,
|
|
446
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
447
|
+
},
|
|
448
|
+
{
|
|
449
|
+
"key": "session_max_jailbreak_score",
|
|
450
|
+
"type": "number",
|
|
451
|
+
"required": false,
|
|
452
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"key": "session_max_command_injection_score",
|
|
456
|
+
"type": "number",
|
|
457
|
+
"required": false,
|
|
458
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
459
|
+
},
|
|
460
|
+
{
|
|
461
|
+
"key": "session_max_pii_score",
|
|
462
|
+
"type": "number",
|
|
463
|
+
"required": false,
|
|
464
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
465
|
+
},
|
|
466
|
+
{
|
|
467
|
+
"key": "session_max_secret_score",
|
|
468
|
+
"type": "number",
|
|
469
|
+
"required": false,
|
|
470
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"key": "session_cumulative_risk_score",
|
|
474
|
+
"type": "number",
|
|
475
|
+
"required": false,
|
|
476
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
396
477
|
}
|
|
397
478
|
]
|
|
398
479
|
},
|
|
@@ -422,8 +503,7 @@
|
|
|
422
503
|
"key": "tool_risk_score",
|
|
423
504
|
"type": "number",
|
|
424
505
|
"required": false,
|
|
425
|
-
"description": "Computed risk score for this tool call (0-100). Considers tool sensitivity, argument patterns, and MCP verification status. Typical threshold: >85 for dangerous tools"
|
|
426
|
-
"range": "0-100"
|
|
506
|
+
"description": "Computed risk score for this tool call (0-100). Considers tool sensitivity, argument patterns, and MCP verification status. Typical threshold: >85 for dangerous tools"
|
|
427
507
|
},
|
|
428
508
|
{
|
|
429
509
|
"key": "tool_is_sensitive",
|
|
@@ -477,8 +557,7 @@
|
|
|
477
557
|
"key": "sequence_risk",
|
|
478
558
|
"type": "number",
|
|
479
559
|
"required": false,
|
|
480
|
-
"description": "Risk score from action sequence analysis (0-100). Analyzes history of tool calls to detect attack patterns. Typical threshold: >80 for blocks"
|
|
481
|
-
"range": "0-100"
|
|
560
|
+
"description": "Risk score from action sequence analysis (0-100). Analyzes history of tool calls to detect attack patterns. Typical threshold: >80 for blocks"
|
|
482
561
|
},
|
|
483
562
|
{
|
|
484
563
|
"key": "loop_detected",
|
|
@@ -502,8 +581,7 @@
|
|
|
502
581
|
"key": "budget_remaining_pct",
|
|
503
582
|
"type": "number",
|
|
504
583
|
"required": false,
|
|
505
|
-
"description": "Remaining token budget as percentage (0-100). Use this to warn or block when budget is low. Requires session with token budget configuration"
|
|
506
|
-
"range": "0-100"
|
|
584
|
+
"description": "Remaining token budget as percentage (0-100). Use this to warn or block when budget is low. Requires session with token budget configuration"
|
|
507
585
|
},
|
|
508
586
|
{
|
|
509
587
|
"key": "budget_exceeded",
|
|
@@ -521,8 +599,7 @@
|
|
|
521
599
|
"key": "topic_confidence",
|
|
522
600
|
"type": "number",
|
|
523
601
|
"required": false,
|
|
524
|
-
"description": "Confidence score from topic classifier for tool content (0-100)"
|
|
525
|
-
"range": "0-100"
|
|
602
|
+
"description": "Confidence score from topic classifier for tool content (0-100)"
|
|
526
603
|
},
|
|
527
604
|
{
|
|
528
605
|
"key": "contains_secrets",
|
|
@@ -549,11 +626,22 @@
|
|
|
549
626
|
"description": "Array of PII types found in tool arguments"
|
|
550
627
|
},
|
|
551
628
|
{
|
|
552
|
-
"key": "
|
|
629
|
+
"key": "injection_confidence",
|
|
630
|
+
"type": "number",
|
|
631
|
+
"required": false,
|
|
632
|
+
"description": "Combined prompt injection confidence in tool arguments (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
|
|
633
|
+
},
|
|
634
|
+
{
|
|
635
|
+
"key": "injection_pulse_score",
|
|
636
|
+
"type": "number",
|
|
637
|
+
"required": false,
|
|
638
|
+
"description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context"
|
|
639
|
+
},
|
|
640
|
+
{
|
|
641
|
+
"key": "injection_deep_context_score",
|
|
553
642
|
"type": "number",
|
|
554
643
|
"required": false,
|
|
555
|
-
"description": "
|
|
556
|
-
"range": "0-100"
|
|
644
|
+
"description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history"
|
|
557
645
|
},
|
|
558
646
|
{
|
|
559
647
|
"key": "command_injection_detected",
|
|
@@ -571,8 +659,7 @@
|
|
|
571
659
|
"key": "command_injection_score",
|
|
572
660
|
"type": "number",
|
|
573
661
|
"required": false,
|
|
574
|
-
"description": "Confidence score for command injection in tool arguments (0-100)"
|
|
575
|
-
"range": "0-100"
|
|
662
|
+
"description": "Confidence score for command injection in tool arguments (0-100)"
|
|
576
663
|
},
|
|
577
664
|
{
|
|
578
665
|
"key": "path_traversal_detected",
|
|
@@ -608,8 +695,7 @@
|
|
|
608
695
|
"key": "sql_injection_score",
|
|
609
696
|
"type": "number",
|
|
610
697
|
"required": false,
|
|
611
|
-
"description": "Confidence score for SQL injection in tool arguments (0-100)"
|
|
612
|
-
"range": "0-100"
|
|
698
|
+
"description": "Confidence score for SQL injection in tool arguments (0-100)"
|
|
613
699
|
},
|
|
614
700
|
{
|
|
615
701
|
"key": "tool_poisoning_detected",
|
|
@@ -621,8 +707,7 @@
|
|
|
621
707
|
"key": "tool_poisoning_score",
|
|
622
708
|
"type": "number",
|
|
623
709
|
"required": false,
|
|
624
|
-
"description": "Confidence score for tool poisoning detection (0-100). Typical threshold: >=70 for blocks"
|
|
625
|
-
"range": "0-100"
|
|
710
|
+
"description": "Confidence score for tool poisoning detection (0-100). Typical threshold: >=70 for blocks"
|
|
626
711
|
},
|
|
627
712
|
{
|
|
628
713
|
"key": "tool_poisoning_type",
|
|
@@ -640,8 +725,7 @@
|
|
|
640
725
|
"key": "rug_pull_score",
|
|
641
726
|
"type": "number",
|
|
642
727
|
"required": false,
|
|
643
|
-
"description": "Confidence score for rug pull detection based on behavioral drift analysis (0-100)"
|
|
644
|
-
"range": "0-100"
|
|
728
|
+
"description": "Confidence score for rug pull detection based on behavioral drift analysis (0-100)"
|
|
645
729
|
},
|
|
646
730
|
{
|
|
647
731
|
"key": "mcp_config_risk",
|
|
@@ -659,8 +743,7 @@
|
|
|
659
743
|
"key": "mcp_risk_score",
|
|
660
744
|
"type": "number",
|
|
661
745
|
"required": false,
|
|
662
|
-
"description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks"
|
|
663
|
-
"range": "0-100"
|
|
746
|
+
"description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks"
|
|
664
747
|
},
|
|
665
748
|
{
|
|
666
749
|
"key": "cross_origin_detected",
|
|
@@ -678,8 +761,7 @@
|
|
|
678
761
|
"key": "cross_origin_score",
|
|
679
762
|
"type": "number",
|
|
680
763
|
"required": false,
|
|
681
|
-
"description": "Risk score for cross-origin escalation in tool calls (0-100)"
|
|
682
|
-
"range": "0-100"
|
|
764
|
+
"description": "Risk score for cross-origin escalation in tool calls (0-100)"
|
|
683
765
|
},
|
|
684
766
|
{
|
|
685
767
|
"key": "encoded_content_detected",
|
|
@@ -703,8 +785,7 @@
|
|
|
703
785
|
"key": "encoded_score",
|
|
704
786
|
"type": "number",
|
|
705
787
|
"required": false,
|
|
706
|
-
"description": "Risk score for encoded injection in tool arguments (0-100)"
|
|
707
|
-
"range": "0-100"
|
|
788
|
+
"description": "Risk score for encoded injection in tool arguments (0-100)"
|
|
708
789
|
},
|
|
709
790
|
{
|
|
710
791
|
"key": "rug_pull_type",
|
|
@@ -723,6 +804,84 @@
|
|
|
723
804
|
"type": "boolean",
|
|
724
805
|
"required": false,
|
|
725
806
|
"description": "Whether multi-turn injection patterns were detected across tool calls in the session"
|
|
807
|
+
},
|
|
808
|
+
{
|
|
809
|
+
"key": "session_pii_detected",
|
|
810
|
+
"type": "boolean",
|
|
811
|
+
"required": false,
|
|
812
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
813
|
+
},
|
|
814
|
+
{
|
|
815
|
+
"key": "session_pii_types",
|
|
816
|
+
"type": "array",
|
|
817
|
+
"required": false,
|
|
818
|
+
"description": "PII types detected across the session (accumulated)"
|
|
819
|
+
},
|
|
820
|
+
{
|
|
821
|
+
"key": "session_secrets_detected",
|
|
822
|
+
"type": "boolean",
|
|
823
|
+
"required": false,
|
|
824
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
825
|
+
},
|
|
826
|
+
{
|
|
827
|
+
"key": "session_secret_types",
|
|
828
|
+
"type": "array",
|
|
829
|
+
"required": false,
|
|
830
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
831
|
+
},
|
|
832
|
+
{
|
|
833
|
+
"key": "session_injection_detected",
|
|
834
|
+
"type": "boolean",
|
|
835
|
+
"required": false,
|
|
836
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
837
|
+
},
|
|
838
|
+
{
|
|
839
|
+
"key": "session_command_injection",
|
|
840
|
+
"type": "boolean",
|
|
841
|
+
"required": false,
|
|
842
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
843
|
+
},
|
|
844
|
+
{
|
|
845
|
+
"key": "session_threat_turns",
|
|
846
|
+
"type": "number",
|
|
847
|
+
"required": false,
|
|
848
|
+
"description": "Number of turns in the session where threats were detected"
|
|
849
|
+
},
|
|
850
|
+
{
|
|
851
|
+
"key": "session_max_injection_score",
|
|
852
|
+
"type": "number",
|
|
853
|
+
"required": false,
|
|
854
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
855
|
+
},
|
|
856
|
+
{
|
|
857
|
+
"key": "session_max_jailbreak_score",
|
|
858
|
+
"type": "number",
|
|
859
|
+
"required": false,
|
|
860
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
861
|
+
},
|
|
862
|
+
{
|
|
863
|
+
"key": "session_max_command_injection_score",
|
|
864
|
+
"type": "number",
|
|
865
|
+
"required": false,
|
|
866
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
867
|
+
},
|
|
868
|
+
{
|
|
869
|
+
"key": "session_max_pii_score",
|
|
870
|
+
"type": "number",
|
|
871
|
+
"required": false,
|
|
872
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
873
|
+
},
|
|
874
|
+
{
|
|
875
|
+
"key": "session_max_secret_score",
|
|
876
|
+
"type": "number",
|
|
877
|
+
"required": false,
|
|
878
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
879
|
+
},
|
|
880
|
+
{
|
|
881
|
+
"key": "session_cumulative_risk_score",
|
|
882
|
+
"type": "number",
|
|
883
|
+
"required": false,
|
|
884
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
726
885
|
}
|
|
727
886
|
]
|
|
728
887
|
},
|
|
@@ -783,6 +942,84 @@
|
|
|
783
942
|
"type": "string",
|
|
784
943
|
"required": false,
|
|
785
944
|
"description": "Type of path traversal detected in the file read path"
|
|
945
|
+
},
|
|
946
|
+
{
|
|
947
|
+
"key": "session_pii_detected",
|
|
948
|
+
"type": "boolean",
|
|
949
|
+
"required": false,
|
|
950
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
951
|
+
},
|
|
952
|
+
{
|
|
953
|
+
"key": "session_pii_types",
|
|
954
|
+
"type": "array",
|
|
955
|
+
"required": false,
|
|
956
|
+
"description": "PII types detected across the session (accumulated)"
|
|
957
|
+
},
|
|
958
|
+
{
|
|
959
|
+
"key": "session_secrets_detected",
|
|
960
|
+
"type": "boolean",
|
|
961
|
+
"required": false,
|
|
962
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
963
|
+
},
|
|
964
|
+
{
|
|
965
|
+
"key": "session_secret_types",
|
|
966
|
+
"type": "array",
|
|
967
|
+
"required": false,
|
|
968
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
969
|
+
},
|
|
970
|
+
{
|
|
971
|
+
"key": "session_injection_detected",
|
|
972
|
+
"type": "boolean",
|
|
973
|
+
"required": false,
|
|
974
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
975
|
+
},
|
|
976
|
+
{
|
|
977
|
+
"key": "session_command_injection",
|
|
978
|
+
"type": "boolean",
|
|
979
|
+
"required": false,
|
|
980
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
981
|
+
},
|
|
982
|
+
{
|
|
983
|
+
"key": "session_threat_turns",
|
|
984
|
+
"type": "number",
|
|
985
|
+
"required": false,
|
|
986
|
+
"description": "Number of turns in the session where threats were detected"
|
|
987
|
+
},
|
|
988
|
+
{
|
|
989
|
+
"key": "session_max_injection_score",
|
|
990
|
+
"type": "number",
|
|
991
|
+
"required": false,
|
|
992
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
993
|
+
},
|
|
994
|
+
{
|
|
995
|
+
"key": "session_max_jailbreak_score",
|
|
996
|
+
"type": "number",
|
|
997
|
+
"required": false,
|
|
998
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
999
|
+
},
|
|
1000
|
+
{
|
|
1001
|
+
"key": "session_max_command_injection_score",
|
|
1002
|
+
"type": "number",
|
|
1003
|
+
"required": false,
|
|
1004
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
1005
|
+
},
|
|
1006
|
+
{
|
|
1007
|
+
"key": "session_max_pii_score",
|
|
1008
|
+
"type": "number",
|
|
1009
|
+
"required": false,
|
|
1010
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
1011
|
+
},
|
|
1012
|
+
{
|
|
1013
|
+
"key": "session_max_secret_score",
|
|
1014
|
+
"type": "number",
|
|
1015
|
+
"required": false,
|
|
1016
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
1017
|
+
},
|
|
1018
|
+
{
|
|
1019
|
+
"key": "session_cumulative_risk_score",
|
|
1020
|
+
"type": "number",
|
|
1021
|
+
"required": false,
|
|
1022
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
786
1023
|
}
|
|
787
1024
|
]
|
|
788
1025
|
},
|
|
@@ -843,6 +1080,84 @@
|
|
|
843
1080
|
"type": "string",
|
|
844
1081
|
"required": false,
|
|
845
1082
|
"description": "Type of path traversal detected in the file write path"
|
|
1083
|
+
},
|
|
1084
|
+
{
|
|
1085
|
+
"key": "session_pii_detected",
|
|
1086
|
+
"type": "boolean",
|
|
1087
|
+
"required": false,
|
|
1088
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
1089
|
+
},
|
|
1090
|
+
{
|
|
1091
|
+
"key": "session_pii_types",
|
|
1092
|
+
"type": "array",
|
|
1093
|
+
"required": false,
|
|
1094
|
+
"description": "PII types detected across the session (accumulated)"
|
|
1095
|
+
},
|
|
1096
|
+
{
|
|
1097
|
+
"key": "session_secrets_detected",
|
|
1098
|
+
"type": "boolean",
|
|
1099
|
+
"required": false,
|
|
1100
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
1101
|
+
},
|
|
1102
|
+
{
|
|
1103
|
+
"key": "session_secret_types",
|
|
1104
|
+
"type": "array",
|
|
1105
|
+
"required": false,
|
|
1106
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
1107
|
+
},
|
|
1108
|
+
{
|
|
1109
|
+
"key": "session_injection_detected",
|
|
1110
|
+
"type": "boolean",
|
|
1111
|
+
"required": false,
|
|
1112
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
1113
|
+
},
|
|
1114
|
+
{
|
|
1115
|
+
"key": "session_command_injection",
|
|
1116
|
+
"type": "boolean",
|
|
1117
|
+
"required": false,
|
|
1118
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
1119
|
+
},
|
|
1120
|
+
{
|
|
1121
|
+
"key": "session_threat_turns",
|
|
1122
|
+
"type": "number",
|
|
1123
|
+
"required": false,
|
|
1124
|
+
"description": "Number of turns in the session where threats were detected"
|
|
1125
|
+
},
|
|
1126
|
+
{
|
|
1127
|
+
"key": "session_max_injection_score",
|
|
1128
|
+
"type": "number",
|
|
1129
|
+
"required": false,
|
|
1130
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
1131
|
+
},
|
|
1132
|
+
{
|
|
1133
|
+
"key": "session_max_jailbreak_score",
|
|
1134
|
+
"type": "number",
|
|
1135
|
+
"required": false,
|
|
1136
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
1137
|
+
},
|
|
1138
|
+
{
|
|
1139
|
+
"key": "session_max_command_injection_score",
|
|
1140
|
+
"type": "number",
|
|
1141
|
+
"required": false,
|
|
1142
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
1143
|
+
},
|
|
1144
|
+
{
|
|
1145
|
+
"key": "session_max_pii_score",
|
|
1146
|
+
"type": "number",
|
|
1147
|
+
"required": false,
|
|
1148
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
1149
|
+
},
|
|
1150
|
+
{
|
|
1151
|
+
"key": "session_max_secret_score",
|
|
1152
|
+
"type": "number",
|
|
1153
|
+
"required": false,
|
|
1154
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
1155
|
+
},
|
|
1156
|
+
{
|
|
1157
|
+
"key": "session_cumulative_risk_score",
|
|
1158
|
+
"type": "number",
|
|
1159
|
+
"required": false,
|
|
1160
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
846
1161
|
}
|
|
847
1162
|
]
|
|
848
1163
|
},
|
|
@@ -884,8 +1199,7 @@
|
|
|
884
1199
|
"key": "tool_poisoning_score",
|
|
885
1200
|
"type": "number",
|
|
886
1201
|
"required": false,
|
|
887
|
-
"description": "Confidence score for tool poisoning in MCP server tools (0-100)"
|
|
888
|
-
"range": "0-100"
|
|
1202
|
+
"description": "Confidence score for tool poisoning in MCP server tools (0-100)"
|
|
889
1203
|
},
|
|
890
1204
|
{
|
|
891
1205
|
"key": "tool_poisoning_type",
|
|
@@ -909,8 +1223,7 @@
|
|
|
909
1223
|
"key": "mcp_risk_score",
|
|
910
1224
|
"type": "number",
|
|
911
1225
|
"required": false,
|
|
912
|
-
"description": "Risk score for MCP configuration issues (0-100)"
|
|
913
|
-
"range": "0-100"
|
|
1226
|
+
"description": "Risk score for MCP configuration issues (0-100)"
|
|
914
1227
|
},
|
|
915
1228
|
{
|
|
916
1229
|
"key": "cross_origin_detected",
|
|
@@ -928,10 +1241,87 @@
|
|
|
928
1241
|
"key": "cross_origin_score",
|
|
929
1242
|
"type": "number",
|
|
930
1243
|
"required": false,
|
|
931
|
-
"description": "Risk score for cross-origin escalation in server connection (0-100)"
|
|
932
|
-
|
|
1244
|
+
"description": "Risk score for cross-origin escalation in server connection (0-100)"
|
|
1245
|
+
},
|
|
1246
|
+
{
|
|
1247
|
+
"key": "session_pii_detected",
|
|
1248
|
+
"type": "boolean",
|
|
1249
|
+
"required": false,
|
|
1250
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
1251
|
+
},
|
|
1252
|
+
{
|
|
1253
|
+
"key": "session_pii_types",
|
|
1254
|
+
"type": "array",
|
|
1255
|
+
"required": false,
|
|
1256
|
+
"description": "PII types detected across the session (accumulated)"
|
|
1257
|
+
},
|
|
1258
|
+
{
|
|
1259
|
+
"key": "session_secrets_detected",
|
|
1260
|
+
"type": "boolean",
|
|
1261
|
+
"required": false,
|
|
1262
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
1263
|
+
},
|
|
1264
|
+
{
|
|
1265
|
+
"key": "session_secret_types",
|
|
1266
|
+
"type": "array",
|
|
1267
|
+
"required": false,
|
|
1268
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
1269
|
+
},
|
|
1270
|
+
{
|
|
1271
|
+
"key": "session_injection_detected",
|
|
1272
|
+
"type": "boolean",
|
|
1273
|
+
"required": false,
|
|
1274
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
1275
|
+
},
|
|
1276
|
+
{
|
|
1277
|
+
"key": "session_command_injection",
|
|
1278
|
+
"type": "boolean",
|
|
1279
|
+
"required": false,
|
|
1280
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
1281
|
+
},
|
|
1282
|
+
{
|
|
1283
|
+
"key": "session_threat_turns",
|
|
1284
|
+
"type": "number",
|
|
1285
|
+
"required": false,
|
|
1286
|
+
"description": "Number of turns in the session where threats were detected"
|
|
1287
|
+
},
|
|
1288
|
+
{
|
|
1289
|
+
"key": "session_max_injection_score",
|
|
1290
|
+
"type": "number",
|
|
1291
|
+
"required": false,
|
|
1292
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
1293
|
+
},
|
|
1294
|
+
{
|
|
1295
|
+
"key": "session_max_jailbreak_score",
|
|
1296
|
+
"type": "number",
|
|
1297
|
+
"required": false,
|
|
1298
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
1299
|
+
},
|
|
1300
|
+
{
|
|
1301
|
+
"key": "session_max_command_injection_score",
|
|
1302
|
+
"type": "number",
|
|
1303
|
+
"required": false,
|
|
1304
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
1305
|
+
},
|
|
1306
|
+
{
|
|
1307
|
+
"key": "session_max_pii_score",
|
|
1308
|
+
"type": "number",
|
|
1309
|
+
"required": false,
|
|
1310
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
1311
|
+
},
|
|
1312
|
+
{
|
|
1313
|
+
"key": "session_max_secret_score",
|
|
1314
|
+
"type": "number",
|
|
1315
|
+
"required": false,
|
|
1316
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
1317
|
+
},
|
|
1318
|
+
{
|
|
1319
|
+
"key": "session_cumulative_risk_score",
|
|
1320
|
+
"type": "number",
|
|
1321
|
+
"required": false,
|
|
1322
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
933
1323
|
}
|
|
934
1324
|
]
|
|
935
1325
|
}
|
|
936
1326
|
]
|
|
937
|
-
}
|
|
1327
|
+
}
|