@highflame/policy 2.1.3 → 2.1.5

package/_schemas/guardrails/schema.cedarschema

@@ -96,8 +96,12 @@ namespace Guardrails {
         "detector_count": Long,
 
         // Security - Injection & Jailbreak (optional)
-        "injection_score"?: Long,        // 0-100
-        "jailbreak_score"?: Long,        // 0-100
+        "injection_confidence"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)
+        "jailbreak_confidence"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
+        "jailbreak_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "jailbreak_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
         "injection_type"?: String,       // "prompt" | "sql" | "command" | "none"
 
         // Privacy - Secrets (optional)
@@ -183,6 +187,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -227,7 +237,9 @@ namespace Guardrails {
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
-        "injection_score"?: Long,
+        "injection_confidence"?: Long,
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
 
         // Security - Pattern Detection (optional)
         "command_injection_detected"?: Bool,
@@ -276,6 +288,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -304,6 +322,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -332,6 +356,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -368,6 +398,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 }

package/_schemas/guardrails/templates/defaults/injection.cedar

@@ -5,8 +5,8 @@
 // Uses ML-based confidence scores from normalized context.
 //
 // Context keys used (normalized by projection layer):
-// - injection_score: Long (0-100) - Overall injection confidence
-// - jailbreak_score: Long (0-100) - Jailbreak attempt confidence
+// - injection_confidence: Long (0-100) - Overall injection confidence
+// - jailbreak_confidence: Long (0-100) - Jailbreak attempt confidence
 // - injection_type: String - Type of injection detected
 // - contains_invisible_chars: Bool - Invisible Unicode characters detected
 // - invisible_chars_score: Long (0-100) - Invisible character density
@@ -25,7 +25,7 @@ forbid (
     action,
     resource
 ) when {
-    context has injection_score && context.injection_score > 85
+    context has injection_confidence && context.injection_confidence > 85
 };
 
 @id("jailbreak-block-high-confidence")
@@ -38,7 +38,7 @@ forbid (
     action,
     resource
 ) when {
-    context has jailbreak_score && context.jailbreak_score > 80
+    context has jailbreak_confidence && context.jailbreak_confidence > 80
 };
 
 @id("injection-combined-threshold")
@@ -51,8 +51,8 @@ forbid (
     action,
     resource
 ) when {
-    context has injection_score && context has jailbreak_score &&
-    context.injection_score > 60 && context.jailbreak_score > 60
+    context has injection_confidence && context has jailbreak_confidence &&
+    context.injection_confidence > 60 && context.jailbreak_confidence > 60
 };
 
 @id("injection-invisible-chars")

package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar

@@ -18,7 +18,7 @@ forbid (
     action,
     resource
 ) when {
-    context has injection_score && context.injection_score > 70
+    context has injection_confidence && context.injection_confidence > 70
 };
 
 @id("chat-jailbreak-lower-threshold")
@@ -31,5 +31,5 @@ forbid (
     action,
     resource
 ) when {
-    context has jailbreak_score && context.jailbreak_score > 65
+    context has jailbreak_confidence && context.jailbreak_confidence > 65
 };

package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar

@@ -45,5 +45,5 @@ forbid (
     action,
     resource
 ) when {
-    context has injection_score && context.injection_score > 65
+    context has injection_confidence && context.injection_confidence > 65
 };

package/_schemas/overwatch/context.json

@@ -179,19 +179,121 @@
           "key": "injection_confidence",
           "type": "number",
           "required": true,
-          "description": "Prompt injection ML classifier confidence (0-100)"
+          "description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
         },
         {
           "key": "jailbreak_confidence",
           "type": "number",
           "required": true,
-          "description": "Jailbreak detection ML classifier confidence (0-100)"
+          "description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control"
+        },
+        {
+          "key": "injection_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for prompt injection (0-100). Raw score from Pulse detector before combination with deep-context. Use for per-detector policy control"
+        },
+        {
+          "key": "injection_deep_context_score",
+          "type": "number",
+          "required": false,
+          "description": "DeepContext multi-turn analyzer score for prompt injection (0-100). Tracks injection patterns across conversation history. Generally higher confidence than single-turn"
+        },
+        {
+          "key": "jailbreak_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for jailbreak attempts (0-100). Raw score from Pulse detector before combination with deep-context"
+        },
+        {
+          "key": "jailbreak_deep_context_score",
+          "type": "number",
+          "required": false,
+          "description": "DeepContext multi-turn analyzer score for jailbreak attempts (0-100). Detects jailbreak escalation patterns across conversation turns"
         },
         {
           "key": "indirect_injection_score",
           "type": "number",
           "required": true,
           "description": "Indirect prompt injection risk score (0-100) — injection via tool outputs or retrieved content"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -389,13 +491,37 @@
           "key": "injection_confidence",
           "type": "number",
           "required": false,
-          "description": "Prompt injection ML classifier confidence (0-100)"
+          "description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
         },
         {
           "key": "jailbreak_confidence",
           "type": "number",
           "required": false,
-          "description": "Jailbreak detection ML classifier confidence (0-100)"
+          "description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control"
+        },
+        {
+          "key": "injection_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context"
+        },
+        {
+          "key": "injection_deep_context_score",
+          "type": "number",
+          "required": false,
+          "description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history"
+        },
+        {
+          "key": "jailbreak_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for jailbreak in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context"
+        },
+        {
+          "key": "jailbreak_deep_context_score",
+          "type": "number",
+          "required": false,
+          "description": "DeepContext multi-turn analyzer score for jailbreak in tool arguments (0-100). Detects jailbreak escalation patterns across tool call turns"
         },
         {
           "key": "tool_poisoning_score",
@@ -492,6 +618,84 @@
           "type": "boolean",
           "required": false,
           "description": "Whether the MCP server is from a verified registry"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -606,6 +810,84 @@
           "type": "number",
           "required": false,
           "description": "MCP configuration risk severity score (0-100)"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -720,6 +1002,84 @@
           "type": "number",
           "required": false,
           "description": "Number of PII pattern matches in file"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -840,8 +1200,86 @@
           "type": "boolean",
           "required": false,
           "description": "Whether invisible Unicode characters were detected in content being written"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     }
   ]
-}
+}