@highflame/policy 2.1.35 → 2.1.37

  1. package/_schemas/ai_gateway/context.json +431 -11
  2. package/_schemas/ai_gateway/schema.cedarschema +91 -11
  3. package/_schemas/ai_gateway/templates/defaults/agent_security.cedar +66 -43
  4. package/_schemas/ai_gateway/templates/defaults/baseline.cedar +9 -11
  5. package/_schemas/ai_gateway/templates/defaults/semantic.cedar +63 -40
  6. package/_schemas/ai_gateway/templates/defaults/tools.cedar +48 -36
  7. package/_schemas/ai_gateway/templates/llm_default_allow.cedar +9 -10
  8. package/_schemas/ai_gateway/templates/mcp_server_allowlist.cedar +22 -14
  9. package/_schemas/ai_gateway/templates/mcp_tool_permissions.cedar +29 -27
  10. package/_schemas/ai_gateway/templates/pii_redaction.cedar +38 -33
  11. package/_schemas/ai_gateway/templates/templates.json +52 -50
  12. package/_schemas/guardrails/context.json +12 -12
  13. package/_schemas/guardrails/schema.cedarschema +12 -12
  14. package/_schemas/guardrails/templates/defaults/agent_identity.cedar +60 -56
  15. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +83 -58
  16. package/_schemas/guardrails/templates/defaults/baseline.cedar +9 -12
  17. package/_schemas/guardrails/templates/defaults/injection.cedar +48 -36
  18. package/_schemas/guardrails/templates/defaults/pii.cedar +27 -20
  19. package/_schemas/guardrails/templates/defaults/secrets.cedar +39 -22
  20. package/_schemas/guardrails/templates/defaults/security_patterns.cedar +38 -25
  21. package/_schemas/guardrails/templates/defaults/semantic.cedar +47 -31
  22. package/_schemas/guardrails/templates/defaults/tool_risk.cedar +34 -26
  23. package/_schemas/guardrails/templates/defaults/toxicity.cedar +57 -47
  24. package/_schemas/guardrails/templates/mcp_tool_permissions.cedar +60 -43
  25. package/_schemas/guardrails/templates/profiles/a2a_security/cross_origin.cedar +29 -42
  26. package/_schemas/guardrails/templates/profiles/a2a_security/escalation_detection.cedar +43 -57
  27. package/_schemas/guardrails/templates/profiles/a2a_security/identity_enforcement.cedar +40 -57
  28. package/_schemas/guardrails/templates/profiles/a2a_security/inter_agent_injection.cedar +48 -62
  29. package/_schemas/guardrails/templates/profiles/a2a_security/supply_chain.cedar +40 -56
  30. package/_schemas/guardrails/templates/profiles/advanced_detection/pii.cedar +24 -34
  31. package/_schemas/guardrails/templates/profiles/advanced_detection/secrets.cedar +45 -37
  32. package/_schemas/guardrails/templates/profiles/advanced_detection/threat_severity.cedar +11 -16
  33. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +22 -9
  34. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +27 -15
  35. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +37 -22
  36. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +68 -47
  37. package/_schemas/guardrails/templates/profiles/code_agent/encoding.cedar +17 -21
  38. package/_schemas/guardrails/templates/profiles/code_agent/path_security.cedar +74 -73
  39. package/_schemas/guardrails/templates/profiles/code_agent/security.cedar +13 -9
  40. package/_schemas/guardrails/templates/profiles/code_agent/supply_chain.cedar +36 -58
  41. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +22 -15
  42. package/_schemas/guardrails/templates/profiles/data_pipeline/data_protection.cedar +52 -0
  43. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +41 -18
  44. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +18 -36
  45. package/_schemas/guardrails/templates/profiles/multi_agent/agent_safety.cedar +86 -79
  46. package/_schemas/guardrails/templates/profiles/multi_agent/agent_trust.cedar +73 -70
  47. package/_schemas/guardrails/templates/templates.json +198 -217
  48. package/_schemas/overwatch/context.json +14 -14
  49. package/_schemas/overwatch/schema.cedarschema +12 -12
  50. package/_schemas/sentry/context.json +11 -11
  51. package/_schemas/sentry/schema.cedarschema +11 -11
  52. package/_schemas/sentry/templates/defaults/baseline.cedar +8 -12
  53. package/_schemas/sentry/templates/defaults/clipboard.cedar +43 -42
  54. package/_schemas/sentry/templates/defaults/content_safety.cedar +38 -68
  55. package/_schemas/sentry/templates/defaults/file_safety.cedar +18 -26
  56. package/_schemas/sentry/templates/defaults/organization.cedar +10 -17
  57. package/_schemas/sentry/templates/defaults/pii.cedar +52 -73
  58. package/_schemas/sentry/templates/defaults/secrets.cedar +65 -58
  59. package/_schemas/sentry/templates/defaults/semantic.cedar +40 -59
  60. package/_schemas/sentry/templates/templates.json +53 -43
  61. package/dist/ai_gateway-context.gen.d.ts +18 -4
  62. package/dist/ai_gateway-context.gen.js +18 -4
  63. package/dist/ai_gateway-defaults.gen.d.ts +4 -1
  64. package/dist/ai_gateway-defaults.gen.js +398 -320
  65. package/dist/builder.d.ts +2 -1
  66. package/dist/builder.js +5 -2
  67. package/dist/guardrails-context.gen.d.ts +5 -5
  68. package/dist/guardrails-context.gen.js +5 -5
  69. package/dist/guardrails-defaults.gen.d.ts +4 -1
  70. package/dist/guardrails-defaults.gen.js +2130 -1903
  71. package/dist/overwatch-context.gen.d.ts +5 -5
  72. package/dist/overwatch-context.gen.js +5 -5
  73. package/dist/overwatch-defaults.gen.d.ts +4 -1
  74. package/dist/overwatch-defaults.gen.js +560 -566
  75. package/dist/sentry-context.gen.d.ts +3 -3
  76. package/dist/sentry-context.gen.js +3 -3
  77. package/dist/sentry-defaults.gen.d.ts +4 -1
  78. package/dist/sentry-defaults.gen.js +392 -453
  79. package/dist/service-schemas.gen.d.ts +4 -4
  80. package/dist/service-schemas.gen.js +249 -99
  81. package/package.json +1 -1
@@ -1,378 +1,359 @@
1
1
  {
2
2
  "service": "guardrails",
3
- "version": "1.0.0",
3
+ "version": "2.0.0",
4
4
  "description": "Guardrails policy templates for LLM application security",
5
5
  "categories": [
6
6
  {
7
7
  "id": "security",
8
8
  "name": "Security",
9
- "description": "Detect and block prompt injection, jailbreak attempts, and credential leakage"
9
+ "description": "Block prompt injection, jailbreak attempts, command injection, path traversal, and SQL injection."
10
10
  },
11
11
  {
12
12
  "id": "privacy",
13
13
  "name": "Privacy",
14
- "description": "Detect and block personally identifiable information (PII) in prompts and responses"
14
+ "description": "Block personally identifiable information (PII) in prompts and responses."
15
15
  },
16
16
  {
17
- "id": "trust_safety",
17
+ "id": "data-protection",
18
+ "name": "Data Protection",
19
+ "description": "Block secrets, API keys, tokens, and bulk credential exposure."
20
+ },
21
+ {
22
+ "id": "trust-safety",
18
23
  "name": "Trust & Safety",
19
- "description": "Detect and block toxic, violent, hateful, sexual, or profane content"
24
+ "description": "Block toxic, violent, hateful, sexual, or profane content; restrict regulated topics."
25
+ },
26
+ {
27
+ "id": "tools",
28
+ "name": "Tools",
29
+ "description": "Per-tool MCP access control, org-wide server exclusions, unverified server blocks."
20
30
  },
21
31
  {
22
- "id": "agentic_security",
23
- "name": "Agentic Security",
24
- "description": "Detect tool abuse, data exfiltration patterns, infinite loops, and budget violations"
32
+ "id": "agent-security",
33
+ "name": "Agent Security",
34
+ "description": "Block tool abuse, exfiltration patterns, loops, budget violations, tool poisoning, rug pull, and risky MCP configs."
25
35
  },
26
36
  {
27
- "id": "agent_identity",
28
- "name": "Agent-to-Agent Security",
29
- "description": "Trust-based access control for AI agents — tiered permissions by trust level, agent type restrictions, cross-turn session lockdowns for multi-agent orchestration"
37
+ "id": "agent-identity",
38
+ "name": "Agent Identity",
39
+ "description": "Trust-based access control for AI agents — tiered permissions by trust level, autonomous agent restrictions, cross-turn session lockdowns."
30
40
  },
31
41
  {
32
42
  "id": "organization",
33
43
  "name": "Organization",
34
- "description": "Organization-wide baselines and default permit/deny policies"
44
+ "description": "Organization-wide baselines and default permit/deny policies."
35
45
  }
36
46
  ],
37
47
  "defaults": [
38
48
  {
39
- "id": "baseline-default",
49
+ "id": "organization.permit-baseline",
40
50
  "name": "Baseline Permit",
41
- "description": "Permits all actions by default threat-specific forbid policies override this when threats are detected",
51
+ "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
42
52
  "category": "organization",
43
53
  "file": "defaults/baseline.cedar",
44
54
  "severity": "low",
45
- "tags": ["baseline", "permit-default", "organization"],
55
+ "tags": ["category:organization", "posture:permit-default"],
46
56
  "is_active": true
57
+ }
58
+ ],
59
+ "templates": [
60
+ {
61
+ "id": "organization.permit-baseline",
62
+ "name": "Baseline Permit",
63
+ "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
64
+ "category": "organization",
65
+ "file": "defaults/baseline.cedar",
66
+ "severity": "low",
67
+ "tags": ["category:organization", "posture:permit-default"],
68
+ "auto_deploy": true
47
69
  },
48
70
  {
49
- "id": "secrets-default",
71
+ "id": "data-protection.defaults",
50
72
  "name": "Secrets Detection",
51
- "description": "Block content containing API keys, tokens, credentials, or other secrets",
52
- "category": "security",
73
+ "description": "Block content containing API keys, tokens, credentials, or other secrets across prompts, tool calls, and file operations.",
74
+ "category": "data-protection",
53
75
  "file": "defaults/secrets.cedar",
54
76
  "severity": "critical",
55
- "tags": ["secrets", "api-keys", "credentials", "data-leak"],
56
- "is_active": true
77
+ "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
57
78
  },
58
79
  {
59
- "id": "injection-default",
80
+ "id": "security.injection",
60
81
  "name": "Injection & Jailbreak Detection",
61
- "description": "Block prompt injection, jailbreak attempts, and command injection using ML confidence scores",
82
+ "description": "Block prompt injection and jailbreak attempts using ML classifier confidence plus invisible-character defence.",
62
83
  "category": "security",
63
84
  "file": "defaults/injection.cedar",
64
85
  "severity": "high",
65
- "tags": ["injection", "jailbreak", "security"],
66
- "is_active": true
86
+ "tags": ["category:security", "threat:injection", "threat:jailbreak", "detection:ml", "owasp:llm01", "owasp:llm02"]
67
87
  },
68
88
  {
69
- "id": "pii-default",
89
+ "id": "privacy.defaults",
70
90
  "name": "PII Detection",
71
- "description": "Block content containing PII such as SSN, credit cards, or passport numbers in outputs",
91
+ "description": "Block LLM outputs containing PII, with a stricter rule for SSN, credit card, and passport numbers.",
72
92
  "category": "privacy",
73
93
  "file": "defaults/pii.cedar",
74
- "severity": "high",
75
- "tags": ["pii", "privacy", "data-protection"],
76
- "is_active": true
94
+ "severity": "critical",
95
+ "tags": ["category:privacy", "threat:pii", "compliance:gdpr", "compliance:hipaa", "compliance:pci-dss"]
77
96
  },
78
97
  {
79
- "id": "toxicity-default",
98
+ "id": "trust-safety.toxicity",
80
99
  "name": "Toxicity & Content Moderation",
81
- "description": "Block toxic, violent, hateful, sexual, and profane content based on classifier scores",
82
- "category": "trust_safety",
100
+ "description": "Block toxic, violent, hateful, sexual, and profane content using classifier scores with a combined-toxicity catch-all.",
101
+ "category": "trust-safety",
83
102
  "file": "defaults/toxicity.cedar",
84
103
  "severity": "critical",
85
- "tags": ["toxicity", "trust-safety", "content-moderation"],
86
- "is_active": true
104
+ "tags": ["category:trust-safety", "threat:harmful", "threat:hate-speech", "detection:ml", "compliance:eu-ai-act"]
87
105
  },
88
106
  {
89
- "id": "tool-risk-default",
107
+ "id": "agent-security.tool-risk",
90
108
  "name": "Tool Risk",
91
- "description": "Block dangerous tool calls, shell execution, and sensitive tool usage based on risk scoring",
92
- "category": "agentic_security",
109
+ "description": "Block dangerous tool calls, shell execution, and sensitive tools with elevated risk scores.",
110
+ "category": "agent-security",
93
111
  "file": "defaults/tool_risk.cedar",
94
112
  "severity": "critical",
95
- "tags": ["tools", "agentic", "security"],
96
- "is_active": true
113
+ "tags": ["category:agent-security", "threat:command-injection", "owasp:llm06", "owasp:asi02"]
97
114
  },
98
115
  {
99
- "id": "agentic-safety-default",
116
+ "id": "agent-security.defaults",
100
117
  "name": "Agentic Safety",
101
- "description": "Block tool call loops, data exfiltration patterns, high-risk sequences, budget violations, tool poisoning, rug pull attacks, and MCP configuration risks",
102
- "category": "agentic_security",
118
+ "description": "Block tool-call loops, exfiltration patterns, budget violations, tool poisoning, rug pull, and MCP configuration risks.",
119
+ "category": "agent-security",
103
120
  "file": "defaults/agentic_safety.cedar",
104
- "severity": "high",
105
- "tags": ["agentic", "safety", "loops", "exfiltration", "budget", "tool-poisoning", "rug-pull", "mcp-risk"],
106
- "is_active": true
121
+ "severity": "critical",
122
+ "tags": ["category:agent-security", "threat:loop", "threat:exfiltration", "threat:tool-poisoning", "threat:rug-pull", "owasp:asi01", "owasp:asi04"]
107
123
  },
108
124
  {
109
- "id": "security-patterns-default",
125
+ "id": "security.patterns",
110
126
  "name": "Security Pattern Detection",
111
- "description": "Block command injection, path traversal, and SQL injection attacks using regex-based pattern detection",
127
+ "description": "Block command injection, path traversal, and SQL injection using regex-based pattern detection.",
112
128
  "category": "security",
113
129
  "file": "defaults/security_patterns.cedar",
114
130
  "severity": "critical",
115
- "tags": ["command-injection", "path-traversal", "sql-injection", "security"],
116
- "is_active": true
117
- }
118
- ],
119
- "templates": [
131
+ "tags": ["category:security", "threat:command-injection", "threat:sql-injection", "threat:path-traversal", "detection:pattern", "mitre:t1059"]
132
+ },
120
133
  {
121
- "id": "agent-identity-trust",
134
+ "id": "trust-safety.semantic",
135
+ "name": "Semantic Topic Enforcement",
136
+ "description": "Block content classified into dangerous topics (weapons, controlled substances, illegal activity).",
137
+ "category": "trust-safety",
138
+ "file": "defaults/semantic.cedar",
139
+ "severity": "critical",
140
+ "tags": ["category:trust-safety", "threat:harmful", "detection:ml", "compliance:eu-ai-act", "compliance:iso-42001"]
141
+ },
142
+ {
143
+ "id": "agent-identity.defaults",
122
144
  "name": "Agent Identity & Trust",
123
- "description": "Trust-based access control for AI agents: block unverified agents from dangerous/sensitive tools, apply stricter thresholds for autonomous agents, restrict unverified agents after session threats",
124
- "category": "agent_identity",
145
+ "description": "Trust-based access control: block unverified agents from dangerous/sensitive tools, stricter thresholds for autonomous agents, cross-turn lockdown after session threats.",
146
+ "category": "agent-identity",
125
147
  "file": "defaults/agent_identity.cedar",
126
148
  "severity": "critical",
127
- "tags": ["agent-identity", "trust", "a2a", "autonomous", "cross-turn"]
149
+ "tags": ["category:agent-identity", "scope:per-agent", "owasp:llm01"]
128
150
  },
129
151
  {
130
- "id": "mcp-tool-permissions",
152
+ "id": "tools.mcp-tool-permissions",
131
153
  "name": "MCP Tool Permissions",
132
- "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
133
- "category": "agentic_security",
154
+ "description": "Per-tool MCP access control: example GitHub read/write split, org-wide exclusion list, unverified server block.",
155
+ "category": "tools",
134
156
  "file": "mcp_tool_permissions.cedar",
135
- "severity": "high",
136
- "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
157
+ "severity": "critical",
158
+ "tags": ["category:tools", "threat:supply-chain", "posture:deny-default"]
137
159
  },
138
160
  {
139
- "id": "chat-assistant-security",
161
+ "id": "security.chat-assistant",
140
162
  "name": "Chat Assistant — Security",
141
- "description": "Aggressive injection and jailbreak defense for customer-facing chatbots with lower thresholds",
163
+ "description": "Aggressive injection and jailbreak defence for customer-facing chatbots (lower thresholds than defaults).",
142
164
  "category": "security",
143
165
  "file": "profiles/chat_assistant/security.cedar",
144
166
  "severity": "high",
145
- "tags": ["profile", "chat-assistant", "injection", "jailbreak", "security"]
167
+ "tags": ["category:security", "threat:injection", "threat:jailbreak", "detection:ml"]
146
168
  },
147
169
  {
148
- "id": "chat-assistant-privacy",
170
+ "id": "privacy.chat-block-pii",
149
171
  "name": "Chat Assistant — Privacy",
150
- "description": "Block PII in both user inputs and assistant outputs for chat applications",
172
+ "description": "Block PII in both user inputs and assistant outputs for chat applications.",
151
173
  "category": "privacy",
152
174
  "file": "profiles/chat_assistant/privacy.cedar",
153
175
  "severity": "high",
154
- "tags": ["profile", "chat-assistant", "pii", "privacy"]
176
+ "tags": ["category:privacy", "threat:pii", "compliance:gdpr"]
155
177
  },
156
178
  {
157
- "id": "chat-assistant-trust-safety",
179
+ "id": "trust-safety.chat-assistant",
158
180
  "name": "Chat Assistant — Trust & Safety",
159
- "description": "Strict content moderation with lower toxicity thresholds and topic restrictions for public-facing chat",
160
- "category": "trust_safety",
181
+ "description": "Strict content moderation and topic restrictions for public-facing chat (lower toxicity thresholds).",
182
+ "category": "trust-safety",
161
183
  "file": "profiles/chat_assistant/trust_safety.cedar",
162
184
  "severity": "critical",
163
- "tags": ["profile", "chat-assistant", "toxicity", "trust-safety", "topics"]
185
+ "tags": ["category:trust-safety", "threat:harmful", "compliance:eu-ai-act"]
164
186
  },
165
187
  {
166
- "id": "code-agent-agentic-security",
167
- "name": "Code Agent — Agentic Security",
168
- "description": "Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants",
169
- "category": "agentic_security",
170
- "file": "profiles/code_agent/agentic_security.cedar",
171
- "severity": "high",
172
- "tags": ["profile", "code-agent", "tools", "agentic", "exfiltration", "budget"]
173
- },
174
- {
175
- "id": "code-agent-security",
176
- "name": "Code Agent — Security",
177
- "description": "Prevent code agents from writing detected secrets to output files",
178
- "category": "security",
188
+ "id": "data-protection.code-block-write-secrets",
189
+ "name": "Code Agent — Secrets Protection",
190
+ "description": "Prevent code agents from writing detected secrets to output files.",
191
+ "category": "data-protection",
179
192
  "file": "profiles/code_agent/security.cedar",
180
193
  "severity": "critical",
181
- "tags": ["profile", "code-agent", "secrets", "security"]
194
+ "tags": ["category:data-protection", "threat:secrets"]
182
195
  },
183
196
  {
184
- "id": "data-pipeline-privacy",
185
- "name": "Data PipelinePrivacy",
186
- "description": "Strict PII protection with zero-tolerance for sensitive PII types in data pipelines",
187
- "category": "privacy",
188
- "file": "profiles/data_pipeline/privacy.cedar",
197
+ "id": "security.code-agent-encoding",
198
+ "name": "Code AgentEncoding Attacks",
199
+ "description": "Block invisible Unicode characters in tool arguments and file writes for coding agents.",
200
+ "category": "security",
201
+ "file": "profiles/code_agent/encoding.cedar",
189
202
  "severity": "critical",
190
- "tags": ["profile", "data-pipeline", "pii", "privacy", "compliance"]
203
+ "tags": ["category:security", "threat:invisible-chars", "threat:injection"]
191
204
  },
192
205
  {
193
- "id": "data-pipeline-security",
194
- "name": "Data Pipeline — Security",
195
- "description": "Strict secrets detection and lower injection thresholds for RAG and data processing pipelines",
206
+ "id": "security.code-agent-path-security",
207
+ "name": "Code AgentPath Security",
208
+ "description": "Block .env files, credential files, system directories, key material, and destructive file operations for coding agents.",
196
209
  "category": "security",
197
- "file": "profiles/data_pipeline/security.cedar",
210
+ "file": "profiles/code_agent/path_security.cedar",
198
211
  "severity": "critical",
199
- "tags": ["profile", "data-pipeline", "secrets", "injection", "security"]
212
+ "tags": ["category:security", "threat:secrets", "threat:path-traversal"]
200
213
  },
201
214
  {
202
- "id": "data-pipeline-agentic-security",
203
- "name": "Data Pipeline — Agentic Security",
204
- "description": "Exfiltration prevention and tool risk controls for data processing pipelines",
205
- "category": "agentic_security",
206
- "file": "profiles/data_pipeline/agentic_security.cedar",
215
+ "id": "agent-security.code-agent",
216
+ "name": "Code Agent — Agentic Security",
217
+ "description": "Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants.",
218
+ "category": "agent-security",
219
+ "file": "profiles/code_agent/agentic_security.cedar",
207
220
  "severity": "critical",
208
- "tags": ["profile", "data-pipeline", "exfiltration", "tools"]
221
+ "tags": ["category:agent-security", "threat:exfiltration", "threat:loop", "owasp:llm06"]
209
222
  },
210
223
  {
211
- "id": "multi-agent-trust",
212
- "name": "Multi-Agent Orchestration Agent Trust",
213
- "description": "Tiered trust policies for multi-agent systems: only first-party agents can use dangerous tools, unverified agents restricted to safe tools, autonomous agents have lower risk ceilings, MCP server connection trust enforcement",
214
- "category": "agent_identity",
215
- "file": "profiles/multi_agent/agent_trust.cedar",
224
+ "id": "agent-security.code-agent-supply-chain",
225
+ "name": "Code Agent — Supply Chain",
226
+ "description": "Block MCP server poisoning, indirect prompt injection, credential theft chains, and destructive sequences for coding agents.",
227
+ "category": "agent-security",
228
+ "file": "profiles/code_agent/supply_chain.cedar",
216
229
  "severity": "critical",
217
- "tags": ["profile", "multi-agent", "trust", "a2a", "autonomous", "mcp"]
230
+ "tags": ["category:agent-security", "threat:tool-poisoning", "threat:indirect-injection", "threat:exfiltration", "owasp:asi01", "owasp:asi04"]
218
231
  },
219
232
  {
220
- "id": "multi-agent-safety",
221
- "name": "Multi-Agent OrchestrationCross-Turn Safety",
222
- "description": "Session-aware agent safety policies: PII containment across agents, secrets lockdown, injection escalation response, cumulative risk circuit breakers for multi-agent sessions",
223
- "category": "agent_identity",
224
- "file": "profiles/multi_agent/agent_safety.cedar",
233
+ "id": "privacy.data-pipeline",
234
+ "name": "Data PipelinePrivacy",
235
+ "description": "Strict PII protection with zero tolerance for sensitive PII types in data pipelines.",
236
+ "category": "privacy",
237
+ "file": "profiles/data_pipeline/privacy.cedar",
225
238
  "severity": "critical",
226
- "tags": ["profile", "multi-agent", "cross-turn", "a2a", "pii", "secrets", "injection", "circuit-breaker"]
227
- },
228
- {
229
- "id": "code-agent-path-security",
230
- "name": "Code Agent — Path Security",
231
- "description": "Block access to .env files, credential files, system directories, credential directories, and destructive file operations for coding agents",
232
- "category": "security",
233
- "file": "profiles/code_agent/path_security.cedar",
234
- "severity": "high",
235
- "tags": ["profile", "code-agent", "path-security", "credentials", "system-paths"]
239
+ "tags": ["category:privacy", "threat:pii", "compliance:gdpr", "compliance:hipaa"]
236
240
  },
237
241
  {
238
- "id": "code-agent-supply-chain",
239
- "name": "Code AgentSupply Chain Security",
240
- "description": "Block MCP server poisoning, indirect prompt injection from tool outputs, credential theft patterns, and destructive operation sequences for coding agents",
241
- "category": "agentic_security",
242
- "file": "profiles/code_agent/supply_chain.cedar",
242
+ "id": "data-protection.data-pipeline",
243
+ "name": "Data PipelineSecrets",
244
+ "description": "Strict secrets detection for data pipelines and zero-tolerance secret writes.",
245
+ "category": "data-protection",
246
+ "file": "profiles/data_pipeline/data_protection.cedar",
243
247
  "severity": "critical",
244
- "tags": ["profile", "code-agent", "supply-chain", "tool-poisoning", "indirect-injection"]
248
+ "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
245
249
  },
246
250
  {
247
- "id": "code-agent-encoding",
248
- "name": "Code AgentEncoding Attacks",
249
- "description": "Block invisible Unicode characters in tool arguments and file writes to prevent encoding-based prompt injection for coding agents",
251
+ "id": "security.data-pipeline-block-injection",
252
+ "name": "Data PipelineInjection Defence",
253
+ "description": "Lower injection threshold for RAG and data processing pipelines.",
250
254
  "category": "security",
251
- "file": "profiles/code_agent/encoding.cedar",
255
+ "file": "profiles/data_pipeline/security.cedar",
252
256
  "severity": "high",
253
- "tags": ["profile", "code-agent", "encoding", "unicode", "invisible-chars"]
257
+ "tags": ["category:security", "threat:injection", "owasp:llm01"]
254
258
  },
255
259
  {
256
- "id": "advanced-detection-secrets",
257
- "name": "Advanced DetectionGranular Secrets",
258
- "description": "Granular secret type blocking for high-risk credentials (cloud provider keys, GitHub tokens, SSH keys, database URLs) and API keys/tokens",
259
- "category": "security",
260
- "file": "profiles/advanced_detection/secrets.cedar",
260
+ "id": "agent-security.data-pipeline",
261
+ "name": "Data PipelineAgentic Security",
262
+ "description": "Exfiltration prevention and tool risk controls for data processing pipelines.",
263
+ "category": "agent-security",
264
+ "file": "profiles/data_pipeline/agentic_security.cedar",
261
265
  "severity": "critical",
262
- "tags": ["profile", "advanced-detection", "secrets", "credentials", "cloud-keys"]
266
+ "tags": ["category:agent-security", "threat:exfiltration"]
263
267
  },
264
268
  {
265
- "id": "advanced-detection-pii",
266
- "name": "Advanced DetectionPII",
267
- "description": "Bulk PII exposure blocking, high-confidence ML PII detection, and PII in file operations for advanced threat detection",
268
- "category": "privacy",
269
- "file": "profiles/advanced_detection/pii.cedar",
269
+ "id": "agent-identity.multi-agent-trust",
270
+ "name": "Multi-Agent OrchestrationAgent Trust",
271
+ "description": "Tiered trust access control: only first-party agents can use dangerous tools, unverified restricted to safe tools, lower risk ceilings for autonomous agents.",
272
+ "category": "agent-identity",
273
+ "file": "profiles/multi_agent/agent_trust.cedar",
270
274
  "severity": "critical",
271
- "tags": ["profile", "advanced-detection", "pii", "privacy", "ml-classifier"]
275
+ "tags": ["category:agent-identity", "scope:per-agent", "owasp:llm01", "owasp:llm02"]
272
276
  },
273
277
  {
274
- "id": "advanced-detection-threat-severity",
275
- "name": "Advanced DetectionThreat Severity",
276
- "description": "Block any content flagged with critical severity by detection engines as a catch-all safety net",
277
- "category": "security",
278
- "file": "profiles/advanced_detection/threat_severity.cedar",
278
+ "id": "agent-identity.multi-agent-safety",
279
+ "name": "Multi-Agent OrchestrationCross-Turn Safety",
280
+ "description": "Session-aware policies: PII/secrets containment, injection lockdown, cumulative risk circuit breakers for multi-agent sessions.",
281
+ "category": "agent-identity",
282
+ "file": "profiles/multi_agent/agent_safety.cedar",
279
283
  "severity": "critical",
280
- "tags": ["profile", "advanced-detection", "severity", "critical", "catch-all"]
284
+ "tags": ["category:agent-identity", "scope:per-agent", "threat:pii", "threat:secrets", "threat:injection"]
281
285
  },
282
286
  {
283
- "id": "a2a-cross-origin",
284
- "name": "A2A Security — Cross-Origin Trust Boundaries",
285
- "description": "Block confused deputy attacks and trust boundary violations from cross-system agent communication — critical cross-origin blocking, unverified agent restrictions, sensitive tool protection",
286
- "category": "agent_identity",
287
+ "id": "agent-identity.a2a-cross-origin",
288
+ "name": "A2A Security — Cross-Origin Trust",
289
+ "description": "Block confused-deputy attacks and trust-boundary violations from cross-system agent communication.",
290
+ "category": "agent-identity",
287
291
  "file": "profiles/a2a_security/cross_origin.cedar",
288
292
  "severity": "critical",
289
- "tags": ["profile", "a2a-security", "cross-origin", "confused-deputy", "trust-boundary"]
293
+ "tags": ["category:agent-identity", "threat:supply-chain", "owasp:llm08", "owasp:asi03"]
290
294
  },
291
295
  {
292
- "id": "a2a-inter-agent-injection",
293
- "name": "A2A Security — Inter-Agent Injection Defense",
294
- "description": "Block indirect prompt injection via tool outputs, multi-turn progressive attacks using deep context models, and encoded payload delivery between independent agents",
295
- "category": "agent_identity",
296
+ "id": "agent-identity.a2a-inter-agent-injection",
297
+ "name": "A2A Security — Inter-Agent Injection Defence",
298
+ "description": "Block indirect injection via tool outputs, multi-turn progressive attacks via deep-context detection, and encoded payload delivery between agents.",
299
+ "category": "agent-identity",
296
300
  "file": "profiles/a2a_security/inter_agent_injection.cedar",
297
301
  "severity": "critical",
298
- "tags": ["profile", "a2a-security", "indirect-injection", "multi-turn", "encoded-injection", "deep-context"]
302
+ "tags": ["category:agent-identity", "threat:indirect-injection", "threat:encoded-payload", "owasp:llm01"]
299
303
  },
300
304
  {
301
- "id": "a2a-supply-chain",
302
- "name": "A2A Security — Supply Chain & Behavioral Drift",
303
- "description": "Block tool poisoning from external agent ecosystems, rug pull behavioral drift, and credential theft chains initiated by compromised agents",
304
- "category": "agent_identity",
305
+ "id": "agent-identity.a2a-supply-chain",
306
+ "name": "A2A Security — Supply Chain & Behavioural Drift",
307
+ "description": "Block tool poisoning from external agent ecosystems, rug pull behavioural drift, and credential theft chains.",
308
+ "category": "agent-identity",
305
309
  "file": "profiles/a2a_security/supply_chain.cedar",
306
310
  "severity": "critical",
307
- "tags": ["profile", "a2a-security", "supply-chain", "tool-poisoning", "rug-pull", "credential-theft"]
311
+ "tags": ["category:agent-identity", "threat:tool-poisoning", "threat:rug-pull", "threat:exfiltration", "owasp:asi04"]
308
312
  },
309
313
  {
310
- "id": "a2a-identity-enforcement",
314
+ "id": "agent-identity.a2a-identity-enforcement",
311
315
  "name": "A2A Security — Agent Identity Enforcement",
312
- "description": "Enforce strict identity requirements for cross-system agents block anonymous agents, require framework registration, prevent unverified autonomous agents",
313
- "category": "agent_identity",
316
+ "description": "Enforce strict identity requirements for cross-system agents: block anonymous, require framework registration, prevent unverified autonomous.",
317
+ "category": "agent-identity",
314
318
  "file": "profiles/a2a_security/identity_enforcement.cedar",
315
319
  "severity": "critical",
316
- "tags": ["profile", "a2a-security", "identity", "spoofing", "framework", "autonomous"]
320
+ "tags": ["category:agent-identity", "threat:spoofing", "scope:per-agent", "owasp:asi04"]
317
321
  },
318
322
  {
319
- "id": "a2a-escalation-detection",
320
- "name": "A2A Security — Escalation Detection & Circuit Breakers",
321
- "description": "Detect progressive capability escalation across turns with session peak score monitoring and cumulative risk circuit breakers tuned for adversarial A2A communication",
322
- "category": "agent_identity",
323
+ "id": "agent-identity.a2a-escalation",
324
+ "name": "A2A Security — Escalation Detection",
325
+ "description": "Detect progressive capability escalation across turns with session peak monitoring and cumulative risk circuit breakers.",
326
+ "category": "agent-identity",
323
327
  "file": "profiles/a2a_security/escalation_detection.cedar",
324
328
  "severity": "critical",
325
- "tags": ["profile", "a2a-security", "escalation", "circuit-breaker", "session-peak", "cumulative-risk"]
326
- }
327
- ],
328
- "profiles": [
329
- {
330
- "id": "chat-assistant",
331
- "name": "Chat Assistant",
332
- "description": "Optimized for customer-facing chatbots — strict toxicity, PII blocking, aggressive injection defense, topic restrictions",
333
- "severity": "high",
334
- "tags": ["chat-assistant", "toxicity", "pii", "injection"],
335
- "template_ids": ["chat-assistant-security", "chat-assistant-privacy", "chat-assistant-trust-safety"]
329
+ "tags": ["category:agent-identity", "threat:escalation", "scope:per-agent", "owasp:llm01"]
336
330
  },
337
331
  {
338
- "id": "code-agent",
339
- "name": "Code Agent",
340
- "description": "Optimized for coding assistants — tool risk controls, shell blocking, loop detection, exfiltration prevention, budget enforcement, path security, supply chain defense, and encoding attack protection",
341
- "severity": "high",
342
- "tags": ["code-agent", "tools", "agentic", "exfiltration", "path-security", "supply-chain", "encoding"],
343
- "template_ids": ["code-agent-agentic-security", "code-agent-security", "code-agent-path-security", "code-agent-supply-chain", "code-agent-encoding"]
344
- },
345
- {
346
- "id": "data-pipeline",
347
- "name": "Data Pipeline",
348
- "description": "Optimized for RAG and data processing — strict PII/secrets protection, exfiltration detection, pipeline injection defense",
349
- "severity": "critical",
350
- "tags": ["data-pipeline", "pii", "secrets", "exfiltration"],
351
- "template_ids": ["data-pipeline-privacy", "data-pipeline-security", "data-pipeline-agentic-security"]
352
- },
353
- {
354
- "id": "multi-agent",
355
- "name": "Multi-Agent Orchestration (MAS)",
356
- "description": "Production-grade guardrails for multi-agent systems with shared orchestration — tiered trust access control, autonomous agent safeguards, cross-turn PII/secrets containment, injection escalation response, cumulative risk circuit breakers. For independent agent-to-agent communication across separate trust domains, use the A2A Security profile",
332
+ "id": "data-protection.advanced-secrets",
333
+ "name": "Advanced Detection — Granular Secrets",
334
+ "description": "Block specific high-risk credential types (cloud, GitHub, SSH, database) and general API tokens.",
335
+ "category": "data-protection",
336
+ "file": "profiles/advanced_detection/secrets.cedar",
357
337
  "severity": "critical",
358
- "tags": ["multi-agent", "mas", "trust", "cross-turn", "circuit-breaker"],
359
- "template_ids": ["agent-identity-trust", "multi-agent-trust", "multi-agent-safety"]
338
+ "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
360
339
  },
361
340
  {
362
- "id": "a2a-security",
363
- "name": "A2A Security",
364
- "description": "Production-grade security for independent agent-to-agent communication across separate trust domains — cross-origin trust enforcement, inter-agent injection defense (indirect, multi-turn, encoded), supply chain protection (tool poisoning, rug pull), identity enforcement, and escalation circuit breakers",
341
+ "id": "privacy.advanced-pii",
342
+ "name": "Advanced Detection — PII",
343
+ "description": "Bulk PII exposure threshold, ML classifier confidence, and file-operation blocking.",
344
+ "category": "privacy",
345
+ "file": "profiles/advanced_detection/pii.cedar",
365
346
  "severity": "critical",
366
- "tags": ["a2a-security", "cross-origin", "injection", "supply-chain", "identity", "escalation"],
367
- "template_ids": ["a2a-cross-origin", "a2a-inter-agent-injection", "a2a-supply-chain", "a2a-identity-enforcement", "a2a-escalation-detection"]
347
+ "tags": ["category:privacy", "threat:pii", "threat:exfiltration", "detection:ml", "compliance:gdpr"]
368
348
  },
369
349
  {
370
- "id": "advanced-detection",
371
- "name": "Advanced Detection",
372
- "description": "Production-grade advanced threat detection granular secret type blocking, ML-based PII detection, bulk exposure prevention, and critical severity catch-all for high-security environments",
350
+ "id": "security.advanced-block-critical-severity",
351
+ "name": "Advanced Detection — Threat Severity",
352
+ "description": "Catch-all that blocks any content flagged as critical severity by any detector.",
353
+ "category": "security",
354
+ "file": "profiles/advanced_detection/threat_severity.cedar",
373
355
  "severity": "critical",
374
- "tags": ["advanced-detection", "secrets", "pii", "severity", "ml-detection"],
375
- "template_ids": ["advanced-detection-secrets", "advanced-detection-pii", "advanced-detection-threat-severity"]
356
+ "tags": ["category:security", "detection:aggregate", "posture:catch-all"]
376
357
  }
377
358
  ]
378
359
  }