@highflame/policy 2.1.35 → 2.1.37

package/_schemas/guardrails/templates/profiles/advanced_detection/secrets.cedar

@@ -1,66 +1,74 @@
 // =============================================================================
 // Advanced Detection — Granular Secrets
 // =============================================================================
-// Blocks specific high-risk credential types and API tokens using granular
-// secret_types matching. Goes beyond the boolean contains_secrets detection
-// to identify and block cloud provider keys, GitHub tokens, SSH keys,
-// database credentials, and API tokens.
+// Blocks specific high-risk credential types using granular secret_types
+// matching. Goes beyond the boolean secrets_detected flag to identify
+// cloud provider keys, GitHub tokens, SSH keys, database credentials,
+// and general API tokens.
 //
-// These policies benefit any Guardrails deployment — not just coding agents.
-//
-// Adapted from Overwatch granular secret type policies for Guardrails namespace.
+// Context keys consumed:
+//   - secret_types: Set<String>
 //
 // Compliance:
-//   NIST 800-53 IA-5 (Authenticator Management)
-//   NIST 800-53 SC-28 (Protection of Information at Rest)
-//   MITRE ATT&CK T1552 (Unsecured Credentials)
-//   CIS Benchmark 1.4 (Secrets Management)
+//   - NIST 800-53 IA-5, SC-28; MITRE ATT&CK T1552; CIS 1.4
 //
-// Category: security
+// Category:  data-protection
 // Namespace: Guardrails
 // =============================================================================
 
-// Block high-risk credential types across all actions
-@id("detection-block-high-risk-secret-types")
+@id("data-protection.advanced-block-high-risk-secrets")
 @name("Block high-risk credential types")
-@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings. These credential types pose the highest exfiltration risk and must never pass through AI agents.")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when secret_types contains a cloud, GitHub, SSH, or database credential.")
 @severity("critical")
-@tags("profile,advanced-detection,secrets,aws,gcp,azure,github,ssh,database,nist-ia-5,mitre-t1552")
-@reject_message("Content blocked: high-risk credentials detected (cloud provider keys, GitHub tokens, SSH keys, or database credentials). Use a secrets manager — never pass credentials through AI agents.")
+@tags("category:data-protection,threat:secrets,detection:rule,owasp:llm06")
+@reject_message("Content blocked: high-risk credentials detected (cloud keys, GitHub tokens, SSH keys, or database URLs).")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
 )
 when {
     context has secret_types &&
-    (context.secret_types.contains("aws_access_key") ||
-     context.secret_types.contains("aws_secret_key") ||
-     context.secret_types.contains("gcp_service_account") ||
-     context.secret_types.contains("azure_client_secret") ||
-     context.secret_types.contains("github_token") ||
-     context.secret_types.contains("github_pat") ||
-     context.secret_types.contains("ssh_private_key") ||
-     context.secret_types.contains("database_url"))
+    (
+        context.secret_types.contains("aws_access_key") ||
+        context.secret_types.contains("aws_secret_key") ||
+        context.secret_types.contains("gcp_service_account") ||
+        context.secret_types.contains("azure_client_secret") ||
+        context.secret_types.contains("github_token") ||
+        context.secret_types.contains("github_pat") ||
+        context.secret_types.contains("ssh_private_key") ||
+        context.secret_types.contains("database_url")
+    )
 };
 
-// Block API keys and bearer tokens across all actions
-@id("detection-block-api-keys")
+@id("data-protection.advanced-block-api-tokens")
 @name("Block API keys and bearer tokens")
-@description("Block content containing generic API keys, bearer tokens, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types in AI agent interactions.")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when secret_types contains api_key, bearer_token, jwt_token, or OAuth credentials.")
 @severity("high")
-@tags("profile,advanced-detection,secrets,api-key,bearer,jwt,oauth,nist-ia-5")
-@reject_message("Content blocked: API keys, bearer tokens, or OAuth credentials detected. These must never be passed through AI agent prompts or tool calls.")
+@tags("category:data-protection,threat:secrets,detection:rule,owasp:llm06")
+@reject_message("Content blocked: API keys, bearer tokens, or OAuth credentials detected.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
 )
 when {
     context has secret_types &&
-    (context.secret_types.contains("api_key") ||
-     context.secret_types.contains("bearer_token") ||
-     context.secret_types.contains("jwt_token") ||
-     context.secret_types.contains("oauth_token") ||
-     context.secret_types.contains("oauth_secret"))
+    (
+        context.secret_types.contains("api_key") ||
+        context.secret_types.contains("bearer_token") ||
+        context.secret_types.contains("jwt_token") ||
+        context.secret_types.contains("oauth_token") ||
+        context.secret_types.contains("oauth_secret")
+    )
 };

package/_schemas/guardrails/templates/profiles/advanced_detection/threat_severity.cedar

@@ -1,30 +1,25 @@
 // =============================================================================
 // Advanced Detection — Threat Severity
 // =============================================================================
-// Severity-based catch-all policy that blocks any content flagged as critical
-// severity by detection engines. Acts as a safety net behind all other policies
-// — if any detector reports critical severity, the content is blocked regardless
-// of whether a specific category policy caught it.
+// Catch-all that blocks any content flagged as critical severity by any
+// detector. Acts as a safety net behind all other policies.
 //
-// This policy benefits any Guardrails deployment — not just coding agents.
-//
-// Adapted from Overwatch threat severity aggregation for Guardrails namespace.
+// Context keys consumed:
+//   - highest_severity: String
 //
 // Compliance:
-//   NIST 800-53 SI-3 (Malicious Code Protection)
-//   NIST 800-53 SI-4 (Information System Monitoring)
+//   - NIST 800-53 SI-3, SI-4
 //
-// Category: security
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
 
-// Block any content with critical severity threats
-@id("detection-block-critical-severity")
-@name("Block critical severity threats")
-@description("Block all content when any detection engine reports critical severity. This is the ultimate catch-all — critical threats are blocked regardless of type or source. Acts as a safety net behind all other policies.")
+@id("security.advanced-block-critical-severity")
+@name("Block critical-severity threats")
+@description("Blocks process_prompt when highest_severity equals \"critical\".")
 @severity("critical")
-@tags("profile,advanced-detection,severity,critical,catch-all,nist-si-3")
-@reject_message("Your content was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
+@tags("category:security,detection:aggregate,surface:process-prompt,posture:catch-all,compliance:nist-si-3")
+@reject_message("Prompt blocked: a critical-severity threat was reported by at least one detector.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",

package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar

@@ -1,22 +1,35 @@
 // =============================================================================
 // Chat Assistant — Privacy
 // =============================================================================
-// PII protection for customer-facing chatbots.
-// Blocks PII in both user inputs and assistant outputs.
+// PII protection for customer-facing chatbots. Blocks PII in both directions
+// (input + output) across prompts, tool calls, and file operations.
 //
-// Category: privacy
+// Context keys consumed:
+//   - pii_detected: Bool
+//
+// Compliance:
+//   - GDPR Art. 32, HIPAA, PCI-DSS
+//
+// Category:  privacy
 // Namespace: Guardrails
 // =============================================================================
 
-@id("chat-pii-block-input-output")
-@name("Block PII in both directions")
-@description("Blocks PII in both user inputs and assistant outputs for chat applications")
+@id("privacy.chat-block-pii")
+@name("Block PII in chat (both directions)")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_detected is true.")
 @severity("high")
-@tags("profile,chat-assistant,pii,privacy")
+@tags("category:privacy,threat:pii,detection:rule,compliance:gdpr,compliance:hipaa")
+@reject_message("Request blocked: personally identifiable information was detected.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
+)
+when {
     context has pii_detected && context.pii_detected == true
 };

package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar

@@ -1,35 +1,47 @@
 // =============================================================================
 // Chat Assistant — Security
 // =============================================================================
-// Aggressive injection and jailbreak defense for customer-facing chatbots.
-// Lower thresholds than defaults — public-facing chat is high-risk for attacks.
+// Aggressive injection and jailbreak defence for customer-facing chatbots.
+// Lower thresholds than the org-wide defaults — public-facing chat has the
+// highest adversarial surface.
 //
-// Category: security
+// Context keys consumed:
+//   - injection_score:  Long (0-100)
+//   - jailbreak_score:  Long (0-100)
+//
+// Compliance:
+//   - OWASP LLM01, OWASP LLM02
+//
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
 
-@id("chat-injection-lower-threshold")
-@name("Aggressive injection defense for chat")
-@description("Lower injection threshold for public-facing chat — blocks above 70")
+@id("security.chat-block-injection")
+@name("Block injection (chat profile)")
+@description("Blocks process_prompt and call_tool when injection_score >= 71 (lower threshold for public chat).")
 @severity("high")
-@tags("profile,chat-assistant,injection,security")
+@tags("category:security,threat:injection,detection:ml,owasp:llm01")
+@reject_message("Prompt blocked: prompt injection detected with high confidence (chat profile).")
 forbid (
     principal,
     action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
-) when {
-    context has injection_confidence && context.injection_confidence > 70
+)
+when {
+    context has injection_score && context.injection_score >= 71
 };
 
-@id("chat-jailbreak-lower-threshold")
-@name("Aggressive jailbreak defense for chat")
-@description("Lower jailbreak threshold for public-facing chat — blocks above 65")
+@id("security.chat-block-jailbreak")
+@name("Block jailbreak (chat profile)")
+@description("Blocks process_prompt when jailbreak_score >= 66 (lower threshold for public chat).")
 @severity("high")
-@tags("profile,chat-assistant,jailbreak,security")
+@tags("category:security,threat:jailbreak,detection:ml,owasp:llm02")
+@reject_message("Prompt blocked: jailbreak attempt detected with high confidence (chat profile).")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    context has jailbreak_confidence && context.jailbreak_confidence > 65
+)
+when {
+    context has jailbreak_score && context.jailbreak_score >= 66
 };

package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar

@@ -1,43 +1,58 @@
 // =============================================================================
 // Chat Assistant — Trust & Safety
 // =============================================================================
-// Strict content moderation for customer-facing chatbots.
-// Lower toxicity thresholds and topic restrictions for public-facing content.
+// Strict content moderation for customer-facing chatbots. Lower toxicity
+// thresholds than defaults plus topic restrictions for public-facing
+// content.
 //
-// Category: trust_safety
+// Context keys consumed:
+//   - violence_score, hate_speech_score, sexual_score, profanity_score: Long
+//   - content_topics:   Set<String>
+//   - topic_confidence: Long (0-100)
+//
+// Compliance:
+//   - EU AI Act, ISO 42001
+//
+// Category:  trust-safety
 // Namespace: Guardrails
 // =============================================================================
 
-@id("chat-toxicity-strict")
-@name("Strict toxicity for chat")
-@description("Lower thresholds for customer-facing content — blocks toxicity above 70")
+@id("trust-safety.chat-block-toxicity")
+@name("Block toxicity (chat profile)")
+@description("Blocks process_prompt when any toxicity score is >= 71 (lower threshold for public chat).")
 @severity("critical")
-@tags("profile,chat-assistant,toxicity,trust-safety")
+@tags("category:trust-safety,threat:harmful,threat:hate-speech,detection:ml,compliance:eu-ai-act")
+@reject_message("Prompt blocked: toxic content detected at the chat-profile threshold.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    (context has violence_score && context.violence_score > 70) ||
-    (context has hate_speech_score && context.hate_speech_score > 70) ||
-    (context has sexual_score && context.sexual_score > 70) ||
-    (context has profanity_score && context.profanity_score > 70)
+)
+when {
+    (context has violence_score    && context.violence_score    >= 71) ||
+    (context has hate_speech_score && context.hate_speech_score >= 71) ||
+    (context has sexual_score      && context.sexual_score      >= 71) ||
+    (context has profanity_score   && context.profanity_score   >= 71)
 };
 
-@id("chat-topic-restriction")
-@name("Block restricted topics in chat")
-@description("Prevents chat assistants from discussing dangerous or regulated topics")
+@id("trust-safety.chat-block-restricted-topics")
+@name("Block restricted topics (chat profile)")
+@description("Blocks process_prompt and call_tool when topic_confidence >= 71 and content_topics contains a restricted category.")
 @severity("high")
-@tags("profile,chat-assistant,semantic,compliance")
+@tags("category:trust-safety,threat:harmful,detection:ml,compliance:eu-ai-act")
+@reject_message("Prompt blocked: content discusses a topic restricted for chat assistants.")
 forbid (
     principal,
     action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
-) when {
-    context has topic_confidence && context.topic_confidence > 70 &&
+)
+when {
+    context has topic_confidence && context.topic_confidence >= 71 &&
     context has content_topics &&
-    (context.content_topics.contains("weapons_manufacturing") ||
-     context.content_topics.contains("illegal_activity") ||
-     context.content_topics.contains("controlled_substances") ||
-     context.content_topics.contains("financial_fraud"))
+    (
+        context.content_topics.contains("weapons_manufacturing") ||
+        context.content_topics.contains("illegal_activity") ||
+        context.content_topics.contains("controlled_substances") ||
+        context.content_topics.contains("financial_fraud")
+    )
 };

package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar

@@ -1,109 +1,130 @@
 // =============================================================================
 // Code Agent — Agentic Security
 // =============================================================================
-// Tool risk controls, shell execution blocking, loop detection,
-// exfiltration prevention, and budget enforcement for coding assistants.
+// Tool risk controls, shell execution blocking, loop detection, exfiltration
+// prevention, and budget enforcement for coding assistants.
 //
-// Category: agentic_security
+// Context keys consumed:
+//   - tool_risk_score, tool_category, tool_is_sensitive, tool_name
+//   - loop_detected, loop_count
+//   - suspicious_pattern, pattern_type
+//   - sequence_risk:    Long (0-100)
+//   - budget_exceeded:  Bool
+//
+// Compliance:
+//   - OWASP LLM06, OWASP ASI02, MITRE T1059
+//
+// Category:  agent-security
 // Namespace: Guardrails
 // =============================================================================
 
-@id("code-block-dangerous-tools")
-@name("Block dangerous tool execution")
-@description("Forbids tools classified as dangerous or with very high risk scores")
+@id("agent-security.code-block-dangerous-tools")
+@name("Block dangerous tools (code profile)")
+@description("Blocks call_tool when tool_risk_score >= 86 or tool_category equals \"dangerous\".")
 @severity("critical")
-@tags("profile,code-agent,tools,agentic")
+@tags("category:agent-security,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: tool is classified as dangerous or scored high risk (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
-    (context has tool_risk_score && context.tool_risk_score > 85) ||
+)
+when {
+    (context has tool_risk_score && context.tool_risk_score >= 86) ||
     (context has tool_category && context.tool_category == "dangerous")
 };
 
-@id("code-block-shell-execution")
-@name("Block direct shell commands")
-@description("Forbids direct shell and command execution tools")
+@id("agent-security.code-block-shell-execution")
+@name("Block shell commands (code profile)")
+@description("Blocks call_tool when tool_name is a shell tool.")
 @severity("high")
-@tags("profile,code-agent,tools,shell")
+@tags("category:agent-security,threat:command-injection,detection:rule,surface:call-tool,mitre:t1059")
+@reject_message("Tool execution blocked: direct shell or command execution is not permitted for the code profile.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has tool_name &&
-    (context.tool_name == "shell" ||
-     context.tool_name == "execute_command" ||
-     context.tool_name == "bash")
+    (context.tool_name == "shell" || context.tool_name == "execute_command" || context.tool_name == "bash")
 };
 
-@id("code-block-sensitive-tools")
-@name("Block sensitive tools with elevated risk")
-@description("Forbids sensitive tool calls with risk above 70")
+@id("agent-security.code-block-sensitive-tools")
+@name("Block sensitive tools with elevated risk (code profile)")
+@description("Blocks call_tool when tool_is_sensitive is true and tool_risk_score >= 71.")
 @severity("high")
-@tags("profile,code-agent,tools,security")
+@tags("category:agent-security,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: sensitive tool with elevated risk (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has tool_is_sensitive && context.tool_is_sensitive == true &&
-    context has tool_risk_score && context.tool_risk_score > 70
+    context has tool_risk_score && context.tool_risk_score >= 71
 };
 
-@id("code-block-loops")
-@name("Block tool call loops")
-@description("Stops infinite tool call loops in agentic workflows")
+@id("agent-security.code-block-loops")
+@name("Block tool call loops (code profile)")
+@description("Blocks call_tool when loop_detected is true and loop_count >= 6.")
 @severity("high")
-@tags("profile,code-agent,agentic,loops")
+@tags("category:agent-security,threat:loop,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: infinite tool-call loop detected (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has loop_detected && context.loop_detected == true &&
-    context has loop_count && context.loop_count > 5
+    context has loop_count && context.loop_count >= 6
 };
 
-@id("code-block-exfiltration")
-@name("Block data exfiltration patterns")
-@description("Detects and blocks read → send patterns indicating data theft")
+@id("agent-security.code-block-exfiltration")
+@name("Block data exfiltration patterns (code profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type matches an exfiltration class.")
 @severity("critical")
-@tags("profile,code-agent,agentic,exfiltration")
+@tags("category:agent-security,threat:exfiltration,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: data exfiltration pattern detected (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has suspicious_pattern && context.suspicious_pattern == true &&
     context has pattern_type &&
-    (context.pattern_type == "data_exfiltration" ||
-     context.pattern_type == "secret_exfiltration")
+    (context.pattern_type == "data_exfiltration" || context.pattern_type == "secret_exfiltration")
 };
 
-@id("code-block-high-sequence-risk")
-@name("Block high-risk action sequences")
-@description("Forbids suspicious multi-step tool sequences with risk above 75")
+@id("agent-security.code-block-sequence-risk")
+@name("Block high-risk action sequences (code profile)")
+@description("Blocks call_tool when sequence_risk >= 76.")
 @severity("high")
-@tags("profile,code-agent,agentic,patterns")
+@tags("category:agent-security,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: action sequence scored a high cumulative risk (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
-    context has sequence_risk && context.sequence_risk > 75
+)
+when {
+    context has sequence_risk && context.sequence_risk >= 76
 };
 
-@id("code-block-budget-exceeded")
-@name("Block on budget exceeded")
-@description("Stops agent execution when token budget is exhausted")
+@id("agent-security.code-block-budget-exceeded")
+@name("Block when budget exceeded (code profile)")
+@description("Blocks call_tool when budget_exceeded is true.")
 @severity("medium")
-@tags("profile,code-agent,budget,cost-control")
+@tags("category:agent-security,threat:budget-violation,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: agent has exhausted its token or cost budget (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has budget_exceeded && context.budget_exceeded == true
 };

package/_schemas/guardrails/templates/profiles/code_agent/encoding.cedar

@@ -8,48 +8,44 @@
 // (zero-width joiners, bidirectional overrides, tag characters) indicate
 // payload injection or encoding evasion attempts.
 //
-// Adapted from Overwatch encoding attack policies for Guardrails namespace.
+// Ref: EchoLeak CVE-2025-32711, Rules File Backdoor (Pillar Security)
 //
-// Ref: EchoLeak CVE-2025-32711 (invisible prompt injection via Unicode)
-//      Rules File Backdoor (Pillar Security, March 2025)
+// Context keys consumed:
+//   - invisible_chars_detected: Bool
 //
 // Compliance:
-//   OWASP LLM01 (Prompt Injection) — encoding evasion
-//   OWASP ASI01 (Agent Goal Hijack) — hidden instructions
-//   NIST 800-53 SI-10 (Information Input Validation)
+//   - OWASP LLM01 (encoding evasion), OWASP ASI01, NIST 800-53 SI-10
 //
-// Category: security
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
 
-// Block tool calls with invisible characters in arguments
-@id("code-block-invisible-tool-args")
-@name("Block invisible characters in tool calls")
-@description("Block tool execution when invisible Unicode characters are detected in tool arguments or content. Tool arguments should be plain text/JSON — invisible characters in tool calls are almost certainly malicious payload injection.")
+@id("security.code-block-invisible-tool-args")
+@name("Block invisible characters in tool calls (code profile)")
+@description("Blocks call_tool when invisible_chars_detected is true.")
 @severity("critical")
-@tags("profile,code-agent,encoding,unicode,invisible-chars,tools,owasp-asi01")
-@reject_message("Tool execution blocked: invisible Unicode characters detected in tool arguments. Tool calls should contain only plain text — invisible characters indicate payload injection or encoding evasion.")
+@tags("category:security,threat:invisible-chars,threat:injection,detection:pattern,surface:call-tool,owasp:asi01")
+@reject_message("Tool execution blocked: invisible Unicode characters detected in tool arguments — encoding evasion or payload injection.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
 )
 when {
-    context has contains_invisible_chars && context.contains_invisible_chars == true
+    context has invisible_chars_detected && context.invisible_chars_detected == true
 };
 
-// Block file writes with invisible characters
-@id("code-block-invisible-file-write")
-@name("Block invisible characters in file writes")
-@description("Block file writes when invisible Unicode characters are detected. Prevents persistence of invisible payloads in source code, config files, or documentation where they could later be processed by AI agents.")
+@id("security.code-block-invisible-file-write")
+@name("Block invisible characters in file writes (code profile)")
+@description("Blocks write_file when invisible_chars_detected is true.")
 @severity("high")
-@tags("profile,code-agent,encoding,unicode,invisible-chars,file-write,owasp-asi01")
-@reject_message("File write blocked: invisible Unicode characters detected in content. Writing invisible characters to files can create persistent backdoors that affect AI agents processing those files later.")
+@tags("category:security,threat:invisible-chars,detection:pattern,surface:write-file,owasp:asi01")
+@reject_message("File write blocked: invisible Unicode characters detected — persistent invisible payloads can backdoor downstream agents.")
 forbid (
     principal,
     action == Guardrails::Action::"write_file",
     resource
 )
 when {
-    context has contains_invisible_chars && context.contains_invisible_chars == true
+    context has invisible_chars_detected && context.invisible_chars_detected == true
 };