npm - @highflame/policy - Versions diffs - 2.1.35 → 2.1.37 - Mend

@highflame/policy 2.1.35 → 2.1.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/_schemas/guardrails/templates/profiles/code_agent/path_security.cedar CHANGED Viewed

@@ -1,34 +1,31 @@
 // =============================================================================
 // Code Agent — Path Security
 // =============================================================================
-// Blocks access to sensitive file paths including environment files, credential
-// files, system directories, and credential directories. Also blocks destructive
+// Blocks access to sensitive file paths: environment files, credential files,
+// system directories, and credential/key directories. Also blocks destructive
 // file operations (delete, rmdir, unlink) by default.
 //
-// Adapted from Overwatch IDE security policies for Guardrails namespace.
+// Context keys consumed:
+//   - path:      String
+//   - tool_name: String
 //
 // Compliance:
-//   NIST 800-53 AC-6 (Least Privilege)
-//   NIST 800-53 SC-28 (Protection of Information at Rest)
-//   MITRE ATT&CK T1552 (Unsecured Credentials)
-//   MITRE ATT&CK T1005 (Data from Local System)
-//   CIS Benchmark 1.4 (Secrets Management)
+//   - NIST 800-53 AC-6, SC-28; MITRE ATT&CK T1552, T1005; CIS 1.4
 //
-// Category: security
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
 // ---------------------------------------------------------------------------
-// Section 1: Environment File Protection
-// Environment files are the #1 source of accidental credential exposure.
+// Section 1: Environment files (.env*)
 // ---------------------------------------------------------------------------
-@id("code-block-env-files")
-@name("Block .env file access")
-@description("Block access to .env files that commonly contain secrets, API keys, and database credentials. Environment files are the #1 source of accidental credential exposure in development workflows.")
+@id("security.code-block-env-files")
+@name("Block dotenv file access (code profile)")
+@description("Blocks read_file, write_file, and call_tool when path matches *.env*.")
 @severity("high")
-@tags("profile,code-agent,path-security,env-files,secrets,nist-sc-28,mitre-t1552")
-@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
+@tags("category:security,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: .env files commonly contain secrets and API keys — use a secrets manager instead.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -39,16 +36,15 @@ when {
 };
 // ---------------------------------------------------------------------------
-// Section 2: Credential File Protection
-// Blocks access to common credential and configuration files.
+// Section 2: Credential files
 // ---------------------------------------------------------------------------
-@id("code-block-credential-files")
-@name("Block credential file access")
-@description("Block access to common credential files: .netrc, .npmrc, .pypirc, Docker config, Kubernetes config, cloud provider credentials, and service account files.")
+@id("security.code-block-credential-files")
+@name("Block credential files (code profile)")
+@description("Blocks read_file, write_file, and call_tool when path matches a common credential file.")
 @severity("high")
-@tags("profile,code-agent,path-security,credential-files,secrets,nist-sc-28,mitre-t1555")
-@reject_message("Access to this credential file is blocked. Files like .netrc, .npmrc, .pypirc, and cloud provider config files commonly contain hardcoded credentials.")
+@tags("category:security,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: .netrc, .npmrc, .pypirc, cloud config, and service-account files commonly contain hardcoded credentials.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -56,27 +52,28 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "*/.netrc" ||
-     context.path like "*/.npmrc" ||
-     context.path like "*/.pypirc" ||
-     context.path like "*/.docker/config.json" ||
-     context.path like "*/.kube/config" ||
-     context.path like "*/.config/gcloud/*" ||
-     context.path like "*/credentials.json" ||
-     context.path like "*/service-account*.json")
+    (
+        context.path like "*/.netrc" ||
+        context.path like "*/.npmrc" ||
+        context.path like "*/.pypirc" ||
+        context.path like "*/.docker/config.json" ||
+        context.path like "*/.kube/config" ||
+        context.path like "*/.config/gcloud/*" ||
+        context.path like "*/credentials.json" ||
+        context.path like "*/service-account*.json"
+    )
 };
 // ---------------------------------------------------------------------------
-// Section 3: System Directory Protection
-// Blocks access to sensitive system directories.
+// Section 3: System directories
 // ---------------------------------------------------------------------------
-@id("code-block-system-paths")
-@name("Block system directory access")
-@description("Prevent access to sensitive system directories (/etc, /proc, /sys, /root, /var). These directories contain system configuration, process information, and credentials that agents must never access.")
+@id("security.code-block-system-paths")
+@name("Block system directory access (code profile)")
+@description("Blocks read_file, write_file, and call_tool on /etc, /proc, /sys, /root, /var/log, /var/run paths.")
 @severity("high")
-@tags("profile,code-agent,path-security,system-paths,nist-ac-6,mitre-t1005")
-@reject_message("Access blocked: this path targets a sensitive system directory. AI agents are restricted from accessing /etc, /proc, /sys, /root, and /var directories.")
+@tags("category:security,threat:path-traversal,detection:pattern,mitre:t1005")
+@reject_message("File access blocked: sensitive system directory targeted — agents may not access /etc, /proc, /sys, /root, or /var.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -84,25 +81,26 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "/etc/*" ||
-     context.path like "/proc/*" ||
-     context.path like "/sys/*" ||
-     context.path like "/root/*" ||
-     context.path like "/var/log/*" ||
-     context.path like "/var/run/*")
+    (
+        context.path like "/etc/*" ||
+        context.path like "/proc/*" ||
+        context.path like "/sys/*" ||
+        context.path like "/root/*" ||
+        context.path like "/var/log/*" ||
+        context.path like "/var/run/*"
+    )
 };
 // ---------------------------------------------------------------------------
-// Section 4: Credential Directory Protection
-// Blocks access to SSH keys, cloud credentials, and key material.
+// Section 4: Credential and key directories
 // ---------------------------------------------------------------------------
-@id("code-block-credential-paths")
-@name("Block credential directory access")
-@description("Prevent access to SSH keys, cloud provider credentials, GPG keys, and other authentication material directories. These are primary targets for credential theft (MITRE T1552).")
+@id("security.code-block-credential-paths")
+@name("Block credential directories (code profile)")
+@description("Blocks read_file, write_file, and call_tool on .ssh, .aws, .gnupg, .azure, .config/gcloud, .pem, and id_* paths.")
 @severity("critical")
-@tags("profile,code-agent,path-security,credentials,ssh,aws,mitre-t1552")
-@reject_message("Access blocked: this path targets a credential or key directory (.ssh, .aws, .gnupg, .config/gcloud). AI agents must never access authentication material.")
+@tags("category:security,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: SSH, cloud, or GPG key material targeted — agents must never access authentication material.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -110,28 +108,29 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "*/.ssh/*" ||
-     context.path like "*/.aws/*" ||
-     context.path like "*/.gnupg/*" ||
-     context.path like "*/.config/gcloud/*" ||
-     context.path like "*/.azure/*" ||
-     context.path like "*.pem" ||
-     context.path like "*/id_rsa*" ||
-     context.path like "*/id_ed25519*" ||
-     context.path like "*/id_ecdsa*")
+    (
+        context.path like "*/.ssh/*" ||
+        context.path like "*/.aws/*" ||
+        context.path like "*/.gnupg/*" ||
+        context.path like "*/.config/gcloud/*" ||
+        context.path like "*/.azure/*" ||
+        context.path like "*.pem" ||
+        context.path like "*/id_rsa*" ||
+        context.path like "*/id_ed25519*" ||
+        context.path like "*/id_ecdsa*"
+    )
 };
 // ---------------------------------------------------------------------------
-// Section 5: Destructive File Operations
-// Blocks destructive file operations by default.
+// Section 5: Destructive file operations
 // ---------------------------------------------------------------------------
-@id("code-block-destructive-ops")
-@name("Block destructive file operations")
-@description("Block file deletion, directory removal, and other destructive operations. Agents should not have delete access by default — destructive operations require explicit human approval.")
+@id("security.code-block-destructive-ops")
+@name("Block destructive file operations (code profile)")
+@description("Blocks call_tool when tool_name is a destructive file operation.")
 @severity("high")
-@tags("profile,code-agent,path-security,destructive,file-ops,nist-ac-3")
-@reject_message("Tool execution was blocked: destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss. Request explicit human approval for destructive actions.")
+@tags("category:security,detection:rule,surface:call-tool,compliance:nist-si-3")
+@reject_message("Tool execution blocked: destructive file operations (delete, rmdir, unlink) require explicit human approval.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -139,10 +138,12 @@ forbid (
 )
 when {
     context has tool_name &&
-    (context.tool_name == "fs.delete" ||
-     context.tool_name == "fs.rmdir" ||
-     context.tool_name == "fs.unlink" ||
-     context.tool_name == "fs.remove" ||
-     context.tool_name == "delete_file" ||
-     context.tool_name == "remove_directory")
+    (
+        context.tool_name == "fs.delete" ||
+        context.tool_name == "fs.rmdir" ||
+        context.tool_name == "fs.unlink" ||
+        context.tool_name == "fs.remove" ||
+        context.tool_name == "delete_file" ||
+        context.tool_name == "remove_directory"
+    )
 };

package/_schemas/guardrails/templates/profiles/code_agent/security.cedar CHANGED Viewed

@@ -1,22 +1,26 @@
 // =============================================================================
-// Code Agent — Security
+// Code Agent — Secrets Protection
 // =============================================================================
-// Secrets protection for coding assistants.
 // Prevents code agents from writing detected secrets to output files.
 //
-// Category: security
+// Context keys consumed:
+//   - secrets_detected: Bool
+//
+// Category:  data-protection
 // Namespace: Guardrails
 // =============================================================================
-@id("code-block-write-secrets")
-@name("Block writing secrets to files")
-@description("Prevents code agents from writing detected secrets to output files")
+@id("data-protection.code-block-write-secrets")
+@name("Block writing secrets to files (code profile)")
+@description("Blocks write_file when secrets_detected is true.")
 @severity("critical")
-@tags("profile,code-agent,secrets,security")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:write-file,owasp:llm06")
+@reject_message("File write blocked: secrets detected in content — code agents must not persist credentials.")
 forbid (
     principal,
     action == Guardrails::Action::"write_file",
     resource
-) when {
-    context has contains_secrets && context.contains_secrets == true
+)
+when {
+    context has secrets_detected && context.secrets_detected == true
 };

package/_schemas/guardrails/templates/profiles/code_agent/supply_chain.cedar CHANGED Viewed

@@ -1,40 +1,30 @@
 // =============================================================================
 // Code Agent — Supply Chain Security
 // =============================================================================
-// Detects and blocks MCP server poisoning, indirect prompt injection from tool
-// outputs, credential theft chains, and destructive operation sequences.
+// Detects and blocks MCP server poisoning, indirect prompt injection from
+// tool outputs, credential theft chains, and destructive operation sequences.
 //
-// These are agentic AI-specific attack vectors where tool descriptions, server
-// responses, or behavioral drift manipulate agent behavior.
-//
-// Adapted from Overwatch agent security and behavioral analysis policies for
-// the Guardrails namespace.
+// Context keys consumed:
+//   - tool_poisoning_score:      Long (0-100)
+//   - indirect_injection_score:  Long (0-100)
+//   - tool_is_sensitive:         Bool
+//   - suspicious_pattern:        Bool
+//   - pattern_type:              String
 //
 // Compliance:
-//   OWASP ASI01 (Agent Goal Hijack)
-//   OWASP ASI02 (Tool Misuse)
-//   OWASP ASI04 (Supply Chain)
-//   OWASP LLM01 (Prompt Injection) — indirect variant
-//   OWASP MCP01-05
-//   MITRE ATLAS AML.T0051 (Prompt Injection)
-//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   - OWASP ASI01, ASI02, ASI04, LLM01 (indirect), MCP01–05
+//   - MITRE ATLAS AML.T0051, MITRE ATT&CK T1552
 //
-// Category: agentic_security
+// Category:  agent-security
 // Namespace: Guardrails
 // =============================================================================
-// ---------------------------------------------------------------------------
-// Section 1: MCP Server Poisoning
-// Blocks connections to MCP servers with poisoned tool descriptions.
-// Lower threshold than tool-level poisoning since it affects all tools.
-// ---------------------------------------------------------------------------
-@id("code-block-server-poisoning")
-@name("Block poisoned MCP servers")
-@description("Block connections to MCP servers when tool poisoning patterns are detected in tool descriptions (score >= 60). Lower threshold than tool-level poisoning since server-level poisoning affects all tools on the server.")
+@id("agent-security.code-block-server-poisoning")
+@name("Block poisoned MCP servers (code profile)")
+@description("Blocks connect_server when tool_poisoning_score >= 60.")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,tool-poisoning,mcp-security,owasp-asi04")
-@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions. Review server tools before connecting.")
+@tags("category:agent-security,threat:tool-poisoning,detection:ml,surface:connect-server,owasp:asi04")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions.")
 forbid (
     principal,
     action == Guardrails::Action::"connect_server",
@@ -44,19 +34,12 @@ when {
     context has tool_poisoning_score && context.tool_poisoning_score >= 60
 };
-// ---------------------------------------------------------------------------
-// Section 2: Indirect Prompt Injection
-// Blocks injection from tool outputs and retrieved content — not direct
-// user input but external content that manipulates agent behavior.
-// Ref: EchoLeak CVE-2025-32711, IDEsaster (30+ CVEs)
-// ---------------------------------------------------------------------------
-@id("code-block-indirect-injection")
-@name("Block indirect prompt injection")
-@description("Block tool execution when indirect prompt injection is detected in tool outputs, file contents, or retrieved documents (score >= 70). Defends against injection via external content that manipulates agent behavior.")
+@id("agent-security.code-block-indirect-injection")
+@name("Block indirect injection (code profile)")
+@description("Blocks call_tool when indirect_injection_score >= 70.")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,indirect-injection,owasp-llm01,owasp-asi01")
-@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content. An external source may be attempting to hijack agent behavior.")
+@tags("category:agent-security,threat:indirect-injection,detection:ml,surface:call-tool,owasp:llm01,owasp:asi01")
+@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -66,12 +49,12 @@ when {
     context has indirect_injection_score && context.indirect_injection_score >= 70
 };
-@id("code-block-indirect-injection-sensitive")
-@name("Block indirect injection on sensitive tools")
-@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive. Even moderate injection risk on sensitive tools (shell, file write, network) warrants blocking.")
+@id("agent-security.code-block-indirect-injection-sensitive")
+@name("Block indirect injection on sensitive tools (code profile)")
+@description("Blocks call_tool when indirect_injection_score >= 50 and tool_is_sensitive is true.")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,indirect-injection,sensitive-tools,owasp-asi02")
-@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected. Sensitive tools require higher confidence that content is safe.")
+@tags("category:agent-security,threat:indirect-injection,detection:ml,surface:call-tool,owasp:asi02")
+@reject_message("Sensitive tool execution blocked: moderate indirect-injection risk detected (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -82,17 +65,12 @@ when {
     context has tool_is_sensitive && context.tool_is_sensitive == true
 };
-// ---------------------------------------------------------------------------
-// Section 3: Behavioral Attack Patterns
-// Detects multi-step attack chains targeting credentials and workspace integrity.
-// ---------------------------------------------------------------------------
-@id("code-block-credential-theft")
-@name("Block credential theft chains")
-@description("Block tool execution when a credential theft chain is detected — accessing SSH keys, cloud credentials, or API tokens followed by encoding, compression, or transfer operations. Multi-step attack pattern for autonomous credential harvesting.")
+@id("agent-security.code-block-credential-theft")
+@name("Block credential theft chains (code profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type equals \"credential_theft\".")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,credential-theft,behavioral,mitre-t1552")
-@reject_message("Tool execution blocked: credential theft chain detected. The agent is performing a multi-step operation to harvest and exfiltrate credentials.")
+@tags("category:agent-security,threat:exfiltration,detection:rule,surface:call-tool,mitre:t1059")
+@reject_message("Tool execution blocked: credential theft chain detected — multi-step credential harvesting pattern.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -103,12 +81,12 @@ when {
     context has pattern_type && context.pattern_type == "credential_theft"
 };
-@id("code-block-destructive-sequence")
-@name("Block destructive operation sequences")
-@description("Block tool execution when a destructive operation sequence is detected — bulk file deletions, permission changes, config overwrites, or repository manipulation patterns. Prevents agent-initiated workspace damage.")
+@id("agent-security.code-block-destructive-sequence")
+@name("Block destructive operation sequences (code profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type equals \"destructive_sequence\".")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,destructive,behavioral,owasp-asi02")
-@reject_message("Tool execution blocked: destructive operation sequence detected. The agent is performing a pattern of destructive operations that could damage the workspace.")
+@tags("category:agent-security,detection:rule,surface:call-tool,owasp:asi02")
+@reject_message("Tool execution blocked: destructive operation sequence detected — bulk deletions, config overwrites, or repo manipulation.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",

package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar CHANGED Viewed

@@ -2,37 +2,44 @@
 // Data Pipeline — Agentic Security
 // =============================================================================
 // Exfiltration prevention and tool risk controls for data pipelines.
-// Prevents retrieval data from being sent to external endpoints.
 //
-// Category: agentic_security
+// Context keys consumed:
+//   - suspicious_pattern: Bool
+//   - pattern_type:       String
+//   - tool_risk_score:    Long (0-100)
+//
+// Category:  agent-security
 // Namespace: Guardrails
 // =============================================================================
-@id("data-block-exfiltration")
-@name("Block data exfiltration from pipeline")
-@description("Prevents retrieval data from being sent to external endpoints")
+@id("agent-security.data-pipeline-block-exfiltration")
+@name("Block data exfiltration (data-pipeline profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type matches an exfiltration class.")
 @severity("critical")
-@tags("profile,data-pipeline,exfiltration,security")
+@tags("category:agent-security,threat:exfiltration,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: data exfiltration pattern detected in a data pipeline.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has suspicious_pattern && context.suspicious_pattern == true &&
     context has pattern_type &&
-    (context.pattern_type == "data_exfiltration" ||
-     context.pattern_type == "db_exfiltration")
+    (context.pattern_type == "data_exfiltration" || context.pattern_type == "db_exfiltration")
 };
-@id("data-block-high-risk-tools")
-@name("Block high-risk tools in pipeline")
-@description("Forbids tools with elevated risk in data processing context")
+@id("agent-security.data-pipeline-block-high-risk-tools")
+@name("Block high-risk tools (data-pipeline profile)")
+@description("Blocks call_tool when tool_risk_score >= 61.")
 @severity("high")
-@tags("profile,data-pipeline,tools,security")
+@tags("category:agent-security,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: elevated tool risk in a data pipeline.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
-    context has tool_risk_score && context.tool_risk_score > 60
+)
+when {
+    context has tool_risk_score && context.tool_risk_score >= 61
 };

package/_schemas/guardrails/templates/profiles/data_pipeline/data_protection.cedar ADDED Viewed

@@ -0,0 +1,52 @@
+// =============================================================================
+// Data Pipeline — Data Protection (Secrets)
+// =============================================================================
+// Strict secrets detection for data pipelines. Any secret triggers a block;
+// secrets in writes are blocked unconditionally to prevent persistence.
+//
+// Context keys consumed:
+//   - secrets_detected: Bool
+//   - secret_count:     Long
+//
+// Compliance:
+//   - OWASP LLM06
+//
+// Category:  data-protection
+// Namespace: Guardrails
+// =============================================================================
+@id("data-protection.data-pipeline-block-secrets")
+@name("Block secrets in data pipeline")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when secrets_detected is true.")
+@severity("critical")
+@tags("category:data-protection,threat:secrets,detection:rule,owasp:llm06")
+@reject_message("Request blocked: secrets detected in a data pipeline — any credential exposure is unacceptable here.")
+forbid (
+    principal,
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
+    resource
+)
+when {
+    context has secrets_detected && context.secrets_detected == true
+};
+@id("data-protection.data-pipeline-block-secrets-output")
+@name("Block secrets in pipeline outputs")
+@description("Blocks write_file when secrets_detected is true or secret_count >= 1.")
+@severity("critical")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:write-file,owasp:llm06")
+@reject_message("File write blocked: secrets detected in pipeline output — credentials must not be persisted.")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+)
+when {
+    (context has secrets_detected && context.secrets_detected == true) ||
+    (context has secret_count && context.secret_count >= 1)
+};

package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar CHANGED Viewed

@@ -4,37 +4,60 @@
 // Strict PII protection for RAG pipelines and data processing agents.
 // Zero-tolerance for sensitive PII types — data pipelines must not leak PII.
 //
-// Category: privacy
+// Context keys consumed:
+//   - pii_detected: Bool
+//   - pii_types:    Set<String>
+//
+// Compliance:
+//   - GDPR Art. 32, HIPAA §164.312, PCI DSS 3.4
+//
+// Category:  privacy
 // Namespace: Guardrails
 // =============================================================================
-@id("data-pii-block-all")
-@name("Block all PII in data pipeline")
-@description("Forbids any PII in both inputs and outputs — data pipelines must not process or leak PII")
+@id("privacy.data-pipeline-block-pii")
+@name("Block PII in data pipeline")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_detected is true.")
 @severity("critical")
-@tags("profile,data-pipeline,pii,privacy")
+@tags("category:privacy,threat:pii,detection:rule,compliance:gdpr,compliance:hipaa")
+@reject_message("Request blocked: PII detected in a data pipeline — pipelines must not process or leak personal data.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
+)
+when {
     context has pii_detected && context.pii_detected == true
 };
-@id("data-pii-block-sensitive-types")
-@name("Block sensitive PII types strictly")
-@description("Zero-tolerance for SSN, credit cards, passport numbers, and medical IDs in data pipelines")
+@id("privacy.data-pipeline-block-pii-sensitive")
+@name("Block sensitive PII types in data pipeline")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_types contains SSN, credit_card, passport, medical_id, or tax_id.")
 @severity("critical")
-@tags("profile,data-pipeline,pii,compliance")
+@tags("category:privacy,threat:pii,detection:rule,compliance:gdpr,compliance:hipaa,compliance:pci-dss")
+@reject_message("Request blocked: highly sensitive PII (SSN, credit card, passport, medical ID, or tax ID) detected in a data pipeline.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
+)
+when {
     context has pii_types &&
-    (context.pii_types.contains("ssn") ||
-     context.pii_types.contains("credit_card") ||
-     context.pii_types.contains("passport") ||
-     context.pii_types.contains("medical_id") ||
-     context.pii_types.contains("tax_id"))
+    (
+        context.pii_types.contains("ssn") ||
+        context.pii_types.contains("credit_card") ||
+        context.pii_types.contains("passport") ||
+        context.pii_types.contains("medical_id") ||
+        context.pii_types.contains("tax_id")
+    )
 };