@highflame/policy 2.1.36 → 2.1.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/_schemas/ai_gateway/context.json +431 -11
  2. package/_schemas/ai_gateway/schema.cedarschema +91 -11
  3. package/_schemas/ai_gateway/templates/defaults/agent_security.cedar +66 -43
  4. package/_schemas/ai_gateway/templates/defaults/baseline.cedar +9 -11
  5. package/_schemas/ai_gateway/templates/defaults/semantic.cedar +63 -40
  6. package/_schemas/ai_gateway/templates/defaults/tools.cedar +48 -36
  7. package/_schemas/ai_gateway/templates/llm_default_allow.cedar +9 -10
  8. package/_schemas/ai_gateway/templates/mcp_server_allowlist.cedar +22 -14
  9. package/_schemas/ai_gateway/templates/mcp_tool_permissions.cedar +29 -27
  10. package/_schemas/ai_gateway/templates/pii_redaction.cedar +38 -33
  11. package/_schemas/ai_gateway/templates/templates.json +42 -47
  12. package/_schemas/guardrails/context.json +12 -12
  13. package/_schemas/guardrails/schema.cedarschema +12 -12
  14. package/_schemas/guardrails/templates/defaults/agent_identity.cedar +60 -56
  15. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +83 -58
  16. package/_schemas/guardrails/templates/defaults/baseline.cedar +9 -12
  17. package/_schemas/guardrails/templates/defaults/injection.cedar +48 -36
  18. package/_schemas/guardrails/templates/defaults/pii.cedar +27 -20
  19. package/_schemas/guardrails/templates/defaults/secrets.cedar +39 -22
  20. package/_schemas/guardrails/templates/defaults/security_patterns.cedar +38 -25
  21. package/_schemas/guardrails/templates/defaults/semantic.cedar +47 -31
  22. package/_schemas/guardrails/templates/defaults/tool_risk.cedar +34 -26
  23. package/_schemas/guardrails/templates/defaults/toxicity.cedar +57 -47
  24. package/_schemas/guardrails/templates/mcp_tool_permissions.cedar +60 -43
  25. package/_schemas/guardrails/templates/profiles/a2a_security/cross_origin.cedar +29 -42
  26. package/_schemas/guardrails/templates/profiles/a2a_security/escalation_detection.cedar +43 -57
  27. package/_schemas/guardrails/templates/profiles/a2a_security/identity_enforcement.cedar +40 -57
  28. package/_schemas/guardrails/templates/profiles/a2a_security/inter_agent_injection.cedar +48 -62
  29. package/_schemas/guardrails/templates/profiles/a2a_security/supply_chain.cedar +40 -56
  30. package/_schemas/guardrails/templates/profiles/advanced_detection/pii.cedar +24 -34
  31. package/_schemas/guardrails/templates/profiles/advanced_detection/secrets.cedar +45 -37
  32. package/_schemas/guardrails/templates/profiles/advanced_detection/threat_severity.cedar +11 -16
  33. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +22 -9
  34. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +27 -15
  35. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +37 -22
  36. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +68 -47
  37. package/_schemas/guardrails/templates/profiles/code_agent/encoding.cedar +17 -21
  38. package/_schemas/guardrails/templates/profiles/code_agent/path_security.cedar +74 -73
  39. package/_schemas/guardrails/templates/profiles/code_agent/security.cedar +13 -9
  40. package/_schemas/guardrails/templates/profiles/code_agent/supply_chain.cedar +36 -58
  41. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +22 -15
  42. package/_schemas/guardrails/templates/profiles/data_pipeline/data_protection.cedar +52 -0
  43. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +41 -18
  44. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +18 -36
  45. package/_schemas/guardrails/templates/profiles/multi_agent/agent_safety.cedar +86 -79
  46. package/_schemas/guardrails/templates/profiles/multi_agent/agent_trust.cedar +73 -70
  47. package/_schemas/guardrails/templates/templates.json +188 -210
  48. package/_schemas/overwatch/context.json +14 -14
  49. package/_schemas/overwatch/schema.cedarschema +12 -12
  50. package/_schemas/sentry/context.json +11 -11
  51. package/_schemas/sentry/schema.cedarschema +11 -11
  52. package/_schemas/sentry/templates/defaults/baseline.cedar +8 -12
  53. package/_schemas/sentry/templates/defaults/clipboard.cedar +43 -42
  54. package/_schemas/sentry/templates/defaults/content_safety.cedar +38 -68
  55. package/_schemas/sentry/templates/defaults/file_safety.cedar +18 -26
  56. package/_schemas/sentry/templates/defaults/organization.cedar +10 -17
  57. package/_schemas/sentry/templates/defaults/pii.cedar +52 -73
  58. package/_schemas/sentry/templates/defaults/secrets.cedar +65 -58
  59. package/_schemas/sentry/templates/defaults/semantic.cedar +40 -59
  60. package/_schemas/sentry/templates/templates.json +46 -46
  61. package/dist/ai_gateway-context.gen.d.ts +18 -4
  62. package/dist/ai_gateway-context.gen.js +18 -4
  63. package/dist/ai_gateway-defaults.gen.d.ts +1 -1
  64. package/dist/ai_gateway-defaults.gen.js +377 -313
  65. package/dist/guardrails-context.gen.d.ts +5 -5
  66. package/dist/guardrails-context.gen.js +5 -5
  67. package/dist/guardrails-defaults.gen.d.ts +1 -1
  68. package/dist/guardrails-defaults.gen.js +2070 -1849
  69. package/dist/overwatch-context.gen.d.ts +5 -5
  70. package/dist/overwatch-context.gen.js +5 -5
  71. package/dist/overwatch-defaults.gen.d.ts +1 -1
  72. package/dist/overwatch-defaults.gen.js +547 -573
  73. package/dist/sentry-context.gen.d.ts +3 -3
  74. package/dist/sentry-context.gen.js +3 -3
  75. package/dist/sentry-defaults.gen.d.ts +1 -1
  76. package/dist/sentry-defaults.gen.js +379 -460
  77. package/dist/service-schemas.gen.d.ts +4 -4
  78. package/dist/service-schemas.gen.js +249 -99
  79. package/package.json +1 -1
package/_schemas/guardrails/templates/templates.json CHANGED
@@ -1,381 +1,359 @@
1
1
  {
2
2
  "service": "guardrails",
3
- "version": "1.0.0",
3
+ "version": "2.0.0",
4
4
  "description": "Guardrails policy templates for LLM application security",
5
5
  "categories": [
6
6
  {
7
7
  "id": "security",
8
8
  "name": "Security",
9
- "description": "Detect and block prompt injection, jailbreak attempts, and credential leakage"
9
+ "description": "Block prompt injection, jailbreak attempts, command injection, path traversal, and SQL injection."
10
10
  },
11
11
  {
12
12
  "id": "privacy",
13
13
  "name": "Privacy",
14
- "description": "Detect and block personally identifiable information (PII) in prompts and responses"
14
+ "description": "Block personally identifiable information (PII) in prompts and responses."
15
15
  },
16
16
  {
17
- "id": "trust_safety",
17
+ "id": "data-protection",
18
+ "name": "Data Protection",
19
+ "description": "Block secrets, API keys, tokens, and bulk credential exposure."
20
+ },
21
+ {
22
+ "id": "trust-safety",
18
23
  "name": "Trust & Safety",
19
- "description": "Detect and block toxic, violent, hateful, sexual, or profane content"
24
+ "description": "Block toxic, violent, hateful, sexual, or profane content; restrict regulated topics."
25
+ },
26
+ {
27
+ "id": "tools",
28
+ "name": "Tools",
29
+ "description": "Per-tool MCP access control, org-wide server exclusions, unverified server blocks."
20
30
  },
21
31
  {
22
- "id": "agentic_security",
23
- "name": "Agentic Security",
24
- "description": "Detect tool abuse, data exfiltration patterns, infinite loops, and budget violations"
32
+ "id": "agent-security",
33
+ "name": "Agent Security",
34
+ "description": "Block tool abuse, exfiltration patterns, loops, budget violations, tool poisoning, rug pull, and risky MCP configs."
25
35
  },
26
36
  {
27
- "id": "agent_identity",
28
- "name": "Agent-to-Agent Security",
29
- "description": "Trust-based access control for AI agents — tiered permissions by trust level, agent type restrictions, cross-turn session lockdowns for multi-agent orchestration"
37
+ "id": "agent-identity",
38
+ "name": "Agent Identity",
39
+ "description": "Trust-based access control for AI agents — tiered permissions by trust level, autonomous agent restrictions, cross-turn session lockdowns."
30
40
  },
31
41
  {
32
42
  "id": "organization",
33
43
  "name": "Organization",
34
- "description": "Organization-wide baselines and default permit/deny policies"
44
+ "description": "Organization-wide baselines and default permit/deny policies."
35
45
  }
36
46
  ],
37
47
  "defaults": [
38
48
  {
39
- "id": "baseline-default",
49
+ "id": "organization.permit-baseline",
40
50
  "name": "Baseline Permit",
41
- "description": "Permits all actions by default threat-specific forbid policies override this when threats are detected",
51
+ "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
42
52
  "category": "organization",
43
53
  "file": "defaults/baseline.cedar",
44
54
  "severity": "low",
45
- "tags": ["baseline", "permit-default", "organization"],
55
+ "tags": ["category:organization", "posture:permit-default"],
46
56
  "is_active": true
47
57
  }
48
58
  ],
49
59
  "templates": [
50
60
  {
51
- "id": "baseline-default",
61
+ "id": "organization.permit-baseline",
52
62
  "name": "Baseline Permit",
53
- "description": "Permits all actions by default threat-specific forbid policies override this when threats are detected",
63
+ "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
54
64
  "category": "organization",
55
65
  "file": "defaults/baseline.cedar",
56
66
  "severity": "low",
57
- "tags": ["baseline", "permit-default", "organization"],
67
+ "tags": ["category:organization", "posture:permit-default"],
58
68
  "auto_deploy": true
59
69
  },
60
70
  {
61
- "id": "secrets-default",
71
+ "id": "data-protection.defaults",
62
72
  "name": "Secrets Detection",
63
- "description": "Block content containing API keys, tokens, credentials, or other secrets",
64
- "category": "security",
73
+ "description": "Block content containing API keys, tokens, credentials, or other secrets across prompts, tool calls, and file operations.",
74
+ "category": "data-protection",
65
75
  "file": "defaults/secrets.cedar",
66
76
  "severity": "critical",
67
- "tags": ["secrets", "api-keys", "credentials", "data-leak"]
77
+ "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
68
78
  },
69
79
  {
70
- "id": "injection-default",
80
+ "id": "security.injection",
71
81
  "name": "Injection & Jailbreak Detection",
72
- "description": "Block prompt injection, jailbreak attempts, and command injection using ML confidence scores",
82
+ "description": "Block prompt injection and jailbreak attempts using ML classifier confidence plus invisible-character defence.",
73
83
  "category": "security",
74
84
  "file": "defaults/injection.cedar",
75
85
  "severity": "high",
76
- "tags": ["injection", "jailbreak", "security"]
86
+ "tags": ["category:security", "threat:injection", "threat:jailbreak", "detection:ml", "owasp:llm01", "owasp:llm02"]
77
87
  },
78
88
  {
79
- "id": "pii-default",
89
+ "id": "privacy.defaults",
80
90
  "name": "PII Detection",
81
- "description": "Block content containing PII such as SSN, credit cards, or passport numbers in outputs",
91
+ "description": "Block LLM outputs containing PII, with a stricter rule for SSN, credit card, and passport numbers.",
82
92
  "category": "privacy",
83
93
  "file": "defaults/pii.cedar",
84
- "severity": "high",
85
- "tags": ["pii", "privacy", "data-protection"]
94
+ "severity": "critical",
95
+ "tags": ["category:privacy", "threat:pii", "compliance:gdpr", "compliance:hipaa", "compliance:pci-dss"]
86
96
  },
87
97
  {
88
- "id": "toxicity-default",
98
+ "id": "trust-safety.toxicity",
89
99
  "name": "Toxicity & Content Moderation",
90
- "description": "Block toxic, violent, hateful, sexual, and profane content based on classifier scores",
91
- "category": "trust_safety",
100
+ "description": "Block toxic, violent, hateful, sexual, and profane content using classifier scores with a combined-toxicity catch-all.",
101
+ "category": "trust-safety",
92
102
  "file": "defaults/toxicity.cedar",
93
103
  "severity": "critical",
94
- "tags": ["toxicity", "trust-safety", "content-moderation"]
104
+ "tags": ["category:trust-safety", "threat:harmful", "threat:hate-speech", "detection:ml", "compliance:eu-ai-act"]
95
105
  },
96
106
  {
97
- "id": "tool-risk-default",
107
+ "id": "agent-security.tool-risk",
98
108
  "name": "Tool Risk",
99
- "description": "Block dangerous tool calls, shell execution, and sensitive tool usage based on risk scoring",
100
- "category": "agentic_security",
109
+ "description": "Block dangerous tool calls, shell execution, and sensitive tools with elevated risk scores.",
110
+ "category": "agent-security",
101
111
  "file": "defaults/tool_risk.cedar",
102
112
  "severity": "critical",
103
- "tags": ["tools", "agentic", "security"]
113
+ "tags": ["category:agent-security", "threat:command-injection", "owasp:llm06", "owasp:asi02"]
104
114
  },
105
115
  {
106
- "id": "agentic-safety-default",
116
+ "id": "agent-security.defaults",
107
117
  "name": "Agentic Safety",
108
- "description": "Block tool call loops, data exfiltration patterns, high-risk sequences, budget violations, tool poisoning, rug pull attacks, and MCP configuration risks",
109
- "category": "agentic_security",
118
+ "description": "Block tool-call loops, exfiltration patterns, budget violations, tool poisoning, rug pull, and MCP configuration risks.",
119
+ "category": "agent-security",
110
120
  "file": "defaults/agentic_safety.cedar",
111
- "severity": "high",
112
- "tags": ["agentic", "safety", "loops", "exfiltration", "budget", "tool-poisoning", "rug-pull", "mcp-risk"]
121
+ "severity": "critical",
122
+ "tags": ["category:agent-security", "threat:loop", "threat:exfiltration", "threat:tool-poisoning", "threat:rug-pull", "owasp:asi01", "owasp:asi04"]
113
123
  },
114
124
  {
115
- "id": "security-patterns-default",
125
+ "id": "security.patterns",
116
126
  "name": "Security Pattern Detection",
117
- "description": "Block command injection, path traversal, and SQL injection attacks using regex-based pattern detection",
127
+ "description": "Block command injection, path traversal, and SQL injection using regex-based pattern detection.",
118
128
  "category": "security",
119
129
  "file": "defaults/security_patterns.cedar",
120
130
  "severity": "critical",
121
- "tags": ["command-injection", "path-traversal", "sql-injection", "security"]
131
+ "tags": ["category:security", "threat:command-injection", "threat:sql-injection", "threat:path-traversal", "detection:pattern", "mitre:t1059"]
122
132
  },
123
133
  {
124
- "id": "agent-identity-trust",
134
+ "id": "trust-safety.semantic",
135
+ "name": "Semantic Topic Enforcement",
136
+ "description": "Block content classified into dangerous topics (weapons, controlled substances, illegal activity).",
137
+ "category": "trust-safety",
138
+ "file": "defaults/semantic.cedar",
139
+ "severity": "critical",
140
+ "tags": ["category:trust-safety", "threat:harmful", "detection:ml", "compliance:eu-ai-act", "compliance:iso-42001"]
141
+ },
142
+ {
143
+ "id": "agent-identity.defaults",
125
144
  "name": "Agent Identity & Trust",
126
- "description": "Trust-based access control for AI agents: block unverified agents from dangerous/sensitive tools, apply stricter thresholds for autonomous agents, restrict unverified agents after session threats",
127
- "category": "agent_identity",
145
+ "description": "Trust-based access control: block unverified agents from dangerous/sensitive tools, stricter thresholds for autonomous agents, cross-turn lockdown after session threats.",
146
+ "category": "agent-identity",
128
147
  "file": "defaults/agent_identity.cedar",
129
148
  "severity": "critical",
130
- "tags": ["agent-identity", "trust", "a2a", "autonomous", "cross-turn"]
149
+ "tags": ["category:agent-identity", "scope:per-agent", "owasp:llm01"]
131
150
  },
132
151
  {
133
- "id": "mcp-tool-permissions",
152
+ "id": "tools.mcp-tool-permissions",
134
153
  "name": "MCP Tool Permissions",
135
- "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
136
- "category": "agentic_security",
154
+ "description": "Per-tool MCP access control: example GitHub read/write split, org-wide exclusion list, unverified server block.",
155
+ "category": "tools",
137
156
  "file": "mcp_tool_permissions.cedar",
138
- "severity": "high",
139
- "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
157
+ "severity": "critical",
158
+ "tags": ["category:tools", "threat:supply-chain", "posture:deny-default"]
140
159
  },
141
160
  {
142
- "id": "chat-assistant-security",
161
+ "id": "security.chat-assistant",
143
162
  "name": "Chat Assistant — Security",
144
- "description": "Aggressive injection and jailbreak defense for customer-facing chatbots with lower thresholds",
163
+ "description": "Aggressive injection and jailbreak defence for customer-facing chatbots (lower thresholds than defaults).",
145
164
  "category": "security",
146
165
  "file": "profiles/chat_assistant/security.cedar",
147
166
  "severity": "high",
148
- "tags": ["profile", "chat-assistant", "injection", "jailbreak", "security"]
167
+ "tags": ["category:security", "threat:injection", "threat:jailbreak", "detection:ml"]
149
168
  },
150
169
  {
151
- "id": "chat-assistant-privacy",
170
+ "id": "privacy.chat-block-pii",
152
171
  "name": "Chat Assistant — Privacy",
153
- "description": "Block PII in both user inputs and assistant outputs for chat applications",
172
+ "description": "Block PII in both user inputs and assistant outputs for chat applications.",
154
173
  "category": "privacy",
155
174
  "file": "profiles/chat_assistant/privacy.cedar",
156
175
  "severity": "high",
157
- "tags": ["profile", "chat-assistant", "pii", "privacy"]
176
+ "tags": ["category:privacy", "threat:pii", "compliance:gdpr"]
158
177
  },
159
178
  {
160
- "id": "chat-assistant-trust-safety",
179
+ "id": "trust-safety.chat-assistant",
161
180
  "name": "Chat Assistant — Trust & Safety",
162
- "description": "Strict content moderation with lower toxicity thresholds and topic restrictions for public-facing chat",
163
- "category": "trust_safety",
181
+ "description": "Strict content moderation and topic restrictions for public-facing chat (lower toxicity thresholds).",
182
+ "category": "trust-safety",
164
183
  "file": "profiles/chat_assistant/trust_safety.cedar",
165
184
  "severity": "critical",
166
- "tags": ["profile", "chat-assistant", "toxicity", "trust-safety", "topics"]
167
- },
168
- {
169
- "id": "code-agent-agentic-security",
170
- "name": "Code Agent — Agentic Security",
171
- "description": "Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants",
172
- "category": "agentic_security",
173
- "file": "profiles/code_agent/agentic_security.cedar",
174
- "severity": "high",
175
- "tags": ["profile", "code-agent", "tools", "agentic", "exfiltration", "budget"]
185
+ "tags": ["category:trust-safety", "threat:harmful", "compliance:eu-ai-act"]
176
186
  },
177
187
  {
178
- "id": "code-agent-security",
179
- "name": "Code Agent — Security",
180
- "description": "Prevent code agents from writing detected secrets to output files",
181
- "category": "security",
188
+ "id": "data-protection.code-block-write-secrets",
189
+ "name": "Code Agent — Secrets Protection",
190
+ "description": "Prevent code agents from writing detected secrets to output files.",
191
+ "category": "data-protection",
182
192
  "file": "profiles/code_agent/security.cedar",
183
193
  "severity": "critical",
184
- "tags": ["profile", "code-agent", "secrets", "security"]
194
+ "tags": ["category:data-protection", "threat:secrets"]
185
195
  },
186
196
  {
187
- "id": "data-pipeline-privacy",
188
- "name": "Data PipelinePrivacy",
189
- "description": "Strict PII protection with zero-tolerance for sensitive PII types in data pipelines",
190
- "category": "privacy",
191
- "file": "profiles/data_pipeline/privacy.cedar",
197
+ "id": "security.code-agent-encoding",
198
+ "name": "Code AgentEncoding Attacks",
199
+ "description": "Block invisible Unicode characters in tool arguments and file writes for coding agents.",
200
+ "category": "security",
201
+ "file": "profiles/code_agent/encoding.cedar",
192
202
  "severity": "critical",
193
- "tags": ["profile", "data-pipeline", "pii", "privacy", "compliance"]
203
+ "tags": ["category:security", "threat:invisible-chars", "threat:injection"]
194
204
  },
195
205
  {
196
- "id": "data-pipeline-security",
197
- "name": "Data Pipeline — Security",
198
- "description": "Strict secrets detection and lower injection thresholds for RAG and data processing pipelines",
206
+ "id": "security.code-agent-path-security",
207
+ "name": "Code AgentPath Security",
208
+ "description": "Block .env files, credential files, system directories, key material, and destructive file operations for coding agents.",
199
209
  "category": "security",
200
- "file": "profiles/data_pipeline/security.cedar",
210
+ "file": "profiles/code_agent/path_security.cedar",
201
211
  "severity": "critical",
202
- "tags": ["profile", "data-pipeline", "secrets", "injection", "security"]
212
+ "tags": ["category:security", "threat:secrets", "threat:path-traversal"]
203
213
  },
204
214
  {
205
- "id": "data-pipeline-agentic-security",
206
- "name": "Data Pipeline — Agentic Security",
207
- "description": "Exfiltration prevention and tool risk controls for data processing pipelines",
208
- "category": "agentic_security",
209
- "file": "profiles/data_pipeline/agentic_security.cedar",
215
+ "id": "agent-security.code-agent",
216
+ "name": "Code Agent — Agentic Security",
217
+ "description": "Tool risk controls, shell blocking, loop detection, exfiltration prevention, and budget enforcement for coding assistants.",
218
+ "category": "agent-security",
219
+ "file": "profiles/code_agent/agentic_security.cedar",
210
220
  "severity": "critical",
211
- "tags": ["profile", "data-pipeline", "exfiltration", "tools"]
221
+ "tags": ["category:agent-security", "threat:exfiltration", "threat:loop", "owasp:llm06"]
212
222
  },
213
223
  {
214
- "id": "multi-agent-trust",
215
- "name": "Multi-Agent Orchestration Agent Trust",
216
- "description": "Tiered trust policies for multi-agent systems: only first-party agents can use dangerous tools, unverified agents restricted to safe tools, autonomous agents have lower risk ceilings, MCP server connection trust enforcement",
217
- "category": "agent_identity",
218
- "file": "profiles/multi_agent/agent_trust.cedar",
224
+ "id": "agent-security.code-agent-supply-chain",
225
+ "name": "Code Agent — Supply Chain",
226
+ "description": "Block MCP server poisoning, indirect prompt injection, credential theft chains, and destructive sequences for coding agents.",
227
+ "category": "agent-security",
228
+ "file": "profiles/code_agent/supply_chain.cedar",
219
229
  "severity": "critical",
220
- "tags": ["profile", "multi-agent", "trust", "a2a", "autonomous", "mcp"]
230
+ "tags": ["category:agent-security", "threat:tool-poisoning", "threat:indirect-injection", "threat:exfiltration", "owasp:asi01", "owasp:asi04"]
221
231
  },
222
232
  {
223
- "id": "multi-agent-safety",
224
- "name": "Multi-Agent OrchestrationCross-Turn Safety",
225
- "description": "Session-aware agent safety policies: PII containment across agents, secrets lockdown, injection escalation response, cumulative risk circuit breakers for multi-agent sessions",
226
- "category": "agent_identity",
227
- "file": "profiles/multi_agent/agent_safety.cedar",
233
+ "id": "privacy.data-pipeline",
234
+ "name": "Data PipelinePrivacy",
235
+ "description": "Strict PII protection with zero tolerance for sensitive PII types in data pipelines.",
236
+ "category": "privacy",
237
+ "file": "profiles/data_pipeline/privacy.cedar",
228
238
  "severity": "critical",
229
- "tags": ["profile", "multi-agent", "cross-turn", "a2a", "pii", "secrets", "injection", "circuit-breaker"]
230
- },
231
- {
232
- "id": "code-agent-path-security",
233
- "name": "Code Agent — Path Security",
234
- "description": "Block access to .env files, credential files, system directories, credential directories, and destructive file operations for coding agents",
235
- "category": "security",
236
- "file": "profiles/code_agent/path_security.cedar",
237
- "severity": "high",
238
- "tags": ["profile", "code-agent", "path-security", "credentials", "system-paths"]
239
+ "tags": ["category:privacy", "threat:pii", "compliance:gdpr", "compliance:hipaa"]
239
240
  },
240
241
  {
241
- "id": "code-agent-supply-chain",
242
- "name": "Code AgentSupply Chain Security",
243
- "description": "Block MCP server poisoning, indirect prompt injection from tool outputs, credential theft patterns, and destructive operation sequences for coding agents",
244
- "category": "agentic_security",
245
- "file": "profiles/code_agent/supply_chain.cedar",
242
+ "id": "data-protection.data-pipeline",
243
+ "name": "Data PipelineSecrets",
244
+ "description": "Strict secrets detection for data pipelines and zero-tolerance secret writes.",
245
+ "category": "data-protection",
246
+ "file": "profiles/data_pipeline/data_protection.cedar",
246
247
  "severity": "critical",
247
- "tags": ["profile", "code-agent", "supply-chain", "tool-poisoning", "indirect-injection"]
248
+ "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
248
249
  },
249
250
  {
250
- "id": "code-agent-encoding",
251
- "name": "Code AgentEncoding Attacks",
252
- "description": "Block invisible Unicode characters in tool arguments and file writes to prevent encoding-based prompt injection for coding agents",
251
+ "id": "security.data-pipeline-block-injection",
252
+ "name": "Data PipelineInjection Defence",
253
+ "description": "Lower injection threshold for RAG and data processing pipelines.",
253
254
  "category": "security",
254
- "file": "profiles/code_agent/encoding.cedar",
255
+ "file": "profiles/data_pipeline/security.cedar",
255
256
  "severity": "high",
256
- "tags": ["profile", "code-agent", "encoding", "unicode", "invisible-chars"]
257
+ "tags": ["category:security", "threat:injection", "owasp:llm01"]
257
258
  },
258
259
  {
259
- "id": "advanced-detection-secrets",
260
- "name": "Advanced DetectionGranular Secrets",
261
- "description": "Granular secret type blocking for high-risk credentials (cloud provider keys, GitHub tokens, SSH keys, database URLs) and API keys/tokens",
262
- "category": "security",
263
- "file": "profiles/advanced_detection/secrets.cedar",
260
+ "id": "agent-security.data-pipeline",
261
+ "name": "Data PipelineAgentic Security",
262
+ "description": "Exfiltration prevention and tool risk controls for data processing pipelines.",
263
+ "category": "agent-security",
264
+ "file": "profiles/data_pipeline/agentic_security.cedar",
264
265
  "severity": "critical",
265
- "tags": ["profile", "advanced-detection", "secrets", "credentials", "cloud-keys"]
266
+ "tags": ["category:agent-security", "threat:exfiltration"]
266
267
  },
267
268
  {
268
- "id": "advanced-detection-pii",
269
- "name": "Advanced DetectionPII",
270
- "description": "Bulk PII exposure blocking, high-confidence ML PII detection, and PII in file operations for advanced threat detection",
271
- "category": "privacy",
272
- "file": "profiles/advanced_detection/pii.cedar",
269
+ "id": "agent-identity.multi-agent-trust",
270
+ "name": "Multi-Agent OrchestrationAgent Trust",
271
+ "description": "Tiered trust access control: only first-party agents can use dangerous tools, unverified restricted to safe tools, lower risk ceilings for autonomous agents.",
272
+ "category": "agent-identity",
273
+ "file": "profiles/multi_agent/agent_trust.cedar",
273
274
  "severity": "critical",
274
- "tags": ["profile", "advanced-detection", "pii", "privacy", "ml-classifier"]
275
+ "tags": ["category:agent-identity", "scope:per-agent", "owasp:llm01", "owasp:llm02"]
275
276
  },
276
277
  {
277
- "id": "advanced-detection-threat-severity",
278
- "name": "Advanced DetectionThreat Severity",
279
- "description": "Block any content flagged with critical severity by detection engines as a catch-all safety net",
280
- "category": "security",
281
- "file": "profiles/advanced_detection/threat_severity.cedar",
278
+ "id": "agent-identity.multi-agent-safety",
279
+ "name": "Multi-Agent OrchestrationCross-Turn Safety",
280
+ "description": "Session-aware policies: PII/secrets containment, injection lockdown, cumulative risk circuit breakers for multi-agent sessions.",
281
+ "category": "agent-identity",
282
+ "file": "profiles/multi_agent/agent_safety.cedar",
282
283
  "severity": "critical",
283
- "tags": ["profile", "advanced-detection", "severity", "critical", "catch-all"]
284
+ "tags": ["category:agent-identity", "scope:per-agent", "threat:pii", "threat:secrets", "threat:injection"]
284
285
  },
285
286
  {
286
- "id": "a2a-cross-origin",
287
- "name": "A2A Security — Cross-Origin Trust Boundaries",
288
- "description": "Block confused deputy attacks and trust boundary violations from cross-system agent communication — critical cross-origin blocking, unverified agent restrictions, sensitive tool protection",
289
- "category": "agent_identity",
287
+ "id": "agent-identity.a2a-cross-origin",
288
+ "name": "A2A Security — Cross-Origin Trust",
289
+ "description": "Block confused-deputy attacks and trust-boundary violations from cross-system agent communication.",
290
+ "category": "agent-identity",
290
291
  "file": "profiles/a2a_security/cross_origin.cedar",
291
292
  "severity": "critical",
292
- "tags": ["profile", "a2a-security", "cross-origin", "confused-deputy", "trust-boundary"]
293
+ "tags": ["category:agent-identity", "threat:supply-chain", "owasp:llm08", "owasp:asi03"]
293
294
  },
294
295
  {
295
- "id": "a2a-inter-agent-injection",
296
- "name": "A2A Security — Inter-Agent Injection Defense",
297
- "description": "Block indirect prompt injection via tool outputs, multi-turn progressive attacks using deep context models, and encoded payload delivery between independent agents",
298
- "category": "agent_identity",
296
+ "id": "agent-identity.a2a-inter-agent-injection",
297
+ "name": "A2A Security — Inter-Agent Injection Defence",
298
+ "description": "Block indirect injection via tool outputs, multi-turn progressive attacks via deep-context detection, and encoded payload delivery between agents.",
299
+ "category": "agent-identity",
299
300
  "file": "profiles/a2a_security/inter_agent_injection.cedar",
300
301
  "severity": "critical",
301
- "tags": ["profile", "a2a-security", "indirect-injection", "multi-turn", "encoded-injection", "deep-context"]
302
+ "tags": ["category:agent-identity", "threat:indirect-injection", "threat:encoded-payload", "owasp:llm01"]
302
303
  },
303
304
  {
304
- "id": "a2a-supply-chain",
305
- "name": "A2A Security — Supply Chain & Behavioral Drift",
306
- "description": "Block tool poisoning from external agent ecosystems, rug pull behavioral drift, and credential theft chains initiated by compromised agents",
307
- "category": "agent_identity",
305
+ "id": "agent-identity.a2a-supply-chain",
306
+ "name": "A2A Security — Supply Chain & Behavioural Drift",
307
+ "description": "Block tool poisoning from external agent ecosystems, rug pull behavioural drift, and credential theft chains.",
308
+ "category": "agent-identity",
308
309
  "file": "profiles/a2a_security/supply_chain.cedar",
309
310
  "severity": "critical",
310
- "tags": ["profile", "a2a-security", "supply-chain", "tool-poisoning", "rug-pull", "credential-theft"]
311
+ "tags": ["category:agent-identity", "threat:tool-poisoning", "threat:rug-pull", "threat:exfiltration", "owasp:asi04"]
311
312
  },
312
313
  {
313
- "id": "a2a-identity-enforcement",
314
+ "id": "agent-identity.a2a-identity-enforcement",
314
315
  "name": "A2A Security — Agent Identity Enforcement",
315
- "description": "Enforce strict identity requirements for cross-system agents block anonymous agents, require framework registration, prevent unverified autonomous agents",
316
- "category": "agent_identity",
316
+ "description": "Enforce strict identity requirements for cross-system agents: block anonymous, require framework registration, prevent unverified autonomous.",
317
+ "category": "agent-identity",
317
318
  "file": "profiles/a2a_security/identity_enforcement.cedar",
318
319
  "severity": "critical",
319
- "tags": ["profile", "a2a-security", "identity", "spoofing", "framework", "autonomous"]
320
+ "tags": ["category:agent-identity", "threat:spoofing", "scope:per-agent", "owasp:asi04"]
320
321
  },
321
322
  {
322
- "id": "a2a-escalation-detection",
323
- "name": "A2A Security — Escalation Detection & Circuit Breakers",
324
- "description": "Detect progressive capability escalation across turns with session peak score monitoring and cumulative risk circuit breakers tuned for adversarial A2A communication",
325
- "category": "agent_identity",
323
+ "id": "agent-identity.a2a-escalation",
324
+ "name": "A2A Security — Escalation Detection",
325
+ "description": "Detect progressive capability escalation across turns with session peak monitoring and cumulative risk circuit breakers.",
326
+ "category": "agent-identity",
326
327
  "file": "profiles/a2a_security/escalation_detection.cedar",
327
328
  "severity": "critical",
328
- "tags": ["profile", "a2a-security", "escalation", "circuit-breaker", "session-peak", "cumulative-risk"]
329
- }
330
- ],
331
- "profiles": [
332
- {
333
- "id": "chat-assistant",
334
- "name": "Chat Assistant",
335
- "description": "Optimized for customer-facing chatbots — strict toxicity, PII blocking, aggressive injection defense, topic restrictions",
336
- "severity": "high",
337
- "tags": ["chat-assistant", "toxicity", "pii", "injection"],
338
- "template_ids": ["chat-assistant-security", "chat-assistant-privacy", "chat-assistant-trust-safety"]
329
+ "tags": ["category:agent-identity", "threat:escalation", "scope:per-agent", "owasp:llm01"]
339
330
  },
340
331
  {
341
- "id": "code-agent",
342
- "name": "Code Agent",
343
- "description": "Optimized for coding assistants — tool risk controls, shell blocking, loop detection, exfiltration prevention, budget enforcement, path security, supply chain defense, and encoding attack protection",
344
- "severity": "high",
345
- "tags": ["code-agent", "tools", "agentic", "exfiltration", "path-security", "supply-chain", "encoding"],
346
- "template_ids": ["code-agent-agentic-security", "code-agent-security", "code-agent-path-security", "code-agent-supply-chain", "code-agent-encoding"]
347
- },
348
- {
349
- "id": "data-pipeline",
350
- "name": "Data Pipeline",
351
- "description": "Optimized for RAG and data processing — strict PII/secrets protection, exfiltration detection, pipeline injection defense",
352
- "severity": "critical",
353
- "tags": ["data-pipeline", "pii", "secrets", "exfiltration"],
354
- "template_ids": ["data-pipeline-privacy", "data-pipeline-security", "data-pipeline-agentic-security"]
355
- },
356
- {
357
- "id": "multi-agent",
358
- "name": "Multi-Agent Orchestration (MAS)",
359
- "description": "Production-grade guardrails for multi-agent systems with shared orchestration — tiered trust access control, autonomous agent safeguards, cross-turn PII/secrets containment, injection escalation response, cumulative risk circuit breakers. For independent agent-to-agent communication across separate trust domains, use the A2A Security profile",
332
+ "id": "data-protection.advanced-secrets",
333
+ "name": "Advanced Detection — Granular Secrets",
334
+ "description": "Block specific high-risk credential types (cloud, GitHub, SSH, database) and general API tokens.",
335
+ "category": "data-protection",
336
+ "file": "profiles/advanced_detection/secrets.cedar",
360
337
  "severity": "critical",
361
- "tags": ["multi-agent", "mas", "trust", "cross-turn", "circuit-breaker"],
362
- "template_ids": ["agent-identity-trust", "multi-agent-trust", "multi-agent-safety"]
338
+ "tags": ["category:data-protection", "threat:secrets", "owasp:llm06"]
363
339
  },
364
340
  {
365
- "id": "a2a-security",
366
- "name": "A2A Security",
367
- "description": "Production-grade security for independent agent-to-agent communication across separate trust domains — cross-origin trust enforcement, inter-agent injection defense (indirect, multi-turn, encoded), supply chain protection (tool poisoning, rug pull), identity enforcement, and escalation circuit breakers",
341
+ "id": "privacy.advanced-pii",
342
+ "name": "Advanced Detection — PII",
343
+ "description": "Bulk PII exposure threshold, ML classifier confidence, and file-operation blocking.",
344
+ "category": "privacy",
345
+ "file": "profiles/advanced_detection/pii.cedar",
368
346
  "severity": "critical",
369
- "tags": ["a2a-security", "cross-origin", "injection", "supply-chain", "identity", "escalation"],
370
- "template_ids": ["a2a-cross-origin", "a2a-inter-agent-injection", "a2a-supply-chain", "a2a-identity-enforcement", "a2a-escalation-detection"]
347
+ "tags": ["category:privacy", "threat:pii", "threat:exfiltration", "detection:ml", "compliance:gdpr"]
371
348
  },
372
349
  {
373
- "id": "advanced-detection",
374
- "name": "Advanced Detection",
375
- "description": "Production-grade advanced threat detection granular secret type blocking, ML-based PII detection, bulk exposure prevention, and critical severity catch-all for high-security environments",
350
+ "id": "security.advanced-block-critical-severity",
351
+ "name": "Advanced Detection — Threat Severity",
352
+ "description": "Catch-all that blocks any content flagged as critical severity by any detector.",
353
+ "category": "security",
354
+ "file": "profiles/advanced_detection/threat_severity.cedar",
376
355
  "severity": "critical",
377
- "tags": ["advanced-detection", "secrets", "pii", "severity", "ml-detection"],
378
- "template_ids": ["advanced-detection-secrets", "advanced-detection-pii", "advanced-detection-threat-severity"]
356
+ "tags": ["category:security", "detection:aggregate", "posture:catch-all"]
379
357
  }
380
358
  ]
381
359
  }