@highflame/policy 2.1.36 → 2.1.37

package/_schemas/guardrails/templates/profiles/code_agent/path_security.cedar

@@ -1,34 +1,31 @@
 // =============================================================================
 // Code Agent — Path Security
 // =============================================================================
-// Blocks access to sensitive file paths including environment files, credential
-// files, system directories, and credential directories. Also blocks destructive
+// Blocks access to sensitive file paths: environment files, credential files,
+// system directories, and credential/key directories. Also blocks destructive
 // file operations (delete, rmdir, unlink) by default.
 //
-// Adapted from Overwatch IDE security policies for Guardrails namespace.
+// Context keys consumed:
+//   - path:      String
+//   - tool_name: String
 //
 // Compliance:
-//   NIST 800-53 AC-6 (Least Privilege)
-//   NIST 800-53 SC-28 (Protection of Information at Rest)
-//   MITRE ATT&CK T1552 (Unsecured Credentials)
-//   MITRE ATT&CK T1005 (Data from Local System)
-//   CIS Benchmark 1.4 (Secrets Management)
+//   - NIST 800-53 AC-6, SC-28; MITRE ATT&CK T1552, T1005; CIS 1.4
 //
-// Category: security
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
 
 // ---------------------------------------------------------------------------
-// Section 1: Environment File Protection
-// Environment files are the #1 source of accidental credential exposure.
+// Section 1: Environment files (.env*)
 // ---------------------------------------------------------------------------
 
-@id("code-block-env-files")
-@name("Block .env file access")
-@description("Block access to .env files that commonly contain secrets, API keys, and database credentials. Environment files are the #1 source of accidental credential exposure in development workflows.")
+@id("security.code-block-env-files")
+@name("Block dotenv file access (code profile)")
+@description("Blocks read_file, write_file, and call_tool when path matches *.env*.")
 @severity("high")
-@tags("profile,code-agent,path-security,env-files,secrets,nist-sc-28,mitre-t1552")
-@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
+@tags("category:security,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: .env files commonly contain secrets and API keys — use a secrets manager instead.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -39,16 +36,15 @@ when {
 };
 
 // ---------------------------------------------------------------------------
-// Section 2: Credential File Protection
-// Blocks access to common credential and configuration files.
+// Section 2: Credential files
 // ---------------------------------------------------------------------------
 
-@id("code-block-credential-files")
-@name("Block credential file access")
-@description("Block access to common credential files: .netrc, .npmrc, .pypirc, Docker config, Kubernetes config, cloud provider credentials, and service account files.")
+@id("security.code-block-credential-files")
+@name("Block credential files (code profile)")
+@description("Blocks read_file, write_file, and call_tool when path matches a common credential file.")
 @severity("high")
-@tags("profile,code-agent,path-security,credential-files,secrets,nist-sc-28,mitre-t1555")
-@reject_message("Access to this credential file is blocked. Files like .netrc, .npmrc, .pypirc, and cloud provider config files commonly contain hardcoded credentials.")
+@tags("category:security,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: .netrc, .npmrc, .pypirc, cloud config, and service-account files commonly contain hardcoded credentials.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -56,27 +52,28 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "*/.netrc" ||
-     context.path like "*/.npmrc" ||
-     context.path like "*/.pypirc" ||
-     context.path like "*/.docker/config.json" ||
-     context.path like "*/.kube/config" ||
-     context.path like "*/.config/gcloud/*" ||
-     context.path like "*/credentials.json" ||
-     context.path like "*/service-account*.json")
+    (
+        context.path like "*/.netrc" ||
+        context.path like "*/.npmrc" ||
+        context.path like "*/.pypirc" ||
+        context.path like "*/.docker/config.json" ||
+        context.path like "*/.kube/config" ||
+        context.path like "*/.config/gcloud/*" ||
+        context.path like "*/credentials.json" ||
+        context.path like "*/service-account*.json"
+    )
 };
 
 // ---------------------------------------------------------------------------
-// Section 3: System Directory Protection
-// Blocks access to sensitive system directories.
+// Section 3: System directories
 // ---------------------------------------------------------------------------
 
-@id("code-block-system-paths")
-@name("Block system directory access")
-@description("Prevent access to sensitive system directories (/etc, /proc, /sys, /root, /var). These directories contain system configuration, process information, and credentials that agents must never access.")
+@id("security.code-block-system-paths")
+@name("Block system directory access (code profile)")
+@description("Blocks read_file, write_file, and call_tool on /etc, /proc, /sys, /root, /var/log, /var/run paths.")
 @severity("high")
-@tags("profile,code-agent,path-security,system-paths,nist-ac-6,mitre-t1005")
-@reject_message("Access blocked: this path targets a sensitive system directory. AI agents are restricted from accessing /etc, /proc, /sys, /root, and /var directories.")
+@tags("category:security,threat:path-traversal,detection:pattern,mitre:t1005")
+@reject_message("File access blocked: sensitive system directory targeted — agents may not access /etc, /proc, /sys, /root, or /var.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -84,25 +81,26 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "/etc/*" ||
-     context.path like "/proc/*" ||
-     context.path like "/sys/*" ||
-     context.path like "/root/*" ||
-     context.path like "/var/log/*" ||
-     context.path like "/var/run/*")
+    (
+        context.path like "/etc/*" ||
+        context.path like "/proc/*" ||
+        context.path like "/sys/*" ||
+        context.path like "/root/*" ||
+        context.path like "/var/log/*" ||
+        context.path like "/var/run/*"
+    )
 };
 
 // ---------------------------------------------------------------------------
-// Section 4: Credential Directory Protection
-// Blocks access to SSH keys, cloud credentials, and key material.
+// Section 4: Credential and key directories
 // ---------------------------------------------------------------------------
 
-@id("code-block-credential-paths")
-@name("Block credential directory access")
-@description("Prevent access to SSH keys, cloud provider credentials, GPG keys, and other authentication material directories. These are primary targets for credential theft (MITRE T1552).")
+@id("security.code-block-credential-paths")
+@name("Block credential directories (code profile)")
+@description("Blocks read_file, write_file, and call_tool on .ssh, .aws, .gnupg, .azure, .config/gcloud, .pem, and id_* paths.")
 @severity("critical")
-@tags("profile,code-agent,path-security,credentials,ssh,aws,mitre-t1552")
-@reject_message("Access blocked: this path targets a credential or key directory (.ssh, .aws, .gnupg, .config/gcloud). AI agents must never access authentication material.")
+@tags("category:security,threat:secrets,detection:pattern,compliance:nist-si-3")
+@reject_message("File access blocked: SSH, cloud, or GPG key material targeted — agents must never access authentication material.")
 forbid (
     principal,
     action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
@@ -110,28 +108,29 @@ forbid (
 )
 when {
     context has path &&
-    (context.path like "*/.ssh/*" ||
-     context.path like "*/.aws/*" ||
-     context.path like "*/.gnupg/*" ||
-     context.path like "*/.config/gcloud/*" ||
-     context.path like "*/.azure/*" ||
-     context.path like "*.pem" ||
-     context.path like "*/id_rsa*" ||
-     context.path like "*/id_ed25519*" ||
-     context.path like "*/id_ecdsa*")
+    (
+        context.path like "*/.ssh/*" ||
+        context.path like "*/.aws/*" ||
+        context.path like "*/.gnupg/*" ||
+        context.path like "*/.config/gcloud/*" ||
+        context.path like "*/.azure/*" ||
+        context.path like "*.pem" ||
+        context.path like "*/id_rsa*" ||
+        context.path like "*/id_ed25519*" ||
+        context.path like "*/id_ecdsa*"
+    )
 };
 
 // ---------------------------------------------------------------------------
-// Section 5: Destructive File Operations
-// Blocks destructive file operations by default.
+// Section 5: Destructive file operations
 // ---------------------------------------------------------------------------
 
-@id("code-block-destructive-ops")
-@name("Block destructive file operations")
-@description("Block file deletion, directory removal, and other destructive operations. Agents should not have delete access by default — destructive operations require explicit human approval.")
+@id("security.code-block-destructive-ops")
+@name("Block destructive file operations (code profile)")
+@description("Blocks call_tool when tool_name is a destructive file operation.")
 @severity("high")
-@tags("profile,code-agent,path-security,destructive,file-ops,nist-ac-3")
-@reject_message("Tool execution was blocked: destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss. Request explicit human approval for destructive actions.")
+@tags("category:security,detection:rule,surface:call-tool,compliance:nist-si-3")
+@reject_message("Tool execution blocked: destructive file operations (delete, rmdir, unlink) require explicit human approval.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -139,10 +138,12 @@ forbid (
 )
 when {
     context has tool_name &&
-    (context.tool_name == "fs.delete" ||
-     context.tool_name == "fs.rmdir" ||
-     context.tool_name == "fs.unlink" ||
-     context.tool_name == "fs.remove" ||
-     context.tool_name == "delete_file" ||
-     context.tool_name == "remove_directory")
+    (
+        context.tool_name == "fs.delete" ||
+        context.tool_name == "fs.rmdir" ||
+        context.tool_name == "fs.unlink" ||
+        context.tool_name == "fs.remove" ||
+        context.tool_name == "delete_file" ||
+        context.tool_name == "remove_directory"
+    )
 };

package/_schemas/guardrails/templates/profiles/code_agent/security.cedar

@@ -1,22 +1,26 @@
 // =============================================================================
-// Code Agent — Security
+// Code Agent — Secrets Protection
 // =============================================================================
-// Secrets protection for coding assistants.
 // Prevents code agents from writing detected secrets to output files.
 //
-// Category: security
+// Context keys consumed:
+//   - secrets_detected: Bool
+//
+// Category:  data-protection
 // Namespace: Guardrails
 // =============================================================================
 
-@id("code-block-write-secrets")
-@name("Block writing secrets to files")
-@description("Prevents code agents from writing detected secrets to output files")
+@id("data-protection.code-block-write-secrets")
+@name("Block writing secrets to files (code profile)")
+@description("Blocks write_file when secrets_detected is true.")
 @severity("critical")
-@tags("profile,code-agent,secrets,security")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:write-file,owasp:llm06")
+@reject_message("File write blocked: secrets detected in content — code agents must not persist credentials.")
 forbid (
     principal,
     action == Guardrails::Action::"write_file",
     resource
-) when {
-    context has contains_secrets && context.contains_secrets == true
+)
+when {
+    context has secrets_detected && context.secrets_detected == true
 };

package/_schemas/guardrails/templates/profiles/code_agent/supply_chain.cedar

@@ -1,40 +1,30 @@
 // =============================================================================
 // Code Agent — Supply Chain Security
 // =============================================================================
-// Detects and blocks MCP server poisoning, indirect prompt injection from tool
-// outputs, credential theft chains, and destructive operation sequences.
+// Detects and blocks MCP server poisoning, indirect prompt injection from
+// tool outputs, credential theft chains, and destructive operation sequences.
 //
-// These are agentic AI-specific attack vectors where tool descriptions, server
-// responses, or behavioral drift manipulate agent behavior.
-//
-// Adapted from Overwatch agent security and behavioral analysis policies for
-// the Guardrails namespace.
+// Context keys consumed:
+//   - tool_poisoning_score:      Long (0-100)
+//   - indirect_injection_score:  Long (0-100)
+//   - tool_is_sensitive:         Bool
+//   - suspicious_pattern:        Bool
+//   - pattern_type:              String
 //
 // Compliance:
-//   OWASP ASI01 (Agent Goal Hijack)
-//   OWASP ASI02 (Tool Misuse)
-//   OWASP ASI04 (Supply Chain)
-//   OWASP LLM01 (Prompt Injection) — indirect variant
-//   OWASP MCP01-05
-//   MITRE ATLAS AML.T0051 (Prompt Injection)
-//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   - OWASP ASI01, ASI02, ASI04, LLM01 (indirect), MCP01–05
+//   - MITRE ATLAS AML.T0051, MITRE ATT&CK T1552
 //
-// Category: agentic_security
+// Category:  agent-security
 // Namespace: Guardrails
 // =============================================================================
 
-// ---------------------------------------------------------------------------
-// Section 1: MCP Server Poisoning
-// Blocks connections to MCP servers with poisoned tool descriptions.
-// Lower threshold than tool-level poisoning since it affects all tools.
-// ---------------------------------------------------------------------------
-
-@id("code-block-server-poisoning")
-@name("Block poisoned MCP servers")
-@description("Block connections to MCP servers when tool poisoning patterns are detected in tool descriptions (score >= 60). Lower threshold than tool-level poisoning since server-level poisoning affects all tools on the server.")
+@id("agent-security.code-block-server-poisoning")
+@name("Block poisoned MCP servers (code profile)")
+@description("Blocks connect_server when tool_poisoning_score >= 60.")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,tool-poisoning,mcp-security,owasp-asi04")
-@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions. Review server tools before connecting.")
+@tags("category:agent-security,threat:tool-poisoning,detection:ml,surface:connect-server,owasp:asi04")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions.")
 forbid (
     principal,
     action == Guardrails::Action::"connect_server",
@@ -44,19 +34,12 @@ when {
     context has tool_poisoning_score && context.tool_poisoning_score >= 60
 };
 
-// ---------------------------------------------------------------------------
-// Section 2: Indirect Prompt Injection
-// Blocks injection from tool outputs and retrieved content — not direct
-// user input but external content that manipulates agent behavior.
-// Ref: EchoLeak CVE-2025-32711, IDEsaster (30+ CVEs)
-// ---------------------------------------------------------------------------
-
-@id("code-block-indirect-injection")
-@name("Block indirect prompt injection")
-@description("Block tool execution when indirect prompt injection is detected in tool outputs, file contents, or retrieved documents (score >= 70). Defends against injection via external content that manipulates agent behavior.")
+@id("agent-security.code-block-indirect-injection")
+@name("Block indirect injection (code profile)")
+@description("Blocks call_tool when indirect_injection_score >= 70.")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,indirect-injection,owasp-llm01,owasp-asi01")
-@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content. An external source may be attempting to hijack agent behavior.")
+@tags("category:agent-security,threat:indirect-injection,detection:ml,surface:call-tool,owasp:llm01,owasp:asi01")
+@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -66,12 +49,12 @@ when {
     context has indirect_injection_score && context.indirect_injection_score >= 70
 };
 
-@id("code-block-indirect-injection-sensitive")
-@name("Block indirect injection on sensitive tools")
-@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive. Even moderate injection risk on sensitive tools (shell, file write, network) warrants blocking.")
+@id("agent-security.code-block-indirect-injection-sensitive")
+@name("Block indirect injection on sensitive tools (code profile)")
+@description("Blocks call_tool when indirect_injection_score >= 50 and tool_is_sensitive is true.")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,indirect-injection,sensitive-tools,owasp-asi02")
-@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected. Sensitive tools require higher confidence that content is safe.")
+@tags("category:agent-security,threat:indirect-injection,detection:ml,surface:call-tool,owasp:asi02")
+@reject_message("Sensitive tool execution blocked: moderate indirect-injection risk detected (code profile).")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -82,17 +65,12 @@ when {
     context has tool_is_sensitive && context.tool_is_sensitive == true
 };
 
-// ---------------------------------------------------------------------------
-// Section 3: Behavioral Attack Patterns
-// Detects multi-step attack chains targeting credentials and workspace integrity.
-// ---------------------------------------------------------------------------
-
-@id("code-block-credential-theft")
-@name("Block credential theft chains")
-@description("Block tool execution when a credential theft chain is detected — accessing SSH keys, cloud credentials, or API tokens followed by encoding, compression, or transfer operations. Multi-step attack pattern for autonomous credential harvesting.")
+@id("agent-security.code-block-credential-theft")
+@name("Block credential theft chains (code profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type equals \"credential_theft\".")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,credential-theft,behavioral,mitre-t1552")
-@reject_message("Tool execution blocked: credential theft chain detected. The agent is performing a multi-step operation to harvest and exfiltrate credentials.")
+@tags("category:agent-security,threat:exfiltration,detection:rule,surface:call-tool,mitre:t1059")
+@reject_message("Tool execution blocked: credential theft chain detected — multi-step credential harvesting pattern.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
@@ -103,12 +81,12 @@ when {
     context has pattern_type && context.pattern_type == "credential_theft"
 };
 
-@id("code-block-destructive-sequence")
-@name("Block destructive operation sequences")
-@description("Block tool execution when a destructive operation sequence is detected — bulk file deletions, permission changes, config overwrites, or repository manipulation patterns. Prevents agent-initiated workspace damage.")
+@id("agent-security.code-block-destructive-sequence")
+@name("Block destructive operation sequences (code profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type equals \"destructive_sequence\".")
 @severity("critical")
-@tags("profile,code-agent,supply-chain,destructive,behavioral,owasp-asi02")
-@reject_message("Tool execution blocked: destructive operation sequence detected. The agent is performing a pattern of destructive operations that could damage the workspace.")
+@tags("category:agent-security,detection:rule,surface:call-tool,owasp:asi02")
+@reject_message("Tool execution blocked: destructive operation sequence detected — bulk deletions, config overwrites, or repo manipulation.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",

package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar

@@ -2,37 +2,44 @@
 // Data Pipeline — Agentic Security
 // =============================================================================
 // Exfiltration prevention and tool risk controls for data pipelines.
-// Prevents retrieval data from being sent to external endpoints.
 //
-// Category: agentic_security
+// Context keys consumed:
+//   - suspicious_pattern: Bool
+//   - pattern_type:       String
+//   - tool_risk_score:    Long (0-100)
+//
+// Category:  agent-security
 // Namespace: Guardrails
 // =============================================================================
 
-@id("data-block-exfiltration")
-@name("Block data exfiltration from pipeline")
-@description("Prevents retrieval data from being sent to external endpoints")
+@id("agent-security.data-pipeline-block-exfiltration")
+@name("Block data exfiltration (data-pipeline profile)")
+@description("Blocks call_tool when suspicious_pattern is true and pattern_type matches an exfiltration class.")
 @severity("critical")
-@tags("profile,data-pipeline,exfiltration,security")
+@tags("category:agent-security,threat:exfiltration,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: data exfiltration pattern detected in a data pipeline.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has suspicious_pattern && context.suspicious_pattern == true &&
     context has pattern_type &&
-    (context.pattern_type == "data_exfiltration" ||
-     context.pattern_type == "db_exfiltration")
+    (context.pattern_type == "data_exfiltration" || context.pattern_type == "db_exfiltration")
 };
 
-@id("data-block-high-risk-tools")
-@name("Block high-risk tools in pipeline")
-@description("Forbids tools with elevated risk in data processing context")
+@id("agent-security.data-pipeline-block-high-risk-tools")
+@name("Block high-risk tools (data-pipeline profile)")
+@description("Blocks call_tool when tool_risk_score >= 61.")
 @severity("high")
-@tags("profile,data-pipeline,tools,security")
+@tags("category:agent-security,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: elevated tool risk in a data pipeline.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
-    context has tool_risk_score && context.tool_risk_score > 60
+)
+when {
+    context has tool_risk_score && context.tool_risk_score >= 61
 };

package/_schemas/guardrails/templates/profiles/data_pipeline/data_protection.cedar

@@ -0,0 +1,52 @@
+// =============================================================================
+// Data Pipeline — Data Protection (Secrets)
+// =============================================================================
+// Strict secrets detection for data pipelines. Any secret triggers a block;
+// secrets in writes are blocked unconditionally to prevent persistence.
+//
+// Context keys consumed:
+//   - secrets_detected: Bool
+//   - secret_count:     Long
+//
+// Compliance:
+//   - OWASP LLM06
+//
+// Category:  data-protection
+// Namespace: Guardrails
+// =============================================================================
+
+@id("data-protection.data-pipeline-block-secrets")
+@name("Block secrets in data pipeline")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when secrets_detected is true.")
+@severity("critical")
+@tags("category:data-protection,threat:secrets,detection:rule,owasp:llm06")
+@reject_message("Request blocked: secrets detected in a data pipeline — any credential exposure is unacceptable here.")
+forbid (
+    principal,
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
+    resource
+)
+when {
+    context has secrets_detected && context.secrets_detected == true
+};
+
+@id("data-protection.data-pipeline-block-secrets-output")
+@name("Block secrets in pipeline outputs")
+@description("Blocks write_file when secrets_detected is true or secret_count >= 1.")
+@severity("critical")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:write-file,owasp:llm06")
+@reject_message("File write blocked: secrets detected in pipeline output — credentials must not be persisted.")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+)
+when {
+    (context has secrets_detected && context.secrets_detected == true) ||
+    (context has secret_count && context.secret_count >= 1)
+};

package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar

@@ -4,37 +4,60 @@
 // Strict PII protection for RAG pipelines and data processing agents.
 // Zero-tolerance for sensitive PII types — data pipelines must not leak PII.
 //
-// Category: privacy
+// Context keys consumed:
+//   - pii_detected: Bool
+//   - pii_types:    Set<String>
+//
+// Compliance:
+//   - GDPR Art. 32, HIPAA §164.312, PCI DSS 3.4
+//
+// Category:  privacy
 // Namespace: Guardrails
 // =============================================================================
 
-@id("data-pii-block-all")
-@name("Block all PII in data pipeline")
-@description("Forbids any PII in both inputs and outputs — data pipelines must not process or leak PII")
+@id("privacy.data-pipeline-block-pii")
+@name("Block PII in data pipeline")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_detected is true.")
 @severity("critical")
-@tags("profile,data-pipeline,pii,privacy")
+@tags("category:privacy,threat:pii,detection:rule,compliance:gdpr,compliance:hipaa")
+@reject_message("Request blocked: PII detected in a data pipeline — pipelines must not process or leak personal data.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
+)
+when {
     context has pii_detected && context.pii_detected == true
 };
 
-@id("data-pii-block-sensitive-types")
-@name("Block sensitive PII types strictly")
-@description("Zero-tolerance for SSN, credit cards, passport numbers, and medical IDs in data pipelines")
+@id("privacy.data-pipeline-block-pii-sensitive")
+@name("Block sensitive PII types in data pipeline")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when pii_types contains SSN, credit_card, passport, medical_id, or tax_id.")
 @severity("critical")
-@tags("profile,data-pipeline,pii,compliance")
+@tags("category:privacy,threat:pii,detection:rule,compliance:gdpr,compliance:hipaa,compliance:pci-dss")
+@reject_message("Request blocked: highly sensitive PII (SSN, credit card, passport, medical ID, or tax ID) detected in a data pipeline.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
+)
+when {
     context has pii_types &&
-    (context.pii_types.contains("ssn") ||
-     context.pii_types.contains("credit_card") ||
-     context.pii_types.contains("passport") ||
-     context.pii_types.contains("medical_id") ||
-     context.pii_types.contains("tax_id"))
+    (
+        context.pii_types.contains("ssn") ||
+        context.pii_types.contains("credit_card") ||
+        context.pii_types.contains("passport") ||
+        context.pii_types.contains("medical_id") ||
+        context.pii_types.contains("tax_id")
+    )
 };