@highflame/policy 2.1.36 → 2.1.38

package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar

@@ -1,49 +1,31 @@
 // =============================================================================
 // Data Pipeline — Security
 // =============================================================================
-// Strict secrets detection and injection defense for data pipelines.
-// RAG inputs are high-risk for injection — lower thresholds than defaults.
+// Aggressive injection defence for RAG inputs and data processing — these
+// pipelines consume external content as trusted input and have the highest
+// adversarial surface for indirect injection.
 //
-// Category: security
+// Context keys consumed:
+//   - injection_score: Long (0-100)
+//
+// Compliance:
+//   - OWASP LLM01
+//
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
 
-@id("data-secrets-strict")
-@name("Strict secrets detection for data pipeline")
-@description("Blocks any content containing secrets — even a single match")
-@severity("critical")
-@tags("profile,data-pipeline,secrets,security")
-forbid (
-    principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
-    resource
-) when {
-    context has contains_secrets && context.contains_secrets == true
-};
-
-@id("data-block-output-secrets")
-@name("Block secrets in pipeline outputs")
-@description("Prevents data pipeline from writing secrets to any output")
-@severity("critical")
-@tags("profile,data-pipeline,secrets,output")
-forbid (
-    principal,
-    action == Guardrails::Action::"write_file",
-    resource
-) when {
-    (context has contains_secrets && context.contains_secrets == true) ||
-    (context has secret_count && context.secret_count > 0)
-};
-
-@id("data-injection-defense")
-@name("Pipeline injection defense")
-@description("Lower injection threshold for data pipelines — RAG inputs are high-risk for injection")
+@id("security.data-pipeline-block-injection")
+@name("Block pipeline injection (data-pipeline profile)")
+@description("Blocks process_prompt and call_tool when injection_score >= 66 (lower threshold for data pipelines).")
 @severity("high")
-@tags("profile,data-pipeline,injection,security")
+@tags("category:security,threat:injection,detection:ml,owasp:llm01")
+@reject_message("Request blocked: prompt injection detected at the data-pipeline threshold — RAG inputs are high-risk for indirect injection.")
 forbid (
     principal,
     action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
-) when {
-    context has injection_confidence && context.injection_confidence > 65
+)
+when {
+    context has injection_score && context.injection_score >= 66
 };

package/_schemas/guardrails/templates/profiles/multi_agent/agent_safety.cedar

@@ -1,157 +1,164 @@
 // =============================================================================
 // Multi-Agent Orchestration — Cross-Turn Agent Safety
 // =============================================================================
-// Session-aware policies that use cross-turn detection history combined with
-// agent identity for defense-in-depth. These policies handle the scenario
-// where one agent in a multi-agent session detects a threat, and subsequent
-// agents in the same session must be restricted accordingly.
+// Session-aware policies that combine cross-turn detection history with
+// agent identity for defense-in-depth. When one agent in a multi-agent
+// session detects a threat, subsequent agents in the same session are
+// restricted accordingly.
 //
-// Key insight: In multi-agent orchestration, Agent A may detect PII in turn 3,
-// and Agent B (a different agent) arrives in turn 5 wanting to call http_post.
-// Cross-turn session flags + agent trust level enable this policy:
-//   "If PII was seen AND this agent is unverified → block network tools."
+// Context keys consumed:
+//   - agent_trust_level, agent_type, tool_name, tool_is_sensitive
+//   - session_pii_detected, session_pii_types
+//   - session_secrets_detected, session_injection_detected
+//   - session_command_injection
+//   - session_threat_turns:            Long
+//   - session_cumulative_risk_score:   Long
+//   - suspicious_pattern:              Bool
 //
-// Context keys used:
-// - agent_trust_level: String - Trust tier of the current agent
-// - agent_type: String - Agent classification
-// - session_pii_detected: Bool - PII seen in any prior turn
-// - session_pii_types: Set<String> - PII types accumulated
-// - session_secrets_detected: Bool - Secrets seen in any prior turn
-// - session_injection_detected: Bool - Injection seen in any prior turn
-// - session_command_injection: Bool - Command injection in any prior turn
-// - session_threat_turns: Long - Count of turns with threats
-// - session_cumulative_risk_score: Long - Total accumulated risk
-// - tool_name: String - Tool being called
-// - tool_is_sensitive: Bool - Whether tool is sensitive
-// - suspicious_pattern: Bool - Whether exfiltration pattern detected
+// Compliance:
+//   - OWASP LLM01, LLM08
 //
-// Category: agent_identity
+// Category:  agent-identity
 // Namespace: Guardrails
 // =============================================================================
 
-// -----------------------------------------------------------------------------
-// PII Containment — Prevent Agent Data Leakage
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 1: PII containment
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-pii-block-network-tools")
-@name("Block network tools after PII detection for non-first-party agents")
-@description("If PII was detected in any prior turn, block non-first-party agents from calling network-facing tools. Prevents data exfiltration by untrusted agents in sessions containing sensitive data")
+@id("agent-identity.multi-agent-pii-block-network-tools")
+@name("Block network tools for non-first-party agents after PII")
+@description("Blocks call_tool when agent_trust_level is not \"first_party\", session_pii_detected is true, and tool_name is a network tool.")
 @severity("critical")
-@tags("profile,multi-agent,pii,exfiltration,cross-turn,a2a")
+@tags("category:agent-identity,threat:exfiltration,scope:per-agent,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: PII was detected earlier in this session and non-first-party agents cannot use network tools afterwards.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level != "first_party" &&
     context has session_pii_detected && context.session_pii_detected == true &&
     context has tool_name &&
-    (context.tool_name == "http_post" ||
-     context.tool_name == "send_email" ||
-     context.tool_name == "http_request" ||
-     context.tool_name == "webhook")
+    (
+        context.tool_name == "http_post" ||
+        context.tool_name == "send_email" ||
+        context.tool_name == "http_request" ||
+        context.tool_name == "webhook"
+    )
 };
 
-@id("multi-agent-pii-block-unverified-file-write")
-@name("Block unverified agents from writing files after PII detection")
-@description("If PII was detected in the session, unverified agents cannot write files. Prevents PII persistence by untrusted agents")
+@id("agent-identity.multi-agent-pii-block-unverified-write")
+@name("Block unverified agents from writing files after PII")
+@description("Blocks write_file when agent_trust_level is \"unverified\" and session_pii_detected is true.")
 @severity("high")
-@tags("profile,multi-agent,pii,file-write,cross-turn,a2a")
+@tags("category:agent-identity,threat:pii,scope:per-agent,detection:aggregate,surface:write-file")
+@reject_message("File write blocked: PII was detected earlier in this session and unverified agents cannot persist files.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"write_file",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level == "unverified" &&
     context has session_pii_detected && context.session_pii_detected == true
 };
 
-// -----------------------------------------------------------------------------
-// Secrets Containment — Lock Down After Credential Exposure
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 2: Secrets containment
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-secrets-lockdown")
-@name("Lock down sensitive tools after secrets detection")
-@description("If secrets (API keys, tokens) were detected in any prior turn, block all non-first-party agents from sensitive tool calls. Prevents credential exfiltration in compromised sessions")
+@id("agent-identity.multi-agent-secrets-lockdown")
+@name("Block sensitive tools after secrets in session")
+@description("Blocks call_tool when agent_trust_level is not \"first_party\", session_secrets_detected is true, and tool_is_sensitive is true.")
 @severity("critical")
-@tags("profile,multi-agent,secrets,lockdown,cross-turn,a2a")
+@tags("category:agent-identity,threat:secrets,scope:per-agent,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: secrets were detected earlier in this session and non-first-party agents cannot call sensitive tools afterwards.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level != "first_party" &&
     context has session_secrets_detected && context.session_secrets_detected == true &&
     context has tool_is_sensitive && context.tool_is_sensitive == true
 };
 
-// -----------------------------------------------------------------------------
-// Injection Escalation — Tighten After Prior Attacks
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 3: Injection escalation
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-post-injection-lockdown")
-@name("Restrict unverified agents after injection detection")
-@description("If injection was detected in any prior turn, block unverified agents from all tool calls. An injection in a prior turn may have poisoned the context, making subsequent unverified agent actions high risk")
+@id("agent-identity.multi-agent-post-injection-lockdown")
+@name("Block unverified agents after injection in session")
+@description("Blocks call_tool when agent_trust_level is \"unverified\" and session_injection_detected is true.")
 @severity("critical")
-@tags("profile,multi-agent,injection,lockdown,cross-turn,a2a")
+@tags("category:agent-identity,threat:injection,scope:per-agent,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: injection was detected earlier in this session — unverified agents cannot continue.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level == "unverified" &&
     context has session_injection_detected && context.session_injection_detected == true
 };
 
-@id("multi-agent-post-command-injection-block-shell")
-@name("Block all agent shell access after command injection")
-@description("If command injection was detected in any prior turn, no agent (regardless of trust) can execute shell commands. Defense against persistent shell compromise")
+@id("agent-identity.multi-agent-post-command-injection-shell")
+@name("Block shell after command injection in session")
+@description("Blocks call_tool when session_command_injection is true and tool_name is a shell tool.")
 @severity("critical")
-@tags("profile,multi-agent,command-injection,shell,cross-turn,a2a")
+@tags("category:agent-identity,threat:command-injection,scope:per-agent,detection:aggregate,surface:call-tool,mitre:t1059")
+@reject_message("Tool execution blocked: command injection was detected earlier in this session — no agent may execute shell commands afterwards.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has session_command_injection && context.session_command_injection == true &&
     context has tool_name &&
-    (context.tool_name == "shell" ||
-     context.tool_name == "execute_command" ||
-     context.tool_name == "bash")
+    (context.tool_name == "shell" || context.tool_name == "execute_command" || context.tool_name == "bash")
 };
 
-// -----------------------------------------------------------------------------
-// Cumulative Risk — Session-Level Circuit Breaker
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 4: Cumulative risk circuit breakers
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-high-cumulative-risk-restrict")
-@name("Restrict non-first-party agents in high-risk sessions")
-@description("When cumulative session risk exceeds 200, restrict non-first-party agents to safe tools only. Acts as a circuit breaker for sessions that have accumulated multiple risk signals across turns")
+@id("agent-identity.multi-agent-high-cumulative-risk")
+@name("Block non-first-party sensitive tools at cumulative risk")
+@description("Blocks call_tool when agent_trust_level is not \"first_party\", session_cumulative_risk_score >= 201, and tool_is_sensitive is true.")
 @severity("high")
-@tags("profile,multi-agent,cumulative-risk,circuit-breaker,a2a")
+@tags("category:agent-identity,scope:per-agent,detection:aggregate,surface:call-tool,posture:catch-all")
+@reject_message("Tool execution blocked: cumulative session risk exceeded the multi-agent threshold for sensitive tools.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level != "first_party" &&
-    context has session_cumulative_risk_score && context.session_cumulative_risk_score > 200 &&
+    context has session_cumulative_risk_score && context.session_cumulative_risk_score >= 201 &&
     context has tool_is_sensitive && context.tool_is_sensitive == true
 };
 
-@id("multi-agent-extreme-risk-full-lockdown")
-@name("Full lockdown for unverified agents in extreme-risk sessions")
-@description("When cumulative session risk exceeds 500 or more than 5 threat turns are detected, block ALL tool calls from unverified agents. Emergency circuit breaker for compromised sessions")
+@id("agent-identity.multi-agent-extreme-risk-lockdown")
+@name("Block unverified agents at extreme cumulative risk")
+@description("Blocks call_tool when agent_trust_level is \"unverified\" and session_cumulative_risk_score >= 501 or session_threat_turns >= 6.")
 @severity("critical")
-@tags("profile,multi-agent,extreme-risk,lockdown,a2a")
+@tags("category:agent-identity,scope:per-agent,detection:aggregate,surface:call-tool,posture:catch-all")
+@reject_message("Tool execution blocked: this session has accumulated extreme risk — unverified agents are locked out.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level == "unverified" &&
     (
-        (context has session_cumulative_risk_score && context.session_cumulative_risk_score > 500) ||
-        (context has session_threat_turns && context.session_threat_turns > 5)
+        (context has session_cumulative_risk_score && context.session_cumulative_risk_score >= 501) ||
+        (context has session_threat_turns && context.session_threat_turns >= 6)
     )
 };

package/_schemas/guardrails/templates/profiles/multi_agent/agent_trust.cedar

@@ -1,140 +1,143 @@
 // =============================================================================
-// Multi-Agent Orchestration — Agent Trust Policies
+// Multi-Agent Orchestration — Agent Trust
 // =============================================================================
-// Production-grade trust policies for multi-agent systems where an orchestrator
-// coordinates sub-agents with varying trust levels. These policies enforce
-// least-privilege access: each agent gets only the permissions its trust level
-// and type warrant.
+// Production-grade trust policies for multi-agent systems where an
+// orchestrator coordinates sub-agents with varying trust levels. Enforces
+// least-privilege access: each agent gets only the permissions its trust
+// level and type warrant.
 //
-// Architecture supported:
-//   Orchestrator (first_party)
-//     ├── Research Agent (verified_third_party, autonomous)
-//     ├── Code Agent (first_party, tool_agent)
-//     └── External Plugin (unverified, tool_agent)
+// Context keys consumed:
+//   - agent_id, agent_type, agent_trust_level, agent_framework, agent_publisher
+//   - tool_name, tool_category, tool_is_sensitive, tool_risk_score
+//   - mcp_server_verified
+//   - injection_score, jailbreak_score
 //
-// Context keys used:
-// - agent_id: String - Unique agent identifier
-// - agent_type: String - orchestrator | autonomous | tool_agent | human_proxy
-// - agent_trust_level: String - first_party | verified_third_party | unverified
-// - agent_framework: String - Agent framework/SDK
-// - agent_publisher: String - Publishing organization
-// - tool_name: String - Tool being called
-// - tool_category: String - safe | sensitive | dangerous
-// - tool_risk_score: Long (0-100) - Computed risk score
-// - tool_is_sensitive: Bool - Whether tool is sensitive
-// - mcp_server_verified: Bool - Whether MCP server is verified
-// - injection_confidence: Long (0-100) - Injection detection score
-// - jailbreak_confidence: Long (0-100) - Jailbreak detection score
+// Compliance:
+//   - OWASP LLM01, LLM08; OWASP ASI03, ASI05
 //
-// Category: agent_identity
+// Category:  agent-identity
 // Namespace: Guardrails
 // =============================================================================
 
-// -----------------------------------------------------------------------------
-// Tiered Tool Access — The Core A2A Trust Model
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 1: Tiered tool access
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-only-first-party-dangerous")
-@name("Only first-party agents can use dangerous tools")
-@description("Dangerous tools (shell, delete_file, run_sql) are restricted to first-party agents only. Third-party and unverified agents are blocked regardless of other signals")
+@id("agent-identity.multi-agent-block-non-first-party-dangerous")
+@name("Block non-first-party agents from dangerous tools")
+@description("Blocks call_tool when agent_trust_level is not \"first_party\" and tool_category is \"dangerous\".")
 @severity("critical")
-@tags("profile,multi-agent,trust,tools,a2a")
+@tags("category:agent-identity,scope:per-agent,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: dangerous tools are restricted to first-party agents.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level != "first_party" &&
     context has tool_category && context.tool_category == "dangerous"
 };
 
-@id("multi-agent-block-unverified-sensitive")
-@name("Block unverified agents from all sensitive tools")
-@description("Unverified agents can only use tools classified as safe. Sensitive tools (write_file, http_post, send_email) require at least verified_third_party trust")
+@id("agent-identity.multi-agent-block-unverified-sensitive")
+@name("Block unverified agents from sensitive tools")
+@description("Blocks call_tool when agent_trust_level is \"unverified\" and tool_is_sensitive is true.")
 @severity("high")
-@tags("profile,multi-agent,trust,tools,a2a")
+@tags("category:agent-identity,scope:per-agent,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: unverified agents may only use tools classified as safe.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level == "unverified" &&
     context has tool_is_sensitive && context.tool_is_sensitive == true
 };
 
-@id("multi-agent-block-unverified-mcp")
-@name("Block unverified agents from unverified MCP servers")
-@description("Unverified agents cannot call tools from unverified MCP servers. Double-unverified (agent + server) presents unacceptable supply chain risk")
+@id("agent-identity.multi-agent-block-unverified-mcp")
+@name("Block unverified agents on unverified MCP servers")
+@description("Blocks call_tool when agent_trust_level is \"unverified\" and mcp_server_verified is false.")
 @severity("critical")
-@tags("profile,multi-agent,trust,mcp,a2a")
+@tags("category:agent-identity,threat:supply-chain,scope:per-agent,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: unverified agents cannot use unverified MCP servers — supply-chain risk too high.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level == "unverified" &&
     context has mcp_server_verified && context.mcp_server_verified == false
 };
 
-// -----------------------------------------------------------------------------
-// Autonomous Agent Safeguards
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 2: Autonomous-agent safeguards
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-autonomous-tool-risk-cap")
-@name("Cap tool risk for autonomous agents")
-@description("Autonomous agents (no human in the loop) have a lower tool risk ceiling. Tools with risk > 70 require human oversight that autonomous agents lack")
+@id("agent-identity.multi-agent-cap-autonomous-tool-risk")
+@name("Block high-risk tools for autonomous agents")
+@description("Blocks call_tool when agent_type is \"autonomous\" and tool_risk_score >= 71.")
 @severity("high")
-@tags("profile,multi-agent,autonomous,tools,a2a")
+@tags("category:agent-identity,scope:per-agent,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: autonomous agents require human oversight for high-risk tools.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has agent_type && context.agent_type == "autonomous" &&
-    context has tool_risk_score && context.tool_risk_score > 70
+    context has tool_risk_score && context.tool_risk_score >= 71
 };
 
-@id("multi-agent-autonomous-injection-defense")
-@name("Enhanced injection defense for autonomous agents")
-@description("Autonomous agents are high-value targets for injection. Lower the threshold to 50 (vs 80 standard) since there is no human to catch false negatives")
+@id("agent-identity.multi-agent-autonomous-injection")
+@name("Block injection on autonomous agents (stricter)")
+@description("Blocks process_prompt when agent_type is \"autonomous\" and injection_score >= 51.")
 @severity("high")
-@tags("profile,multi-agent,autonomous,injection,a2a")
+@tags("category:agent-identity,threat:injection,detection:ml,surface:process-prompt,owasp:llm01")
+@reject_message("Prompt blocked: lower injection threshold applies to autonomous agents and was exceeded.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
+)
+when {
     context has agent_type && context.agent_type == "autonomous" &&
-    context has injection_confidence && context.injection_confidence > 50
+    context has injection_score && context.injection_score >= 51
 };
 
-@id("multi-agent-autonomous-jailbreak-defense")
-@name("Enhanced jailbreak defense for autonomous agents")
-@description("Lower jailbreak threshold for autonomous agents. Without human review, we must be more conservative")
+@id("agent-identity.multi-agent-autonomous-jailbreak")
+@name("Block jailbreak on autonomous agents (stricter)")
+@description("Blocks process_prompt when agent_type is \"autonomous\" and jailbreak_score >= 51.")
 @severity("high")
-@tags("profile,multi-agent,autonomous,jailbreak,a2a")
+@tags("category:agent-identity,threat:jailbreak,detection:ml,surface:process-prompt,owasp:llm02")
+@reject_message("Prompt blocked: lower jailbreak threshold applies to autonomous agents and was exceeded.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
+)
+when {
     context has agent_type && context.agent_type == "autonomous" &&
-    context has jailbreak_confidence && context.jailbreak_confidence > 50
+    context has jailbreak_score && context.jailbreak_score >= 51
 };
 
-// -----------------------------------------------------------------------------
-// MCP Server Connection Trust
-// -----------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Section 3: MCP server-connection trust
+// ---------------------------------------------------------------------------
 
-@id("multi-agent-block-unverified-server-connect")
+@id("agent-identity.multi-agent-block-unverified-server-connect")
 @name("Block unverified agents from connecting to MCP servers")
-@description("Unverified agents cannot establish new MCP server connections. Limits blast radius of compromised or rogue agents")
+@description("Blocks connect_server when agent_trust_level is \"unverified\".")
 @severity("high")
-@tags("profile,multi-agent,trust,mcp,connect,a2a")
+@tags("category:agent-identity,threat:supply-chain,scope:per-agent,detection:rule,surface:connect-server")
+@reject_message("MCP server connection blocked: unverified agents cannot establish new server connections.")
 forbid (
     principal is Guardrails::Agent,
     action == Guardrails::Action::"connect_server",
     resource
-) when {
+)
+when {
     context has agent_trust_level && context.agent_trust_level == "unverified"
 };