npm - @highflame/policy - Versions diffs - 2.1.36 → 2.1.38 - Mend

@highflame/policy 2.1.36 → 2.1.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79)

package/_schemas/guardrails/templates/defaults/injection.cedar CHANGED

@@ -1,70 +1,82 @@
 // =============================================================================
-// Injection & Jailbreak Detection Policy
+// Injection & Jailbreak Detection (Default)
 // =============================================================================
-// Blocks prompt injection, jailbreak attempts, and command injection.
-// Uses ML-based confidence scores from normalized context.
+// Blocks prompt injection and jailbreak attempts using ML classifier
+// confidence scores plus an invisible-character defence for encoded
+// injection payloads.
 //
-// Context keys used (normalized by projection layer):
-// - injection_confidence: Long (0-100) - Overall injection confidence
-// - jailbreak_confidence: Long (0-100) - Jailbreak attempt confidence
-// - injection_type: String - Type of injection detected
-// - contains_invisible_chars: Bool - Invisible Unicode characters detected
-// - invisible_chars_score: Long (0-100) - Invisible character density
+// Context keys consumed:
+//   - injection_score:           Long (0-100)
+//   - jailbreak_score:           Long (0-100)
+//   - invisible_chars_detected:  Bool
+//   - invisible_chars_score:     Long (0-100)
 //
-// Category: security
+// Compliance:
+//   - OWASP LLM01, OWASP LLM02
+//   - MITRE ATLAS AML.T0051, AML.T0054
+//
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
-@id("injection-block-high-confidence")
-@name("Block high-confidence injection attempts")
-@description("Forbids requests with injection confidence above 85%")
+@id("security.block-injection-ml")
+@name("Block injection (ML)")
+@description("Blocks process_prompt and call_tool when injection_score >= 86.")
 @severity("high")
-@tags("injection,jailbreak,security")
+@tags("category:security,threat:injection,detection:ml,owasp:llm01,mitre:atlas-t0051")
+@reject_message("Prompt blocked: the ML classifier detected prompt injection with high confidence.")
 forbid (
     principal,
     action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
-) when {
-    context has injection_confidence && context.injection_confidence > 85
+)
+when {
+    context has injection_score && context.injection_score >= 86
 };
-@id("jailbreak-block-high-confidence")
-@name("Block high-confidence jailbreak attempts")
-@description("Forbids requests with jailbreak confidence above 80%")
+@id("security.block-jailbreak-ml")
+@name("Block jailbreak (ML)")
+@description("Blocks process_prompt when jailbreak_score >= 81.")
 @severity("high")
-@tags("jailbreak,security")
+@tags("category:security,threat:jailbreak,detection:ml,owasp:llm02,mitre:atlas-t0054")
+@reject_message("Prompt blocked: the ML classifier detected a jailbreak attempt with high confidence.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    context has jailbreak_confidence && context.jailbreak_confidence > 80
+)
+when {
+    context has jailbreak_score && context.jailbreak_score >= 81
 };
-@id("injection-combined-threshold")
-@name("Block combined injection and jailbreak")
-@description("Forbids requests with moderate scores in both injection and jailbreak")
+@id("security.block-injection-combined")
+@name("Block injection + jailbreak (combined)")
+@description("Blocks process_prompt when injection_score >= 61 and jailbreak_score >= 61.")
 @severity("high")
-@tags("injection,jailbreak,security")
+@tags("category:security,threat:injection,threat:jailbreak,detection:ml")
+@reject_message("Prompt blocked: moderate injection and jailbreak signals were detected together.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    context has injection_confidence && context has jailbreak_confidence &&
-    context.injection_confidence > 60 && context.jailbreak_confidence > 60
+)
+when {
+    context has injection_score && context has jailbreak_score &&
+    context.injection_score >= 61 && context.jailbreak_score >= 61
 };
-@id("injection-invisible-chars")
-@name("Block invisible character injection")
-@description("Forbids requests containing invisible Unicode characters (zero-width joiners, etc.) commonly used for prompt injection")
+@id("security.block-invisible-chars")
+@name("Block invisible-character injection")
+@description("Blocks process_prompt when invisible_chars_detected is true and invisible_chars_score >= 51.")
 @severity("high")
-@tags("injection,unicode,security")
+@tags("category:security,threat:invisible-chars,threat:injection,detection:pattern")
+@reject_message("Prompt blocked: invisible Unicode characters often used for injection were detected.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    context has contains_invisible_chars && context.contains_invisible_chars == true &&
-    context has invisible_chars_score && context.invisible_chars_score > 50
+)
+when {
+    context has invisible_chars_detected && context.invisible_chars_detected == true &&
+    context has invisible_chars_score && context.invisible_chars_score >= 51
 };

package/_schemas/guardrails/templates/defaults/pii.cedar CHANGED

@@ -1,44 +1,51 @@
 // =============================================================================
-// PII (Personally Identifiable Information) Policy
+// PII Detection (Default)
 // =============================================================================
-// Blocks content containing PII in output responses.
-// Typically applied to LLM outputs to prevent data leakage.
+// Blocks LLM responses that contain personally identifiable information,
+// with a stricter rule for the most sensitive PII types (SSN, credit card,
+// passport).
 //
-// Context keys used (normalized by projection layer):
-// - pii_detected: bool - Whether PII was found
-// - pii_count: Long - Number of PII matches
-// - pii_types: Set<String> - Types of PII detected
-// - direction: String - "input" or "output"
+// Context keys consumed:
+//   - pii_detected:  Bool
+//   - pii_types:     Set<String>
+//   - direction:     String ("input" | "output")
 //
-// Category: privacy
+// Compliance:
+//   - GDPR, HIPAA, PCI-DSS (depending on data classification)
+//
+// Category:  privacy
 // Namespace: Guardrails
 // =============================================================================
-@id("pii-block-output")
+@id("privacy.block-pii-output")
 @name("Block PII in outputs")
-@description("Forbids LLM responses that contain PII (prevents data leakage)")
+@description("Blocks process_prompt outputs when pii_detected is true.")
 @severity("high")
-@tags("pii,privacy,data-protection")
+@tags("category:privacy,threat:pii,detection:rule,surface:process-prompt,compliance:gdpr")
+@reject_message("Response blocked: personally identifiable information was detected in the output.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
+)
+when {
     context has pii_detected && context.pii_detected == true &&
-    context.direction == "output"
+    context has direction && context.direction == "output"
 };
-@id("pii-block-sensitive-types")
-@name("Block sensitive PII types")
-@description("Forbids outputs containing SSN, credit cards, or passport numbers")
+@id("privacy.block-pii-sensitive")
+@name("Block sensitive PII types in outputs")
+@description("Blocks process_prompt outputs when pii_types contains SSN, credit_card, or passport.")
 @severity("critical")
-@tags("pii,privacy,sensitive-data")
+@tags("category:privacy,threat:pii,detection:rule,surface:process-prompt,compliance:gdpr,compliance:hipaa,compliance:pci-dss")
+@reject_message("Response blocked: highly sensitive PII (SSN, credit card, or passport) was detected.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    context.direction == "output" &&
+)
+when {
+    context has direction && context.direction == "output" &&
     context has pii_types &&
     (
         context.pii_types.contains("ssn") ||

package/_schemas/guardrails/templates/defaults/secrets.cedar CHANGED

@@ -1,40 +1,57 @@
 // =============================================================================
-// Secrets Detection Policy
+// Secrets Detection (Default)
 // =============================================================================
-// Blocks requests containing API keys, tokens, credentials, or other secrets.
-// Applies to both input prompts and output responses.
+// Blocks content containing API keys, tokens, credentials, or other secrets
+// across LLM prompts, tool calls, and file operations.
 //
-// Context keys used (normalized by projection layer):
-// - contains_secrets: bool - Whether secrets were detected
-// - secret_count: Long - Number of secret matches
-// - secret_types: Set<String> - Types of secrets found
+// Context keys consumed:
+//   - secrets_detected: Bool
+//   - secret_count:     Long
+//   - secret_types:     Set<String>
 //
-// Category: security
+// Compliance:
+//   - OWASP LLM06
+//
+// Category:  data-protection
 // Namespace: Guardrails
 // =============================================================================
-@id("secrets-block-all")
-@name("Block content containing secrets")
-@description("Forbids requests that contain API keys, tokens, or credentials")
+@id("data-protection.block-secrets")
+@name("Block secrets")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when secrets_detected is true.")
 @severity("critical")
-@tags("secrets,security,data-leak")
+@tags("category:data-protection,threat:secrets,detection:rule,owasp:llm06")
+@reject_message("Request blocked: secrets or credentials were detected in the content.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
-    context has contains_secrets && context.contains_secrets == true
+)
+when {
+    context has secrets_detected && context.secrets_detected == true
 };
-@id("secrets-block-high-count")
-@name("Block multiple secrets")
-@description("Forbids requests with multiple secret matches (potential data dump)")
+@id("data-protection.block-secrets-bulk")
+@name("Block secrets (bulk)")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when secret_count >= 3.")
 @severity("critical")
-@tags("secrets,security,data-leak")
+@tags("category:data-protection,threat:secrets,threat:exfiltration,detection:aggregate,owasp:llm06")
+@reject_message("Request blocked: multiple distinct secrets were detected — possible credential dump.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
-    context has secret_count && context.secret_count > 2
+)
+when {
+    context has secret_count && context.secret_count >= 3
 };

package/_schemas/guardrails/templates/defaults/security_patterns.cedar CHANGED

@@ -1,59 +1,72 @@
 // =============================================================================
-// Security Pattern Detection Policy
+// Security Pattern Detection (Default)
 // =============================================================================
-// Blocks command injection, path traversal, and SQL injection attacks using
+// Blocks command injection, path traversal, and SQL injection using
 // regex-based pattern detection from Shield's security detectors.
 //
-// Context keys used (normalized by projection layer):
-// - command_injection_detected: Bool - Command injection pattern found
-// - command_injection_score: Long (0-100) - Detection confidence
-// - path_traversal_detected: Bool - Path traversal pattern found
-// - path_traversal_severity: String - Severity level (critical/high/medium/low)
-// - sql_injection_detected: Bool - SQL injection pattern found
-// - sql_injection_score: Long (0-100) - Detection confidence
+// Context keys consumed:
+//   - command_injection_detected:  Bool
+//   - path_traversal_detected:     Bool
+//   - path_traversal_severity:     String
+//   - sql_injection_detected:      Bool
+//   - sql_injection_score:         Long (0-100)
 //
-// Category: security
+// Compliance:
+//   - MITRE T1059 (Command Injection), T1005 (Data from Local System)
+//
+// Category:  security
 // Namespace: Guardrails
 // =============================================================================
-@id("security-block-command-injection")
+@id("security.block-command-injection")
 @name("Block command injection")
-@description("Forbids requests containing command injection patterns such as reverse shells, privilege escalation, or destructive commands")
+@description("Blocks process_prompt and call_tool when command_injection_detected is true.")
 @severity("critical")
-@tags("command-injection,security")
+@tags("category:security,threat:command-injection,detection:pattern,mitre:t1059")
+@reject_message("Request blocked: command injection pattern detected — reverse shell, destructive command, or privilege escalation.")
 forbid (
     principal,
     action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
-) when {
+)
+when {
     context has command_injection_detected && context.command_injection_detected == true
 };
-@id("security-block-path-traversal")
-@name("Block high-severity path traversal")
-@description("Forbids requests containing path traversal patterns targeting sensitive system files or using deep directory traversal")
+@id("security.block-path-traversal")
+@name("Block path traversal")
+@description("Blocks process_prompt, call_tool, read_file, and write_file when path_traversal_detected is true and severity is high or critical.")
 @severity("high")
-@tags("path-traversal,security")
+@tags("category:security,threat:path-traversal,detection:pattern,mitre:t1005")
+@reject_message("Request blocked: path traversal pattern detected — sensitive system files or deep directory traversal.")
 forbid (
     principal,
-    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    action in [
+        Guardrails::Action::"process_prompt",
+        Guardrails::Action::"call_tool",
+        Guardrails::Action::"read_file",
+        Guardrails::Action::"write_file"
+    ],
     resource
-) when {
+)
+when {
     context has path_traversal_detected && context.path_traversal_detected == true &&
     context has path_traversal_severity &&
     (context.path_traversal_severity == "critical" || context.path_traversal_severity == "high")
 };
-@id("security-block-sql-injection")
-@name("Block high-confidence SQL injection")
-@description("Forbids requests with SQL injection confidence above 75% (tautologies, UNION-based, destructive queries)")
+@id("security.block-sql-injection")
+@name("Block SQL injection")
+@description("Blocks process_prompt and call_tool when sql_injection_detected is true and sql_injection_score >= 75.")
 @severity("high")
-@tags("sql-injection,security")
+@tags("category:security,threat:sql-injection,detection:pattern")
+@reject_message("Request blocked: SQL injection pattern detected — tautology, UNION attack, or destructive query.")
 forbid (
     principal,
     action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
-) when {
+)
+when {
     context has sql_injection_detected && context.sql_injection_detected == true &&
     context has sql_injection_score && context.sql_injection_score >= 75
 };

package/_schemas/guardrails/templates/defaults/semantic.cedar CHANGED

@@ -1,62 +1,78 @@
 // =============================================================================
-// Semantic Topic Enforcement Policy
+// Semantic Topic Enforcement (Default)
 // =============================================================================
-// Blocks content based on semantic topic classification. Enables per-application
-// content restrictions (e.g., medical agent cannot discuss controlled substances).
+// Blocks content based on semantic topic classification — used for
+// application-specific topic restrictions (medical, weapons, illegal
+// activity, etc.).
 //
-// Context keys used (populated by topic classifier detector):
-// - content_topics: Set<String> - Semantic topics detected in content
-// - topic_confidence: Long (0-100) - Classifier confidence score
+// Context keys consumed:
+//   - content_topics:    Set<String>
+//   - topic_confidence:  Long (0-100)
 //
-// Category: semantic
+// Compliance:
+//   - EU AI Act, ISO 42001
+//
+// Category:  trust-safety
 // Namespace: Guardrails
 // =============================================================================
-@id("semantic-block-dangerous-topics")
-@name("Block dangerous content topics")
-@description("Forbids content classified under dangerous topics such as weapons manufacturing, explosives, or illegal synthesis")
+@id("trust-safety.block-dangerous-topics")
+@name("Block dangerous topics")
+@description("Blocks process_prompt when content_topics contains weapons or explosives categories.")
 @severity("critical")
-@tags("semantic,compliance,safety")
+@tags("category:trust-safety,threat:harmful,detection:ml,compliance:eu-ai-act")
+@reject_message("Prompt blocked: content classified under a dangerous topic (weapons, explosives, illegal synthesis).")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
+)
+when {
     context has content_topics &&
-    (context.content_topics.contains("weapons_manufacturing") ||
-     context.content_topics.contains("explosive_materials") ||
-     context.content_topics.contains("illegal_synthesis"))
+    (
+        context.content_topics.contains("weapons_manufacturing") ||
+        context.content_topics.contains("explosive_materials") ||
+        context.content_topics.contains("illegal_synthesis")
+    )
 };
-@id("semantic-block-controlled-substances")
-@name("Block controlled substance content")
-@description("Forbids content discussing controlled substances, drug manufacturing, or precursor chemicals")
+@id("trust-safety.block-controlled-substances")
+@name("Block controlled substances")
+@description("Blocks process_prompt when content_topics contains controlled substances or precursor chemicals.")
 @severity("high")
-@tags("semantic,compliance,medical")
+@tags("category:trust-safety,threat:harmful,detection:ml,compliance:eu-ai-act")
+@reject_message("Prompt blocked: content discusses controlled substances or precursor chemicals.")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
+)
+when {
     context has content_topics &&
-    (context.content_topics.contains("controlled_substances") ||
-     context.content_topics.contains("drug_manufacturing") ||
-     context.content_topics.contains("precursor_chemicals"))
+    (
+        context.content_topics.contains("controlled_substances") ||
+        context.content_topics.contains("drug_manufacturing") ||
+        context.content_topics.contains("precursor_chemicals")
+    )
 };
-@id("semantic-block-high-confidence-restricted")
+@id("trust-safety.block-restricted-topics")
 @name("Block high-confidence restricted topics")
-@description("Forbids content with high-confidence classification in any restricted topic category")
+@description("Blocks process_prompt when topic_confidence >= 81 and content_topics contains a restricted category.")
 @severity("high")
-@tags("semantic,compliance")
+@tags("category:trust-safety,threat:harmful,detection:ml")
+@reject_message("Prompt blocked: content high-confidence classified into a restricted topic (illegal activity, fraud, social engineering).")
 forbid (
     principal,
     action == Guardrails::Action::"process_prompt",
     resource
-) when {
-    context has topic_confidence && context.topic_confidence > 80 &&
+)
+when {
+    context has topic_confidence && context.topic_confidence >= 81 &&
     context has content_topics &&
-    (context.content_topics.contains("illegal_activity") ||
-     context.content_topics.contains("financial_fraud") ||
-     context.content_topics.contains("social_engineering"))
+    (
+        context.content_topics.contains("illegal_activity") ||
+        context.content_topics.contains("financial_fraud") ||
+        context.content_topics.contains("social_engineering")
+    )
 };

package/_schemas/guardrails/templates/defaults/tool_risk.cedar CHANGED

@@ -1,58 +1,66 @@
 // =============================================================================
-// Tool Risk Policy
+// Tool Risk (Default)
 // =============================================================================
-// Blocks dangerous tool calls based on risk scoring.
-// Considers tool sensitivity, argument patterns, and MCP verification.
+// Blocks dangerous tool calls based on risk scoring, tool classification,
+// and well-known dangerous tool names (shell, execute_command).
 //
-// Context keys used (normalized by projection layer):
-// - tool_name: String - Name of the tool
-// - tool_risk_score: Long (0-100) - Computed risk score
-// - tool_is_sensitive: bool - Whether tool is classified as sensitive
-// - tool_category: String - "safe" | "sensitive" | "dangerous"
+// Context keys consumed:
+//   - tool_name:         String
+//   - tool_risk_score:   Long (0-100)
+//   - tool_is_sensitive: Bool
+//   - tool_category:     String ("safe" | "sensitive" | "dangerous")
 //
-// Category: agentic-security
+// Compliance:
+//   - OWASP LLM06, OWASP ASI02
+//
+// Category:  agent-security
 // Namespace: Guardrails
 // =============================================================================
-@id("tool-block-dangerous")
+@id("agent-security.block-dangerous-tool")
 @name("Block dangerous tools")
-@description("Forbids tools classified as dangerous (risk > 85)")
+@description("Blocks call_tool when tool_risk_score >= 86 or tool_category equals \"dangerous\".")
 @severity("critical")
-@tags("tools,agentic,security")
+@tags("category:agent-security,detection:aggregate,surface:call-tool,owasp:llm06,owasp:asi02")
+@reject_message("Tool execution blocked: tool is classified as dangerous or scored a high risk.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
-    (context has tool_risk_score && context.tool_risk_score > 85) ||
+)
+when {
+    (context has tool_risk_score && context.tool_risk_score >= 86) ||
     (context has tool_category && context.tool_category == "dangerous")
 };
-@id("tool-block-shell-commands")
+@id("agent-security.block-shell-commands")
 @name("Block shell command execution")
-@description("Forbids direct shell/execute_command tool calls")
+@description("Blocks call_tool when tool_name equals \"shell\" or \"execute_command\".")
 @severity("high")
-@tags("tools,shell,security")
+@tags("category:agent-security,threat:command-injection,detection:rule,surface:call-tool,mitre:t1059")
+@reject_message("Tool execution blocked: direct shell or command execution is not permitted.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has tool_name &&
-    (context.tool_name == "shell" ||
-     context.tool_name == "execute_command")
+    (context.tool_name == "shell" || context.tool_name == "execute_command")
 };
-@id("tool-block-sensitive-high-risk")
-@name("Block high-risk sensitive tools")
-@description("Forbids sensitive tool calls with elevated risk scores")
+@id("agent-security.block-sensitive-high-risk")
+@name("Block sensitive high-risk tools")
+@description("Blocks call_tool when tool_is_sensitive is true and tool_risk_score >= 71.")
 @severity("high")
-@tags("tools,agentic,security")
+@tags("category:agent-security,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: a sensitive tool was called with elevated risk score.")
 forbid (
     principal,
     action == Guardrails::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has tool_is_sensitive && context.tool_is_sensitive == true &&
-    context has tool_risk_score && context.tool_risk_score > 70
+    context has tool_risk_score && context.tool_risk_score >= 71
 };