@highflame/policy 2.1.39 → 2.1.41
- package/_schemas/ai_gateway/context.json +6 -0
- package/_schemas/ai_gateway/schema.cedarschema +3 -0
- package/_schemas/guardrails/context.json +6 -0
- package/_schemas/guardrails/schema.cedarschema +3 -0
- package/_schemas/overwatch/context.json +6 -0
- package/_schemas/overwatch/schema.cedarschema +3 -0
- package/dist/ai_gateway-context.gen.d.ts +1 -0
- package/dist/ai_gateway-context.gen.js +1 -0
- package/dist/decision-effects.gen.d.ts +8 -0
- package/dist/decision-effects.gen.js +17 -0
- package/dist/guardrails-context.gen.d.ts +1 -0
- package/dist/guardrails-context.gen.js +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.js +3 -0
- package/dist/overwatch-context.gen.d.ts +1 -0
- package/dist/overwatch-context.gen.js +1 -0
- package/dist/service-schemas.gen.d.ts +3 -3
- package/dist/service-schemas.gen.js +12 -0
- package/dist/types.d.ts +1 -0
- package/dist/types.js +3 -0
- package/package.json +1 -1
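--- a/package/_schemas/ai_gateway/context.json
+++ b/package/_schemas/ai_gateway/context.json
@@ -169,6 +169,12 @@
 "required": false,
 "description": "Built-in tool flag"
 },
+{
+"key": "tool_operation_classes",
+"type": "array",
+"required": false,
+"description": "All operation classes observed in the tool call. Subset of: 'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'. 'unknown' appears when any unrecognized or variable-expanded command was seen."
+},
 {
 "key": "mcp_server_verified",
 "type": "boolean",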
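Review bot: The description of the new `tool_operation_classes` entry leaves policy authors to guess how `'unknown'` should be handled, even though by the description's own words it covers variable-expanded commands such as `$CMD` that the classifier could not see through. A permit written as `context.tool_operation_classes.contains("readonly")` still matches a call that also carries `'execute_enabling'` or `'unknown'`, so the safe form is set equality or an explicit deny on the dangerous classes. I would extend the description with: `Policies that gate on read-only access should require the set to equal ['readonly']; treat 'unknown' as fail-closed, i.e. at least as dangerous as 'execute_enabling'.` The enclosing context array starts before this hunk.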
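--- a/package/_schemas/ai_gateway/schema.cedarschema
+++ b/package/_schemas/ai_gateway/schema.cedarschema
@@ -116,6 +116,9 @@ action call_tool appliesTo {
 tool_is_sensitive?: Bool,
 tool_is_builtin?: Bool,
 
+// --- Tool Operation Classifier ---
+tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
+
 // --- MCP Trust ---
 mcp_server_verified?: Bool, // Whether server is from verified registry
 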
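Review bot: `tool_operation_classes?` is optional, and the new comment does not say what a policy sees when the classifier did not run — an absent attribute or an empty set — which matters because Cedar treats a condition that reads a missing attribute as an evaluation error, and an erroring policy simply does not apply. A rule such as `forbid(principal, action, resource) when { context.tool_operation_classes.contains("execute_enabling") };` would therefore stop firing whenever the attribute is omitted, failing open. I would pin the contract next to the field: `// Absent (not an empty set) when no classifier ran — TODO confirm; a forbid that reads it must guard with 'context has tool_operation_classes' or treat absence as "unknown"`. The `call_tool` context record begins and ends outside this hunk.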
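--- a/package/_schemas/guardrails/context.json
+++ b/package/_schemas/guardrails/context.json
@@ -805,6 +805,12 @@
 "required": false,
 "description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks"
 },
+{
+"key": "tool_operation_classes",
+"type": "array",
+"required": false,
+"description": "All operation classes observed in the tool call. Subset of: 'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'. 'unknown' appears when any unrecognized or variable-expanded command was seen."
+},
 {
 "key": "cross_origin_detected",
 "type": "boolean",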
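Review bot: The closed vocabulary `'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'` exists only as prose inside this description, repeated word for word in the other two context.json files and the three Cedar schemas, whereas the decision-effect vocabulary shipped in this same release is generated from a single `ALLOWED_DECISION_EFFECTS` constant. If the classifier ever renames or adds a class, policies comparing against the old strings keep compiling and silently stop matching, which for a deny rule means fail-open. I would emit the class names from codegen the same way — a `ToolOperationClass` constant with its own `.gen.d.ts` — and have this description point at it; none of the visible entries carries a machine-readable enum, so I cannot tell from here whether the context schema format supports one. The enclosing context array starts before this hunk.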
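--- a/package/_schemas/guardrails/schema.cedarschema
+++ b/package/_schemas/guardrails/schema.cedarschema
@@ -338,6 +338,9 @@ namespace Guardrails {
 "mcp_risk_type"?: String, // "inline_execution" | "suspicious_url" | "cross_origin"
 "mcp_risk_score"?: Long, // 0-100
 
+// Tool Operation Classifier (optional) — populated by AST-based classifiers (bash, python, etc.)
+"tool_operation_classes"?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
+
 // Agentic - Multi-Turn Context (optional)
 "conversation_turn"?: Long,
 "multi_turn_detection"?: Bool,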
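Review bot: The new comment says the set is populated by AST-based classifiers for bash, python, etc., but not what happens when an argument cannot be parsed at all — a syntax error, a heredoc, or a language with no classifier — and the matching context.json description only promises `'unknown'` for unrecognized or variable-expanded commands, which is a different case. The distinction is security-relevant: a parse failure that yields `["unknown"]` can be denied by policy, while one that yields an absent attribute makes any forbid that reads it error out and not apply. I would add: `// Parse failure or unsupported language should still yield {"unknown"}, never an absent attribute — TODO confirm against the classifier`. The enclosing context record begins and ends outside this hunk.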
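--- a/package/_schemas/overwatch/context.json
+++ b/package/_schemas/overwatch/context.json
@@ -619,6 +619,12 @@
 "required": false,
 "description": "Whether the MCP server is from a verified registry"
 },
+{
+"key": "tool_operation_classes",
+"type": "array",
+"required": false,
+"description": "All operation classes observed in the tool call. Subset of: 'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'. 'unknown' appears when any unrecognized or variable-expanded command was seen."
+},
 {
 "key": "session_pii_detected",
 "type": "boolean",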
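Review bot: This entry declares `"type": "array"` while the Cedar side types the same key as `Set<String>`, and nothing says whether a tool call with no classifiable command produces an empty array or an omitted key — the two are not interchangeable for policy authors (`context has tool_operation_classes` versus an empty-set comparison), and array order and duplicates are meaningless once the value becomes a set. I would make the description explicit, adjusting to whichever half the producer implements: `Unordered and deduplicated; the key is omitted entirely (not an empty array) when no classifier ran.` The enclosing context array starts before this hunk.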
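--- a/package/_schemas/overwatch/schema.cedarschema
+++ b/package/_schemas/overwatch/schema.cedarschema
@@ -237,6 +237,9 @@ action call_tool appliesTo {
 // --- MCP Trust ---
 mcp_server_verified?: Bool, // Whether server is from verified registry
 
+// --- Tool Operation Classifier ---
+tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
+
 // --- Session Detection History (cross-turn sticky flags) ---
 session_pii_detected?: Bool,
 session_pii_types?: Set<String>,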
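Review bot: The inline comment on `tool_operation_classes?` drops the `'unknown'` semantics that the matching context.json spells out, so an author reading only the Cedar schema never learns that `'unknown'` means an unrecognized or variable-expanded command was present — the one value a least-privilege policy most needs to treat as non-readonly. This schema also places the block after `// --- MCP Trust ---` while the ai_gateway schema in the same release inserts it before that section, which makes the three schemas harder to diff against each other. I would extend the comment: `// "unknown" = an unrecognized or variable-expanded command was seen; treat as non-readonly`, and keep the section order identical across the schemas. The `call_tool` context record continues beyond this hunk.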
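--- a/package/dist/ai_gateway-context.gen.d.ts
+++ b/package/dist/ai_gateway-context.gen.d.ts
@@ -58,6 +58,7 @@ export declare const AiGatewayContextKey: {
 readonly ToolIsBuiltin: "tool_is_builtin";
 readonly ToolIsSensitive: "tool_is_sensitive";
 readonly ToolName: "tool_name";
+readonly ToolOperationClasses: "tool_operation_classes";
 readonly ToolPoisoningDetected: "tool_poisoning_detected";
 readonly ToolPoisoningScore: "tool_poisoning_score";
 readonly ToolRiskScore: "tool_risk_score";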
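--- a/package/dist/ai_gateway-context.gen.js
+++ b/package/dist/ai_gateway-context.gen.js
@@ -60,6 +60,7 @@ export const AiGatewayContextKey = {
 ToolIsBuiltin: 'tool_is_builtin',
 ToolIsSensitive: 'tool_is_sensitive',
 ToolName: 'tool_name',
+ToolOperationClasses: 'tool_operation_classes',
 ToolPoisoningDetected: 'tool_poisoning_detected',
 ToolPoisoningScore: 'tool_poisoning_score',
 ToolRiskScore: 'tool_risk_score',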
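--- /dev/null
+++ b/package/dist/decision-effects.gen.d.ts
@@ -0,0 +1,8 @@
+export declare const DecisionEffect: {
+readonly StepUp: "step_up";
+readonly Defer: "defer";
+readonly Modify: "modify";
+};
+export type DecisionEffect = (typeof DecisionEffect)[keyof typeof DecisionEffect];
+/** Every legal decision effect, in canonical order. */
+export declare const AllDecisionEffects: DecisionEffect[];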
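--- /dev/null
+++ b/package/dist/decision-effects.gen.js
@@ -0,0 +1,17 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: ALLOWED_DECISION_EFFECTS in codegen/src/lib.rs
+//
+// Canonical decision-effect vocabulary. Studio's policy editor and any
+// other TypeScript consumer should import these symbols rather than
+// hard-coding the string literals.
+export const DecisionEffect = {
+StepUp: "step_up",
+Defer: "defer",
+Modify: "modify",
+};
+/** Every legal decision effect, in canonical order. */
+export const AllDecisionEffects = [
+DecisionEffect.StepUp,
+DecisionEffect.Defer,
+DecisionEffect.Modify,
+];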
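--- a/package/dist/guardrails-context.gen.d.ts
+++ b/package/dist/guardrails-context.gen.d.ts
@@ -111,6 +111,7 @@ export declare const GuardrailsContextKey: {
 readonly ToolIsBuiltin: "tool_is_builtin";
 readonly ToolIsSensitive: "tool_is_sensitive";
 readonly ToolName: "tool_name";
+readonly ToolOperationClasses: "tool_operation_classes";
 readonly ToolPoisoningDetected: "tool_poisoning_detected";
 readonly ToolPoisoningScore: "tool_poisoning_score";
 readonly ToolPoisoningType: "tool_poisoning_type";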
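--- a/package/dist/guardrails-context.gen.js
+++ b/package/dist/guardrails-context.gen.js
@@ -113,6 +113,7 @@ export const GuardrailsContextKey = {
 ToolIsBuiltin: 'tool_is_builtin',
 ToolIsSensitive: 'tool_is_sensitive',
 ToolName: 'tool_name',
+ToolOperationClasses: 'tool_operation_classes',
 ToolPoisoningDetected: 'tool_poisoning_detected',
 ToolPoisoningScore: 'tool_poisoning_score',
 ToolPoisoningType: 'tool_poisoning_type',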
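--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -2,6 +2,7 @@ export * from './entities.gen.js';
 export * from './actions.gen.js';
 export * from './context.gen.js';
 export * from './schema.gen.js';
+export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
 export * from './engine.js';
 export * from './builder.js';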
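--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -7,6 +7,9 @@ export * from './entities.gen.js';
 export * from './actions.gen.js';
 export * from './context.gen.js';
 export * from './schema.gen.js';
+// Canonical decision-effect vocabulary (AARM R4 Wave A). Always emitted —
+// source is ALLOWED_DECISION_EFFECTS in codegen/src/lib.rs, not annotations.json.
+export * from './decision-effects.gen.js';
 // AARM-aware annotation registry (typed Cedar annotation vocabulary
 // Shield interprets at decision time; Studio/Admin use for lint).
 export * from './aarm-annotations.gen.js';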
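Review bot: The barrel now re-exports `AllDecisionEffects` and `DecisionEffect` from the generated module, where the array is declared as a mutable `DecisionEffect[]` and built as a plain array literal, so any consumer can `push` an extra effect or reassign `DecisionEffect.Modify` and every other importer of `@highflame/policy` sees the altered vocabulary. For a list that is described as canonical and that Studio's editor is meant to validate against, that is an integrity gap rather than a style nit. The module is codegen output, so the fix belongs in the template: `Object.freeze` both values and emit `readonly DecisionEffect[]` in the `.d.ts`; the re-export line itself is fine. The `(AARM R4 Wave A)` tag in the new comment is internal release jargon that means nothing to package consumers and is worth expanding or dropping.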
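--- a/package/dist/overwatch-context.gen.d.ts
+++ b/package/dist/overwatch-context.gen.d.ts
@@ -67,6 +67,7 @@ export declare const OverwatchContextKey: {
 readonly ToolIsBuiltin: "tool_is_builtin";
 readonly ToolIsSensitive: "tool_is_sensitive";
 readonly ToolName: "tool_name";
+readonly ToolOperationClasses: "tool_operation_classes";
 readonly ToolPoisoningDetected: "tool_poisoning_detected";
 readonly ToolPoisoningScore: "tool_poisoning_score";
 readonly ToolRiskScore: "tool_risk_score";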
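--- a/package/dist/overwatch-context.gen.js
+++ b/package/dist/overwatch-context.gen.js
@@ -69,6 +69,7 @@ export const OverwatchContextKey = {
 ToolIsBuiltin: 'tool_is_builtin',
 ToolIsSensitive: 'tool_is_sensitive',
 ToolName: 'tool_name',
+ToolOperationClasses: 'tool_operation_classes',
 ToolPoisoningDetected: 'tool_poisoning_detected',
 ToolPoisoningScore: 'tool_poisoning_score',
 ToolRiskScore: 'tool_risk_score',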
@@ -3,19 +3,19 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Full Cedar schema for ai_gateway, embedded at codegen time.
|
|
5
5
|
*/
|
|
6
|
-
export declare const AI_GATEWAY_SCHEMA = "// AIGateway Cedar Schema\n// ===================================\n// AI Gateway Security & Policy Enforcement\n//\n// AIGateway protects both MCP proxy operations (tool calls, server connections)\n// and LLM chat completions (prompt processing) by evaluating threats detected\n// by the Shield detection engine pipeline against Cedar policies.\n//\n// Architecture:\n// MCP/LLM Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny\n//\n// Threat Coverage:\n// - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)\n// - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)\n// - OWASP MCP Top 10 (MCP01-MCP05)\n\nnamespace AIGateway {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// AIGateway does not use App/Session hierarchy.\n//\n// Entity hierarchy:\n// Account (org root)\n// -> Project in [Account]\n// -> Tool/Server in [Project]\n//\n// Policy scoping examples:\n// resource == AIGateway::Tool::\"get_me\" -> specific tool\n// resource in AIGateway::Project::\"<uuid>\" -> project-wide\n// resource in AIGateway::Account::\"<uuid>\" -> org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user authenticated via JWT or API key\nentity User;\n\n/// MCP client (default principal for unauthenticated requests)\nentity MCP_Client;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// 
=============================================================================\n\n/// MCP tool -- resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server -- resource for connect_server action\nentity Server in [Project];\n\n/// MCP prompt -- resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// File/resource path -- resource for read_file/write_file actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Call an MCP tool\n// Threat focus: command injection, tool poisoning, rug pull, secrets, PII\naction call_tool appliesTo {\n principal: [User, MCP_Client],\n resource: [Tool],\n context: {\n // --- Content ---\n content: String, // Raw content being scanned\n\n // --- Tool & MCP ---\n tool_name?: String, // Tool name\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // --- Threat Detection (from Shield detection pipeline) ---\n threat_count?: Long, // Total threats detected\n highest_severity?: String, // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n threat_categories?: Set<String>, // Threat category names\n detected_threats?: Set<String>, // Detection rule names that matched\n max_threat_severity?: Long, // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n secrets_detected?: Bool, // Whether secrets/credentials detected\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n injection_score?: Long, // Prompt injection classifier confidence\n jailbreak_score?: Long, // Jailbreak detection classifier confidence\n\n // --- Agent Security (0-100) ---\n tool_poisoning_score?: Long, // Hidden instructions in 
tool description/args\n tool_poisoning_detected?: Bool,\n rug_pull_score?: Long, // Tool behavior drift after trust establishment\n rug_pull_detected?: Bool,\n indirect_injection_score?: Long, // Indirect injection via tool output\n\n // --- Tool Risk Assessment ---\n tool_risk_score?: Long, // Computed tool risk (0-100)\n tool_category?: String, // \"safe\", \"sensitive\", \"dangerous\"\n tool_is_sensitive?: Bool,\n tool_is_builtin?: Bool,\n\n // --- MCP Trust ---\n mcp_server_verified?: Bool, // Whether server is from verified registry\n\n // --- Content Safety Scores (0-100) ---\n violence_score?: Long,\n weapons_score?: Long,\n hate_speech_score?: Long,\n crime_score?: Long,\n sexual_score?: Long,\n profanity_score?: Long,\n\n // --- Encoding & Unicode Attacks ---\n invisible_chars_detected?: Bool,\n invisible_chars_score?: Long,\n\n // --- Behavioral Analysis ---\n loop_detected?: Bool,\n loop_count?: Long,\n loop_tool?: String,\n suspicious_pattern?: Bool,\n pattern_type?: String,\n sequence_risk?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n 
session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n principal: [User, MCP_Client],\n resource: [Server],\n context: {\n content?: String, // Server config content (if available)\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // --- Agent Security (0-100) ---\n tool_poisoning_score?: Long,\n tool_poisoning_detected?: Bool,\n rug_pull_score?: Long,\n rug_pull_detected?: Bool,\n indirect_injection_score?: Long,\n\n // --- Secrets ---\n secrets_detected?: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- MCP Trust & Config Risk ---\n mcp_server_verified?: Bool,\n mcp_config_risk?: Bool,\n mcp_risk_score?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n 
session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Process a prompt (MCP prompts/get or LLM chat completions)\n// Threat focus: injection, jailbreak, secrets, PII, content safety\naction process_prompt appliesTo {\n principal: [User, MCP_Client],\n resource: [LlmPrompt],\n context: {\n content: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n injection_score?: Long,\n jailbreak_score?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score?: Long,\n weapons_score?: Long,\n hate_speech_score?: Long,\n crime_score?: Long,\n sexual_score?: Long,\n profanity_score?: 
Long,\n\n // --- Encoding ---\n invisible_chars_detected?: Bool,\n invisible_chars_score?: Long,\n\n // --- LLM-specific ---\n model_name?: String, // Target model name (e.g., \"gpt-4\", \"claude-3-opus\")\n model_provider?: String, // Provider name (e.g., \"openai\", \"anthropic\", \"bedrock\")\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Read an MCP resource (resources/read, resources/list)\n// Threat focus: secrets exposure, PII exposure, sensitive paths\naction read_file appliesTo {\n principal: [User, MCP_Client],\n resource: 
[FilePath],\n context: {\n content: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Write an MCP 
resource (resources/write)\n// Threat focus: secrets in output, PII in output\naction write_file appliesTo {\n principal: [User, MCP_Client],\n resource: [FilePath],\n context: {\n content: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n 
budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n}\n";
|
|
6
|
+
export declare const AI_GATEWAY_SCHEMA = "// AIGateway Cedar Schema\n// ===================================\n// AI Gateway Security & Policy Enforcement\n//\n// AIGateway protects both MCP proxy operations (tool calls, server connections)\n// and LLM chat completions (prompt processing) by evaluating threats detected\n// by the Shield detection engine pipeline against Cedar policies.\n//\n// Architecture:\n// MCP/LLM Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny\n//\n// Threat Coverage:\n// - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)\n// - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)\n// - OWASP MCP Top 10 (MCP01-MCP05)\n\nnamespace AIGateway {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// AIGateway does not use App/Session hierarchy.\n//\n// Entity hierarchy:\n// Account (org root)\n// -> Project in [Account]\n// -> Tool/Server in [Project]\n//\n// Policy scoping examples:\n// resource == AIGateway::Tool::\"get_me\" -> specific tool\n// resource in AIGateway::Project::\"<uuid>\" -> project-wide\n// resource in AIGateway::Account::\"<uuid>\" -> org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// =============================================================================\n\n/// Human user authenticated via JWT or API key\nentity User;\n\n/// MCP client (default principal for unauthenticated requests)\nentity MCP_Client;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// 
=============================================================================\n\n/// MCP tool -- resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server -- resource for connect_server action\nentity Server in [Project];\n\n/// MCP prompt -- resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// File/resource path -- resource for read_file/write_file actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// Call an MCP tool\n// Threat focus: command injection, tool poisoning, rug pull, secrets, PII\naction call_tool appliesTo {\n principal: [User, MCP_Client],\n resource: [Tool],\n context: {\n // --- Content ---\n content: String, // Raw content being scanned\n\n // --- Tool & MCP ---\n tool_name?: String, // Tool name\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // --- Threat Detection (from Shield detection pipeline) ---\n threat_count?: Long, // Total threats detected\n highest_severity?: String, // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n threat_categories?: Set<String>, // Threat category names\n detected_threats?: Set<String>, // Detection rule names that matched\n max_threat_severity?: Long, // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)\n secrets_detected?: Bool, // Whether secrets/credentials detected\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n injection_score?: Long, // Prompt injection classifier confidence\n jailbreak_score?: Long, // Jailbreak detection classifier confidence\n\n // --- Agent Security (0-100) ---\n tool_poisoning_score?: Long, // Hidden instructions in 
tool description/args\n tool_poisoning_detected?: Bool,\n rug_pull_score?: Long, // Tool behavior drift after trust establishment\n rug_pull_detected?: Bool,\n indirect_injection_score?: Long, // Indirect injection via tool output\n\n // --- Tool Risk Assessment ---\n tool_risk_score?: Long, // Computed tool risk (0-100)\n tool_category?: String, // \"safe\", \"sensitive\", \"dangerous\"\n tool_is_sensitive?: Bool,\n tool_is_builtin?: Bool,\n\n // --- Tool Operation Classifier ---\n tool_operation_classes?: Set<String>, // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n // --- MCP Trust ---\n mcp_server_verified?: Bool, // Whether server is from verified registry\n\n // --- Content Safety Scores (0-100) ---\n violence_score?: Long,\n weapons_score?: Long,\n hate_speech_score?: Long,\n crime_score?: Long,\n sexual_score?: Long,\n profanity_score?: Long,\n\n // --- Encoding & Unicode Attacks ---\n invisible_chars_detected?: Bool,\n invisible_chars_score?: Long,\n\n // --- Behavioral Analysis ---\n loop_detected?: Bool,\n loop_count?: Long,\n loop_tool?: String,\n suspicious_pattern?: Bool,\n pattern_type?: String,\n sequence_risk?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session 
turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n principal: [User, MCP_Client],\n resource: [Server],\n context: {\n content?: String, // Server config content (if available)\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // --- Agent Security (0-100) ---\n tool_poisoning_score?: Long,\n tool_poisoning_detected?: Bool,\n rug_pull_score?: Long,\n rug_pull_detected?: Bool,\n indirect_injection_score?: Long,\n\n // --- Secrets ---\n secrets_detected?: Bool,\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- MCP Trust & Config Risk ---\n mcp_server_verified?: Bool,\n mcp_config_risk?: Bool,\n mcp_risk_score?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command 
injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Process a prompt (MCP prompts/get or LLM chat completions)\n// Threat focus: injection, jailbreak, secrets, PII, content safety\naction process_prompt appliesTo {\n principal: [User, MCP_Client],\n resource: [LlmPrompt],\n context: {\n content: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n injection_score?: Long,\n jailbreak_score?: Long,\n\n // --- Content 
Safety Scores (0-100) ---\n violence_score?: Long,\n weapons_score?: Long,\n hate_speech_score?: Long,\n crime_score?: Long,\n sexual_score?: Long,\n profanity_score?: Long,\n\n // --- Encoding ---\n invisible_chars_detected?: Bool,\n invisible_chars_score?: Long,\n\n // --- LLM-specific ---\n model_name?: String, // Target model name (e.g., \"gpt-4\", \"claude-3-opus\")\n model_provider?: String, // Provider name (e.g., \"openai\", \"anthropic\", \"bedrock\")\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Read an MCP resource 
(resources/read, resources/list)\n// Threat focus: secrets exposure, PII exposure, sensitive paths\naction read_file appliesTo {\n principal: [User, MCP_Client],\n resource: [FilePath],\n context: {\n content: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: 
Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n// Write an MCP resource (resources/write)\n// Threat focus: secrets in output, PII in output\naction write_file appliesTo {\n principal: [User, MCP_Client],\n resource: [FilePath],\n context: {\n content: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n pii_score?: Long,\n\n // --- Session-Aware Threat Aggregation ---\n session_threat_turns?: Long, // Count of turns with detected threats\n session_cumulative_risk_score?: Long, // Accumulated risk across turns\n session_injection_detected?: Bool, // Injection seen in any prior turn\n session_command_injection?: Bool, // Command injection seen in any prior turn\n session_pii_detected?: Bool, // PII seen in any prior turn\n session_pii_types?: Set<String>, // PII types accumulated across session\n session_secrets_detected?: Bool, // Secrets seen in any prior turn\n session_secret_types?: Set<String>, // Secret types accumulated across session\n session_max_injection_score?: Long, // Max injection score across session turns\n session_max_jailbreak_score?: Long, // Max jailbreak score across session turns\n session_max_command_injection_score?: Long, // Max command-injection score across session turns\n session_max_pii_score?: Long, // Max pii score across session turns\n session_max_secret_score?: Long, // Max secret score across session turns\n\n // --- Usage Budget (multi-window, multi-dimension) ---\n budget_remaining_pct?: Long,\n budget_exceeded?: Bool,\n budget_cost_micros_this_turn?: Long,\n 
budget_model?: String,\n budget_tokens_pct_session?: Long,\n budget_tokens_pct_daily?: Long,\n budget_tokens_pct_monthly?: Long,\n budget_cost_pct_daily?: Long,\n budget_cost_pct_monthly?: Long,\n budget_exceeded_session?: Bool,\n budget_exceeded_daily?: Bool,\n budget_exceeded_monthly?: Bool,\n },\n};\n\n}\n";
|
|
7
7
|
/**
|
|
8
8
|
* Guardrails Cedar schema
|
|
9
9
|
*
|
|
10
10
|
* Full Cedar schema for guardrails, embedded at codegen time.
|
|
11
11
|
*/
|
|
12
|
-
export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u251C\u2500\u2500 App in [Project]\n // \u2502 \u2514\u2500\u2500 Session in [App, Agent]\n // \u2514\u2500\u2500 Agent in [Project]\n // \u2514\u2500\u2500 Session in [App, Agent]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped (app only)\n // resource == Guardrails::Agent::\"<agent_id>\" \u2192 agent-only (exact match)\n // resource in Guardrails::Agent::\"<agent_id>\" \u2192 agent + its sessions\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide (apps + agents)\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) 
making requests.\n /// Used as both principal (who is acting) and resource (policy scoping target).\n /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n /// Agent only: resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n entity Agent in [Project];\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking.\n /// Sessions can belong to either an App or an Agent.\n entity Session in [App, Agent];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Agent, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n 
\"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_score\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_score\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"invisible_chars_detected\"?: 
Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n 
\"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n // and user/app/project/account dimensions. Percentages are 0-100.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: Long, // Cost of this request in microdollars (USD * 1e6)\n \"budget_model\"?: String, // Model name used for cost calculation\n \"budget_tokens_pct_session\"?: Long, // Session token usage % (0-100)\n \"budget_tokens_pct_daily\"?: Long, // Daily token usage % (0-100)\n \"budget_tokens_pct_monthly\"?: Long, // Monthly token usage % (0-100)\n \"budget_cost_pct_daily\"?: Long, // Daily cost usage % (0-100)\n \"budget_cost_pct_monthly\"?: Long, // Monthly cost usage % (0-100)\n \"budget_exceeded_session\"?: Bool, // Session-scoped budget exceeded\n \"budget_exceeded_daily\"?: Bool, // Any daily-scoped budget exceeded\n \"budget_exceeded_monthly\"?: Bool, // Any monthly-scoped budget exceeded\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with 
agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: 
Long, // Cost of this request in microdollars\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_score\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // 
Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n 
\"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n 
\"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n 
\"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n 
\"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
12
+
export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u251C\u2500\u2500 App in [Project]\n // \u2502 \u2514\u2500\u2500 Session in [App, Agent]\n // \u2514\u2500\u2500 Agent in [Project]\n // \u2514\u2500\u2500 Session in [App, Agent]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped (app only)\n // resource == Guardrails::Agent::\"<agent_id>\" \u2192 agent-only (exact match)\n // resource in Guardrails::Agent::\"<agent_id>\" \u2192 agent + its sessions\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide (apps + agents)\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) 
making requests.\n /// Used as both principal (who is acting) and resource (policy scoping target).\n /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n /// Agent only: resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n entity Agent in [Project];\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking.\n /// Sessions can belong to either an App or an Agent.\n entity Session in [App, Agent];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Agent, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n 
\"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_score\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_score\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"invisible_chars_detected\"?: 
Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n 
\"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n // and user/app/project/account dimensions. Percentages are 0-100.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: Long, // Cost of this request in microdollars (USD * 1e6)\n \"budget_model\"?: String, // Model name used for cost calculation\n \"budget_tokens_pct_session\"?: Long, // Session token usage % (0-100)\n \"budget_tokens_pct_daily\"?: Long, // Daily token usage % (0-100)\n \"budget_tokens_pct_monthly\"?: Long, // Monthly token usage % (0-100)\n \"budget_cost_pct_daily\"?: Long, // Daily cost usage % (0-100)\n \"budget_cost_pct_monthly\"?: Long, // Monthly cost usage % (0-100)\n \"budget_exceeded_session\"?: Bool, // Session-scoped budget exceeded\n \"budget_exceeded_daily\"?: Bool, // Any daily-scoped budget exceeded\n \"budget_exceeded_monthly\"?: Bool, // Any monthly-scoped budget exceeded\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with 
agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: 
Long, // Cost of this request in microdollars\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_score\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // 
Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Tool Operation Classifier (optional) \u2014 populated by AST-based classifiers (bash, python, etc.)\n \"tool_operation_classes\"?: Set<String>, // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n 
\"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n 
\"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: 
Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: 
Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
|
|
13
13
|
/**
|
|
14
14
|
* Overwatch Cedar schema
|
|
15
15
|
*
|
|
16
16
|
* Full Cedar schema for overwatch, embedded at codegen time.
|
|
17
17
|
*/
|
|
18
|
-
export declare const OVERWATCH_SCHEMA = "// Overwatch Cedar Schema\n// ===================================\n// IDE Agent Security & Policy Enforcement\n//\n// Overwatch protects IDE agent operations (prompts, tool calls, file access, MCP connections)\n// by evaluating threats detected by the detection engine pipeline against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 Detection Engine \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n//\n// Threat Coverage:\n// - OWASP Top 10 for LLM Applications 2025 (LLM01-LLM10)\n// - OWASP Top 10 for Agentic Applications (ASI01-ASI10)\n// - OWASP MCP Top 10 (MCP01-MCP05)\n// - MITRE ATLAS Agent Techniques (AML.T0051, AML.T0080-T0082)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails entity hierarchy (Account \u2192 Project).\n// Overwatch does not have app-specific policies, so App is omitted.\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n// Account (org root)\n// \u2514\u2500\u2500 Project in [Account]\n// \u2514\u2500\u2500 Tool/Server/FilePath/LlmPrompt in [Project]\n//\n// Policy scoping examples:\n// resource == Overwatch::Tool::\"shell\" \u2192 specific tool\n// resource in Overwatch::Project::\"<uuid>\" \u2192 project-wide\n// resource in Overwatch::Account::\"<uuid>\" \u2192 org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// 
=============================================================================\n\n/// Human user or service account making requests to the IDE\nentity User;\n\n/// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// LLM prompt or session \u2014 resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// MCP tool or native IDE tool \u2014 resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server \u2014 resource for connect_server action\nentity Server in [Project];\n\n/// File system path \u2014 resource for read_file/write_file/call_tool actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\n// Threat focus: injection, jailbreak, secrets, PII, content safety, invisible chars\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // --- Event & Source ---\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // --- Workspace ---\n cwd?: String, // Current working directory\n workspace_root?: String, // Workspace/repository root\n\n // --- Threat Detection (from detection engine pipeline) ---\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n threat_categories: Set<String>, // Threat category names\n detected_threats: Set<String>, // Detection rule names that matched\n max_threat_severity: Long, // Numeric severity (0=none, 
1=low, 2=medium, 3=high, 4=critical)\n secrets_detected: Bool, // Whether secrets/credentials detected\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>, // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n secret_count?: Long, // Number of distinct secrets found\n\n // --- PII Detection ---\n pii_detected?: Bool, // Whether any PII patterns matched\n pii_types?: Set<String>, // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n pii_count?: Long, // Number of PII matches\n\n // --- Encoding & Unicode Attacks ---\n invisible_chars_detected?: Bool, // Zero-width chars, bidi overrides, tag chars detected\n invisible_chars_score?: Long, // Unicode attack severity (0-100)\n\n // --- Content Safety Scores (0-100, from ML classifiers) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n pii_score: Long, // PII detection classifier confidence\n injection_score: Long, // Combined injection confidence: MAX(pulse, deep_context)\n jailbreak_score: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n injection_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n jailbreak_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n\n // --- Agent Security (0-100) ---\n indirect_injection_score: Long, // Indirect prompt injection risk (OWASP LLM01, ASI01)\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: 
Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Legacy ---\n prompt_text?: String, // Same as content (backward compatibility)\n response_content?: String, // Response content (if available)\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\n// Threat focus: command injection, tool poisoning, rug pull, data exfiltration, loops\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // --- Event & Source ---\n content: String, // Raw content being scanned (e.g., shell command, tool args)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // --- Tool & MCP ---\n tool_name?: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // --- File & Path ---\n path?: String, // File path (if file operation)\n\n // --- Workspace ---\n cwd?: String,\n workspace_root?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n\n // --- Encoding & Unicode Attacks ---\n invisible_chars_detected?: Bool,\n invisible_chars_score?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score?: Long,\n weapons_score?: Long,\n hate_speech_score?: Long,\n crime_score?: Long,\n sexual_score?: Long,\n profanity_score?: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n pii_score?: Long,\n injection_score?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n jailbreak_score?: Long, // 
Combined jailbreak confidence: MAX(pulse, deep_context)\n injection_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n jailbreak_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n\n // --- Agent Security (0-100) --- (OWASP ASI01, ASI02, ASI04; MITRE AML.T0051)\n tool_poisoning_score?: Long, // Hidden instructions in tool description/args\n tool_poisoning_detected?: Bool, // Boolean flag for tool poisoning\n rug_pull_score?: Long, // Tool behavior drift after trust establishment\n rug_pull_detected?: Bool, // Boolean flag for rug pull\n indirect_injection_score?: Long, // Indirect injection via tool output\n\n // --- Tool Risk Assessment ---\n tool_risk_score?: Long, // Computed tool risk (0-100)\n tool_category?: String, // \"safe\", \"sensitive\", \"dangerous\"\n tool_is_sensitive?: Bool, // Sensitivity classification\n tool_is_builtin?: Bool, // Built-in IDE tool vs MCP tool\n\n // --- Behavioral Analysis --- (OWASP LLM10, ASI02, ASI08)\n loop_detected?: Bool, // Consecutive same-tool call loop\n loop_count?: Long, // Number of consecutive repeat calls\n loop_tool?: String, // Tool name in loop\n suspicious_pattern?: Bool, // Data exfiltration or attack sequence detected\n pattern_type?: String, // \"data_exfiltration\", \"secret_exfiltration\", \"credential_theft\", \"destructive_sequence\"\n sequence_risk?: Long, // Sequence risk score (0-100)\n\n // --- MCP Trust ---\n mcp_server_verified?: Bool, // Whether server is from verified registry\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n 
session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Legacy ---\n response_content?: String,\n },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content?: String, // Server config content (if available)\n source: String,\n event: String,\n user_email: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // --- Agent Security (0-100) --- (OWASP ASI04, MCP01-MCP05)\n tool_poisoning_score?: Long, // Poisoned tool descriptions in server\n tool_poisoning_detected?: Bool,\n rug_pull_score?: Long, // Server behavior change after approval\n rug_pull_detected?: Bool,\n indirect_injection_score?: Long, // Injection payloads in server responses\n\n // --- MCP Trust & Config Risk ---\n mcp_server_verified?: Bool, // Verified registry status\n mcp_config_risk?: Bool, // Risky server config detected (inline code exec, etc.)\n mcp_risk_score?: Long, // Config risk severity (0-100)\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n },\n};\n\n// Read a file from disk\n// Threat focus: secrets exposure, PII exposure, path traversal, sensitive paths\naction read_file 
appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Agent Security ---\n indirect_injection_score?: Long, // Indirect injection via file content\n },\n};\n\n// Write a file to disk\n// Threat focus: secrets in output, PII in output, sensitive paths, malicious code\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: 
Long,\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Agent Security ---\n indirect_injection_score?: Long, // Indirect injection via file content\n },\n};\n\n}\n";
|
|
18
|
+
export declare const OVERWATCH_SCHEMA = "// Overwatch Cedar Schema\n// ===================================\n// IDE Agent Security & Policy Enforcement\n//\n// Overwatch protects IDE agent operations (prompts, tool calls, file access, MCP connections)\n// by evaluating threats detected by the detection engine pipeline against Cedar policies.\n//\n// Architecture:\n// User/Agent \u2192 IDE Hook \u2192 Detection Engine \u2192 Cedar Policy \u2192 Allow/Deny\n//\n// Supported IDEs:\n// - Cursor (beforeSubmitPrompt, beforeShellExecution, beforeMCPExecution, etc.)\n// - Claude Code (UserPromptSubmit, PreToolUse)\n// - GitHub Copilot (userPromptSubmitted, preToolUse)\n//\n// Threat Coverage:\n// - OWASP Top 10 for LLM Applications 2025 (LLM01-LLM10)\n// - OWASP Top 10 for Agentic Applications (ASI01-ASI10)\n// - OWASP MCP Top 10 (MCP01-MCP05)\n// - MITRE ATLAS Agent Techniques (AML.T0051, AML.T0080-T0082)\n\nnamespace Overwatch {\n\n// =============================================================================\n// ENTITIES - Tenant Hierarchy (ReBAC)\n// =============================================================================\n// Aligned with Guardrails entity hierarchy (Account \u2192 Project).\n// Overwatch does not have app-specific policies, so App is omitted.\n//\n// Entity hierarchy enables Cedar's `in` operator for policy scoping:\n// Account (org root)\n// \u2514\u2500\u2500 Project in [Account]\n// \u2514\u2500\u2500 Tool/Server/FilePath/LlmPrompt in [Project]\n//\n// Policy scoping examples:\n// resource == Overwatch::Tool::\"shell\" \u2192 specific tool\n// resource in Overwatch::Project::\"<uuid>\" \u2192 project-wide\n// resource in Overwatch::Account::\"<uuid>\" \u2192 org-wide\n\n/// Account represents an organization (top-level tenant)\nentity Account;\n\n/// Project represents a project within an account\nentity Project in [Account];\n\n// =============================================================================\n// ENTITIES - Principals\n// 
=============================================================================\n\n/// Human user or service account making requests to the IDE\nentity User;\n\n/// AI agent (Claude, GitHub Copilot, etc.)\nentity Agent;\n\n// =============================================================================\n// ENTITIES - Resources (scoped under Project)\n// =============================================================================\n\n/// LLM prompt or session \u2014 resource for process_prompt action\nentity LlmPrompt in [Project];\n\n/// MCP tool or native IDE tool \u2014 resource for call_tool action\nentity Tool in [Project];\n\n/// MCP server \u2014 resource for connect_server action\nentity Server in [Project];\n\n/// File system path \u2014 resource for read_file/write_file/call_tool actions\nentity FilePath in [Project];\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\n// User submits a prompt or receives AI response\n// Threat focus: injection, jailbreak, secrets, PII, content safety, invisible chars\naction process_prompt appliesTo {\n principal: [User, Agent],\n resource: [LlmPrompt],\n context: {\n // --- Event & Source ---\n content: String, // Raw content being scanned\n source: String, // IDE source: \"cursor\", \"claudecode\", \"github_copilot\"\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // --- Workspace ---\n cwd?: String, // Current working directory\n workspace_root?: String, // Workspace/repository root\n\n // --- Threat Detection (from detection engine pipeline) ---\n threat_count: Long, // Total threats detected\n highest_severity: String, // \"critical\", \"high\", \"medium\", \"low\", \"none\"\n threat_categories: Set<String>, // Threat category names\n detected_threats: Set<String>, // Detection rule names that matched\n max_threat_severity: Long, // Numeric severity (0=none, 
1=low, 2=medium, 3=high, 4=critical)\n secrets_detected: Bool, // Whether secrets/credentials detected\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>, // Types: \"aws_access_key\", \"github_token\", \"ssh_private_key\", etc.\n secret_count?: Long, // Number of distinct secrets found\n\n // --- PII Detection ---\n pii_detected?: Bool, // Whether any PII patterns matched\n pii_types?: Set<String>, // Types: \"ssn\", \"credit_card\", \"email\", \"phone\", etc.\n pii_count?: Long, // Number of PII matches\n\n // --- Encoding & Unicode Attacks ---\n invisible_chars_detected?: Bool, // Zero-width chars, bidi overrides, tag chars detected\n invisible_chars_score?: Long, // Unicode attack severity (0-100)\n\n // --- Content Safety Scores (0-100, from ML classifiers) ---\n violence_score: Long,\n weapons_score: Long,\n hate_speech_score: Long,\n crime_score: Long,\n sexual_score: Long,\n profanity_score: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n pii_score: Long, // PII detection classifier confidence\n injection_score: Long, // Combined injection confidence: MAX(pulse, deep_context)\n jailbreak_score: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n injection_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n jailbreak_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n\n // --- Agent Security (0-100) ---\n indirect_injection_score: Long, // Indirect prompt injection risk (OWASP LLM01, ASI01)\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: 
Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Legacy ---\n prompt_text?: String, // Same as content (backward compatibility)\n response_content?: String, // Response content (if available)\n },\n};\n\n// User calls a tool (native IDE tool or MCP tool)\n// Threat focus: command injection, tool poisoning, rug pull, data exfiltration, loops\naction call_tool appliesTo {\n principal: [User, Agent],\n resource: [Tool, FilePath],\n context: {\n // --- Event & Source ---\n content: String, // Raw content being scanned (e.g., shell command, tool args)\n source: String, // IDE source\n event: String, // Hook event name\n user_email: String, // User identifier\n\n // --- Tool & MCP ---\n tool_name?: String, // Normalized tool name (\"shell\", \"read_file\", etc.)\n mcp_server?: String, // MCP server name\n mcp_tool?: String, // MCP tool name\n\n // --- File & Path ---\n path?: String, // File path (if file operation)\n\n // --- Workspace ---\n cwd?: String,\n workspace_root?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n\n // --- Encoding & Unicode Attacks ---\n invisible_chars_detected?: Bool,\n invisible_chars_score?: Long,\n\n // --- Content Safety Scores (0-100) ---\n violence_score?: Long,\n weapons_score?: Long,\n hate_speech_score?: Long,\n crime_score?: Long,\n sexual_score?: Long,\n profanity_score?: Long,\n\n // --- ML Detector Confidence Scores (0-100) ---\n pii_score?: Long,\n injection_score?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n jailbreak_score?: Long, // 
Combined jailbreak confidence: MAX(pulse, deep_context)\n injection_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n jailbreak_pulse_score?: Long, // 0-100 Pulse single-turn classifier\n jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn\n\n // --- Agent Security (0-100) --- (OWASP ASI01, ASI02, ASI04; MITRE AML.T0051)\n tool_poisoning_score?: Long, // Hidden instructions in tool description/args\n tool_poisoning_detected?: Bool, // Boolean flag for tool poisoning\n rug_pull_score?: Long, // Tool behavior drift after trust establishment\n rug_pull_detected?: Bool, // Boolean flag for rug pull\n indirect_injection_score?: Long, // Indirect injection via tool output\n\n // --- Tool Risk Assessment ---\n tool_risk_score?: Long, // Computed tool risk (0-100)\n tool_category?: String, // \"safe\", \"sensitive\", \"dangerous\"\n tool_is_sensitive?: Bool, // Sensitivity classification\n tool_is_builtin?: Bool, // Built-in IDE tool vs MCP tool\n\n // --- Behavioral Analysis --- (OWASP LLM10, ASI02, ASI08)\n loop_detected?: Bool, // Consecutive same-tool call loop\n loop_count?: Long, // Number of consecutive repeat calls\n loop_tool?: String, // Tool name in loop\n suspicious_pattern?: Bool, // Data exfiltration or attack sequence detected\n pattern_type?: String, // \"data_exfiltration\", \"secret_exfiltration\", \"credential_theft\", \"destructive_sequence\"\n sequence_risk?: Long, // Sequence risk score (0-100)\n\n // --- MCP Trust ---\n mcp_server_verified?: Bool, // Whether server is from verified registry\n\n // --- Tool Operation Classifier ---\n tool_operation_classes?: Set<String>, // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n 
session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Legacy ---\n response_content?: String,\n },\n};\n\n// Connect to an MCP server\n// Threat focus: supply chain, tool poisoning, rug pull, config risk\naction connect_server appliesTo {\n principal: [User, Agent],\n resource: [Server],\n context: {\n content?: String, // Server config content (if available)\n source: String,\n event: String,\n user_email: String,\n mcp_server?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n max_threat_severity?: Long,\n\n // --- Agent Security (0-100) --- (OWASP ASI04, MCP01-MCP05)\n tool_poisoning_score?: Long, // Poisoned tool descriptions in server\n tool_poisoning_detected?: Bool,\n rug_pull_score?: Long, // Server behavior change after approval\n rug_pull_detected?: Bool,\n indirect_injection_score?: Long, // Injection payloads in server responses\n\n // --- MCP Trust & Config Risk ---\n mcp_server_verified?: Bool, // Verified registry status\n mcp_config_risk?: Bool, // Risky server config detected (inline code exec, etc.)\n mcp_risk_score?: Long, // Config risk severity (0-100)\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n 
session_cumulative_risk_score?: Long,\n },\n};\n\n// Read a file from disk\n// Threat focus: secrets exposure, PII exposure, path traversal, sensitive paths\naction read_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Agent Security ---\n indirect_injection_score?: Long, // Indirect injection via file content\n },\n};\n\n// Write a file to disk\n// Threat focus: secrets in output, PII in output, sensitive paths, malicious code\naction write_file appliesTo {\n principal: [User, Agent],\n resource: [FilePath],\n context: {\n content: String,\n source: String,\n event: String,\n user_email: String,\n path?: String,\n cwd?: String,\n workspace_root?: String,\n\n // --- Threat Detection ---\n threat_count?: Long,\n highest_severity?: String,\n threat_categories?: Set<String>,\n detected_threats?: Set<String>,\n max_threat_severity?: Long,\n secrets_detected?: Bool,\n\n // --- 
Secrets (granular) ---\n secret_types?: Set<String>,\n secret_count?: Long,\n\n // --- PII Detection ---\n pii_detected?: Bool,\n pii_types?: Set<String>,\n pii_count?: Long,\n\n // --- Session Detection History (cross-turn sticky flags) ---\n session_pii_detected?: Bool,\n session_pii_types?: Set<String>,\n session_secrets_detected?: Bool,\n session_secret_types?: Set<String>,\n session_injection_detected?: Bool,\n session_command_injection?: Bool,\n session_threat_turns?: Long,\n session_max_injection_score?: Long,\n session_max_jailbreak_score?: Long,\n session_max_command_injection_score?: Long,\n session_max_pii_score?: Long,\n session_max_secret_score?: Long,\n session_cumulative_risk_score?: Long,\n\n // --- Agent Security ---\n indirect_injection_score?: Long, // Indirect injection via file content\n },\n};\n\n}\n";
|
|
19
19
|
/**
|
|
20
20
|
* Palisade Cedar schema
|
|
21
21
|
*
|
|
@@ -133,6 +133,9 @@ action call_tool appliesTo {
|
|
|
133
133
|
tool_is_sensitive?: Bool,
|
|
134
134
|
tool_is_builtin?: Bool,
|
|
135
135
|
|
|
136
|
+
// --- Tool Operation Classifier ---
|
|
137
|
+
tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
138
|
+
|
|
136
139
|
// --- MCP Trust ---
|
|
137
140
|
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
138
141
|
|
|
@@ -797,6 +800,9 @@ namespace Guardrails {
|
|
|
797
800
|
"mcp_risk_type"?: String, // "inline_execution" | "suspicious_url" | "cross_origin"
|
|
798
801
|
"mcp_risk_score"?: Long, // 0-100
|
|
799
802
|
|
|
803
|
+
// Tool Operation Classifier (optional) — populated by AST-based classifiers (bash, python, etc.)
|
|
804
|
+
"tool_operation_classes"?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
805
|
+
|
|
800
806
|
// Agentic - Multi-Turn Context (optional)
|
|
801
807
|
"conversation_turn"?: Long,
|
|
802
808
|
"multi_turn_detection"?: Bool,
|
|
@@ -1258,6 +1264,9 @@ action call_tool appliesTo {
|
|
|
1258
1264
|
// --- MCP Trust ---
|
|
1259
1265
|
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
1260
1266
|
|
|
1267
|
+
// --- Tool Operation Classifier ---
|
|
1268
|
+
tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
1269
|
+
|
|
1261
1270
|
// --- Session Detection History (cross-turn sticky flags) ---
|
|
1262
1271
|
session_pii_detected?: Bool,
|
|
1263
1272
|
session_pii_types?: Set<String>,
|
|
@@ -2036,6 +2045,7 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2036
2045
|
{ "key": "tool_category", "type": "string", "required": false, "description": "Tool category: safe/sensitive/dangerous" },
|
|
2037
2046
|
{ "key": "tool_is_sensitive", "type": "boolean", "required": false, "description": "Tool sensitivity flag" },
|
|
2038
2047
|
{ "key": "tool_is_builtin", "type": "boolean", "required": false, "description": "Built-in tool flag" },
|
|
2048
|
+
{ "key": "tool_operation_classes", "type": "array", "required": false, "description": "All operation classes observed in the tool call. Subset of: \'readonly\', \'write_enabling\', \'execute_enabling\', \'network_access\', \'unknown\'. \'unknown\' appears when any unrecognized or variable-expanded command was seen." },
|
|
2039
2049
|
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether server is from verified registry" },
|
|
2040
2050
|
{ "key": "violence_score", "type": "number", "required": false, "description": "Violence content score (0-100)" },
|
|
2041
2051
|
{ "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content score (0-100)" },
|
|
@@ -2368,6 +2378,7 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2368
2378
|
{ "key": "mcp_config_risk", "type": "boolean", "required": false, "description": "Whether MCP configuration risk was detected (inline code execution, suspicious URLs, cross-origin issues)" },
|
|
2369
2379
|
{ "key": "mcp_risk_type", "type": "string", "required": false, "description": "Type of MCP risk: \'inline_execution\', \'suspicious_url\', or \'cross_origin\'" },
|
|
2370
2380
|
{ "key": "mcp_risk_score", "type": "number", "required": false, "description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks" },
|
|
2381
|
+
{ "key": "tool_operation_classes", "type": "array", "required": false, "description": "All operation classes observed in the tool call. Subset of: \'readonly\', \'write_enabling\', \'execute_enabling\', \'network_access\', \'unknown\'. \'unknown\' appears when any unrecognized or variable-expanded command was seen." },
|
|
2371
2382
|
{ "key": "cross_origin_detected", "type": "boolean", "required": false, "description": "Whether cross-origin escalation patterns were detected in tool calls crossing trust boundaries" },
|
|
2372
2383
|
{ "key": "cross_origin_type", "type": "string", "required": false, "description": "Type of cross-origin escalation detected in tool call" },
|
|
2373
2384
|
{ "key": "cross_origin_score", "type": "number", "required": false, "description": "Risk score for cross-origin escalation in tool calls (0-100)" },
|
|
@@ -2633,6 +2644,7 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2633
2644
|
{ "key": "pattern_type", "type": "string", "required": false, "description": "Type of suspicious pattern: data_exfiltration, secret_exfiltration, credential_theft, destructive_sequence" },
|
|
2634
2645
|
{ "key": "sequence_risk", "type": "number", "required": false, "description": "Behavioral sequence risk score (0-100)" },
|
|
2635
2646
|
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether the MCP server is from a verified registry" },
|
|
2647
|
+
{ "key": "tool_operation_classes", "type": "array", "required": false, "description": "All operation classes observed in the tool call. Subset of: \'readonly\', \'write_enabling\', \'execute_enabling\', \'network_access\', \'unknown\'. \'unknown\' appears when any unrecognized or variable-expanded command was seen." },
|
|
2636
2648
|
{ "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
|
|
2637
2649
|
{ "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
|
|
2638
2650
|
{ "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
|
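--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -2,6 +2,7 @@ export * from './entities.gen.js';
 export * from './actions.gen.js';
 export * from './context.gen.js';
 export * from './schema.gen.js';
+export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
 export * from './builder.js';
 export * from './errors.js';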
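--- a/package/dist/types.js
+++ b/package/dist/types.js
@@ -9,6 +9,9 @@ export * from './entities.gen.js';
 export * from './actions.gen.js';
 export * from './context.gen.js';
 export * from './schema.gen.js';
+// Canonical decision-effect vocabulary (browser-safe). Studio's Monaco
+// policy editor imports these typed symbols rather than string literals.
+export * from './decision-effects.gen.js';
 // AARM-aware annotation registry (browser-safe — Studio uses this
 // for Monaco autocomplete + lint of @step_up_required / @defer_* keys).
 export * from './aarm-annotations.gen.js';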
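Review bot: The new `export * from './decision-effects.gen.js';` makes every name in that generated module part of this barrel's public surface, and if one of those names is also star-exported from `schema.gen.js` or `aarm-annotations.gen.js`, ESM resolves the ambiguity by silently dropping the name at runtime rather than failing. Because the adjacent comment says Studio's policy editor relies on these typed symbols instead of string literals, an explicit named re-export list for the decision-effect symbols in the source `types.ts` this dist file is emitted from would make the contract visible and turn an accidental collision or removal into a build error. I cannot see `decision-effects.gen.js`, so whether any overlap exists today is unverified.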