@highflame/policy 2.1.4 → 2.1.5

package/README.md

@@ -168,6 +168,47 @@ result.unstructured.forEach(policy => {
 });
 ```
 
+## Condition Groups (Visual Builder Support)
+
+Bidirectional conversion between recursive `ConditionExpression` ASTs and flat `ConditionGroup` arrays for visual condition builder UIs.
+
+```typescript
+import {
+  expressionToGroups,
+  groupsToExpression,
+  expressionToCedar,
+  extractContextFields,
+} from '@highflame/policy/types';
+
+// Parse Cedar → edit in UI → generate Cedar
+const result = parseCedarToRules(cedarText);
+const rule = result.rules[0];
+
+if (rule.conditionExpression) {
+  // Convert AST to flat groups for visual builder
+  const groups = expressionToGroups(rule.conditionExpression);
+
+  // User edits groups in UI...
+
+  // Convert back to AST
+  const expr = groupsToExpression(groups);
+
+  // Render to Cedar text
+  const cedarCondition = expressionToCedar(expr);
+}
+```
+
+### Why Top-Level AND Between Groups?
+
+Groups are always combined with **AND** at the top level. This reflects Cedar's authorization model:
+
+- **Cedar provides OR between policies for free** — if ANY `forbid` matches, the request is denied
+- **AND within a rule**: "block if injection > 70 AND jailbreak > 65" → conditions in one AND group
+- **OR within a rule**: "block if violence > 70 OR hate > 70" → conditions in one OR group
+- **OR between rules**: separate `forbid` rules — Cedar ORs them automatically
+
+This means `(A && B) || (C && D)` is expressed as two separate rules, which is cleaner, more auditable, and idiomatic Cedar.
+
 ## Available Constants
 
 - **17 Entity Types**: `EntityType.User`, `Scanner`, `Artifact`, `Tool`, etc.

package/_schemas/guardrails/context.json

@@ -38,16 +38,40 @@
           "description": "Number of detectors that were executed for this request"
         },
         {
-          "key": "injection_score",
+          "key": "injection_confidence",
           "type": "number",
           "required": false,
-          "description": "ML-based confidence score for prompt injection attacks (0-100). Higher scores indicate higher confidence. Typical threshold: >85 for high-confidence blocks"
+          "description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
         },
         {
-          "key": "jailbreak_score",
+          "key": "jailbreak_confidence",
           "type": "number",
           "required": false,
-          "description": "ML-based confidence score for jailbreak attempts (0-100). Detects attempts to bypass safety guardrails. Typical threshold: >80 for blocks"
+          "description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control"
+        },
+        {
+          "key": "injection_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for prompt injection (0-100). Raw score from Pulse detector before combination with deep-context. Use for per-detector policy control"
+        },
+        {
+          "key": "injection_deep_context_score",
+          "type": "number",
+          "required": false,
+          "description": "DeepContext multi-turn analyzer score for prompt injection (0-100). Tracks injection patterns across conversation history. Generally higher confidence than single-turn"
+        },
+        {
+          "key": "jailbreak_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for jailbreak attempts (0-100). Raw score from Pulse detector before combination with deep-context"
+        },
+        {
+          "key": "jailbreak_deep_context_score",
+          "type": "number",
+          "required": false,
+          "description": "DeepContext multi-turn analyzer score for jailbreak attempts (0-100). Detects jailbreak escalation patterns across conversation turns"
         },
         {
           "key": "injection_type",
@@ -372,6 +396,84 @@
           "type": "boolean",
           "required": false,
           "description": "Whether multi-turn injection patterns were detected (attack spread across multiple conversation turns)"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -524,10 +626,22 @@
           "description": "Array of PII types found in tool arguments"
         },
         {
-          "key": "injection_score",
+          "key": "injection_confidence",
+          "type": "number",
+          "required": false,
+          "description": "Combined prompt injection confidence in tool arguments (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
+        },
+        {
+          "key": "injection_pulse_score",
+          "type": "number",
+          "required": false,
+          "description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context"
+        },
+        {
+          "key": "injection_deep_context_score",
           "type": "number",
           "required": false,
-          "description": "ML-based confidence score for prompt injection in tool arguments (0-100)"
+          "description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history"
         },
         {
           "key": "command_injection_detected",
@@ -690,6 +804,84 @@
           "type": "boolean",
           "required": false,
           "description": "Whether multi-turn injection patterns were detected across tool calls in the session"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -750,6 +942,84 @@
           "type": "string",
           "required": false,
           "description": "Type of path traversal detected in the file read path"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -810,6 +1080,84 @@
           "type": "string",
           "required": false,
           "description": "Type of path traversal detected in the file write path"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     },
@@ -894,6 +1242,84 @@
           "type": "number",
           "required": false,
           "description": "Risk score for cross-origin escalation in server connection (0-100)"
+        },
+        {
+          "key": "session_pii_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether PII was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_pii_types",
+          "type": "array",
+          "required": false,
+          "description": "PII types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_secrets_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether secrets were detected in any previous turn of the session"
+        },
+        {
+          "key": "session_secret_types",
+          "type": "array",
+          "required": false,
+          "description": "Secret types detected across the session (accumulated)"
+        },
+        {
+          "key": "session_injection_detected",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether prompt injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_command_injection",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether command injection was detected in any previous turn of the session"
+        },
+        {
+          "key": "session_threat_turns",
+          "type": "number",
+          "required": false,
+          "description": "Number of turns in the session where threats were detected"
+        },
+        {
+          "key": "session_max_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
+        },
+        {
+          "key": "session_max_jailbreak_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_command_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest command injection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_pii_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest PII risk score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_max_secret_score",
+          "type": "number",
+          "required": false,
+          "description": "Highest secret detection score seen in any turn of the session (0-100)"
+        },
+        {
+          "key": "session_cumulative_risk_score",
+          "type": "number",
+          "required": false,
+          "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
         }
       ]
     }

package/_schemas/guardrails/schema.cedarschema

@@ -96,8 +96,12 @@ namespace Guardrails {
         "detector_count": Long,
 
         // Security - Injection & Jailbreak (optional)
-        "injection_score"?: Long,        // 0-100
-        "jailbreak_score"?: Long,        // 0-100
+        "injection_confidence"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)
+        "jailbreak_confidence"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
+        "jailbreak_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "jailbreak_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
         "injection_type"?: String,       // "prompt" | "sql" | "command" | "none"
 
         // Privacy - Secrets (optional)
@@ -183,6 +187,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -227,7 +237,9 @@ namespace Guardrails {
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
-        "injection_score"?: Long,
+        "injection_confidence"?: Long,
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
 
         // Security - Pattern Detection (optional)
         "command_injection_detected"?: Bool,
@@ -276,6 +288,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -304,6 +322,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -332,6 +356,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -368,6 +398,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 }

package/_schemas/guardrails/templates/defaults/injection.cedar

@@ -5,8 +5,8 @@
 // Uses ML-based confidence scores from normalized context.
 //
 // Context keys used (normalized by projection layer):
-// - injection_score: Long (0-100) - Overall injection confidence
-// - jailbreak_score: Long (0-100) - Jailbreak attempt confidence
+// - injection_confidence: Long (0-100) - Overall injection confidence
+// - jailbreak_confidence: Long (0-100) - Jailbreak attempt confidence
 // - injection_type: String - Type of injection detected
 // - contains_invisible_chars: Bool - Invisible Unicode characters detected
 // - invisible_chars_score: Long (0-100) - Invisible character density
@@ -25,7 +25,7 @@ forbid (
     action,
     resource
 ) when {
-    context has injection_score && context.injection_score > 85
+    context has injection_confidence && context.injection_confidence > 85
 };
 
 @id("jailbreak-block-high-confidence")
@@ -38,7 +38,7 @@ forbid (
     action,
     resource
 ) when {
-    context has jailbreak_score && context.jailbreak_score > 80
+    context has jailbreak_confidence && context.jailbreak_confidence > 80
 };
 
 @id("injection-combined-threshold")
@@ -51,8 +51,8 @@ forbid (
     action,
     resource
 ) when {
-    context has injection_score && context has jailbreak_score &&
-    context.injection_score > 60 && context.jailbreak_score > 60
+    context has injection_confidence && context has jailbreak_confidence &&
+    context.injection_confidence > 60 && context.jailbreak_confidence > 60
 };
 
 @id("injection-invisible-chars")