@highflame/policy 2.1.4 → 2.1.5

package/dist/service-schemas.gen.js

@@ -112,8 +112,12 @@ namespace Guardrails {
         "detector_count": Long,
 
         // Security - Injection & Jailbreak (optional)
-        "injection_score"?: Long,        // 0-100
-        "jailbreak_score"?: Long,        // 0-100
+        "injection_confidence"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)
+        "jailbreak_confidence"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
+        "jailbreak_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "jailbreak_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
         "injection_type"?: String,       // "prompt" | "sql" | "command" | "none"
 
         // Privacy - Secrets (optional)
@@ -199,6 +203,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -243,7 +253,9 @@ namespace Guardrails {
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
-        "injection_score"?: Long,
+        "injection_confidence"?: Long,
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
 
         // Security - Pattern Detection (optional)
         "command_injection_detected"?: Bool,
@@ -292,6 +304,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -320,6 +338,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -348,6 +372,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 
@@ -384,6 +414,12 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
 
     };
 }
@@ -515,8 +551,12 @@ action process_prompt appliesTo {
 
     // --- ML Detector Confidence Scores (0-100) ---
     pii_confidence: Long,             // PII detection classifier confidence
-    injection_confidence: Long,       // Prompt injection classifier confidence
-    jailbreak_confidence: Long,       // Jailbreak detection classifier confidence
+    injection_confidence: Long,       // Combined injection confidence: MAX(pulse, deep_context)
+    jailbreak_confidence: Long,       // Combined jailbreak confidence: MAX(pulse, deep_context)
+    injection_pulse_score?: Long,     // 0-100 Pulse single-turn classifier
+    injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn
+    jailbreak_pulse_score?: Long,     // 0-100 Pulse single-turn classifier
+    jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn
 
     // --- Agent Security (0-100) ---
     indirect_injection_score: Long,   // Indirect prompt injection risk (OWASP LLM01, ASI01)
@@ -529,6 +569,12 @@ action process_prompt appliesTo {
     session_injection_detected?: Bool,
     session_command_injection?: Bool,
     session_threat_turns?: Long,
+    session_max_injection_score?: Long,
+    session_max_jailbreak_score?: Long,
+    session_max_command_injection_score?: Long,
+    session_max_pii_score?: Long,
+    session_max_secret_score?: Long,
+    session_cumulative_risk_score?: Long,
 
     // --- Legacy ---
     prompt_text?: String,             // Same as content (backward compatibility)
@@ -591,8 +637,12 @@ action call_tool appliesTo {
 
     // --- ML Detector Confidence Scores (0-100) ---
     pii_confidence?: Long,
-    injection_confidence?: Long,
-    jailbreak_confidence?: Long,
+    injection_confidence?: Long,      // Combined injection confidence: MAX(pulse, deep_context)
+    jailbreak_confidence?: Long,      // Combined jailbreak confidence: MAX(pulse, deep_context)
+    injection_pulse_score?: Long,     // 0-100 Pulse single-turn classifier
+    injection_deep_context_score?: Long, // 0-100 DeepContext multi-turn
+    jailbreak_pulse_score?: Long,     // 0-100 Pulse single-turn classifier
+    jailbreak_deep_context_score?: Long, // 0-100 DeepContext multi-turn
 
     // --- Agent Security (0-100) --- (OWASP ASI01, ASI02, ASI04; MITRE AML.T0051)
     tool_poisoning_score?: Long,      // Hidden instructions in tool description/args
@@ -626,6 +676,12 @@ action call_tool appliesTo {
     session_injection_detected?: Bool,
     session_command_injection?: Bool,
     session_threat_turns?: Long,
+    session_max_injection_score?: Long,
+    session_max_jailbreak_score?: Long,
+    session_max_command_injection_score?: Long,
+    session_max_pii_score?: Long,
+    session_max_secret_score?: Long,
+    session_cumulative_risk_score?: Long,
 
     // --- Legacy ---
     response_content?: String,
@@ -670,6 +726,12 @@ action connect_server appliesTo {
     session_injection_detected?: Bool,
     session_command_injection?: Bool,
     session_threat_turns?: Long,
+    session_max_injection_score?: Long,
+    session_max_jailbreak_score?: Long,
+    session_max_command_injection_score?: Long,
+    session_max_pii_score?: Long,
+    session_max_secret_score?: Long,
+    session_cumulative_risk_score?: Long,
   },
 };
 
@@ -712,6 +774,12 @@ action read_file appliesTo {
     session_injection_detected?: Bool,
     session_command_injection?: Bool,
     session_threat_turns?: Long,
+    session_max_injection_score?: Long,
+    session_max_jailbreak_score?: Long,
+    session_max_command_injection_score?: Long,
+    session_max_pii_score?: Long,
+    session_max_secret_score?: Long,
+    session_cumulative_risk_score?: Long,
   },
 };
 
@@ -754,6 +822,12 @@ action write_file appliesTo {
     session_injection_detected?: Bool,
     session_command_injection?: Bool,
     session_threat_turns?: Long,
+    session_max_injection_score?: Long,
+    session_max_jailbreak_score?: Long,
+    session_max_command_injection_score?: Long,
+    session_max_pii_score?: Long,
+    session_max_secret_score?: Long,
+    session_cumulative_risk_score?: Long,
   },
 };
 
@@ -1344,8 +1418,12 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "direction", "type": "string", "required": true, "description": "Content flow direction: \'input\' for user prompts, \'output\' for AI responses. Use this to apply different policies to inputs vs outputs (e.g., block PII only in outputs)" },
                 { "key": "content_type", "type": "string", "required": true, "description": "Type of content being analyzed: \'prompt\', \'response\', \'tool_call\', or \'file\'" },
                 { "key": "detector_count", "type": "number", "required": true, "description": "Number of detectors that were executed for this request" },
-                { "key": "injection_score", "type": "number", "required": false, "description": "ML-based confidence score for prompt injection attacks (0-100). Higher scores indicate higher confidence. Typical threshold: >85 for high-confidence blocks" },
-                { "key": "jailbreak_score", "type": "number", "required": false, "description": "ML-based confidence score for jailbreak attempts (0-100). Detects attempts to bypass safety guardrails. Typical threshold: >80 for blocks" },
+                { "key": "injection_confidence", "type": "number", "required": false, "description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control" },
+                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control" },
+                { "key": "injection_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for prompt injection (0-100). Raw score from Pulse detector before combination with deep-context. Use for per-detector policy control" },
+                { "key": "injection_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for prompt injection (0-100). Tracks injection patterns across conversation history. Generally higher confidence than single-turn" },
+                { "key": "jailbreak_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for jailbreak attempts (0-100). Raw score from Pulse detector before combination with deep-context" },
+                { "key": "jailbreak_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for jailbreak attempts (0-100). Detects jailbreak escalation patterns across conversation turns" },
                 { "key": "injection_type", "type": "string", "required": false, "description": "Type of injection detected: \'prompt\', \'sql\', \'command\', or \'none\'. Use this to apply different policies per injection type" },
                 { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether any API keys, tokens, passwords, or credentials were detected in the content. True indicates presence of secrets" },
                 { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found. Multiple matches may indicate data dumps or accidental credential exposure" },
@@ -1399,7 +1477,20 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "content_safety_score", "type": "number", "required": false, "description": "Aggregate content safety score (0-100). Combines multiple safety signals into a single risk indicator" },
                 { "key": "content_safety_blocked", "type": "boolean", "required": false, "description": "Whether content was flagged for blocking by the content safety system" },
                 { "key": "conversation_turn", "type": "number", "required": false, "description": "Current conversation turn number. Use for policies that escalate strictness over long conversations" },
-                { "key": "multi_turn_detection", "type": "boolean", "required": false, "description": "Whether multi-turn injection patterns were detected (attack spread across multiple conversation turns)" }
+                { "key": "multi_turn_detection", "type": "boolean", "required": false, "description": "Whether multi-turn injection patterns were detected (attack spread across multiple conversation turns)" },
+                { "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
+                { "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
+                { "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
+                { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
+                { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
+                { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1430,7 +1521,9 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in tool arguments" },
                 { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in tool arguments or content" },
                 { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in tool arguments" },
-                { "key": "injection_score", "type": "number", "required": false, "description": "ML-based confidence score for prompt injection in tool arguments (0-100)" },
+                { "key": "injection_confidence", "type": "number", "required": false, "description": "Combined prompt injection confidence in tool arguments (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control" },
+                { "key": "injection_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context" },
+                { "key": "injection_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history" },
                 { "key": "command_injection_detected", "type": "boolean", "required": false, "description": "Whether command injection patterns were detected in tool arguments" },
                 { "key": "command_injection_type", "type": "string", "required": false, "description": "Type of command injection detected in tool arguments" },
                 { "key": "command_injection_score", "type": "number", "required": false, "description": "Confidence score for command injection in tool arguments (0-100)" },
@@ -1457,7 +1550,20 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "encoded_score", "type": "number", "required": false, "description": "Risk score for encoded injection in tool arguments (0-100)" },
                 { "key": "rug_pull_type", "type": "string", "required": false, "description": "Type of rug pull detected: \'risk_spike\' (sudden risk increase), \'pattern_change\' (behavioral shift), \'combined\', or \'none\'" },
                 { "key": "conversation_turn", "type": "number", "required": false, "description": "Current conversation turn number for the agentic session" },
-                { "key": "multi_turn_detection", "type": "boolean", "required": false, "description": "Whether multi-turn injection patterns were detected across tool calls in the session" }
+                { "key": "multi_turn_detection", "type": "boolean", "required": false, "description": "Whether multi-turn injection patterns were detected across tool calls in the session" },
+                { "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
+                { "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
+                { "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
+                { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
+                { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
+                { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1472,7 +1578,20 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in file content" },
                 { "key": "path_traversal_detected", "type": "boolean", "required": false, "description": "Whether path traversal patterns were detected in the file path being read" },
                 { "key": "path_traversal_severity", "type": "string", "required": false, "description": "Severity of path traversal in the file read path" },
-                { "key": "path_traversal_type", "type": "string", "required": false, "description": "Type of path traversal detected in the file read path" }
+                { "key": "path_traversal_type", "type": "string", "required": false, "description": "Type of path traversal detected in the file read path" },
+                { "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
+                { "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
+                { "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
+                { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
+                { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
+                { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1487,7 +1606,20 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in write content" },
                 { "key": "path_traversal_detected", "type": "boolean", "required": false, "description": "Whether path traversal patterns were detected in the file path being written" },
                 { "key": "path_traversal_severity", "type": "string", "required": false, "description": "Severity of path traversal in the file write path" },
-                { "key": "path_traversal_type", "type": "string", "required": false, "description": "Type of path traversal detected in the file write path" }
+                { "key": "path_traversal_type", "type": "string", "required": false, "description": "Type of path traversal detected in the file write path" },
+                { "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
+                { "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
+                { "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
+                { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
+                { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
+                { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1506,7 +1638,20 @@ export const GUARDRAILS_CONTEXT = {
                 { "key": "mcp_risk_score", "type": "number", "required": false, "description": "Risk score for MCP configuration issues (0-100)" },
                 { "key": "cross_origin_detected", "type": "boolean", "required": false, "description": "Whether cross-origin escalation patterns were detected in the MCP server connection" },
                 { "key": "cross_origin_type", "type": "string", "required": false, "description": "Type of cross-origin escalation detected in server connection" },
-                { "key": "cross_origin_score", "type": "number", "required": false, "description": "Risk score for cross-origin escalation in server connection (0-100)" }
+                { "key": "cross_origin_score", "type": "number", "required": false, "description": "Risk score for cross-origin escalation in server connection (0-100)" },
+                { "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
+                { "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
+                { "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
+                { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
+                { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
+                { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         }
     ]
@@ -1551,8 +1696,12 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "sexual_score", "type": "number", "required": true, "description": "Sexual content detection score (0-100)" },
                 { "key": "profanity_score", "type": "number", "required": true, "description": "Profanity detection score (0-100)" },
                 { "key": "pii_confidence", "type": "number", "required": true, "description": "PII detection ML classifier confidence (0-100)" },
-                { "key": "injection_confidence", "type": "number", "required": true, "description": "Prompt injection ML classifier confidence (0-100)" },
-                { "key": "jailbreak_confidence", "type": "number", "required": true, "description": "Jailbreak detection ML classifier confidence (0-100)" },
+                { "key": "injection_confidence", "type": "number", "required": true, "description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control" },
+                { "key": "jailbreak_confidence", "type": "number", "required": true, "description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control" },
+                { "key": "injection_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for prompt injection (0-100). Raw score from Pulse detector before combination with deep-context. Use for per-detector policy control" },
+                { "key": "injection_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for prompt injection (0-100). Tracks injection patterns across conversation history. Generally higher confidence than single-turn" },
+                { "key": "jailbreak_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for jailbreak attempts (0-100). Raw score from Pulse detector before combination with deep-context" },
+                { "key": "jailbreak_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for jailbreak attempts (0-100). Detects jailbreak escalation patterns across conversation turns" },
                 { "key": "indirect_injection_score", "type": "number", "required": true, "description": "Indirect prompt injection risk score (0-100) — injection via tool outputs or retrieved content" },
                 { "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
                 { "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
@@ -1560,7 +1709,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
                 { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
                 { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
-                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" }
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1598,8 +1753,12 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content detection score (0-100)" },
                 { "key": "profanity_score", "type": "number", "required": false, "description": "Profanity detection score (0-100)" },
                 { "key": "pii_confidence", "type": "number", "required": false, "description": "PII detection ML classifier confidence (0-100)" },
-                { "key": "injection_confidence", "type": "number", "required": false, "description": "Prompt injection ML classifier confidence (0-100)" },
-                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak detection ML classifier confidence (0-100)" },
+                { "key": "injection_confidence", "type": "number", "required": false, "description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control" },
+                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control" },
+                { "key": "injection_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context" },
+                { "key": "injection_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history" },
+                { "key": "jailbreak_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for jailbreak in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context" },
+                { "key": "jailbreak_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for jailbreak in tool arguments (0-100). Detects jailbreak escalation patterns across tool call turns" },
                 { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool description manipulation risk score (0-100) — hidden instructions in tool descriptions or arguments" },
                 { "key": "tool_poisoning_detected", "type": "boolean", "required": false, "description": "Whether tool poisoning patterns were explicitly detected" },
                 { "key": "rug_pull_score", "type": "number", "required": false, "description": "Tool behavioral drift score (0-100) — deviation from established tool behavior patterns" },
@@ -1622,7 +1781,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
                 { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
                 { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
-                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" }
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1653,7 +1818,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
                 { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
                 { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
-                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" }
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1684,7 +1855,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
                 { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
                 { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
-                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" }
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         },
         {
@@ -1716,7 +1893,13 @@ export const OVERWATCH_CONTEXT = {
                 { "key": "session_secret_types", "type": "array", "required": false, "description": "Secret types detected across the session (accumulated)" },
                 { "key": "session_injection_detected", "type": "boolean", "required": false, "description": "Whether prompt injection was detected in any previous turn of the session" },
                 { "key": "session_command_injection", "type": "boolean", "required": false, "description": "Whether command injection was detected in any previous turn of the session" },
-                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" }
+                { "key": "session_threat_turns", "type": "number", "required": false, "description": "Number of turns in the session where threats were detected" },
+                { "key": "session_max_injection_score", "type": "number", "required": false, "description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions" },
+                { "key": "session_max_jailbreak_score", "type": "number", "required": false, "description": "Highest jailbreak detection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
+                { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
+                { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
+                { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
             ]
         }
     ]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.1.4",
+  "version": "2.1.5",
   "description": "Highflame Cedar policy types and engine wrapper",
   "readme": "README.md",
   "main": "dist/index.js",

package/_schemas/guardrails/templates/profiles/chat_assistant.cedar

@@ -1,85 +0,0 @@
-// =============================================================================
-// Chat Assistant Profile
-// =============================================================================
-// Optimized for customer-facing chatbots and conversational AI.
-// Strict content moderation, PII protection, and injection defense.
-// No tool-related policies (chat assistants don't call tools).
-//
-// Deploy: One-click deploy scopes all rules to a specific application via
-// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
-//
-// Category: organization
-// Namespace: Guardrails
-// =============================================================================
-
-@id("chat-toxicity-strict")
-@name("Strict toxicity for chat")
-@description("Lower thresholds for customer-facing content — blocks toxicity above 70")
-@severity("critical")
-@tags("profile,chat-assistant,toxicity,trust-safety")
-forbid (
-    principal,
-    action == Guardrails::Action::"process_prompt",
-    resource
-) when {
-    context.violence_score > 70 ||
-    context.hate_speech_score > 70 ||
-    context.sexual_score > 70 ||
-    context.profanity_score > 70
-};
-
-@id("chat-pii-block-input-output")
-@name("Block PII in both directions")
-@description("Blocks PII in both user inputs and assistant outputs for chat applications")
-@severity("high")
-@tags("profile,chat-assistant,pii,privacy")
-forbid (
-    principal,
-    action == Guardrails::Action::"process_prompt",
-    resource
-) when {
-    context.pii_detected == true
-};
-
-@id("chat-injection-lower-threshold")
-@name("Aggressive injection defense for chat")
-@description("Lower injection threshold for public-facing chat — blocks above 70")
-@severity("high")
-@tags("profile,chat-assistant,injection,security")
-forbid (
-    principal,
-    action == Guardrails::Action::"process_prompt",
-    resource
-) when {
-    context.injection_score > 70
-};
-
-@id("chat-jailbreak-lower-threshold")
-@name("Aggressive jailbreak defense for chat")
-@description("Lower jailbreak threshold for public-facing chat — blocks above 65")
-@severity("high")
-@tags("profile,chat-assistant,jailbreak,security")
-forbid (
-    principal,
-    action == Guardrails::Action::"process_prompt",
-    resource
-) when {
-    context.jailbreak_score > 65
-};
-
-@id("chat-topic-restriction")
-@name("Block restricted topics in chat")
-@description("Prevents chat assistants from discussing dangerous or regulated topics")
-@severity("high")
-@tags("profile,chat-assistant,semantic,compliance")
-forbid (
-    principal,
-    action == Guardrails::Action::"process_prompt",
-    resource
-) when {
-    context.topic_confidence > 70 &&
-    (context.content_topics.contains("weapons_manufacturing") ||
-     context.content_topics.contains("illegal_activity") ||
-     context.content_topics.contains("controlled_substances") ||
-     context.content_topics.contains("financial_fraud"))
-};