@highflame/policy 2.1.4 → 2.1.6
- package/README.md +41 -0
- package/_schemas/guardrails/context.json +600 -6
- package/_schemas/guardrails/schema.cedarschema +79 -3
- package/_schemas/guardrails/templates/defaults/agent_identity.cedar +118 -0
- package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +4 -4
- package/_schemas/guardrails/templates/defaults/injection.cedar +10 -10
- package/_schemas/guardrails/templates/defaults/secrets.cedar +2 -2
- package/_schemas/guardrails/templates/defaults/security_patterns.cedar +1 -1
- package/_schemas/guardrails/templates/defaults/toxicity.cedar +3 -3
- package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +1 -1
- package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +4 -4
- package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +2 -2
- package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +3 -3
- package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +1 -1
- package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +2 -2
- package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +3 -3
- package/_schemas/guardrails/templates/profiles/multi_agent/agent_safety.cedar +157 -0
- package/_schemas/guardrails/templates/profiles/multi_agent/agent_trust.cedar +140 -0
- package/_schemas/guardrails/templates/templates.json +41 -0
- package/_schemas/overwatch/context.json +232 -4
- package/_schemas/overwatch/schema.cedarschema +42 -4
- package/dist/guardrails-context.gen.d.ts +24 -2
- package/dist/guardrails-context.gen.js +24 -2
- package/dist/guardrails-defaults.gen.d.ts +1 -1
- package/dist/guardrails-defaults.gen.js +524 -36
- package/dist/overwatch-context.gen.d.ts +10 -0
- package/dist/overwatch-context.gen.js +10 -0
- package/dist/service-schemas.gen.d.ts +2 -2
- package/dist/service-schemas.gen.js +275 -24
- package/package.json +1 -1
- package/_schemas/guardrails/templates/profiles/chat_assistant.cedar +0 -85
- package/_schemas/guardrails/templates/profiles/code_agent.cedar +0 -125
- package/_schemas/guardrails/templates/profiles/data_pipeline.cedar +0 -111
|
@@ -38,16 +38,40 @@
|
|
|
38
38
|
"description": "Number of detectors that were executed for this request"
|
|
39
39
|
},
|
|
40
40
|
{
|
|
41
|
-
"key": "
|
|
41
|
+
"key": "injection_confidence",
|
|
42
42
|
"type": "number",
|
|
43
43
|
"required": false,
|
|
44
|
-
"description": "
|
|
44
|
+
"description": "Combined prompt injection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
|
|
45
45
|
},
|
|
46
46
|
{
|
|
47
|
-
"key": "
|
|
47
|
+
"key": "jailbreak_confidence",
|
|
48
48
|
"type": "number",
|
|
49
49
|
"required": false,
|
|
50
|
-
"description": "
|
|
50
|
+
"description": "Combined jailbreak detection confidence (0-100). MAX of all detector scores (Pulse + DeepContext). Use jailbreak_pulse_score / jailbreak_deep_context_score for individual detector control"
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"key": "injection_pulse_score",
|
|
54
|
+
"type": "number",
|
|
55
|
+
"required": false,
|
|
56
|
+
"description": "Highflame single-turn classifier score for prompt injection (0-100). Raw score from Pulse detector before combination with deep-context. Use for per-detector policy control"
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
"key": "injection_deep_context_score",
|
|
60
|
+
"type": "number",
|
|
61
|
+
"required": false,
|
|
62
|
+
"description": "DeepContext multi-turn analyzer score for prompt injection (0-100). Tracks injection patterns across conversation history. Generally higher confidence than single-turn"
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
"key": "jailbreak_pulse_score",
|
|
66
|
+
"type": "number",
|
|
67
|
+
"required": false,
|
|
68
|
+
"description": "Highflame single-turn classifier score for jailbreak attempts (0-100). Raw score from Pulse detector before combination with deep-context"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"key": "jailbreak_deep_context_score",
|
|
72
|
+
"type": "number",
|
|
73
|
+
"required": false,
|
|
74
|
+
"description": "DeepContext multi-turn analyzer score for jailbreak attempts (0-100). Detects jailbreak escalation patterns across conversation turns"
|
|
51
75
|
},
|
|
52
76
|
{
|
|
53
77
|
"key": "injection_type",
|
|
@@ -372,6 +396,114 @@
|
|
|
372
396
|
"type": "boolean",
|
|
373
397
|
"required": false,
|
|
374
398
|
"description": "Whether multi-turn injection patterns were detected (attack spread across multiple conversation turns)"
|
|
399
|
+
},
|
|
400
|
+
{
|
|
401
|
+
"key": "session_pii_detected",
|
|
402
|
+
"type": "boolean",
|
|
403
|
+
"required": false,
|
|
404
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"key": "session_pii_types",
|
|
408
|
+
"type": "array",
|
|
409
|
+
"required": false,
|
|
410
|
+
"description": "PII types detected across the session (accumulated)"
|
|
411
|
+
},
|
|
412
|
+
{
|
|
413
|
+
"key": "session_secrets_detected",
|
|
414
|
+
"type": "boolean",
|
|
415
|
+
"required": false,
|
|
416
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
417
|
+
},
|
|
418
|
+
{
|
|
419
|
+
"key": "session_secret_types",
|
|
420
|
+
"type": "array",
|
|
421
|
+
"required": false,
|
|
422
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
423
|
+
},
|
|
424
|
+
{
|
|
425
|
+
"key": "session_injection_detected",
|
|
426
|
+
"type": "boolean",
|
|
427
|
+
"required": false,
|
|
428
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"key": "session_command_injection",
|
|
432
|
+
"type": "boolean",
|
|
433
|
+
"required": false,
|
|
434
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
435
|
+
},
|
|
436
|
+
{
|
|
437
|
+
"key": "session_threat_turns",
|
|
438
|
+
"type": "number",
|
|
439
|
+
"required": false,
|
|
440
|
+
"description": "Number of turns in the session where threats were detected"
|
|
441
|
+
},
|
|
442
|
+
{
|
|
443
|
+
"key": "session_max_injection_score",
|
|
444
|
+
"type": "number",
|
|
445
|
+
"required": false,
|
|
446
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
447
|
+
},
|
|
448
|
+
{
|
|
449
|
+
"key": "session_max_jailbreak_score",
|
|
450
|
+
"type": "number",
|
|
451
|
+
"required": false,
|
|
452
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"key": "session_max_command_injection_score",
|
|
456
|
+
"type": "number",
|
|
457
|
+
"required": false,
|
|
458
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
459
|
+
},
|
|
460
|
+
{
|
|
461
|
+
"key": "session_max_pii_score",
|
|
462
|
+
"type": "number",
|
|
463
|
+
"required": false,
|
|
464
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
465
|
+
},
|
|
466
|
+
{
|
|
467
|
+
"key": "session_max_secret_score",
|
|
468
|
+
"type": "number",
|
|
469
|
+
"required": false,
|
|
470
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"key": "session_cumulative_risk_score",
|
|
474
|
+
"type": "number",
|
|
475
|
+
"required": false,
|
|
476
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"key": "agent_id",
|
|
480
|
+
"type": "string",
|
|
481
|
+
"required": false,
|
|
482
|
+
"description": "Unique identifier of the authenticated AI agent making this request (e.g., 'agent_research_v3'). Empty string for human user requests. Use this to write agent-specific policies"
|
|
483
|
+
},
|
|
484
|
+
{
|
|
485
|
+
"key": "agent_type",
|
|
486
|
+
"type": "string",
|
|
487
|
+
"required": false,
|
|
488
|
+
"description": "Type of the authenticated agent: 'orchestrator' (coordinates sub-agents), 'autonomous' (self-directed), 'tool_agent' (single-purpose tool), or 'human_proxy' (acts on behalf of a human). Empty string for human users"
|
|
489
|
+
},
|
|
490
|
+
{
|
|
491
|
+
"key": "agent_trust_level",
|
|
492
|
+
"type": "string",
|
|
493
|
+
"required": false,
|
|
494
|
+
"description": "Trust level of the authenticated agent: 'first_party' (your own agents), 'verified_third_party' (audited external agents), or 'unverified' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools"
|
|
495
|
+
},
|
|
496
|
+
{
|
|
497
|
+
"key": "agent_framework",
|
|
498
|
+
"type": "string",
|
|
499
|
+
"required": false,
|
|
500
|
+
"description": "Framework or SDK the agent is built with (e.g., 'claude-code', 'langchain', 'crewai', 'autogen'). Use this to apply framework-specific policies"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"key": "agent_publisher",
|
|
504
|
+
"type": "string",
|
|
505
|
+
"required": false,
|
|
506
|
+
"description": "Organization that published the agent (e.g., 'anthropic', 'internal', 'acme-corp'). Use this for organization-level trust policies"
|
|
375
507
|
}
|
|
376
508
|
]
|
|
377
509
|
},
|
|
@@ -505,6 +637,12 @@
|
|
|
505
637
|
"required": false,
|
|
506
638
|
"description": "Whether secrets were detected in tool arguments or content"
|
|
507
639
|
},
|
|
640
|
+
{
|
|
641
|
+
"key": "secret_count",
|
|
642
|
+
"type": "number",
|
|
643
|
+
"required": false,
|
|
644
|
+
"description": "Total number of secret matches found in tool arguments or content. Multiple matches may indicate data dumps or accidental credential exposure"
|
|
645
|
+
},
|
|
508
646
|
{
|
|
509
647
|
"key": "secret_types",
|
|
510
648
|
"type": "array",
|
|
@@ -524,10 +662,22 @@
|
|
|
524
662
|
"description": "Array of PII types found in tool arguments"
|
|
525
663
|
},
|
|
526
664
|
{
|
|
527
|
-
"key": "
|
|
665
|
+
"key": "injection_confidence",
|
|
666
|
+
"type": "number",
|
|
667
|
+
"required": false,
|
|
668
|
+
"description": "Combined prompt injection confidence in tool arguments (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control"
|
|
669
|
+
},
|
|
670
|
+
{
|
|
671
|
+
"key": "injection_pulse_score",
|
|
672
|
+
"type": "number",
|
|
673
|
+
"required": false,
|
|
674
|
+
"description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context"
|
|
675
|
+
},
|
|
676
|
+
{
|
|
677
|
+
"key": "injection_deep_context_score",
|
|
528
678
|
"type": "number",
|
|
529
679
|
"required": false,
|
|
530
|
-
"description": "
|
|
680
|
+
"description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history"
|
|
531
681
|
},
|
|
532
682
|
{
|
|
533
683
|
"key": "command_injection_detected",
|
|
@@ -690,6 +840,114 @@
|
|
|
690
840
|
"type": "boolean",
|
|
691
841
|
"required": false,
|
|
692
842
|
"description": "Whether multi-turn injection patterns were detected across tool calls in the session"
|
|
843
|
+
},
|
|
844
|
+
{
|
|
845
|
+
"key": "session_pii_detected",
|
|
846
|
+
"type": "boolean",
|
|
847
|
+
"required": false,
|
|
848
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
849
|
+
},
|
|
850
|
+
{
|
|
851
|
+
"key": "session_pii_types",
|
|
852
|
+
"type": "array",
|
|
853
|
+
"required": false,
|
|
854
|
+
"description": "PII types detected across the session (accumulated)"
|
|
855
|
+
},
|
|
856
|
+
{
|
|
857
|
+
"key": "session_secrets_detected",
|
|
858
|
+
"type": "boolean",
|
|
859
|
+
"required": false,
|
|
860
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
861
|
+
},
|
|
862
|
+
{
|
|
863
|
+
"key": "session_secret_types",
|
|
864
|
+
"type": "array",
|
|
865
|
+
"required": false,
|
|
866
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
867
|
+
},
|
|
868
|
+
{
|
|
869
|
+
"key": "session_injection_detected",
|
|
870
|
+
"type": "boolean",
|
|
871
|
+
"required": false,
|
|
872
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
873
|
+
},
|
|
874
|
+
{
|
|
875
|
+
"key": "session_command_injection",
|
|
876
|
+
"type": "boolean",
|
|
877
|
+
"required": false,
|
|
878
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
879
|
+
},
|
|
880
|
+
{
|
|
881
|
+
"key": "session_threat_turns",
|
|
882
|
+
"type": "number",
|
|
883
|
+
"required": false,
|
|
884
|
+
"description": "Number of turns in the session where threats were detected"
|
|
885
|
+
},
|
|
886
|
+
{
|
|
887
|
+
"key": "session_max_injection_score",
|
|
888
|
+
"type": "number",
|
|
889
|
+
"required": false,
|
|
890
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
891
|
+
},
|
|
892
|
+
{
|
|
893
|
+
"key": "session_max_jailbreak_score",
|
|
894
|
+
"type": "number",
|
|
895
|
+
"required": false,
|
|
896
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
897
|
+
},
|
|
898
|
+
{
|
|
899
|
+
"key": "session_max_command_injection_score",
|
|
900
|
+
"type": "number",
|
|
901
|
+
"required": false,
|
|
902
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
903
|
+
},
|
|
904
|
+
{
|
|
905
|
+
"key": "session_max_pii_score",
|
|
906
|
+
"type": "number",
|
|
907
|
+
"required": false,
|
|
908
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
909
|
+
},
|
|
910
|
+
{
|
|
911
|
+
"key": "session_max_secret_score",
|
|
912
|
+
"type": "number",
|
|
913
|
+
"required": false,
|
|
914
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
915
|
+
},
|
|
916
|
+
{
|
|
917
|
+
"key": "session_cumulative_risk_score",
|
|
918
|
+
"type": "number",
|
|
919
|
+
"required": false,
|
|
920
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
921
|
+
},
|
|
922
|
+
{
|
|
923
|
+
"key": "agent_id",
|
|
924
|
+
"type": "string",
|
|
925
|
+
"required": false,
|
|
926
|
+
"description": "Unique identifier of the authenticated AI agent making this request (e.g., 'agent_research_v3'). Empty string for human user requests. Use this to write agent-specific policies"
|
|
927
|
+
},
|
|
928
|
+
{
|
|
929
|
+
"key": "agent_type",
|
|
930
|
+
"type": "string",
|
|
931
|
+
"required": false,
|
|
932
|
+
"description": "Type of the authenticated agent: 'orchestrator' (coordinates sub-agents), 'autonomous' (self-directed), 'tool_agent' (single-purpose tool), or 'human_proxy' (acts on behalf of a human). Empty string for human users"
|
|
933
|
+
},
|
|
934
|
+
{
|
|
935
|
+
"key": "agent_trust_level",
|
|
936
|
+
"type": "string",
|
|
937
|
+
"required": false,
|
|
938
|
+
"description": "Trust level of the authenticated agent: 'first_party' (your own agents), 'verified_third_party' (audited external agents), or 'unverified' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools"
|
|
939
|
+
},
|
|
940
|
+
{
|
|
941
|
+
"key": "agent_framework",
|
|
942
|
+
"type": "string",
|
|
943
|
+
"required": false,
|
|
944
|
+
"description": "Framework or SDK the agent is built with (e.g., 'claude-code', 'langchain', 'crewai', 'autogen'). Use this to apply framework-specific policies"
|
|
945
|
+
},
|
|
946
|
+
{
|
|
947
|
+
"key": "agent_publisher",
|
|
948
|
+
"type": "string",
|
|
949
|
+
"required": false,
|
|
950
|
+
"description": "Organization that published the agent (e.g., 'anthropic', 'internal', 'acme-corp'). Use this for organization-level trust policies"
|
|
693
951
|
}
|
|
694
952
|
]
|
|
695
953
|
},
|
|
@@ -715,6 +973,12 @@
|
|
|
715
973
|
"required": false,
|
|
716
974
|
"description": "Whether secrets were detected in the file content being read"
|
|
717
975
|
},
|
|
976
|
+
{
|
|
977
|
+
"key": "secret_count",
|
|
978
|
+
"type": "number",
|
|
979
|
+
"required": false,
|
|
980
|
+
"description": "Total number of secret matches found in file content. Multiple matches may indicate data dumps or accidental credential exposure"
|
|
981
|
+
},
|
|
718
982
|
{
|
|
719
983
|
"key": "secret_types",
|
|
720
984
|
"type": "array",
|
|
@@ -750,6 +1014,114 @@
|
|
|
750
1014
|
"type": "string",
|
|
751
1015
|
"required": false,
|
|
752
1016
|
"description": "Type of path traversal detected in the file read path"
|
|
1017
|
+
},
|
|
1018
|
+
{
|
|
1019
|
+
"key": "session_pii_detected",
|
|
1020
|
+
"type": "boolean",
|
|
1021
|
+
"required": false,
|
|
1022
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
1023
|
+
},
|
|
1024
|
+
{
|
|
1025
|
+
"key": "session_pii_types",
|
|
1026
|
+
"type": "array",
|
|
1027
|
+
"required": false,
|
|
1028
|
+
"description": "PII types detected across the session (accumulated)"
|
|
1029
|
+
},
|
|
1030
|
+
{
|
|
1031
|
+
"key": "session_secrets_detected",
|
|
1032
|
+
"type": "boolean",
|
|
1033
|
+
"required": false,
|
|
1034
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
1035
|
+
},
|
|
1036
|
+
{
|
|
1037
|
+
"key": "session_secret_types",
|
|
1038
|
+
"type": "array",
|
|
1039
|
+
"required": false,
|
|
1040
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
1041
|
+
},
|
|
1042
|
+
{
|
|
1043
|
+
"key": "session_injection_detected",
|
|
1044
|
+
"type": "boolean",
|
|
1045
|
+
"required": false,
|
|
1046
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
1047
|
+
},
|
|
1048
|
+
{
|
|
1049
|
+
"key": "session_command_injection",
|
|
1050
|
+
"type": "boolean",
|
|
1051
|
+
"required": false,
|
|
1052
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
1053
|
+
},
|
|
1054
|
+
{
|
|
1055
|
+
"key": "session_threat_turns",
|
|
1056
|
+
"type": "number",
|
|
1057
|
+
"required": false,
|
|
1058
|
+
"description": "Number of turns in the session where threats were detected"
|
|
1059
|
+
},
|
|
1060
|
+
{
|
|
1061
|
+
"key": "session_max_injection_score",
|
|
1062
|
+
"type": "number",
|
|
1063
|
+
"required": false,
|
|
1064
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
1065
|
+
},
|
|
1066
|
+
{
|
|
1067
|
+
"key": "session_max_jailbreak_score",
|
|
1068
|
+
"type": "number",
|
|
1069
|
+
"required": false,
|
|
1070
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
1071
|
+
},
|
|
1072
|
+
{
|
|
1073
|
+
"key": "session_max_command_injection_score",
|
|
1074
|
+
"type": "number",
|
|
1075
|
+
"required": false,
|
|
1076
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
1077
|
+
},
|
|
1078
|
+
{
|
|
1079
|
+
"key": "session_max_pii_score",
|
|
1080
|
+
"type": "number",
|
|
1081
|
+
"required": false,
|
|
1082
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
1083
|
+
},
|
|
1084
|
+
{
|
|
1085
|
+
"key": "session_max_secret_score",
|
|
1086
|
+
"type": "number",
|
|
1087
|
+
"required": false,
|
|
1088
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
1089
|
+
},
|
|
1090
|
+
{
|
|
1091
|
+
"key": "session_cumulative_risk_score",
|
|
1092
|
+
"type": "number",
|
|
1093
|
+
"required": false,
|
|
1094
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
1095
|
+
},
|
|
1096
|
+
{
|
|
1097
|
+
"key": "agent_id",
|
|
1098
|
+
"type": "string",
|
|
1099
|
+
"required": false,
|
|
1100
|
+
"description": "Unique identifier of the authenticated AI agent making this request (e.g., 'agent_research_v3'). Empty string for human user requests. Use this to write agent-specific policies"
|
|
1101
|
+
},
|
|
1102
|
+
{
|
|
1103
|
+
"key": "agent_type",
|
|
1104
|
+
"type": "string",
|
|
1105
|
+
"required": false,
|
|
1106
|
+
"description": "Type of the authenticated agent: 'orchestrator' (coordinates sub-agents), 'autonomous' (self-directed), 'tool_agent' (single-purpose tool), or 'human_proxy' (acts on behalf of a human). Empty string for human users"
|
|
1107
|
+
},
|
|
1108
|
+
{
|
|
1109
|
+
"key": "agent_trust_level",
|
|
1110
|
+
"type": "string",
|
|
1111
|
+
"required": false,
|
|
1112
|
+
"description": "Trust level of the authenticated agent: 'first_party' (your own agents), 'verified_third_party' (audited external agents), or 'unverified' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools"
|
|
1113
|
+
},
|
|
1114
|
+
{
|
|
1115
|
+
"key": "agent_framework",
|
|
1116
|
+
"type": "string",
|
|
1117
|
+
"required": false,
|
|
1118
|
+
"description": "Framework or SDK the agent is built with (e.g., 'claude-code', 'langchain', 'crewai', 'autogen'). Use this to apply framework-specific policies"
|
|
1119
|
+
},
|
|
1120
|
+
{
|
|
1121
|
+
"key": "agent_publisher",
|
|
1122
|
+
"type": "string",
|
|
1123
|
+
"required": false,
|
|
1124
|
+
"description": "Organization that published the agent (e.g., 'anthropic', 'internal', 'acme-corp'). Use this for organization-level trust policies"
|
|
753
1125
|
}
|
|
754
1126
|
]
|
|
755
1127
|
},
|
|
@@ -775,6 +1147,12 @@
|
|
|
775
1147
|
"required": false,
|
|
776
1148
|
"description": "Whether secrets were detected in the content being written. Block writes containing credentials"
|
|
777
1149
|
},
|
|
1150
|
+
{
|
|
1151
|
+
"key": "secret_count",
|
|
1152
|
+
"type": "number",
|
|
1153
|
+
"required": false,
|
|
1154
|
+
"description": "Total number of secret matches found in write content. Multiple matches may indicate data dumps or accidental credential exposure"
|
|
1155
|
+
},
|
|
778
1156
|
{
|
|
779
1157
|
"key": "secret_types",
|
|
780
1158
|
"type": "array",
|
|
@@ -810,6 +1188,114 @@
|
|
|
810
1188
|
"type": "string",
|
|
811
1189
|
"required": false,
|
|
812
1190
|
"description": "Type of path traversal detected in the file write path"
|
|
1191
|
+
},
|
|
1192
|
+
{
|
|
1193
|
+
"key": "session_pii_detected",
|
|
1194
|
+
"type": "boolean",
|
|
1195
|
+
"required": false,
|
|
1196
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
1197
|
+
},
|
|
1198
|
+
{
|
|
1199
|
+
"key": "session_pii_types",
|
|
1200
|
+
"type": "array",
|
|
1201
|
+
"required": false,
|
|
1202
|
+
"description": "PII types detected across the session (accumulated)"
|
|
1203
|
+
},
|
|
1204
|
+
{
|
|
1205
|
+
"key": "session_secrets_detected",
|
|
1206
|
+
"type": "boolean",
|
|
1207
|
+
"required": false,
|
|
1208
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
1209
|
+
},
|
|
1210
|
+
{
|
|
1211
|
+
"key": "session_secret_types",
|
|
1212
|
+
"type": "array",
|
|
1213
|
+
"required": false,
|
|
1214
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
1215
|
+
},
|
|
1216
|
+
{
|
|
1217
|
+
"key": "session_injection_detected",
|
|
1218
|
+
"type": "boolean",
|
|
1219
|
+
"required": false,
|
|
1220
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
1221
|
+
},
|
|
1222
|
+
{
|
|
1223
|
+
"key": "session_command_injection",
|
|
1224
|
+
"type": "boolean",
|
|
1225
|
+
"required": false,
|
|
1226
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
1227
|
+
},
|
|
1228
|
+
{
|
|
1229
|
+
"key": "session_threat_turns",
|
|
1230
|
+
"type": "number",
|
|
1231
|
+
"required": false,
|
|
1232
|
+
"description": "Number of turns in the session where threats were detected"
|
|
1233
|
+
},
|
|
1234
|
+
{
|
|
1235
|
+
"key": "session_max_injection_score",
|
|
1236
|
+
"type": "number",
|
|
1237
|
+
"required": false,
|
|
1238
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
1239
|
+
},
|
|
1240
|
+
{
|
|
1241
|
+
"key": "session_max_jailbreak_score",
|
|
1242
|
+
"type": "number",
|
|
1243
|
+
"required": false,
|
|
1244
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
1245
|
+
},
|
|
1246
|
+
{
|
|
1247
|
+
"key": "session_max_command_injection_score",
|
|
1248
|
+
"type": "number",
|
|
1249
|
+
"required": false,
|
|
1250
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
1251
|
+
},
|
|
1252
|
+
{
|
|
1253
|
+
"key": "session_max_pii_score",
|
|
1254
|
+
"type": "number",
|
|
1255
|
+
"required": false,
|
|
1256
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
1257
|
+
},
|
|
1258
|
+
{
|
|
1259
|
+
"key": "session_max_secret_score",
|
|
1260
|
+
"type": "number",
|
|
1261
|
+
"required": false,
|
|
1262
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
1263
|
+
},
|
|
1264
|
+
{
|
|
1265
|
+
"key": "session_cumulative_risk_score",
|
|
1266
|
+
"type": "number",
|
|
1267
|
+
"required": false,
|
|
1268
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
1269
|
+
},
|
|
1270
|
+
{
|
|
1271
|
+
"key": "agent_id",
|
|
1272
|
+
"type": "string",
|
|
1273
|
+
"required": false,
|
|
1274
|
+
"description": "Unique identifier of the authenticated AI agent making this request (e.g., 'agent_research_v3'). Empty string for human user requests. Use this to write agent-specific policies"
|
|
1275
|
+
},
|
|
1276
|
+
{
|
|
1277
|
+
"key": "agent_type",
|
|
1278
|
+
"type": "string",
|
|
1279
|
+
"required": false,
|
|
1280
|
+
"description": "Type of the authenticated agent: 'orchestrator' (coordinates sub-agents), 'autonomous' (self-directed), 'tool_agent' (single-purpose tool), or 'human_proxy' (acts on behalf of a human). Empty string for human users"
|
|
1281
|
+
},
|
|
1282
|
+
{
|
|
1283
|
+
"key": "agent_trust_level",
|
|
1284
|
+
"type": "string",
|
|
1285
|
+
"required": false,
|
|
1286
|
+
"description": "Trust level of the authenticated agent: 'first_party' (your own agents), 'verified_third_party' (audited external agents), or 'unverified' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools"
|
|
1287
|
+
},
|
|
1288
|
+
{
|
|
1289
|
+
"key": "agent_framework",
|
|
1290
|
+
"type": "string",
|
|
1291
|
+
"required": false,
|
|
1292
|
+
"description": "Framework or SDK the agent is built with (e.g., 'claude-code', 'langchain', 'crewai', 'autogen'). Use this to apply framework-specific policies"
|
|
1293
|
+
},
|
|
1294
|
+
{
|
|
1295
|
+
"key": "agent_publisher",
|
|
1296
|
+
"type": "string",
|
|
1297
|
+
"required": false,
|
|
1298
|
+
"description": "Organization that published the agent (e.g., 'anthropic', 'internal', 'acme-corp'). Use this for organization-level trust policies"
|
|
813
1299
|
}
|
|
814
1300
|
]
|
|
815
1301
|
},
|
|
@@ -894,6 +1380,114 @@
|
|
|
894
1380
|
"type": "number",
|
|
895
1381
|
"required": false,
|
|
896
1382
|
"description": "Risk score for cross-origin escalation in server connection (0-100)"
|
|
1383
|
+
},
|
|
1384
|
+
{
|
|
1385
|
+
"key": "session_pii_detected",
|
|
1386
|
+
"type": "boolean",
|
|
1387
|
+
"required": false,
|
|
1388
|
+
"description": "Whether PII was detected in any previous turn of the session"
|
|
1389
|
+
},
|
|
1390
|
+
{
|
|
1391
|
+
"key": "session_pii_types",
|
|
1392
|
+
"type": "array",
|
|
1393
|
+
"required": false,
|
|
1394
|
+
"description": "PII types detected across the session (accumulated)"
|
|
1395
|
+
},
|
|
1396
|
+
{
|
|
1397
|
+
"key": "session_secrets_detected",
|
|
1398
|
+
"type": "boolean",
|
|
1399
|
+
"required": false,
|
|
1400
|
+
"description": "Whether secrets were detected in any previous turn of the session"
|
|
1401
|
+
},
|
|
1402
|
+
{
|
|
1403
|
+
"key": "session_secret_types",
|
|
1404
|
+
"type": "array",
|
|
1405
|
+
"required": false,
|
|
1406
|
+
"description": "Secret types detected across the session (accumulated)"
|
|
1407
|
+
},
|
|
1408
|
+
{
|
|
1409
|
+
"key": "session_injection_detected",
|
|
1410
|
+
"type": "boolean",
|
|
1411
|
+
"required": false,
|
|
1412
|
+
"description": "Whether prompt injection was detected in any previous turn of the session"
|
|
1413
|
+
},
|
|
1414
|
+
{
|
|
1415
|
+
"key": "session_command_injection",
|
|
1416
|
+
"type": "boolean",
|
|
1417
|
+
"required": false,
|
|
1418
|
+
"description": "Whether command injection was detected in any previous turn of the session"
|
|
1419
|
+
},
|
|
1420
|
+
{
|
|
1421
|
+
"key": "session_threat_turns",
|
|
1422
|
+
"type": "number",
|
|
1423
|
+
"required": false,
|
|
1424
|
+
"description": "Number of turns in the session where threats were detected"
|
|
1425
|
+
},
|
|
1426
|
+
{
|
|
1427
|
+
"key": "session_max_injection_score",
|
|
1428
|
+
"type": "number",
|
|
1429
|
+
"required": false,
|
|
1430
|
+
"description": "Highest prompt injection score seen in any turn of the session (0-100). Use for tiered responses: >75 hard block, >50 restrict permissions"
|
|
1431
|
+
},
|
|
1432
|
+
{
|
|
1433
|
+
"key": "session_max_jailbreak_score",
|
|
1434
|
+
"type": "number",
|
|
1435
|
+
"required": false,
|
|
1436
|
+
"description": "Highest jailbreak detection score seen in any turn of the session (0-100)"
|
|
1437
|
+
},
|
|
1438
|
+
{
|
|
1439
|
+
"key": "session_max_command_injection_score",
|
|
1440
|
+
"type": "number",
|
|
1441
|
+
"required": false,
|
|
1442
|
+
"description": "Highest command injection score seen in any turn of the session (0-100)"
|
|
1443
|
+
},
|
|
1444
|
+
{
|
|
1445
|
+
"key": "session_max_pii_score",
|
|
1446
|
+
"type": "number",
|
|
1447
|
+
"required": false,
|
|
1448
|
+
"description": "Highest PII risk score seen in any turn of the session (0-100)"
|
|
1449
|
+
},
|
|
1450
|
+
{
|
|
1451
|
+
"key": "session_max_secret_score",
|
|
1452
|
+
"type": "number",
|
|
1453
|
+
"required": false,
|
|
1454
|
+
"description": "Highest secret detection score seen in any turn of the session (0-100)"
|
|
1455
|
+
},
|
|
1456
|
+
{
|
|
1457
|
+
"key": "session_cumulative_risk_score",
|
|
1458
|
+
"type": "number",
|
|
1459
|
+
"required": false,
|
|
1460
|
+
"description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant"
|
|
1461
|
+
},
|
|
1462
|
+
{
|
|
1463
|
+
"key": "agent_id",
|
|
1464
|
+
"type": "string",
|
|
1465
|
+
"required": false,
|
|
1466
|
+
"description": "Unique identifier of the authenticated AI agent making this request (e.g., 'agent_research_v3'). Empty string for human user requests. Use this to write agent-specific policies"
|
|
1467
|
+
},
|
|
1468
|
+
{
|
|
1469
|
+
"key": "agent_type",
|
|
1470
|
+
"type": "string",
|
|
1471
|
+
"required": false,
|
|
1472
|
+
"description": "Type of the authenticated agent: 'orchestrator' (coordinates sub-agents), 'autonomous' (self-directed), 'tool_agent' (single-purpose tool), or 'human_proxy' (acts on behalf of a human). Empty string for human users"
|
|
1473
|
+
},
|
|
1474
|
+
{
|
|
1475
|
+
"key": "agent_trust_level",
|
|
1476
|
+
"type": "string",
|
|
1477
|
+
"required": false,
|
|
1478
|
+
"description": "Trust level of the authenticated agent: 'first_party' (your own agents), 'verified_third_party' (audited external agents), or 'unverified' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools"
|
|
1479
|
+
},
|
|
1480
|
+
{
|
|
1481
|
+
"key": "agent_framework",
|
|
1482
|
+
"type": "string",
|
|
1483
|
+
"required": false,
|
|
1484
|
+
"description": "Framework or SDK the agent is built with (e.g., 'claude-code', 'langchain', 'crewai', 'autogen'). Use this to apply framework-specific policies"
|
|
1485
|
+
},
|
|
1486
|
+
{
|
|
1487
|
+
"key": "agent_publisher",
|
|
1488
|
+
"type": "string",
|
|
1489
|
+
"required": false,
|
|
1490
|
+
"description": "Organization that published the agent (e.g., 'anthropic', 'internal', 'acme-corp'). Use this for organization-level trust policies"
|
|
897
1491
|
}
|
|
898
1492
|
]
|
|
899
1493
|
}
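Review bot: The new `agent_id`, `agent_type` and `agent_trust_level` entries in hunk `@@ -372,6 +396,114 @@` (repeated identically in the hunks at `@@ -690`, `@@ -750`, `@@ -810` and `@@ -894`) are declared `"required": false` while their descriptions also define the empty string as the human-user value, so a policy author has two different "no agent" states to handle and nothing says which one a given request produces. If these keys are surfaced unchanged as Cedar context attributes, that matters: a condition that dereferences an absent attribute errors and that policy is skipped, so a forbid keyed on `agent_trust_level` could fail open for requests carrying no agent identity unless it first checks `context has agent_trust_level`. The closed value sets for `agent_trust_level` and `agent_type` also live only in prose over a plain `"type": "string"`, so a misspelt value in a request matches none of the tiers the description recommends for tiered access control; stating the allowed values explicitly and what a value outside the set maps to would close that gap. A smaller wording point: the `session_*_detected` descriptions say "any previous turn" while the `session_max_*` descriptions say "any turn of the session"; pick one so readers know whether the current turn is included. Suggested text for `agent_trust_level`: `"description": "Trust level of the authenticated agent, one of 'first_party', 'verified_third_party' or 'unverified'. Empty string for human user requests. The attribute may also be absent, so policies should check 'context has agent_trust_level' before comparing; a dereference of a missing attribute errors instead of denying"`.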
|