npm - @highflame/policy - Versions diffs - 2.1.4 → 2.1.6 - Mend

@highflame/policy 2.1.4 → 2.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/_schemas/guardrails/schema.cedarschema CHANGED Viewed

@@ -96,8 +96,12 @@ namespace Guardrails {
         "detector_count": Long,
         // Security - Injection & Jailbreak (optional)
-        "injection_score"?: Long,        // 0-100
-        "jailbreak_score"?: Long,        // 0-100
+        "injection_confidence"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)
+        "jailbreak_confidence"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
+        "jailbreak_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "jailbreak_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
         "injection_type"?: String,       // "prompt" | "sql" | "command" | "none"
         // Privacy - Secrets (optional)
@@ -183,6 +187,21 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        // Present when the request is made by an AI agent (API key or JWT with agent claims).
+        // Empty strings for human user requests. Use these to write agent-specific policies.
+        "agent_id"?: String,             // Unique agent identifier (e.g., "agent_research_v3")
+        "agent_type"?: String,           // "orchestrator" | "autonomous" | "tool_agent" | "human_proxy"
+        "agent_trust_level"?: String,    // "first_party" | "verified_third_party" | "unverified"
+        "agent_framework"?: String,      // Agent framework (e.g., "claude-code", "langchain", "crewai")
+        "agent_publisher"?: String,      // Organization that published the agent
     };
@@ -224,10 +243,13 @@ namespace Guardrails {
         // Security checks on tool arguments (optional)
         "contains_secrets"?: Bool,
+        "secret_count"?: Long,
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
-        "injection_score"?: Long,
+        "injection_confidence"?: Long,
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
         // Security - Pattern Detection (optional)
         "command_injection_detected"?: Bool,
@@ -276,6 +298,19 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
     };
@@ -287,6 +322,7 @@ namespace Guardrails {
         // Security checks on file content (optional)
         "contains_secrets"?: Bool,
+        "secret_count"?: Long,
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
@@ -304,6 +340,19 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
     };
@@ -315,6 +364,7 @@ namespace Guardrails {
         // Security checks on content being written (optional)
         "contains_secrets"?: Bool,
+        "secret_count"?: Long,
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
@@ -332,6 +382,19 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
     };
@@ -368,6 +431,19 @@ namespace Guardrails {
         "session_injection_detected"?: Bool,
         "session_command_injection"?: Bool,
         "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
     };
 }

package/_schemas/guardrails/templates/defaults/agent_identity.cedar ADDED Viewed

@@ -0,0 +1,118 @@
+// =============================================================================
+// Agent Identity Policy — Agent-to-Agent Security Defaults
+// =============================================================================
+// Enforces trust-based access control for AI agents authenticated via API key
+// or JWT with agent claims. These policies use agent identity context keys
+// populated from Shield's authentication layer.
+//
+// Agent trust levels:
+//   - first_party:          Your own agents (highest trust)
+//   - verified_third_party: Audited external agents (medium trust)
+//   - unverified:           Unknown/untrusted agents (lowest trust)
+//
+// Agent types:
+//   - orchestrator:   Coordinates sub-agents
+//   - autonomous:     Self-directed, no human in the loop
+//   - tool_agent:     Single-purpose tool execution
+//   - human_proxy:    Acts on behalf of a human
+//
+// Context keys used:
+// - agent_id: String - Unique agent identifier
+// - agent_type: String - Agent classification
+// - agent_trust_level: String - Trust tier
+// - agent_framework: String - Agent framework/SDK
+// - agent_publisher: String - Publishing organization
+// - tool_name: String - Tool being called
+// - tool_category: String - "safe" | "sensitive" | "dangerous"
+// - tool_risk_score: Long (0-100) - Computed risk score
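+// - injection_confidence: Long (0-100) - Injection detection score
+// - tool_is_sensitive: Bool - Whether the tool is flagged as sensitive
+// - session_threat_turns: Long - Number of session turns with detected threats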
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+// -----------------------------------------------------------------------------
+// Trust-Based Tool Access
+// -----------------------------------------------------------------------------
+// Forbids call_tool for Agent principals whose trust level is "unverified"
+// when the tool is categorized as "dangerous".
+// agent_trust_level is an optional context attribute in the Guardrails schema,
+// so it is tested with `has` before being read; a request without it simply
+// does not match instead of raising an evaluation error.
+@id("agent-block-unverified-dangerous-tools")
+@name("Block unverified agents from dangerous tools")
+@description("Unverified agents cannot execute tools classified as dangerous. Require first_party or verified_third_party trust level for high-risk operations")
+@severity("critical")
+@tags("agent-identity,trust,tools,a2a")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has tool_category && context.tool_category == "dangerous"
+};
+// Forbids call_tool for Agent principals whose trust level is "unverified"
+// when the tool name is one of "shell", "execute_command" or "bash".
+// agent_trust_level is an optional context attribute in the Guardrails schema,
+// so it is tested with `has` before being read, matching the guard already
+// applied to tool_name.
+@id("agent-block-unverified-shell")
+@name("Block unverified agents from shell execution")
+@description("Shell and command execution are restricted to first_party and verified_third_party agents")
+@severity("critical")
+@tags("agent-identity,trust,shell,a2a")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has tool_name &&
+    (context.tool_name == "shell" ||
+     context.tool_name == "execute_command" ||
+     context.tool_name == "bash")
+};
+// Forbids call_tool for Agent principals whose trust level is "unverified"
+// when the tool is flagged sensitive (tool_is_sensitive == true) and its
+// tool_risk_score is strictly greater than 60.
+// agent_trust_level is an optional context attribute in the Guardrails schema,
+// so it is tested with `has` before being read, like the other two attributes.
+@id("agent-block-unverified-sensitive-tools")
+@name("Block unverified agents from sensitive tools with elevated risk")
+@description("Unverified agents cannot execute sensitive tools with risk score above 60")
+@severity("high")
+@tags("agent-identity,trust,tools,a2a")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true &&
+    context has tool_risk_score && context.tool_risk_score > 60
+};
+// -----------------------------------------------------------------------------
+// Autonomous Agent Restrictions
+// -----------------------------------------------------------------------------
+// Forbids process_prompt for Agent principals of type "autonomous" when
+// injection_confidence is strictly greater than 50.
+// agent_type is an optional context attribute in the Guardrails schema, so it
+// is tested with `has` before being read; a request without it does not match
+// instead of raising an evaluation error.
+// NOTE(review): the description cites a standard threshold of 80, while the
+// default injection policy in this package blocks at injection_confidence > 85
+// — confirm which figure is intended.
+@id("agent-block-autonomous-injection")
+@name("Stricter injection threshold for autonomous agents")
+@description("Autonomous agents operate without human oversight. Apply lower injection confidence threshold (50 vs standard 80) to compensate for lack of human review")
+@severity("high")
+@tags("agent-identity,autonomous,injection,a2a")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+) when {
+    context has agent_type && context.agent_type == "autonomous" &&
+    context has injection_confidence && context.injection_confidence > 50
+};
+// -----------------------------------------------------------------------------
+// Cross-Turn Agent Trust Enforcement
+// -----------------------------------------------------------------------------
+// Forbids call_tool for Agent principals whose trust level is "unverified"
+// once session_threat_turns is greater than zero.
+// agent_trust_level is an optional context attribute in the Guardrails schema,
+// so it is tested with `has` before being read, matching the guard already
+// applied to session_threat_turns.
+@id("agent-block-unverified-after-threats")
+@name("Block unverified agents after session threats")
+@description("If any prior turn in the session detected threats, block unverified agents from further tool calls. Prevents compromised sessions from being exploited by untrusted agents")
+@severity("critical")
+@tags("agent-identity,trust,session,cross-turn,a2a")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+) when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has session_threat_turns && context.session_threat_turns > 0
+};

package/_schemas/guardrails/templates/defaults/agentic_safety.cedar CHANGED Viewed

@@ -40,7 +40,7 @@ forbid (
 @tags("agentic,exfiltration,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has suspicious_pattern && context.suspicious_pattern == true &&
@@ -59,7 +59,7 @@ forbid (
 @tags("agentic,patterns,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has sequence_risk && context.sequence_risk > 80
@@ -72,7 +72,7 @@ forbid (
 @tags("agentic,budget,cost-control")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has budget_exceeded && context.budget_exceeded == true
@@ -85,7 +85,7 @@ forbid (
 @tags("agentic,budget,cost-control")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has budget_remaining_pct &&

package/_schemas/guardrails/templates/defaults/injection.cedar CHANGED Viewed

@@ -5,8 +5,8 @@
 // Uses ML-based confidence scores from normalized context.
 //
 // Context keys used (normalized by projection layer):
-// - injection_score: Long (0-100) - Overall injection confidence
-// - jailbreak_score: Long (0-100) - Jailbreak attempt confidence
+// - injection_confidence: Long (0-100) - Overall injection confidence
+// - jailbreak_confidence: Long (0-100) - Jailbreak attempt confidence
 // - injection_type: String - Type of injection detected
 // - contains_invisible_chars: Bool - Invisible Unicode characters detected
 // - invisible_chars_score: Long (0-100) - Invisible character density
@@ -22,10 +22,10 @@
 @tags("injection,jailbreak,security")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
 ) when {
-    context has injection_score && context.injection_score > 85
+    context has injection_confidence && context.injection_confidence > 85
 };
 @id("jailbreak-block-high-confidence")
@@ -35,10 +35,10 @@ forbid (
 @tags("jailbreak,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
-    context has jailbreak_score && context.jailbreak_score > 80
+    context has jailbreak_confidence && context.jailbreak_confidence > 80
 };
 @id("injection-combined-threshold")
@@ -48,11 +48,11 @@ forbid (
 @tags("injection,jailbreak,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
-    context has injection_score && context has jailbreak_score &&
-    context.injection_score > 60 && context.jailbreak_score > 60
+    context has injection_confidence && context has jailbreak_confidence &&
+    context.injection_confidence > 60 && context.jailbreak_confidence > 60
 };
 @id("injection-invisible-chars")
@@ -62,7 +62,7 @@ forbid (
 @tags("injection,unicode,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
     context has contains_invisible_chars && context.contains_invisible_chars == true &&

package/_schemas/guardrails/templates/defaults/secrets.cedar CHANGED Viewed

@@ -20,7 +20,7 @@
 @tags("secrets,security,data-leak")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has contains_secrets && context.contains_secrets == true
@@ -33,7 +33,7 @@ forbid (
 @tags("secrets,security,data-leak")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has secret_count && context.secret_count > 2

package/_schemas/guardrails/templates/defaults/security_patterns.cedar CHANGED Viewed

@@ -36,7 +36,7 @@ forbid (
 @tags("path-traversal,security")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has path_traversal_detected && context.path_traversal_detected == true &&

package/_schemas/guardrails/templates/defaults/toxicity.cedar CHANGED Viewed

@@ -23,7 +23,7 @@
 @tags("toxicity,trust-safety")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
     (context has violence_score && context.violence_score > 90) ||
@@ -41,7 +41,7 @@ forbid (
 @tags("hate-speech,trust-safety")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
     context has hate_speech_score && context.hate_speech_score > 75
@@ -54,7 +54,7 @@ forbid (
 @tags("toxicity,trust-safety")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
     // Any 2 of 6 toxicity scores above 60 triggers a block

package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar CHANGED Viewed

@@ -15,7 +15,7 @@
 @tags("profile,chat-assistant,pii,privacy")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has pii_detected && context.pii_detected == true

package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar CHANGED Viewed

@@ -15,10 +15,10 @@
 @tags("profile,chat-assistant,injection,security")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
 ) when {
-    context has injection_score && context.injection_score > 70
+    context has injection_confidence && context.injection_confidence > 70
 };
 @id("chat-jailbreak-lower-threshold")
@@ -28,8 +28,8 @@ forbid (
 @tags("profile,chat-assistant,jailbreak,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
-    context has jailbreak_score && context.jailbreak_score > 65
+    context has jailbreak_confidence && context.jailbreak_confidence > 65
 };

package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar CHANGED Viewed

@@ -15,7 +15,7 @@
 @tags("profile,chat-assistant,toxicity,trust-safety")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"process_prompt",
     resource
 ) when {
     (context has violence_score && context.violence_score > 70) ||
@@ -31,7 +31,7 @@ forbid (
 @tags("profile,chat-assistant,semantic,compliance")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
 ) when {
     context has topic_confidence && context.topic_confidence > 70 &&

package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar CHANGED Viewed

@@ -73,7 +73,7 @@ forbid (
 @tags("profile,code-agent,agentic,exfiltration")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has suspicious_pattern && context.suspicious_pattern == true &&
@@ -89,7 +89,7 @@ forbid (
 @tags("profile,code-agent,agentic,patterns")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has sequence_risk && context.sequence_risk > 75
@@ -102,7 +102,7 @@ forbid (
 @tags("profile,code-agent,budget,cost-control")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has budget_exceeded && context.budget_exceeded == true

package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar CHANGED Viewed

@@ -15,7 +15,7 @@
 @tags("profile,data-pipeline,exfiltration,security")
 forbid (
     principal,
-    action,
+    action == Guardrails::Action::"call_tool",
     resource
 ) when {
     context has suspicious_pattern && context.suspicious_pattern == true &&

package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar CHANGED Viewed

@@ -15,7 +15,7 @@
 @tags("profile,data-pipeline,pii,privacy")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has pii_detected && context.pii_detected == true
@@ -28,7 +28,7 @@ forbid (
 @tags("profile,data-pipeline,pii,compliance")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has pii_types &&

package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar CHANGED Viewed

@@ -15,7 +15,7 @@
 @tags("profile,data-pipeline,secrets,security")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
     resource
 ) when {
     context has contains_secrets && context.contains_secrets == true
@@ -42,8 +42,8 @@ forbid (
 @tags("profile,data-pipeline,injection,security")
 forbid (
     principal,
-    action,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
     resource
 ) when {
-    context has injection_score && context.injection_score > 65
+    context has injection_confidence && context.injection_confidence > 65
 };