@highflame/policy 2.1.4 → 2.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33)
  1. package/README.md +41 -0
  2. package/_schemas/guardrails/context.json +600 -6
  3. package/_schemas/guardrails/schema.cedarschema +79 -3
  4. package/_schemas/guardrails/templates/defaults/agent_identity.cedar +118 -0
  5. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +4 -4
  6. package/_schemas/guardrails/templates/defaults/injection.cedar +10 -10
  7. package/_schemas/guardrails/templates/defaults/secrets.cedar +2 -2
  8. package/_schemas/guardrails/templates/defaults/security_patterns.cedar +1 -1
  9. package/_schemas/guardrails/templates/defaults/toxicity.cedar +3 -3
  10. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +1 -1
  11. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +4 -4
  12. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +2 -2
  13. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +3 -3
  14. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +1 -1
  15. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +2 -2
  16. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +3 -3
  17. package/_schemas/guardrails/templates/profiles/multi_agent/agent_safety.cedar +157 -0
  18. package/_schemas/guardrails/templates/profiles/multi_agent/agent_trust.cedar +140 -0
  19. package/_schemas/guardrails/templates/templates.json +41 -0
  20. package/_schemas/overwatch/context.json +232 -4
  21. package/_schemas/overwatch/schema.cedarschema +42 -4
  22. package/dist/guardrails-context.gen.d.ts +24 -2
  23. package/dist/guardrails-context.gen.js +24 -2
  24. package/dist/guardrails-defaults.gen.d.ts +1 -1
  25. package/dist/guardrails-defaults.gen.js +524 -36
  26. package/dist/overwatch-context.gen.d.ts +10 -0
  27. package/dist/overwatch-context.gen.js +10 -0
  28. package/dist/service-schemas.gen.d.ts +2 -2
  29. package/dist/service-schemas.gen.js +275 -24
  30. package/package.json +1 -1
  31. package/_schemas/guardrails/templates/profiles/chat_assistant.cedar +0 -85
  32. package/_schemas/guardrails/templates/profiles/code_agent.cedar +0 -125
  33. package/_schemas/guardrails/templates/profiles/data_pipeline.cedar +0 -111
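--- a/package/_schemas/guardrails/templates/profiles/chat_assistant.cedar
+++ b/package/_schemas/guardrails/templates/profiles/chat_assistant.cedar
@@ -1,85 +0,0 @@
-// =============================================================================
-// Chat Assistant Profile
-// =============================================================================
-// Optimized for customer-facing chatbots and conversational AI.
-// Strict content moderation, PII protection, and injection defense.
-// No tool-related policies (chat assistants don't call tools).
-//
-// Deploy: One-click deploy scopes all rules to a specific application via
-// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
-//
-// Category: organization
-// Namespace: Guardrails
-// =============================================================================
-
-@id("chat-toxicity-strict")
-@name("Strict toxicity for chat")
-@description("Lower thresholds for customer-facing content — blocks toxicity above 70")
-@severity("critical")
-@tags("profile,chat-assistant,toxicity,trust-safety")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.violence_score > 70 ||
-context.hate_speech_score > 70 ||
-context.sexual_score > 70 ||
-context.profanity_score > 70
-};
-
-@id("chat-pii-block-input-output")
-@name("Block PII in both directions")
-@description("Blocks PII in both user inputs and assistant outputs for chat applications")
-@severity("high")
-@tags("profile,chat-assistant,pii,privacy")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.pii_detected == true
-};
-
-@id("chat-injection-lower-threshold")
-@name("Aggressive injection defense for chat")
-@description("Lower injection threshold for public-facing chat — blocks above 70")
-@severity("high")
-@tags("profile,chat-assistant,injection,security")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.injection_score > 70
-};
-
-@id("chat-jailbreak-lower-threshold")
-@name("Aggressive jailbreak defense for chat")
-@description("Lower jailbreak threshold for public-facing chat — blocks above 65")
-@severity("high")
-@tags("profile,chat-assistant,jailbreak,security")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.jailbreak_score > 65
-};
-
-@id("chat-topic-restriction")
-@name("Block restricted topics in chat")
-@description("Prevents chat assistants from discussing dangerous or regulated topics")
-@severity("high")
-@tags("profile,chat-assistant,semantic,compliance")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.topic_confidence > 70 &&
-(context.content_topics.contains("weapons_manufacturing") ||
-context.content_topics.contains("illegal_activity") ||
-context.content_topics.contains("controlled_substances") ||
-context.content_topics.contains("financial_fraud"))
-};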
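--- a/package/_schemas/guardrails/templates/profiles/code_agent.cedar
+++ b/package/_schemas/guardrails/templates/profiles/code_agent.cedar
@@ -1,125 +0,0 @@
-// =============================================================================
-// Code Agent Profile
-// =============================================================================
-// Optimized for coding assistants and agentic development tools.
-// Focuses on tool risk, shell execution controls, agentic safety patterns,
-// and data exfiltration prevention. Relaxed toxicity (code discussions may
-// reference security topics legitimately).
-//
-// Deploy: One-click deploy scopes all rules to a specific application via
-// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
-//
-// Category: agentic_security
-// Namespace: Guardrails
-// =============================================================================
-
-@id("code-block-dangerous-tools")
-@name("Block dangerous tool execution")
-@description("Forbids tools classified as dangerous or with very high risk scores")
-@severity("critical")
-@tags("profile,code-agent,tools,agentic")
-forbid (
-principal,
-action == Guardrails::Action::"call_tool",
-resource
-) when {
-context.tool_risk_score > 85 ||
-context.tool_category == "dangerous"
-};
-
-@id("code-block-shell-execution")
-@name("Block direct shell commands")
-@description("Forbids direct shell and command execution tools")
-@severity("high")
-@tags("profile,code-agent,tools,shell")
-forbid (
-principal,
-action == Guardrails::Action::"call_tool",
-resource
-) when {
-context.tool_name == "shell" ||
-context.tool_name == "execute_command" ||
-context.tool_name == "bash"
-};
-
-@id("code-block-sensitive-tools")
-@name("Block sensitive tools with elevated risk")
-@description("Forbids sensitive tool calls with risk above 70")
-@severity("high")
-@tags("profile,code-agent,tools,security")
-forbid (
-principal,
-action == Guardrails::Action::"call_tool",
-resource
-) when {
-context.tool_is_sensitive == true &&
-context.tool_risk_score > 70
-};
-
-@id("code-block-loops")
-@name("Block tool call loops")
-@description("Stops infinite tool call loops in agentic workflows")
-@severity("high")
-@tags("profile,code-agent,agentic,loops")
-forbid (
-principal,
-action == Guardrails::Action::"call_tool",
-resource
-) when {
-context.loop_detected == true &&
-context.loop_count > 5
-};
-
-@id("code-block-exfiltration")
-@name("Block data exfiltration patterns")
-@description("Detects and blocks read → send patterns indicating data theft")
-@severity("critical")
-@tags("profile,code-agent,agentic,exfiltration")
-forbid (
-principal,
-action,
-resource
-) when {
-context.suspicious_pattern == true &&
-(context.pattern_type == "data_exfiltration" ||
-context.pattern_type == "secret_exfiltration")
-};
-
-@id("code-block-high-sequence-risk")
-@name("Block high-risk action sequences")
-@description("Forbids suspicious multi-step tool sequences with risk above 75")
-@severity("high")
-@tags("profile,code-agent,agentic,patterns")
-forbid (
-principal,
-action,
-resource
-) when {
-context.sequence_risk > 75
-};
-
-@id("code-block-budget-exceeded")
-@name("Block on budget exceeded")
-@description("Stops agent execution when token budget is exhausted")
-@severity("medium")
-@tags("profile,code-agent,budget,cost-control")
-forbid (
-principal,
-action,
-resource
-) when {
-context.budget_exceeded == true
-};
-
-@id("code-block-write-secrets")
-@name("Block writing secrets to files")
-@description("Prevents code agents from writing detected secrets to output files")
-@severity("critical")
-@tags("profile,code-agent,secrets,security")
-forbid (
-principal,
-action == Guardrails::Action::"write_file",
-resource
-) when {
-context.contains_secrets == true
-};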
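--- a/package/_schemas/guardrails/templates/profiles/data_pipeline.cedar
+++ b/package/_schemas/guardrails/templates/profiles/data_pipeline.cedar
@@ -1,111 +0,0 @@
-// =============================================================================
-// Data Pipeline Profile
-// =============================================================================
-// Optimized for RAG pipelines, data processing agents, and retrieval systems.
-// Strong PII and secrets protection, exfiltration detection, and output
-// filtering. Focused on data integrity and privacy compliance.
-//
-// Deploy: One-click deploy scopes all rules to a specific application via
-// resource == Guardrails::App::"<app-uuid>" (injected at deploy time).
-//
-// Category: privacy
-// Namespace: Guardrails
-// =============================================================================
-
-@id("data-pii-block-all")
-@name("Block all PII in data pipeline")
-@description("Forbids any PII in both inputs and outputs — data pipelines must not process or leak PII")
-@severity("critical")
-@tags("profile,data-pipeline,pii,privacy")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.pii_detected == true
-};
-
-@id("data-pii-block-sensitive-types")
-@name("Block sensitive PII types strictly")
-@description("Zero-tolerance for SSN, credit cards, passport numbers, and medical IDs in data pipelines")
-@severity("critical")
-@tags("profile,data-pipeline,pii,compliance")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.pii_types.contains("ssn") ||
-context.pii_types.contains("credit_card") ||
-context.pii_types.contains("passport") ||
-context.pii_types.contains("medical_id") ||
-context.pii_types.contains("tax_id")
-};
-
-@id("data-secrets-strict")
-@name("Strict secrets detection for data pipeline")
-@description("Blocks any content containing secrets — even a single match")
-@severity("critical")
-@tags("profile,data-pipeline,secrets,security")
-forbid (
-principal,
-action,
-resource
-) when {
-context.contains_secrets == true
-};
-
-@id("data-block-exfiltration")
-@name("Block data exfiltration from pipeline")
-@description("Prevents retrieval data from being sent to external endpoints")
-@severity("critical")
-@tags("profile,data-pipeline,exfiltration,security")
-forbid (
-principal,
-action,
-resource
-) when {
-context.suspicious_pattern == true &&
-(context.pattern_type == "data_exfiltration" ||
-context.pattern_type == "db_exfiltration")
-};
-
-@id("data-block-high-risk-tools")
-@name("Block high-risk tools in pipeline")
-@description("Forbids tools with elevated risk in data processing context")
-@severity("high")
-@tags("profile,data-pipeline,tools,security")
-forbid (
-principal,
-action == Guardrails::Action::"call_tool",
-resource
-) when {
-context.tool_risk_score > 60
-};
-
-@id("data-block-output-secrets")
-@name("Block secrets in pipeline outputs")
-@description("Prevents data pipeline from writing secrets to any output")
-@severity("critical")
-@tags("profile,data-pipeline,secrets,output")
-forbid (
-principal,
-action == Guardrails::Action::"write_file",
-resource
-) when {
-context.contains_secrets == true ||
-context.secret_count > 0
-};
-
-@id("data-injection-defense")
-@name("Pipeline injection defense")
-@description("Lower injection threshold for data pipelines — RAG inputs are high-risk for injection")
-@severity("high")
-@tags("profile,data-pipeline,injection,security")
-forbid (
-principal,
-action == Guardrails::Action::"process_prompt",
-resource
-) when {
-context.injection_score > 65
-};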