@highflame/policy 2.1.40 → 2.1.42
- package/_schemas/ai_gateway/context.json +66 -0
- package/_schemas/ai_gateway/schema.cedarschema +18 -0
- package/_schemas/guardrails/context.json +66 -0
- package/_schemas/guardrails/schema.cedarschema +18 -0
- package/_schemas/overwatch/context.json +66 -0
- package/_schemas/overwatch/schema.cedarschema +18 -0
- package/_schemas/sentry/context.json +48 -0
- package/_schemas/sentry/schema.cedarschema +12 -0
- package/dist/aarm-annotation.d.ts +120 -0
- package/dist/aarm-annotation.js +494 -0
- package/dist/aarm-annotations.gen.js +1 -1
- package/dist/ai_gateway-context.gen.d.ts +3 -0
- package/dist/ai_gateway-context.gen.js +3 -0
- package/dist/guardrails-context.gen.d.ts +3 -0
- package/dist/guardrails-context.gen.js +3 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.js +3 -0
- package/dist/overwatch-context.gen.d.ts +3 -0
- package/dist/overwatch-context.gen.js +3 -0
- package/dist/sentry-context.gen.d.ts +2 -0
- package/dist/sentry-context.gen.js +2 -0
- package/dist/service-schemas.gen.d.ts +4 -4
- package/dist/service-schemas.gen.js +107 -0
- package/dist/types.d.ts +1 -0
- package/dist/types.js +3 -0
- package/package.json +1 -1
|
@@ -7,6 +7,18 @@
|
|
|
7
7
|
"name": "call_tool",
|
|
8
8
|
"description": "Call an MCP tool — threat focus: command injection, tool poisoning, rug pull, secrets, PII",
|
|
9
9
|
"context_attributes": [
|
|
10
|
+
{
|
|
11
|
+
"key": "role",
|
|
12
|
+
"type": "string",
|
|
13
|
+
"required": false,
|
|
14
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"key": "privilege_scope",
|
|
18
|
+
"type": "array",
|
|
19
|
+
"required": false,
|
|
20
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
21
|
+
},
|
|
10
22
|
{
|
|
11
23
|
"key": "content",
|
|
12
24
|
"type": "string",
|
|
@@ -169,6 +181,12 @@
|
|
|
169
181
|
"required": false,
|
|
170
182
|
"description": "Built-in tool flag"
|
|
171
183
|
},
|
|
184
|
+
{
|
|
185
|
+
"key": "tool_operation_classes",
|
|
186
|
+
"type": "array",
|
|
187
|
+
"required": false,
|
|
188
|
+
"description": "All operation classes observed in the tool call. Subset of: 'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'. 'unknown' appears when any unrecognized or variable-expanded command was seen."
|
|
189
|
+
},
|
|
172
190
|
{
|
|
173
191
|
"key": "mcp_server_verified",
|
|
174
192
|
"type": "boolean",
|
|
@@ -337,6 +355,18 @@
|
|
|
337
355
|
"name": "connect_server",
|
|
338
356
|
"description": "Connect to an MCP server — threat focus: supply chain, tool poisoning, config risk",
|
|
339
357
|
"context_attributes": [
|
|
358
|
+
{
|
|
359
|
+
"key": "role",
|
|
360
|
+
"type": "string",
|
|
361
|
+
"required": false,
|
|
362
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
363
|
+
},
|
|
364
|
+
{
|
|
365
|
+
"key": "privilege_scope",
|
|
366
|
+
"type": "array",
|
|
367
|
+
"required": false,
|
|
368
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
369
|
+
},
|
|
340
370
|
{
|
|
341
371
|
"key": "content",
|
|
342
372
|
"type": "string",
|
|
@@ -547,6 +577,18 @@
|
|
|
547
577
|
"name": "process_prompt",
|
|
548
578
|
"description": "Process a prompt (MCP or LLM chat completion) — threat focus: injection, jailbreak, secrets, PII, content safety",
|
|
549
579
|
"context_attributes": [
|
|
580
|
+
{
|
|
581
|
+
"key": "role",
|
|
582
|
+
"type": "string",
|
|
583
|
+
"required": false,
|
|
584
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
585
|
+
},
|
|
586
|
+
{
|
|
587
|
+
"key": "privilege_scope",
|
|
588
|
+
"type": "array",
|
|
589
|
+
"required": false,
|
|
590
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
591
|
+
},
|
|
550
592
|
{
|
|
551
593
|
"key": "content",
|
|
552
594
|
"type": "string",
|
|
@@ -787,6 +829,18 @@
|
|
|
787
829
|
"name": "read_file",
|
|
788
830
|
"description": "Read an MCP resource — threat focus: secrets exposure, PII exposure",
|
|
789
831
|
"context_attributes": [
|
|
832
|
+
{
|
|
833
|
+
"key": "role",
|
|
834
|
+
"type": "string",
|
|
835
|
+
"required": false,
|
|
836
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
837
|
+
},
|
|
838
|
+
{
|
|
839
|
+
"key": "privilege_scope",
|
|
840
|
+
"type": "array",
|
|
841
|
+
"required": false,
|
|
842
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
843
|
+
},
|
|
790
844
|
{
|
|
791
845
|
"key": "content",
|
|
792
846
|
"type": "string",
|
|
@@ -955,6 +1009,18 @@
|
|
|
955
1009
|
"name": "write_file",
|
|
956
1010
|
"description": "Write an MCP resource — threat focus: secrets in output, PII in output",
|
|
957
1011
|
"context_attributes": [
|
|
1012
|
+
{
|
|
1013
|
+
"key": "role",
|
|
1014
|
+
"type": "string",
|
|
1015
|
+
"required": false,
|
|
1016
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
1017
|
+
},
|
|
1018
|
+
{
|
|
1019
|
+
"key": "privilege_scope",
|
|
1020
|
+
"type": "array",
|
|
1021
|
+
"required": false,
|
|
1022
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
1023
|
+
},
|
|
958
1024
|
{
|
|
959
1025
|
"key": "content",
|
|
960
1026
|
"type": "string",
|
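Review bot: The `privilege_scope` and `tool_operation_classes` entries added under `call_tool` declare only `"type": "array"`, so the element type (the Cedar schema in this package says `Set<String>`) and the five allowed operation classes exist only in the description prose. Anything that builds validation or policy-authoring hints from this descriptor cannot reject a non-string element or a misspelled class, and a policy comparing against a misspelled class would simply never match. If the descriptor format has a field for element type or allowed values, it should be filled in here; otherwise open the descriptions with `Array of strings.` so the contract is at least stated. The `privilege_scope` text also says only "no claim" where the `role` text says "no role claim", and neither says whether an empty claim yields an empty array or an absent key. The same entries are added in the guardrails, overwatch and sentry `context.json` files.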
|
@@ -73,6 +73,9 @@ action call_tool appliesTo {
|
|
|
73
73
|
principal: [User, MCP_Client],
|
|
74
74
|
resource: [Tool],
|
|
75
75
|
context: {
|
|
76
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
77
|
+
role?: String,
|
|
78
|
+
privilege_scope?: Set<String>,
|
|
76
79
|
// --- Content ---
|
|
77
80
|
content: String, // Raw content being scanned
|
|
78
81
|
|
|
@@ -116,6 +119,9 @@ action call_tool appliesTo {
|
|
|
116
119
|
tool_is_sensitive?: Bool,
|
|
117
120
|
tool_is_builtin?: Bool,
|
|
118
121
|
|
|
122
|
+
// --- Tool Operation Classifier ---
|
|
123
|
+
tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
124
|
+
|
|
119
125
|
// --- MCP Trust ---
|
|
120
126
|
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
121
127
|
|
|
@@ -176,6 +182,9 @@ action connect_server appliesTo {
|
|
|
176
182
|
principal: [User, MCP_Client],
|
|
177
183
|
resource: [Server],
|
|
178
184
|
context: {
|
|
185
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
186
|
+
role?: String,
|
|
187
|
+
privilege_scope?: Set<String>,
|
|
179
188
|
content?: String, // Server config content (if available)
|
|
180
189
|
mcp_server?: String,
|
|
181
190
|
|
|
@@ -245,6 +254,9 @@ action process_prompt appliesTo {
|
|
|
245
254
|
principal: [User, MCP_Client],
|
|
246
255
|
resource: [LlmPrompt],
|
|
247
256
|
context: {
|
|
257
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
258
|
+
role?: String,
|
|
259
|
+
privilege_scope?: Set<String>,
|
|
248
260
|
content: String,
|
|
249
261
|
mcp_server?: String,
|
|
250
262
|
|
|
@@ -323,6 +335,9 @@ action read_file appliesTo {
|
|
|
323
335
|
principal: [User, MCP_Client],
|
|
324
336
|
resource: [FilePath],
|
|
325
337
|
context: {
|
|
338
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
339
|
+
role?: String,
|
|
340
|
+
privilege_scope?: Set<String>,
|
|
326
341
|
content: String,
|
|
327
342
|
mcp_server?: String,
|
|
328
343
|
|
|
@@ -381,6 +396,9 @@ action write_file appliesTo {
|
|
|
381
396
|
principal: [User, MCP_Client],
|
|
382
397
|
resource: [FilePath],
|
|
383
398
|
context: {
|
|
399
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
400
|
+
role?: String,
|
|
401
|
+
privilege_scope?: Set<String>,
|
|
384
402
|
content: String,
|
|
385
403
|
mcp_server?: String,
|
|
386
404
|
|
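Review bot: The new `role?` and `privilege_scope?` context attributes are optional in every action, but the comment above them does not tell policy authors to guard reads with `context has role` and `context has privilege_scope`. In Cedar, reading an absent attribute is an evaluation error and an erroring policy is skipped, so a `forbid` conditioned on `context.role != "finance_lead"` would not fire for a token without a role claim; the restrictive rule fails open for the callers that carry the least identity information. Validating policies against this schema should flag the unguarded access, though whether that validation is enforced is not visible in this diff. I would extend the comment to say that policies must test `context has role` (and `context has privilege_scope`) before reading either attribute. The same three lines are added in the guardrails, overwatch and sentry schemas.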
|
@@ -7,6 +7,18 @@
|
|
|
7
7
|
"name": "process_prompt",
|
|
8
8
|
"description": "Analyze user prompts and AI responses for security threats, PII, and content violations",
|
|
9
9
|
"context_attributes": [
|
|
10
|
+
{
|
|
11
|
+
"key": "role",
|
|
12
|
+
"type": "string",
|
|
13
|
+
"required": false,
|
|
14
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"key": "privilege_scope",
|
|
18
|
+
"type": "array",
|
|
19
|
+
"required": false,
|
|
20
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
21
|
+
},
|
|
10
22
|
{
|
|
11
23
|
"key": "request_id",
|
|
12
24
|
"type": "string",
|
|
@@ -523,6 +535,18 @@
|
|
|
523
535
|
"name": "call_tool",
|
|
524
536
|
"description": "Execute agentic tool calls, including shell commands, file operations, and MCP tools",
|
|
525
537
|
"context_attributes": [
|
|
538
|
+
{
|
|
539
|
+
"key": "role",
|
|
540
|
+
"type": "string",
|
|
541
|
+
"required": false,
|
|
542
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
543
|
+
},
|
|
544
|
+
{
|
|
545
|
+
"key": "privilege_scope",
|
|
546
|
+
"type": "array",
|
|
547
|
+
"required": false,
|
|
548
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
549
|
+
},
|
|
526
550
|
{
|
|
527
551
|
"key": "request_id",
|
|
528
552
|
"type": "string",
|
|
@@ -805,6 +829,12 @@
|
|
|
805
829
|
"required": false,
|
|
806
830
|
"description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks"
|
|
807
831
|
},
|
|
832
|
+
{
|
|
833
|
+
"key": "tool_operation_classes",
|
|
834
|
+
"type": "array",
|
|
835
|
+
"required": false,
|
|
836
|
+
"description": "All operation classes observed in the tool call. Subset of: 'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'. 'unknown' appears when any unrecognized or variable-expanded command was seen."
|
|
837
|
+
},
|
|
808
838
|
{
|
|
809
839
|
"key": "cross_origin_detected",
|
|
810
840
|
"type": "boolean",
|
|
@@ -1009,6 +1039,18 @@
|
|
|
1009
1039
|
"name": "read_file",
|
|
1010
1040
|
"description": "Read file operations for analyzing file content before allowing access",
|
|
1011
1041
|
"context_attributes": [
|
|
1042
|
+
{
|
|
1043
|
+
"key": "role",
|
|
1044
|
+
"type": "string",
|
|
1045
|
+
"required": false,
|
|
1046
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
1047
|
+
},
|
|
1048
|
+
{
|
|
1049
|
+
"key": "privilege_scope",
|
|
1050
|
+
"type": "array",
|
|
1051
|
+
"required": false,
|
|
1052
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
1053
|
+
},
|
|
1012
1054
|
{
|
|
1013
1055
|
"key": "request_id",
|
|
1014
1056
|
"type": "string",
|
|
@@ -1189,6 +1231,18 @@
|
|
|
1189
1231
|
"name": "write_file",
|
|
1190
1232
|
"description": "Write file operations for preventing writes of sensitive content",
|
|
1191
1233
|
"context_attributes": [
|
|
1234
|
+
{
|
|
1235
|
+
"key": "role",
|
|
1236
|
+
"type": "string",
|
|
1237
|
+
"required": false,
|
|
1238
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
1239
|
+
},
|
|
1240
|
+
{
|
|
1241
|
+
"key": "privilege_scope",
|
|
1242
|
+
"type": "array",
|
|
1243
|
+
"required": false,
|
|
1244
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
1245
|
+
},
|
|
1192
1246
|
{
|
|
1193
1247
|
"key": "request_id",
|
|
1194
1248
|
"type": "string",
|
|
@@ -1381,6 +1435,18 @@
|
|
|
1381
1435
|
"name": "connect_server",
|
|
1382
1436
|
"description": "Connect to an MCP server, used to control which MCP servers are allowed",
|
|
1383
1437
|
"context_attributes": [
|
|
1438
|
+
{
|
|
1439
|
+
"key": "role",
|
|
1440
|
+
"type": "string",
|
|
1441
|
+
"required": false,
|
|
1442
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
1443
|
+
},
|
|
1444
|
+
{
|
|
1445
|
+
"key": "privilege_scope",
|
|
1446
|
+
"type": "array",
|
|
1447
|
+
"required": false,
|
|
1448
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
1449
|
+
},
|
|
1384
1450
|
{
|
|
1385
1451
|
"key": "request_id",
|
|
1386
1452
|
"type": "string",
|
|
@@ -96,6 +96,9 @@ namespace Guardrails {
|
|
|
96
96
|
|
|
97
97
|
/// Context for process_prompt action (user prompts & AI responses)
|
|
98
98
|
type ProcessPromptContext = {
|
|
99
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
100
|
+
"role"?: String,
|
|
101
|
+
"privilege_scope"?: Set<String>,
|
|
99
102
|
// Core metadata (required)
|
|
100
103
|
"request_id": String,
|
|
101
104
|
"timestamp": Long,
|
|
@@ -235,6 +238,9 @@ namespace Guardrails {
|
|
|
235
238
|
|
|
236
239
|
/// Context for call_tool action (agentic tool execution)
|
|
237
240
|
type CallToolContext = {
|
|
241
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
242
|
+
"role"?: String,
|
|
243
|
+
"privilege_scope"?: Set<String>,
|
|
238
244
|
// Core metadata (required)
|
|
239
245
|
"request_id": String,
|
|
240
246
|
"timestamp": Long,
|
|
@@ -338,6 +344,9 @@ namespace Guardrails {
|
|
|
338
344
|
"mcp_risk_type"?: String, // "inline_execution" | "suspicious_url" | "cross_origin"
|
|
339
345
|
"mcp_risk_score"?: Long, // 0-100
|
|
340
346
|
|
|
347
|
+
// Tool Operation Classifier (optional) — populated by AST-based classifiers (bash, python, etc.)
|
|
348
|
+
"tool_operation_classes"?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
349
|
+
|
|
341
350
|
// Agentic - Multi-Turn Context (optional)
|
|
342
351
|
"conversation_turn"?: Long,
|
|
343
352
|
"multi_turn_detection"?: Bool,
|
|
@@ -368,6 +377,9 @@ namespace Guardrails {
|
|
|
368
377
|
|
|
369
378
|
/// Context for read_file action
|
|
370
379
|
type FileReadContext = {
|
|
380
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
381
|
+
"role"?: String,
|
|
382
|
+
"privilege_scope"?: Set<String>,
|
|
371
383
|
// Core metadata (required)
|
|
372
384
|
"request_id": String,
|
|
373
385
|
"timestamp": Long,
|
|
@@ -428,6 +440,9 @@ namespace Guardrails {
|
|
|
428
440
|
|
|
429
441
|
/// Context for write_file action
|
|
430
442
|
type FileWriteContext = {
|
|
443
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
444
|
+
"role"?: String,
|
|
445
|
+
"privilege_scope"?: Set<String>,
|
|
431
446
|
// Core metadata (required)
|
|
432
447
|
"request_id": String,
|
|
433
448
|
"timestamp": Long,
|
|
@@ -492,6 +507,9 @@ namespace Guardrails {
|
|
|
492
507
|
|
|
493
508
|
/// Context for connect_server action (MCP server connections)
|
|
494
509
|
type ConnectServerContext = {
|
|
510
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
511
|
+
"role"?: String,
|
|
512
|
+
"privilege_scope"?: Set<String>,
|
|
495
513
|
// Core metadata (required)
|
|
496
514
|
"request_id": String,
|
|
497
515
|
"timestamp": Long,
|
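Review bot: `tool_operation_classes` in `CallToolContext` holds every class observed in the call, and the comment lists the values but not how to test them safely. A permit conditioned on `context.tool_operation_classes.contains("readonly")` also matches a call whose set is `{"readonly", "execute_enabling"}`, and because the attribute is optional, a call the classifier never processed presumably carries no attribute at all rather than `"unknown"`. The comment should say that allow rules need the attribute present and every member inside the allowed set, e.g. `context has tool_operation_classes && ["readonly"].containsAll(context.tool_operation_classes)`, and that `"unknown"` or a missing attribute means unclassified. The ai_gateway and overwatch `call_tool` contexts add the same attribute with the same gap.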
|
@@ -7,6 +7,18 @@
|
|
|
7
7
|
"name": "process_prompt",
|
|
8
8
|
"description": "User submits a prompt or receives AI response",
|
|
9
9
|
"context_attributes": [
|
|
10
|
+
{
|
|
11
|
+
"key": "role",
|
|
12
|
+
"type": "string",
|
|
13
|
+
"required": false,
|
|
14
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"key": "privilege_scope",
|
|
18
|
+
"type": "array",
|
|
19
|
+
"required": false,
|
|
20
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
21
|
+
},
|
|
10
22
|
{
|
|
11
23
|
"key": "content",
|
|
12
24
|
"type": "string",
|
|
@@ -301,6 +313,18 @@
|
|
|
301
313
|
"name": "call_tool",
|
|
302
314
|
"description": "User calls a tool (native IDE tool or MCP tool)",
|
|
303
315
|
"context_attributes": [
|
|
316
|
+
{
|
|
317
|
+
"key": "role",
|
|
318
|
+
"type": "string",
|
|
319
|
+
"required": false,
|
|
320
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
321
|
+
},
|
|
322
|
+
{
|
|
323
|
+
"key": "privilege_scope",
|
|
324
|
+
"type": "array",
|
|
325
|
+
"required": false,
|
|
326
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
327
|
+
},
|
|
304
328
|
{
|
|
305
329
|
"key": "content",
|
|
306
330
|
"type": "string",
|
|
@@ -619,6 +643,12 @@
|
|
|
619
643
|
"required": false,
|
|
620
644
|
"description": "Whether the MCP server is from a verified registry"
|
|
621
645
|
},
|
|
646
|
+
{
|
|
647
|
+
"key": "tool_operation_classes",
|
|
648
|
+
"type": "array",
|
|
649
|
+
"required": false,
|
|
650
|
+
"description": "All operation classes observed in the tool call. Subset of: 'readonly', 'write_enabling', 'execute_enabling', 'network_access', 'unknown'. 'unknown' appears when any unrecognized or variable-expanded command was seen."
|
|
651
|
+
},
|
|
622
652
|
{
|
|
623
653
|
"key": "session_pii_detected",
|
|
624
654
|
"type": "boolean",
|
|
@@ -703,6 +733,18 @@
|
|
|
703
733
|
"name": "connect_server",
|
|
704
734
|
"description": "Connect to an MCP server",
|
|
705
735
|
"context_attributes": [
|
|
736
|
+
{
|
|
737
|
+
"key": "role",
|
|
738
|
+
"type": "string",
|
|
739
|
+
"required": false,
|
|
740
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
741
|
+
},
|
|
742
|
+
{
|
|
743
|
+
"key": "privilege_scope",
|
|
744
|
+
"type": "array",
|
|
745
|
+
"required": false,
|
|
746
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
747
|
+
},
|
|
706
748
|
{
|
|
707
749
|
"key": "content",
|
|
708
750
|
"type": "string",
|
|
@@ -895,6 +937,18 @@
|
|
|
895
937
|
"name": "read_file",
|
|
896
938
|
"description": "Read a file from disk",
|
|
897
939
|
"context_attributes": [
|
|
940
|
+
{
|
|
941
|
+
"key": "role",
|
|
942
|
+
"type": "string",
|
|
943
|
+
"required": false,
|
|
944
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
945
|
+
},
|
|
946
|
+
{
|
|
947
|
+
"key": "privilege_scope",
|
|
948
|
+
"type": "array",
|
|
949
|
+
"required": false,
|
|
950
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
951
|
+
},
|
|
898
952
|
{
|
|
899
953
|
"key": "content",
|
|
900
954
|
"type": "string",
|
|
@@ -1087,6 +1141,18 @@
|
|
|
1087
1141
|
"name": "write_file",
|
|
1088
1142
|
"description": "Write a file to disk",
|
|
1089
1143
|
"context_attributes": [
|
|
1144
|
+
{
|
|
1145
|
+
"key": "role",
|
|
1146
|
+
"type": "string",
|
|
1147
|
+
"required": false,
|
|
1148
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
1149
|
+
},
|
|
1150
|
+
{
|
|
1151
|
+
"key": "privilege_scope",
|
|
1152
|
+
"type": "array",
|
|
1153
|
+
"required": false,
|
|
1154
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
1155
|
+
},
|
|
1090
1156
|
{
|
|
1091
1157
|
"key": "content",
|
|
1092
1158
|
"type": "string",
|
|
@@ -79,6 +79,9 @@ action process_prompt appliesTo {
|
|
|
79
79
|
principal: [User, Agent],
|
|
80
80
|
resource: [LlmPrompt],
|
|
81
81
|
context: {
|
|
82
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
83
|
+
role?: String,
|
|
84
|
+
privilege_scope?: Set<String>,
|
|
82
85
|
// --- Event & Source ---
|
|
83
86
|
content: String, // Raw content being scanned
|
|
84
87
|
source: String, // IDE source: "cursor", "claudecode", "github_copilot"
|
|
@@ -157,6 +160,9 @@ action call_tool appliesTo {
|
|
|
157
160
|
principal: [User, Agent],
|
|
158
161
|
resource: [Tool, FilePath],
|
|
159
162
|
context: {
|
|
163
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
164
|
+
role?: String,
|
|
165
|
+
privilege_scope?: Set<String>,
|
|
160
166
|
// --- Event & Source ---
|
|
161
167
|
content: String, // Raw content being scanned (e.g., shell command, tool args)
|
|
162
168
|
source: String, // IDE source
|
|
@@ -237,6 +243,9 @@ action call_tool appliesTo {
|
|
|
237
243
|
// --- MCP Trust ---
|
|
238
244
|
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
239
245
|
|
|
246
|
+
// --- Tool Operation Classifier ---
|
|
247
|
+
tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
248
|
+
|
|
240
249
|
// --- Session Detection History (cross-turn sticky flags) ---
|
|
241
250
|
session_pii_detected?: Bool,
|
|
242
251
|
session_pii_types?: Set<String>,
|
|
@@ -263,6 +272,9 @@ action connect_server appliesTo {
|
|
|
263
272
|
principal: [User, Agent],
|
|
264
273
|
resource: [Server],
|
|
265
274
|
context: {
|
|
275
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
276
|
+
role?: String,
|
|
277
|
+
privilege_scope?: Set<String>,
|
|
266
278
|
content?: String, // Server config content (if available)
|
|
267
279
|
source: String,
|
|
268
280
|
event: String,
|
|
@@ -310,6 +322,9 @@ action read_file appliesTo {
|
|
|
310
322
|
principal: [User, Agent],
|
|
311
323
|
resource: [FilePath],
|
|
312
324
|
context: {
|
|
325
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
326
|
+
role?: String,
|
|
327
|
+
privilege_scope?: Set<String>,
|
|
313
328
|
content: String,
|
|
314
329
|
source: String,
|
|
315
330
|
event: String,
|
|
@@ -361,6 +376,9 @@ action write_file appliesTo {
|
|
|
361
376
|
principal: [User, Agent],
|
|
362
377
|
resource: [FilePath],
|
|
363
378
|
context: {
|
|
379
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
380
|
+
role?: String,
|
|
381
|
+
privilege_scope?: Set<String>,
|
|
364
382
|
content: String,
|
|
365
383
|
source: String,
|
|
366
384
|
event: String,
|
|
@@ -7,6 +7,18 @@
|
|
|
7
7
|
"name": "process_prompt",
|
|
8
8
|
"description": "User sends a message (prompt) to an AI chat service via the browser",
|
|
9
9
|
"context_attributes": [
|
|
10
|
+
{
|
|
11
|
+
"key": "role",
|
|
12
|
+
"type": "string",
|
|
13
|
+
"required": false,
|
|
14
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
"key": "privilege_scope",
|
|
18
|
+
"type": "array",
|
|
19
|
+
"required": false,
|
|
20
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
21
|
+
},
|
|
10
22
|
{
|
|
11
23
|
"key": "content",
|
|
12
24
|
"type": "string",
|
|
@@ -331,6 +343,18 @@
|
|
|
331
343
|
"name": "receive_response",
|
|
332
344
|
"description": "AI service responds to the user — scan response content for harmful output",
|
|
333
345
|
"context_attributes": [
|
|
346
|
+
{
|
|
347
|
+
"key": "role",
|
|
348
|
+
"type": "string",
|
|
349
|
+
"required": false,
|
|
350
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
351
|
+
},
|
|
352
|
+
{
|
|
353
|
+
"key": "privilege_scope",
|
|
354
|
+
"type": "array",
|
|
355
|
+
"required": false,
|
|
356
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
357
|
+
},
|
|
334
358
|
{
|
|
335
359
|
"key": "content",
|
|
336
360
|
"type": "string",
|
|
@@ -565,6 +589,18 @@
|
|
|
565
589
|
"name": "paste_content",
|
|
566
590
|
"description": "User pastes content into an AI chat (clipboard, cross-tab, cross-app)",
|
|
567
591
|
"context_attributes": [
|
|
592
|
+
{
|
|
593
|
+
"key": "role",
|
|
594
|
+
"type": "string",
|
|
595
|
+
"required": false,
|
|
596
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
597
|
+
},
|
|
598
|
+
{
|
|
599
|
+
"key": "privilege_scope",
|
|
600
|
+
"type": "array",
|
|
601
|
+
"required": false,
|
|
602
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
603
|
+
},
|
|
568
604
|
{
|
|
569
605
|
"key": "content",
|
|
570
606
|
"type": "string",
|
|
@@ -853,6 +889,18 @@
|
|
|
853
889
|
"name": "upload_file",
|
|
854
890
|
"description": "User uploads a file or document into an AI chat service",
|
|
855
891
|
"context_attributes": [
|
|
892
|
+
{
|
|
893
|
+
"key": "role",
|
|
894
|
+
"type": "string",
|
|
895
|
+
"required": false,
|
|
896
|
+
"description": "Caller's RBAC role projected from the principal's token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim."
|
|
897
|
+
},
|
|
898
|
+
{
|
|
899
|
+
"key": "privilege_scope",
|
|
900
|
+
"type": "array",
|
|
901
|
+
"required": false,
|
|
902
|
+
"description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim."
|
|
903
|
+
},
|
|
856
904
|
{
|
|
857
905
|
"key": "content",
|
|
858
906
|
"type": "string",
|
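Review bot: The `role` and `privilege_scope` descriptions added to the four Sentry actions say the values are "projected from the principal's token" without saying which component does the projection or that the token is verified first. These actions are described as browser-side events, so if any part of the context is assembled by the client, a caller-supplied `role` or `privilege_scope` would be indistinguishable from a projected one during policy evaluation. Nothing in this diff shows where the projection runs, so this may already be handled; the descriptions should state that both keys are set server-side from a verified token and that incoming values under the same keys are discarded.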
|
@@ -78,6 +78,9 @@ action process_prompt appliesTo {
|
|
|
78
78
|
principal: [User],
|
|
79
79
|
resource: [ChatSession],
|
|
80
80
|
context: {
|
|
81
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
82
|
+
role?: String,
|
|
83
|
+
privilege_scope?: Set<String>,
|
|
81
84
|
// --- Core Metadata ---
|
|
82
85
|
content: String, // Raw message content being sent
|
|
83
86
|
source: String, // Browser extension identifier: "sentry"
|
|
@@ -165,6 +168,9 @@ action receive_response appliesTo {
|
|
|
165
168
|
principal: [User],
|
|
166
169
|
resource: [ChatSession],
|
|
167
170
|
context: {
|
|
171
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
172
|
+
role?: String,
|
|
173
|
+
privilege_scope?: Set<String>,
|
|
168
174
|
// --- Core Metadata ---
|
|
169
175
|
content: String, // AI response content
|
|
170
176
|
source: String,
|
|
@@ -231,6 +237,9 @@ action paste_content appliesTo {
|
|
|
231
237
|
principal: [User],
|
|
232
238
|
resource: [ChatSession, Document],
|
|
233
239
|
context: {
|
|
240
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
241
|
+
role?: String,
|
|
242
|
+
privilege_scope?: Set<String>,
|
|
234
243
|
// --- Core Metadata ---
|
|
235
244
|
content: String, // Pasted content
|
|
236
245
|
source: String,
|
|
@@ -308,6 +317,9 @@ action upload_file appliesTo {
|
|
|
308
317
|
principal: [User],
|
|
309
318
|
resource: [Document, ChatSession],
|
|
310
319
|
context: {
|
|
320
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
321
|
+
role?: String,
|
|
322
|
+
privilege_scope?: Set<String>,
|
|
311
323
|
// --- Core Metadata ---
|
|
312
324
|
content: String, // Extracted file text content (for scanning)
|
|
313
325
|
source: String,
|