@highflame/policy 2.1.40 → 2.1.42
- package/_schemas/ai_gateway/context.json +66 -0
- package/_schemas/ai_gateway/schema.cedarschema +18 -0
- package/_schemas/guardrails/context.json +66 -0
- package/_schemas/guardrails/schema.cedarschema +18 -0
- package/_schemas/overwatch/context.json +66 -0
- package/_schemas/overwatch/schema.cedarschema +18 -0
- package/_schemas/sentry/context.json +48 -0
- package/_schemas/sentry/schema.cedarschema +12 -0
- package/dist/aarm-annotation.d.ts +120 -0
- package/dist/aarm-annotation.js +494 -0
- package/dist/aarm-annotations.gen.js +1 -1
- package/dist/ai_gateway-context.gen.d.ts +3 -0
- package/dist/ai_gateway-context.gen.js +3 -0
- package/dist/guardrails-context.gen.d.ts +3 -0
- package/dist/guardrails-context.gen.js +3 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.js +3 -0
- package/dist/overwatch-context.gen.d.ts +3 -0
- package/dist/overwatch-context.gen.js +3 -0
- package/dist/sentry-context.gen.d.ts +2 -0
- package/dist/sentry-context.gen.js +2 -0
- package/dist/service-schemas.gen.d.ts +4 -4
- package/dist/service-schemas.gen.js +107 -0
- package/dist/types.d.ts +1 -0
- package/dist/types.js +3 -0
- package/package.json +1 -1
|
@@ -90,6 +90,9 @@ action call_tool appliesTo {
|
|
|
90
90
|
principal: [User, MCP_Client],
|
|
91
91
|
resource: [Tool],
|
|
92
92
|
context: {
|
|
93
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
94
|
+
role?: String,
|
|
95
|
+
privilege_scope?: Set<String>,
|
|
93
96
|
// --- Content ---
|
|
94
97
|
content: String, // Raw content being scanned
|
|
95
98
|
|
|
@@ -133,6 +136,9 @@ action call_tool appliesTo {
|
|
|
133
136
|
tool_is_sensitive?: Bool,
|
|
134
137
|
tool_is_builtin?: Bool,
|
|
135
138
|
|
|
139
|
+
// --- Tool Operation Classifier ---
|
|
140
|
+
tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
141
|
+
|
|
136
142
|
// --- MCP Trust ---
|
|
137
143
|
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
138
144
|
|
|
@@ -193,6 +199,9 @@ action connect_server appliesTo {
|
|
|
193
199
|
principal: [User, MCP_Client],
|
|
194
200
|
resource: [Server],
|
|
195
201
|
context: {
|
|
202
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
203
|
+
role?: String,
|
|
204
|
+
privilege_scope?: Set<String>,
|
|
196
205
|
content?: String, // Server config content (if available)
|
|
197
206
|
mcp_server?: String,
|
|
198
207
|
|
|
@@ -262,6 +271,9 @@ action process_prompt appliesTo {
|
|
|
262
271
|
principal: [User, MCP_Client],
|
|
263
272
|
resource: [LlmPrompt],
|
|
264
273
|
context: {
|
|
274
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
275
|
+
role?: String,
|
|
276
|
+
privilege_scope?: Set<String>,
|
|
265
277
|
content: String,
|
|
266
278
|
mcp_server?: String,
|
|
267
279
|
|
|
@@ -340,6 +352,9 @@ action read_file appliesTo {
|
|
|
340
352
|
principal: [User, MCP_Client],
|
|
341
353
|
resource: [FilePath],
|
|
342
354
|
context: {
|
|
355
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
356
|
+
role?: String,
|
|
357
|
+
privilege_scope?: Set<String>,
|
|
343
358
|
content: String,
|
|
344
359
|
mcp_server?: String,
|
|
345
360
|
|
|
@@ -398,6 +413,9 @@ action write_file appliesTo {
|
|
|
398
413
|
principal: [User, MCP_Client],
|
|
399
414
|
resource: [FilePath],
|
|
400
415
|
context: {
|
|
416
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
417
|
+
role?: String,
|
|
418
|
+
privilege_scope?: Set<String>,
|
|
401
419
|
content: String,
|
|
402
420
|
mcp_server?: String,
|
|
403
421
|
|
|
@@ -555,6 +573,9 @@ namespace Guardrails {
|
|
|
555
573
|
|
|
556
574
|
/// Context for process_prompt action (user prompts & AI responses)
|
|
557
575
|
type ProcessPromptContext = {
|
|
576
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
577
|
+
"role"?: String,
|
|
578
|
+
"privilege_scope"?: Set<String>,
|
|
558
579
|
// Core metadata (required)
|
|
559
580
|
"request_id": String,
|
|
560
581
|
"timestamp": Long,
|
|
@@ -694,6 +715,9 @@ namespace Guardrails {
|
|
|
694
715
|
|
|
695
716
|
/// Context for call_tool action (agentic tool execution)
|
|
696
717
|
type CallToolContext = {
|
|
718
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
719
|
+
"role"?: String,
|
|
720
|
+
"privilege_scope"?: Set<String>,
|
|
697
721
|
// Core metadata (required)
|
|
698
722
|
"request_id": String,
|
|
699
723
|
"timestamp": Long,
|
|
@@ -797,6 +821,9 @@ namespace Guardrails {
|
|
|
797
821
|
"mcp_risk_type"?: String, // "inline_execution" | "suspicious_url" | "cross_origin"
|
|
798
822
|
"mcp_risk_score"?: Long, // 0-100
|
|
799
823
|
|
|
824
|
+
// Tool Operation Classifier (optional) — populated by AST-based classifiers (bash, python, etc.)
|
|
825
|
+
"tool_operation_classes"?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
826
|
+
|
|
800
827
|
// Agentic - Multi-Turn Context (optional)
|
|
801
828
|
"conversation_turn"?: Long,
|
|
802
829
|
"multi_turn_detection"?: Bool,
|
|
@@ -827,6 +854,9 @@ namespace Guardrails {
|
|
|
827
854
|
|
|
828
855
|
/// Context for read_file action
|
|
829
856
|
type FileReadContext = {
|
|
857
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
858
|
+
"role"?: String,
|
|
859
|
+
"privilege_scope"?: Set<String>,
|
|
830
860
|
// Core metadata (required)
|
|
831
861
|
"request_id": String,
|
|
832
862
|
"timestamp": Long,
|
|
@@ -887,6 +917,9 @@ namespace Guardrails {
|
|
|
887
917
|
|
|
888
918
|
/// Context for write_file action
|
|
889
919
|
type FileWriteContext = {
|
|
920
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
921
|
+
"role"?: String,
|
|
922
|
+
"privilege_scope"?: Set<String>,
|
|
890
923
|
// Core metadata (required)
|
|
891
924
|
"request_id": String,
|
|
892
925
|
"timestamp": Long,
|
|
@@ -951,6 +984,9 @@ namespace Guardrails {
|
|
|
951
984
|
|
|
952
985
|
/// Context for connect_server action (MCP server connections)
|
|
953
986
|
type ConnectServerContext = {
|
|
987
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
988
|
+
"role"?: String,
|
|
989
|
+
"privilege_scope"?: Set<String>,
|
|
954
990
|
// Core metadata (required)
|
|
955
991
|
"request_id": String,
|
|
956
992
|
"timestamp": Long,
|
|
@@ -1100,6 +1136,9 @@ action process_prompt appliesTo {
|
|
|
1100
1136
|
principal: [User, Agent],
|
|
1101
1137
|
resource: [LlmPrompt],
|
|
1102
1138
|
context: {
|
|
1139
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1140
|
+
role?: String,
|
|
1141
|
+
privilege_scope?: Set<String>,
|
|
1103
1142
|
// --- Event & Source ---
|
|
1104
1143
|
content: String, // Raw content being scanned
|
|
1105
1144
|
source: String, // IDE source: "cursor", "claudecode", "github_copilot"
|
|
@@ -1178,6 +1217,9 @@ action call_tool appliesTo {
|
|
|
1178
1217
|
principal: [User, Agent],
|
|
1179
1218
|
resource: [Tool, FilePath],
|
|
1180
1219
|
context: {
|
|
1220
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1221
|
+
role?: String,
|
|
1222
|
+
privilege_scope?: Set<String>,
|
|
1181
1223
|
// --- Event & Source ---
|
|
1182
1224
|
content: String, // Raw content being scanned (e.g., shell command, tool args)
|
|
1183
1225
|
source: String, // IDE source
|
|
@@ -1258,6 +1300,9 @@ action call_tool appliesTo {
|
|
|
1258
1300
|
// --- MCP Trust ---
|
|
1259
1301
|
mcp_server_verified?: Bool, // Whether server is from verified registry
|
|
1260
1302
|
|
|
1303
|
+
// --- Tool Operation Classifier ---
|
|
1304
|
+
tool_operation_classes?: Set<String>, // subset of {"readonly", "write_enabling", "execute_enabling", "network_access", "unknown"}
|
|
1305
|
+
|
|
1261
1306
|
// --- Session Detection History (cross-turn sticky flags) ---
|
|
1262
1307
|
session_pii_detected?: Bool,
|
|
1263
1308
|
session_pii_types?: Set<String>,
|
|
@@ -1284,6 +1329,9 @@ action connect_server appliesTo {
|
|
|
1284
1329
|
principal: [User, Agent],
|
|
1285
1330
|
resource: [Server],
|
|
1286
1331
|
context: {
|
|
1332
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1333
|
+
role?: String,
|
|
1334
|
+
privilege_scope?: Set<String>,
|
|
1287
1335
|
content?: String, // Server config content (if available)
|
|
1288
1336
|
source: String,
|
|
1289
1337
|
event: String,
|
|
@@ -1331,6 +1379,9 @@ action read_file appliesTo {
|
|
|
1331
1379
|
principal: [User, Agent],
|
|
1332
1380
|
resource: [FilePath],
|
|
1333
1381
|
context: {
|
|
1382
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1383
|
+
role?: String,
|
|
1384
|
+
privilege_scope?: Set<String>,
|
|
1334
1385
|
content: String,
|
|
1335
1386
|
source: String,
|
|
1336
1387
|
event: String,
|
|
@@ -1382,6 +1433,9 @@ action write_file appliesTo {
|
|
|
1382
1433
|
principal: [User, Agent],
|
|
1383
1434
|
resource: [FilePath],
|
|
1384
1435
|
context: {
|
|
1436
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1437
|
+
role?: String,
|
|
1438
|
+
privilege_scope?: Set<String>,
|
|
1385
1439
|
content: String,
|
|
1386
1440
|
source: String,
|
|
1387
1441
|
event: String,
|
|
@@ -1688,6 +1742,9 @@ action process_prompt appliesTo {
|
|
|
1688
1742
|
principal: [User],
|
|
1689
1743
|
resource: [ChatSession],
|
|
1690
1744
|
context: {
|
|
1745
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1746
|
+
role?: String,
|
|
1747
|
+
privilege_scope?: Set<String>,
|
|
1691
1748
|
// --- Core Metadata ---
|
|
1692
1749
|
content: String, // Raw message content being sent
|
|
1693
1750
|
source: String, // Browser extension identifier: "sentry"
|
|
@@ -1775,6 +1832,9 @@ action receive_response appliesTo {
|
|
|
1775
1832
|
principal: [User],
|
|
1776
1833
|
resource: [ChatSession],
|
|
1777
1834
|
context: {
|
|
1835
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1836
|
+
role?: String,
|
|
1837
|
+
privilege_scope?: Set<String>,
|
|
1778
1838
|
// --- Core Metadata ---
|
|
1779
1839
|
content: String, // AI response content
|
|
1780
1840
|
source: String,
|
|
@@ -1841,6 +1901,9 @@ action paste_content appliesTo {
|
|
|
1841
1901
|
principal: [User],
|
|
1842
1902
|
resource: [ChatSession, Document],
|
|
1843
1903
|
context: {
|
|
1904
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1905
|
+
role?: String,
|
|
1906
|
+
privilege_scope?: Set<String>,
|
|
1844
1907
|
// --- Core Metadata ---
|
|
1845
1908
|
content: String, // Pasted content
|
|
1846
1909
|
source: String,
|
|
@@ -1918,6 +1981,9 @@ action upload_file appliesTo {
|
|
|
1918
1981
|
principal: [User],
|
|
1919
1982
|
resource: [Document, ChatSession],
|
|
1920
1983
|
context: {
|
|
1984
|
+
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1985
|
+
role?: String,
|
|
1986
|
+
privilege_scope?: Set<String>,
|
|
1921
1987
|
// --- Core Metadata ---
|
|
1922
1988
|
content: String, // Extracted file text content (for scanning)
|
|
1923
1989
|
source: String,
|
|
@@ -2009,6 +2075,8 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2009
2075
|
"name": "call_tool",
|
|
2010
2076
|
"description": "Call an MCP tool — threat focus: command injection, tool poisoning, rug pull, secrets, PII",
|
|
2011
2077
|
"context_attributes": [
|
|
2078
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2079
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2012
2080
|
{ "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
|
|
2013
2081
|
{ "key": "tool_name", "type": "string", "required": false, "description": "Tool name" },
|
|
2014
2082
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
|
|
@@ -2036,6 +2104,7 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2036
2104
|
{ "key": "tool_category", "type": "string", "required": false, "description": "Tool category: safe/sensitive/dangerous" },
|
|
2037
2105
|
{ "key": "tool_is_sensitive", "type": "boolean", "required": false, "description": "Tool sensitivity flag" },
|
|
2038
2106
|
{ "key": "tool_is_builtin", "type": "boolean", "required": false, "description": "Built-in tool flag" },
|
|
2107
|
+
{ "key": "tool_operation_classes", "type": "array", "required": false, "description": "All operation classes observed in the tool call. Subset of: \'readonly\', \'write_enabling\', \'execute_enabling\', \'network_access\', \'unknown\'. \'unknown\' appears when any unrecognized or variable-expanded command was seen." },
|
|
2039
2108
|
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether server is from verified registry" },
|
|
2040
2109
|
{ "key": "violence_score", "type": "number", "required": false, "description": "Violence content score (0-100)" },
|
|
2041
2110
|
{ "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content score (0-100)" },
|
|
@@ -2069,6 +2138,8 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2069
2138
|
"name": "connect_server",
|
|
2070
2139
|
"description": "Connect to an MCP server — threat focus: supply chain, tool poisoning, config risk",
|
|
2071
2140
|
"context_attributes": [
|
|
2141
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2142
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2072
2143
|
{ "key": "content", "type": "string", "required": false, "description": "Server config content" },
|
|
2073
2144
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
|
|
2074
2145
|
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
|
|
@@ -2109,6 +2180,8 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2109
2180
|
"name": "process_prompt",
|
|
2110
2181
|
"description": "Process a prompt (MCP or LLM chat completion) — threat focus: injection, jailbreak, secrets, PII, content safety",
|
|
2111
2182
|
"context_attributes": [
|
|
2183
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2184
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2112
2185
|
{ "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
|
|
2113
2186
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
|
|
2114
2187
|
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
|
|
@@ -2154,6 +2227,8 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2154
2227
|
"name": "read_file",
|
|
2155
2228
|
"description": "Read an MCP resource — threat focus: secrets exposure, PII exposure",
|
|
2156
2229
|
"context_attributes": [
|
|
2230
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2231
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2157
2232
|
{ "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
|
|
2158
2233
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
|
|
2159
2234
|
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
|
|
@@ -2187,6 +2262,8 @@ export const AI_GATEWAY_CONTEXT = {
|
|
|
2187
2262
|
"name": "write_file",
|
|
2188
2263
|
"description": "Write an MCP resource — threat focus: secrets in output, PII in output",
|
|
2189
2264
|
"context_attributes": [
|
|
2265
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2266
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2190
2267
|
{ "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
|
|
2191
2268
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
|
|
2192
2269
|
{ "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
|
|
@@ -2230,6 +2307,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2230
2307
|
"name": "process_prompt",
|
|
2231
2308
|
"description": "Analyze user prompts and AI responses for security threats, PII, and content violations",
|
|
2232
2309
|
"context_attributes": [
|
|
2310
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2311
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2233
2312
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request, useful for audit trails and debugging" },
|
|
2234
2313
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds when the request was processed" },
|
|
2235
2314
|
{ "key": "direction", "type": "string", "required": true, "description": "Content flow direction: \'input\' for user prompts, \'output\' for AI responses. Use this to apply different policies to inputs vs outputs (e.g., block PII only in outputs)" },
|
|
@@ -2321,6 +2400,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2321
2400
|
"name": "call_tool",
|
|
2322
2401
|
"description": "Execute agentic tool calls, including shell commands, file operations, and MCP tools",
|
|
2323
2402
|
"context_attributes": [
|
|
2403
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2404
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2324
2405
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2325
2406
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2326
2407
|
{ "key": "tool_name", "type": "string", "required": false, "description": "Name of the tool being called (e.g., \'shell\', \'write_file\', \'http_post\'). Use this to block specific dangerous tools" },
|
|
@@ -2368,6 +2449,7 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2368
2449
|
{ "key": "mcp_config_risk", "type": "boolean", "required": false, "description": "Whether MCP configuration risk was detected (inline code execution, suspicious URLs, cross-origin issues)" },
|
|
2369
2450
|
{ "key": "mcp_risk_type", "type": "string", "required": false, "description": "Type of MCP risk: \'inline_execution\', \'suspicious_url\', or \'cross_origin\'" },
|
|
2370
2451
|
{ "key": "mcp_risk_score", "type": "number", "required": false, "description": "Risk score for MCP configuration issues (0-100). Typical threshold: >=70 for blocks" },
|
|
2452
|
+
{ "key": "tool_operation_classes", "type": "array", "required": false, "description": "All operation classes observed in the tool call. Subset of: \'readonly\', \'write_enabling\', \'execute_enabling\', \'network_access\', \'unknown\'. \'unknown\' appears when any unrecognized or variable-expanded command was seen." },
|
|
2371
2453
|
{ "key": "cross_origin_detected", "type": "boolean", "required": false, "description": "Whether cross-origin escalation patterns were detected in tool calls crossing trust boundaries" },
|
|
2372
2454
|
{ "key": "cross_origin_type", "type": "string", "required": false, "description": "Type of cross-origin escalation detected in tool call" },
|
|
2373
2455
|
{ "key": "cross_origin_score", "type": "number", "required": false, "description": "Risk score for cross-origin escalation in tool calls (0-100)" },
|
|
@@ -2407,6 +2489,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2407
2489
|
"name": "read_file",
|
|
2408
2490
|
"description": "Read file operations for analyzing file content before allowing access",
|
|
2409
2491
|
"context_attributes": [
|
|
2492
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2493
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2410
2494
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2411
2495
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2412
2496
|
{ "key": "path", "type": "string", "required": false, "description": "File path being read. Use for path-based access control policies (e.g., block .env files, system directories, credential directories)" },
|
|
@@ -2442,6 +2526,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2442
2526
|
"name": "write_file",
|
|
2443
2527
|
"description": "Write file operations for preventing writes of sensitive content",
|
|
2444
2528
|
"context_attributes": [
|
|
2529
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2530
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2445
2531
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2446
2532
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2447
2533
|
{ "key": "path", "type": "string", "required": false, "description": "File path being written. Use for path-based blocking policies (e.g., block writes to .env files, credential directories)" },
|
|
@@ -2479,6 +2565,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2479
2565
|
"name": "connect_server",
|
|
2480
2566
|
"description": "Connect to an MCP server, used to control which MCP servers are allowed",
|
|
2481
2567
|
"context_attributes": [
|
|
2568
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2569
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2482
2570
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2483
2571
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2484
2572
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "Name of the MCP server being connected to (e.g., \'github\', \'filesystem\', \'slack\'). Use this to allow or block specific MCP servers" },
|
|
@@ -2526,6 +2614,8 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2526
2614
|
"name": "process_prompt",
|
|
2527
2615
|
"description": "User submits a prompt or receives AI response",
|
|
2528
2616
|
"context_attributes": [
|
|
2617
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2618
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2529
2619
|
{ "key": "content", "type": "string", "required": true, "description": "Raw content being scanned (prompt, command, etc.)" },
|
|
2530
2620
|
{ "key": "source", "type": "string", "required": true, "description": "IDE source: cursor, claudecode, github_copilot" },
|
|
2531
2621
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name (e.g., beforeSubmitPrompt, UserPromptSubmit)" },
|
|
@@ -2580,6 +2670,8 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2580
2670
|
"name": "call_tool",
|
|
2581
2671
|
"description": "User calls a tool (native IDE tool or MCP tool)",
|
|
2582
2672
|
"context_attributes": [
|
|
2673
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2674
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2583
2675
|
{ "key": "content", "type": "string", "required": true, "description": "Raw content being scanned (e.g., shell command, tool arguments)" },
|
|
2584
2676
|
{ "key": "source", "type": "string", "required": true, "description": "IDE source: cursor, claudecode, github_copilot" },
|
|
2585
2677
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name (e.g., beforeShellExecution, PreToolUse)" },
|
|
@@ -2633,6 +2725,7 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2633
2725
|
{ "key": "pattern_type", "type": "string", "required": false, "description": "Type of suspicious pattern: data_exfiltration, secret_exfiltration, credential_theft, destructive_sequence" },
|
|
2634
2726
|
{ "key": "sequence_risk", "type": "number", "required": false, "description": "Behavioral sequence risk score (0-100)" },
|
|
2635
2727
|
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether the MCP server is from a verified registry" },
|
|
2728
|
+
{ "key": "tool_operation_classes", "type": "array", "required": false, "description": "All operation classes observed in the tool call. Subset of: \'readonly\', \'write_enabling\', \'execute_enabling\', \'network_access\', \'unknown\'. \'unknown\' appears when any unrecognized or variable-expanded command was seen." },
|
|
2636
2729
|
{ "key": "session_pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in any previous turn of the session" },
|
|
2637
2730
|
{ "key": "session_pii_types", "type": "array", "required": false, "description": "PII types detected across the session (accumulated)" },
|
|
2638
2731
|
{ "key": "session_secrets_detected", "type": "boolean", "required": false, "description": "Whether secrets were detected in any previous turn of the session" },
|
|
@@ -2652,6 +2745,8 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2652
2745
|
"name": "connect_server",
|
|
2653
2746
|
"description": "Connect to an MCP server",
|
|
2654
2747
|
"context_attributes": [
|
|
2748
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2749
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2655
2750
|
{ "key": "content", "type": "string", "required": false, "description": "Server configuration content (if available)" },
|
|
2656
2751
|
{ "key": "source", "type": "string", "required": true, "description": "IDE source: cursor, claudecode, github_copilot" },
|
|
2657
2752
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name" },
|
|
@@ -2689,6 +2784,8 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2689
2784
|
"name": "read_file",
|
|
2690
2785
|
"description": "Read a file from disk",
|
|
2691
2786
|
"context_attributes": [
|
|
2787
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2788
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2692
2789
|
{ "key": "content", "type": "string", "required": true, "description": "File content or operation details" },
|
|
2693
2790
|
{ "key": "source", "type": "string", "required": true, "description": "IDE source: cursor, claudecode, github_copilot" },
|
|
2694
2791
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name (e.g., beforeReadFile)" },
|
|
@@ -2726,6 +2823,8 @@ export const OVERWATCH_CONTEXT = {
|
|
|
2726
2823
|
"name": "write_file",
|
|
2727
2824
|
"description": "Write a file to disk",
|
|
2728
2825
|
"context_attributes": [
|
|
2826
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2827
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2729
2828
|
{ "key": "content", "type": "string", "required": true, "description": "File content being written" },
|
|
2730
2829
|
{ "key": "source", "type": "string", "required": true, "description": "IDE source: cursor, claudecode, github_copilot" },
|
|
2731
2830
|
{ "key": "event", "type": "string", "required": true, "description": "Hook event name" },
|
|
@@ -2872,6 +2971,8 @@ export const SENTRY_CONTEXT = {
|
|
|
2872
2971
|
"name": "process_prompt",
|
|
2873
2972
|
"description": "User sends a message (prompt) to an AI chat service via the browser",
|
|
2874
2973
|
"context_attributes": [
|
|
2974
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2975
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2875
2976
|
{ "key": "content", "type": "string", "required": true, "description": "Raw message content being sent to the AI service" },
|
|
2876
2977
|
{ "key": "source", "type": "string", "required": true, "description": "Browser extension identifier (always \'sentry\')" },
|
|
2877
2978
|
{ "key": "event", "type": "string", "required": true, "description": "Event type (always \'process_prompt\')" },
|
|
@@ -2931,6 +3032,8 @@ export const SENTRY_CONTEXT = {
|
|
|
2931
3032
|
"name": "receive_response",
|
|
2932
3033
|
"description": "AI service responds to the user — scan response content for harmful output",
|
|
2933
3034
|
"context_attributes": [
|
|
3035
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
3036
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2934
3037
|
{ "key": "content", "type": "string", "required": true, "description": "AI response content" },
|
|
2935
3038
|
{ "key": "source", "type": "string", "required": true, "description": "Browser extension identifier" },
|
|
2936
3039
|
{ "key": "event", "type": "string", "required": true, "description": "Event type (always \'receive_response\')" },
|
|
@@ -2975,6 +3078,8 @@ export const SENTRY_CONTEXT = {
|
|
|
2975
3078
|
"name": "paste_content",
|
|
2976
3079
|
"description": "User pastes content into an AI chat (clipboard, cross-tab, cross-app)",
|
|
2977
3080
|
"context_attributes": [
|
|
3081
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
3082
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2978
3083
|
{ "key": "content", "type": "string", "required": true, "description": "Pasted content" },
|
|
2979
3084
|
{ "key": "source", "type": "string", "required": true, "description": "Browser extension identifier" },
|
|
2980
3085
|
{ "key": "event", "type": "string", "required": true, "description": "Event type (always \'paste_content\')" },
|
|
@@ -3028,6 +3133,8 @@ export const SENTRY_CONTEXT = {
|
|
|
3028
3133
|
"name": "upload_file",
|
|
3029
3134
|
"description": "User uploads a file or document into an AI chat service",
|
|
3030
3135
|
"context_attributes": [
|
|
3136
|
+
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
3137
|
+
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
3031
3138
|
{ "key": "content", "type": "string", "required": true, "description": "Extracted file text content (for scanning)" },
|
|
3032
3139
|
{ "key": "source", "type": "string", "required": true, "description": "Browser extension identifier" },
|
|
3033
3140
|
{ "key": "event", "type": "string", "required": true, "description": "Event type (always \'upload_file\')" },
|
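--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -4,6 +4,7 @@ export * from './context.gen.js';
 export * from './schema.gen.js';
 export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
+export * from './aarm-annotation.js';
 export * from './builder.js';
 export * from './errors.js';
 export * from './annotations.js';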
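--- a/package/dist/types.js
+++ b/package/dist/types.js
@@ -15,6 +15,9 @@ export * from './decision-effects.gen.js';
 // AARM-aware annotation registry (browser-safe — Studio uses this
 // for Monaco autocomplete + lint of @step_up_required / @defer_* keys).
 export * from './aarm-annotations.gen.js';
+// AARM annotation parser/validator (browser-safe — typed parse + fail-closed
+// validation; Studio lints with the exact rules Shield runs at sync time).
+export * from './aarm-annotation.js';
 // PolicyBuilder - works in browser (no WASM dependency)
 export * from './builder.js';
 // Error types - works in browser (no WASM dependency)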
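Review bot: The new comment above `export * from './aarm-annotation.js';` promises that Studio lints with "the exact rules Shield runs at sync time", which only holds while both sides load the same version of this package; nothing in this section pins that. A Studio build on an older release could pass annotations that Shield then rejects (or the reverse), and a reader could take a clean browser lint as the enforcement result. I would reword the comment to state the boundary, e.g. `// Browser lint is advisory; Shield's sync-time validation is authoritative and may differ across package versions.` The hunk shows only the re-export, so how the validator fails closed is not reviewable here.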