@highflame/policy 2.1.44 → 2.1.45

package/_schemas/guardrails/schema.cedarschema

@@ -252,6 +252,33 @@ namespace Guardrails {
         "tool_category"?: String,        // "safe" | "sensitive" | "dangerous"
         "tool_is_builtin"?: Bool,
 
+        // AARM R3 (CAP-ENF-007) — Action Parameter Validation.
+        // Structured tool-call arguments, projected and type-coerced by Shield so
+        // policies can validate them by type / range / pattern / allowlist /
+        // blocklist — e.g.
+        //   forbid ... when { context.action_params has amount &&
+        //                     context.action_params.amount > 10000 };
+        // Only well-known, safety-relevant argument names are projected; each value
+        // is coerced to its declared type. An argument that is present but NOT
+        // coercible to its declared type is dropped (so policies never read a
+        // wrong-typed value) and its name is recorded in `param_type_violations`.
+        "action_params"?: {
+            "amount"?: Long,        // numeric — range limits (e.g. transfer / spend amount)
+            "count"?: Long,         // numeric — range limits (e.g. batch size, fan-out)
+            "command"?: String,     // string  — allowlist / blocklist / pattern (e.g. shell command)
+            "path"?: String,        // string  — pattern (e.g. filesystem path)
+            "url"?: String,         // string  — pattern / allowlist (e.g. egress host)
+            "recipient"?: String,   // string  — allowlist / pattern (e.g. payout / email target)
+            "target"?: String,      // string  — allowlist (e.g. resource / table name)
+            "query"?: String,       // string  — pattern (e.g. SQL / search query)
+        },
+        // True when any projected argument was present but failed type coercion
+        // (e.g. a non-numeric `amount`). Lets a policy deny on a type violation
+        // instead of the wrong-typed value silently vanishing.
+        "param_type_violation"?: Bool,
+        // Names of the arguments that were present but failed type coercion.
+        "param_type_violations"?: Set<String>,
+
         // MCP context (optional — only present for MCP tool calls)
         "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
         "mcp_tool"?: String,             // MCP tool name within the server

package/_schemas/guardrails/templates/param_validation.cedar

@@ -0,0 +1,119 @@
+// =============================================================================
+// Action Parameter Validation  (AARM R3 / CAP-ENF-007)
+// =============================================================================
+// Validates the structured arguments of a tool call. Shield projects well-known,
+// safety-relevant tool-call arguments into `context.action_params` (each value
+// coerced to its declared type), so policies can enforce parameter constraints by
+//   - type:       deny when an argument failed type coercion (param_type_violation)
+//   - range:      numeric bounds on a parameter (e.g. amount, count)
+//   - pattern:    Cedar `like` glob on a string parameter (e.g. path, url)
+//   - allowlist:  permit only an approved set of values
+//   - blocklist:  deny a set of dangerous values
+//
+// These are EXAMPLES — customize the thresholds, patterns, and allow/block lists
+// for your tenant. Not auto-deployed.
+//
+// Context keys consumed:
+//   - action_params:        { amount, count, command, path, url, recipient, target, query }
+//   - param_type_violation: Bool
+//
+// Category:  agent-security
+// Namespace: Guardrails
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// type — deny when any projected argument failed type coercion
+// ---------------------------------------------------------------------------
+@id("agent-security.param-type-violation")
+@name("Deny tool calls with mistyped parameters")
+@description("Denies call_tool when any projected argument was present but failed type coercion (e.g. a non-numeric amount).")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:type,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has param_type_violation && context.param_type_violation
+};
+
+// ---------------------------------------------------------------------------
+// range — numeric bound on a parameter
+// ---------------------------------------------------------------------------
+@id("agent-security.param-amount-range")
+@name("Deny tool calls exceeding the amount limit")
+@description("Range check: denies call_tool when action_params.amount exceeds 10000.")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:range,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has amount &&
+    context.action_params.amount > 10000
+};
+
+// ---------------------------------------------------------------------------
+// blocklist — deny a set of dangerous command values
+// ---------------------------------------------------------------------------
+@id("agent-security.param-command-blocklist")
+@name("Block dangerous shell commands by parameter")
+@description("Blocklist check: denies call_tool when action_params.command is a destructive command.")
+@severity("critical")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:blocklist,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has command &&
+    (
+        context.action_params.command like "*rm -rf*" ||
+        context.action_params.command like "*shutdown*" ||
+        context.action_params.command like "*mkfs*"
+    )
+};
+
+// ---------------------------------------------------------------------------
+// pattern — Cedar `like` glob on a string parameter
+// ---------------------------------------------------------------------------
+@id("agent-security.param-path-pattern")
+@name("Restrict file paths by pattern")
+@description("Pattern check: denies call_tool when action_params.path is outside the /workspace/ tree.")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:pattern,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has path &&
+    !(context.action_params.path like "/workspace/*")
+};
+
+// ---------------------------------------------------------------------------
+// allowlist — permit only an approved set of recipient values
+// ---------------------------------------------------------------------------
+@id("agent-security.param-recipient-allowlist")
+@name("Allow payouts only to approved recipients")
+@description("Allowlist check: denies call_tool when action_params.recipient is not in the approved set.")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:allowlist,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has recipient &&
+    !(["treasury@example.com", "payroll@example.com"].contains(context.action_params.recipient))
+};

package/_schemas/guardrails/templates/templates.json

@@ -354,6 +354,15 @@
       "file": "profiles/advanced_detection/threat_severity.cedar",
       "severity": "critical",
       "tags": ["category:security", "detection:aggregate", "posture:catch-all"]
+    },
+    {
+      "id": "agent-security.param-validation",
+      "name": "Action Parameter Validation",
+      "description": "Validate tool-call arguments by type, range, pattern, and allowlist/blocklist. Customize the thresholds and lists for your tenant.",
+      "category": "agent-security",
+      "file": "param_validation.cedar",
+      "severity": "high",
+      "tags": ["category:agent-security", "surface:call-tool", "aarm:r3", "posture:deny-default"]
     }
   ]
 }

package/dist/guardrails-defaults.gen.js

@@ -2718,6 +2718,126 @@ when {
     context has highest_severity && context.highest_severity == "critical"
 };
 `;
+const GUARDRAILS_AGENT_SECURITY_PARAM_VALIDATION_CEDAR = `// =============================================================================
+// Action Parameter Validation  (AARM R3 / CAP-ENF-007)
+// =============================================================================
+// Validates the structured arguments of a tool call. Shield projects well-known,
+// safety-relevant tool-call arguments into \`context.action_params\` (each value
+// coerced to its declared type), so policies can enforce parameter constraints by
+//   - type:       deny when an argument failed type coercion (param_type_violation)
+//   - range:      numeric bounds on a parameter (e.g. amount, count)
+//   - pattern:    Cedar \`like\` glob on a string parameter (e.g. path, url)
+//   - allowlist:  permit only an approved set of values
+//   - blocklist:  deny a set of dangerous values
+//
+// These are EXAMPLES — customize the thresholds, patterns, and allow/block lists
+// for your tenant. Not auto-deployed.
+//
+// Context keys consumed:
+//   - action_params:        { amount, count, command, path, url, recipient, target, query }
+//   - param_type_violation: Bool
+//
+// Category:  agent-security
+// Namespace: Guardrails
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// type — deny when any projected argument failed type coercion
+// ---------------------------------------------------------------------------
+@id("agent-security.param-type-violation")
+@name("Deny tool calls with mistyped parameters")
+@description("Denies call_tool when any projected argument was present but failed type coercion (e.g. a non-numeric amount).")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:type,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has param_type_violation && context.param_type_violation
+};
+
+// ---------------------------------------------------------------------------
+// range — numeric bound on a parameter
+// ---------------------------------------------------------------------------
+@id("agent-security.param-amount-range")
+@name("Deny tool calls exceeding the amount limit")
+@description("Range check: denies call_tool when action_params.amount exceeds 10000.")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:range,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has amount &&
+    context.action_params.amount > 10000
+};
+
+// ---------------------------------------------------------------------------
+// blocklist — deny a set of dangerous command values
+// ---------------------------------------------------------------------------
+@id("agent-security.param-command-blocklist")
+@name("Block dangerous shell commands by parameter")
+@description("Blocklist check: denies call_tool when action_params.command is a destructive command.")
+@severity("critical")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:blocklist,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has command &&
+    (
+        context.action_params.command like "*rm -rf*" ||
+        context.action_params.command like "*shutdown*" ||
+        context.action_params.command like "*mkfs*"
+    )
+};
+
+// ---------------------------------------------------------------------------
+// pattern — Cedar \`like\` glob on a string parameter
+// ---------------------------------------------------------------------------
+@id("agent-security.param-path-pattern")
+@name("Restrict file paths by pattern")
+@description("Pattern check: denies call_tool when action_params.path is outside the /workspace/ tree.")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:pattern,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has path &&
+    !(context.action_params.path like "/workspace/*")
+};
+
+// ---------------------------------------------------------------------------
+// allowlist — permit only an approved set of recipient values
+// ---------------------------------------------------------------------------
+@id("agent-security.param-recipient-allowlist")
+@name("Allow payouts only to approved recipients")
+@description("Allowlist check: denies call_tool when action_params.recipient is not in the approved set.")
+@severity("high")
+@tags("category:agent-security,surface:call-tool,aarm:r3,check:allowlist,posture:deny-default")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has action_params &&
+    context.action_params has recipient &&
+    !(["treasury@example.com", "payroll@example.com"].contains(context.action_params.recipient))
+};
+`;
 // =============================================================================
 // CATEGORIES
 // =============================================================================
@@ -3048,6 +3168,15 @@ export const GUARDRAILS_TEMPLATES = [
         severity: 'critical',
         tags: ['category:security', 'detection:aggregate', 'posture:catch-all'],
     },
+    {
+        id: 'agent-security.param-validation',
+        name: 'Action Parameter Validation',
+        description: 'Validate tool-call arguments by type, range, pattern, and allowlist/blocklist. Customize the thresholds and lists for your tenant.',
+        category: 'agent-security',
+        cedarText: GUARDRAILS_AGENT_SECURITY_PARAM_VALIDATION_CEDAR,
+        severity: 'high',
+        tags: ['category:agent-security', 'surface:call-tool', 'aarm:r3', 'posture:deny-default'],
+    },
 ];
 // =============================================================================
 // TEMPLATES METADATA
@@ -3409,6 +3538,15 @@ export const GUARDRAILS_TEMPLATES_JSON = `{
       "file": "profiles/advanced_detection/threat_severity.cedar",
       "severity": "critical",
       "tags": ["category:security", "detection:aggregate", "posture:catch-all"]
+    },
+    {
+      "id": "agent-security.param-validation",
+      "name": "Action Parameter Validation",
+      "description": "Validate tool-call arguments by type, range, pattern, and allowlist/blocklist. Customize the thresholds and lists for your tenant.",
+      "category": "agent-security",
+      "file": "param_validation.cedar",
+      "severity": "high",
+      "tags": ["category:agent-security", "surface:call-tool", "aarm:r3", "posture:deny-default"]
     }
   ]
 }

package/dist/service-schemas.gen.d.ts

@@ -9,7 +9,7 @@ export declare const AI_GATEWAY_SCHEMA = "// AIGateway Cedar Schema\n// ========
  *
  * Full Cedar schema for guardrails, embedded at codegen time.
  */
-export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u251C\u2500\u2500 App in [Project]\n    //           \u2502     \u2514\u2500\u2500 Session in [App, Agent]\n    //           \u2514\u2500\u2500 Agent in [Project]\n    //                 \u2514\u2500\u2500 Session in [App, Agent]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped (app only)\n    //   resource == Guardrails::Agent::\"<agent_id>\"        \u2192 agent-only (exact match)\n    //   resource in Guardrails::Agent::\"<agent_id>\"        \u2192 agent + its sessions\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide (apps + agents)\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.\n    /// Used as both principal (who is acting) and resource (policy scoping target).\n    /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n    /// Agent only:       resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n    entity Agent in [Project];\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking.\n    /// Sessions can belong to either an App or an Agent.\n    entity Session in [App, Agent];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Agent, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_score\"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)\n        \"jailbreak_score\"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"jailbreak_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n        \"pii_score\"?: Long,         // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n        // Threat Severity Aggregation (optional)\n        \"highest_severity\"?: String,     // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"invisible_chars_detected\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n        // and user/app/project/account dimensions. Percentages are 0-100.\n        \"budget_remaining_pct\"?: Long,          // Min remaining % across all windows\n        \"budget_exceeded\"?: Bool,               // Any window limit exceeded\n        \"budget_cost_micros_this_turn\"?: Long,  // Cost of this request in microdollars (USD * 1e6)\n        \"budget_model\"?: String,                // Model name used for cost calculation\n        \"budget_tokens_pct_session\"?: Long,     // Session token usage % (0-100)\n        \"budget_tokens_pct_daily\"?: Long,       // Daily token usage % (0-100)\n        \"budget_tokens_pct_monthly\"?: Long,     // Monthly token usage % (0-100)\n        \"budget_cost_pct_daily\"?: Long,         // Daily cost usage % (0-100)\n        \"budget_cost_pct_monthly\"?: Long,       // Monthly cost usage % (0-100)\n        \"budget_exceeded_session\"?: Bool,       // Session-scoped budget exceeded\n        \"budget_exceeded_daily\"?: Bool,         // Any daily-scoped budget exceeded\n        \"budget_exceeded_monthly\"?: Bool,       // Any monthly-scoped budget exceeded\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        // Present when the request is made by an AI agent (API key or JWT with agent claims).\n        // Empty strings for human user requests. Use these to write agent-specific policies.\n        \"agent_id\"?: String,             // Unique agent identifier (e.g., \"agent_research_v3\")\n        \"agent_type\"?: String,           // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n        \"agent_trust_level\"?: String,    // \"first_party\" | \"verified_third_party\" | \"unverified\"\n        \"agent_framework\"?: String,      // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n        \"agent_publisher\"?: String,      // Organization that published the agent\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,          // Min remaining % across all windows\n        \"budget_exceeded\"?: Bool,               // Any window limit exceeded\n        \"budget_cost_micros_this_turn\"?: Long,  // Cost of this request in microdollars\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"pii_count\"?: Long,              // Number of PII pattern matches in tool content\n        \"pii_score\"?: Long,         // PII ML classifier confidence (0-100)\n        \"injection_score\"?: Long,\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // File & Path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path when tool operates on files\n\n        // Security - Invisible Character Detection in tool args (optional)\n        \"invisible_chars_detected\"?: Bool,       // Whether invisible Unicode chars detected in tool args\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n        \"indirect_injection_score\"?: Long,       // Indirect injection risk score (0-100)\n        \"indirect_injection_type\"?: String,      // Type of indirect injection detected\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Tool Operation Classifier (optional) \u2014 populated by AST-based classifiers (bash, python, etc.)\n        \"tool_operation_classes\"?: Set<String>,  // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                 // File path being read\n\n        // Security checks on file content (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path being written\n\n        // Security - Invisible Character Detection in write content (optional)\n        \"invisible_chars_detected\"?: Bool,       // Whether invisible Unicode chars detected in write content\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security checks on content being written (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n}\n";
+export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n    // =========================================================================\n    // Entity Types \u2014 ReBAC Hierarchy\n    // =========================================================================\n    // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n    //   Account (org root)\n    //     \u2514\u2500\u2500 Project in [Account]\n    //           \u251C\u2500\u2500 App in [Project]\n    //           \u2502     \u2514\u2500\u2500 Session in [App, Agent]\n    //           \u2514\u2500\u2500 Agent in [Project]\n    //                 \u2514\u2500\u2500 Session in [App, Agent]\n    //\n    // Policy scoping examples:\n    //   resource == Guardrails::App::\"<uuid>\"              \u2192 app-scoped (app only)\n    //   resource == Guardrails::Agent::\"<agent_id>\"        \u2192 agent-only (exact match)\n    //   resource in Guardrails::Agent::\"<agent_id>\"        \u2192 agent + its sessions\n    //   resource in Guardrails::Project::\"<uuid>\"          \u2192 project-wide (apps + agents)\n    //   resource in Guardrails::Account::\"<uuid>\"          \u2192 org-wide\n    // =========================================================================\n\n    /// Account represents an organization (top-level tenant)\n    entity Account;\n\n    /// Project represents a project within an account\n    entity Project in [Account];\n\n    /// User represents a principal (human or service) making requests\n    entity User;\n\n    /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests.\n    /// Used as both principal (who is acting) and resource (policy scoping target).\n    /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n    /// Agent only:       resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n    entity Agent in [Project];\n\n    /// App represents a protected application (guardrails-enabled LLM app)\n    entity App in [Project];\n\n    /// Session represents an agentic conversation session with state tracking.\n    /// Sessions can belong to either an App or an Agent.\n    entity Session in [App, Agent];\n\n    // =========================================================================\n    // Actions\n    // =========================================================================\n\n    /// Process user prompts and AI responses for security threats and content violations\n    action \"process_prompt\" appliesTo {\n        principal: [User, Agent],\n        resource: [App, Agent, Session],\n        context: ProcessPromptContext\n    };\n\n    /// Execute tool calls (shell, file operations, MCP tools)\n    action \"call_tool\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: CallToolContext\n    };\n\n    /// Read file operations\n    action \"read_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileReadContext\n    };\n\n    /// Write file operations\n    action \"write_file\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: FileWriteContext\n    };\n\n    /// Connect to an MCP server\n    action \"connect_server\" appliesTo {\n        principal: [User, Agent],\n        resource: [Agent, Session],\n        context: ConnectServerContext\n    };\n\n    // =========================================================================\n    // Context Types (Action-Specific)\n    // =========================================================================\n\n    /// Context for process_prompt action (user prompts & AI responses)\n    type ProcessPromptContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n        \"direction\": String,        // \"input\" | \"output\"\n        \"content_type\": String,     // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n        \"detector_count\": Long,\n\n        // Security - Injection & Jailbreak (optional)\n        \"injection_score\"?: Long,  // Combined injection confidence: MAX(pulse, deep_context)\n        \"jailbreak_score\"?: Long,  // Combined jailbreak confidence: MAX(pulse, deep_context)\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"jailbreak_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n        \"injection_type\"?: String,       // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n        // Privacy - Secrets (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,    // [\"aws_access_key\", \"github_token\", ...]\n\n        // Privacy - PII (optional)\n        \"pii_detected\"?: Bool,\n        \"pii_count\"?: Long,\n        \"pii_types\"?: Set<String>,       // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n        \"pii_score\"?: Long,         // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n        // Threat Severity Aggregation (optional)\n        \"highest_severity\"?: String,     // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n        // Trust & Safety - Toxicity (optional)\n        \"violence_score\"?: Long,         // 0-100\n        \"hate_speech_score\"?: Long,      // 0-100\n        \"sexual_score\"?: Long,           // 0-100\n        \"weapons_score\"?: Long,          // 0-100\n        \"crime_score\"?: Long,            // 0-100\n        \"profanity_score\"?: Long,        // 0-100\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security - Invisible Character Detection (optional)\n        \"invisible_chars_detected\"?: Bool,\n        \"invisible_chars_score\"?: Long,      // 0-100\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,       // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,           // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,            // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,           // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Language & Script Detection (optional)\n        \"detected_language\"?: String,            // ISO language code\n        \"is_english\"?: Bool,\n        \"language_confidence\"?: Long,            // 0-100\n        \"detected_script\"?: String,              // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n        \"is_latin_script\"?: Bool,\n        \"script_confidence\"?: Long,              // 0-100\n\n        // Content Analysis (optional)\n        \"hallucination_score\"?: Long,\n        \"factuality_score\"?: Long,               // 0-100\n        \"sentiment_score\"?: Long,\n        \"contains_code\"?: Bool,\n        \"code_languages\"?: Set<String>,\n        \"code_ratio\"?: Long,                     // 0-100, percentage of content that is code\n        \"keyword_matched\"?: Bool,\n        \"keyword_categories\"?: Set<String>,\n        \"keyword_count\"?: Long,\n        \"contains_non_ascii\"?: Bool,\n        \"phishing_detected\"?: Bool,\n        \"content_safety_score\"?: Long,           // 0-100\n        \"content_safety_blocked\"?: Bool,\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n        // and user/app/project/account dimensions. Percentages are 0-100.\n        \"budget_remaining_pct\"?: Long,          // Min remaining % across all windows\n        \"budget_exceeded\"?: Bool,               // Any window limit exceeded\n        \"budget_cost_micros_this_turn\"?: Long,  // Cost of this request in microdollars (USD * 1e6)\n        \"budget_model\"?: String,                // Model name used for cost calculation\n        \"budget_tokens_pct_session\"?: Long,     // Session token usage % (0-100)\n        \"budget_tokens_pct_daily\"?: Long,       // Daily token usage % (0-100)\n        \"budget_tokens_pct_monthly\"?: Long,     // Monthly token usage % (0-100)\n        \"budget_cost_pct_daily\"?: Long,         // Daily cost usage % (0-100)\n        \"budget_cost_pct_monthly\"?: Long,       // Monthly cost usage % (0-100)\n        \"budget_exceeded_session\"?: Bool,       // Session-scoped budget exceeded\n        \"budget_exceeded_daily\"?: Bool,         // Any daily-scoped budget exceeded\n        \"budget_exceeded_monthly\"?: Bool,       // Any monthly-scoped budget exceeded\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        // Present when the request is made by an AI agent (API key or JWT with agent claims).\n        // Empty strings for human user requests. Use these to write agent-specific policies.\n        \"agent_id\"?: String,             // Unique agent identifier (e.g., \"agent_research_v3\")\n        \"agent_type\"?: String,           // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n        \"agent_trust_level\"?: String,    // \"first_party\" | \"verified_third_party\" | \"unverified\"\n        \"agent_framework\"?: String,      // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n        \"agent_publisher\"?: String,      // Organization that published the agent\n\n    };\n\n    /// Context for call_tool action (agentic tool execution)\n    type CallToolContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // Tool Risk (optional)\n        \"tool_name\"?: String,            // \"shell\", \"write_file\", \"http_post\", etc.\n        \"tool_risk_score\"?: Long,        // 0-100\n        \"tool_is_sensitive\"?: Bool,\n        \"tool_category\"?: String,        // \"safe\" | \"sensitive\" | \"dangerous\"\n        \"tool_is_builtin\"?: Bool,\n\n        // AARM R3 (CAP-ENF-007) \u2014 Action Parameter Validation.\n        // Structured tool-call arguments, projected and type-coerced by Shield so\n        // policies can validate them by type / range / pattern / allowlist /\n        // blocklist \u2014 e.g.\n        //   forbid ... when { context.action_params has amount &&\n        //                     context.action_params.amount > 10000 };\n        // Only well-known, safety-relevant argument names are projected; each value\n        // is coerced to its declared type. An argument that is present but NOT\n        // coercible to its declared type is dropped (so policies never read a\n        // wrong-typed value) and its name is recorded in `param_type_violations`.\n        \"action_params\"?: {\n            \"amount\"?: Long,        // numeric \u2014 range limits (e.g. transfer / spend amount)\n            \"count\"?: Long,         // numeric \u2014 range limits (e.g. batch size, fan-out)\n            \"command\"?: String,     // string  \u2014 allowlist / blocklist / pattern (e.g. shell command)\n            \"path\"?: String,        // string  \u2014 pattern (e.g. filesystem path)\n            \"url\"?: String,         // string  \u2014 pattern / allowlist (e.g. egress host)\n            \"recipient\"?: String,   // string  \u2014 allowlist / pattern (e.g. payout / email target)\n            \"target\"?: String,      // string  \u2014 allowlist (e.g. resource / table name)\n            \"query\"?: String,       // string  \u2014 pattern (e.g. SQL / search query)\n        },\n        // True when any projected argument was present but failed type coercion\n        // (e.g. a non-numeric `amount`). Lets a policy deny on a type violation\n        // instead of the wrong-typed value silently vanishing.\n        \"param_type_violation\"?: Bool,\n        // Names of the arguments that were present but failed type coercion.\n        \"param_type_violations\"?: Set<String>,\n\n        // MCP context (optional \u2014 only present for MCP tool calls)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_tool\"?: String,             // MCP tool name within the server\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Behavioral Patterns (optional)\n        \"suspicious_pattern\"?: Bool,\n        \"pattern_type\"?: String,         // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n        \"sequence_risk\"?: Long,          // 0-100\n\n        // Agentic - Loop Detection (optional)\n        \"loop_detected\"?: Bool,\n        \"loop_count\"?: Long,\n        \"loop_tool\"?: String,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,          // Min remaining % across all windows\n        \"budget_exceeded\"?: Bool,               // Any window limit exceeded\n        \"budget_cost_micros_this_turn\"?: Long,  // Cost of this request in microdollars\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Semantic - Topic Classification (optional)\n        \"content_topics\"?: Set<String>,      // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n        \"topic_confidence\"?: Long,           // 0-100\n\n        // Security checks on tool arguments (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n        \"pii_count\"?: Long,              // Number of PII pattern matches in tool content\n        \"pii_score\"?: Long,         // PII ML classifier confidence (0-100)\n        \"injection_score\"?: Long,\n        \"injection_pulse_score\"?: Long,  // 0-100 Pulse single-turn classifier\n        \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n        // Security - Pattern Detection (optional)\n        \"command_injection_detected\"?: Bool,\n        \"command_injection_type\"?: String,\n        \"command_injection_score\"?: Long,        // 0-100\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n        \"sql_injection_detected\"?: Bool,\n        \"sql_injection_type\"?: String,\n        \"sql_injection_score\"?: Long,            // 0-100\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,             // 0-100\n\n        // File & Path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path when tool operates on files\n\n        // Security - Invisible Character Detection in tool args (optional)\n        \"invisible_chars_detected\"?: Bool,       // Whether invisible Unicode chars detected in tool args\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security - Encoded Injection (optional)\n        \"encoded_content_detected\"?: Bool,\n        \"encoded_types\"?: Set<String>,\n        \"encoded_count\"?: Long,\n        \"encoded_score\"?: Long,                  // 0-100\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,           // 0-100\n        \"tool_poisoning_type\"?: String,          // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n        \"rug_pull_detected\"?: Bool,\n        \"rug_pull_score\"?: Long,                 // 0-100\n        \"rug_pull_type\"?: String,                // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n        // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n        \"indirect_injection_score\"?: Long,       // Indirect injection risk score (0-100)\n        \"indirect_injection_type\"?: String,      // Type of indirect injection detected\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,                // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n        \"mcp_risk_score\"?: Long,                 // 0-100\n\n        // Tool Operation Classifier (optional) \u2014 populated by AST-based classifiers (bash, python, etc.)\n        \"tool_operation_classes\"?: Set<String>,  // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n        // Agentic - Multi-Turn Context (optional)\n        \"conversation_turn\"?: Long,\n        \"multi_turn_detection\"?: Bool,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for read_file action\n    type FileReadContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                 // File path being read\n\n        // Security checks on file content (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for write_file action\n    type FileWriteContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // File path (optional \u2014 for path-based access control policies)\n        \"path\"?: String,                         // File path being written\n\n        // Security - Invisible Character Detection in write content (optional)\n        \"invisible_chars_detected\"?: Bool,       // Whether invisible Unicode chars detected in write content\n        \"invisible_chars_score\"?: Long,          // Invisible character attack severity (0-100)\n\n        // Security checks on content being written (optional)\n        \"secrets_detected\"?: Bool,\n        \"secret_count\"?: Long,\n        \"secret_types\"?: Set<String>,\n        \"pii_detected\"?: Bool,\n        \"pii_types\"?: Set<String>,\n\n        // Security - Path Traversal (optional)\n        \"path_traversal_detected\"?: Bool,\n        \"path_traversal_severity\"?: String,\n        \"path_traversal_type\"?: String,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n\n    /// Context for connect_server action (MCP server connections)\n    type ConnectServerContext = {\n        // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n        \"role\"?: String,\n        \"privilege_scope\"?: Set<String>,\n        // Core metadata (required)\n        \"request_id\": String,\n        \"timestamp\": Long,\n\n        // MCP context (optional)\n        \"mcp_server\"?: String,           // MCP server name (e.g., \"github\", \"filesystem\")\n        \"mcp_server_verified\"?: Bool,    // Whether server is from verified registry\n\n        // Agentic - Agent Security (optional)\n        \"tool_poisoning_detected\"?: Bool,\n        \"tool_poisoning_score\"?: Long,\n        \"tool_poisoning_type\"?: String,\n\n        // Agentic - MCP Risk (optional)\n        \"mcp_config_risk\"?: Bool,\n        \"mcp_risk_type\"?: String,\n        \"mcp_risk_score\"?: Long,\n\n        // Security - Cross-Origin Escalation (optional)\n        \"cross_origin_detected\"?: Bool,\n        \"cross_origin_type\"?: String,\n        \"cross_origin_score\"?: Long,\n\n        // Session Detection History \u2014 cross-turn sticky flags (optional)\n        \"session_pii_detected\"?: Bool,\n        \"session_pii_types\"?: Set<String>,\n        \"session_secrets_detected\"?: Bool,\n        \"session_secret_types\"?: Set<String>,\n        \"session_injection_detected\"?: Bool,\n        \"session_command_injection\"?: Bool,\n        \"session_threat_turns\"?: Long,\n        \"session_max_injection_score\"?: Long,\n        \"session_max_jailbreak_score\"?: Long,\n        \"session_max_command_injection_score\"?: Long,\n        \"session_max_pii_score\"?: Long,\n        \"session_max_secret_score\"?: Long,\n        \"session_cumulative_risk_score\"?: Long,\n\n        // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n        // See ProcessPromptContext for full documentation.\n        \"budget_remaining_pct\"?: Long,\n        \"budget_exceeded\"?: Bool,\n        \"budget_cost_micros_this_turn\"?: Long,\n        \"budget_model\"?: String,\n        \"budget_tokens_pct_session\"?: Long,\n        \"budget_tokens_pct_daily\"?: Long,\n        \"budget_tokens_pct_monthly\"?: Long,\n        \"budget_cost_pct_daily\"?: Long,\n        \"budget_cost_pct_monthly\"?: Long,\n        \"budget_exceeded_session\"?: Bool,\n        \"budget_exceeded_daily\"?: Bool,\n        \"budget_exceeded_monthly\"?: Bool,\n\n        // Agent Identity \u2014 authenticated agent principal metadata (optional)\n        \"agent_id\"?: String,\n        \"agent_type\"?: String,\n        \"agent_trust_level\"?: String,\n        \"agent_framework\"?: String,\n        \"agent_publisher\"?: String,\n\n    };\n}\n";
 /**
  * Overwatch Cedar schema
  *

package/dist/service-schemas.gen.js

@@ -729,6 +729,33 @@ namespace Guardrails {
         "tool_category"?: String,        // "safe" | "sensitive" | "dangerous"
         "tool_is_builtin"?: Bool,
 
+        // AARM R3 (CAP-ENF-007) — Action Parameter Validation.
+        // Structured tool-call arguments, projected and type-coerced by Shield so
+        // policies can validate them by type / range / pattern / allowlist /
+        // blocklist — e.g.
+        //   forbid ... when { context.action_params has amount &&
+        //                     context.action_params.amount > 10000 };
+        // Only well-known, safety-relevant argument names are projected; each value
+        // is coerced to its declared type. An argument that is present but NOT
+        // coercible to its declared type is dropped (so policies never read a
+        // wrong-typed value) and its name is recorded in \`param_type_violations\`.
+        "action_params"?: {
+            "amount"?: Long,        // numeric — range limits (e.g. transfer / spend amount)
+            "count"?: Long,         // numeric — range limits (e.g. batch size, fan-out)
+            "command"?: String,     // string  — allowlist / blocklist / pattern (e.g. shell command)
+            "path"?: String,        // string  — pattern (e.g. filesystem path)
+            "url"?: String,         // string  — pattern / allowlist (e.g. egress host)
+            "recipient"?: String,   // string  — allowlist / pattern (e.g. payout / email target)
+            "target"?: String,      // string  — allowlist (e.g. resource / table name)
+            "query"?: String,       // string  — pattern (e.g. SQL / search query)
+        },
+        // True when any projected argument was present but failed type coercion
+        // (e.g. a non-numeric \`amount\`). Lets a policy deny on a type violation
+        // instead of the wrong-typed value silently vanishing.
+        "param_type_violation"?: Bool,
+        // Names of the arguments that were present but failed type coercion.
+        "param_type_violations"?: Set<String>,
+
         // MCP context (optional — only present for MCP tool calls)
         "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
         "mcp_tool"?: String,             // MCP tool name within the server

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.1.44",
+  "version": "2.1.45",
   "engines": {
     "node": ">=18"
   },