@highflame/policy 2.1.45 → 2.2.1
- package/_schemas/guardrails/context.json +132 -0
- package/_schemas/guardrails/schema.cedarschema +20 -0
- package/dist/ai_gateway-context.gen.d.ts +5 -0
- package/dist/ai_gateway-context.gen.js +67 -0
- package/dist/ai_gateway-detectors.gen.d.ts +6 -0
- package/dist/ai_gateway-detectors.gen.js +217 -0
- package/dist/detector-card-types.gen.d.ts +45 -0
- package/dist/detector-card-types.gen.js +1 -0
- package/dist/guardrails-context.gen.d.ts +11 -0
- package/dist/guardrails-context.gen.js +134 -0
- package/dist/guardrails-detectors.gen.d.ts +6 -0
- package/dist/guardrails-detectors.gen.js +574 -0
- package/dist/index.d.ts +5 -5
- package/dist/index.js +5 -5
- package/dist/overwatch-context.gen.d.ts +5 -0
- package/dist/overwatch-context.gen.js +78 -0
- package/dist/overwatch-detectors.gen.d.ts +6 -0
- package/dist/overwatch-detectors.gen.js +220 -0
- package/dist/palisade-context.gen.d.ts +5 -0
- package/dist/palisade-context.gen.js +21 -0
- package/dist/sentry-context.gen.d.ts +5 -0
- package/dist/sentry-context.gen.js +75 -0
- package/dist/sentry-detectors.gen.d.ts +6 -0
- package/dist/sentry-detectors.gen.js +162 -0
- package/dist/service-schemas.gen.d.ts +1 -1
- package/dist/service-schemas.gen.js +42 -0
- package/dist/types.d.ts +5 -5
- package/dist/types.js +5 -5
- package/package.json +23 -2
@@ -9,7 +9,7 @@ export declare const AI_GATEWAY_SCHEMA = "// AIGateway Cedar Schema\n// ========
9
9
*
10
10
* Full Cedar schema for guardrails, embedded at codegen time.
11
11
*/
12
-
export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u251C\u2500\u2500 App in [Project]\n // \u2502 \u2514\u2500\u2500 Session in [App, Agent]\n // \u2514\u2500\u2500 Agent in [Project]\n // \u2514\u2500\u2500 Session in [App, Agent]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped (app only)\n // resource == Guardrails::Agent::\"<agent_id>\" \u2192 agent-only (exact match)\n // resource in Guardrails::Agent::\"<agent_id>\" \u2192 agent + its sessions\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide (apps + agents)\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) 
making requests.\n /// Used as both principal (who is acting) and resource (policy scoping target).\n /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n /// Agent only: resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n entity Agent in [Project];\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking.\n /// Sessions can belong to either an App or an Agent.\n entity Session in [App, Agent];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Agent, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from 
the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_score\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_score\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", 
\"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"invisible_chars_detected\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n 
\"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n // and user/app/project/account dimensions. 
Percentages are 0-100.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: Long, // Cost of this request in microdollars (USD * 1e6)\n \"budget_model\"?: String, // Model name used for cost calculation\n \"budget_tokens_pct_session\"?: Long, // Session token usage % (0-100)\n \"budget_tokens_pct_daily\"?: Long, // Daily token usage % (0-100)\n \"budget_tokens_pct_monthly\"?: Long, // Monthly token usage % (0-100)\n \"budget_cost_pct_daily\"?: Long, // Daily cost usage % (0-100)\n \"budget_cost_pct_monthly\"?: Long, // Monthly cost usage % (0-100)\n \"budget_exceeded_session\"?: Bool, // Session-scoped budget exceeded\n \"budget_exceeded_daily\"?: Bool, // Any daily-scoped budget exceeded\n \"budget_exceeded_monthly\"?: Bool, // Any monthly-scoped budget exceeded\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. 
Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // AARM R3 (CAP-ENF-007) \u2014 Action Parameter Validation.\n // Structured tool-call arguments, projected and type-coerced by Shield so\n // policies can validate them by type / range / pattern / allowlist /\n // blocklist \u2014 e.g.\n // forbid ... when { context.action_params has amount &&\n // context.action_params.amount > 10000 };\n // Only well-known, safety-relevant argument names are projected; each value\n // is coerced to its declared type. An argument that is present but NOT\n // coercible to its declared type is dropped (so policies never read a\n // wrong-typed value) and its name is recorded in `param_type_violations`.\n \"action_params\"?: {\n \"amount\"?: Long, // numeric \u2014 range limits (e.g. transfer / spend amount)\n \"count\"?: Long, // numeric \u2014 range limits (e.g. 
batch size, fan-out)\n \"command\"?: String, // string \u2014 allowlist / blocklist / pattern (e.g. shell command)\n \"path\"?: String, // string \u2014 pattern (e.g. filesystem path)\n \"url\"?: String, // string \u2014 pattern / allowlist (e.g. egress host)\n \"recipient\"?: String, // string \u2014 allowlist / pattern (e.g. payout / email target)\n \"target\"?: String, // string \u2014 allowlist (e.g. resource / table name)\n \"query\"?: String, // string \u2014 pattern (e.g. SQL / search query)\n },\n // True when any projected argument was present but failed type coercion\n // (e.g. a non-numeric `amount`). Lets a policy deny on a type violation\n // instead of the wrong-typed value silently vanishing.\n \"param_type_violation\"?: Bool,\n // Names of the arguments that were present but failed type coercion.\n \"param_type_violations\"?: Set<String>,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: Long, // Cost of this request in microdollars\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n 
\"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_score\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n 
\"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Tool Operation Classifier (optional) \u2014 populated by AST-based classifiers (bash, python, etc.)\n \"tool_operation_classes\"?: Set<String>, // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity 
\u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: 
Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n 
\"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n 
\"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
12
+
export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u251C\u2500\u2500 App in [Project]\n // \u2502 \u2514\u2500\u2500 Session in [App, Agent]\n // \u2514\u2500\u2500 Agent in [Project]\n // \u2514\u2500\u2500 Session in [App, Agent]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped (app only)\n // resource == Guardrails::Agent::\"<agent_id>\" \u2192 agent-only (exact match)\n // resource in Guardrails::Agent::\"<agent_id>\" \u2192 agent + its sessions\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide (apps + agents)\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) 
making requests.\n /// Used as both principal (who is acting) and resource (policy scoping target).\n /// Agent + sessions: resource in Guardrails::Agent::\"<agent_id>\" (hierarchy match)\n /// Agent only: resource == Guardrails::Agent::\"<agent_id>\" (exact match)\n entity Agent in [Project];\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking.\n /// Sessions can belong to either an App or an Agent.\n entity Session in [App, Agent];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Agent, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Agent, Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from 
the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n \"identity_type\"?: String, // Principal identity class: \"human\" | \"agent\" | \"service\"\n \"principal\"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_score\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_score\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: 
Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"invisible_chars_detected\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n 
\"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n \"session_original_request\"?: String, // The session's first user request (drift / goal-hijack policies)\n \"session_max_sensitivity\"?: String, // Highest data-sensitivity tier seen this session\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // Emitted by usage_budget detector. Enforced across session/daily/monthly windows\n // and user/app/project/account dimensions. 
Percentages are 0-100.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: Long, // Cost of this request in microdollars (USD * 1e6)\n \"budget_model\"?: String, // Model name used for cost calculation\n \"budget_tokens_pct_session\"?: Long, // Session token usage % (0-100)\n \"budget_tokens_pct_daily\"?: Long, // Daily token usage % (0-100)\n \"budget_tokens_pct_monthly\"?: Long, // Monthly token usage % (0-100)\n \"budget_cost_pct_daily\"?: Long, // Daily cost usage % (0-100)\n \"budget_cost_pct_monthly\"?: Long, // Monthly cost usage % (0-100)\n \"budget_exceeded_session\"?: Bool, // Session-scoped budget exceeded\n \"budget_exceeded_daily\"?: Bool, // Any daily-scoped budget exceeded\n \"budget_exceeded_monthly\"?: Bool, // Any monthly-scoped budget exceeded\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. 
Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n \"identity_type\"?: String, // Principal identity class: \"human\" | \"agent\" | \"service\"\n \"principal\"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // AARM R3 (CAP-ENF-007) \u2014 Action Parameter Validation.\n // Structured tool-call arguments, projected and type-coerced by Shield so\n // policies can validate them by type / range / pattern / allowlist /\n // blocklist \u2014 e.g.\n // forbid ... when { context.action_params has amount &&\n // context.action_params.amount > 10000 };\n // Only well-known, safety-relevant argument names are projected; each value\n // is coerced to its declared type. 
An argument that is present but NOT\n // coercible to its declared type is dropped (so policies never read a\n // wrong-typed value) and its name is recorded in `param_type_violations`.\n \"action_params\"?: {\n \"amount\"?: Long, // numeric \u2014 range limits (e.g. transfer / spend amount)\n \"count\"?: Long, // numeric \u2014 range limits (e.g. batch size, fan-out)\n \"command\"?: String, // string \u2014 allowlist / blocklist / pattern (e.g. shell command)\n \"path\"?: String, // string \u2014 pattern (e.g. filesystem path)\n \"url\"?: String, // string \u2014 pattern / allowlist (e.g. egress host)\n \"recipient\"?: String, // string \u2014 allowlist / pattern (e.g. payout / email target)\n \"target\"?: String, // string \u2014 allowlist (e.g. resource / table name)\n \"query\"?: String, // string \u2014 pattern (e.g. SQL / search query)\n },\n // True when any projected argument was present but failed type coercion\n // (e.g. a non-numeric `amount`). Lets a policy deny on a type violation\n // instead of the wrong-typed value silently vanishing.\n \"param_type_violation\"?: Bool,\n // Names of the arguments that were present but failed type coercion.\n \"param_type_violations\"?: Set<String>,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See 
ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long, // Min remaining % across all windows\n \"budget_exceeded\"?: Bool, // Any window limit exceeded\n \"budget_cost_micros_this_turn\"?: Long, // Cost of this request in microdollars\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_score\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_score\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on 
files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Tool Operation Classifier (optional) \u2014 populated by AST-based classifiers (bash, python, etc.)\n \"tool_operation_classes\"?: Set<String>, // subset of {\"readonly\", \"write_enabling\", \"execute_enabling\", \"network_access\", \"unknown\"}\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n 
\"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n \"session_original_request\"?: String, // The session's first user request (drift / goal-hijack policies)\n \"session_max_sensitivity\"?: String, // Highest data-sensitivity tier seen this session\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n \"identity_type\"?: String, // Principal identity class: \"human\" | \"agent\" | \"service\"\n \"principal\"?: String, // Stable principal identifier (e.g. 
ZeroID / WIMSE URI or user id)\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n \"session_original_request\"?: String, // The session's first user request (drift / goal-hijack policies)\n \"session_max_sensitivity\"?: String, // Highest data-sensitivity tier seen this session\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated 
agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n \"identity_type\"?: String, // Principal identity class: \"human\" | \"agent\" | \"service\"\n \"principal\"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"invisible_chars_detected\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"secrets_detected\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n 
\"session_cumulative_risk_score\"?: Long,\n \"session_original_request\"?: String, // The session's first user request (drift / goal-hijack policies)\n \"session_max_sensitivity\"?: String, // Highest data-sensitivity tier seen this session\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n \"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Identity (AARM R6 / CAP-IDN-011) \u2014 projected from the principal's token; optional.\n \"role\"?: String,\n \"privilege_scope\"?: Set<String>,\n \"identity_type\"?: String, // Principal identity class: \"human\" | \"agent\" | \"service\"\n \"principal\"?: String, // Stable principal identifier (e.g. 
ZeroID / WIMSE URI or user id)\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n \"session_original_request\"?: String, // The session's first user request (drift / goal-hijack policies)\n \"session_max_sensitivity\"?: String, // Highest data-sensitivity tier seen this session\n\n // Usage Budget \u2014 multi-window token & cost enforcement (optional)\n // See ProcessPromptContext for full documentation.\n \"budget_remaining_pct\"?: Long,\n \"budget_exceeded\"?: Bool,\n \"budget_cost_micros_this_turn\"?: Long,\n \"budget_model\"?: String,\n \"budget_tokens_pct_session\"?: Long,\n \"budget_tokens_pct_daily\"?: Long,\n \"budget_tokens_pct_monthly\"?: Long,\n \"budget_cost_pct_daily\"?: Long,\n \"budget_cost_pct_monthly\"?: Long,\n 
\"budget_exceeded_session\"?: Bool,\n \"budget_exceeded_daily\"?: Bool,\n \"budget_exceeded_monthly\"?: Bool,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
|
|
13
13
|
/**
|
|
14
14
|
* Overwatch Cedar schema
|
|
15
15
|
*
|
|
@@ -576,6 +576,8 @@ namespace Guardrails {
|
|
|
576
576
|
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
577
577
|
"role"?: String,
|
|
578
578
|
"privilege_scope"?: Set<String>,
|
|
579
|
+
"identity_type"?: String, // Principal identity class: "human" | "agent" | "service"
|
|
580
|
+
"principal"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)
|
|
579
581
|
// Core metadata (required)
|
|
580
582
|
"request_id": String,
|
|
581
583
|
"timestamp": Long,
|
|
@@ -685,6 +687,8 @@ namespace Guardrails {
|
|
|
685
687
|
"session_max_pii_score"?: Long,
|
|
686
688
|
"session_max_secret_score"?: Long,
|
|
687
689
|
"session_cumulative_risk_score"?: Long,
|
|
690
|
+
"session_original_request"?: String, // The session's first user request (drift / goal-hijack policies)
|
|
691
|
+
"session_max_sensitivity"?: String, // Highest data-sensitivity tier seen this session
|
|
688
692
|
|
|
689
693
|
// Usage Budget — multi-window token & cost enforcement (optional)
|
|
690
694
|
// Emitted by usage_budget detector. Enforced across session/daily/monthly windows
|
|
@@ -718,6 +722,8 @@ namespace Guardrails {
|
|
|
718
722
|
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
719
723
|
"role"?: String,
|
|
720
724
|
"privilege_scope"?: Set<String>,
|
|
725
|
+
"identity_type"?: String, // Principal identity class: "human" | "agent" | "service"
|
|
726
|
+
"principal"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)
|
|
721
727
|
// Core metadata (required)
|
|
722
728
|
"request_id": String,
|
|
723
729
|
"timestamp": Long,
|
|
@@ -869,6 +875,8 @@ namespace Guardrails {
|
|
|
869
875
|
"session_max_pii_score"?: Long,
|
|
870
876
|
"session_max_secret_score"?: Long,
|
|
871
877
|
"session_cumulative_risk_score"?: Long,
|
|
878
|
+
"session_original_request"?: String, // The session's first user request (drift / goal-hijack policies)
|
|
879
|
+
"session_max_sensitivity"?: String, // Highest data-sensitivity tier seen this session
|
|
872
880
|
|
|
873
881
|
// Agent Identity — authenticated agent principal metadata (optional)
|
|
874
882
|
"agent_id"?: String,
|
|
@@ -884,6 +892,8 @@ namespace Guardrails {
|
|
|
884
892
|
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
885
893
|
"role"?: String,
|
|
886
894
|
"privilege_scope"?: Set<String>,
|
|
895
|
+
"identity_type"?: String, // Principal identity class: "human" | "agent" | "service"
|
|
896
|
+
"principal"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)
|
|
887
897
|
// Core metadata (required)
|
|
888
898
|
"request_id": String,
|
|
889
899
|
"timestamp": Long,
|
|
@@ -917,6 +927,8 @@ namespace Guardrails {
|
|
|
917
927
|
"session_max_pii_score"?: Long,
|
|
918
928
|
"session_max_secret_score"?: Long,
|
|
919
929
|
"session_cumulative_risk_score"?: Long,
|
|
930
|
+
"session_original_request"?: String, // The session's first user request (drift / goal-hijack policies)
|
|
931
|
+
"session_max_sensitivity"?: String, // Highest data-sensitivity tier seen this session
|
|
920
932
|
|
|
921
933
|
// Usage Budget — multi-window token & cost enforcement (optional)
|
|
922
934
|
// See ProcessPromptContext for full documentation.
|
|
@@ -947,6 +959,8 @@ namespace Guardrails {
|
|
|
947
959
|
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
948
960
|
"role"?: String,
|
|
949
961
|
"privilege_scope"?: Set<String>,
|
|
962
|
+
"identity_type"?: String, // Principal identity class: "human" | "agent" | "service"
|
|
963
|
+
"principal"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)
|
|
950
964
|
// Core metadata (required)
|
|
951
965
|
"request_id": String,
|
|
952
966
|
"timestamp": Long,
|
|
@@ -984,6 +998,8 @@ namespace Guardrails {
|
|
|
984
998
|
"session_max_pii_score"?: Long,
|
|
985
999
|
"session_max_secret_score"?: Long,
|
|
986
1000
|
"session_cumulative_risk_score"?: Long,
|
|
1001
|
+
"session_original_request"?: String, // The session's first user request (drift / goal-hijack policies)
|
|
1002
|
+
"session_max_sensitivity"?: String, // Highest data-sensitivity tier seen this session
|
|
987
1003
|
|
|
988
1004
|
// Usage Budget — multi-window token & cost enforcement (optional)
|
|
989
1005
|
// See ProcessPromptContext for full documentation.
|
|
@@ -1014,6 +1030,8 @@ namespace Guardrails {
|
|
|
1014
1030
|
// Identity (AARM R6 / CAP-IDN-011) — projected from the principal's token; optional.
|
|
1015
1031
|
"role"?: String,
|
|
1016
1032
|
"privilege_scope"?: Set<String>,
|
|
1033
|
+
"identity_type"?: String, // Principal identity class: "human" | "agent" | "service"
|
|
1034
|
+
"principal"?: String, // Stable principal identifier (e.g. ZeroID / WIMSE URI or user id)
|
|
1017
1035
|
// Core metadata (required)
|
|
1018
1036
|
"request_id": String,
|
|
1019
1037
|
"timestamp": Long,
|
|
@@ -1051,6 +1069,8 @@ namespace Guardrails {
|
|
|
1051
1069
|
"session_max_pii_score"?: Long,
|
|
1052
1070
|
"session_max_secret_score"?: Long,
|
|
1053
1071
|
"session_cumulative_risk_score"?: Long,
|
|
1072
|
+
"session_original_request"?: String, // The session's first user request (drift / goal-hijack policies)
|
|
1073
|
+
"session_max_sensitivity"?: String, // Highest data-sensitivity tier seen this session
|
|
1054
1074
|
|
|
1055
1075
|
// Usage Budget — multi-window token & cost enforcement (optional)
|
|
1056
1076
|
// See ProcessPromptContext for full documentation.
|
|
@@ -2336,6 +2356,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2336
2356
|
"context_attributes": [
|
|
2337
2357
|
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2338
2358
|
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2359
|
+
{ "key": "identity_type", "type": "string", "required": false, "description": "Principal identity class projected from the token: \'human\', \'agent\', or \'service\'. Use to apply identity-class-specific policies" },
|
|
2360
|
+
{ "key": "principal", "type": "string", "required": false, "description": "Stable principal identifier projected from the token (e.g. a ZeroID / WIMSE URI or user id). Absent when the token carries no principal claim" },
|
|
2339
2361
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request, useful for audit trails and debugging" },
|
|
2340
2362
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds when the request was processed" },
|
|
2341
2363
|
{ "key": "direction", "type": "string", "required": true, "description": "Content flow direction: \'input\' for user prompts, \'output\' for AI responses. Use this to apply different policies to inputs vs outputs (e.g., block PII only in outputs)" },
|
|
@@ -2416,6 +2438,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2416
2438
|
{ "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
|
|
2417
2439
|
{ "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
|
|
2418
2440
|
{ "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
|
|
2441
|
+
{ "key": "session_max_sensitivity", "type": "string", "required": false, "description": "Highest data-sensitivity tier observed across the session (e.g. \'public\', \'internal\', \'confidential\', \'restricted\'). Use for session-level escalation policies" },
|
|
2442
|
+
{ "key": "session_original_request", "type": "string", "required": false, "description": "The session\'s first user request, retained for drift / goal-hijack policies that compare later turns against the original intent" },
|
|
2419
2443
|
{ "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
|
|
2420
2444
|
{ "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
|
|
2421
2445
|
{ "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
|
|
@@ -2429,6 +2453,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2429
2453
|
"context_attributes": [
|
|
2430
2454
|
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2431
2455
|
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2456
|
+
{ "key": "identity_type", "type": "string", "required": false, "description": "Principal identity class projected from the token: \'human\', \'agent\', or \'service\'. Use to apply identity-class-specific policies" },
|
|
2457
|
+
{ "key": "principal", "type": "string", "required": false, "description": "Stable principal identifier projected from the token (e.g. a ZeroID / WIMSE URI or user id). Absent when the token carries no principal claim" },
|
|
2432
2458
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2433
2459
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2434
2460
|
{ "key": "tool_name", "type": "string", "required": false, "description": "Name of the tool being called (e.g., \'shell\', \'write_file\', \'http_post\'). Use this to block specific dangerous tools" },
|
|
@@ -2436,6 +2462,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2436
2462
|
{ "key": "tool_is_sensitive", "type": "boolean", "required": false, "description": "Whether the tool is classified as sensitive (shell, file operations, network access, etc.)" },
|
|
2437
2463
|
{ "key": "tool_category", "type": "string", "required": false, "description": "Tool classification: \'safe\', \'sensitive\', or \'dangerous\'. Based on tool type and argument patterns" },
|
|
2438
2464
|
{ "key": "tool_is_builtin", "type": "boolean", "required": false, "description": "Whether the tool is a built-in tool (vs MCP external tool). Built-in tools are generally more trusted" },
|
|
2465
|
+
{ "key": "param_type_violation", "type": "boolean", "required": false, "description": "True when any projected tool-call argument (action_params, CAP-ENF-007 / AARM R3) was present but failed type coercion. Lets a policy deny on a type violation instead of the wrong-typed value silently vanishing" },
|
|
2466
|
+
{ "key": "param_type_violations", "type": "array", "required": false, "description": "Names of the tool-call arguments that were present but failed type coercion (action_params, CAP-ENF-007 / AARM R3)" },
|
|
2439
2467
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "Name of the MCP server providing this tool (e.g., \'github\', \'filesystem\', \'slack\'). Empty for built-in tools. Use this to control which tools are allowed per MCP server" },
|
|
2440
2468
|
{ "key": "mcp_tool", "type": "string", "required": false, "description": "Name of the specific tool within the MCP server (e.g., \'read_issues\', \'create_file\'). Use with mcp_server for fine-grained per-tool permissioning" },
|
|
2441
2469
|
{ "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether the MCP server is from a verified/trusted registry. Unverified servers have elevated risk scores. Use this to block tool calls from unverified sources" },
|
|
@@ -2505,6 +2533,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2505
2533
|
{ "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
|
|
2506
2534
|
{ "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
|
|
2507
2535
|
{ "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
|
|
2536
|
+
{ "key": "session_max_sensitivity", "type": "string", "required": false, "description": "Highest data-sensitivity tier observed across the session (e.g. \'public\', \'internal\', \'confidential\', \'restricted\'). Use for session-level escalation policies" },
|
|
2537
|
+
{ "key": "session_original_request", "type": "string", "required": false, "description": "The session\'s first user request, retained for drift / goal-hijack policies that compare later turns against the original intent" },
|
|
2508
2538
|
{ "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
|
|
2509
2539
|
{ "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
|
|
2510
2540
|
{ "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
|
|
@@ -2518,6 +2548,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2518
2548
|
"context_attributes": [
|
|
2519
2549
|
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2520
2550
|
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2551
|
+
{ "key": "identity_type", "type": "string", "required": false, "description": "Principal identity class projected from the token: \'human\', \'agent\', or \'service\'. Use to apply identity-class-specific policies" },
|
|
2552
|
+
{ "key": "principal", "type": "string", "required": false, "description": "Stable principal identifier projected from the token (e.g. a ZeroID / WIMSE URI or user id). Absent when the token carries no principal claim" },
|
|
2521
2553
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2522
2554
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2523
2555
|
{ "key": "path", "type": "string", "required": false, "description": "File path being read. Use for path-based access control policies (e.g., block .env files, system directories, credential directories)" },
|
|
@@ -2542,6 +2574,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2542
2574
|
{ "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
|
|
2543
2575
|
{ "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
|
|
2544
2576
|
{ "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
|
|
2577
|
+
{ "key": "session_max_sensitivity", "type": "string", "required": false, "description": "Highest data-sensitivity tier observed across the session (e.g. \'public\', \'internal\', \'confidential\', \'restricted\'). Use for session-level escalation policies" },
|
|
2578
|
+
{ "key": "session_original_request", "type": "string", "required": false, "description": "The session\'s first user request, retained for drift / goal-hijack policies that compare later turns against the original intent" },
|
|
2545
2579
|
{ "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
|
|
2546
2580
|
{ "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
|
|
2547
2581
|
{ "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
|
|
@@ -2555,6 +2589,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2555
2589
|
"context_attributes": [
|
|
2556
2590
|
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2557
2591
|
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2592
|
+
{ "key": "identity_type", "type": "string", "required": false, "description": "Principal identity class projected from the token: \'human\', \'agent\', or \'service\'. Use to apply identity-class-specific policies" },
|
|
2593
|
+
{ "key": "principal", "type": "string", "required": false, "description": "Stable principal identifier projected from the token (e.g. a ZeroID / WIMSE URI or user id). Absent when the token carries no principal claim" },
|
|
2558
2594
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2559
2595
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2560
2596
|
{ "key": "path", "type": "string", "required": false, "description": "File path being written. Use for path-based blocking policies (e.g., block writes to .env files, credential directories)" },
|
|
@@ -2581,6 +2617,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2581
2617
|
{ "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
|
|
2582
2618
|
{ "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
|
|
2583
2619
|
{ "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
|
|
2620
|
+
{ "key": "session_max_sensitivity", "type": "string", "required": false, "description": "Highest data-sensitivity tier observed across the session (e.g. \'public\', \'internal\', \'confidential\', \'restricted\'). Use for session-level escalation policies" },
|
|
2621
|
+
{ "key": "session_original_request", "type": "string", "required": false, "description": "The session\'s first user request, retained for drift / goal-hijack policies that compare later turns against the original intent" },
|
|
2584
2622
|
{ "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
|
|
2585
2623
|
{ "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
|
|
2586
2624
|
{ "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
|
|
@@ -2594,6 +2632,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2594
2632
|
"context_attributes": [
|
|
2595
2633
|
{ "key": "role", "type": "string", "required": false, "description": "Caller\'s RBAC role projected from the principal\'s token (AARM R6 / CAP-IDN-011), e.g. finance_lead. Absent when the token carries no role claim." },
|
|
2596
2634
|
{ "key": "privilege_scope", "type": "array", "required": false, "description": "Privilege-scope strings granted to the caller, projected from the token (AARM R6 / CAP-IDN-011), e.g. transfer:approve. Absent when the token carries no claim." },
|
|
2635
|
+
{ "key": "identity_type", "type": "string", "required": false, "description": "Principal identity class projected from the token: \'human\', \'agent\', or \'service\'. Use to apply identity-class-specific policies" },
|
|
2636
|
+
{ "key": "principal", "type": "string", "required": false, "description": "Stable principal identifier projected from the token (e.g. a ZeroID / WIMSE URI or user id). Absent when the token carries no principal claim" },
|
|
2597
2637
|
{ "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
|
|
2598
2638
|
{ "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
|
|
2599
2639
|
{ "key": "mcp_server", "type": "string", "required": false, "description": "Name of the MCP server being connected to (e.g., \'github\', \'filesystem\', \'slack\'). Use this to allow or block specific MCP servers" },
|
|
@@ -2620,6 +2660,8 @@ export const GUARDRAILS_CONTEXT = {
|
|
|
2620
2660
|
{ "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
|
|
2621
2661
|
{ "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
|
|
2622
2662
|
{ "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
|
|
2663
|
+
{ "key": "session_max_sensitivity", "type": "string", "required": false, "description": "Highest data-sensitivity tier observed across the session (e.g. \'public\', \'internal\', \'confidential\', \'restricted\'). Use for session-level escalation policies" },
|
|
2664
|
+
{ "key": "session_original_request", "type": "string", "required": false, "description": "The session\'s first user request, retained for drift / goal-hijack policies that compare later turns against the original intent" },
|
|
2623
2665
|
{ "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
|
|
2624
2666
|
{ "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
|
|
2625
2667
|
{ "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
|
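--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -13,11 +13,11 @@ export * from './explain.js';
 export * from './condition-groups.js';
 export { AI_GATEWAY_SCHEMA, AI_GATEWAY_CONTEXT, GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
 export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
-export { AiGatewayContextKey } from './ai_gateway-context.gen.js';
-export { GuardrailsContextKey } from './guardrails-context.gen.js';
-export { OverwatchContextKey } from './overwatch-context.gen.js';
-export { PalisadeContextKey } from './palisade-context.gen.js';
-export { SentryContextKey } from './sentry-context.gen.js';
+export { AiGatewayContextKey, AiGatewayContextKeys } from './ai_gateway-context.gen.js';
+export { GuardrailsContextKey, GuardrailsContextKeys } from './guardrails-context.gen.js';
+export { OverwatchContextKey, OverwatchContextKeys } from './overwatch-context.gen.js';
+export { PalisadeContextKey, PalisadeContextKeys } from './palisade-context.gen.js';
+export { SentryContextKey, SentryContextKeys } from './sentry-context.gen.js';
 export { AI_GATEWAY_ENTITIES, AI_GATEWAY_ACTION_ENTITIES, } from './ai_gateway-entities.gen.js';
 export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';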
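--- a/package/dist/types.js
+++ b/package/dist/types.js
@@ -34,11 +34,11 @@ export * from './condition-groups.js';
 // Service-specific schemas and context (inlined, browser-safe)
 export { AI_GATEWAY_SCHEMA, AI_GATEWAY_CONTEXT, GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
 // Service-specific context key enums
-export { AiGatewayContextKey } from './ai_gateway-context.gen.js';
-export { GuardrailsContextKey } from './guardrails-context.gen.js';
-export { OverwatchContextKey } from './overwatch-context.gen.js';
-export { PalisadeContextKey } from './palisade-context.gen.js';
-export { SentryContextKey } from './sentry-context.gen.js';
+export { AiGatewayContextKey, AiGatewayContextKeys } from './ai_gateway-context.gen.js';
+export { GuardrailsContextKey, GuardrailsContextKeys } from './guardrails-context.gen.js';
+export { OverwatchContextKey, OverwatchContextKeys } from './overwatch-context.gen.js';
+export { PalisadeContextKey, PalisadeContextKeys } from './palisade-context.gen.js';
+export { SentryContextKey, SentryContextKeys } from './sentry-context.gen.js';
 // Service-specific entity metadata (for UI - principals, resources, actions)
 export { AI_GATEWAY_ENTITIES, AI_GATEWAY_ACTION_ENTITIES, } from './ai_gateway-entities.gen.js';
 export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';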
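--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@highflame/policy",
-"version": "2.1
+"version": "2.2.1",
 "engines": {
 "node": ">=18"
 },
@@ -38,6 +38,26 @@
 "./context/guardrails": "./_schemas/guardrails/context.json",
 "./schemas/sentry": "./_schemas/sentry/schema.cedarschema",
 "./context/sentry": "./_schemas/sentry/context.json",
+"./detectors/types": {
+"import": "./dist/detector-card-types.gen.js",
+"types": "./dist/detector-card-types.gen.d.ts"
+},
+"./detectors/guardrails": {
+"import": "./dist/guardrails-detectors.gen.js",
+"types": "./dist/guardrails-detectors.gen.d.ts"
+},
+"./detectors/overwatch": {
+"import": "./dist/overwatch-detectors.gen.js",
+"types": "./dist/overwatch-detectors.gen.d.ts"
+},
+"./detectors/sentry": {
+"import": "./dist/sentry-detectors.gen.js",
+"types": "./dist/sentry-detectors.gen.d.ts"
+},
+"./detectors/ai_gateway": {
+"import": "./dist/ai_gateway-detectors.gen.js",
+"types": "./dist/ai_gateway-detectors.gen.d.ts"
+},
 "./engine": {
 "import": "./dist/engine.js",
 "types": "./dist/engine.d.ts"
@@ -62,7 +82,8 @@
 "prepublishOnly": "npm run build"
 },
 "dependencies": {
-"@cedar-policy/cedar-wasm": "^4.0.0"
+"@cedar-policy/cedar-wasm": "^4.0.0",
+"@highflame/taxonomy": "^1.1.16"
 },
 "devDependencies": {
 "@types/node": "^25.2.0",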
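Review bot: `@highflame/taxonomy` is added to `dependencies` (line 86) even though the context, detector and schema data this package ships are inlined into `dist/*.gen.js`, so this diff does not show any runtime module importing it; if it is only consumed by the codegen step that produces those files it belongs in `devDependencies`, otherwise every consumer now installs it transitively and the "browser-safe" claim on `dist/types.js` depends on it being browser-safe too. Since package.json cannot carry a comment, the intent is best recorded in the 2.2.1 changelog entry. Separately, each new `./detectors/*` export (lines 41-60) lists `"import"` before `"types"`, matching the existing `./engine` entry; TypeScript's guidance is that `"types"` come first in a conditions object, which is worth applying to all entries together rather than only the new ones.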