@highflame/policy 2.1.5 → 2.1.7

Files changed (29)
  1. package/_schemas/guardrails/context.json +168 -0
  2. package/_schemas/guardrails/schema.cedarschema +40 -0
  3. package/_schemas/guardrails/templates/defaults/agent_identity.cedar +118 -0
  4. package/_schemas/guardrails/templates/defaults/agentic_safety.cedar +4 -4
  5. package/_schemas/guardrails/templates/defaults/injection.cedar +4 -4
  6. package/_schemas/guardrails/templates/defaults/secrets.cedar +2 -2
  7. package/_schemas/guardrails/templates/defaults/security_patterns.cedar +1 -1
  8. package/_schemas/guardrails/templates/defaults/semantic.cedar +10 -7
  9. package/_schemas/guardrails/templates/defaults/toxicity.cedar +3 -3
  10. package/_schemas/guardrails/templates/mcp_tool_permissions.cedar +7 -5
  11. package/_schemas/guardrails/templates/profiles/chat_assistant/privacy.cedar +1 -1
  12. package/_schemas/guardrails/templates/profiles/chat_assistant/security.cedar +2 -2
  13. package/_schemas/guardrails/templates/profiles/chat_assistant/trust_safety.cedar +2 -2
  14. package/_schemas/guardrails/templates/profiles/code_agent/agentic_security.cedar +3 -3
  15. package/_schemas/guardrails/templates/profiles/data_pipeline/agentic_security.cedar +1 -1
  16. package/_schemas/guardrails/templates/profiles/data_pipeline/privacy.cedar +2 -2
  17. package/_schemas/guardrails/templates/profiles/data_pipeline/security.cedar +2 -2
  18. package/_schemas/guardrails/templates/profiles/multi_agent/agent_safety.cedar +157 -0
  19. package/_schemas/guardrails/templates/profiles/multi_agent/agent_trust.cedar +140 -0
  20. package/_schemas/guardrails/templates/templates.json +40 -0
  21. package/dist/engine.d.ts +1 -1
  22. package/dist/engine.js +1 -1
  23. package/dist/guardrails-context.gen.d.ts +5 -0
  24. package/dist/guardrails-context.gen.js +5 -0
  25. package/dist/guardrails-defaults.gen.d.ts +1 -1
  26. package/dist/guardrails-defaults.gen.js +520 -32
  27. package/dist/service-schemas.gen.d.ts +1 -1
  28. package/dist/service-schemas.gen.js +73 -5
  29. package/package.json +1 -1
@@ -3,7 +3,7 @@
3
3
  *
4
4
  * Full Cedar schema for guardrails, embedded at codegen time.
5
5
  */
6
- export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u2514\u2500\u2500 App in [Project]\n // \u2514\u2500\u2500 Session in [App]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) 
making requests\n entity Agent;\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking\n entity Session in [App];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_confidence\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_confidence\"?: Long, 
// Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | 
\"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: 
Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n \"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"injection_confidence\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n 
\"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n };\n\n /// Context for read_file action\n type 
FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: 
Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n };\n}\n";
6
+ export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u2514\u2500\u2500 App in [Project]\n // \u2514\u2500\u2500 Session in [App]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) 
making requests\n entity Agent;\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking\n entity Session in [App];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_confidence\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_confidence\"?: Long, 
// Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | 
\"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: 
Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n 
\"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"injection_confidence\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context 
(optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n 
\"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // 
Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
7
7
  /**
8
8
  * Overwatch Cedar schema
9
9
  *
@@ -210,6 +210,15 @@ namespace Guardrails {
210
210
  "session_max_secret_score"?: Long,
211
211
  "session_cumulative_risk_score"?: Long,
212
212
 
213
+ // Agent Identity — authenticated agent principal metadata (optional)
214
+ // Present when the request is made by an AI agent (API key or JWT with agent claims).
215
+ // Empty strings for human user requests. Use these to write agent-specific policies.
216
+ "agent_id"?: String, // Unique agent identifier (e.g., "agent_research_v3")
217
+ "agent_type"?: String, // "orchestrator" | "autonomous" | "tool_agent" | "human_proxy"
218
+ "agent_trust_level"?: String, // "first_party" | "verified_third_party" | "unverified"
219
+ "agent_framework"?: String, // Agent framework (e.g., "claude-code", "langchain", "crewai")
220
+ "agent_publisher"?: String, // Organization that published the agent
221
+
213
222
  };
214
223
 
215
224
  /// Context for call_tool action (agentic tool execution)
@@ -250,6 +259,7 @@ namespace Guardrails {
250
259
 
251
260
  // Security checks on tool arguments (optional)
252
261
  "contains_secrets"?: Bool,
262
+ "secret_count"?: Long,
253
263
  "secret_types"?: Set<String>,
254
264
  "pii_detected"?: Bool,
255
265
  "pii_types"?: Set<String>,
@@ -311,6 +321,13 @@ namespace Guardrails {
311
321
  "session_max_secret_score"?: Long,
312
322
  "session_cumulative_risk_score"?: Long,
313
323
 
324
+ // Agent Identity — authenticated agent principal metadata (optional)
325
+ "agent_id"?: String,
326
+ "agent_type"?: String,
327
+ "agent_trust_level"?: String,
328
+ "agent_framework"?: String,
329
+ "agent_publisher"?: String,
330
+
314
331
  };
315
332
 
316
333
  /// Context for read_file action
@@ -321,6 +338,7 @@ namespace Guardrails {
321
338
 
322
339
  // Security checks on file content (optional)
323
340
  "contains_secrets"?: Bool,
341
+ "secret_count"?: Long,
324
342
  "secret_types"?: Set<String>,
325
343
  "pii_detected"?: Bool,
326
344
  "pii_types"?: Set<String>,
@@ -345,6 +363,13 @@ namespace Guardrails {
345
363
  "session_max_secret_score"?: Long,
346
364
  "session_cumulative_risk_score"?: Long,
347
365
 
366
+ // Agent Identity — authenticated agent principal metadata (optional)
367
+ "agent_id"?: String,
368
+ "agent_type"?: String,
369
+ "agent_trust_level"?: String,
370
+ "agent_framework"?: String,
371
+ "agent_publisher"?: String,
372
+
348
373
  };
349
374
 
350
375
  /// Context for write_file action
@@ -355,6 +380,7 @@ namespace Guardrails {
355
380
 
356
381
  // Security checks on content being written (optional)
357
382
  "contains_secrets"?: Bool,
383
+ "secret_count"?: Long,
358
384
  "secret_types"?: Set<String>,
359
385
  "pii_detected"?: Bool,
360
386
  "pii_types"?: Set<String>,
@@ -379,6 +405,13 @@ namespace Guardrails {
379
405
  "session_max_secret_score"?: Long,
380
406
  "session_cumulative_risk_score"?: Long,
381
407
 
408
+ // Agent Identity — authenticated agent principal metadata (optional)
409
+ "agent_id"?: String,
410
+ "agent_type"?: String,
411
+ "agent_trust_level"?: String,
412
+ "agent_framework"?: String,
413
+ "agent_publisher"?: String,
414
+
382
415
  };
383
416
 
384
417
  /// Context for connect_server action (MCP server connections)
@@ -421,6 +454,13 @@ namespace Guardrails {
421
454
  "session_max_secret_score"?: Long,
422
455
  "session_cumulative_risk_score"?: Long,
423
456
 
457
+ // Agent Identity — authenticated agent principal metadata (optional)
458
+ "agent_id"?: String,
459
+ "agent_type"?: String,
460
+ "agent_trust_level"?: String,
461
+ "agent_framework"?: String,
462
+ "agent_publisher"?: String,
463
+
424
464
  };
425
465
  }
426
466
  `;
@@ -1490,7 +1530,12 @@ export const GUARDRAILS_CONTEXT = {
1490
1530
  { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
1491
1531
  { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
1492
1532
  { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
1493
- { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
1533
+ { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
1534
+ { "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
1535
+ { "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
1536
+ { "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
1537
+ { "key": "agent_framework", "type": "string", "required": false, "description": "Framework or SDK the agent is built with (e.g., \'claude-code\', \'langchain\', \'crewai\', \'autogen\'). Use this to apply framework-specific policies" },
1538
+ { "key": "agent_publisher", "type": "string", "required": false, "description": "Organization that published the agent (e.g., \'anthropic\', \'internal\', \'acme-corp\'). Use this for organization-level trust policies" }
1494
1539
  ]
1495
1540
  },
1496
1541
  {
@@ -1518,6 +1563,7 @@ export const GUARDRAILS_CONTEXT = {
1518
1563
  { "key": "content_topics", "type": "array", "required": false, "description": "Semantic topics detected in tool arguments or content (e.g., [\'controlled_substances\']). Use .contains() to restrict tool calls involving specific topics" },
1519
1564
  { "key": "topic_confidence", "type": "number", "required": false, "description": "Confidence score from topic classifier for tool content (0-100)" },
1520
1565
  { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in tool arguments or content" },
1566
+ { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found in tool arguments or content. Multiple matches may indicate data dumps or accidental credential exposure" },
1521
1567
  { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in tool arguments" },
1522
1568
  { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in tool arguments or content" },
1523
1569
  { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in tool arguments" },
@@ -1563,7 +1609,12 @@ export const GUARDRAILS_CONTEXT = {
1563
1609
  { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
1564
1610
  { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
1565
1611
  { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
1566
- { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
1612
+ { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
1613
+ { "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
1614
+ { "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
1615
+ { "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
1616
+ { "key": "agent_framework", "type": "string", "required": false, "description": "Framework or SDK the agent is built with (e.g., \'claude-code\', \'langchain\', \'crewai\', \'autogen\'). Use this to apply framework-specific policies" },
1617
+ { "key": "agent_publisher", "type": "string", "required": false, "description": "Organization that published the agent (e.g., \'anthropic\', \'internal\', \'acme-corp\'). Use this for organization-level trust policies" }
1567
1618
  ]
1568
1619
  },
1569
1620
  {
@@ -1573,6 +1624,7 @@ export const GUARDRAILS_CONTEXT = {
1573
1624
  { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
1574
1625
  { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
1575
1626
  { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in the file content being read" },
1627
+ { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found in file content. Multiple matches may indicate data dumps or accidental credential exposure" },
1576
1628
  { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in file content" },
1577
1629
  { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in the file content" },
1578
1630
  { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in file content" },
@@ -1591,7 +1643,12 @@ export const GUARDRAILS_CONTEXT = {
1591
1643
  { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
1592
1644
  { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
1593
1645
  { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
1594
- { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
1646
+ { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
1647
+ { "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
1648
+ { "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
1649
+ { "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
1650
+ { "key": "agent_framework", "type": "string", "required": false, "description": "Framework or SDK the agent is built with (e.g., \'claude-code\', \'langchain\', \'crewai\', \'autogen\'). Use this to apply framework-specific policies" },
1651
+ { "key": "agent_publisher", "type": "string", "required": false, "description": "Organization that published the agent (e.g., \'anthropic\', \'internal\', \'acme-corp\'). Use this for organization-level trust policies" }
1595
1652
  ]
1596
1653
  },
1597
1654
  {
@@ -1601,6 +1658,7 @@ export const GUARDRAILS_CONTEXT = {
1601
1658
  { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
1602
1659
  { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
1603
1660
  { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in the content being written. Block writes containing credentials" },
1661
+ { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found in write content. Multiple matches may indicate data dumps or accidental credential exposure" },
1604
1662
  { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in write content" },
1605
1663
  { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in the content being written" },
1606
1664
  { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in write content" },
@@ -1619,7 +1677,12 @@ export const GUARDRAILS_CONTEXT = {
1619
1677
  { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
1620
1678
  { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
1621
1679
  { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
1622
- { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
1680
+ { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
1681
+ { "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
1682
+ { "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
1683
+ { "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
1684
+ { "key": "agent_framework", "type": "string", "required": false, "description": "Framework or SDK the agent is built with (e.g., \'claude-code\', \'langchain\', \'crewai\', \'autogen\'). Use this to apply framework-specific policies" },
1685
+ { "key": "agent_publisher", "type": "string", "required": false, "description": "Organization that published the agent (e.g., \'anthropic\', \'internal\', \'acme-corp\'). Use this for organization-level trust policies" }
1623
1686
  ]
1624
1687
  },
1625
1688
  {
@@ -1651,7 +1714,12 @@ export const GUARDRAILS_CONTEXT = {
1651
1714
  { "key": "session_max_command_injection_score", "type": "number", "required": false, "description": "Highest command injection score seen in any turn of the session (0-100)" },
1652
1715
  { "key": "session_max_pii_score", "type": "number", "required": false, "description": "Highest PII risk score seen in any turn of the session (0-100)" },
1653
1716
  { "key": "session_max_secret_score", "type": "number", "required": false, "description": "Highest secret detection score seen in any turn of the session (0-100)" },
1654
- { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" }
1717
+ { "key": "session_cumulative_risk_score", "type": "number", "required": false, "description": "Sum of per-turn risk scores across the session. Catches death-by-a-thousand-cuts where no single turn is high but cumulative risk is significant" },
1718
+ { "key": "agent_id", "type": "string", "required": false, "description": "Unique identifier of the authenticated AI agent making this request (e.g., \'agent_research_v3\'). Empty string for human user requests. Use this to write agent-specific policies" },
1719
+ { "key": "agent_type", "type": "string", "required": false, "description": "Type of the authenticated agent: \'orchestrator\' (coordinates sub-agents), \'autonomous\' (self-directed), \'tool_agent\' (single-purpose tool), or \'human_proxy\' (acts on behalf of a human). Empty string for human users" },
1720
+ { "key": "agent_trust_level", "type": "string", "required": false, "description": "Trust level of the authenticated agent: \'first_party\' (your own agents), \'verified_third_party\' (audited external agents), or \'unverified\' (unknown agents). Use this for tiered access control — e.g., only first_party agents can call dangerous tools" },
1721
+ { "key": "agent_framework", "type": "string", "required": false, "description": "Framework or SDK the agent is built with (e.g., \'claude-code\', \'langchain\', \'crewai\', \'autogen\'). Use this to apply framework-specific policies" },
1722
+ { "key": "agent_publisher", "type": "string", "required": false, "description": "Organization that published the agent (e.g., \'anthropic\', \'internal\', \'acme-corp\'). Use this for organization-level trust policies" }
1655
1723
  ]
1656
1724
  }
1657
1725
  ]
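--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@highflame/policy",
- "version": "2.1.5",
+ "version": "2.1.7",
  "description": "Highflame Cedar policy types and engine wrapper",
  "readme": "README.md",
  "main": "dist/index.js",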