@highflame/policy 2.1.7 → 2.1.8

package/_schemas/guardrails/templates/profiles/a2a_security/inter_agent_injection.cedar

@@ -0,0 +1,134 @@
+// =============================================================================
+// A2A Security — Inter-Agent Injection Defense
+// =============================================================================
+// Detects and blocks prompt injection that travels between independent agents:
+//
+// 1. INDIRECT INJECTION: Malicious content injected via tool outputs, RAG
+//    retrieval, or API responses from one agent that manipulates another.
+//    In A2A, this is the primary attack vector because agents consume each
+//    other's outputs as trusted input.
+//
+// 2. MULTI-TURN PROGRESSIVE ATTACKS: Gradual context manipulation across
+//    turns where each turn is benign individually but collectively builds
+//    toward goal hijacking. The GRU-based deep context detector tracks
+//    conversation state across turns.
+//
+// 3. ENCODED PAYLOAD DELIVERY: Base64, hex, or hash-encoded instructions
+//    designed to bypass single-turn classifiers. In A2A communication,
+//    encoded content is a strong indicator of injection evasion.
+//
+// Key A2A distinction: In MAS, the orchestrator controls all communication.
+// In A2A, each agent independently receives content from external agents,
+// making indirect injection the dominant threat vector.
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — indirect variant
+//   OWASP ASI01 (Agent Goal Hijack)
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   MITRE ATLAS AML.T0051.002 (Indirect Prompt Injection)
+//   NIST 800-53 SI-10 (Information Input Validation)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Indirect Injection — Tool Output Poisoning
+// -----------------------------------------------------------------------------
+
+// Block indirect injection from agent tool calls
+@id("a2a-indirect-injection-agent")
+@name("Block indirect injection from agent tool calls")
+@description("Block tool execution when indirect injection is detected in content received by an agent (score >= 60). Indirect injection travels through tool outputs, RAG retrieval, and API responses — the primary A2A attack vector because agents consume each other's outputs as trusted input. Lower threshold than code-agent (70) because cross-system content has higher adversarial surface.")
+@severity("critical")
+@tags("profile,a2a-security,indirect-injection,tool-output,owasp-lml01,mitre-t0051-002")
+@reject_message("Tool execution blocked: indirect prompt injection detected in content received by this agent (score >= 60). An external source may be attempting to hijack agent behavior through tool outputs or retrieved content.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has indirect_injection_score && context.indirect_injection_score >= 60
+};
+
+// Stricter threshold for sensitive tools
+@id("a2a-indirect-injection-sensitive-agent")
+@name("Block moderate indirect injection on sensitive tools from agents")
+@description("Block sensitive tool execution from agents when indirect injection score exceeds 40. Sensitive tools (write_file, http_post, send_email) amplify the damage of indirect injection — a lower threshold compensates for the higher blast radius of sensitive operations in cross-system communication.")
+@severity("critical")
+@tags("profile,a2a-security,indirect-injection,sensitive-tools,owasp-asi01")
+@reject_message("Sensitive tool blocked: moderate indirect injection risk detected in agent-to-agent content (score >= 40). Sensitive tools require higher confidence that inter-agent content is safe.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has indirect_injection_score && context.indirect_injection_score >= 40 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// -----------------------------------------------------------------------------
+// Multi-Turn Progressive Attacks — Deep Context GRU Detection
+// -----------------------------------------------------------------------------
+
+// Block multi-turn progressive injection for non-first-party agents
+@id("a2a-deep-context-injection-agent")
+@name("Block multi-turn progressive injection for agents")
+@description("Block non-first-party agents when the GRU-based deep context detector identifies multi-turn progressive injection (score >= 60). Each turn may be benign individually, but the GRU model tracks hidden state across the full conversation to detect gradual goal hijacking.")
+@severity("high")
+@tags("profile,a2a-security,multi-turn,deep-context,injection,owasp-lml01")
+@reject_message("Request blocked: multi-turn progressive injection detected across conversation history (deep context score >= 60). A gradual attack may be building context manipulation over multiple agent turns.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has multi_turn_detection && context.multi_turn_detection == true &&
+    context has injection_deep_context_score && context.injection_deep_context_score >= 60
+};
+
+// Block multi-turn progressive jailbreak for non-first-party agents
+@id("a2a-deep-context-jailbreak-agent")
+@name("Block multi-turn progressive jailbreak for agents")
+@description("Block non-first-party agents when the GRU-based deep context detector identifies multi-turn progressive jailbreak (score >= 60). Jailbreak attempts spread across turns are harder to detect with single-turn classifiers — the deep context model maintains conversation state to catch these patterns.")
+@severity("high")
+@tags("profile,a2a-security,multi-turn,deep-context,jailbreak,owasp-asi01")
+@reject_message("Request blocked: multi-turn progressive jailbreak detected across conversation history (deep context score >= 60). A gradual jailbreak attempt is building across multiple agent turns.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has multi_turn_detection && context.multi_turn_detection == true &&
+    context has jailbreak_deep_context_score && context.jailbreak_deep_context_score >= 60
+};
+
+// -----------------------------------------------------------------------------
+// Encoded Payload Delivery — Injection Evasion
+// -----------------------------------------------------------------------------
+
+// Block encoded injection payloads between agents
+@id("a2a-encoded-injection-agent")
+@name("Block encoded payload delivery between agents")
+@description("Block agent requests when encoded payloads are detected (base64, hex, or suspicious hash content with score >= 60). In A2A communication, encoded content is a strong indicator of injection evasion — agents should communicate in plaintext, not encoded payloads.")
+@severity("high")
+@tags("profile,a2a-security,encoded-injection,evasion,base64,owasp-lml01")
+@reject_message("Request blocked: encoded payload detected in agent communication (base64, hex, or suspicious hash content). Encoded content in agent-to-agent messages indicates injection evasion or payload delivery.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has encoded_content_detected && context.encoded_content_detected == true &&
+    context has encoded_score && context.encoded_score >= 60
+};

package/_schemas/guardrails/templates/profiles/a2a_security/supply_chain.cedar

@@ -0,0 +1,117 @@
+// =============================================================================
+// A2A Security — Supply Chain & Behavioral Drift
+// =============================================================================
+// Detects and blocks supply chain attacks specific to agent-to-agent ecosystems:
+//
+// 1. TOOL POISONING: External agents install or recommend MCP tools with
+//    hidden instructions, system prompt injection, authority hijack, or
+//    information suppression patterns in tool descriptions.
+//
+// 2. RUG PULL: An agent or tool that behaves normally during evaluation
+//    but changes behavior after trust is established — "risk_spike" (sudden
+//    risk increase) or "pattern_change" (behavioral deviation).
+//
+// 3. CREDENTIAL THEFT CHAINS: Multi-step attack where an agent reads
+//    credential files, encodes them, and exfiltrates via network tools.
+//    In A2A, this is higher risk because external agents have legitimate
+//    reasons to call multiple tools in sequence.
+//
+// Key A2A distinction: In MAS, the orchestrator vets all tools centrally.
+// In A2A, each agent brings its own tool ecosystem, creating a supply chain
+// attack surface at every agent boundary.
+//
+// Compliance:
+//   OWASP ASI04 (Supply Chain Vulnerabilities)
+//   OWASP MCP01 (Tool Poisoning)
+//   OWASP MCP03 (Tool Shadowing)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   MITRE ATLAS AML.T0049 (Backdoor ML Model) — analogous to agent drift
+//   NIST 800-53 SI-7 (Software, Firmware, and Information Integrity)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Tool Poisoning — Hidden Instructions in External Agent Tools
+// -----------------------------------------------------------------------------
+
+// Block tool poisoning from non-first-party agents
+@id("a2a-tool-poisoning-agent")
+@name("Block tool poisoning from non-first-party agents")
+@description("Block tool execution when poisoning is detected from non-first-party agents (score >= 60). Tool poisoning includes hidden instructions, system prompt injection, authority hijack, and information suppression patterns in tool descriptions or arguments. Lower threshold than default (70) because external agent tool chains have higher supply chain risk.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,tool-poisoning,owasp-mcp01,owasp-asi04")
+@reject_message("Tool execution blocked: tool poisoning detected in content from a non-first-party agent (score >= 60). Hidden instructions, authority hijack, or system prompt injection patterns found in tool descriptions or arguments.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has tool_poisoning_detected && context.tool_poisoning_detected == true &&
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// Block poisoned MCP server connections from agents
+@id("a2a-server-poisoning-agent")
+@name("Block poisoned server connections from agents")
+@description("Block MCP server connections when poisoning is detected from agent requests (score >= 55). Server-level poisoning has wider blast radius than individual tool poisoning — a single compromised server connection exposes all tools on that server. Lower threshold (55 vs 60) compensates for the amplified impact.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,server-poisoning,mcp,owasp-mcp01")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server from agent request (score >= 55). Server-level poisoning affects all tools and warrants a lower threshold than individual tool poisoning.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has tool_poisoning_detected && context.tool_poisoning_detected == true &&
+    context has tool_poisoning_score && context.tool_poisoning_score >= 55
+};
+
+// -----------------------------------------------------------------------------
+// Rug Pull — Behavioral Drift After Trust Establishment
+// -----------------------------------------------------------------------------
+
+// Block after rug pull behavioral drift detection
+@id("a2a-rug-pull-agent")
+@name("Block rug pull behavioral drift from agents")
+@description("Block tool execution when behavioral drift is detected in agent tool usage (score >= 70). The rug pull detector compares current tool behavior against established baselines — a sudden risk spike or tool alternation pattern change after 3+ normal calls indicates the agent or tool has been compromised mid-session.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,rug-pull,behavioral-drift,mitre-t0049")
+@reject_message("Tool execution blocked: behavioral drift detected in agent tool usage (rug pull score >= 70). The tool's behavior has deviated significantly from established patterns, indicating potential supply chain compromise.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has rug_pull_detected && context.rug_pull_detected == true &&
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+
+// -----------------------------------------------------------------------------
+// Credential Theft Chains — Multi-Step Exfiltration
+// -----------------------------------------------------------------------------
+
+// Block agent-initiated credential theft chains
+@id("a2a-credential-theft-agent")
+@name("Block agent-initiated credential theft chains")
+@description("Block tool execution when credential theft patterns are detected from non-first-party agents. The pattern detector identifies multi-step sequences (read credentials → encode → exfiltrate) that indicate coordinated credential harvesting. In A2A, external agents have legitimate multi-tool workflows, making pattern-based detection essential to distinguish theft from normal usage.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,credential-theft,exfiltration,mitre-t1552")
+@reject_message("Tool execution blocked: credential theft chain detected from a non-first-party agent. The agent is performing a multi-step operation to harvest and exfiltrate credentials. Only first-party agents may access credential-adjacent resources.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type && context.pattern_type == "credential_theft"
+};

package/_schemas/guardrails/templates/profiles/advanced_detection/pii.cedar

@@ -0,0 +1,73 @@
+// =============================================================================
+// Advanced Detection — PII
+// =============================================================================
+// Advanced PII detection policies using ML classifier confidence scoring,
+// bulk exposure thresholds, and file operation blocking. Goes beyond the
+// boolean pii_detected flag with layered detection:
+//
+//   1. Bulk PII exposure — 3+ PII matches indicates data dumps or CSV pastes
+//   2. ML classifier confidence — catches novel PII patterns that regex misses
+//   3. File operation PII — prevents PII persistence to disk
+//
+// These policies benefit any Guardrails deployment — not just coding agents.
+//
+// Adapted from Overwatch PII detection policies for Guardrails namespace.
+//
+// Compliance:
+//   PCI DSS 3.4 (Payment Card Data)
+//   GDPR Art. 32 (Security of Processing)
+//   HIPAA §164.312 (Technical Safeguards)
+//   CCPA §1798.150 (Data Protection)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+// Block bulk PII exposure (3+ PII matches)
+@id("detection-block-bulk-pii")
+@name("Block bulk PII exposure")
+@description("Block content containing 3 or more PII matches. Multiple PII items in a single request indicates a data dump, CSV paste, or data exfiltration attempt. Single PII occurrences may be incidental — bulk exposure is always intentional or negligent.")
+@severity("critical")
+@tags("profile,advanced-detection,pii,bulk,data-exfiltration,gdpr-art-32,ccpa")
+@reject_message("Content blocked: multiple PII items detected (3+). Bulk personal data must never be processed through AI agents. Use data masking or tokenization for batch operations.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has pii_count && context.pii_count >= 3
+};
+
+// Block content with high ML PII classifier confidence
+@id("detection-block-pii-high-confidence")
+@name("Block high-confidence PII")
+@description("Block content when the ML PII classifier confidence exceeds threshold (80/100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss — defense-in-depth behind the pii_detected boolean.")
+@severity("critical")
+@tags("profile,advanced-detection,pii,ml-classifier,privacy,compliance")
+@reject_message("Content blocked: the ML classifier detected personally identifiable information with high confidence. Even if specific PII types aren't identified, the content appears to contain personal data.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has pii_confidence && context.pii_confidence >= 80
+};
+
+// Block file operations containing PII
+@id("detection-block-pii-file-ops")
+@name("Block file operations with PII")
+@description("Block file reads and writes when PII is detected. Prevents agents from reading files containing personal data and from writing PII to new files where it could persist or be version-controlled.")
+@severity("high")
+@tags("profile,advanced-detection,pii,file-ops,data-protection,gdpr-art-32")
+@reject_message("File operation blocked: personally identifiable information was detected. Files containing PII must not be read or written through AI agents.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected == true
+};

package/_schemas/guardrails/templates/profiles/advanced_detection/secrets.cedar

@@ -0,0 +1,66 @@
+// =============================================================================
+// Advanced Detection — Granular Secrets
+// =============================================================================
+// Blocks specific high-risk credential types and API tokens using granular
+// secret_types matching. Goes beyond the boolean contains_secrets detection
+// to identify and block cloud provider keys, GitHub tokens, SSH keys,
+// database credentials, and API tokens.
+//
+// These policies benefit any Guardrails deployment — not just coding agents.
+//
+// Adapted from Overwatch granular secret type policies for Guardrails namespace.
+//
+// Compliance:
+//   NIST 800-53 IA-5 (Authenticator Management)
+//   NIST 800-53 SC-28 (Protection of Information at Rest)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   CIS Benchmark 1.4 (Secrets Management)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// Block high-risk credential types across all actions
+@id("detection-block-high-risk-secret-types")
+@name("Block high-risk credential types")
+@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings. These credential types pose the highest exfiltration risk and must never pass through AI agents.")
+@severity("critical")
+@tags("profile,advanced-detection,secrets,aws,gcp,azure,github,ssh,database,nist-ia-5,mitre-t1552")
+@reject_message("Content blocked: high-risk credentials detected (cloud provider keys, GitHub tokens, SSH keys, or database credentials). Use a secrets manager — never pass credentials through AI agents.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("aws_access_key") ||
+     context.secret_types.contains("aws_secret_key") ||
+     context.secret_types.contains("gcp_service_account") ||
+     context.secret_types.contains("azure_client_secret") ||
+     context.secret_types.contains("github_token") ||
+     context.secret_types.contains("github_pat") ||
+     context.secret_types.contains("ssh_private_key") ||
+     context.secret_types.contains("database_url"))
+};
+
+// Block API keys and bearer tokens across all actions
+@id("detection-block-api-keys")
+@name("Block API keys and bearer tokens")
+@description("Block content containing generic API keys, bearer tokens, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types in AI agent interactions.")
+@severity("high")
+@tags("profile,advanced-detection,secrets,api-key,bearer,jwt,oauth,nist-ia-5")
+@reject_message("Content blocked: API keys, bearer tokens, or OAuth credentials detected. These must never be passed through AI agent prompts or tool calls.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("api_key") ||
+     context.secret_types.contains("bearer_token") ||
+     context.secret_types.contains("jwt_token") ||
+     context.secret_types.contains("oauth_token") ||
+     context.secret_types.contains("oauth_secret"))
+};

package/_schemas/guardrails/templates/profiles/advanced_detection/threat_severity.cedar

@@ -0,0 +1,35 @@
+// =============================================================================
+// Advanced Detection — Threat Severity
+// =============================================================================
+// Severity-based catch-all policy that blocks any content flagged as critical
+// severity by detection engines. Acts as a safety net behind all other policies
+// — if any detector reports critical severity, the content is blocked regardless
+// of whether a specific category policy caught it.
+//
+// This policy benefits any Guardrails deployment — not just coding agents.
+//
+// Adapted from Overwatch threat severity aggregation for Guardrails namespace.
+//
+// Compliance:
+//   NIST 800-53 SI-3 (Malicious Code Protection)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// Block any content with critical severity threats
+@id("detection-block-critical-severity")
+@name("Block critical severity threats")
+@description("Block all content when any detection engine reports critical severity. This is the ultimate catch-all — critical threats are blocked regardless of type or source. Acts as a safety net behind all other policies.")
+@severity("critical")
+@tags("profile,advanced-detection,severity,critical,catch-all,nist-si-3")
+@reject_message("Your content was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has highest_severity && context.highest_severity == "critical"
+};

package/_schemas/guardrails/templates/profiles/code_agent/encoding.cedar

@@ -0,0 +1,55 @@
+// =============================================================================
+// Code Agent — Encoding & Unicode Attack Protection
+// =============================================================================
+// Blocks invisible Unicode characters in tool arguments and file writes to
+// prevent encoding-based prompt injection and persistent invisible payloads.
+//
+// Tool arguments and file content should be plain text — invisible characters
+// (zero-width joiners, bidirectional overrides, tag characters) indicate
+// payload injection or encoding evasion attempts.
+//
+// Adapted from Overwatch encoding attack policies for Guardrails namespace.
+//
+// Ref: EchoLeak CVE-2025-32711 (invisible prompt injection via Unicode)
+//      Rules File Backdoor (Pillar Security, March 2025)
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — encoding evasion
+//   OWASP ASI01 (Agent Goal Hijack) — hidden instructions
+//   NIST 800-53 SI-10 (Information Input Validation)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// Block tool calls with invisible characters in arguments
+@id("code-block-invisible-tool-args")
+@name("Block invisible characters in tool calls")
+@description("Block tool execution when invisible Unicode characters are detected in tool arguments or content. Tool arguments should be plain text/JSON — invisible characters in tool calls are almost certainly malicious payload injection.")
+@severity("critical")
+@tags("profile,code-agent,encoding,unicode,invisible-chars,tools,owasp-asi01")
+@reject_message("Tool execution blocked: invisible Unicode characters detected in tool arguments. Tool calls should contain only plain text — invisible characters indicate payload injection or encoding evasion.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has contains_invisible_chars && context.contains_invisible_chars == true
+};
+
+// Block file writes with invisible characters
+@id("code-block-invisible-file-write")
+@name("Block invisible characters in file writes")
+@description("Block file writes when invisible Unicode characters are detected. Prevents persistence of invisible payloads in source code, config files, or documentation where they could later be processed by AI agents.")
+@severity("high")
+@tags("profile,code-agent,encoding,unicode,invisible-chars,file-write,owasp-asi01")
+@reject_message("File write blocked: invisible Unicode characters detected in content. Writing invisible characters to files can create persistent backdoors that affect AI agents processing those files later.")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+)
+when {
+    context has contains_invisible_chars && context.contains_invisible_chars == true
+};

package/_schemas/guardrails/templates/profiles/code_agent/path_security.cedar

@@ -0,0 +1,148 @@
+// =============================================================================
+// Code Agent — Path Security
+// =============================================================================
+// Blocks access to sensitive file paths including environment files, credential
+// files, system directories, and credential directories. Also blocks destructive
+// file operations (delete, rmdir, unlink) by default.
+//
+// Adapted from Overwatch IDE security policies for Guardrails namespace.
+//
+// Compliance:
+//   NIST 800-53 AC-6 (Least Privilege)
+//   NIST 800-53 SC-28 (Protection of Information at Rest)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   MITRE ATT&CK T1005 (Data from Local System)
+//   CIS Benchmark 1.4 (Secrets Management)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Environment File Protection
+// Environment files are the #1 source of accidental credential exposure.
+// ---------------------------------------------------------------------------
+
+@id("code-block-env-files")
+@name("Block .env file access")
+@description("Block access to .env files that commonly contain secrets, API keys, and database credentials. Environment files are the #1 source of accidental credential exposure in development workflows.")
+@severity("high")
+@tags("profile,code-agent,path-security,env-files,secrets,nist-sc-28,mitre-t1552")
+@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path && context.path like "*.env*"
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Credential File Protection
+// Blocks access to common credential and configuration files.
+// ---------------------------------------------------------------------------
+
+@id("code-block-credential-files")
+@name("Block credential file access")
+@description("Block access to common credential files: .netrc, .npmrc, .pypirc, Docker config, Kubernetes config, cloud provider credentials, and service account files.")
+@severity("high")
+@tags("profile,code-agent,path-security,credential-files,secrets,nist-sc-28,mitre-t1555")
+@reject_message("Access to this credential file is blocked. Files like .netrc, .npmrc, .pypirc, and cloud provider config files commonly contain hardcoded credentials.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "*/.netrc" ||
+     context.path like "*/.npmrc" ||
+     context.path like "*/.pypirc" ||
+     context.path like "*/.docker/config.json" ||
+     context.path like "*/.kube/config" ||
+     context.path like "*/.config/gcloud/*" ||
+     context.path like "*/credentials.json" ||
+     context.path like "*/service-account*.json")
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: System Directory Protection
+// Blocks access to sensitive system directories.
+// ---------------------------------------------------------------------------
+
+@id("code-block-system-paths")
+@name("Block system directory access")
+@description("Prevent access to sensitive system directories (/etc, /proc, /sys, /root, /var). These directories contain system configuration, process information, and credentials that agents must never access.")
+@severity("high")
+@tags("profile,code-agent,path-security,system-paths,nist-ac-6,mitre-t1005")
+@reject_message("Access blocked: this path targets a sensitive system directory. AI agents are restricted from accessing /etc, /proc, /sys, /root, and /var directories.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "/etc/*" ||
+     context.path like "/proc/*" ||
+     context.path like "/sys/*" ||
+     context.path like "/root/*" ||
+     context.path like "/var/log/*" ||
+     context.path like "/var/run/*")
+};
+
+// ---------------------------------------------------------------------------
+// Section 4: Credential Directory Protection
+// Blocks access to SSH keys, cloud credentials, and key material.
+// ---------------------------------------------------------------------------
+
+@id("code-block-credential-paths")
+@name("Block credential directory access")
+@description("Prevent access to SSH keys, cloud provider credentials, GPG keys, and other authentication material directories. These are primary targets for credential theft (MITRE T1552).")
+@severity("critical")
+@tags("profile,code-agent,path-security,credentials,ssh,aws,mitre-t1552")
+@reject_message("Access blocked: this path targets a credential or key directory (.ssh, .aws, .gnupg, .config/gcloud). AI agents must never access authentication material.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "*/.ssh/*" ||
+     context.path like "*/.aws/*" ||
+     context.path like "*/.gnupg/*" ||
+     context.path like "*/.config/gcloud/*" ||
+     context.path like "*/.azure/*" ||
+     context.path like "*.pem" ||
+     context.path like "*/id_rsa*" ||
+     context.path like "*/id_ed25519*" ||
+     context.path like "*/id_ecdsa*")
+};
+
+// ---------------------------------------------------------------------------
+// Section 5: Destructive File Operations
+// Blocks destructive file operations by default.
+// ---------------------------------------------------------------------------
+
+@id("code-block-destructive-ops")
+@name("Block destructive file operations")
+@description("Block file deletion, directory removal, and other destructive operations. Agents should not have delete access by default — destructive operations require explicit human approval.")
+@severity("high")
+@tags("profile,code-agent,path-security,destructive,file-ops,nist-ac-3")
+@reject_message("Tool execution was blocked: destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss. Request explicit human approval for destructive actions.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_name &&
+    (context.tool_name == "fs.delete" ||
+     context.tool_name == "fs.rmdir" ||
+     context.tool_name == "fs.unlink" ||
+     context.tool_name == "fs.remove" ||
+     context.tool_name == "delete_file" ||
+     context.tool_name == "remove_directory")
+};