@highflame/policy 2.1.7 → 2.1.8

package/dist/guardrails-defaults.gen.js

@@ -1400,6 +1400,1101 @@ forbid (
     )
 };
 `;
+const GUARDRAILS_CODE_AGENT_PATH_SECURITY_CEDAR = `// =============================================================================
+// Code Agent — Path Security
+// =============================================================================
+// Blocks access to sensitive file paths including environment files, credential
+// files, system directories, and credential directories. Also blocks destructive
+// file operations (delete, rmdir, unlink) by default.
+//
+// Adapted from Overwatch IDE security policies for Guardrails namespace.
+//
+// Compliance:
+//   NIST 800-53 AC-6 (Least Privilege)
+//   NIST 800-53 SC-28 (Protection of Information at Rest)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   MITRE ATT&CK T1005 (Data from Local System)
+//   CIS Benchmark 1.4 (Secrets Management)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: Environment File Protection
+// Environment files are the #1 source of accidental credential exposure.
+// ---------------------------------------------------------------------------
+
+@id("code-block-env-files")
+@name("Block .env file access")
+@description("Block access to .env files that commonly contain secrets, API keys, and database credentials. Environment files are the #1 source of accidental credential exposure in development workflows.")
+@severity("high")
+@tags("profile,code-agent,path-security,env-files,secrets,nist-sc-28,mitre-t1552")
+@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path && context.path like "*.env*"
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Credential File Protection
+// Blocks access to common credential and configuration files.
+// ---------------------------------------------------------------------------
+
+@id("code-block-credential-files")
+@name("Block credential file access")
+@description("Block access to common credential files: .netrc, .npmrc, .pypirc, Docker config, Kubernetes config, cloud provider credentials, and service account files.")
+@severity("high")
+@tags("profile,code-agent,path-security,credential-files,secrets,nist-sc-28,mitre-t1555")
+@reject_message("Access to this credential file is blocked. Files like .netrc, .npmrc, .pypirc, and cloud provider config files commonly contain hardcoded credentials.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "*/.netrc" ||
+     context.path like "*/.npmrc" ||
+     context.path like "*/.pypirc" ||
+     context.path like "*/.docker/config.json" ||
+     context.path like "*/.kube/config" ||
+     context.path like "*/.config/gcloud/*" ||
+     context.path like "*/credentials.json" ||
+     context.path like "*/service-account*.json")
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: System Directory Protection
+// Blocks access to sensitive system directories.
+// ---------------------------------------------------------------------------
+
+@id("code-block-system-paths")
+@name("Block system directory access")
+@description("Prevent access to sensitive system directories (/etc, /proc, /sys, /root, /var). These directories contain system configuration, process information, and credentials that agents must never access.")
+@severity("high")
+@tags("profile,code-agent,path-security,system-paths,nist-ac-6,mitre-t1005")
+@reject_message("Access blocked: this path targets a sensitive system directory. AI agents are restricted from accessing /etc, /proc, /sys, /root, and /var directories.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "/etc/*" ||
+     context.path like "/proc/*" ||
+     context.path like "/sys/*" ||
+     context.path like "/root/*" ||
+     context.path like "/var/log/*" ||
+     context.path like "/var/run/*")
+};
+
+// ---------------------------------------------------------------------------
+// Section 4: Credential Directory Protection
+// Blocks access to SSH keys, cloud credentials, and key material.
+// ---------------------------------------------------------------------------
+
+@id("code-block-credential-paths")
+@name("Block credential directory access")
+@description("Prevent access to SSH keys, cloud provider credentials, GPG keys, and other authentication material directories. These are primary targets for credential theft (MITRE T1552).")
+@severity("critical")
+@tags("profile,code-agent,path-security,credentials,ssh,aws,mitre-t1552")
+@reject_message("Access blocked: this path targets a credential or key directory (.ssh, .aws, .gnupg, .config/gcloud). AI agents must never access authentication material.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has path &&
+    (context.path like "*/.ssh/*" ||
+     context.path like "*/.aws/*" ||
+     context.path like "*/.gnupg/*" ||
+     context.path like "*/.config/gcloud/*" ||
+     context.path like "*/.azure/*" ||
+     context.path like "*.pem" ||
+     context.path like "*/id_rsa*" ||
+     context.path like "*/id_ed25519*" ||
+     context.path like "*/id_ecdsa*")
+};
+
+// ---------------------------------------------------------------------------
+// Section 5: Destructive File Operations
+// Blocks destructive file operations by default.
+// ---------------------------------------------------------------------------
+
+@id("code-block-destructive-ops")
+@name("Block destructive file operations")
+@description("Block file deletion, directory removal, and other destructive operations. Agents should not have delete access by default — destructive operations require explicit human approval.")
+@severity("high")
+@tags("profile,code-agent,path-security,destructive,file-ops,nist-ac-3")
+@reject_message("Tool execution was blocked: destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss. Request explicit human approval for destructive actions.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_name &&
+    (context.tool_name == "fs.delete" ||
+     context.tool_name == "fs.rmdir" ||
+     context.tool_name == "fs.unlink" ||
+     context.tool_name == "fs.remove" ||
+     context.tool_name == "delete_file" ||
+     context.tool_name == "remove_directory")
+};
+`;
+const GUARDRAILS_CODE_AGENT_SUPPLY_CHAIN_CEDAR = `// =============================================================================
+// Code Agent — Supply Chain Security
+// =============================================================================
+// Detects and blocks MCP server poisoning, indirect prompt injection from tool
+// outputs, credential theft chains, and destructive operation sequences.
+//
+// These are agentic AI-specific attack vectors where tool descriptions, server
+// responses, or behavioral drift manipulate agent behavior.
+//
+// Adapted from Overwatch agent security and behavioral analysis policies for
+// the Guardrails namespace.
+//
+// Compliance:
+//   OWASP ASI01 (Agent Goal Hijack)
+//   OWASP ASI02 (Tool Misuse)
+//   OWASP ASI04 (Supply Chain)
+//   OWASP LLM01 (Prompt Injection) — indirect variant
+//   OWASP MCP01-05
+//   MITRE ATLAS AML.T0051 (Prompt Injection)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//
+// Category: agentic_security
+// Namespace: Guardrails
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// Section 1: MCP Server Poisoning
+// Blocks connections to MCP servers with poisoned tool descriptions.
+// Lower threshold than tool-level poisoning since it affects all tools.
+// ---------------------------------------------------------------------------
+
+@id("code-block-server-poisoning")
+@name("Block poisoned MCP servers")
+@description("Block connections to MCP servers when tool poisoning patterns are detected in tool descriptions (score >= 60). Lower threshold than tool-level poisoning since server-level poisoning affects all tools on the server.")
+@severity("critical")
+@tags("profile,code-agent,supply-chain,tool-poisoning,mcp-security,owasp-asi04")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions. Review server tools before connecting.")
+forbid (
+    principal,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// ---------------------------------------------------------------------------
+// Section 2: Indirect Prompt Injection
+// Blocks injection from tool outputs and retrieved content — not direct
+// user input but external content that manipulates agent behavior.
+// Ref: EchoLeak CVE-2025-32711, IDEsaster (30+ CVEs)
+// ---------------------------------------------------------------------------
+
+@id("code-block-indirect-injection")
+@name("Block indirect prompt injection")
+@description("Block tool execution when indirect prompt injection is detected in tool outputs, file contents, or retrieved documents (score >= 70). Defends against injection via external content that manipulates agent behavior.")
+@severity("critical")
+@tags("profile,code-agent,supply-chain,indirect-injection,owasp-llm01,owasp-asi01")
+@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content. An external source may be attempting to hijack agent behavior.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 70
+};
+
+@id("code-block-indirect-injection-sensitive")
+@name("Block indirect injection on sensitive tools")
+@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive. Even moderate injection risk on sensitive tools (shell, file write, network) warrants blocking.")
+@severity("critical")
+@tags("profile,code-agent,supply-chain,indirect-injection,sensitive-tools,owasp-asi02")
+@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected. Sensitive tools require higher confidence that content is safe.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 50 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// ---------------------------------------------------------------------------
+// Section 3: Behavioral Attack Patterns
+// Detects multi-step attack chains targeting credentials and workspace integrity.
+// ---------------------------------------------------------------------------
+
+@id("code-block-credential-theft")
+@name("Block credential theft chains")
+@description("Block tool execution when a credential theft chain is detected — accessing SSH keys, cloud credentials, or API tokens followed by encoding, compression, or transfer operations. Multi-step attack pattern for autonomous credential harvesting.")
+@severity("critical")
+@tags("profile,code-agent,supply-chain,credential-theft,behavioral,mitre-t1552")
+@reject_message("Tool execution blocked: credential theft chain detected. The agent is performing a multi-step operation to harvest and exfiltrate credentials.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type && context.pattern_type == "credential_theft"
+};
+
+@id("code-block-destructive-sequence")
+@name("Block destructive operation sequences")
+@description("Block tool execution when a destructive operation sequence is detected — bulk file deletions, permission changes, config overwrites, or repository manipulation patterns. Prevents agent-initiated workspace damage.")
+@severity("critical")
+@tags("profile,code-agent,supply-chain,destructive,behavioral,owasp-asi02")
+@reject_message("Tool execution blocked: destructive operation sequence detected. The agent is performing a pattern of destructive operations that could damage the workspace.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type && context.pattern_type == "destructive_sequence"
+};
+`;
+const GUARDRAILS_CODE_AGENT_ENCODING_CEDAR = `// =============================================================================
+// Code Agent — Encoding & Unicode Attack Protection
+// =============================================================================
+// Blocks invisible Unicode characters in tool arguments and file writes to
+// prevent encoding-based prompt injection and persistent invisible payloads.
+//
+// Tool arguments and file content should be plain text — invisible characters
+// (zero-width joiners, bidirectional overrides, tag characters) indicate
+// payload injection or encoding evasion attempts.
+//
+// Adapted from Overwatch encoding attack policies for Guardrails namespace.
+//
+// Ref: EchoLeak CVE-2025-32711 (invisible prompt injection via Unicode)
+//      Rules File Backdoor (Pillar Security, March 2025)
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — encoding evasion
+//   OWASP ASI01 (Agent Goal Hijack) — hidden instructions
+//   NIST 800-53 SI-10 (Information Input Validation)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// Block tool calls with invisible characters in arguments
+@id("code-block-invisible-tool-args")
+@name("Block invisible characters in tool calls")
+@description("Block tool execution when invisible Unicode characters are detected in tool arguments or content. Tool arguments should be plain text/JSON — invisible characters in tool calls are almost certainly malicious payload injection.")
+@severity("critical")
+@tags("profile,code-agent,encoding,unicode,invisible-chars,tools,owasp-asi01")
+@reject_message("Tool execution blocked: invisible Unicode characters detected in tool arguments. Tool calls should contain only plain text — invisible characters indicate payload injection or encoding evasion.")
+forbid (
+    principal,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has contains_invisible_chars && context.contains_invisible_chars == true
+};
+
+// Block file writes with invisible characters
+@id("code-block-invisible-file-write")
+@name("Block invisible characters in file writes")
+@description("Block file writes when invisible Unicode characters are detected. Prevents persistence of invisible payloads in source code, config files, or documentation where they could later be processed by AI agents.")
+@severity("high")
+@tags("profile,code-agent,encoding,unicode,invisible-chars,file-write,owasp-asi01")
+@reject_message("File write blocked: invisible Unicode characters detected in content. Writing invisible characters to files can create persistent backdoors that affect AI agents processing those files later.")
+forbid (
+    principal,
+    action == Guardrails::Action::"write_file",
+    resource
+)
+when {
+    context has contains_invisible_chars && context.contains_invisible_chars == true
+};
+`;
+const GUARDRAILS_ADVANCED_DETECTION_SECRETS_CEDAR = `// =============================================================================
+// Advanced Detection — Granular Secrets
+// =============================================================================
+// Blocks specific high-risk credential types and API tokens using granular
+// secret_types matching. Goes beyond the boolean contains_secrets detection
+// to identify and block cloud provider keys, GitHub tokens, SSH keys,
+// database credentials, and API tokens.
+//
+// These policies benefit any Guardrails deployment — not just coding agents.
+//
+// Adapted from Overwatch granular secret type policies for Guardrails namespace.
+//
+// Compliance:
+//   NIST 800-53 IA-5 (Authenticator Management)
+//   NIST 800-53 SC-28 (Protection of Information at Rest)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   CIS Benchmark 1.4 (Secrets Management)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// Block high-risk credential types across all actions
+@id("detection-block-high-risk-secret-types")
+@name("Block high-risk credential types")
+@description("Block content containing cloud provider keys (AWS, GCP, Azure), GitHub tokens, SSH private keys, or database connection strings. These credential types pose the highest exfiltration risk and must never pass through AI agents.")
+@severity("critical")
+@tags("profile,advanced-detection,secrets,aws,gcp,azure,github,ssh,database,nist-ia-5,mitre-t1552")
+@reject_message("Content blocked: high-risk credentials detected (cloud provider keys, GitHub tokens, SSH keys, or database credentials). Use a secrets manager — never pass credentials through AI agents.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("aws_access_key") ||
+     context.secret_types.contains("aws_secret_key") ||
+     context.secret_types.contains("gcp_service_account") ||
+     context.secret_types.contains("azure_client_secret") ||
+     context.secret_types.contains("github_token") ||
+     context.secret_types.contains("github_pat") ||
+     context.secret_types.contains("ssh_private_key") ||
+     context.secret_types.contains("database_url"))
+};
+
+// Block API keys and bearer tokens across all actions
+@id("detection-block-api-keys")
+@name("Block API keys and bearer tokens")
+@description("Block content containing generic API keys, bearer tokens, JWT tokens, and OAuth credentials. These are the most commonly leaked credential types in AI agent interactions.")
+@severity("high")
+@tags("profile,advanced-detection,secrets,api-key,bearer,jwt,oauth,nist-ia-5")
+@reject_message("Content blocked: API keys, bearer tokens, or OAuth credentials detected. These must never be passed through AI agent prompts or tool calls.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool", Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    resource
+)
+when {
+    context has secret_types &&
+    (context.secret_types.contains("api_key") ||
+     context.secret_types.contains("bearer_token") ||
+     context.secret_types.contains("jwt_token") ||
+     context.secret_types.contains("oauth_token") ||
+     context.secret_types.contains("oauth_secret"))
+};
+`;
+const GUARDRAILS_ADVANCED_DETECTION_PII_CEDAR = `// =============================================================================
+// Advanced Detection — PII
+// =============================================================================
+// Advanced PII detection policies using ML classifier confidence scoring,
+// bulk exposure thresholds, and file operation blocking. Goes beyond the
+// boolean pii_detected flag with layered detection:
+//
+//   1. Bulk PII exposure — 3+ PII matches indicates data dumps or CSV pastes
+//   2. ML classifier confidence — catches novel PII patterns that regex misses
+//   3. File operation PII — prevents PII persistence to disk
+//
+// These policies benefit any Guardrails deployment — not just coding agents.
+//
+// Adapted from Overwatch PII detection policies for Guardrails namespace.
+//
+// Compliance:
+//   PCI DSS 3.4 (Payment Card Data)
+//   GDPR Art. 32 (Security of Processing)
+//   HIPAA §164.312 (Technical Safeguards)
+//   CCPA §1798.150 (Data Protection)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//
+// Category: privacy
+// Namespace: Guardrails
+// =============================================================================
+
+// Block bulk PII exposure (3+ PII matches)
+@id("detection-block-bulk-pii")
+@name("Block bulk PII exposure")
+@description("Block content containing 3 or more PII matches. Multiple PII items in a single request indicates a data dump, CSV paste, or data exfiltration attempt. Single PII occurrences may be incidental — bulk exposure is always intentional or negligent.")
+@severity("critical")
+@tags("profile,advanced-detection,pii,bulk,data-exfiltration,gdpr-art-32,ccpa")
+@reject_message("Content blocked: multiple PII items detected (3+). Bulk personal data must never be processed through AI agents. Use data masking or tokenization for batch operations.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has pii_count && context.pii_count >= 3
+};
+
+// Block content with high ML PII classifier confidence
+@id("detection-block-pii-high-confidence")
+@name("Block high-confidence PII")
+@description("Block content when the ML PII classifier confidence exceeds threshold (80/100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss — defense-in-depth behind the pii_detected boolean.")
+@severity("critical")
+@tags("profile,advanced-detection,pii,ml-classifier,privacy,compliance")
+@reject_message("Content blocked: the ML classifier detected personally identifiable information with high confidence. Even if specific PII types aren't identified, the content appears to contain personal data.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has pii_confidence && context.pii_confidence >= 80
+};
+
+// Block file operations containing PII
+@id("detection-block-pii-file-ops")
+@name("Block file operations with PII")
+@description("Block file reads and writes when PII is detected. Prevents agents from reading files containing personal data and from writing PII to new files where it could persist or be version-controlled.")
+@severity("high")
+@tags("profile,advanced-detection,pii,file-ops,data-protection,gdpr-art-32")
+@reject_message("File operation blocked: personally identifiable information was detected. Files containing PII must not be read or written through AI agents.")
+forbid (
+    principal,
+    action in [Guardrails::Action::"read_file", Guardrails::Action::"write_file"],
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected == true
+};
+`;
+const GUARDRAILS_ADVANCED_DETECTION_THREAT_SEVERITY_CEDAR = `// =============================================================================
+// Advanced Detection — Threat Severity
+// =============================================================================
+// Severity-based catch-all policy that blocks any content flagged as critical
+// severity by detection engines. Acts as a safety net behind all other policies
+// — if any detector reports critical severity, the content is blocked regardless
+// of whether a specific category policy caught it.
+//
+// This policy benefits any Guardrails deployment — not just coding agents.
+//
+// Adapted from Overwatch threat severity aggregation for Guardrails namespace.
+//
+// Compliance:
+//   NIST 800-53 SI-3 (Malicious Code Protection)
+//   NIST 800-53 SI-4 (Information System Monitoring)
+//
+// Category: security
+// Namespace: Guardrails
+// =============================================================================
+
+// Block any content with critical severity threats
+@id("detection-block-critical-severity")
+@name("Block critical severity threats")
+@description("Block all content when any detection engine reports critical severity. This is the ultimate catch-all — critical threats are blocked regardless of type or source. Acts as a safety net behind all other policies.")
+@severity("critical")
+@tags("profile,advanced-detection,severity,critical,catch-all,nist-si-3")
+@reject_message("Your content was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
+forbid (
+    principal,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has highest_severity && context.highest_severity == "critical"
+};
+`;
+const GUARDRAILS_A2A_CROSS_ORIGIN_CEDAR = `// =============================================================================
+// A2A Security — Cross-Origin Trust Boundary Enforcement
+// =============================================================================
+// Detects and blocks confused deputy attacks where an agent from one trust
+// domain attempts to operate in another. Cross-origin violations occur when:
+//   - An agent proxies requests across security domains
+//   - Mixed-security tool chains span trust boundaries
+//   - URL injection redirects agent communication to untrusted origins
+//
+// Key A2A distinction from MAS: In multi-agent systems (shared orchestrator),
+// cross-origin is unlikely because all agents share a trust context. In A2A
+// (independent agents, separate trust domains), cross-origin is the PRIMARY
+// signal that trust boundaries are being violated.
+//
+// Shield cross-origin detector outputs discrete scores:
+//   90 — mixed localhost + external domain
+//   85 — URL injection in parameters
+//   80 — proxy/redirect patterns
+//   75 — multi-origin tool configs / JSON origin fields
+//   70 — mixed HTTP/HTTPS or ws/wss schemes
+//   65 — JSON arrays with multiple URLs
+//   60 — generic multi-domain patterns
+//
+// Compliance:
+//   OWASP LLM08 (Excessive Agency)
+//   OWASP ASI03 (Excessive Permissions)
+//   MITRE ATLAS AML.T0051.002 (Indirect Prompt Injection via delegation)
+//   NIST 800-53 AC-4 (Information Flow Enforcement)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// Block high-confidence cross-origin for any agent
+@id("a2a-cross-origin-block-critical")
+@name("Block critical cross-origin from any agent")
+@description("Block all agent requests when cross-origin trust boundary violation score exceeds 80. High-confidence cross-origin signals (mixed localhost/external, URL injection, proxy redirects) indicate confused deputy attacks regardless of agent trust level.")
+@severity("critical")
+@tags("profile,a2a-security,cross-origin,confused-deputy,trust-boundary,owasp-llm08")
+@reject_message("Request blocked: high-confidence cross-origin trust boundary violation detected (score >= 80). An external agent or service is attempting to operate across trust domains. Review the origin chain before retrying.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 80
+};
+
+// Block cross-origin from unverified agents at any signal level
+@id("a2a-cross-origin-block-unverified")
+@name("Block cross-origin from unverified agents")
+@description("Unverified agents are blocked from any cross-origin activity at the lowest meaningful detection threshold (score >= 60). Cross-origin from an unverified source is a strong confused deputy indicator — the agent has no attestation AND is crossing trust boundaries.")
+@severity("high")
+@tags("profile,a2a-security,cross-origin,unverified,trust-boundary,owasp-asi03")
+@reject_message("Request blocked: cross-origin activity detected from an unverified agent. Unverified agents cannot operate across trust boundaries. Register the agent or use a verified agent.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 60
+};
+
+// Block cross-origin MCP server connections from non-first-party agents
+@id("a2a-cross-origin-block-server-connect")
+@name("Block cross-origin MCP server connections")
+@description("Non-first-party agents cannot connect to MCP servers when cross-origin signals are present (score >= 65). Server-level cross-origin has wide blast radius — a single compromised connection exposes all tools on that server.")
+@severity("critical")
+@tags("profile,a2a-security,cross-origin,mcp,server,trust-boundary,nist-ac-4")
+@reject_message("MCP server connection blocked: cross-origin trust violation detected. Non-first-party agents cannot connect to MCP servers when cross-origin signals are present.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 65
+};
+
+// Block cross-origin tool calls on sensitive tools from any agent
+@id("a2a-cross-origin-block-sensitive-tools")
+@name("Block cross-origin on sensitive tools")
+@description("Any agent attempting to call sensitive tools while cross-origin signals are present (score >= 60) is blocked. Sensitive tools (write_file, http_post, send_email) amplify the impact of confused deputy attacks — an agent crossing trust boundaries should not have access to high-impact operations.")
+@severity("high")
+@tags("profile,a2a-security,cross-origin,sensitive-tools,confused-deputy,owasp-llm08")
+@reject_message("Sensitive tool execution blocked: cross-origin trust violation detected. Tool calls to sensitive tools are blocked when cross-origin signals are present from agent requests.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 60 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+`;
+const GUARDRAILS_A2A_INTER_AGENT_INJECTION_CEDAR = `// =============================================================================
+// A2A Security — Inter-Agent Injection Defense
+// =============================================================================
+// Detects and blocks prompt injection that travels between independent agents:
+//
+// 1. INDIRECT INJECTION: Malicious content injected via tool outputs, RAG
+//    retrieval, or API responses from one agent that manipulates another.
+//    In A2A, this is the primary attack vector because agents consume each
+//    other's outputs as trusted input.
+//
+// 2. MULTI-TURN PROGRESSIVE ATTACKS: Gradual context manipulation across
+//    turns where each turn is benign individually but collectively builds
+//    toward goal hijacking. The GRU-based deep context detector tracks
+//    conversation state across turns.
+//
+// 3. ENCODED PAYLOAD DELIVERY: Base64, hex, or hash-encoded instructions
+//    designed to bypass single-turn classifiers. In A2A communication,
+//    encoded content is a strong indicator of injection evasion.
+//
+// Key A2A distinction: In MAS, the orchestrator controls all communication.
+// In A2A, each agent independently receives content from external agents,
+// making indirect injection the dominant threat vector.
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — indirect variant
+//   OWASP ASI01 (Agent Goal Hijack)
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   MITRE ATLAS AML.T0051.002 (Indirect Prompt Injection)
+//   NIST 800-53 SI-10 (Information Input Validation)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Indirect Injection — Tool Output Poisoning
+// -----------------------------------------------------------------------------
+
+// Block indirect injection from agent tool calls
+@id("a2a-indirect-injection-agent")
+@name("Block indirect injection from agent tool calls")
+@description("Block tool execution when indirect injection is detected in content received by an agent (score >= 60). Indirect injection travels through tool outputs, RAG retrieval, and API responses — the primary A2A attack vector because agents consume each other's outputs as trusted input. Lower threshold than code-agent (70) because cross-system content has higher adversarial surface.")
+@severity("critical")
+@tags("profile,a2a-security,indirect-injection,tool-output,owasp-lml01,mitre-t0051-002")
+@reject_message("Tool execution blocked: indirect prompt injection detected in content received by this agent (score >= 60). An external source may be attempting to hijack agent behavior through tool outputs or retrieved content.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has indirect_injection_score && context.indirect_injection_score >= 60
+};
+
+// Stricter threshold for sensitive tools
+@id("a2a-indirect-injection-sensitive-agent")
+@name("Block moderate indirect injection on sensitive tools from agents")
+@description("Block sensitive tool execution from agents when indirect injection score exceeds 40. Sensitive tools (write_file, http_post, send_email) amplify the damage of indirect injection — a lower threshold compensates for the higher blast radius of sensitive operations in cross-system communication.")
+@severity("critical")
+@tags("profile,a2a-security,indirect-injection,sensitive-tools,owasp-asi01")
+@reject_message("Sensitive tool blocked: moderate indirect injection risk detected in agent-to-agent content (score >= 40). Sensitive tools require higher confidence that inter-agent content is safe.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has indirect_injection_score && context.indirect_injection_score >= 40 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// -----------------------------------------------------------------------------
+// Multi-Turn Progressive Attacks — Deep Context GRU Detection
+// -----------------------------------------------------------------------------
+
+// Block multi-turn progressive injection for non-first-party agents
+@id("a2a-deep-context-injection-agent")
+@name("Block multi-turn progressive injection for agents")
+@description("Block non-first-party agents when the GRU-based deep context detector identifies multi-turn progressive injection (score >= 60). Each turn may be benign individually, but the GRU model tracks hidden state across the full conversation to detect gradual goal hijacking.")
+@severity("high")
+@tags("profile,a2a-security,multi-turn,deep-context,injection,owasp-lml01")
+@reject_message("Request blocked: multi-turn progressive injection detected across conversation history (deep context score >= 60). A gradual attack may be building context manipulation over multiple agent turns.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has multi_turn_detection && context.multi_turn_detection == true &&
+    context has injection_deep_context_score && context.injection_deep_context_score >= 60
+};
+
+// Block multi-turn progressive jailbreak for non-first-party agents
+@id("a2a-deep-context-jailbreak-agent")
+@name("Block multi-turn progressive jailbreak for agents")
+@description("Block non-first-party agents when the GRU-based deep context detector identifies multi-turn progressive jailbreak (score >= 60). Jailbreak attempts spread across turns are harder to detect with single-turn classifiers — the deep context model maintains conversation state to catch these patterns.")
+@severity("high")
+@tags("profile,a2a-security,multi-turn,deep-context,jailbreak,owasp-asi01")
+@reject_message("Request blocked: multi-turn progressive jailbreak detected across conversation history (deep context score >= 60). A gradual jailbreak attempt is building across multiple agent turns.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has multi_turn_detection && context.multi_turn_detection == true &&
+    context has jailbreak_deep_context_score && context.jailbreak_deep_context_score >= 60
+};
+
+// -----------------------------------------------------------------------------
+// Encoded Payload Delivery — Injection Evasion
+// -----------------------------------------------------------------------------
+
+// Block encoded injection payloads between agents
+@id("a2a-encoded-injection-agent")
+@name("Block encoded payload delivery between agents")
+@description("Block agent requests when encoded payloads are detected (base64, hex, or suspicious hash content with score >= 60). In A2A communication, encoded content is a strong indicator of injection evasion — agents should communicate in plaintext, not encoded payloads.")
+@severity("high")
+@tags("profile,a2a-security,encoded-injection,evasion,base64,owasp-lml01")
+@reject_message("Request blocked: encoded payload detected in agent communication (base64, hex, or suspicious hash content). Encoded content in agent-to-agent messages indicates injection evasion or payload delivery.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has encoded_content_detected && context.encoded_content_detected == true &&
+    context has encoded_score && context.encoded_score >= 60
+};
+`;
+const GUARDRAILS_A2A_SUPPLY_CHAIN_CEDAR = `// =============================================================================
+// A2A Security — Supply Chain & Behavioral Drift
+// =============================================================================
+// Detects and blocks supply chain attacks specific to agent-to-agent ecosystems:
+//
+// 1. TOOL POISONING: External agents install or recommend MCP tools with
+//    hidden instructions, system prompt injection, authority hijack, or
+//    information suppression patterns in tool descriptions.
+//
+// 2. RUG PULL: An agent or tool that behaves normally during evaluation
+//    but changes behavior after trust is established — "risk_spike" (sudden
+//    risk increase) or "pattern_change" (behavioral deviation).
+//
+// 3. CREDENTIAL THEFT CHAINS: Multi-step attack where an agent reads
+//    credential files, encodes them, and exfiltrates via network tools.
+//    In A2A, this is higher risk because external agents have legitimate
+//    reasons to call multiple tools in sequence.
+//
+// Key A2A distinction: In MAS, the orchestrator vets all tools centrally.
+// In A2A, each agent brings its own tool ecosystem, creating a supply chain
+// attack surface at every agent boundary.
+//
+// Compliance:
+//   OWASP ASI04 (Supply Chain Vulnerabilities)
+//   OWASP MCP01 (Tool Poisoning)
+//   OWASP MCP03 (Tool Shadowing)
+//   MITRE ATT&CK T1552 (Unsecured Credentials)
+//   MITRE ATLAS AML.T0049 (Backdoor ML Model) — analogous to agent drift
+//   NIST 800-53 SI-7 (Software, Firmware, and Information Integrity)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Tool Poisoning — Hidden Instructions in External Agent Tools
+// -----------------------------------------------------------------------------
+
+// Block tool poisoning from non-first-party agents
+@id("a2a-tool-poisoning-agent")
+@name("Block tool poisoning from non-first-party agents")
+@description("Block tool execution when poisoning is detected from non-first-party agents (score >= 60). Tool poisoning includes hidden instructions, system prompt injection, authority hijack, and information suppression patterns in tool descriptions or arguments. Lower threshold than default (70) because external agent tool chains have higher supply chain risk.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,tool-poisoning,owasp-mcp01,owasp-asi04")
+@reject_message("Tool execution blocked: tool poisoning detected in content from a non-first-party agent (score >= 60). Hidden instructions, authority hijack, or system prompt injection patterns found in tool descriptions or arguments.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has tool_poisoning_detected && context.tool_poisoning_detected == true &&
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// Block poisoned MCP server connections from agents
+@id("a2a-server-poisoning-agent")
+@name("Block poisoned server connections from agents")
+@description("Block MCP server connections when poisoning is detected from agent requests (score >= 55). Server-level poisoning has wider blast radius than individual tool poisoning — a single compromised server connection exposes all tools on that server. Lower threshold (55 vs 60) compensates for the amplified impact.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,server-poisoning,mcp,owasp-mcp01")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server from agent request (score >= 55). Server-level poisoning affects all tools and warrants a lower threshold than individual tool poisoning.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has tool_poisoning_detected && context.tool_poisoning_detected == true &&
+    context has tool_poisoning_score && context.tool_poisoning_score >= 55
+};
+
+// -----------------------------------------------------------------------------
+// Rug Pull — Behavioral Drift After Trust Establishment
+// -----------------------------------------------------------------------------
+
+// Block after rug pull behavioral drift detection
+@id("a2a-rug-pull-agent")
+@name("Block rug pull behavioral drift from agents")
+@description("Block tool execution when behavioral drift is detected in agent tool usage (score >= 70). The rug pull detector compares current tool behavior against established baselines — a sudden risk spike or tool alternation pattern change after 3+ normal calls indicates the agent or tool has been compromised mid-session.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,rug-pull,behavioral-drift,mitre-t0049")
+@reject_message("Tool execution blocked: behavioral drift detected in agent tool usage (rug pull score >= 70). The tool's behavior has deviated significantly from established patterns, indicating potential supply chain compromise.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has rug_pull_detected && context.rug_pull_detected == true &&
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+
+// -----------------------------------------------------------------------------
+// Credential Theft Chains — Multi-Step Exfiltration
+// -----------------------------------------------------------------------------
+
+// Block agent-initiated credential theft chains
+@id("a2a-credential-theft-agent")
+@name("Block agent-initiated credential theft chains")
+@description("Block tool execution when credential theft patterns are detected from non-first-party agents. The pattern detector identifies multi-step sequences (read credentials → encode → exfiltrate) that indicate coordinated credential harvesting. In A2A, external agents have legitimate multi-tool workflows, making pattern-based detection essential to distinguish theft from normal usage.")
+@severity("critical")
+@tags("profile,a2a-security,supply-chain,credential-theft,exfiltration,mitre-t1552")
+@reject_message("Tool execution blocked: credential theft chain detected from a non-first-party agent. The agent is performing a multi-step operation to harvest and exfiltrate credentials. Only first-party agents may access credential-adjacent resources.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has suspicious_pattern && context.suspicious_pattern == true &&
+    context has pattern_type && context.pattern_type == "credential_theft"
+};
+`;
+const GUARDRAILS_A2A_IDENTITY_ENFORCEMENT_CEDAR = `// =============================================================================
+// A2A Security — Agent Identity Enforcement
+// =============================================================================
+// Enforces strict identity requirements for cross-system agent communication:
+//
+// 1. ANONYMOUS AGENT BLOCKING: Agents that claim agent_type but provide no
+//    agent_id are likely spoofed or misconfigured — blocked from tool calls.
+//
+// 2. FRAMEWORK REGISTRATION: Unverified agents must declare their framework
+//    (claude-code, langchain, crewai, etc.) for sensitive operations. Missing
+//    framework on unverified agents indicates an ad-hoc or rogue integration.
+//
+// 3. SERVER CONNECTION RESTRICTIONS: Unverified agents cannot establish new
+//    MCP server connections — limits blast radius of unknown agents.
+//
+// 4. AUTONOMOUS + UNVERIFIED = BLOCKED: The most dangerous combination is
+//    an autonomous agent with no verification. No human oversight AND no
+//    trust attestation means zero recovery if the agent is compromised.
+//
+// Key A2A distinction: In MAS, the orchestrator validates all sub-agents.
+// In A2A, each agent self-reports identity, so we must enforce identity
+// completeness and consistency at the policy layer.
+//
+// Compliance:
+//   OWASP ASI05 (Identity Spoofing)
+//   NIST 800-63 (Digital Identity Guidelines)
+//   NIST 800-53 IA-2 (Identification and Authentication)
+//   NIST 800-53 IA-8 (Identification and Authentication — Non-Organizational Users)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Anonymous Agent Detection — Incomplete Identity
+// -----------------------------------------------------------------------------
+
+// Block agents with type but no ID from tool execution
+@id("a2a-block-anonymous-agent-tools")
+@name("Block anonymous agents from tool execution")
+@description("Block tool calls from agents that declare an agent_type but have no agent_id. This pattern (type present, ID absent) indicates a spoofed or misconfigured agent identity — legitimate agents always have both. Human proxies are exempt because they represent authenticated users, not independent agents.")
+@severity("critical")
+@tags("profile,a2a-security,identity,anonymous,spoofing,owasp-asi05,nist-ia-2")
+@reject_message("Tool execution blocked: agent identity is required for A2A tool calls. This request has an agent type but no agent ID, indicating an improperly configured or spoofed agent identity.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id == "" &&
+    context has agent_type && context.agent_type != "" &&
+    context.agent_type != "human_proxy"
+};
+
+// -----------------------------------------------------------------------------
+// Framework Registration — Unverified Agent Restrictions
+// -----------------------------------------------------------------------------
+
+// Block unregistered framework unverified agents from sensitive tools
+@id("a2a-block-unregistered-framework")
+@name("Block unregistered frameworks from sensitive tools")
+@description("Block unverified agents with no declared framework from calling sensitive tools. In A2A, agent_framework identifies the SDK/runtime (claude-code, langchain, crewai, autogen). An unverified agent with no framework declaration is a black-box integration — it cannot be audited, patched, or trusted with sensitive operations.")
+@severity("high")
+@tags("profile,a2a-security,identity,framework,unverified,sensitive-tools,nist-ia-8")
+@reject_message("Sensitive tool blocked: unverified agent with no registered framework attempted to call a sensitive tool. Agents must declare their framework (e.g., claude-code, langchain, crewai) for A2A sensitive operations.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_framework && context.agent_framework == "" &&
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// -----------------------------------------------------------------------------
+// Server Connection Restrictions
+// -----------------------------------------------------------------------------
+
+// Block unverified agents from establishing MCP server connections
+@id("a2a-block-unverified-server-connect")
+@name("Block unverified agents from MCP server connections")
+@description("Unverified agents cannot establish new MCP server connections in A2A mode. Each server connection expands the agent's capability surface — unverified agents should use only pre-established connections from the orchestrator or host application.")
+@severity("high")
+@tags("profile,a2a-security,identity,unverified,mcp,server,nist-ia-8")
+@reject_message("MCP server connection blocked: unverified agents cannot establish new MCP server connections in A2A mode. Register the agent as verified_third_party or first_party to enable server connections.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has agent_id && context.agent_id != ""
+};
+
+// -----------------------------------------------------------------------------
+// Dangerous Combinations — Maximum Risk
+// -----------------------------------------------------------------------------
+
+// Block unverified autonomous agents from all tool calls
+@id("a2a-block-autonomous-unverified")
+@name("Block unverified autonomous agents from all tool calls")
+@description("The combination of autonomous (no human oversight) and unverified (no trust attestation) is the most dangerous agent configuration. If compromised, there is no human to catch anomalies and no verification to limit blast radius. These agents are unconditionally blocked from all tool execution in A2A workflows.")
+@severity("critical")
+@tags("profile,a2a-security,identity,autonomous,unverified,owasp-asi05,nist-ia-2")
+@reject_message("Tool execution blocked: unverified autonomous agents are not permitted in A2A workflows. Autonomous agents operating without human oversight must be at least verified_third_party trust level.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_type && context.agent_type == "autonomous" &&
+    context has agent_trust_level && context.agent_trust_level == "unverified"
+};
+`;
+const GUARDRAILS_A2A_ESCALATION_DETECTION_CEDAR = `// =============================================================================
+// A2A Security — Escalation Detection & Circuit Breakers
+// =============================================================================
+// Detects progressive capability escalation across agent turns and applies
+// session-level circuit breakers tuned for adversarial A2A communication:
+//
+// 1. SESSION PEAK SCORES: When the maximum injection or jailbreak score
+//    across all prior turns exceeds 70, non-first-party agents are restricted.
+//    Unlike MAS boolean flags, A2A uses numeric peaks for graduated response.
+//
+// 2. CUMULATIVE RISK CIRCUIT BREAKER: When accumulated risk across turns
+//    exceeds 150, sensitive tools are blocked for non-first-party agents.
+//    Lower threshold than MAS (200) because cross-system communication has
+//    higher adversarial surface area.
+//
+// 3. THREAT TURN ESCALATION: After 3+ turns with detected threats, unverified
+//    agents are fully locked out. This catches turn-by-turn probing attacks
+//    where an attacker incrementally tests boundaries.
+//
+// Key A2A distinction: In MAS, the orchestrator can reset or contain sessions.
+// In A2A, independent agents have no shared circuit breaker, so policy must
+// enforce escalation detection at the evaluation layer.
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — multi-turn variant
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   NIST 800-53 SI-4 (System Monitoring)
+//   NIST 800-53 IR-4 (Incident Handling)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Session Peak Score Monitoring
+// -----------------------------------------------------------------------------
+
+// Block non-first-party agents when session injection peak is high
+@id("a2a-session-injection-peak-block")
+@name("Block agents when session injection peak is high")
+@description("Block non-first-party agents from tool calls and prompt processing when the maximum injection score across all prior turns exceeds 70. Unlike MAS policies that use boolean session_injection_detected, A2A uses the numeric peak score for graduated response — a session with a prior score of 75 is more dangerous than one with 45, even though both set the boolean flag.")
+@severity("critical")
+@tags("profile,a2a-security,escalation,session-peak,injection,owasp-lml01,nist-si-4")
+@reject_message("Request blocked: this session has a prior injection detection peak of 70+. Non-first-party agents are restricted after high injection signals to prevent progressive capability escalation.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"call_tool", Guardrails::Action::"process_prompt"],
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has session_max_injection_score && context.session_max_injection_score >= 70
+};
+
+// Block non-first-party agents when session jailbreak peak is high
+@id("a2a-session-jailbreak-peak-block")
+@name("Block agents when session jailbreak peak is high")
+@description("Block non-first-party agents from prompt processing when the maximum jailbreak score across all prior turns exceeds 70. A high jailbreak peak indicates the session's guardrails may have been partially eroded — subsequent agent requests in this session should be treated as potentially manipulated.")
+@severity("critical")
+@tags("profile,a2a-security,escalation,session-peak,jailbreak,owasp-lml01,nist-si-4")
+@reject_message("Request blocked: this session has a prior jailbreak detection peak of 70+. Non-first-party agents are restricted after high jailbreak signals to prevent progressive manipulation.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has session_max_jailbreak_score && context.session_max_jailbreak_score >= 70
+};
+
+// -----------------------------------------------------------------------------
+// Cumulative Risk Circuit Breaker
+// -----------------------------------------------------------------------------
+
+// Lock down non-first-party agents at high cumulative risk
+@id("a2a-cumulative-risk-agent-lockdown")
+@name("Lock down non-first-party agents at high cumulative risk")
+@description("Block non-first-party agents from sensitive tools when cumulative session risk exceeds 150. Lower threshold than MAS (200) because A2A sessions with cross-system agents should trip the circuit breaker earlier — independent agents cannot coordinate session recovery the way an orchestrator can.")
+@severity("high")
+@tags("profile,a2a-security,escalation,cumulative-risk,circuit-breaker,nist-ir-4")
+@reject_message("Sensitive tool blocked: session cumulative risk exceeds 150. Non-first-party agents are restricted from sensitive tools in elevated-risk sessions to prevent progressive capability gain.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has session_cumulative_risk_score && context.session_cumulative_risk_score > 150 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// -----------------------------------------------------------------------------
+// Threat Turn Escalation — Probing Detection
+// -----------------------------------------------------------------------------
+
+// Block unverified agents after repeated threat turns
+@id("a2a-threat-turn-escalation-block")
+@name("Block unverified agents after repeated threat turns")
+@description("Block unverified agents from all tool calls after 3+ threat turns are detected in the session. Lower threshold than MAS (5) because repeated threats from an unverified agent's session indicate adversarial probing — the attacker is incrementally testing boundaries. Three threat turns is sufficient evidence of active reconnaissance.")
+@severity("critical")
+@tags("profile,a2a-security,escalation,threat-turns,probing,unverified,nist-ir-4")
+@reject_message("Tool execution blocked: 3+ threat turns detected in this session. Unverified agents are locked out after repeated threat signals to prevent adversarial escalation via turn-by-turn probing.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has session_threat_turns && context.session_threat_turns > 2
+};
+`;
 // =============================================================================
 // CATEGORIES
 // =============================================================================
@@ -1608,6 +2703,105 @@ export const GUARDRAILS_TEMPLATES = [
         severity: 'critical',
         tags: ['profile', 'multi-agent', 'cross-turn', 'a2a', 'pii', 'secrets', 'injection', 'circuit-breaker'],
     },
+    {
+        id: 'code-agent-path-security',
+        name: 'Code Agent — Path Security',
+        description: 'Block access to .env files, credential files, system directories, credential directories, and destructive file operations for coding agents',
+        category: 'security',
+        cedarText: GUARDRAILS_CODE_AGENT_PATH_SECURITY_CEDAR,
+        severity: 'high',
+        tags: ['profile', 'code-agent', 'path-security', 'credentials', 'system-paths'],
+    },
+    {
+        id: 'code-agent-supply-chain',
+        name: 'Code Agent — Supply Chain Security',
+        description: 'Block MCP server poisoning, indirect prompt injection from tool outputs, credential theft patterns, and destructive operation sequences for coding agents',
+        category: 'agentic_security',
+        cedarText: GUARDRAILS_CODE_AGENT_SUPPLY_CHAIN_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'code-agent', 'supply-chain', 'tool-poisoning', 'indirect-injection'],
+    },
+    {
+        id: 'code-agent-encoding',
+        name: 'Code Agent — Encoding Attacks',
+        description: 'Block invisible Unicode characters in tool arguments and file writes to prevent encoding-based prompt injection for coding agents',
+        category: 'security',
+        cedarText: GUARDRAILS_CODE_AGENT_ENCODING_CEDAR,
+        severity: 'high',
+        tags: ['profile', 'code-agent', 'encoding', 'unicode', 'invisible-chars'],
+    },
+    {
+        id: 'advanced-detection-secrets',
+        name: 'Advanced Detection — Granular Secrets',
+        description: 'Granular secret type blocking for high-risk credentials (cloud provider keys, GitHub tokens, SSH keys, database URLs) and API keys/tokens',
+        category: 'security',
+        cedarText: GUARDRAILS_ADVANCED_DETECTION_SECRETS_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'advanced-detection', 'secrets', 'credentials', 'cloud-keys'],
+    },
+    {
+        id: 'advanced-detection-pii',
+        name: 'Advanced Detection — PII',
+        description: 'Bulk PII exposure blocking, high-confidence ML PII detection, and PII in file operations for advanced threat detection',
+        category: 'privacy',
+        cedarText: GUARDRAILS_ADVANCED_DETECTION_PII_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'advanced-detection', 'pii', 'privacy', 'ml-classifier'],
+    },
+    {
+        id: 'advanced-detection-threat-severity',
+        name: 'Advanced Detection — Threat Severity',
+        description: 'Block any content flagged with critical severity by detection engines as a catch-all safety net',
+        category: 'security',
+        cedarText: GUARDRAILS_ADVANCED_DETECTION_THREAT_SEVERITY_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'advanced-detection', 'severity', 'critical', 'catch-all'],
+    },
+    {
+        id: 'a2a-cross-origin',
+        name: 'A2A Security — Cross-Origin Trust Boundaries',
+        description: 'Block confused deputy attacks and trust boundary violations from cross-system agent communication — critical cross-origin blocking, unverified agent restrictions, sensitive tool protection',
+        category: 'agent_identity',
+        cedarText: GUARDRAILS_A2A_CROSS_ORIGIN_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'a2a-security', 'cross-origin', 'confused-deputy', 'trust-boundary'],
+    },
+    {
+        id: 'a2a-inter-agent-injection',
+        name: 'A2A Security — Inter-Agent Injection Defense',
+        description: 'Block indirect prompt injection via tool outputs, multi-turn progressive attacks using deep context models, and encoded payload delivery between independent agents',
+        category: 'agent_identity',
+        cedarText: GUARDRAILS_A2A_INTER_AGENT_INJECTION_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'a2a-security', 'indirect-injection', 'multi-turn', 'encoded-injection', 'deep-context'],
+    },
+    {
+        id: 'a2a-supply-chain',
+        name: 'A2A Security — Supply Chain & Behavioral Drift',
+        description: 'Block tool poisoning from external agent ecosystems, rug pull behavioral drift, and credential theft chains initiated by compromised agents',
+        category: 'agent_identity',
+        cedarText: GUARDRAILS_A2A_SUPPLY_CHAIN_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'a2a-security', 'supply-chain', 'tool-poisoning', 'rug-pull', 'credential-theft'],
+    },
+    {
+        id: 'a2a-identity-enforcement',
+        name: 'A2A Security — Agent Identity Enforcement',
+        description: 'Enforce strict identity requirements for cross-system agents — block anonymous agents, require framework registration, prevent unverified autonomous agents',
+        category: 'agent_identity',
+        cedarText: GUARDRAILS_A2A_IDENTITY_ENFORCEMENT_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'a2a-security', 'identity', 'spoofing', 'framework', 'autonomous'],
+    },
+    {
+        id: 'a2a-escalation-detection',
+        name: 'A2A Security — Escalation Detection & Circuit Breakers',
+        description: 'Detect progressive capability escalation across turns with session peak score monitoring and cumulative risk circuit breakers tuned for adversarial A2A communication',
+        category: 'agent_identity',
+        cedarText: GUARDRAILS_A2A_ESCALATION_DETECTION_CEDAR,
+        severity: 'critical',
+        tags: ['profile', 'a2a-security', 'escalation', 'circuit-breaker', 'session-peak', 'cumulative-risk'],
+    },
 ];
 // =============================================================================
 // TEMPLATES METADATA
@@ -1839,6 +3033,105 @@ export const GUARDRAILS_TEMPLATES_JSON = `{
       "file": "profiles/multi_agent/agent_safety.cedar",
       "severity": "critical",
       "tags": ["profile", "multi-agent", "cross-turn", "a2a", "pii", "secrets", "injection", "circuit-breaker"]
+    },
+    {
+      "id": "code-agent-path-security",
+      "name": "Code Agent — Path Security",
+      "description": "Block access to .env files, credential files, system directories, credential directories, and destructive file operations for coding agents",
+      "category": "security",
+      "file": "profiles/code_agent/path_security.cedar",
+      "severity": "high",
+      "tags": ["profile", "code-agent", "path-security", "credentials", "system-paths"]
+    },
+    {
+      "id": "code-agent-supply-chain",
+      "name": "Code Agent — Supply Chain Security",
+      "description": "Block MCP server poisoning, indirect prompt injection from tool outputs, credential theft patterns, and destructive operation sequences for coding agents",
+      "category": "agentic_security",
+      "file": "profiles/code_agent/supply_chain.cedar",
+      "severity": "critical",
+      "tags": ["profile", "code-agent", "supply-chain", "tool-poisoning", "indirect-injection"]
+    },
+    {
+      "id": "code-agent-encoding",
+      "name": "Code Agent — Encoding Attacks",
+      "description": "Block invisible Unicode characters in tool arguments and file writes to prevent encoding-based prompt injection for coding agents",
+      "category": "security",
+      "file": "profiles/code_agent/encoding.cedar",
+      "severity": "high",
+      "tags": ["profile", "code-agent", "encoding", "unicode", "invisible-chars"]
+    },
+    {
+      "id": "advanced-detection-secrets",
+      "name": "Advanced Detection — Granular Secrets",
+      "description": "Granular secret type blocking for high-risk credentials (cloud provider keys, GitHub tokens, SSH keys, database URLs) and API keys/tokens",
+      "category": "security",
+      "file": "profiles/advanced_detection/secrets.cedar",
+      "severity": "critical",
+      "tags": ["profile", "advanced-detection", "secrets", "credentials", "cloud-keys"]
+    },
+    {
+      "id": "advanced-detection-pii",
+      "name": "Advanced Detection — PII",
+      "description": "Bulk PII exposure blocking, high-confidence ML PII detection, and PII in file operations for advanced threat detection",
+      "category": "privacy",
+      "file": "profiles/advanced_detection/pii.cedar",
+      "severity": "critical",
+      "tags": ["profile", "advanced-detection", "pii", "privacy", "ml-classifier"]
+    },
+    {
+      "id": "advanced-detection-threat-severity",
+      "name": "Advanced Detection — Threat Severity",
+      "description": "Block any content flagged with critical severity by detection engines as a catch-all safety net",
+      "category": "security",
+      "file": "profiles/advanced_detection/threat_severity.cedar",
+      "severity": "critical",
+      "tags": ["profile", "advanced-detection", "severity", "critical", "catch-all"]
+    },
+    {
+      "id": "a2a-cross-origin",
+      "name": "A2A Security — Cross-Origin Trust Boundaries",
+      "description": "Block confused deputy attacks and trust boundary violations from cross-system agent communication — critical cross-origin blocking, unverified agent restrictions, sensitive tool protection",
+      "category": "agent_identity",
+      "file": "profiles/a2a_security/cross_origin.cedar",
+      "severity": "critical",
+      "tags": ["profile", "a2a-security", "cross-origin", "confused-deputy", "trust-boundary"]
+    },
+    {
+      "id": "a2a-inter-agent-injection",
+      "name": "A2A Security — Inter-Agent Injection Defense",
+      "description": "Block indirect prompt injection via tool outputs, multi-turn progressive attacks using deep context models, and encoded payload delivery between independent agents",
+      "category": "agent_identity",
+      "file": "profiles/a2a_security/inter_agent_injection.cedar",
+      "severity": "critical",
+      "tags": ["profile", "a2a-security", "indirect-injection", "multi-turn", "encoded-injection", "deep-context"]
+    },
+    {
+      "id": "a2a-supply-chain",
+      "name": "A2A Security — Supply Chain & Behavioral Drift",
+      "description": "Block tool poisoning from external agent ecosystems, rug pull behavioral drift, and credential theft chains initiated by compromised agents",
+      "category": "agent_identity",
+      "file": "profiles/a2a_security/supply_chain.cedar",
+      "severity": "critical",
+      "tags": ["profile", "a2a-security", "supply-chain", "tool-poisoning", "rug-pull", "credential-theft"]
+    },
+    {
+      "id": "a2a-identity-enforcement",
+      "name": "A2A Security — Agent Identity Enforcement",
+      "description": "Enforce strict identity requirements for cross-system agents — block anonymous agents, require framework registration, prevent unverified autonomous agents",
+      "category": "agent_identity",
+      "file": "profiles/a2a_security/identity_enforcement.cedar",
+      "severity": "critical",
+      "tags": ["profile", "a2a-security", "identity", "spoofing", "framework", "autonomous"]
+    },
+    {
+      "id": "a2a-escalation-detection",
+      "name": "A2A Security — Escalation Detection & Circuit Breakers",
+      "description": "Detect progressive capability escalation across turns with session peak score monitoring and cumulative risk circuit breakers tuned for adversarial A2A communication",
+      "category": "agent_identity",
+      "file": "profiles/a2a_security/escalation_detection.cedar",
+      "severity": "critical",
+      "tags": ["profile", "a2a-security", "escalation", "circuit-breaker", "session-peak", "cumulative-risk"]
     }
   ],
   "profiles": [
@@ -1853,10 +3146,10 @@ export const GUARDRAILS_TEMPLATES_JSON = `{
     {
       "id": "code-agent",
       "name": "Code Agent",
-      "description": "Optimized for coding assistants — tool risk controls, shell blocking, loop detection, exfiltration prevention, budget enforcement",
+      "description": "Optimized for coding assistants — tool risk controls, shell blocking, loop detection, exfiltration prevention, budget enforcement, path security, supply chain defense, and encoding attack protection",
       "severity": "high",
-      "tags": ["code-agent", "tools", "agentic", "exfiltration"],
-      "template_ids": ["code-agent-agentic-security", "code-agent-security"]
+      "tags": ["code-agent", "tools", "agentic", "exfiltration", "path-security", "supply-chain", "encoding"],
+      "template_ids": ["code-agent-agentic-security", "code-agent-security", "code-agent-path-security", "code-agent-supply-chain", "code-agent-encoding"]
     },
     {
       "id": "data-pipeline",
@@ -1868,11 +3161,27 @@ export const GUARDRAILS_TEMPLATES_JSON = `{
     },
     {
       "id": "multi-agent",
-      "name": "Multi-Agent Orchestration",
-      "description": "Production-grade A2A guardrails for multi-agent systems — tiered trust access control, autonomous agent safeguards, cross-turn PII/secrets containment, injection escalation response, cumulative risk circuit breakers",
+      "name": "Multi-Agent Orchestration (MAS)",
+      "description": "Production-grade guardrails for multi-agent systems with shared orchestration — tiered trust access control, autonomous agent safeguards, cross-turn PII/secrets containment, injection escalation response, cumulative risk circuit breakers. For independent agent-to-agent communication across separate trust domains, use the A2A Security profile",
       "severity": "critical",
-      "tags": ["multi-agent", "a2a", "trust", "cross-turn", "circuit-breaker"],
+      "tags": ["multi-agent", "mas", "trust", "cross-turn", "circuit-breaker"],
       "template_ids": ["agent-identity-trust", "multi-agent-trust", "multi-agent-safety"]
+    },
+    {
+      "id": "a2a-security",
+      "name": "A2A Security",
+      "description": "Production-grade security for independent agent-to-agent communication across separate trust domains — cross-origin trust enforcement, inter-agent injection defense (indirect, multi-turn, encoded), supply chain protection (tool poisoning, rug pull), identity enforcement, and escalation circuit breakers",
+      "severity": "critical",
+      "tags": ["a2a-security", "cross-origin", "injection", "supply-chain", "identity", "escalation"],
+      "template_ids": ["a2a-cross-origin", "a2a-inter-agent-injection", "a2a-supply-chain", "a2a-identity-enforcement", "a2a-escalation-detection"]
+    },
+    {
+      "id": "advanced-detection",
+      "name": "Advanced Detection",
+      "description": "Production-grade advanced threat detection — granular secret type blocking, ML-based PII detection, bulk exposure prevention, and critical severity catch-all for high-security environments",
+      "severity": "critical",
+      "tags": ["advanced-detection", "secrets", "pii", "severity", "ml-detection"],
+      "template_ids": ["advanced-detection-secrets", "advanced-detection-pii", "advanced-detection-threat-severity"]
     }
   ]
 }