@highflame/policy 2.1.7 → 2.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/_schemas/guardrails/context.json +78 -0
  2. package/_schemas/guardrails/schema.cedarschema +28 -1
  3. package/_schemas/guardrails/templates/profiles/a2a_security/cross_origin.cedar +105 -0
  4. package/_schemas/guardrails/templates/profiles/a2a_security/escalation_detection.cedar +113 -0
  5. package/_schemas/guardrails/templates/profiles/a2a_security/identity_enforcement.cedar +118 -0
  6. package/_schemas/guardrails/templates/profiles/a2a_security/inter_agent_injection.cedar +134 -0
  7. package/_schemas/guardrails/templates/profiles/a2a_security/supply_chain.cedar +117 -0
  8. package/_schemas/guardrails/templates/profiles/advanced_detection/pii.cedar +73 -0
  9. package/_schemas/guardrails/templates/profiles/advanced_detection/secrets.cedar +66 -0
  10. package/_schemas/guardrails/templates/profiles/advanced_detection/threat_severity.cedar +35 -0
  11. package/_schemas/guardrails/templates/profiles/code_agent/encoding.cedar +55 -0
  12. package/_schemas/guardrails/templates/profiles/code_agent/path_security.cedar +148 -0
  13. package/_schemas/guardrails/templates/profiles/code_agent/supply_chain.cedar +120 -0
  14. package/_schemas/guardrails/templates/templates.json +121 -6
  15. package/dist/guardrails-context.gen.d.ts +5 -0
  16. package/dist/guardrails-context.gen.js +5 -0
  17. package/dist/guardrails-defaults.gen.js +1315 -6
  18. package/dist/service-schemas.gen.d.ts +1 -1
  19. package/dist/service-schemas.gen.js +41 -1
  20. package/package.json +1 -1
package/dist/service-schemas.gen.d.ts CHANGED
@@ -3,7 +3,7 @@
3
3
  *
4
4
  * Full Cedar schema for guardrails, embedded at codegen time.
5
5
  */
6
- export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u2514\u2500\u2500 App in [Project]\n // \u2514\u2500\u2500 Session in [App]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n entity Agent;\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking\n entity Session in [App];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_confidence\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_confidence\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n \"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"injection_confidence\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
6
+ export declare const GUARDRAILS_SCHEMA = "// =============================================================================\n// Guardrails Cedar Schema\n// =============================================================================\n// Defines entity types, actions, and context attributes for the highflame-shield\n// guardrails service. This schema enables type-safe policy authoring and\n// validation in both Studio UI and backend.\n//\n// Service: highflame-shield (guardrails)\n// Namespace: Guardrails\n// =============================================================================\n\nnamespace Guardrails {\n // =========================================================================\n // Entity Types \u2014 ReBAC Hierarchy\n // =========================================================================\n // Entity hierarchy enables Cedar's `in` operator for policy scoping:\n // Account (org root)\n // \u2514\u2500\u2500 Project in [Account]\n // \u2514\u2500\u2500 App in [Project]\n // \u2514\u2500\u2500 Session in [App]\n //\n // Policy scoping examples:\n // resource == Guardrails::App::\"<uuid>\" \u2192 app-scoped\n // resource in Guardrails::Project::\"<uuid>\" \u2192 project-wide\n // resource in Guardrails::Account::\"<uuid>\" \u2192 org-wide\n // =========================================================================\n\n /// Account represents an organization (top-level tenant)\n entity Account;\n\n /// Project represents a project within an account\n entity Project in [Account];\n\n /// User represents a principal (human or service) making requests\n entity User;\n\n /// Agent represents an AI agent (Claude, Cursor, Copilot, etc.) making requests\n entity Agent;\n\n /// App represents a protected application (guardrails-enabled LLM app)\n entity App in [Project];\n\n /// Session represents an agentic conversation session with state tracking\n entity Session in [App];\n\n // =========================================================================\n // Actions\n // =========================================================================\n\n /// Process user prompts and AI responses for security threats and content violations\n action \"process_prompt\" appliesTo {\n principal: [User, Agent],\n resource: [App, Session],\n context: ProcessPromptContext\n };\n\n /// Execute tool calls (shell, file operations, MCP tools)\n action \"call_tool\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: CallToolContext\n };\n\n /// Read file operations\n action \"read_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileReadContext\n };\n\n /// Write file operations\n action \"write_file\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: FileWriteContext\n };\n\n /// Connect to an MCP server\n action \"connect_server\" appliesTo {\n principal: [User, Agent],\n resource: [Session],\n context: ConnectServerContext\n };\n\n // =========================================================================\n // Context Types (Action-Specific)\n // =========================================================================\n\n /// Context for process_prompt action (user prompts & AI responses)\n type ProcessPromptContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n \"direction\": String, // \"input\" | \"output\"\n \"content_type\": String, // \"prompt\" | \"response\" | \"tool_call\" | \"file\"\n \"detector_count\": Long,\n\n // Security - Injection & Jailbreak (optional)\n \"injection_confidence\"?: Long, // Combined injection confidence: MAX(pulse, deep_context)\n \"jailbreak_confidence\"?: Long, // Combined jailbreak confidence: MAX(pulse, deep_context)\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"jailbreak_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"jailbreak_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n \"injection_type\"?: String, // \"prompt\" | \"sql\" | \"command\" | \"none\"\n\n // Privacy - Secrets (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>, // [\"aws_access_key\", \"github_token\", ...]\n\n // Privacy - PII (optional)\n \"pii_detected\"?: Bool,\n \"pii_count\"?: Long,\n \"pii_types\"?: Set<String>, // [\"email\", \"phone\", \"ssn\", \"credit_card\", ...]\n \"pii_confidence\"?: Long, // PII ML classifier confidence (0-100) \u2014 catches novel PII patterns that escape regex detection\n\n // Threat Severity Aggregation (optional)\n \"highest_severity\"?: String, // Highest severity across all detectors: \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n\n // Trust & Safety - Toxicity (optional)\n \"violence_score\"?: Long, // 0-100\n \"hate_speech_score\"?: Long, // 0-100\n \"sexual_score\"?: Long, // 0-100\n \"weapons_score\"?: Long, // 0-100\n \"crime_score\"?: Long, // 0-100\n \"profanity_score\"?: Long, // 0-100\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security - Invisible Character Detection (optional)\n \"contains_invisible_chars\"?: Bool,\n \"invisible_chars_score\"?: Long, // 0-100\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String, // \"reverse_shell\" | \"privilege_escalation\" | \"code_execution\" | \"destructive_command\" | \"data_exfiltration\"\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String, // \"critical\" | \"high\" | \"medium\" | \"low\" | \"none\"\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String, // \"tautology\" | \"union_based\" | \"destructive\" | \"blind\" | \"error_based\"\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String, // \"cross_origin_tool\" | \"cross_origin_server\" | \"none\"\n \"cross_origin_score\"?: Long, // 0-100\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>, // [\"base64\", \"hex\", \"unicode\", \"url\", ...]\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Language & Script Detection (optional)\n \"detected_language\"?: String, // ISO language code\n \"is_english\"?: Bool,\n \"language_confidence\"?: Long, // 0-100\n \"detected_script\"?: String, // \"latin\" | \"cyrillic\" | \"arabic\" | \"unknown\" | ...\n \"is_latin_script\"?: Bool,\n \"script_confidence\"?: Long, // 0-100\n\n // Content Analysis (optional)\n \"hallucination_score\"?: Long,\n \"factuality_score\"?: Long, // 0-100\n \"sentiment_score\"?: Long,\n \"contains_code\"?: Bool,\n \"code_languages\"?: Set<String>,\n \"code_ratio\"?: Long, // 0-100, percentage of content that is code\n \"keyword_matched\"?: Bool,\n \"keyword_categories\"?: Set<String>,\n \"keyword_count\"?: Long,\n \"contains_non_ascii\"?: Bool,\n \"phishing_detected\"?: Bool,\n \"content_safety_score\"?: Long, // 0-100\n \"content_safety_blocked\"?: Bool,\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n // Present when the request is made by an AI agent (API key or JWT with agent claims).\n // Empty strings for human user requests. Use these to write agent-specific policies.\n \"agent_id\"?: String, // Unique agent identifier (e.g., \"agent_research_v3\")\n \"agent_type\"?: String, // \"orchestrator\" | \"autonomous\" | \"tool_agent\" | \"human_proxy\"\n \"agent_trust_level\"?: String, // \"first_party\" | \"verified_third_party\" | \"unverified\"\n \"agent_framework\"?: String, // Agent framework (e.g., \"claude-code\", \"langchain\", \"crewai\")\n \"agent_publisher\"?: String, // Organization that published the agent\n\n };\n\n /// Context for call_tool action (agentic tool execution)\n type CallToolContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // Tool Risk (optional)\n \"tool_name\"?: String, // \"shell\", \"write_file\", \"http_post\", etc.\n \"tool_risk_score\"?: Long, // 0-100\n \"tool_is_sensitive\"?: Bool,\n \"tool_category\"?: String, // \"safe\" | \"sensitive\" | \"dangerous\"\n \"tool_is_builtin\"?: Bool,\n\n // MCP context (optional \u2014 only present for MCP tool calls)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_tool\"?: String, // MCP tool name within the server\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Behavioral Patterns (optional)\n \"suspicious_pattern\"?: Bool,\n \"pattern_type\"?: String, // \"data_exfiltration\" | \"secret_exfiltration\" | \"db_exfiltration\" | \"credential_theft\" | \"destructive_sequence\" | \"none\"\n \"sequence_risk\"?: Long, // 0-100\n\n // Agentic - Loop Detection (optional)\n \"loop_detected\"?: Bool,\n \"loop_count\"?: Long,\n \"loop_tool\"?: String,\n\n // Agentic - Budget Control (optional)\n \"budget_remaining_pct\"?: Long, // 0-100\n \"budget_exceeded\"?: Bool,\n\n // Semantic - Topic Classification (optional)\n \"content_topics\"?: Set<String>, // [\"controlled_substances\", \"weapons_manufacturing\", ...]\n \"topic_confidence\"?: Long, // 0-100\n\n // Security checks on tool arguments (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n \"pii_count\"?: Long, // Number of PII pattern matches in tool content\n \"pii_confidence\"?: Long, // PII ML classifier confidence (0-100)\n \"injection_confidence\"?: Long,\n \"injection_pulse_score\"?: Long, // 0-100 Pulse single-turn classifier\n \"injection_deep_context_score\"?: Long, // 0-100 DeepContext multi-turn\n\n // Security - Pattern Detection (optional)\n \"command_injection_detected\"?: Bool,\n \"command_injection_type\"?: String,\n \"command_injection_score\"?: Long, // 0-100\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n \"sql_injection_detected\"?: Bool,\n \"sql_injection_type\"?: String,\n \"sql_injection_score\"?: Long, // 0-100\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long, // 0-100\n\n // File & Path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path when tool operates on files\n\n // Security - Invisible Character Detection in tool args (optional)\n \"contains_invisible_chars\"?: Bool, // Whether invisible Unicode chars detected in tool args\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security - Encoded Injection (optional)\n \"encoded_content_detected\"?: Bool,\n \"encoded_types\"?: Set<String>,\n \"encoded_count\"?: Long,\n \"encoded_score\"?: Long, // 0-100\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long, // 0-100\n \"tool_poisoning_type\"?: String, // \"hidden_instructions\" | \"system_prompt_injection\" | \"authority_hijack\"\n \"rug_pull_detected\"?: Bool,\n \"rug_pull_score\"?: Long, // 0-100\n \"rug_pull_type\"?: String, // \"risk_spike\" | \"pattern_change\" | \"combined\" | \"none\"\n\n // Agentic - Indirect Prompt Injection (optional \u2014 injection via tool outputs/retrieved content)\n \"indirect_injection_score\"?: Long, // Indirect injection risk score (0-100)\n \"indirect_injection_type\"?: String, // Type of indirect injection detected\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String, // \"inline_execution\" | \"suspicious_url\" | \"cross_origin\"\n \"mcp_risk_score\"?: Long, // 0-100\n\n // Agentic - Multi-Turn Context (optional)\n \"conversation_turn\"?: Long,\n \"multi_turn_detection\"?: Bool,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for read_file action\n type FileReadContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being read\n\n // Security checks on file content (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for write_file action\n type FileWriteContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // File path (optional \u2014 for path-based access control policies)\n \"path\"?: String, // File path being written\n\n // Security - Invisible Character Detection in write content (optional)\n \"contains_invisible_chars\"?: Bool, // Whether invisible Unicode chars detected in write content\n \"invisible_chars_score\"?: Long, // Invisible character attack severity (0-100)\n\n // Security checks on content being written (optional)\n \"contains_secrets\"?: Bool,\n \"secret_count\"?: Long,\n \"secret_types\"?: Set<String>,\n \"pii_detected\"?: Bool,\n \"pii_types\"?: Set<String>,\n\n // Security - Path Traversal (optional)\n \"path_traversal_detected\"?: Bool,\n \"path_traversal_severity\"?: String,\n \"path_traversal_type\"?: String,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n\n /// Context for connect_server action (MCP server connections)\n type ConnectServerContext = {\n // Core metadata (required)\n \"request_id\": String,\n \"timestamp\": Long,\n\n // MCP context (optional)\n \"mcp_server\"?: String, // MCP server name (e.g., \"github\", \"filesystem\")\n \"mcp_server_verified\"?: Bool, // Whether server is from verified registry\n\n // Agentic - Agent Security (optional)\n \"tool_poisoning_detected\"?: Bool,\n \"tool_poisoning_score\"?: Long,\n \"tool_poisoning_type\"?: String,\n\n // Agentic - MCP Risk (optional)\n \"mcp_config_risk\"?: Bool,\n \"mcp_risk_type\"?: String,\n \"mcp_risk_score\"?: Long,\n\n // Security - Cross-Origin Escalation (optional)\n \"cross_origin_detected\"?: Bool,\n \"cross_origin_type\"?: String,\n \"cross_origin_score\"?: Long,\n\n // Session Detection History \u2014 cross-turn sticky flags (optional)\n \"session_pii_detected\"?: Bool,\n \"session_pii_types\"?: Set<String>,\n \"session_secrets_detected\"?: Bool,\n \"session_secret_types\"?: Set<String>,\n \"session_injection_detected\"?: Bool,\n \"session_command_injection\"?: Bool,\n \"session_threat_turns\"?: Long,\n \"session_max_injection_score\"?: Long,\n \"session_max_jailbreak_score\"?: Long,\n \"session_max_command_injection_score\"?: Long,\n \"session_max_pii_score\"?: Long,\n \"session_max_secret_score\"?: Long,\n \"session_cumulative_risk_score\"?: Long,\n\n // Agent Identity \u2014 authenticated agent principal metadata (optional)\n \"agent_id\"?: String,\n \"agent_type\"?: String,\n \"agent_trust_level\"?: String,\n \"agent_framework\"?: String,\n \"agent_publisher\"?: String,\n\n };\n}\n";
7
7
  /**
8
8
  * Overwatch Cedar schema
9
9
  *
package/dist/service-schemas.gen.js CHANGED
@@ -129,6 +129,10 @@ namespace Guardrails {
129
129
  "pii_detected"?: Bool,
130
130
  "pii_count"?: Long,
131
131
  "pii_types"?: Set<String>, // ["email", "phone", "ssn", "credit_card", ...]
132
+ "pii_confidence"?: Long, // PII ML classifier confidence (0-100) — catches novel PII patterns that escape regex detection
133
+
134
+ // Threat Severity Aggregation (optional)
135
+ "highest_severity"?: String, // Highest severity across all detectors: "critical" | "high" | "medium" | "low" | "none"
132
136
 
133
137
  // Trust & Safety - Toxicity (optional)
134
138
  "violence_score"?: Long, // 0-100
@@ -241,7 +245,7 @@ namespace Guardrails {
241
245
 
242
246
  // Agentic - Behavioral Patterns (optional)
243
247
  "suspicious_pattern"?: Bool,
244
- "pattern_type"?: String, // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "none"
248
+ "pattern_type"?: String, // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "credential_theft" | "destructive_sequence" | "none"
245
249
  "sequence_risk"?: Long, // 0-100
246
250
 
247
251
  // Agentic - Loop Detection (optional)
@@ -263,6 +267,8 @@ namespace Guardrails {
263
267
  "secret_types"?: Set<String>,
264
268
  "pii_detected"?: Bool,
265
269
  "pii_types"?: Set<String>,
270
+ "pii_count"?: Long, // Number of PII pattern matches in tool content
271
+ "pii_confidence"?: Long, // PII ML classifier confidence (0-100)
266
272
  "injection_confidence"?: Long,
267
273
  "injection_pulse_score"?: Long, // 0-100 Pulse single-turn classifier
268
274
  "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
@@ -283,6 +289,13 @@ namespace Guardrails {
283
289
  "cross_origin_type"?: String,
284
290
  "cross_origin_score"?: Long, // 0-100
285
291
 
292
+ // File & Path (optional — for path-based access control policies)
293
+ "path"?: String, // File path when tool operates on files
294
+
295
+ // Security - Invisible Character Detection in tool args (optional)
296
+ "contains_invisible_chars"?: Bool, // Whether invisible Unicode chars detected in tool args
297
+ "invisible_chars_score"?: Long, // Invisible character attack severity (0-100)
298
+
286
299
  // Security - Encoded Injection (optional)
287
300
  "encoded_content_detected"?: Bool,
288
301
  "encoded_types"?: Set<String>,
@@ -297,6 +310,10 @@ namespace Guardrails {
297
310
  "rug_pull_score"?: Long, // 0-100
298
311
  "rug_pull_type"?: String, // "risk_spike" | "pattern_change" | "combined" | "none"
299
312
 
313
+ // Agentic - Indirect Prompt Injection (optional — injection via tool outputs/retrieved content)
314
+ "indirect_injection_score"?: Long, // Indirect injection risk score (0-100)
315
+ "indirect_injection_type"?: String, // Type of indirect injection detected
316
+
300
317
  // Agentic - MCP Risk (optional)
301
318
  "mcp_config_risk"?: Bool,
302
319
  "mcp_risk_type"?: String, // "inline_execution" | "suspicious_url" | "cross_origin"
@@ -336,6 +353,9 @@ namespace Guardrails {
336
353
  "request_id": String,
337
354
  "timestamp": Long,
338
355
 
356
+ // File path (optional — for path-based access control policies)
357
+ "path"?: String, // File path being read
358
+
339
359
  // Security checks on file content (optional)
340
360
  "contains_secrets"?: Bool,
341
361
  "secret_count"?: Long,
@@ -378,6 +398,13 @@ namespace Guardrails {
378
398
  "request_id": String,
379
399
  "timestamp": Long,
380
400
 
401
+ // File path (optional — for path-based access control policies)
402
+ "path"?: String, // File path being written
403
+
404
+ // Security - Invisible Character Detection in write content (optional)
405
+ "contains_invisible_chars"?: Bool, // Whether invisible Unicode chars detected in write content
406
+ "invisible_chars_score"?: Long, // Invisible character attack severity (0-100)
407
+
381
408
  // Security checks on content being written (optional)
382
409
  "contains_secrets"?: Bool,
383
410
  "secret_count"?: Long,
@@ -1471,6 +1498,8 @@ export const GUARDRAILS_CONTEXT = {
1471
1498
  { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether personally identifiable information (PII) was found in the content. Commonly used to block PII in outputs to prevent data leakage" },
1472
1499
  { "key": "pii_count", "type": "number", "required": false, "description": "Total number of PII matches found (emails, phone numbers, SSNs, etc.)" },
1473
1500
  { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types detected (e.g., [\'email\', \'phone\', \'ssn\', \'credit_card\']). Use .contains() to block specific sensitive types" },
1501
+ { "key": "pii_confidence", "type": "number", "required": false, "description": "PII detection ML classifier confidence (0-100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss. Typical threshold: >=80 for high-confidence blocking" },
1502
+ { "key": "highest_severity", "type": "string", "required": false, "description": "Highest severity level across all detection engines: \'critical\', \'high\', \'medium\', \'low\', or \'none\'. Use for severity-based catch-all policies (e.g., block any content flagged as critical)" },
1474
1503
  { "key": "violence_score", "type": "number", "required": false, "description": "ML-based score for violent content references (0-100). Typical threshold: >90 for critical blocks, >60 for warnings" },
1475
1504
  { "key": "hate_speech_score", "type": "number", "required": false, "description": "ML-based score for hate speech, discriminatory language, or targeted harassment (0-100). Typical threshold: >75 for blocks" },
1476
1505
  { "key": "sexual_score", "type": "number", "required": false, "description": "ML-based score for sexual or adult content (0-100). Adjust thresholds based on your application\'s audience" },
@@ -1567,6 +1596,8 @@ export const GUARDRAILS_CONTEXT = {
1567
1596
  { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in tool arguments" },
1568
1597
  { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII was detected in tool arguments or content" },
1569
1598
  { "key": "pii_types", "type": "array", "required": false, "description": "Array of PII types found in tool arguments" },
1599
+ { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII pattern matches in tool arguments or content. Use >=3 to detect bulk PII exposure indicating data dumps or CSV pastes" },
1600
+ { "key": "pii_confidence", "type": "number", "required": false, "description": "PII detection ML classifier confidence for tool content (0-100). Catches novel PII patterns that escape regex detection" },
1570
1601
  { "key": "injection_confidence", "type": "number", "required": false, "description": "Combined prompt injection confidence in tool arguments (0-100). MAX of all detector scores (Pulse + DeepContext). Use injection_pulse_score / injection_deep_context_score for individual detector control" },
1571
1602
  { "key": "injection_pulse_score", "type": "number", "required": false, "description": "Highflame single-turn classifier score for prompt injection in tool arguments (0-100). Raw score from Pulse detector before combination with deep-context" },
1572
1603
  { "key": "injection_deep_context_score", "type": "number", "required": false, "description": "DeepContext multi-turn analyzer score for prompt injection in tool arguments (0-100). Tracks injection patterns across tool call history" },
@@ -1594,6 +1625,11 @@ export const GUARDRAILS_CONTEXT = {
1594
1625
  { "key": "encoded_types", "type": "array", "required": false, "description": "Array of encoding types detected in tool arguments (e.g., [\'base64\', \'hex\'])" },
1595
1626
  { "key": "encoded_count", "type": "number", "required": false, "description": "Number of encoded segments found in tool arguments" },
1596
1627
  { "key": "encoded_score", "type": "number", "required": false, "description": "Risk score for encoded injection in tool arguments (0-100)" },
1628
+ { "key": "path", "type": "string", "required": false, "description": "File path targeted by the tool call (if file operation). Use for path-based blocking of .env files, credential files, system directories, and credential directories" },
1629
+ { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Whether invisible Unicode characters (zero-width, bidi overrides, tag characters) were detected in tool arguments. Tool args should be plain text — invisible chars indicate payload injection" },
1630
+ { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Invisible character attack severity score in tool arguments (0-100)" },
1631
+ { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect prompt injection risk score (0-100) — injection via tool outputs, retrieved documents, or external content. Use >=70 for general blocking, >=50 for sensitive tools" },
1632
+ { "key": "indirect_injection_type", "type": "string", "required": false, "description": "Type of indirect injection detected in tool content (e.g., instruction override, authority hijack)" },
1597
1633
  { "key": "rug_pull_type", "type": "string", "required": false, "description": "Type of rug pull detected: \'risk_spike\' (sudden risk increase), \'pattern_change\' (behavioral shift), \'combined\', or \'none\'" },
1598
1634
  { "key": "conversation_turn", "type": "number", "required": false, "description": "Current conversation turn number for the agentic session" },
1599
1635
  { "key": "multi_turn_detection", "type": "boolean", "required": false, "description": "Whether multi-turn injection patterns were detected across tool calls in the session" },
@@ -1623,6 +1659,7 @@ export const GUARDRAILS_CONTEXT = {
1623
1659
  "context_attributes": [
1624
1660
  { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
1625
1661
  { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
1662
+ { "key": "path", "type": "string", "required": false, "description": "File path being read. Use for path-based access control policies (e.g., block .env files, system directories, credential directories)" },
1626
1663
  { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in the file content being read" },
1627
1664
  { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found in file content. Multiple matches may indicate data dumps or accidental credential exposure" },
1628
1665
  { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in file content" },
@@ -1657,6 +1694,9 @@ export const GUARDRAILS_CONTEXT = {
1657
1694
  "context_attributes": [
1658
1695
  { "key": "request_id", "type": "string", "required": true, "description": "Unique identifier for this request" },
1659
1696
  { "key": "timestamp", "type": "number", "required": true, "description": "Unix timestamp in milliseconds" },
1697
+ { "key": "path", "type": "string", "required": false, "description": "File path being written. Use for path-based blocking policies (e.g., block writes to .env files, credential directories)" },
1698
+ { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Whether invisible Unicode characters (zero-width, bidi overrides, tag characters) were detected in the content being written. Prevents persistence of invisible payloads in source code" },
1699
+ { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Invisible character attack severity score (0-100) in write content" },
1660
1700
  { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets were detected in the content being written. Block writes containing credentials" },
1661
1701
  { "key": "secret_count", "type": "number", "required": false, "description": "Total number of secret matches found in write content. Multiple matches may indicate data dumps or accidental credential exposure" },
1662
1702
  { "key": "secret_types", "type": "array", "required": false, "description": "Array of secret types found in write content" },
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@highflame/policy",
3
- "version": "2.1.7",
3
+ "version": "2.1.8",
4
4
  "description": "Highflame Cedar policy types and engine wrapper",
5
5
  "readme": "README.md",
6
6
  "main": "dist/index.js",