@highflame/policy 2.1.7 → 2.1.9

package/_schemas/guardrails/context.json

@@ -115,6 +115,18 @@
           "required": false,
           "description": "Array of PII types detected (e.g., ['email', 'phone', 'ssn', 'credit_card']). Use .contains() to block specific sensitive types"
         },
+        {
+          "key": "pii_confidence",
+          "type": "number",
+          "required": false,
+          "description": "PII detection ML classifier confidence (0-100). Catches novel PII patterns including names, addresses, and identifiers that regex rules may miss. Typical threshold: >=80 for high-confidence blocking"
+        },
+        {
+          "key": "highest_severity",
+          "type": "string",
+          "required": false,
+          "description": "Highest severity level across all detection engines: 'critical', 'high', 'medium', 'low', or 'none'. Use for severity-based catch-all policies (e.g., block any content flagged as critical)"
+        },
         {
           "key": "violence_score",
           "type": "number",
@@ -661,6 +673,18 @@
           "required": false,
           "description": "Array of PII types found in tool arguments"
         },
+        {
+          "key": "pii_count",
+          "type": "number",
+          "required": false,
+          "description": "Number of PII pattern matches in tool arguments or content. Use >=3 to detect bulk PII exposure indicating data dumps or CSV pastes"
+        },
+        {
+          "key": "pii_confidence",
+          "type": "number",
+          "required": false,
+          "description": "PII detection ML classifier confidence for tool content (0-100). Catches novel PII patterns that escape regex detection"
+        },
         {
           "key": "injection_confidence",
           "type": "number",
@@ -823,6 +847,36 @@
           "required": false,
           "description": "Risk score for encoded injection in tool arguments (0-100)"
         },
+        {
+          "key": "path",
+          "type": "string",
+          "required": false,
+          "description": "File path targeted by the tool call (if file operation). Use for path-based blocking of .env files, credential files, system directories, and credential directories"
+        },
+        {
+          "key": "contains_invisible_chars",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether invisible Unicode characters (zero-width, bidi overrides, tag characters) were detected in tool arguments. Tool args should be plain text — invisible chars indicate payload injection"
+        },
+        {
+          "key": "invisible_chars_score",
+          "type": "number",
+          "required": false,
+          "description": "Invisible character attack severity score in tool arguments (0-100)"
+        },
+        {
+          "key": "indirect_injection_score",
+          "type": "number",
+          "required": false,
+          "description": "Indirect prompt injection risk score (0-100) — injection via tool outputs, retrieved documents, or external content. Use >=70 for general blocking, >=50 for sensitive tools"
+        },
+        {
+          "key": "indirect_injection_type",
+          "type": "string",
+          "required": false,
+          "description": "Type of indirect injection detected in tool content (e.g., instruction override, authority hijack)"
+        },
         {
           "key": "rug_pull_type",
           "type": "string",
@@ -967,6 +1021,12 @@
           "required": true,
           "description": "Unix timestamp in milliseconds"
         },
+        {
+          "key": "path",
+          "type": "string",
+          "required": false,
+          "description": "File path being read. Use for path-based access control policies (e.g., block .env files, system directories, credential directories)"
+        },
         {
           "key": "contains_secrets",
           "type": "boolean",
@@ -1141,6 +1201,24 @@
           "required": true,
           "description": "Unix timestamp in milliseconds"
         },
+        {
+          "key": "path",
+          "type": "string",
+          "required": false,
+          "description": "File path being written. Use for path-based blocking policies (e.g., block writes to .env files, credential directories)"
+        },
+        {
+          "key": "contains_invisible_chars",
+          "type": "boolean",
+          "required": false,
+          "description": "Whether invisible Unicode characters (zero-width, bidi overrides, tag characters) were detected in the content being written. Prevents persistence of invisible payloads in source code"
+        },
+        {
+          "key": "invisible_chars_score",
+          "type": "number",
+          "required": false,
+          "description": "Invisible character attack severity score (0-100) in write content"
+        },
         {
           "key": "contains_secrets",
           "type": "boolean",

package/_schemas/guardrails/schema.cedarschema

@@ -113,6 +113,10 @@ namespace Guardrails {
         "pii_detected"?: Bool,
         "pii_count"?: Long,
         "pii_types"?: Set<String>,       // ["email", "phone", "ssn", "credit_card", ...]
+        "pii_confidence"?: Long,         // PII ML classifier confidence (0-100) — catches novel PII patterns that escape regex detection
+
+        // Threat Severity Aggregation (optional)
+        "highest_severity"?: String,     // Highest severity across all detectors: "critical" | "high" | "medium" | "low" | "none"
 
         // Trust & Safety - Toxicity (optional)
         "violence_score"?: Long,         // 0-100
@@ -225,7 +229,7 @@ namespace Guardrails {
 
         // Agentic - Behavioral Patterns (optional)
         "suspicious_pattern"?: Bool,
-        "pattern_type"?: String,         // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "none"
+        "pattern_type"?: String,         // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "credential_theft" | "destructive_sequence" | "none"
         "sequence_risk"?: Long,          // 0-100
 
         // Agentic - Loop Detection (optional)
@@ -247,6 +251,8 @@ namespace Guardrails {
         "secret_types"?: Set<String>,
         "pii_detected"?: Bool,
         "pii_types"?: Set<String>,
+        "pii_count"?: Long,              // Number of PII pattern matches in tool content
+        "pii_confidence"?: Long,         // PII ML classifier confidence (0-100)
         "injection_confidence"?: Long,
         "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
         "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
@@ -267,6 +273,13 @@ namespace Guardrails {
         "cross_origin_type"?: String,
         "cross_origin_score"?: Long,             // 0-100
 
+        // File & Path (optional — for path-based access control policies)
+        "path"?: String,                         // File path when tool operates on files
+
+        // Security - Invisible Character Detection in tool args (optional)
+        "contains_invisible_chars"?: Bool,       // Whether invisible Unicode chars detected in tool args
+        "invisible_chars_score"?: Long,          // Invisible character attack severity (0-100)
+
         // Security - Encoded Injection (optional)
         "encoded_content_detected"?: Bool,
         "encoded_types"?: Set<String>,
@@ -281,6 +294,10 @@ namespace Guardrails {
         "rug_pull_score"?: Long,                 // 0-100
         "rug_pull_type"?: String,                // "risk_spike" | "pattern_change" | "combined" | "none"
 
+        // Agentic - Indirect Prompt Injection (optional — injection via tool outputs/retrieved content)
+        "indirect_injection_score"?: Long,       // Indirect injection risk score (0-100)
+        "indirect_injection_type"?: String,      // Type of indirect injection detected
+
         // Agentic - MCP Risk (optional)
         "mcp_config_risk"?: Bool,
         "mcp_risk_type"?: String,                // "inline_execution" | "suspicious_url" | "cross_origin"
@@ -320,6 +337,9 @@ namespace Guardrails {
         "request_id": String,
         "timestamp": Long,
 
+        // File path (optional — for path-based access control policies)
+        "path"?: String,                 // File path being read
+
         // Security checks on file content (optional)
         "contains_secrets"?: Bool,
         "secret_count"?: Long,
@@ -362,6 +382,13 @@ namespace Guardrails {
         "request_id": String,
         "timestamp": Long,
 
+        // File path (optional — for path-based access control policies)
+        "path"?: String,                         // File path being written
+
+        // Security - Invisible Character Detection in write content (optional)
+        "contains_invisible_chars"?: Bool,       // Whether invisible Unicode chars detected in write content
+        "invisible_chars_score"?: Long,          // Invisible character attack severity (0-100)
+
         // Security checks on content being written (optional)
         "contains_secrets"?: Bool,
         "secret_count"?: Long,

package/_schemas/guardrails/templates/profiles/a2a_security/cross_origin.cedar

@@ -0,0 +1,105 @@
+// =============================================================================
+// A2A Security — Cross-Origin Trust Boundary Enforcement
+// =============================================================================
+// Detects and blocks confused deputy attacks where an agent from one trust
+// domain attempts to operate in another. Cross-origin violations occur when:
+//   - An agent proxies requests across security domains
+//   - Mixed-security tool chains span trust boundaries
+//   - URL injection redirects agent communication to untrusted origins
+//
+// Key A2A distinction from MAS: In multi-agent systems (shared orchestrator),
+// cross-origin is unlikely because all agents share a trust context. In A2A
+// (independent agents, separate trust domains), cross-origin is the PRIMARY
+// signal that trust boundaries are being violated.
+//
+// Shield cross-origin detector outputs discrete scores:
+//   90 — mixed localhost + external domain
+//   85 — URL injection in parameters
+//   80 — proxy/redirect patterns
+//   75 — multi-origin tool configs / JSON origin fields
+//   70 — mixed HTTP/HTTPS or ws/wss schemes
+//   65 — JSON arrays with multiple URLs
+//   60 — generic multi-domain patterns
+//
+// Compliance:
+//   OWASP LLM08 (Excessive Agency)
+//   OWASP ASI03 (Excessive Permissions)
+//   MITRE ATLAS AML.T0051.002 (Indirect Prompt Injection via delegation)
+//   NIST 800-53 AC-4 (Information Flow Enforcement)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// Block high-confidence cross-origin for any agent
+@id("a2a-cross-origin-block-critical")
+@name("Block critical cross-origin from any agent")
+@description("Block all agent requests when cross-origin trust boundary violation score exceeds 80. High-confidence cross-origin signals (mixed localhost/external, URL injection, proxy redirects) indicate confused deputy attacks regardless of agent trust level.")
+@severity("critical")
+@tags("profile,a2a-security,cross-origin,confused-deputy,trust-boundary,owasp-llm08")
+@reject_message("Request blocked: high-confidence cross-origin trust boundary violation detected (score >= 80). An external agent or service is attempting to operate across trust domains. Review the origin chain before retrying.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 80
+};
+
+// Block cross-origin from unverified agents at any signal level
+@id("a2a-cross-origin-block-unverified")
+@name("Block cross-origin from unverified agents")
+@description("Unverified agents are blocked from any cross-origin activity at the lowest meaningful detection threshold (score >= 60). Cross-origin from an unverified source is a strong confused deputy indicator — the agent has no attestation AND is crossing trust boundaries.")
+@severity("high")
+@tags("profile,a2a-security,cross-origin,unverified,trust-boundary,owasp-asi03")
+@reject_message("Request blocked: cross-origin activity detected from an unverified agent. Unverified agents cannot operate across trust boundaries. Register the agent or use a verified agent.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"process_prompt", Guardrails::Action::"call_tool"],
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 60
+};
+
+// Block cross-origin MCP server connections from non-first-party agents
+@id("a2a-cross-origin-block-server-connect")
+@name("Block cross-origin MCP server connections")
+@description("Non-first-party agents cannot connect to MCP servers when cross-origin signals are present (score >= 65). Server-level cross-origin has wide blast radius — a single compromised connection exposes all tools on that server.")
+@severity("critical")
+@tags("profile,a2a-security,cross-origin,mcp,server,trust-boundary,nist-ac-4")
+@reject_message("MCP server connection blocked: cross-origin trust violation detected. Non-first-party agents cannot connect to MCP servers when cross-origin signals are present.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 65
+};
+
+// Block cross-origin tool calls on sensitive tools from any agent
+@id("a2a-cross-origin-block-sensitive-tools")
+@name("Block cross-origin on sensitive tools")
+@description("Any agent attempting to call sensitive tools while cross-origin signals are present (score >= 60) is blocked. Sensitive tools (write_file, http_post, send_email) amplify the impact of confused deputy attacks — an agent crossing trust boundaries should not have access to high-impact operations.")
+@severity("high")
+@tags("profile,a2a-security,cross-origin,sensitive-tools,confused-deputy,owasp-llm08")
+@reject_message("Sensitive tool execution blocked: cross-origin trust violation detected. Tool calls to sensitive tools are blocked when cross-origin signals are present from agent requests.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id != "" &&
+    context has cross_origin_detected && context.cross_origin_detected == true &&
+    context has cross_origin_score && context.cross_origin_score >= 60 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};

package/_schemas/guardrails/templates/profiles/a2a_security/escalation_detection.cedar

@@ -0,0 +1,113 @@
+// =============================================================================
+// A2A Security — Escalation Detection & Circuit Breakers
+// =============================================================================
+// Detects progressive capability escalation across agent turns and applies
+// session-level circuit breakers tuned for adversarial A2A communication:
+//
+// 1. SESSION PEAK SCORES: When the maximum injection or jailbreak score
+//    across all prior turns exceeds 70, non-first-party agents are restricted.
+//    Unlike MAS boolean flags, A2A uses numeric peaks for graduated response.
+//
+// 2. CUMULATIVE RISK CIRCUIT BREAKER: When accumulated risk across turns
+//    exceeds 150, sensitive tools are blocked for non-first-party agents.
+//    Lower threshold than MAS (200) because cross-system communication has
+//    higher adversarial surface area.
+//
+// 3. THREAT TURN ESCALATION: After 3+ turns with detected threats, unverified
+//    agents are fully locked out. This catches turn-by-turn probing attacks
+//    where an attacker incrementally tests boundaries.
+//
+// Key A2A distinction: In MAS, the orchestrator can reset or contain sessions.
+// In A2A, independent agents have no shared circuit breaker, so policy must
+// enforce escalation detection at the evaluation layer.
+//
+// Compliance:
+//   OWASP LLM01 (Prompt Injection) — multi-turn variant
+//   MITRE ATLAS AML.T0051 (LLM Prompt Injection)
+//   NIST 800-53 SI-4 (System Monitoring)
+//   NIST 800-53 IR-4 (Incident Handling)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Session Peak Score Monitoring
+// -----------------------------------------------------------------------------
+
+// Block non-first-party agents when session injection peak is high
+@id("a2a-session-injection-peak-block")
+@name("Block agents when session injection peak is high")
+@description("Block non-first-party agents from tool calls and prompt processing when the maximum injection score across all prior turns exceeds 70. Unlike MAS policies that use boolean session_injection_detected, A2A uses the numeric peak score for graduated response — a session with a prior score of 75 is more dangerous than one with 45, even though both set the boolean flag.")
+@severity("critical")
+@tags("profile,a2a-security,escalation,session-peak,injection,owasp-lml01,nist-si-4")
+@reject_message("Request blocked: this session has a prior injection detection peak of 70+. Non-first-party agents are restricted after high injection signals to prevent progressive capability escalation.")
+forbid (
+    principal is Guardrails::Agent,
+    action in [Guardrails::Action::"call_tool", Guardrails::Action::"process_prompt"],
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has session_max_injection_score && context.session_max_injection_score >= 70
+};
+
+// Block non-first-party agents when session jailbreak peak is high
+@id("a2a-session-jailbreak-peak-block")
+@name("Block agents when session jailbreak peak is high")
+@description("Block non-first-party agents from prompt processing when the maximum jailbreak score across all prior turns exceeds 70. A high jailbreak peak indicates the session's guardrails may have been partially eroded — subsequent agent requests in this session should be treated as potentially manipulated.")
+@severity("critical")
+@tags("profile,a2a-security,escalation,session-peak,jailbreak,owasp-lml01,nist-si-4")
+@reject_message("Request blocked: this session has a prior jailbreak detection peak of 70+. Non-first-party agents are restricted after high jailbreak signals to prevent progressive manipulation.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"process_prompt",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has session_max_jailbreak_score && context.session_max_jailbreak_score >= 70
+};
+
+// -----------------------------------------------------------------------------
+// Cumulative Risk Circuit Breaker
+// -----------------------------------------------------------------------------
+
+// Lock down non-first-party agents at high cumulative risk
+@id("a2a-cumulative-risk-agent-lockdown")
+@name("Lock down non-first-party agents at high cumulative risk")
+@description("Block non-first-party agents from sensitive tools when cumulative session risk exceeds 150. Lower threshold than MAS (200) because A2A sessions with cross-system agents should trip the circuit breaker earlier — independent agents cannot coordinate session recovery the way an orchestrator can.")
+@severity("high")
+@tags("profile,a2a-security,escalation,cumulative-risk,circuit-breaker,nist-ir-4")
+@reject_message("Sensitive tool blocked: session cumulative risk exceeds 150. Non-first-party agents are restricted from sensitive tools in elevated-risk sessions to prevent progressive capability gain.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level != "first_party" &&
+    context has session_cumulative_risk_score && context.session_cumulative_risk_score > 150 &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// -----------------------------------------------------------------------------
+// Threat Turn Escalation — Probing Detection
+// -----------------------------------------------------------------------------
+
+// Block unverified agents after repeated threat turns
+@id("a2a-threat-turn-escalation-block")
+@name("Block unverified agents after repeated threat turns")
+@description("Block unverified agents from all tool calls after 3+ threat turns are detected in the session. Lower threshold than MAS (5) because repeated threats from an unverified agent's session indicate adversarial probing — the attacker is incrementally testing boundaries. Three threat turns is sufficient evidence of active reconnaissance.")
+@severity("critical")
+@tags("profile,a2a-security,escalation,threat-turns,probing,unverified,nist-ir-4")
+@reject_message("Tool execution blocked: 3+ threat turns detected in this session. Unverified agents are locked out after repeated threat signals to prevent adversarial escalation via turn-by-turn probing.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has session_threat_turns && context.session_threat_turns > 2
+};

package/_schemas/guardrails/templates/profiles/a2a_security/identity_enforcement.cedar

@@ -0,0 +1,118 @@
+// =============================================================================
+// A2A Security — Agent Identity Enforcement
+// =============================================================================
+// Enforces strict identity requirements for cross-system agent communication:
+//
+// 1. ANONYMOUS AGENT BLOCKING: Agents that claim agent_type but provide no
+//    agent_id are likely spoofed or misconfigured — blocked from tool calls.
+//
+// 2. FRAMEWORK REGISTRATION: Unverified agents must declare their framework
+//    (claude-code, langchain, crewai, etc.) for sensitive operations. Missing
+//    framework on unverified agents indicates an ad-hoc or rogue integration.
+//
+// 3. SERVER CONNECTION RESTRICTIONS: Unverified agents cannot establish new
+//    MCP server connections — limits blast radius of unknown agents.
+//
+// 4. AUTONOMOUS + UNVERIFIED = BLOCKED: The most dangerous combination is
+//    an autonomous agent with no verification. No human oversight AND no
+//    trust attestation means zero recovery if the agent is compromised.
+//
+// Key A2A distinction: In MAS, the orchestrator validates all sub-agents.
+// In A2A, each agent self-reports identity, so we must enforce identity
+// completeness and consistency at the policy layer.
+//
+// Compliance:
+//   OWASP ASI05 (Identity Spoofing)
+//   NIST 800-63 (Digital Identity Guidelines)
+//   NIST 800-53 IA-2 (Identification and Authentication)
+//   NIST 800-53 IA-8 (Identification and Authentication — Non-Organizational Users)
+//
+// Category: agent_identity
+// Namespace: Guardrails
+// =============================================================================
+
+// -----------------------------------------------------------------------------
+// Anonymous Agent Detection — Incomplete Identity
+// -----------------------------------------------------------------------------
+
+// Block agents with type but no ID from tool execution
+@id("a2a-block-anonymous-agent-tools")
+@name("Block anonymous agents from tool execution")
+@description("Block tool calls from agents that declare an agent_type but have no agent_id. This pattern (type present, ID absent) indicates a spoofed or misconfigured agent identity — legitimate agents always have both. Human proxies are exempt because they represent authenticated users, not independent agents.")
+@severity("critical")
+@tags("profile,a2a-security,identity,anonymous,spoofing,owasp-asi05,nist-ia-2")
+@reject_message("Tool execution blocked: agent identity is required for A2A tool calls. This request has an agent type but no agent ID, indicating an improperly configured or spoofed agent identity.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_id && context.agent_id == "" &&
+    context has agent_type && context.agent_type != "" &&
+    context.agent_type != "human_proxy"
+};
+
+// -----------------------------------------------------------------------------
+// Framework Registration — Unverified Agent Restrictions
+// -----------------------------------------------------------------------------
+
+// Block unregistered framework unverified agents from sensitive tools
+@id("a2a-block-unregistered-framework")
+@name("Block unregistered frameworks from sensitive tools")
+@description("Block unverified agents with no declared framework from calling sensitive tools. In A2A, agent_framework identifies the SDK/runtime (claude-code, langchain, crewai, autogen). An unverified agent with no framework declaration is a black-box integration — it cannot be audited, patched, or trusted with sensitive operations.")
+@severity("high")
+@tags("profile,a2a-security,identity,framework,unverified,sensitive-tools,nist-ia-8")
+@reject_message("Sensitive tool blocked: unverified agent with no registered framework attempted to call a sensitive tool. Agents must declare their framework (e.g., claude-code, langchain, crewai) for A2A sensitive operations.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_framework && context.agent_framework == "" &&
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has tool_is_sensitive && context.tool_is_sensitive == true
+};
+
+// -----------------------------------------------------------------------------
+// Server Connection Restrictions
+// -----------------------------------------------------------------------------
+
+// Block unverified agents from establishing MCP server connections
+@id("a2a-block-unverified-server-connect")
+@name("Block unverified agents from MCP server connections")
+@description("Unverified agents cannot establish new MCP server connections in A2A mode. Each server connection expands the agent's capability surface — unverified agents should use only pre-established connections from the orchestrator or host application.")
+@severity("high")
+@tags("profile,a2a-security,identity,unverified,mcp,server,nist-ia-8")
+@reject_message("MCP server connection blocked: unverified agents cannot establish new MCP server connections in A2A mode. Register the agent as verified_third_party or first_party to enable server connections.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"connect_server",
+    resource
+)
+when {
+    context has agent_trust_level && context.agent_trust_level == "unverified" &&
+    context has agent_id && context.agent_id != ""
+};
+
+// -----------------------------------------------------------------------------
+// Dangerous Combinations — Maximum Risk
+// -----------------------------------------------------------------------------
+
+// Block unverified autonomous agents from all tool calls
+@id("a2a-block-autonomous-unverified")
+@name("Block unverified autonomous agents from all tool calls")
+@description("The combination of autonomous (no human oversight) and unverified (no trust attestation) is the most dangerous agent configuration. If compromised, there is no human to catch anomalies and no verification to limit blast radius. These agents are unconditionally blocked from all tool execution in A2A workflows.")
+@severity("critical")
+@tags("profile,a2a-security,identity,autonomous,unverified,owasp-asi05,nist-ia-2")
+@reject_message("Tool execution blocked: unverified autonomous agents are not permitted in A2A workflows. Autonomous agents operating without human oversight must be at least verified_third_party trust level.")
+forbid (
+    principal is Guardrails::Agent,
+    action == Guardrails::Action::"call_tool",
+    resource
+)
+when {
+    context has agent_type && context.agent_type == "autonomous" &&
+    context has agent_trust_level && context.agent_trust_level == "unverified"
+};