Policy Templates

Highflame ships a library of ready-to-use Cedar policy profiles covering the most common agent deployment patterns. Profiles are composed on top of a set of default policies that are always active — profiles extend and tighten the defaults for specific use cases rather than replacing them.

Architecture

Every Shield deployment has two policy layers:

┌─────────────────────────────────────────┐
│           Profile policies              │
│  (applied per deployment type/use case) │
├─────────────────────────────────────────┤
│           Default policies              │
│  (always active, not removable)         │
└─────────────────────────────────────────┘

Default policies provide the baseline — blocking the most severe threats across injection, secrets, PII, toxicity, tool risk, and agentic safety regardless of which profile is applied.

Profile policies add use-case-specific rules: tighter thresholds, additional threat categories, identity-aware gates, or session-level circuit breakers that the defaults do not cover.

Default policies

The following policies are active in every Shield deployment and cannot be disabled. They represent the minimum viable security posture.

Policy

Profiles

Six profiles are available. Apply one or more based on your deployment type. Profiles can be combined — for example, apply advanced_detection alongside code_agent to add ML-powered PII and secrets granularity on top of the code agent rules.

chat_assistant

Severity: High Best for: Customer-facing chatbots, consumer AI products, support agents

Designed for public-facing deployments where the user population is untrusted and content safety requirements are strict. Lowers injection and jailbreak thresholds below the defaults and adds bidirectional PII protection.

File

Rules

security.cedar

Injection block at confidence > 70 (vs. default ~80); jailbreak block at confidence > 65

privacy.cedar

PII blocked in both user inputs and assistant outputs

trust_safety.cedar

Toxicity blocked above 70; restricted topics blocked (weapons, illegal activity, controlled substances, financial fraud)

Apply:

client.policies.load_profile("chat_assistant/*")

code_agent

Severity: High Best for: AI coding assistants (Claude Code, Cursor, GitHub Copilot), code generation, IDE integrations

Comprehensive protection for agents that read and write files, execute shell commands, and interact with MCP servers. Covers path traversal to credential files, destructive operation sequences, encoding-based bypass attempts, and supply chain attacks via poisoned tool descriptions.

File

Rules

security.cedar

Blocks writing secrets to files

agentic_security.cedar

Dangerous tools (risk > 85), shell execution, sensitive tools (risk > 70), loop detection (> 5), exfiltration patterns, token budget overruns

path_security.cedar

Blocks .env* files; credential files (.netrc, .npmrc, .pypirc, cloud configs); system paths (/etc/*, /proc/*, /sys/*); credential paths (.ssh/*, .aws/*, .azure/*, *.pem, id_rsa*); destructive operations

encoding.cedar

Blocks tool arguments and file writes containing invisible Unicode characters

supply_chain.cedar

MCP server poisoning (≥ 60); indirect injection from tool outputs (≥ 70, ≥ 50 for sensitive tools); credential theft chains; destructive sequences

Apply:

client.policies.load_profile("code_agent/*")

For full rule details, thresholds, and path patterns, see Setting Up Policies in the Code Agents section.

data_pipeline

Severity: Critical Best for: RAG pipelines, vector database agents, data processing workflows, ETL agents

Zero-tolerance posture for PII and secrets. RAG pipelines are particularly vulnerable to indirect injection — content retrieved from external documents can carry embedded instructions. Thresholds are lowered accordingly.

File

Rules

privacy.cedar

All PII blocked (strict); zero-tolerance for SSN, credit card, passport, medical ID, tax ID

security.cedar

All secrets blocked (strict); secrets blocked in pipeline outputs; injection block at confidence > 65 (lower than default for RAG)

agentic_security.cedar

Exfiltration patterns blocked; tool risk threshold lowered to > 60

Apply:

client.policies.load_profile("data_pipeline/*")

multi_agent

Severity: Critical Best for: Orchestrated multi-agent systems, agent networks with a shared orchestrator

Trust-tiered access control and cross-turn session circuit breakers for orchestrated deployments. See Multi-Agent Policies for full documentation.

File

Rules

agent_trust.cedar

Dangerous tools restricted to first-party; sensitive tools require verified minimum; autonomous agent injection/jailbreak thresholds lowered to 50; autonomous tool risk capped at 70; double-unverified MCP blocked

agent_safety.cedar

Post-PII network lockdown; post-secrets sensitive tool lockdown; post-injection unverified lockdown; post-command-injection full shell lockdown; cumulative risk circuit breakers at 200 and 500

Apply:

client.policies.load_profile("multi_agent/*")

a2a_security

Severity: Critical Best for: Independent peer-to-peer agent communication, agents operating without a central orchestrator

Identity-aware policies covering the attack surface unique to A2A deployments: confused deputy, indirect injection via another agent's outputs, supply chain attacks, and session escalation without an orchestrator to intervene. See A2A Policies for full documentation.

File

Rules

identity_enforcement.cedar

Anonymous agents blocked; unregistered frameworks blocked; autonomous + unverified unconditionally blocked

inter_agent_injection.cedar

Indirect injection (≥ 60); sensitive tools at lower threshold (≥ 40); multi-turn deep context (≥ 60); encoded payloads

cross_origin.cedar

Critical cross-origin (≥ 80) from any agent; unverified agents at lower threshold (≥ 60)

supply_chain.cedar

Tool poisoning (≥ 60); server poisoning (≥ 55); rug pull (≥ 70); credential theft chains

escalation_detection.cedar

Session injection peak (≥ 70); cumulative risk circuit breaker (> 150); threat turn lockout (≥ 3)

Apply:

client.policies.load_profile("a2a_security/*")

advanced_detection

Severity: Critical Best for: High-security environments, financial services, healthcare, regulated data workloads

Adds ML-powered granular detection for secrets and PII on top of any other profile. The defaults detect common patterns; advanced_detection adds type-specific blocking (AWS IAM keys, GCP service accounts, Azure secrets, SSH keys) and ML confidence gating on PII detection.

File

Rules

secrets.cedar

High-risk secret types blocked by format: AWS keys, GCP service accounts, Azure secrets, GitHub tokens, SSH private keys, database connection strings; bearer tokens, JWTs, OAuth secrets

pii.cedar

Bulk PII blocked (3+ matches = data dump); ML classifier confidence ≥ 80 required before block; PII in file reads and writes blocked

threat_severity.cedar

Any content flagged Critical severity by any detector is blocked unconditionally

Apply:

client.policies.load_profile("advanced_detection/*")

advanced_detection is designed to be combined with a use-case profile:

# Code agent with ML-enhanced detection
client.policies.load_profile("code_agent/*")
client.policies.load_profile("advanced_detection/*")

Applying profiles

Profiles are applied via the SDK, the API, or Highflame Studio.

from highflame.shield import GuardrailsClient

client = GuardrailsClient(api_key="...")

# Apply a full profile
client.policies.load_profile("code_agent/*")

# Apply a specific file within a profile
client.policies.load_profile("code_agent/path_security")

# Combine profiles
client.policies.load_profile("code_agent/*")
client.policies.load_profile("advanced_detection/*")

import { GuardrailsClient } from "@highflame/sdk";

const client = new GuardrailsClient({ apiKey: "..." });

// Apply a full profile
await client.policies.loadProfile("code_agent/*");

// Apply a specific file within a profile
await client.policies.loadProfile("code_agent/path_security");

// Combine profiles
await client.policies.loadProfile("code_agent/*");
await client.policies.loadProfile("advanced_detection/*");

In Highflame Studio → Shield → Policies, select Apply profile to pick from the available templates. Profile changes take effect on the next request with no redeploy required.

Profile selection guide

Deployment type

Recommended profile

Add-on

Customer-facing chatbot

chat_assistant

advanced_detection for regulated data

AI coding assistant

code_agent

advanced_detection for enterprise environments

RAG or data pipeline

data_pipeline

advanced_detection always recommended

Orchestrated multi-agent

multi_agent

advanced_detection for high-security

Peer-to-peer agent mesh

a2a_security

advanced_detection for high-security

General-purpose agent

Defaults only

Any profile to harden further

Custom policies

If none of the profiles covers your use case, write custom Cedar policies and load them alongside a profile. Custom rules are evaluated together with profile and default rules — the most restrictive applicable rule wins.

# Load a profile, then add a custom rule
client.policies.load_profile("code_agent/*")
client.policies.load_cedar("""
    @id("custom-block-proprietary-domain")
    forbid(principal, action, resource)
    when {
        context has destination_domain &&
        context.destination_domain == "competitor.com"
    };
""")

See the Cedar Cookbook for common custom policy patterns.

A2A Policies — detailed documentation for the a2a_security profile
Multi-Agent Policies — detailed documentation for the multi_agent profile
Cedar Cookbook — writing and tuning custom Cedar rules
Guardrail Evaluations — how profile rules are evaluated at runtime

PreviousGuardrail Evaluations NextChat Assistant

Last updated 1 month ago

Good evening

Architecture

Default policies

Profiles

chat_assistant

code_agent

data_pipeline

multi_agent

a2a_security

advanced_detection

Applying profiles

Profile selection guide

Custom policies

Related