# Policy Templates

Highflame ships a library of ready-to-use Cedar policy profiles covering the most common agent deployment patterns. Profiles are composed on top of a set of default policies that are always active — profiles extend and tighten the defaults for specific use cases rather than replacing them.

***

## Architecture

Every Shield deployment has two policy layers:

```
┌─────────────────────────────────────────┐
│           Profile policies              │
│  (applied per deployment type/use case) │
├─────────────────────────────────────────┤
│           Default policies              │
│  (always active, not removable)         │
└─────────────────────────────────────────┘
```

**Default policies** provide the baseline — blocking the most severe threats across injection, secrets, PII, toxicity, tool risk, and agentic safety regardless of which profile is applied.

**Profile policies** add use-case-specific rules: tighter thresholds, additional threat categories, identity-aware gates, or session-level circuit breakers that the defaults do not cover.

***

## Default policies

The following policies are active in every Shield deployment and cannot be disabled. They represent the minimum viable security posture.

| Policy                | Category          | What it enforces                                                                         |
| --------------------- | ----------------- | ---------------------------------------------------------------------------------------- |
| **Injection**         | security          | Blocks prompt injection and jailbreak above ML confidence threshold                      |
| **Secrets**           | security          | Blocks API keys, tokens, private keys, and credentials (16+ formats)                     |
| **PII**               | privacy           | Blocks SSNs, credit card numbers, passport numbers, and other personal identifiers       |
| **Toxicity**          | trust\_safety     | Blocks violent, hateful, sexual, and profane content                                     |
| **Tool risk**         | agentic\_security | Blocks dangerous tools, shell execution, and sensitive tools above risk threshold        |
| **Agentic safety**    | agentic\_security | Blocks agent loops, exfiltration patterns, tool poisoning, rug pull, and budget overruns |
| **Security patterns** | security          | Blocks command injection, path traversal, and SQL injection via regex patterns           |
| **Semantic**          | security          | Semantic content classification for contextual threat signals                            |
| **Agent identity**    | agent\_identity   | Base trust-level policies for agent identity                                             |
| **Baseline**          | organization      | Default permit policy — all profiles build on top of this                                |

***

## Profiles

Six profiles are available. Apply one or more based on your deployment type. Profiles can be combined — for example, apply `advanced_detection` alongside `code_agent` to add ML-powered PII and secrets granularity on top of the code agent rules.

***

### chat\_assistant

**Severity:** High **Best for:** Customer-facing chatbots, consumer AI products, support agents

Designed for public-facing deployments where the user population is untrusted and content safety requirements are strict. Lowers injection and jailbreak thresholds below the defaults and adds bidirectional PII protection.

| File                 | Rules                                                                                                                    |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| `security.cedar`     | Injection block at confidence > 70 (vs. default \~80); jailbreak block at confidence > 65                                |
| `privacy.cedar`      | PII blocked in both user inputs and assistant outputs                                                                    |
| `trust_safety.cedar` | Toxicity blocked above 70; restricted topics blocked (weapons, illegal activity, controlled substances, financial fraud) |

Apply:

```python
client.policies.load_profile("chat_assistant/*")
```

***

### code\_agent

**Severity:** High **Best for:** AI coding assistants (Claude Code, Cursor, GitHub Copilot), code generation, IDE integrations

Comprehensive protection for agents that read and write files, execute shell commands, and interact with MCP servers. Covers path traversal to credential files, destructive operation sequences, encoding-based bypass attempts, and supply chain attacks via poisoned tool descriptions.

| File                     | Rules                                                                                                                                                                                                                              |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `security.cedar`         | Blocks writing secrets to files                                                                                                                                                                                                    |
| `agentic_security.cedar` | Dangerous tools (risk > 85), shell execution, sensitive tools (risk > 70), loop detection (> 5), exfiltration patterns, token budget overruns                                                                                      |
| `path_security.cedar`    | Blocks `.env*` files; credential files (`.netrc`, `.npmrc`, `.pypirc`, cloud configs); system paths (`/etc/*`, `/proc/*`, `/sys/*`); credential paths (`.ssh/*`, `.aws/*`, `.azure/*`, `*.pem`, `id_rsa*`); destructive operations |
| `encoding.cedar`         | Blocks tool arguments and file writes containing invisible Unicode characters                                                                                                                                                      |
| `supply_chain.cedar`     | MCP server poisoning (≥ 60); indirect injection from tool outputs (≥ 70, ≥ 50 for sensitive tools); credential theft chains; destructive sequences                                                                                 |

Apply:

```python
client.policies.load_profile("code_agent/*")
```

For full rule details, thresholds, and path patterns, see [Setting Up Policies](/code-agents/setting-up-policies.md) in the Code Agents section.
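
The `path_security.cedar` and `encoding.cedar` rows above describe two checks that are easy to get subtly wrong: a path must be judged by the file it actually resolves to (after `..` collapsing), and "invisible" characters must be defined by Unicode category rather than a hand-picked list. The following Python is an added illustration of both checks, not Highflame's evaluator or its Cedar rules. The glob list is copied from the table; the workspace root, the use of general category `Cf` to define "invisible", and the tool-call shape are assumptions.

```python
"""Illustrative path and encoding checks in the style of the code_agent
profile's path_security.cedar and encoding.cedar rows. Added example, not
Highflame's engine: globs are from the table above, everything else is
assumed."""
import fnmatch
import posixpath
import unicodedata

# Path patterns from the path_security.cedar row. Absolute globs are matched
# against the resolved path; relative globs against every trailing segment.
BLOCKED_PATH_GLOBS = [
    ".env*", ".netrc", ".npmrc", ".pypirc",
    "/etc/*", "/proc/*", "/sys/*",
    ".ssh/*", ".aws/*", ".azure/*", "*.pem", "id_rsa*",
]


def find_invisible(text):
    """Return (index, code point, name) for every format character (Unicode
    general category Cf) in text. Cf covers zero-width characters, bidi
    overrides, the BOM, the soft hyphen and the U+E00xx tag characters."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def resolve(workspace, path):
    """Join a tool-supplied path to the (assumed) workspace root and collapse
    '..' so a traversal attempt is judged by the file it really reaches."""
    return posixpath.normpath(posixpath.join(workspace, path))


def blocked_path(workspace, path):
    """Return the first blocked glob the resolved path matches, else None."""
    full = resolve(workspace, path)
    parts = full.strip("/").split("/")
    tails = ["/".join(parts[i:]) for i in range(len(parts))]
    for glob in BLOCKED_PATH_GLOBS:
        if glob.startswith("/"):
            if fnmatch.fnmatchcase(full, glob):
                return glob
        elif any(fnmatch.fnmatchcase(t, glob) for t in tails):
            return glob
    return None


def check_tool_call(workspace, args):
    """Decide a file tool call: forbid on a blocked path or on an invisible
    character in any string argument, otherwise permit.
    Returns (decision, reasons)."""
    reasons = []
    for key, value in args.items():
        if isinstance(value, str):
            for idx, cp, name in find_invisible(value):
                reasons.append(f"encoding: {key}[{idx}] contains {cp} {name}")
    if isinstance(args.get("path"), str):
        glob = blocked_path(workspace, args["path"])
        if glob:
            reasons.append(
                f"path_security: {resolve(workspace, args['path'])} matches {glob}"
            )
    return ("forbid" if reasons else "permit", reasons)


if __name__ == "__main__":
    # Constructed tool calls against an assumed workspace root.
    for call in [
        {"path": "src/app.py", "content": "print('ok')"},
        {"path": "../../../etc/shadow"},
        {"path": "/home/dev/.ssh/id_rsa"},
        {"path": "README.md", "content": "safe\u202etext"},
    ]:
        print(check_tool_call("/work/repo", call))
```

Two caveats worth carrying into real rules: `fnmatch`'s `*` also matches `/`, so `*.pem` catches a key anywhere under the workspace, which is the conservative choice here; and category `Cf` includes ZWJ/ZWNJ, which are legitimate in emoji sequences and some scripts, so a rule that scans localized user-facing strings rather than code needs an allowlist for those two.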

***

### data\_pipeline

**Severity:** Critical **Best for:** RAG pipelines, vector database agents, data processing workflows, ETL agents

Zero-tolerance posture for PII and secrets. RAG pipelines are particularly vulnerable to indirect injection — content retrieved from external documents can carry embedded instructions. Thresholds are lowered accordingly.

| File                     | Rules                                                                                                                              |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
| `privacy.cedar`          | All PII blocked (strict); zero-tolerance for SSN, credit card, passport, medical ID, tax ID                                        |
| `security.cedar`         | All secrets blocked (strict); secrets blocked in pipeline outputs; injection block at confidence > 65 (lower than default for RAG) |
| `agentic_security.cedar` | Exfiltration patterns blocked; tool risk threshold lowered to > 60                                                                 |

Apply:

```python
client.policies.load_profile("data_pipeline/*")
```

***

### multi\_agent

**Severity:** Critical **Best for:** Orchestrated multi-agent systems, agent networks with a shared orchestrator

Trust-tiered access control and cross-turn session circuit breakers for orchestrated deployments. See [Multi-Agent Policies](/agent-authorization-and-control-shield/policy-templates/multi-agent-policies.md) for full documentation.

| File                 | Rules                                                                                                                                                                                                                |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `agent_trust.cedar`  | Dangerous tools restricted to first-party; sensitive tools require verified minimum; autonomous agent injection/jailbreak thresholds lowered to 50; autonomous tool risk capped at 70; double-unverified MCP blocked |
| `agent_safety.cedar` | Post-PII network lockdown; post-secrets sensitive tool lockdown; post-injection unverified lockdown; post-command-injection full shell lockdown; cumulative risk circuit breakers at 200 and 500                     |

Apply:

```python
client.policies.load_profile("multi_agent/*")
```

***

### a2a\_security

**Severity:** Critical **Best for:** Independent peer-to-peer agent communication, agents operating without a central orchestrator

Identity-aware policies covering the attack surface unique to A2A deployments: confused deputy, indirect injection via another agent's outputs, supply chain attacks, and session escalation without an orchestrator to intervene. See [A2A Policies](/agent-authorization-and-control-shield/policy-templates/a2a-policies.md) for full documentation.

| File                          | Rules                                                                                                                  |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| `identity_enforcement.cedar`  | Anonymous agents blocked; unregistered frameworks blocked; autonomous + unverified unconditionally blocked             |
| `inter_agent_injection.cedar` | Indirect injection (≥ 60); sensitive tools at lower threshold (≥ 40); multi-turn deep context (≥ 60); encoded payloads |
| `cross_origin.cedar`          | Critical cross-origin (≥ 80) from any agent; unverified agents at lower threshold (≥ 60)                               |
| `supply_chain.cedar`          | Tool poisoning (≥ 60); server poisoning (≥ 55); rug pull (≥ 70); credential theft chains                               |
| `escalation_detection.cedar`  | Session injection peak (≥ 70); cumulative risk circuit breaker (> 150); threat turn lockout (≥ 3)                      |

Apply:

```python
client.policies.load_profile("a2a_security/*")
```
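
What distinguishes the `agent_safety.cedar` rules of `multi_agent` and the `escalation_detection.cedar` rules of `a2a_security` from the per-request rules elsewhere on this page is that they carry state across turns: a turn that is harmless on its own is denied because of what the session has already seen. The following Python is an added illustration of that pattern for both profiles, not Highflame's engine or its Cedar rules. The numeric thresholds are the ones in the two tables; the detector scores, the session record, the per-turn risk contribution (`max(injection, tool_risk)`) and the score at which a turn counts as a "threat turn" are assumptions. The two-level 200/500 breaker of `multi_agent` is not modelled because the page does not say how the two levels differ.

```python
"""Cross-turn session circuit breakers in the style of multi_agent's
agent_safety.cedar and a2a_security's escalation_detection.cedar. Added
example with assumed scoring; thresholds are from the profile tables."""
from dataclasses import dataclass

THRESHOLDS = {
    "injection_peak": 70,    # a2a: session injection peak (>= 70)
    "cumulative_risk": 150,  # a2a: cumulative risk circuit breaker (> 150)
    "threat_turns": 3,       # a2a: threat turn lockout (>= 3)
}
THREAT_TURN_INJECTION = 50   # assumed: a turn at or above this score is a threat turn


@dataclass
class Session:
    """State accumulated over a session (assumed fields)."""
    cumulative_risk: int = 0
    injection_peak: int = 0
    threat_turns: int = 0
    pii_seen: bool = False
    secrets_seen: bool = False


@dataclass
class Turn:
    """Detector output for one request (constructed, 0-100 scores)."""
    injection: int = 0
    tool_risk: int = 0
    pii: bool = False
    secrets: bool = False
    network: bool = False         # this turn calls a network tool
    sensitive_tool: bool = False  # this turn calls a sensitive tool


def evaluate_turn(session, turn):
    """Fold one turn into the session, then return (decision, rules fired).
    Lockouts are sticky: once a session-level rule is satisfied it stays
    satisfied for every later turn in that session."""
    session.cumulative_risk += max(turn.injection, turn.tool_risk)
    session.injection_peak = max(session.injection_peak, turn.injection)
    if turn.injection >= THREAT_TURN_INJECTION:
        session.threat_turns += 1
    session.pii_seen = session.pii_seen or turn.pii
    session.secrets_seen = session.secrets_seen or turn.secrets

    fired = []
    if session.injection_peak >= THRESHOLDS["injection_peak"]:
        fired.append("session injection peak")
    if session.cumulative_risk > THRESHOLDS["cumulative_risk"]:
        fired.append("cumulative risk circuit breaker")
    if session.threat_turns >= THRESHOLDS["threat_turns"]:
        fired.append("threat turn lockout")
    if session.pii_seen and turn.network:
        fired.append("post-PII network lockdown")
    if session.secrets_seen and turn.sensitive_tool:
        fired.append("post-secrets sensitive tool lockdown")
    return ("forbid" if fired else "permit", fired)


def run_session(turns):
    """Replay turns through a fresh session; return one decision per turn."""
    session = Session()
    return [evaluate_turn(session, t) for t in turns]


# Constructed trace: each turn is below the per-turn thresholds, yet the
# third is denied by session history and the fourth trips two breakers.
SAMPLE_TURNS = [
    Turn(injection=55, tool_risk=20),               # turn 1: low-grade probe
    Turn(injection=60, tool_risk=30, pii=True),     # turn 2: PII observed
    Turn(injection=0, tool_risk=30, network=True),  # turn 3: benign alone
    Turn(injection=58, tool_risk=10),               # turn 4: third threat turn
]

if __name__ == "__main__":
    for i, (decision, fired) in enumerate(run_session(SAMPLE_TURNS), 1):
        print(f"turn {i}: {decision} {fired}")
```

Run with `python session_breakers.py` (assumed filename) and the third turn, a network call with no injection signal at all, is denied by the post-PII lockdown; the fourth is denied by the cumulative-risk breaker and the threat-turn lockout together, which is the escalation the `a2a_security` rules are there to catch when no orchestrator can intervene.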

***

### advanced\_detection

**Severity:** Critical **Best for:** High-security environments, financial services, healthcare, regulated data workloads

Adds ML-powered granular detection for secrets and PII on top of any other profile. The defaults detect common patterns; `advanced_detection` adds type-specific blocking (AWS IAM keys, GCP service accounts, Azure secrets, SSH keys) and ML confidence gating on PII detection.

| File                    | Rules                                                                                                                                                                                     |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `secrets.cedar`         | High-risk secret types blocked by format: AWS keys, GCP service accounts, Azure secrets, GitHub tokens, SSH private keys, database connection strings; bearer tokens, JWTs, OAuth secrets |
| `pii.cedar`             | Bulk PII blocked (3+ matches = data dump); ML classifier confidence ≥ 80 required before block; PII in file reads and writes blocked                                                      |
| `threat_severity.cedar` | Any content flagged Critical severity by any detector is blocked unconditionally                                                                                                          |

Apply:

```python
client.policies.load_profile("advanced_detection/*")
```

`advanced_detection` is designed to be combined with a use-case profile:

```python
# Code agent with ML-enhanced detection
client.policies.load_profile("code_agent/*")
client.policies.load_profile("advanced_detection/*")
```
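
The `secrets.cedar` and `pii.cedar` rows above combine three ideas: type-specific secret formats rather than generic entropy checks, a bulk rule (3+ PII matches is treated as a data dump), and an ML confidence gate (≥ 80) in front of single PII blocks to keep regex false positives from denying requests. The following Python is an added illustration of those rules, not Highflame's detectors or Cedar. The secret patterns are well-known public key formats, the sample inputs are constructed (the AWS key id is the one AWS uses in its own documentation), and the ML confidence is taken as an input rather than computed. It is an assumption that the bulk rule fires on count alone without waiting for the classifier.

```python
"""Typed secret detection, bulk-PII and ML-gated PII decisions in the style
of the advanced_detection profile. Added example with constructed inputs."""
import re

# High-risk secret types from the secrets.cedar row, matched by format.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("ssh_private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")),
    ("database_url", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@]+:[^\s@]+@\S+")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*")),
]

# PII candidates: SSN format with the invalid area/group/serial ranges
# excluded, and 13-19 digit card-like runs confirmed by the Luhn checksum.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

BULK_PII_MATCHES = 3   # pii.cedar: 3+ matches = data dump
ML_CONFIDENCE_GATE = 80  # pii.cedar: classifier confidence >= 80 before block


def luhn_ok(digits):
    """Luhn checksum over a string of digits."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_secrets(text):
    """Return [(type, matched text)] for every typed secret in text."""
    return [(name, m.group(0)) for name, pat in SECRET_PATTERNS for m in pat.finditer(text)]


def find_pii(text):
    """Return [(type, matched text)] for SSNs and Luhn-valid card numbers."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("credit_card", m.group(0)))
    return hits


def evaluate(text, pii_ml_confidence=0):
    """Any typed secret is forbidden outright. PII is forbidden on a bulk
    dump, or on fewer matches only when the ML gate is met (assumed split)."""
    reasons = [f"secrets: {kind}" for kind, _ in find_secrets(text)]
    pii = find_pii(text)
    if len(pii) >= BULK_PII_MATCHES:
        reasons.append(f"pii: bulk dump ({len(pii)} matches)")
    elif pii and pii_ml_confidence >= ML_CONFIDENCE_GATE:
        reasons.append(f"pii: {len(pii)} match(es) at confidence {pii_ml_confidence}")
    return ("forbid" if reasons else "permit", reasons)


# Constructed samples; the AWS key id is AWS's documented example value.
SAMPLES = {
    "aws": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "single_ssn": "Customer SSN on file: 123-45-6789",
    "dump": "123-45-6789\n234-56-7890\n4111 1111 1111 1111",
    "clean": "Order 2024-0001 shipped; tracking 1Z999AA10123456784",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, evaluate(text, pii_ml_confidence=60))
    print("single_ssn @85", evaluate(SAMPLES["single_ssn"], pii_ml_confidence=85))
```

The `single_ssn` sample shows the gate doing its job: at confidence 60 the lone regex hit is not enough to deny, at 85 it is. The `dump` sample is denied with no classifier input at all, because three matches in one payload is the bulk signal the rule exists for.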

***

## Applying profiles

Profiles are applied via the SDK, the API, or Highflame Studio.

{% tabs %}
{% tab title="Python" %}

```python
from highflame.shield import GuardrailsClient

client = GuardrailsClient(api_key="...")

# Apply a full profile
client.policies.load_profile("code_agent/*")

# Apply a specific file within a profile
client.policies.load_profile("code_agent/path_security")

# Combine profiles
client.policies.load_profile("code_agent/*")
client.policies.load_profile("advanced_detection/*")
```

{% endtab %}

{% tab title="TypeScript" %}

```typescript
import { GuardrailsClient } from "@highflame/sdk";

const client = new GuardrailsClient({ apiKey: "..." });

// Apply a full profile
await client.policies.loadProfile("code_agent/*");

// Apply a specific file within a profile
await client.policies.loadProfile("code_agent/path_security");

// Combine profiles
await client.policies.loadProfile("code_agent/*");
await client.policies.loadProfile("advanced_detection/*");
```

{% endtab %}
{% endtabs %}

In **Highflame Studio** → **Shield** → **Policies**, select **Apply profile** to pick from the available templates. Profile changes take effect on the next request with no redeploy required.

***

## Profile selection guide

| Deployment type          | Recommended profile | Add-on                                           |
| ------------------------ | ------------------- | ------------------------------------------------ |
| Customer-facing chatbot  | `chat_assistant`    | `advanced_detection` for regulated data          |
| AI coding assistant      | `code_agent`        | `advanced_detection` for enterprise environments |
| RAG or data pipeline     | `data_pipeline`     | `advanced_detection` always recommended          |
| Orchestrated multi-agent | `multi_agent`       | `advanced_detection` for high-security           |
| Peer-to-peer agent mesh  | `a2a_security`      | `advanced_detection` for high-security           |
| General-purpose agent    | Defaults only       | Any profile to harden further                    |

***

## Custom policies

If none of the profiles covers your use case, write custom Cedar policies and load them alongside a profile. Custom rules are evaluated together with profile and default rules — the most restrictive applicable rule wins.

```python
# Load a profile, then add a custom rule
client.policies.load_profile("code_agent/*")
client.policies.load_cedar("""
    @id("custom-block-proprietary-domain")
    forbid(principal, action, resource)
    when {
        context has destination_domain &&
        context.destination_domain == "competitor.com"
    };
""")
```

See the [Cedar Cookbook](/agent-authorization-and-control-shield/cedar-cookbook.md) for common custom policy patterns.
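
The composition described under Architecture (defaults always active, profiles tightening them) and in this section (custom rules evaluated together with both, most restrictive rule wins) follows Cedar's decision rule: a satisfied `forbid` overrides any `permit`, and with no satisfied `permit` the answer is deny. The following Python is an added toy model of that layering, not Highflame's engine and not Cedar; the rules are written as Python predicates over a request context. Thresholds follow the tables on this page (default injection block around 80, `chat_assistant` at 70, the `competitor.com` custom rule above). It also shows why the `context has destination_domain` guard in the custom rule matters: a condition that errors on a missing attribute does not satisfy the policy, so an unguarded `forbid` quietly stops applying.

```python
"""Toy model of two-layer policy composition (defaults + profile + custom)
with forbid-overrides-permit semantics. Added example, not Highflame's engine."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    id: str
    layer: str                      # "default" | "profile" | "custom"
    effect: str                     # "permit" | "forbid"
    applies: Callable[[dict], bool]  # condition over the request context


# Default layer: the Baseline permit and an injection block at ~80.
DEFAULT_RULES = [
    Rule("baseline-permit", "default", "permit", lambda ctx: True),
    Rule("default-injection", "default", "forbid",
         lambda ctx: ctx.get("injection_confidence", 0) > 80),
]

# chat_assistant profile layer: tighter injection threshold.
CHAT_ASSISTANT_RULES = [
    Rule("chat-injection", "profile", "forbid",
         lambda ctx: ctx.get("injection_confidence", 0) > 70),
]

# Custom layer: the rule from this section. `ctx.get` plays the role of the
# `context has destination_domain &&` guard.
CUSTOM_RULES = [
    Rule("custom-block-proprietary-domain", "custom", "forbid",
         lambda ctx: ctx.get("destination_domain") == "competitor.com"),
]

# The same rule without the guard: raises when the attribute is absent.
UNGUARDED_RULE = Rule("unguarded-block-proprietary-domain", "custom", "forbid",
                      lambda ctx: ctx["destination_domain"] == "competitor.com")


def authorize(rules, ctx):
    """Decision over all layers at once. Any satisfied forbid wins over any
    permit; no satisfied permit means deny. A rule whose condition raises is
    treated as not applying and reported, which mirrors Cedar surfacing such
    errors as diagnostics rather than as a denial.
    Returns (decision, determining rule ids, errors)."""
    permits, forbids, errors = [], [], []
    for r in rules:
        try:
            satisfied = r.applies(ctx)
        except (KeyError, TypeError) as exc:
            errors.append(f"{r.id}: {exc!r}")
            continue
        if satisfied:
            (permits if r.effect == "permit" else forbids).append(r.id)
    decision = "forbid" if forbids else ("permit" if permits else "forbid")
    return decision, forbids or permits, errors


def layered(profile_rules=(), custom_rules=()):
    """Compose the layers; the defaults are always present."""
    return [*DEFAULT_RULES, *profile_rules, *custom_rules]


if __name__ == "__main__":
    # Constructed request contexts.
    probe = {"injection_confidence": 75}
    print("defaults only:   ", authorize(layered(), probe))
    print("+ chat_assistant:", authorize(layered(CHAT_ASSISTANT_RULES), probe))
    egress = {"injection_confidence": 10, "destination_domain": "competitor.com"}
    print("+ custom rule:   ", authorize(layered(CHAT_ASSISTANT_RULES, CUSTOM_RULES), egress))
    print("unguarded, no domain attribute:",
          authorize(layered(custom_rules=[UNGUARDED_RULE]), {"injection_confidence": 10}))
```

The first two lines of output make the Architecture point concrete: a request at confidence 75 passes the defaults alone and is denied once `chat_assistant` is layered on, with the default rules untouched. The last line is the caveat: the unguarded custom rule produces an error and the request is permitted by the baseline, which is why the custom rules in this section, and in the Cedar Cookbook, test `context has` before reading an optional attribute.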

***

## Related

* [A2A Policies](/agent-authorization-and-control-shield/policy-templates/a2a-policies.md) — detailed documentation for the `a2a_security` profile
* [Multi-Agent Policies](/agent-authorization-and-control-shield/policy-templates/multi-agent-policies.md) — detailed documentation for the `multi_agent` profile
* [Cedar Cookbook](/agent-authorization-and-control-shield/cedar-cookbook.md) — writing and tuning custom Cedar rules
* [Guardrail Evaluations](/agent-authorization-and-control-shield/guardrails-policies/bounded-functional-units.md) — how profile rules are evaluated at runtime

