harn-stdlib 0.8.70

// std/security — prompt-injection defense configuration (Burin Layers 0/1).
//
// Scope: configure the runtime's spotlighting + lethal-trifecta gate. The
// substrate lives in the VM (`crate::security`): untrusted external tool/MCP
// output is framed as data, and exfiltration-capable tools are gated once
// untrusted content has entered context. This module is the thin Harn surface
// a host (Burin) calls from its resolved `[security]` config / feature flag;
// pipelines rarely need it.
//
// Import with:
//   import { configure, spotlight, strict, local_ml, off } from "std/security"
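/**
 * Push a security policy derived from `config` onto the runtime stack and
 * return the resolved summary. Recognised keys (all optional; safe defaults
 * are applied for any omitted):
 *
 *   - mode: "off" | "spotlight" | "strict" | "local-ml"
 *   - spotlight_external: bool       — frame untrusted output as data
 *   - trifecta_gate: bool            — gate exfil tools while tainted
 *   - pin_mcp_schemas: bool          — re-approve on tool-description change
 *   - gate_secret_reads: bool        — gate secret-file reads while tainted
 *   - detect_injection: bool         — score untrusted content with the
 *                                      injection classifier (implied by
 *                                      mode "local-ml")
 *   - guard_threshold_percent: int   — flag at/above this score percent (0..100)
 *   - guard_model: string            — injection-classifier model to load
 *                                      (`harn guard` catalog name or model
 *                                      directory); this is the key that
 *                                      `local_ml(model)` forwards
 *   - trusted_mcp_servers: [str]     — servers exempt from taint + pinning
 *
 * This function only forwards `config`; value validation and defaulting
 * happen in the VM substrate (`security_policy`).
 *
 * @effects: [state]
 * @allocation: heap
 * @errors: []
 * @api_stability: stable
 * @example: configure({ mode: "spotlight", trusted_mcp_servers: ["internal-docs"] })
 */
pub fn configure(config: dict = {}) -> dict {
  // Single choke point: every helper in this module ends up here.
  return security_policy(config)
}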

/**
 * Select the default posture (mode "spotlight"): untrusted external output is
 * framed as data and the lethal-trifecta gate is active. Returns the resolved
 * policy summary, exactly as `configure({mode: "spotlight"})` would.
 *
 * @effects: [state]
 * @allocation: heap
 * @errors: []
 * @api_stability: stable
 * @example: spotlight()
 */
pub fn spotlight() -> dict {
  return configure({mode: "spotlight"})
}

/**
 * Select mode "strict": everything "spotlight" does, plus per-line
 * datamarking of untrusted content. Returns the resolved policy summary,
 * exactly as `configure({mode: "strict"})` would.
 *
 * @effects: [state]
 * @allocation: heap
 * @errors: []
 * @api_stability: stable
 * @example: strict()
 */
pub fn strict() -> dict {
  return configure({mode: "strict"})
}

/**
 * Select mode "local-ml": spotlighting, the trifecta gate, and on-device
 * injection detection. Untrusted content is scored by the injection
 * classifier (the built-in heuristic by default, or a downloadable
 * `harn-guard` neural model when registered); a flagged score tightens the
 * trifecta gate.
 *
 * `model` names a `harn guard` catalog entry or a model directory and is
 * forwarded as the `guard_model` policy key; the host loads it lazily when
 * built with the guard inference backend. When `model` is empty the key is
 * omitted, so the host keeps its configured model (typically the ungated
 * default).
 *
 * @effects: [state]
 * @allocation: heap
 * @errors: []
 * @api_stability: stable
 * @example: local_ml()
 */
pub fn local_ml(model: string = "") -> dict {
  // Only emit `guard_model` when the caller actually chose one, so the
  // host's own model selection is not overridden by an empty string.
  if model != "" {
    return configure({mode: "local-ml", guard_model: model})
  }
  return configure({mode: "local-ml"})
}

/**
 * Select mode "off": no prompt-injection defense layer (spotlighting,
 * trifecta gate, and the rest) is applied for this run. Returns the resolved
 * policy summary, exactly as `configure({mode: "off"})` would.
 *
 * @effects: [state]
 * @allocation: heap
 * @errors: []
 * @api_stability: stable
 * @example: off()
 */
pub fn off() -> dict {
  return configure({mode: "off"})
}