Claim Vocabulary Reference

This document defines the standard claim names and types produced by all Lucid ClaimsAuditors. These claim names are used in Cedar policies via context.claims.<claim_name>.

Naming Convention

Claim names use flat, descriptive names with no dots:

<descriptive_name>

Examples: injection_risk, pii_found, toxic_content

In Cedar policies: context.claims.injection_risk.

Claim Types

| Type | Description | Value Range | Cedar Type |
|---|---|---|---|
| number | Numeric score | 0.0 to 1.0 (normalized) or raw | Long (scaled) |
| boolean | True/false | true / false | Bool |
| string | String value | Any string | String |
| string[] | List of strings | ["a", "b"] | Set<String> |

LLM Judge Auditor

Detects prompt injection, toxic content, PII, and output quality issues.

Security claims (from scan_security)

| Claim | Type | Description | Phase |
|---|---|---|---|
| injection_risk | number 0-1 | Prompt injection risk score | request |
| secret_leaked | boolean | Credentials or secrets detected | request |
| invisible_chars | boolean | Hidden zero-width Unicode characters detected | request |
| regex_matched | boolean | Custom blocked pattern matched | request |

Content policy claims (from scan_content)

| Claim | Type | Description | Phase |
|---|---|---|---|
| toxic_content | number 0-1 | Toxicity score (0 = safe, 1 = toxic) | request, response |
| banned_topic | boolean | Forbidden topic discussed | request |
| banned_phrase | boolean | Blocked phrase detected | request |
| competitor_mentioned | boolean | Competitor name referenced | request |
| negative_emotion | boolean | Angry, threatening, or distressed tone | request |
| language_allowed | boolean | Content is in an approved language | request |
| language_detected | string | Detected language code | request |
| sentiment | number 0-1 | Sentiment score (0 = negative, 1 = positive) | request |

Input quality claims (from scan_quality)

| Claim | Type | Description | Phase |
|---|---|---|---|
| pii_found | boolean | Personal information detected | request |
| code_detected | boolean | Source code present in input | request |
| gibberish | boolean | Nonsense or garbled text | request |
| token_limit_exceeded | boolean | Input exceeds max token limit | request |

Output quality claims (from scan_output)

| Claim | Type | Description | Phase |
|---|---|---|---|
| bias_detected | number 0-1 | Output bias score | response |
| factual_consistency | number 0-1 | Grounded in input (0 = not, 1 = fully) | response |
| malicious_url | boolean | Phishing or malicious links detected | response |
| response_relevant | number 0-1 | Response relevance to query | response |
| language_same | boolean | Response in same language as input | response |
| json_valid | boolean | JSON output is well-formed | response |
| response_refused | boolean | Model refused to answer | response |

Cedar Examples

// Block high injection risk
forbid(principal, action == Action::"invoke", resource)
when { context.claims.injection_risk > 0.7 };

// Block toxic content
forbid(principal, action == Action::"invoke", resource)
when { context.claims.toxic_content > 0.7 };

// Warn on moderate toxicity
@annotation("decision", "warn")
forbid(principal, action == Action::"invoke", resource)
when {
    context.claims.toxic_content > 0.4 &&
    context.claims.toxic_content <= 0.7
};

PII Compliance Auditor

Detects personally identifiable information and credentials using Presidio and detect-secrets.

| Claim | Type | Description | Phase |
|---|---|---|---|
| pii_found | boolean | Personal data detected | request, response |
| pii_types | string[] | PII entity types found (e.g., ["US_SSN", "EMAIL_ADDRESS"]) | request, response |
| pii_count | number | Number of PII entities found | request, response |
| pii_risk_score | number 0-1 | Severity-weighted PII exposure score | request, response |
| redaction_applied | boolean | PII successfully redacted | response |
| cross_border_transfer | boolean | Data leaving its jurisdiction | request |

Cedar Examples

// Block any PII exposure
forbid(principal, action == Action::"invoke", resource)
when { context.claims.pii_found == true }
unless { resource.has_pii_access == true };

// Block high-risk PII
forbid(principal, action == Action::"invoke", resource)
when { context.claims.pii_risk_score > 0.8 };

// Block secrets
forbid(principal, action == Action::"invoke", resource)
when { context.claims.secret_leaked == true };

Sovereignty Auditor

Data sovereignty verification via location attestation.

| Claim | Type | Description | Phase |
|---|---|---|---|
| detected_regions | string[] | Regions where processing was detected | request |
| location_confidence | number 0-1 | Confidence in location determination | request |
| encryption_protocol | string | Encryption protocol in use | request |

Cedar Examples

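// Require EU processing for GDPR
// detected_regions is a Set<String>, so membership is tested with .contains();
// Cedar's `in` operator is for entity hierarchy and errors on a string operand
forbid(principal, action == Action::"invoke", resource)
when { !context.claims.detected_regions.contains("EU") };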

// Require high location confidence
forbid(principal, action == Action::"invoke", resource)
when { context.claims.location_confidence < 0.9 };

Governance Auditor

Agentic workflow governance: rate limits, tool control, budget enforcement, and human-in-the-loop.

| Claim | Type | Description | Phase |
|---|---|---|---|
| rate_limited | boolean | Rate limit exceeded | request |
| tool_denied | boolean | Tool on blocklist | request |
| dangerous_tool | boolean | Dangerous tool (shell, delete, eval) | request |
| dangerous_params | boolean | Parameters contain injection patterns | request |
| tool_count | number | Tool calls this session | request |
| network_allowed | boolean | URL on approved list | request |
| file_path_allowed | boolean | File path on approved list | request |
| budget_exceeded | boolean | Cost/token budget exceeded | request |
| loop_exceeded | boolean | Agentic loop hit iteration/time limit | request |
| exfiltration_detected | boolean | Agent leaking secrets | response |
| requires_human_approval | boolean | Action needs human sign-off | request |
| action_approved | boolean | Shell/browser action is safe | request |
| action_risk | number 0-1 | Action risk score | request |

Cedar Examples

// Block rate-limited requests
forbid(principal, action == Action::"invoke", resource)
when { context.claims.rate_limited == true };

// Block dangerous tools
forbid(principal, action == Action::"invoke", resource)
when { context.claims.dangerous_tool == true };

// Escalate for human approval
@annotation("decision", "escalate")
forbid(principal, action == Action::"invoke", resource)
when { context.claims.requires_human_approval == true };

Fairness Auditor

Bias detection and fairness evaluation using Fairlearn.

| Claim | Type | Description | Phase |
|---|---|---|---|
| demographic_parity_diff | number 0-1 | Selection rate disparity across groups | response |
| demographic_parity_ratio | number 0-1 | 4/5ths rule ratio | response |
| equalized_odds_diff | number 0-1 | Error rate disparity across groups | response |
| equal_opportunity_diff | number 0-1 | True positive rate disparity | response |
| stereotype_detected | boolean | Stereotypical content found | response |

Cedar Examples

// Block if disparate impact (4/5ths rule)
forbid(principal, action == Action::"invoke", resource)
when { context.claims.demographic_parity_ratio < 0.8 };

// Warn on stereotype detection
@annotation("decision", "warn")
forbid(principal, action == Action::"invoke", resource)
when { context.claims.stereotype_detected == true };

Eval Auditor

Pre-deployment safety benchmarks using UK AISI Inspect framework.

| Claim | Type | Description | Phase |
|---|---|---|---|
| dangerous_knowledge | number 0-1 | Aggregate dangerous capability score (lower = safer) | artifact |
| dangerous_knowledge_bio | number 0-1 | Bioweapons knowledge score | artifact |
| dangerous_knowledge_cyber | number 0-1 | Cyberattack knowledge score | artifact |
| dangerous_knowledge_chem | number 0-1 | Chemical weapons knowledge score | artifact |
| truthfulness | number 0-1 | Aggregate truthfulness (higher = better) | artifact |
| truthfulness_mc1 | number 0-1 | Single-best-answer truthfulness | artifact |
| truthfulness_mc2 | number 0-1 | Multi-answer truthfulness | artifact |
| commonsense | number 0-1 | Common reasoning ability | artifact |
| factual_knowledge | number 0-1 | Factual accuracy (MMLU) | artifact |
| safety_score | number 0-1 | Weighted aggregate safety score | artifact |
| regression_detected | boolean | Model worse than baseline | artifact |
| required_benchmarks_complete | boolean | All mandatory benchmarks run | artifact |

Cedar Examples

// Block deployment if dangerous knowledge too high
forbid(principal, action == Action::"invoke", resource)
when {
    context.phase == "artifact" &&
    context.claims.dangerous_knowledge > 0.15
};

// Block if safety score too low
forbid(principal, action == Action::"invoke", resource)
when {
    context.phase == "artifact" &&
    context.claims.safety_score < 0.85
};

Red Team Auditor

Pre-deployment adversarial evaluation.

| Claim | Type | Description | Phase |
|---|---|---|---|
| jailbreak_resistance | number 0-1 | Resistance to jailbreak attacks | artifact |
| injection_resistance | number 0-1 | Resistance to instruction injection | artifact |
| data_leak_resistance | number 0-1 | Resistance to training data extraction | artifact |
| toxicity_resistance | number 0-1 | Resistance to eliciting toxic output | artifact |
| malware_resistance | number 0-1 | Resistance to malware generation | artifact |
| hallucination_resistance | number 0-1 | Resistance to confabulation under pressure | artifact |
| encoding_resistance | number 0-1 | Resistance to encoding bypass tricks | artifact |
| attack_success_rate | number 0-1 | Overall attack success fraction | artifact |
| critical_vulnerabilities | number | Count of critical (DEFCON 1-2) findings | artifact |
| high_vulnerabilities | number | Count of high (DEFCON 3) findings | artifact |
| categories_failed | string[] | Attack categories that succeeded | artifact |
| sleeper_detected | boolean | Hidden trigger behavior found | artifact |

Cedar Examples

// Block if critical vulnerabilities found
forbid(principal, action == Action::"invoke", resource)
when {
    context.phase == "artifact" &&
    context.claims.critical_vulnerabilities > 0
};

// Block if jailbreak resistance too low
forbid(principal, action == Action::"invoke", resource)
when {
    context.phase == "artifact" &&
    context.claims.jailbreak_resistance < 0.9
};

RAG Quality Auditor

Retrieval-augmented generation quality evaluation.

Runtime metrics (no reference needed)

| Claim | Type | Description | Phase |
|---|---|---|---|
| faithfulness | number 0-1 | Answer grounded in sources | response |
| answer_relevancy | number 0-1 | Answer addresses the question | response |
| context_precision | number 0-1 | Retrieved chunks are useful | response |
| noise_sensitivity | number 0-1 | Affected by irrelevant context | response |

Reference metrics (need ground truth)

| Claim | Type | Description | Phase |
|---|---|---|---|
| context_recall | number 0-1 | Retrieval found relevant passages | response |
| factual_correctness | number 0-1 | Facts are correct | response |
| semantic_similarity | number 0-1 | Meaning matches reference answer | response |

Structural claims

| Claim | Type | Description | Phase |
|---|---|---|---|
| context_available | boolean | Sources were provided | response |
| citation_accuracy | boolean | Citations are real, not fabricated | response |

Cedar Examples

// Warn on low faithfulness
@annotation("decision", "warn")
forbid(principal, action == Action::"invoke", resource)
when { context.claims.faithfulness < 0.7 };

// Block fabricated citations
forbid(principal, action == Action::"invoke", resource)
when { context.claims.citation_accuracy == false };

Watermark Auditor

LLM token watermarking and C2PA manifests for AI provenance.

| Claim | Type | Description | Phase |
|---|---|---|---|
| watermark_applied | boolean | Content was watermarked | response |
| watermark_detected | boolean | Watermark found in content | response |
| watermark_confidence | number 0-1 | Detection confidence | response |
| manifest_valid | boolean | C2PA manifest intact and unmodified | response |
| tampering_detected | boolean | Watermark removed or altered | response |

Cedar Examples

// Require watermarking on all outputs
forbid(principal, action == Action::"invoke", resource)
when { context.claims.watermark_applied != true };

// Block tampered content
forbid(principal, action == Action::"invoke", resource)
when { context.claims.tampering_detected == true };

Model Security Auditor

Model artifact scanning for unsafe formats, dangerous code, and supply chain verification.

| Claim | Type | Description | Phase |
|---|---|---|---|
| format_allowed | boolean | Model in approved file format | artifact |
| format_detected | string | Detected format (safetensors, pickle, etc.) | artifact |
| pickle_safe | boolean | Pickle file safe to load | artifact |
| pickle_severity | string | Fickling severity level | artifact |
| dangerous_code | string[] | Dangerous functions found (os.system, eval) | artifact |
| signature_valid | boolean | Cryptographic signature intact | artifact |
| signature_identity | string | Signer OIDC identity from Sigstore | artifact |
| license_allowed | boolean | Model license is approved | artifact |
| license_detected | string | Detected license | artifact |
| source_allowed | boolean | Model from approved source | artifact |

Cedar Examples

// Block unsafe pickle files
forbid(principal, action == Action::"invoke", resource)
when {
    context.phase == "artifact" &&
    context.claims.pickle_safe == false
};

// Require valid signature
forbid(principal, action == Action::"invoke", resource)
when {
    context.phase == "artifact" &&
    context.claims.signature_valid == false
};

NeMo Auditor

NVIDIA NeMo Guardrails integration for content safety and fact-checking.

| Claim | Type | Description | Phase |
|---|---|---|---|
| content_safe | boolean | Content passed NeMo safety check | request, response |
| jailbreak_detected | boolean | Jailbreak attempt detected | request |
| pii_detected | boolean | NeMo detected PII | request |
| injection_detected | boolean | Code injection detected (YARA) | request |
| fact_check_passed | boolean | Output passed NeMo fact-check | response |
| hallucination_score | number 0-1 | Hallucination degree | response |
| on_topic | boolean | Conversation staying on topic | response |
| response_blocked | boolean | NeMo blocked the response | response |

Cedar Examples

// Block unsafe content
forbid(principal, action == Action::"invoke", resource)
when { context.claims.content_safe == false };

// Block jailbreak attempts
forbid(principal, action == Action::"invoke", resource)
when { context.claims.jailbreak_detected == true };

Observability Auditor

Runtime telemetry and tracing with TEE-signed traces.

| Claim | Type | Description | Phase |
|---|---|---|---|
| cost_usd | number | Request cost in USD | execution |
| latency_ms | number | End-to-end latency in milliseconds | execution |
| token_count | number | Total tokens used | execution |
| error_rate | number 0-1 | System error rate | execution |
| tee_signed | boolean | Trace cryptographically signed | execution |

Cedar Examples

// Block if latency exceeds SLA
forbid(principal, action == Action::"invoke", resource)
when { context.claims.latency_ms > 30000 };

// Require TEE signing
forbid(principal, action == Action::"invoke", resource)
when { context.claims.tee_signed == false };

Provenance

Every claim carries an optional provenance field that records the detection settings used to produce it. The @claims decorator auto-stamps provenance from the method's keyword-only parameters (including any per-policy overrides from lucid_context["detection_overrides"]).

{
  "name": "injection_risk",
  "value": 0.82,
  "confidence": 0.95,
  "provenance": {
    "injection_threshold": 0.7
  }
}

Because detection settings are declared as @claims kwargs, each claim's ClaimDefinition carries a settings list of ClaimSettingDefinition objects describing the available detection parameters (type, default, UI metadata). This makes every claim fully self-describing — from the catalog to the attestation.

Provenance enables:

- Self-describing attestations -- verifiers can evaluate claims without config database access
- Policy auditability -- claims show both the score AND the detection settings that produced it
- Per-policy tuning -- different policies can override detection settings for the same claim
- Drift detection -- compare provenance across attestations to detect settings changes
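The drift-detection use of provenance can be sketched as follows. This is an added example, not Lucid's own code: it assumes an attestation is a list of claim objects in the JSON shape shown above, and the setting names `toxicity_threshold` and `min_entity_score` are hypothetical.

```python
# Constructed sample attestations (lists of claim objects in the JSON shape
# shown above; the list envelope is an assumption of this example).
BASELINE = [
    {"name": "injection_risk", "value": 0.82, "confidence": 0.95,
     "provenance": {"injection_threshold": 0.7}},
    {"name": "toxic_content", "value": 0.10, "confidence": 0.90,
     "provenance": {"toxicity_threshold": 0.7}},   # hypothetical setting
    {"name": "pii_found", "value": False, "confidence": 0.99},
]
LATEST = [
    {"name": "injection_risk", "value": 0.64, "confidence": 0.95,
     "provenance": {"injection_threshold": 0.9}},
    {"name": "toxic_content", "value": 0.12, "confidence": 0.90,
     "provenance": {"toxicity_threshold": 0.7}},
    {"name": "pii_found", "value": False, "confidence": 0.99,
     "provenance": {"min_entity_score": 0.5}},     # hypothetical setting
]


def provenance_by_claim(attestation):
    """Index provenance by claim name; the field is optional, so default to {}."""
    return {c["name"]: c.get("provenance") or {} for c in attestation}


def provenance_drift(old, new):
    """Return (claim, setting, old_value, new_value) for each setting that
    differs between two attestations. None marks a setting absent on one side.
    Only claims present in both attestations are compared."""
    before, after = provenance_by_claim(old), provenance_by_claim(new)
    drift = []
    for claim in sorted(before.keys() & after.keys()):
        for setting in sorted(before[claim].keys() | after[claim].keys()):
            a, b = before[claim].get(setting), after[claim].get(setting)
            if a != b:
                drift.append((claim, setting, a, b))
    return drift


if __name__ == "__main__":
    for claim, setting, a, b in provenance_drift(BASELINE, LATEST):
        print(f"{claim}: {setting} changed {a!r} -> {b!r}")
```

In the sample, the `injection_risk` score fell from 0.82 to 0.64 while its threshold setting moved from 0.7 to 0.9, so a reviewer comparing scores alone would miss that the detection settings changed between the two runs.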


Custom Auditor Claims

Custom ClaimsAuditors can define arbitrary claim names. Use flat, descriptive names with a namespace prefix to avoid collisions:

# Good: namespaced flat claim names
Claim(name="myorg_compliance_passed", type="boolean", value=True)
Claim(name="myorg_risk_score", type="score_normalized", value=0.3)

# Bad: generic names that may collide
Claim(name="score", type="score_normalized", value=0.3)

Custom claims are referenced in Cedar the same way:

forbid(principal, action == Action::"invoke", resource)
when { context.claims.myorg_compliance_passed != true };

Register custom auditors with lucid auditor register --claims to sync vocabulary with the platform for policy editor autocomplete.
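A pre-registration check for the naming convention above, as an added example that is not part of the Lucid SDK. `check_claim_names` and `STANDARD_CLAIMS` are hypothetical names, the standard-claim set is a subset copied from this page, and lowercase snake_case is an assumption drawn from the page's examples.

```python
import re

# Subset of the standard claim names listed on this page (not exhaustive).
STANDARD_CLAIMS = {
    "injection_risk", "secret_leaked", "toxic_content", "pii_found",
    "pii_risk_score", "rate_limited", "dangerous_tool", "safety_score",
    "pickle_safe", "signature_valid", "tee_signed",
}

# Flat name: lowercase words joined by underscores and no dots, so that
# context.claims.<name> stays a single attribute access in Cedar.
FLAT_NAME = re.compile(r"^[a-z][a-z0-9]*(_[a-z0-9]+)*$")


def check_claim_names(names, namespace):
    """Return {name: [problems]} for names that break the convention."""
    problems = {}
    seen = set()
    for name in names:
        issues = []
        if not FLAT_NAME.match(name):
            issues.append("not a flat lowercase identifier")
        if not name.startswith(namespace + "_"):
            issues.append(f"missing namespace prefix '{namespace}_'")
        if name in STANDARD_CLAIMS:
            issues.append("collides with a standard claim")
        if name in seen:
            issues.append("declared more than once")
        seen.add(name)
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    # Constructed input: two good names, then four that should be flagged.
    proposed = ["myorg_compliance_passed", "myorg_risk_score", "score",
                "myorg.risk.score", "pii_found", "myorg_risk_score"]
    for name, issues in check_claim_names(proposed, "myorg").items():
        print(f"{name}: {'; '.join(issues)}")
```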