Graphorin API reference v0.7.0
Graphorin API reference / @graphorin/security / / deriveTaintLabel
Function: deriveTaintLabel()
ts
function deriveTaintLabel(input): TaintLabel;Defined in: packages/security/src/dataflow/derive.ts:45
Derive the provenance label for a tool's output from its resolved trust class, source, and declared sensitivity.
untrustedis keyed off the ToolTrustClass:mcp-derived,web-search, andskill-untrustedproduce untrusted output.sensitiveistrueonly for the'secret'tier.'internal'is the default tier for ordinary user content, so counting it would make the lethal-trifecta gate fire on essentially every run; operators who want a broader gate widen it via policy, not here.
Parameters
| Parameter | Type | Description |
|---|---|---|
input | { sensitiveTiers?: readonly Sensitivity[]; sensitivity?: Sensitivity; source?: ToolSource; trustClass: ToolTrustClass; } | - |
input.sensitiveTiers? | readonly Sensitivity[] | Sensitivity tiers that count as "sensitive" for the lethal-trifecta leg (SDF-8). Default ['secret'] - out of the box only secret-tagged content arms the trifecta, so the gate does not fire on every run. Widen to e.g. ['secret', 'internal'] to also treat ordinary user/PII content (which defaults to 'internal') as sensitive. |
input.sensitivity? | Sensitivity | - |
input.source? | ToolSource | - |
input.trustClass | ToolTrustClass | - |