Skip to content

Graphorin API reference v0.7.0


Graphorin API reference / @graphorin/security / / DataFlowPolicyConfig

Interface: DataFlowPolicyConfig

Defined in: packages/security/src/dataflow/types.ts:182

Configuration for createDataFlowPolicy. Also the shape an agent accepts on AgentConfig.dataFlowPolicy.

Stable

Properties

PropertyModifierTypeDescriptionDefined in
declassifySinks?readonlyreadonly string[]Sink tool names pre-authorized by the operator to receive tainted data. A tainted flow into one of these is audited as declassified and allowed even in 'enforce' mode - the explicit, audited escape hatch for known-good flows.packages/security/src/dataflow/types.ts:216
derivedTaint?readonly"off" | "strict"C6 (pairs security-05): derived-taint propagation mode. - 'off' (default) - current behaviour: sinks gate on verbatim carry and (optionally) the lethal trifecta. - 'strict' - CaMeL-style control-flow integrity: once untrusted content has entered the run, EVERY model-driven sink call fires the derived-untrusted-to-sink flow (paraphrase-robust by construction). Deliberately coarse - in 'enforce' mode this blocks all post-ingestion sinks except declassifySinks; pair with shadow mode first to size the impact.packages/security/src/dataflow/types.ts:237
guardTrifecta?readonlybooleanWhen true (the default), also gate on the conservative lethal-trifecta signal, not only on verbatim untrusted-to-sink carry. Set false to gate exclusively on provable verbatim flow (fewer false positives, weaker guarantee).packages/security/src/dataflow/types.ts:191
minSpanLength?readonlynumberMinimum length of a shared verbatim span (in normalized characters) for the ledger to treat a sink's arguments as carrying untrusted content. Lower = more sensitive (more false positives), clamped up to an 8-char floor below which the probe cannot be meaningful (SDF-5). Default 20.packages/security/src/dataflow/types.ts:224
modereadonlyDataFlowModeEnforcement mode. See DataFlowMode.packages/security/src/dataflow/types.ts:184
sensitiveTiers?readonlyreadonly Sensitivity[]Sensitivity tiers that arm the lethal-trifecta sensitive leg (SDF-8). Default ['secret'] (out-of-the-box behaviour is byte-identical - only secret-tagged content counts). Set e.g. ['secret', 'internal'] so ordinary user/PII content (default 'internal') also counts; the agent's guard builder threads this into deriveTaintLabel. The verbatim untrusted-to-sink leg is independent of this option.packages/security/src/dataflow/types.ts:201
treatPiiAsSensitive?readonlybooleanFIDES-lattice (SDF-8): when true, a tool output that the PII catalogue flags (email, SSN, card, …) arms the lethal-trifecta sensitive leg even without a 'secret' tag - so exfiltrating user/PII content trips the gate. The agent's guard builder wires containsPii into the ledger. Default false ⇒ byte-identical. Composes with sensitiveTiers.packages/security/src/dataflow/types.ts:209