Graphorin API reference v0.7.0
Graphorin API reference / @graphorin/security / / DataFlowPolicyConfig
Interface: DataFlowPolicyConfig
Defined in: packages/security/src/dataflow/types.ts:182
Configuration for createDataFlowPolicy. Also the shape an agent accepts on AgentConfig.dataFlowPolicy.
Stable
Properties
| Property | Modifier | Type | Description | Defined in |
|---|---|---|---|---|
declassifySinks? | readonly | readonly string[] | Sink tool names pre-authorized by the operator to receive tainted data. A tainted flow into one of these is audited as declassified and allowed even in 'enforce' mode - the explicit, audited escape hatch for known-good flows. | packages/security/src/dataflow/types.ts:216 |
derivedTaint? | readonly | "off" | "strict" | C6 (pairs security-05): derived-taint propagation mode. - 'off' (default) - current behaviour: sinks gate on verbatim carry and (optionally) the lethal trifecta. - 'strict' - CaMeL-style control-flow integrity: once untrusted content has entered the run, EVERY model-driven sink call fires the derived-untrusted-to-sink flow (paraphrase-robust by construction). Deliberately coarse - in 'enforce' mode this blocks all post-ingestion sinks except declassifySinks; pair with shadow mode first to size the impact. | packages/security/src/dataflow/types.ts:237 |
guardTrifecta? | readonly | boolean | When true (the default), also gate on the conservative lethal-trifecta signal, not only on verbatim untrusted-to-sink carry. Set false to gate exclusively on provable verbatim flow (fewer false positives, weaker guarantee). | packages/security/src/dataflow/types.ts:191 |
minSpanLength? | readonly | number | Minimum length of a shared verbatim span (in normalized characters) for the ledger to treat a sink's arguments as carrying untrusted content. Lower = more sensitive (more false positives), clamped up to an 8-char floor below which the probe cannot be meaningful (SDF-5). Default 20. | packages/security/src/dataflow/types.ts:224 |
mode | readonly | DataFlowMode | Enforcement mode. See DataFlowMode. | packages/security/src/dataflow/types.ts:184 |
sensitiveTiers? | readonly | readonly Sensitivity[] | Sensitivity tiers that arm the lethal-trifecta sensitive leg (SDF-8). Default ['secret'] (out-of-the-box behaviour is byte-identical - only secret-tagged content counts). Set e.g. ['secret', 'internal'] so ordinary user/PII content (default 'internal') also counts; the agent's guard builder threads this into deriveTaintLabel. The verbatim untrusted-to-sink leg is independent of this option. | packages/security/src/dataflow/types.ts:201 |
treatPiiAsSensitive? | readonly | boolean | FIDES-lattice (SDF-8): when true, a tool output that the PII catalogue flags (email, SSN, card, …) arms the lethal-trifecta sensitive leg even without a 'secret' tag - so exfiltrating user/PII content trips the gate. The agent's guard builder wires containsPii into the ledger. Default false ⇒ byte-identical. Composes with sensitiveTiers. | packages/security/src/dataflow/types.ts:209 |