Graphorin API reference v0.7.0
Graphorin API reference / @graphorin/security / / TaintLabel
Interface: TaintLabel
Defined in: packages/security/src/dataflow/types.ts:69
Provenance label derived from a tool's registration metadata. Describes whether the tool's output should be treated as untrusted and/or sensitive for the purposes of downstream sink checks.
Stable
Properties
| Property | Modifier | Type | Description | Defined in |
|---|---|---|---|---|
sensitive | readonly | boolean | true when the output carries secret-tier data (sensitivity: 'secret'). Only the 'secret' tier counts: 'internal' is the default for ordinary user content, so treating it as sensitive would make the trifecta gate fire on virtually every run. | packages/security/src/dataflow/types.ts:93 |
sensitivity | readonly | | "unknown" | Sensitivity | The producing tool's declared sensitivity ('unknown' when absent). | packages/security/src/dataflow/types.ts:80 |
sourceKind | readonly | string | The producing tool's source kind ('unknown' when unattributed). Typically a ToolSource['kind']; C6 widens the type to string so derived labels can carry descriptive kinds ('llm-derived', 'memory-recall', 'resumed-untrusted'). | packages/security/src/dataflow/types.ts:78 |
trustClass | readonly | ToolTrustClass | Resolved trust class of the producing tool. | packages/security/src/dataflow/types.ts:71 |
untrusted | readonly | boolean | true when the output originates from an untrusted source (mcp-derived, web-search, skill-untrusted) - content a prompt injection could be hidden in. | packages/security/src/dataflow/types.ts:86 |