Skip to content

Graphorin API reference v0.7.0


Graphorin API reference / @graphorin/security / / TaintLabel

Interface: TaintLabel

Defined in: packages/security/src/dataflow/types.ts:69

Provenance label derived from a tool's registration metadata. Describes whether the tool's output should be treated as untrusted and/or sensitive for the purposes of downstream sink checks.

Stable

Properties

PropertyModifierTypeDescriptionDefined in
sensitivereadonlybooleantrue when the output carries secret-tier data (sensitivity: 'secret'). Only the 'secret' tier counts: 'internal' is the default for ordinary user content, so treating it as sensitive would make the trifecta gate fire on virtually every run.packages/security/src/dataflow/types.ts:93
sensitivityreadonly| "unknown" | SensitivityThe producing tool's declared sensitivity ('unknown' when absent).packages/security/src/dataflow/types.ts:80
sourceKindreadonlystringThe producing tool's source kind ('unknown' when unattributed). Typically a ToolSource['kind']; C6 widens the type to string so derived labels can carry descriptive kinds ('llm-derived', 'memory-recall', 'resumed-untrusted').packages/security/src/dataflow/types.ts:78
trustClassreadonlyToolTrustClassResolved trust class of the producing tool.packages/security/src/dataflow/types.ts:71
untrustedreadonlybooleantrue when the output originates from an untrusted source (mcp-derived, web-search, skill-untrusted) - content a prompt injection could be hidden in.packages/security/src/dataflow/types.ts:86