Graphorin API reference v0.4.0
Graphorin API reference / @graphorin/security / / TaintLabel
Interface: TaintLabel
Defined in: packages/security/src/dataflow/types.ts:63
Provenance label derived from a tool's registration metadata. Describes whether the tool's output should be treated as untrusted and/or sensitive for the purposes of downstream sink checks.
Stable
Properties
| Property | Modifier | Type | Description | Defined in |
|---|---|---|---|---|
sensitive | readonly | boolean | true when the output carries secret-tier data (sensitivity: 'secret'). Only the 'secret' tier counts: 'internal' is the default for ordinary user content, so treating it as sensitive would make the trifecta gate fire on virtually every run. | packages/security/src/dataflow/types.ts:82 |
sensitivity | readonly | | "unknown" | Sensitivity | The producing tool's declared sensitivity ('unknown' when absent). | packages/security/src/dataflow/types.ts:69 |
sourceKind | readonly | "unknown" | "web-search" | "first-party" | "built-in" | "skill" | "mcp" | The producing tool's source kind ('unknown' when unattributed). | packages/security/src/dataflow/types.ts:67 |
trustClass | readonly | ToolTrustClass | Resolved trust class of the producing tool. | packages/security/src/dataflow/types.ts:65 |
untrusted | readonly | boolean | true when the output originates from an untrusted source (mcp-derived, web-search, skill-untrusted) — content a prompt injection could be hidden in. | packages/security/src/dataflow/types.ts:75 |