
Taint Propagation

Every piece of data in your agent pipeline carries a trust label. Untrusted data can never drive privileged actions — no matter how many agents process it, no matter how it's transformed.


The problem: data laundering

[Diagram: Web Scrape (UNTRUSTED) ──▶ Agent A (UNTRUSTED) ──▶ Agent B (UNTRUSTED, worst-wins propagates) ──▶ approve_payment() BLOCKED: DENIED]

An attacker injects malicious content into a web scrape. Agent A reads it. Agent B processes it. Agent C uses the result to approve a payment. By the time Agent C acts, the data looks clean — it came from Agent B, a trusted internal agent. But the original source was untrusted.

Without taint tracking, this is invisible. With taint tracking, the UNTRUSTED label follows the data through every hop. Agent C is blocked from using it for payments.

Six trust levels

Data enters the system labeled. The label never upgrades. Worst-wins when data is combined.

VERIFIED
Cryptographically verified source. Signed manifests, verified APIs.
HUMAN
Direct human input. Typed by a person, not generated.
SYSTEM
System-generated. Config files, constants, internal state.
DERIVED
Computed from other data. Trust level inherited from worst input.
UNTRUSTED
External, unknown source. Web scrapes, email content, tool responses from unknown servers.
MALICIOUS
Confirmed malicious. Never downgrades. Blocked from all actions.

How propagation works

When Agent A sends data to Agent B, the taint label travels with it. When Agent B combines data from two sources, the output inherits the worst label. When any agent tries to use data for a privileged action, the taint gate checks the label.

1. Label at ingress: Web scrape arrives, labeled UNTRUSTED automatically.
2. Propagate through pipeline: Agent A processes it, sends to Agent B. Label follows.
3. Combine with worst-wins: Agent B merges UNTRUSTED + SYSTEM data. Result: UNTRUSTED.
4. Block at action: Agent C tries approve_payment with UNTRUSTED data. DENIED.

Web scrape ──[UNTRUSTED]──▶ Agent A
                                    │
                              processes data
                                    │
                              ──[UNTRUSTED]──▶ Agent B
                                                      │
                                                merges with
                                                system config
                                              [SYSTEM]
                                                      │
                                              worst-wins:
                                              [UNTRUSTED]
                                                      │
                                                      ▼
                                                Agent C
                                              approve_payment()
                                                      │
                                              DENIED
                                          untrusted data cannot
                                          drive privileged actions

Privileged actions (blocked with untrusted data)

These actions require SYSTEM trust or higher. UNTRUSTED or DERIVED data cannot trigger them.

write_db
Database writes. INSERT, UPDATE, DELETE.
send_email
Outbound email to any recipient.
transfer_funds
Financial transfers of any amount.
approve_payment
Payment approval workflows.
delete_record
Record deletion in any system.
deploy
Code deployment to any environment.
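The trust ordering, the four propagation steps and the privileged-action gate described above, as one runnable model. This is an added example, not the product's SDK or its internals: the `Trust` enum, the `Tainted` and `Decision` types and the `label`/`propagate`/`combine`/`evaluate` functions are hypothetical names chosen for this illustration, and the sample values (a scraped invoice, a `payments.yaml` config, a `ledger-db` source) are constructed. It walks the page's laundering pipeline (scrape → Agent A → Agent B merge → Agent C) and the contrasting verified-ledger case, so the same `approve_payment` call is denied in one and allowed in the other.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """The page's six levels, ordered so that a larger number is less trusted."""
    VERIFIED = 0
    HUMAN = 1
    SYSTEM = 2
    DERIVED = 3
    UNTRUSTED = 4
    MALICIOUS = 5


# Actions the page lists as privileged: they need SYSTEM trust or better.
PRIVILEGED_ACTIONS = frozenset(
    {"write_db", "send_email", "transfer_funds", "approve_payment", "delete_record", "deploy"}
)
REQUIRED_TRUST = Trust.SYSTEM


@dataclass(frozen=True)
class Tainted:
    """A value together with its trust label and provenance (hypothetical type)."""
    value: object
    trust: Trust
    source: str      # ingress source that set the (worst) label
    hops: int        # number of agents that have handled it since ingress
    lineage: tuple   # (source, trust) of every ingress value that fed it


def label(value: object, trust: Trust, source: str) -> Tainted:
    """Step 1: label at ingress. Labels are assigned here and never upgraded."""
    return Tainted(value, trust, source, hops=0, lineage=((source, trust),))


def propagate(item: Tainted, value: object | None = None) -> Tainted:
    """Step 2: an agent processes the value; the label travels with it unchanged."""
    new_value = item.value if value is None else value
    return Tainted(new_value, item.trust, item.source, item.hops + 1, item.lineage)


def combine(*inputs: Tainted, value: object) -> Tainted:
    """Step 3: worst-wins merge; the output inherits the worst input label."""
    worst = max(inputs, key=lambda t: t.trust)
    hops = max(t.hops for t in inputs) + 1
    lineage = tuple(entry for t in inputs for entry in t.lineage)
    return Tainted(value, worst.trust, worst.source, hops, lineage)


@dataclass(frozen=True)
class Decision:
    decision: str       # "allow" or "deny"
    reason: str
    taint_chain: tuple  # one entry per data_ref: source, trust, hops


def evaluate(tool: str, data_refs: list[Tainted]) -> Decision:
    """Step 4: the taint gate, consulted before any tool call runs."""
    chain = tuple(
        {"source": t.source, "trust": t.trust.name, "hops": t.hops} for t in data_refs
    )
    worst = max((t.trust for t in data_refs), default=Trust.VERIFIED)
    if worst == Trust.MALICIOUS:  # blocked from every action, privileged or not
        return Decision("deny", f"MALICIOUS data cannot drive {tool}", chain)
    if tool in PRIVILEGED_ACTIONS and worst > REQUIRED_TRUST:
        return Decision("deny", f"{worst.name} data cannot drive {tool}", chain)
    return Decision("allow", f"{tool} permitted with {worst.name} data", chain)


def laundering_scenario() -> Decision:
    """The page's pipeline: scrape -> Agent A -> Agent B (merge) -> Agent C."""
    scrape = label("...invoice text from a crawled page...", Trust.UNTRUSTED, "web_scrape_001")
    config = label({"max_amount": 10_000}, Trust.SYSTEM, "payments.yaml")  # constructed
    after_a = propagate(scrape, {"amount": 500, "account": "acme-corp"})  # Agent A
    after_b = combine(after_a, config, value={**after_a.value, "limit": 10_000})  # Agent B
    at_c = propagate(after_b)  # Agent C receives the merged result
    return evaluate("approve_payment", [at_c])


def trusted_scenario() -> Decision:
    """Same action, different provenance: the amount comes from a verified ledger."""
    amount = label({"amount": 500, "account": "acme-corp"}, Trust.VERIFIED, "ledger-db")
    return evaluate("approve_payment", [propagate(amount)])


if __name__ == "__main__":
    for d in (laundering_scenario(), trusted_scenario()):
        print(d.decision, "|", d.reason, "|", d.taint_chain)
```

Two design points matter for the guarantee the page makes. First, only `label` ever creates a trust value; `propagate` and `combine` can keep or worsen a label but have no code path that improves one, which is what "the label never upgrades" means in practice. Second, the gate keys on the worst label over every `data_ref` rather than on the identity of the sending agent, so a trusted intermediary cannot launder data simply by forwarding it.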

Why no competitor has this

Most agent security tools inspect individual tool calls in isolation. They see "approve_payment(amount=500)" and check if that's allowed. They don't know WHERE the data came from.

Taint propagation tracks data lineage across the entire pipeline. The payment amount came from a web scrape three hops ago? Blocked. The payment amount came from a verified internal database? Allowed. Same action, different provenance, different decision.

This is the principle behind kernel-level taint tracking (used in OS security for decades) applied to AI agent data flows.

External label import

Import your existing data classification taxonomy. Map your internal labels to our 6-level system.

Cross-agent tracking

Labels survive agent-to-agent communication via the Agent Bus. No way to launder untrusted data by passing it through "trusted" intermediaries.

Audit trail

Every taint label, every propagation hop, every blocked action is logged in the hash-chained audit trail. Full provenance for compliance.
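What "hash-chained" buys an auditor, as an added example that is not the product's audit implementation. The `AuditTrail` class, the `entry_hash` helper and the event records are assumptions made for this illustration; the events are constructed to mirror the page's scenario (one label, two hops, one merge, one blocked action). Each entry commits to the SHA-256 of the previous entry, so rewriting a past label and even recomputing that entry's own hash still breaks the link at the next entry, and `verify` reports where.

```python
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash of one entry: commits to the event and to the previous entry's hash."""
    payload = json.dumps({"prev": prev_hash, "event": event}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list where each entry links to the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = entry_hash(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def head(self) -> str:
        """Hash of the latest entry; the value to anchor out of band."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def record_pipeline() -> AuditTrail:
    """Constructed events for the page's scenario: label, hops, a merge, a block."""
    trail = AuditTrail()
    trail.append({"kind": "label", "data_id": "web_scrape_001", "trust": "UNTRUSTED", "source": "web-crawler"})
    trail.append({"kind": "hop", "data_id": "web_scrape_001", "from": "agent-a", "to": "agent-b"})
    trail.append({"kind": "merge", "inputs": ["web_scrape_001", "payments.yaml"], "result_trust": "UNTRUSTED"})
    trail.append({"kind": "hop", "data_id": "web_scrape_001", "from": "agent-b", "to": "agent-c"})
    trail.append({"kind": "block", "tool": "approve_payment", "reason": "UNTRUSTED data cannot drive approve_payment"})
    return trail


def rewrite_label_and_verify() -> tuple[bool, int | None]:
    """Tamper test: change the ingress label to SYSTEM and recompute that entry's hash.
    The edited entry now self-verifies, but entry 1 still points at the old hash."""
    trail = record_pipeline()
    first = trail.entries[0]
    first["event"]["trust"] = "SYSTEM"
    first["hash"] = entry_hash(first["prev"], first["event"])
    return trail.verify()


if __name__ == "__main__":
    print("intact:", record_pipeline().verify())          # (True, None)
    print("rewritten:", rewrite_label_and_verify())        # (False, 1)
```

The chain only detects edits to the interior of the log. Someone who can rewrite every entry after the one they changed can recompute the whole chain, so the current `head()` hash has to be anchored somewhere the log writer cannot alter (signed, or copied to a separate store) for the check to be conclusive; truncating the tail is likewise only detectable against such an anchor.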

SDK usage

# `shield` is an already-initialized SDK client (client setup is not shown here)
# Label data at ingress
shield.label(data_id="web_scrape_001", trust="UNTRUSTED", source="web-crawler")

# Data flows through your pipeline...
# Taint propagates automatically across agents

# Later: agent tries to approve a payment
result = shield.evaluate(
    tool="approve_payment",
    args={"amount": 500, "account": "acme-corp"},
    data_refs=["web_scrape_001"]
)

print(result.decision)   # "deny"
print(result.reason)     # "UNTRUSTED data cannot drive approve_payment"
print(result.taint_chain)
# [{"source": "web_scrape_001", "trust": "UNTRUSTED", "hops": 3}]

Data trust that follows your data.