Skip to content

feat(aep): add deny capability decisions and output_taint_labels#6

Merged
HainingYin merged 1 commit into
mainfrom
feat/aep-deny-decisions-and-taint-labels
Jul 3, 2026
Merged

feat(aep): add deny capability decisions and output_taint_labels#6
HainingYin merged 1 commit into
mainfrom
feat/aep-deny-decisions-and-taint-labels

Conversation

@HainingYin

Copy link
Copy Markdown
Contributor

Summary

  • deny decisions: New denied_tools parameter on buildAEPEvidence() emits CapabilityDecision with decision: "deny" for tools blocked by policy/firewall. Previously only "allow" was recorded.
  • output_taint_labels: Maps isUntrusted flag from tool_call events to output_taint_labels: ["external", "user-supplied"] on ActionEvidence, enabling OAA taint tracking controls.

Motivation

Addresses wasmagent-ops#3 requirements 2 and 3:

  • AAI03 Privilege Escalation: partial → supported (deny + CAP finding)
  • AAI06 Data Exfiltration: not_evaluated → partial (output taint)
  • NIST MANAGE-2.2/4.2, MANAGE-2.3, MEASURE-2.8: not_evaluated → partial
  • ISO A.6.2, A.8.3, A.8.5: not_evaluated → partial

Test plan

  • Existing trajectoryExport.test.ts still passes
  • New test: buildAEPEvidence({ denied_tools: ["bash"] }) produces deny CapabilityDecision
  • New test: tool_call event with isUntrusted: true produces output_taint_labels
  • Integration: run with guardrails.deniedTools set, verify deny decisions in exported AEP

🤖 Generated with Claude Code

Two enhancements to buildAEPEvidence():

1. New denied_tools parameter: when tools are blocked by policy/firewall,
   emit CapabilityDecision with decision:"deny" and reason_code:"policy_denied".
   Previously only "allow" decisions were recorded for tools that actually ran.

2. Map isUntrusted from tool_call event data to output_taint_labels
   ["external", "user-supplied"] on ActionEvidence. This feeds OAA controls
   for data exfiltration and taint tracking (AAI06, ISO A.6.2, A.8.3, A.8.5).

Addresses wasmagent-ops#3 requirements 2 and 3.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@HainingYin HainingYin merged commit 14f8efb into main Jul 3, 2026
2 checks passed
@HainingYin HainingYin deleted the feat/aep-deny-decisions-and-taint-labels branch July 3, 2026 07:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant