Concepts

Taint levels

The 6 taint levels that track trust provenance through a session.

Taint levels represent the trust provenance of data in a session. When an AI agent reads untrusted content, the session's taint level rises — and never goes back down until explicitly cleared.

The 6 levels

Ordered from most trusted to least trusted:

Level              Value  Description
OWNER              1      Direct from the authenticated owner
TRUSTED_CONTACT    2      From an allowlisted contact
UNTRUSTED_HUMAN    3      From an unknown or unverified human
WEB_CONTENT        4      From web fetches, browsers, email
SKILL_GENERATED    5      Generated by a skill's instructions
MEMORY_REPLAY      6      Loaded from persistent memory

Key properties

Taint only goes up

Session-level taint is monotonically increasing. If a session starts at OWNER and reads web content, it rises to WEB_CONTENT. It never automatically drops back down.

OWNER → reads untrusted file → UNTRUSTED_HUMAN → fetches URL → WEB_CONTENT

Taint restricts capabilities

Capabilities can require a minimum taint level using colon syntax:

capabilities:
  - exec:trusted        # Only allowed when taint ≤ TRUSTED_CONTACT
  - file.write:owner    # Only allowed when taint = OWNER
  - web_fetch           # Allowed at any taint level

If a session's taint exceeds the capability's threshold, the action is denied — even if the base capability is granted.

Clearing taint

Taint can only be cleared by explicit human action:

sl taint clear

In daemon mode (proxy), taint resets when a new session starts. In CLI mode, taint is tracked per-evaluation based on project trust rules.

Project-based taint

Security Layer assigns initial taint based on the project directory:

# ~/.securitylayer/projects.yaml
trust_rules:
  - path: "~/Dev/Personal/**"    # OWNER
  - path: "~/Dev/Work/**"        # TRUSTED_CONTACT
  - path: "/tmp/**"              # WEB_CONTENT
  - path: "~/Downloads/**"       # WEB_CONTENT
default: UNTRUSTED_HUMAN

This models the file-as-channel threat: a cloned repo can contain adversarial instructions in READMEs, .cursorrules, CLAUDE.md, code comments, package.json postinstall scripts, or git hooks.
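The monotonic taint rule, the colon-syntax capability thresholds and the project-based initial taint described above, as an added Python model that is not Security Layer's own code. The suffix-to-level mapping (`:owner`, `:trusted`), the rule list and the use of shell-style glob matching for `**` are assumptions for illustration.

```python
from enum import IntEnum
import fnmatch, os

class Taint(IntEnum):
    OWNER = 1
    TRUSTED_CONTACT = 2
    UNTRUSTED_HUMAN = 3
    WEB_CONTENT = 4
    SKILL_GENERATED = 5
    MEMORY_REPLAY = 6

# Assumed mapping of the colon-syntax suffixes to the highest taint still allowed.
SUFFIX_CEILING = {"owner": Taint.OWNER, "trusted": Taint.TRUSTED_CONTACT}
# Constructed trust rules mirroring projects.yaml; first matching rule wins (assumed).
TRUST_RULES = [("~/Dev/Personal/**", Taint.OWNER), ("~/Dev/Work/**", Taint.TRUSTED_CONTACT),
               ("/tmp/**", Taint.WEB_CONTENT), ("~/Downloads/**", Taint.WEB_CONTENT)]
DEFAULT_TAINT = Taint.UNTRUSTED_HUMAN

def initial_taint(project_dir, rules=TRUST_RULES, default=DEFAULT_TAINT):
    """Pick the session's starting taint from the project directory."""
    path = os.path.expanduser(project_dir)
    for pattern, level in rules:
        if fnmatch.fnmatchcase(path, os.path.expanduser(pattern)):
            return level
    return default

class Session:
    def __init__(self, project_dir):
        self.taint = initial_taint(project_dir)
    def observe(self, source):
        """Reading content only ever raises taint (monotonic); it never lowers it."""
        self.taint = max(self.taint, source)
        return self.taint
    def clear(self):
        """Explicit human action (`sl taint clear`) is the only way back to OWNER."""
        self.taint = Taint.OWNER

def parse_capability(spec):
    """'exec:trusted' -> ('exec', TRUSTED_CONTACT); no suffix -> allowed at any level."""
    name, _, suffix = spec.partition(":")
    return name, SUFFIX_CEILING[suffix] if suffix else Taint.MEMORY_REPLAY

def is_allowed(session, granted, action):
    """Deny unless the base capability is granted AND taint is within its ceiling."""
    for spec in granted:
        name, ceiling = parse_capability(spec)
        if name == action:
            return session.taint <= ceiling
    return False
```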

Why this matters

Without taint tracking, an AI agent that reads a malicious file and then executes a command is indistinguishable from one following legitimate instructions. Taint tracking makes the system aware that the agent's context has been influenced by untrusted content — and restricts what it can do accordingly.
