Core Concepts
Governance pipeline
Every agent request passes through a multi-step pipeline in three phases:
- Input scanning: PII detection, prompt injection detection, data exfiltration checks
- Execution: LLM or tool call with permission enforcement
- Output scanning: DLP, taint tracking, response classification
A block at any step stops the request immediately. The agent receives a PolicyBlockError with the reason.
Capability tokens
After the pipeline passes, TapPass mints an Ed25519-signed capability token: a cryptographic proof that the request was scanned and approved. Tokens are:
- Time-bounded: valid for 60 seconds
- Action-scoped: list exactly which tools are allowed
- Verifiable offline: no network call needed to validate
Trust tiers
Agents start with minimal permissions and earn access over time:
| Tier | What it can do |
|---|---|
| Observer | Read workspace only, no shell, no network |
| Worker | Safe commands, workspace read/write, fetch only |
| Standard | Most commands, system-wide reads |
| Full | Everything (audit-only mode) |
See Sandbox and Trust Tiers for the full reference.
Governance flags
One-header governance: X-TapPass-Flags: mode=observe, pii=mask, email=block. Control agent behavior without editing YAML or Rego policies.
See the Governance Flags guide for all available flags and their values.
Data classification
Every request is automatically classified:
| Level | Example content |
|---|---|
| PUBLIC | General knowledge questions |
| INTERNAL | Company processes, non-sensitive business data |
| CONFIDENTIAL | Financial data, customer information |
| RESTRICTED | PII, credentials, regulated data |
Classification drives model routing, tool permissions, and audit detail level.
Taint tracking
Values carry labels (PII, SECRET, EXTERNAL) through the pipeline. If tainted data reaches a dangerous sink (shell, email, external API), it is blocked. Taint persists across requests within a session.
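A minimal model of the label propagation and sink check described above, as an added example (not TapPass code or its SDK). `Session`, `Tainted` and `TaintBlocked` are hypothetical names, and re-matching remembered values by substring is an assumed way to model taint persisting across requests in a session.

```python
from dataclasses import dataclass, field

DANGEROUS_SINKS = {"shell", "email", "external_api"}  # sinks named on the page
LABELS = {"PII", "SECRET", "EXTERNAL"}                # labels named on the page


class TaintBlocked(Exception):
    """Hypothetical stand-in for the block error a governed agent receives."""


@dataclass(frozen=True)
class Tainted:
    value: str
    labels: frozenset

    def __add__(self, other):
        # A derived value inherits the union of its operands' labels.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.labels | other.labels)
        return Tainted(self.value + str(other), self.labels)

    def __radd__(self, other):
        return Tainted(str(other) + self.value, self.labels)


@dataclass
class Session:
    # value -> labels, remembered for the whole session, not just one request
    remembered: dict = field(default_factory=dict)

    def label(self, value, *labels):
        if not value or not set(labels) <= LABELS:
            raise ValueError(f"empty value or unknown label in {labels}")
        self.remembered[value] = self.remembered.get(value, frozenset()) | frozenset(labels)
        return Tainted(value, frozenset(labels))

    def labels_of(self, payload):
        tainted = isinstance(payload, Tainted)
        text = payload.value if tainted else str(payload)
        found = set(payload.labels) if tainted else set()
        # Re-attach taint to plain strings that echo a value seen earlier in
        # this session (for example after a round trip through the model).
        for value, labels in self.remembered.items():
            if value in text:
                found |= labels
        return found

    def send(self, sink, payload):
        found = self.labels_of(payload)
        if sink in DANGEROUS_SINKS and found:
            raise TaintBlocked(f"{sorted(found)} data reached sink '{sink}'")
        return f"{sink}: delivered"
```

Substring matching only catches verbatim echoes; a value that is re-encoded or paraphrased between requests would need the labels to travel with it, as `Tainted.__add__` does for derived strings.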
OPA policy engine
All policy decisions are made by Open Policy Agent using Rego rules. TapPass enforces OPA’s decisions. If OPA is unreachable, all requests are denied (fail-closed).
What’s next
You now understand the core concepts. Continue to the Python SDK reference for the full API, or jump to Providers to connect your LLM.