
Pipeline Step Reference

TapPass runs a 49-step governance pipeline on every agent request. Steps are organized into three phases and grouped by category; each step's numeric position fixes where it runs relative to the other steps. The tables below list the steps by category with their positions.

| Step | Position | Description |
|---|---|---|
| validate_input | 100 | Validate request structure and schema |
| rate_limit | 110 | Token-bucket rate limiting per agent/org |
| budget | 120 | Monthly USD budget enforcement |
| Step | Position | Description |
|---|---|---|
| detect_pii | 200 | Presidio + ML-based PII detection (names, emails, phone numbers, etc.) |
| pii_tokenize | 210 | Replace PII with reversible tokens |
| detect_secrets | 220 | API keys, passwords, connection strings |
| detect_infra | 230 | Infrastructure identifiers (IPs, hostnames, ARNs) |
| detect_business | 240 | Business-sensitive data (revenue, customer counts) |
| detect_unicode | 250 | Unicode homoglyph and invisible-character attacks |
| classify_data | 260 | Assign data classification (PUBLIC → TOP SECRET) |
| Step | Position | Description |
|---|---|---|
| detect_injection | 300 | 5-category prompt injection detection (direct, indirect, jailbreak, role hijack, context manipulation) |
| detect_escalation | 310 | Privilege escalation attempts (sudo, admin, system prompt override) |
| detect_tool_poison | 320 | Tool description manipulation and rug-pull detection |
| detect_exfiltration | 355 | Data exfiltration via paste services, DNS tunneling, webhooks, cloud storage, base64 encoding |
| detect_memory_poison | 360 | Memory/identity poisoning: MEMORY.md writes, identity override, persistent injection, time bombs, MCP abuse, context poisoning |
| detect_insider_threat | 365 | AI misalignment detection: self-preservation, blackmail, deception, unauthorized sharing, phishing (session-aware accumulation) |
| Step | Position | Description |
|---|---|---|
| call_llm | 600 | Route to LLM provider (OpenAI, Anthropic, Azure, Ollama, etc.) |
| call_tool | 610 | Execute MCP tool calls |
| tool_permissions | 620 | Check tool allowlist / denylist per agent |
| tool_constraints | 625 | Parameter validation and value constraints on tool calls |
| filter_tools | 630 | Remove tools the agent shouldn't see |
| scan_tool_calls | 635 | Inspect tool call arguments for path traversal, injection, forbidden zones |
| require_approval | 640 | Human-in-the-loop gate for high-risk tool calls |
| detect_code_exec | 650 | Shell command inspection (31 dangerous patterns: sudo, suid, crontab, scp, iptables, etc.) |
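Two of the checks in this table, the path-traversal/forbidden-zone inspection of scan_tool_calls and the shell command inspection of detect_code_exec, are simple enough to show in code. The block below is an added example written for this page, not TapPass's implementation: a lexical path check for a file-path tool argument, and a shell-command inspector that splits the command the way a shell would so that a dangerous program is found even when it is not the first word. The sandbox root /srv/agent/workspace, the forbidden-zone list and the five-program subset of the page's 31 patterns are assumptions for the example.

```python
import posixpath
import re
import shlex

# Added illustration of the scan_tool_calls and detect_code_exec checks.
# Allowed root, forbidden zones and the pattern subset are assumptions for
# this example, not TapPass's actual rule set.

ALLOWED_ROOT = "/srv/agent/workspace"                      # assumed tool sandbox
FORBIDDEN_ZONES = ("/etc", "/proc", "/sys", "/root", "/home", "/var/run")

# A handful of the shell programs the page names; the real list is longer.
DANGEROUS_PROGRAMS = {
    "sudo": "privilege escalation",
    "su": "privilege escalation",
    "crontab": "persistence via scheduled job",
    "scp": "remote copy (exfiltration)",
    "iptables": "firewall modification",
}
CONTROL_OPERATORS = {";", "&", "&&", "|", "||", "(", ")"}
SETUID_SYMBOLIC = re.compile(r"[ugoa]*[+=][rwxXt]*s[rwxXst]*")   # e.g. u+s, g+s
SETUID_NUMERIC = re.compile(r"[2-7][0-7]{3}")                    # 4xxx setuid, 2xxx setgid


def scan_path_argument(value, root=ALLOWED_ROOT, zones=FORBIDDEN_ZONES):
    """Lexically resolve a file-path argument and reject traversal out of the
    sandbox root and any path inside a forbidden zone. Returns (ok, detail)."""
    if "\x00" in value:
        return False, "NUL byte in path"
    candidate = value if value.startswith("/") else posixpath.join(root, value)
    resolved = posixpath.normpath(candidate)           # collapses ../ and ./ segments
    for zone in zones:
        if resolved == zone or resolved.startswith(zone + "/"):
            return False, f"forbidden zone {zone}"
    if resolved != root and not resolved.startswith(root + "/"):
        return False, f"escapes {root}"
    return True, resolved


def inspect_shell_command(cmd):
    """Split cmd into simple commands on ; | && || ( ) and report dangerous
    programs (by basename, so /usr/bin/sudo counts) and setuid/setgid chmod modes."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True                      # keep args like u+s or user@host:/p whole
    try:
        tokens = list(lexer)
    except ValueError as err:                          # unbalanced quotes etc.
        return [("unparseable", str(err))]
    segments, current = [], []
    for tok in tokens:
        if tok in CONTROL_OPERATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    findings = []
    for seg in segments:
        for tok in seg:
            prog = posixpath.basename(tok)
            if prog in DANGEROUS_PROGRAMS:
                findings.append((prog, DANGEROUS_PROGRAMS[prog]))
        if posixpath.basename(seg[0]) == "chmod":
            for arg in seg[1:]:
                if SETUID_SYMBOLIC.fullmatch(arg) or SETUID_NUMERIC.fullmatch(arg):
                    findings.append(("chmod " + arg, "setuid/setgid bit"))
    return findings


if __name__ == "__main__":
    # Constructed sample arguments, as an agent's tool call might carry them.
    print(scan_path_argument("../../../etc/passwd"))
    print(inspect_shell_command("ls -la ; sudo rm -rf /"))
    print(inspect_shell_command("cp payload /tmp/sh && chmod 4755 /tmp/sh"))
```

Two caveats a practitioner would want. The path check is lexical: normpath does not follow symlinks, so a production check must also resolve the final path on the target filesystem (os.path.realpath) and normalize percent-encoded or Unicode-escaped forms before comparing. The command inspector reads the line as a shell would, so `ls ; sudo ...` is not hidden behind a benign first word, but `sh -c "..."`, `eval`, aliases and `$(...)` substitutions carry nested commands that would need to be extracted and inspected recursively.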
| Step | Position | Description |
|---|---|---|
| scan_output | 700 | DLP scan on LLM responses |
| content_safety | 710 | Toxicity, bias, and harmful content detection |
| taint_check | 720 | Taint tracking: block PII/secrets from reaching public sinks |
| shell_bleed | 730 | Detect shell prompts and terminal escape sequences in output |
| pii_restore | 740 | Reverse PII tokenization for authorized consumers |
| scan_tool_results | 750 | Inspect tool return values for sensitive data |
| Step | Position | Description |
|---|---|---|
| cost_tracking | 800 | Token usage and cost attribution |
| loop_guard | 810 | Detect infinite agentic loops |

Each step supports:

  • on_detection: block, redact, log, or continue
  • threshold: score threshold for ML-based steps (0.0–1.0)
  • Custom configuration fields per step

For example, the threat-detection steps configured to block:

```yaml
detect_injection:
  on_detection: block
  threshold: 0.5
detect_exfiltration:
  on_detection: block
detect_memory_poison:
  on_detection: block
  threshold: 0.6
detect_insider_threat:
  on_detection: block
  threshold: 0.7
```
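To make the step settings concrete, here is an added example, written for this page rather than taken from TapPass, of a minimal runner that sorts steps by position and applies on_detection and threshold as the list above describes: block stops the request, redact accepts the step's rewritten text, log records the finding and keeps the text, continue ignores it (the log/continue distinction is this example's reading of the two options). Three of the page's steps are stood in for by simplified logic: pii_tokenize (reversible e-mail tokens, with a restore_pii helper playing the role of pii_restore for an authorized consumer), detect_secrets (two toy key shapes) and detect_unicode (invisible format characters and Latin/Cyrillic mixed-script words). The regexes, the token format and the in-memory vault are assumptions of the example.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of the step settings (position, on_detection, threshold).
# Step names match the page; the detection logic is a simplified stand-in
# written for this example, not TapPass's implementation.


@dataclass
class Result:
    score: float                       # detection confidence, 0.0-1.0
    text: str                          # the step's rewritten text (applied only on "redact")
    findings: list = field(default_factory=list)


@dataclass
class Step:
    name: str
    position: int                      # ascending position = run order
    run: Callable[[str, dict], Result]
    on_detection: str = "log"          # block | redact | log | continue
    threshold: float = 0.5


EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET = re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,})\b")   # toy key shapes


def pii_tokenize(text, ctx):
    """Swap e-mail addresses for reversible tokens; the mapping lives in ctx."""
    vault = ctx.setdefault("pii_vault", {})          # token -> original value

    def token_for(match):
        value = match.group(0)
        for tok, orig in vault.items():               # reuse the token for a repeated value
            if orig == value:
                return tok
        tok = f"<PII_EMAIL_{len(vault) + 1}>"
        vault[tok] = value
        return tok

    rewritten = EMAIL.sub(token_for, text)
    return Result(1.0 if rewritten != text else 0.0, rewritten, list(vault))


def restore_pii(text, ctx, authorized):
    """Stand-in for pii_restore: reverse tokenization only for an authorized consumer."""
    if not authorized:
        return text
    for tok, orig in ctx.get("pii_vault", {}).items():
        text = text.replace(tok, orig)
    return text


def detect_secrets(text, ctx):
    hits = SECRET.findall(text)
    return Result(1.0 if hits else 0.0, SECRET.sub("[REDACTED_SECRET]", text), hits)


def detect_unicode(text, ctx):
    """Flag format/invisible characters (category Cf) and Latin+Cyrillic mixed-script words."""
    findings = [f"invisible U+{ord(c):04X} at {i}" for i, c in enumerate(text)
                if unicodedata.category(c) == "Cf"]
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(c, "").split(" ")[0] for c in word if c.isalpha()}
        if {"LATIN", "CYRILLIC"} <= scripts:
            findings.append(f"mixed-script word {word!r}")
    cleaned = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return Result(1.0 if findings else 0.0, cleaned, findings)


def run_pipeline(steps, text, ctx=None):
    """Run steps in position order, applying each step's on_detection action."""
    ctx = {} if ctx is None else ctx
    audit = []
    for step in sorted(steps, key=lambda s: s.position):
        res = step.run(text, ctx)
        if res.score < step.threshold:                 # below threshold: not a detection
            continue
        if step.on_detection != "continue":            # "continue" leaves no record
            audit.append((step.name, step.on_detection, res.findings))
        if step.on_detection == "block":
            return {"blocked_by": step.name, "text": None, "audit": audit, "ctx": ctx}
        if step.on_detection == "redact":
            text = res.text                            # "log" keeps the text unchanged
    return {"blocked_by": None, "text": text, "audit": audit, "ctx": ctx}


# Registered out of order on purpose; sorting by position restores the run order.
PIPELINE = [
    Step("detect_unicode", 250, detect_unicode, on_detection="block", threshold=0.5),
    Step("pii_tokenize", 210, pii_tokenize, on_detection="redact"),
    Step("detect_secrets", 220, detect_secrets, on_detection="redact", threshold=0.5),
]

if __name__ == "__main__":
    # Constructed sample requests; the AKIA value is AWS's documentation example key.
    ok = run_pipeline(PIPELINE, "Contact alice@example.com, key AKIAIOSFODNN7EXAMPLE")
    print(ok["text"], "->", restore_pii(ok["text"], ok["ctx"], authorized=True))
    print(run_pipeline(PIPELINE, "Log in at p\u0430ypal.com now\u200b")["blocked_by"])
```

The first request passes with the e-mail tokenized and the key redacted, and only an authorized consumer gets the address back; the second is blocked by detect_unicode because of the Cyrillic "а" inside an otherwise Latin word and the trailing zero-width space. Note that the vault is populated before detect_unicode runs, so a blocked request still leaves tokenization state in ctx; a real implementation should scope that state to the request and discard it on block.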
| Preset | Steps | Use case |
|---|---|---|
| Starter | 11 | Low-risk internal agents |
| Standard | 37 | Production agents with external access |
| Regulated | 43 | Financial services, healthcare, government |

Note that no preset enables all 49 steps; even Regulated leaves six disabled, so check which steps a preset includes before relying on it for a specific control.