feat: taint checking and security

[ambrishrawat]

This PR introduces a minimal proof-of-concept for taint and security propagation across CBlock, ModelOutputThunk, and session flows, as discussed in generative-computing/mellea#189
.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|release)(?:\(.+\))?:

[ambrishrawat]

@nrfulton quick clarifications -

1. What’s the best way for expose taint configuration to devs? e.g. when a description includes a user variable like summarise the following {{email_body}}, should taint be inferred automatically or something they can configure?
2. Would it make sense to have a global strictness setting to toggle between warnings and exceptions for taint violations? Is blocify the best place for this?

[nrfulton]

What’s the best way for expose taint configuration to devs? e.g. when a description includes a user variable like summarise the following {{email_body}}, should taint be inferred automatically or something they can configure?

We should infer automatically where-ever possible. I nthis case, I'm not sure how you would infer taint. I guess you assumption here is that email_boy -- or any user_variable input -- should entail taint?

[ambrishrawat]

Yes, that was the thinking. Making it configurable may make more sense for taint. Any thoughts on the best way to expose that? Would love your take on the code too.

[davidcox]

If there is a tainted variable in the context, everything downstream should get tainted. As for how variables get tainted in the first place, a common way people do this is to define sources, sinks, and (optionally) washers. These are wrappers around interfaces that produce sensitive data (e.g. HR database api), or where it enters an unsafe place (e.g. sending to a UI).

[nrfulton]

1. CBlocks should be immutable.
2. Naming a variable Ccmponent and assigning it to a CBlock is confusing.
3. The cyclic reference here is a bit confusing and invites buggy code. Use tainted_by(None) instead of tainted_by(self) for the root node.

c = CBlock("user input", sec_level=SecLevel.tained_by(None))

[ambrishrawat]

Updated this; tainted_by(None) for root now

[nrfulton]

Why not c.sec_level?

[ambrishrawat]

Defined it as a property and now this works as c.sec_level.is_tainted()

[nrfulton]

Unless the example critically depends on using a particular model, always use session = start_session() instead. This makes the examples easier to maintain.

[nrfulton]

We should use is_tainted instead of is_safe. The meaning of safe is very ambiguous.

[ambrishrawat]

Removed all instances of is_safe

[nrfulton]

Especially in a module called security.core, we should avoid use of magic strings.

[ambrishrawat]

Created SecLevelType enum

[nrfulton]

Instead us something like:

match action:
     case Component...

    case CBlock...

(If type(action) :> Component then check is not necessary because the Component protocol has a parts() method. )

[ambrishrawat]

Updated it to use match/case

[ambrishrawat]

Thanks for the review @nrfulton !
I have incorporated your suggestions. Appreciate another pass when you get the chance

[guicho271828]

hi ambrish!