Finding
Embedding authorization rules in natural language system prompts is insecure — injected content can claim elevated permissions. A Policy Compiler translates structured access-control policies (RBAC/ABAC-style) into a deterministic enforcement layer that wraps tool calls. The LLM plans the action; the compiler enforces what is actually permitted before any tool executes — independently of prompt content.
Applicability to Zeph
Zeph has PermissionPolicy (shell tool) and TrustGateExecutor (trust levels) but authorization rules are currently tied to config TOML strings and runtime prompt-level checks. A declarative policy DSL (e.g. "allow shell for paths=[/tmp/], deny shell for paths=[/etc/], allow_if trust_level>=Supervised") compiled into a pre-execution enforcement layer would:
Separate concerns: the LLM decides WHAT to do, the policy compiler decides IF it is permitted
Implementation Sketch
Define a simple policy DSL (TOML-based, subset of what's already in [tools.shell])
Implement a PolicyEnforcer that evaluates compiled rules before ToolExecutor::execute
Wire into CompositeExecutor as a pre-execution hook (same pattern as TrustGateExecutor)
CLI: /policy check <tool> <args> for manual policy testing
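The sketch above, as an added example rather than Zeph's own code: a small compiler for the three rule forms quoted in the issue (`allow <tool> for paths=[...]`, `deny <tool> for paths=[...]`, `allow_if trust_level>=<Level>`), an enforcer that evaluates them deterministically, and a pre-execution hook that runs a tool body only when the call is permitted. The type and function names (`TrustLevel`, `Rule`, `ToolCall`, `Decision`, `PolicyEnforcer`, `execute_with_policy`) and the rule syntax are assumptions for illustration; they are not Zeph's real `PermissionPolicy`, `TrustGateExecutor` or `ToolExecutor` APIs. Evaluation is order-independent: any matching deny wins, every trust gate must pass, and at least one allow must match, so nothing the model or an injected prompt says can change the outcome.

```rust
// Added example (not Zeph's code): compile a tiny policy DSL and enforce it
// before a tool runs. All names here are assumptions for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum TrustLevel { Untrusted, Supervised, Trusted }

impl TrustLevel {
    fn parse(s: &str) -> Result<Self, String> {
        match s {
            "Untrusted" => Ok(TrustLevel::Untrusted),
            "Supervised" => Ok(TrustLevel::Supervised),
            "Trusted" => Ok(TrustLevel::Trusted),
            other => Err(format!("unknown trust level: {other}")),
        }
    }
}

#[derive(Debug, Clone, PartialEq)]
pub enum Rule {
    Allow { tool: String, path_prefix: String },
    Deny { tool: String, path_prefix: String },
    AllowIfTrust(TrustLevel),
}

/// The action the LLM planned; the enforcer never sees prompt text, only this.
pub struct ToolCall<'a> { pub tool: &'a str, pub path: &'a str, pub trust: TrustLevel }

#[derive(Debug, PartialEq)]
pub enum Decision { Permit, Reject(String) }

pub struct PolicyEnforcer { rules: Vec<Rule> }

impl PolicyEnforcer {
    /// Compile one rule per line. Unknown syntax is a hard error, so a typo in
    /// the policy can never silently widen access.
    pub fn compile(policy: &str) -> Result<Self, String> {
        let mut rules = Vec::new();
        for line in policy.lines().map(str::trim).filter(|l| !l.is_empty() && !l.starts_with('#')) {
            let parts: Vec<&str> = line.split_whitespace().collect();
            let rule = match parts.as_slice() {
                [verb @ ("allow" | "deny"), tool, "for", spec] => {
                    let prefix = spec.strip_prefix("paths=[").and_then(|s| s.strip_suffix(']'))
                        .ok_or_else(|| format!("bad path spec: {line}"))?;
                    if !prefix.starts_with('/') {
                        return Err(format!("path prefix must be absolute: {line}"));
                    }
                    let (tool, path_prefix) = (tool.to_string(), prefix.to_string());
                    if *verb == "allow" { Rule::Allow { tool, path_prefix } } else { Rule::Deny { tool, path_prefix } }
                }
                ["allow_if", cond] => {
                    let level = cond.strip_prefix("trust_level>=").ok_or_else(|| format!("bad condition: {line}"))?;
                    Rule::AllowIfTrust(TrustLevel::parse(level)?)
                }
                _ => return Err(format!("unrecognised rule: {line}")),
            };
            rules.push(rule);
        }
        Ok(Self { rules })
    }

    /// Deterministic evaluation: reject relative or `..`-containing paths up front,
    /// let any matching deny win, require every trust gate to pass, and require
    /// at least one matching allow. Rule order does not affect the result.
    pub fn check(&self, call: &ToolCall) -> Decision {
        if !call.path.starts_with('/') || call.path.split('/').any(|c| c == "..") {
            return Decision::Reject(format!("path must be absolute and normalised: {}", call.path));
        }
        let mut allowed = false;
        for rule in &self.rules {
            match rule {
                Rule::Deny { tool, path_prefix } if tool == call.tool && call.path.starts_with(path_prefix.as_str()) => {
                    return Decision::Reject(format!("deny {tool} for paths=[{path_prefix}]"));
                }
                Rule::Allow { tool, path_prefix } if tool == call.tool && call.path.starts_with(path_prefix.as_str()) => {
                    allowed = true;
                }
                Rule::AllowIfTrust(min) if call.trust < *min => {
                    return Decision::Reject(format!("trust level {:?} is below required {:?}", call.trust, min));
                }
                _ => {}
            }
        }
        if allowed { Decision::Permit } else { Decision::Reject(format!("no allow rule matches {} on {}", call.tool, call.path)) }
    }
}

/// Pre-execution hook: the tool body runs only after the compiled policy permits the call.
pub fn execute_with_policy<F: FnOnce() -> String>(enforcer: &PolicyEnforcer, call: &ToolCall, tool: F) -> Result<String, String> {
    match enforcer.check(call) {
        Decision::Permit => Ok(tool()),
        Decision::Reject(reason) => Err(reason),
    }
}

/// Constructed policy using the three rules quoted in the issue.
pub const EXAMPLE_POLICY: &str = "allow shell for paths=[/tmp/]\ndeny shell for paths=[/etc/]\nallow_if trust_level>=Supervised";

fn main() {
    let enforcer = PolicyEnforcer::compile(EXAMPLE_POLICY).expect("policy compiles");
    let call = ToolCall { tool: "shell", path: "/etc/passwd", trust: TrustLevel::Trusted };
    println!("{:?}", execute_with_policy(&enforcer, &call, || "tool ran".to_string()));
}
```

In a real integration the enforcer would sit in the `CompositeExecutor` hook before `ToolExecutor::execute`, and the path argument should be canonicalised against the live filesystem (for example with `std::fs::canonicalize`) before prefix matching, since the string check here cannot see symlinks; the `..` rejection is only a defensive default for the string-level example.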
Priority
High — addresses a known class of authorization bypass vulnerabilities. The CompositeExecutor pre-execution hook pattern is already established in the codebase.
Source
Policy Compiler for Secure Agentic Systems (Feb 2026)