Problem
Policy attenuation is the highest-risk DRS algorithm. If the verifier treats an ambiguous child policy as “probably narrower,” that becomes an authorization bypass. The policy language must stay small, mechanical, and fail-closed.
What to do
Add shared policy attenuation vectors for edge cases that must deny by default:
- unknown policy operators or fields
- omitted child fields when parent restricts them
- mixed allowlist narrowing cases
- numeric limits that widen instead of tighten
- boolean restrictions such as pii_access and write_access
- malformed policy values and wrong types
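A fail-closed attenuation check covering these deny-by-default cases, added here as an example (not DRS's own code): the field names pii_access, write_access, max_calls and tools, and the flat-JSON policy shape, are assumptions of the example, and parent/child are the only inputs.

```typescript
// Field names (pii_access, write_access, max_calls, tools) are assumed for this example.
// A Rule answers: is the child value provably no wider than the parent's?
// `p === undefined` means the parent leaves that field unrestricted.
type Policy = Record<string, unknown>;
type Rule = (p: unknown, c: unknown) => boolean;
const narrowerBool: Rule = (p, c) => {
  if (typeof c !== "boolean" || (p !== undefined && typeof p !== "boolean")) return false;
  return p !== false || c === false; // parent false forces child false
};
const narrowerLimit: Rule = (p, c) => {
  if (typeof c !== "number" || c < 0) return false;
  return p === undefined || (typeof p === "number" && c <= p); // may only tighten
};
const isStringList = (v: unknown): v is string[] =>
  Array.isArray(v) && v.every((x) => typeof x === "string");
const narrowerAllowlist: Rule = (p, c) => {
  if (!isStringList(c)) return false;
  if (p === undefined) return true;
  if (!isStringList(p)) return false;
  for (const t of c) if (p.indexOf(t) === -1) return false; // child may only drop entries
  return true;
};
const rules: Record<string, Rule> = {
  pii_access: narrowerBool,
  write_access: narrowerBool,
  max_calls: narrowerLimit,
  tools: narrowerAllowlist,
};
// Own-property test, so prototype names such as "constructor" are never "known" fields.
const known = (k: string): boolean => Object.prototype.hasOwnProperty.call(rules, k);
const isPlainObject = (v: unknown): v is Policy => typeof v === "object" && v !== null && !Array.isArray(v);
// JSON.parse wrapped so that malformed input becomes undefined, which no rule accepts.
const parse = (s: string): unknown => { try { return JSON.parse(s); } catch { return undefined; } };

// True only when child is provably no wider than parent. Malformed JSON, unknown fields in
// either policy, wrong value types, and a child that omits a field the parent restricts all deny.
function attenuates(parentJson: string, childJson: string): boolean {
  const parent = parse(parentJson), child = parse(childJson);
  if (!isPlainObject(parent) || !isPlainObject(child)) return false;
  if (!Object.keys(parent).every(known) || !Object.keys(child).every(known)) return false;
  for (const field of Object.keys(rules)) {
    const pv = parent[field], cv = child[field];
    if (cv === undefined) {
      if (pv !== undefined) return false; // parent restricts, child is silent: deny
    } else if (!rules[field](pv, cv)) return false;
  }
  return true;
}
```

Each fixture category above maps to one branch that returns false; a child that only adds restrictions the parent never set is the one case that passes without a parent value.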
Acceptance criteria
- shared fixtures include pass and fail cases for every supported policy field
- Rust, Go, and TypeScript consume the same fixtures where applicable
- unknown or malformed policy shapes fail closed
- docs define the exact supported policy language and say unknown semantics are denied
Out of scope
- defining tool-specific semantic capability meaning
- runtime budget/call counting
- adding a broad policy DSL