research(security): declarative policy compiler for tool call authorization (Policy Compiler pattern) #1695

@bug-ops

Source

Policy Compiler for Secure Agentic Systems (Feb 2026)

Finding

Embedding authorization rules in natural language system prompts is insecure — injected content can claim elevated permissions. A Policy Compiler translates structured access-control policies (RBAC/ABAC-style) into a deterministic enforcement layer that wraps tool calls. The LLM plans the action; the compiler enforces what is actually permitted before any tool executes — independently of prompt content.

Applicability to Zeph

Zeph has PermissionPolicy (shell tool) and TrustGateExecutor (trust levels), but authorization rules are currently tied to config TOML strings and runtime prompt-level checks. A declarative policy DSL (e.g. "allow shell for paths=[/tmp/], deny shell for paths=[/etc/], allow_if trust_level>=Supervised") compiled into a pre-execution enforcement layer would:

  1. Harden against the shell blocklist bypass class (SEC-1525, fixed in PR #1529: fix(tools): enforce shell blocklist before permission policy check)
  2. Provide audit-log-compatible policy traces
  3. Separate concerns: the LLM decides WHAT to do, the policy compiler decides IF it's permitted

Implementation Sketch

  1. Define a simple policy DSL (TOML-based, subset of what's already in [tools.shell])
  2. Implement a PolicyEnforcer that evaluates compiled rules before ToolExecutor::execute
  3. Wire into CompositeExecutor as a pre-execution hook (same pattern as TrustGateExecutor)
  4. CLI: /policy check <tool> <args> for manual policy testing
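An added example (not Zeph's own code) of what the PolicyEnforcer from steps 1 and 2 could look like for the three rule shapes quoted above: deny-overrides, default-deny, and every decision carries the deciding rule index or reason for the audit trace. The names Trust, Rule, Policy, Decision and example_policy are hypothetical, and the rules are built as Rust literals here instead of being compiled from [tools.shell] TOML.

```rust
// Added example, not Zeph's own code. Names are hypothetical; a real build would
// compile these rules from the [tools.shell] TOML rather than from Rust literals.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Trust { Untrusted, Supervised, Trusted }
#[derive(Debug, Clone)]
pub enum Rule {
    AllowPaths { tool: &'static str, prefixes: Vec<&'static str> }, // allow <tool> for paths=[..]
    DenyPaths { tool: &'static str, prefixes: Vec<&'static str> },  // deny <tool> for paths=[..]
    RequireTrust { tool: &'static str, min: Trust },                // allow_if trust_level>=<min>
}
/// Every decision names the deciding rule or a reason, so it can be audit-logged.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Allow { rule: usize }, Deny { reason: String } }
pub struct Policy { pub rules: Vec<Rule> }

impl Policy {
    /// Deny-overrides, default-deny: a matching deny or unmet trust requirement wins,
    /// else the first matching allow, else deny. Prompt content never enters here.
    pub fn evaluate(&self, tool: &str, path: &str, trust: Trust) -> Decision {
        let deny = |reason: String| Decision::Deny { reason };
        // Prefix matching is only sound on canonical paths: "/tmp/../etc/passwd"
        // would otherwise satisfy the /tmp/ allow rule, so reject '..' outright.
        if path.split('/').any(|c| c == "..") {
            return deny(format!("path {path:?} contains a '..' component"));
        }
        let hit = |ps: &Vec<&'static str>| ps.iter().any(|p| path.starts_with(p));
        let mut allow: Option<usize> = None;
        for (i, r) in self.rules.iter().enumerate() {
            match r {
                Rule::RequireTrust { tool: t, min } if *t == tool && trust < *min =>
                    return deny(format!("rule {i}: trust {trust:?} below required {min:?}")),
                Rule::DenyPaths { tool: t, prefixes } if *t == tool && hit(prefixes) =>
                    return deny(format!("rule {i}: path {path:?} matches deny list")),
                Rule::AllowPaths { tool: t, prefixes } if *t == tool && hit(prefixes) =>
                    allow = allow.or(Some(i)),
                _ => {}
            }
        }
        allow.map_or_else(|| deny(format!("no allow rule matched {tool:?} for {path:?}")),
                          |rule| Decision::Allow { rule })
    }
}

/// The policy quoted in the issue text, as a constructed in-code sample.
pub fn example_policy() -> Policy {
    Policy { rules: vec![
        Rule::AllowPaths { tool: "shell", prefixes: vec!["/tmp/"] },
        Rule::DenyPaths { tool: "shell", prefixes: vec!["/etc/"] },
        Rule::RequireTrust { tool: "shell", min: Trust::Supervised },
    ] }
}
```

The caller (the CompositeExecutor hook) is expected to canonicalize the path before calling evaluate; the '..' check is a backstop, not a substitute for that.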

Priority

High — addresses a known class of authorization bypass vulnerabilities. The CompositeExecutor pre-execution hook pattern is already established in the codebase.

Metadata

Labels: enhancement (New feature or request), research (Research-driven improvement), security (Security-related issue)