Effective-privileges invariant — provenance & replay failure modes

Reference diagram of provenance and replay failures that can corrupt effective privileges without server-side authorization invariants.

Reference diagram with a chat/text path and a privileged server path. It highlights an invariant: effective privileges must come from server authorization and authoritative state. Failure modes include chat-derived context influencing effective privileges and model output being persisted and replayed into later context.
Effective-privileges invariant — provenance & replay failure modes (reference model).

Overview

A reference model that separates:

  • Chat/text path (untrusted text generation and persistence)
  • Privileged action path (server-side authorization + authoritative state)

Focus: two failure modes where provenance boundaries blur and text-derived artifacts influence privilege-bearing decisions.

Text alternative (long description)

  • Left side: User → Chat UI.
  • Upper path (chat/text): context assembly → LLM runtime → model output (untrusted text) → session artifacts store (logs/history/memory/traces) → FAIL #2: output persisted + replayed into context.
  • Center invariant: Effective privileges must come from server AuthZ + authoritative state.
  • Lower path (privileged/server): policy gate → authorization check server → privileged action API server → session manager (effective privileges) → authoritative state (server truth) + audit/event record (server-issued) → UI status renderer labels/badges.
  • FAIL #1: chat-derived context influences effective privileges.

Scope and limitations

  • Boundary/invariant checklist for review; not a claim about a specific product.
  • “AuthZ” used as shorthand for server-side authorization.