
ryanrasti, today at 8:11 AM

Thanks!

> I'd be interested to hear more about how you handle the provenance tracking in practice, especially when the agent chains multiple data sources together.

When you make a tool call that reads data, its values carry taints (provenance). Combine data from A and B, result carries both. Policy checks happen at sinks (tool calls that send data).

> what's the practical difference between dynamic attenuation and just statically removing the third leg upfront? Is it "just" a more elegant solution, or are there other advantages that I'm missing?

Really good question. It's about utility: we don't want to limit the agent more than necessary, otherwise we'll block it from legitimate actions.

Static 2-leg: "This agent can never send externally." Secure, but now it can't reply to emails.

Dynamic attenuation: "This agent can send, but only to certain recipients."
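
The taint flow described in the comment above, as an added example that is not part of the original comment or of the commenter's project. The names (`Tainted`, `read_tool`, `combine`, `send_tool`), the source labels, the addresses, and the rule that a recipient must be allowed by every contributing source are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy: who may receive data originating from each source.
# Source names and addresses are illustrative assumptions.
ALLOWED_RECIPIENTS = {
    "inbox:alice": {"alice@example.com", "bob@example.com"},
    "crm": {"bob@example.com", "sales@example.com"},
}


@dataclass(frozen=True)
class Tainted:
    """A value plus the set of sources (taints) it was derived from."""
    value: str
    taints: frozenset = frozenset()


def read_tool(source: str, value: str) -> Tainted:
    """Source: a tool call that reads data labels its result with its origin."""
    return Tainted(value, frozenset({source}))


def combine(a: Tainted, b: Tainted) -> Tainted:
    """Anything derived from A and B carries the taints of both."""
    return Tainted(a.value + "\n" + b.value, a.taints | b.taints)


def permitted(data: Tainted, recipient: str) -> bool:
    """Dynamic attenuation (assumed rule): the recipient must be allowed by
    every source the data came from. Unknown sources fail closed; data with
    no taints is unrestricted."""
    return all(recipient in ALLOWED_RECIPIENTS.get(t, set()) for t in data.taints)


def send_tool(data: Tainted, recipient: str) -> str:
    """Sink: the policy check happens here, not at read time."""
    if not permitted(data, recipient):
        raise PermissionError(f"{sorted(data.taints)} may not flow to {recipient}")
    return f"sent to {recipient}"


def static_two_leg_send(data: Tainted, recipient: str) -> str:
    """Static alternative: the send capability is removed outright,
    so even a legitimate reply is blocked."""
    raise PermissionError("agent has no external send capability")
```

With this policy, a value read only from `inbox:alice` can still be sent back to `alice@example.com`, while the combined inbox and CRM value can only go to `bob@example.com`, the one recipient both sources allow.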