tools: add GuardrailProvider protocol for tool call interception #7881
Open
maxpetrusenkoagent wants to merge 3 commits into
Implements the GuardrailProvider protocol from issue microsoft#7405.

- Decision enum: ALLOW | DENY | MODIFY
- GuardrailResult dataclass: carries decision, optional reason, optional modified_args, and optional metadata
- GuardrailProvider Protocol: async evaluate() method with tool_name, args, agent_name, call_id, and cancellation_token parameters
- BaseTool: add_guardrail() method, init-time guardrail_providers parameter, guardrail evaluation in run_json() and run_json_stream() before tool execution; DENY short-circuits with a denial string, MODIFY passes revised args to the tool
- FunctionTool: guardrail_providers forwarded to BaseTool.__init__

Closes microsoft#7405

Signed-off-by: maxpetrusenkoagent <max.petrusenko.agent@gmail.com>
Summary
Implements the GuardrailProvider protocol proposed in issue #7405, enabling applications to inspect, modify, or block tool calls before they execute.
Changes
New file: autogen_core/tools/_guardrail.py

- Decision — enum with ALLOW, DENY, MODIFY
- GuardrailResult — dataclass carrying:
  - decision: Decision
  - reason: str | None — description of the guardrail decision
  - modified_args: Mapping[str, Any] | None — args to pass forward (MODIFY only)
  - metadata: dict[str, Any] — additional context for callers
- GuardrailProvider — runtime_checkable Protocol with:

Modified: autogen_core/tools/_base.py

- BaseTool.__init__ accepts optional guardrail_providers: Sequence[GuardrailProvider]
- BaseTool.add_guardrail(provider) — append to the per-instance chain
- BaseTool.run_json() evaluates the guardrail chain before executing the tool:
  - ALLOW → pass args to the tool
  - DENY → return "Tool call denied: {reason}" immediately
  - MODIFY → pass modified_args to the tool; chain continues to next guardrail
- BaseStreamTool.run_json_stream() — same guardrail logic before streaming begins

Modified: autogen_core/tools/_function_tool.py

- FunctionTool.__init__ accepts and forwards guardrail_providers to BaseTool

Usage example
Tests
14 new tests in test_tools.py covering: allow, deny, modify, chained evaluation, short-circuit on first DENY, independent per-instance chains, init-time provider injection, empty-chain overhead, and runtime Protocol verification.
Closes #7405
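
The chain semantics described in this PR (ALLOW passes args through, DENY short-circuits, MODIFY hands revised args to the next guardrail), modelled stand-alone as an added example; it is not the PR's code and does not import autogen_core. The providers `NormalizePath` and `PathAllowlist`, the helpers `run_chain` and `evaluate_call`, the enum string values and the sample paths are hypothetical, and denying a MODIFY result that carries no `modified_args` is an assumption, not behaviour stated in the PR.

```python
# Stand-alone model of the types the PR describes; nothing here comes from autogen_core.
import asyncio
import posixpath
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Mapping, Optional, Sequence

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    MODIFY = "modify"

@dataclass
class GuardrailResult:
    decision: Decision
    reason: Optional[str] = None
    modified_args: Optional[Mapping[str, Any]] = None
    metadata: dict = field(default_factory=dict)

class NormalizePath:  # hypothetical provider: MODIFY rewrites the "path" argument
    async def evaluate(self, tool_name, args, agent_name=None, call_id=None, cancellation_token=None):
        clean = posixpath.normpath(str(args.get("path", "")))
        return GuardrailResult(Decision.MODIFY, reason="normalized path", modified_args={**args, "path": clean})

class PathAllowlist:  # hypothetical provider: DENY any path outside one root
    def __init__(self, root: str) -> None:
        self.root = root.rstrip("/") + "/"

    async def evaluate(self, tool_name, args, agent_name=None, call_id=None, cancellation_token=None):
        if not str(args.get("path", "")).startswith(self.root):
            return GuardrailResult(Decision.DENY, reason=f"path outside {self.root}")
        return GuardrailResult(Decision.ALLOW)

async def run_chain(providers: Sequence[Any], tool_name: str, args: Mapping[str, Any]):
    """Return (args_to_execute, None) when allowed, or (None, denial_string) when denied."""
    current = dict(args)
    for provider in providers:
        result = await provider.evaluate(tool_name, current)
        if result.decision is Decision.DENY:  # short-circuit: later providers never run
            return None, f"Tool call denied: {result.reason}"
        if result.decision is Decision.MODIFY:
            if result.modified_args is None:  # assumption: fail closed on a malformed MODIFY
                return None, "Tool call denied: MODIFY without modified_args"
            current = dict(result.modified_args)  # the next provider sees the rewritten args
    return current, None

def evaluate_call(providers: Sequence[Any], tool_name: str, args: Mapping[str, Any]):
    """Synchronous wrapper so the chain can be exercised without a running event loop."""
    return asyncio.run(run_chain(providers, tool_name, args))
```

Because each provider sees the args as rewritten by the ones before it, registration order is part of the policy: with `PathAllowlist` placed ahead of `NormalizePath`, the allowlist approves the raw string and the tool receives a different, unchecked path.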