@librechat/agents 3.1.76 → 3.1.77
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/graphs/Graph.cjs +9 -0
- package/dist/cjs/graphs/Graph.cjs.map +1 -1
- package/dist/cjs/hitl/askUserQuestion.cjs +67 -0
- package/dist/cjs/hitl/askUserQuestion.cjs.map +1 -0
- package/dist/cjs/hooks/HookRegistry.cjs +54 -0
- package/dist/cjs/hooks/HookRegistry.cjs.map +1 -1
- package/dist/cjs/hooks/createToolPolicyHook.cjs +115 -0
- package/dist/cjs/hooks/createToolPolicyHook.cjs.map +1 -0
- package/dist/cjs/hooks/executeHooks.cjs +40 -1
- package/dist/cjs/hooks/executeHooks.cjs.map +1 -1
- package/dist/cjs/hooks/types.cjs +1 -0
- package/dist/cjs/hooks/types.cjs.map +1 -1
- package/dist/cjs/llm/openai/index.cjs +317 -1
- package/dist/cjs/llm/openai/index.cjs.map +1 -1
- package/dist/cjs/main.cjs +29 -0
- package/dist/cjs/main.cjs.map +1 -1
- package/dist/cjs/run.cjs +400 -42
- package/dist/cjs/run.cjs.map +1 -1
- package/dist/cjs/tools/ToolNode.cjs +551 -55
- package/dist/cjs/tools/ToolNode.cjs.map +1 -1
- package/dist/cjs/tools/search/tavily-scraper.cjs.map +1 -1
- package/dist/cjs/tools/search/tavily-search.cjs.map +1 -1
- package/dist/cjs/tools/search/tool.cjs.map +1 -1
- package/dist/esm/graphs/Graph.mjs +9 -0
- package/dist/esm/graphs/Graph.mjs.map +1 -1
- package/dist/esm/hitl/askUserQuestion.mjs +65 -0
- package/dist/esm/hitl/askUserQuestion.mjs.map +1 -0
- package/dist/esm/hooks/HookRegistry.mjs +54 -0
- package/dist/esm/hooks/HookRegistry.mjs.map +1 -1
- package/dist/esm/hooks/createToolPolicyHook.mjs +113 -0
- package/dist/esm/hooks/createToolPolicyHook.mjs.map +1 -0
- package/dist/esm/hooks/executeHooks.mjs +40 -1
- package/dist/esm/hooks/executeHooks.mjs.map +1 -1
- package/dist/esm/hooks/types.mjs +1 -0
- package/dist/esm/hooks/types.mjs.map +1 -1
- package/dist/esm/llm/openai/index.mjs +318 -2
- package/dist/esm/llm/openai/index.mjs.map +1 -1
- package/dist/esm/main.mjs +3 -0
- package/dist/esm/main.mjs.map +1 -1
- package/dist/esm/run.mjs +400 -42
- package/dist/esm/run.mjs.map +1 -1
- package/dist/esm/tools/ToolNode.mjs +552 -56
- package/dist/esm/tools/ToolNode.mjs.map +1 -1
- package/dist/esm/tools/search/tavily-scraper.mjs.map +1 -1
- package/dist/esm/tools/search/tavily-search.mjs.map +1 -1
- package/dist/esm/tools/search/tool.mjs.map +1 -1
- package/dist/types/graphs/Graph.d.ts +7 -0
- package/dist/types/hitl/askUserQuestion.d.ts +55 -0
- package/dist/types/hitl/index.d.ts +6 -0
- package/dist/types/hooks/HookRegistry.d.ts +58 -0
- package/dist/types/hooks/createToolPolicyHook.d.ts +87 -0
- package/dist/types/hooks/index.d.ts +4 -1
- package/dist/types/hooks/types.d.ts +109 -3
- package/dist/types/index.d.ts +9 -0
- package/dist/types/llm/openai/index.d.ts +17 -0
- package/dist/types/run.d.ts +117 -1
- package/dist/types/tools/ToolNode.d.ts +26 -1
- package/dist/types/types/hitl.d.ts +272 -0
- package/dist/types/types/index.d.ts +1 -0
- package/dist/types/types/run.d.ts +33 -0
- package/dist/types/types/tools.d.ts +19 -0
- package/package.json +1 -1
- package/src/graphs/Graph.ts +9 -0
- package/src/hitl/askUserQuestion.ts +72 -0
- package/src/hitl/index.ts +7 -0
- package/src/hooks/HookRegistry.ts +71 -0
- package/src/hooks/__tests__/createToolPolicyHook.test.ts +259 -0
- package/src/hooks/createToolPolicyHook.ts +184 -0
- package/src/hooks/executeHooks.ts +50 -1
- package/src/hooks/index.ts +6 -0
- package/src/hooks/types.ts +112 -0
- package/src/index.ts +19 -0
- package/src/llm/openai/deepseek.test.ts +479 -0
- package/src/llm/openai/index.ts +484 -1
- package/src/run.ts +456 -47
- package/src/tools/ToolNode.ts +701 -62
- package/src/tools/__tests__/hitl.test.ts +3593 -0
- package/src/tools/search/tavily-scraper.ts +4 -4
- package/src/tools/search/tavily-search.ts +32 -32
- package/src/tools/search/tool.ts +3 -3
- package/src/tools/search/types.ts +3 -1
- package/src/types/hitl.ts +303 -0
- package/src/types/index.ts +1 -0
- package/src/types/run.ts +33 -0
- package/src/types/tools.ts +19 -0
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { isBaseMessage, ToolMessage, HumanMessage, isAIMessage } from '@langchain/core/messages';
|
|
2
|
-
import { isCommand, isGraphInterrupt, Command, Send, END } from '@langchain/langgraph';
|
|
2
|
+
import { isCommand, isGraphInterrupt, interrupt, Command, Send, END } from '@langchain/langgraph';
|
|
3
|
+
import { AsyncLocalStorageProviderSingleton } from '@langchain/core/singletons';
|
|
3
4
|
import { Constants, CODE_EXECUTION_TOOLS, GraphEvents } from '../common/enum.mjs';
|
|
4
5
|
import 'nanoid';
|
|
5
6
|
import '../messages/core.mjs';
|
|
@@ -19,6 +20,88 @@ import { ToolOutputReferenceRegistry, buildReferenceKey } from './toolOutputRefe
|
|
|
19
20
|
function isSend(value) {
|
|
20
21
|
return value instanceof Send;
|
|
21
22
|
}
|
|
23
|
+
/**
 * Format a fail-closed diagnostic for malformed approval-decision
 * fields. Hosts deserialize resume payloads from untyped JSON, so
 * `responseText` and `updatedInput` can land here as anything; the
 * blocking ToolMessage carries this string so the host can debug the
 * exact wire shape that was rejected.
 *
 * `null` and arrays are reported explicitly because `typeof` would
 * label both of them `'object'`, which hides the actual mistake.
 *
 * @param {unknown} value - The field value offered on the wire.
 * @returns {string} `'<missing>'` for `undefined`, `'null'` for `null`,
 *   `'array'` for arrays, otherwise the value's `typeof` tag.
 */
function describeOfferedShape(value) {
    if (value === undefined) {
        return '<missing>';
    }
    if (value === null) {
        return 'null';
    }
    if (Array.isArray(value)) {
        return 'array';
    }
    return typeof value;
}
|
|
42
|
+
/**
 * Build the `tool_approval` interrupt payload from the set of pending
 * `ask`-decision entries collected during PreToolUse hook handling.
 * Pure function — doesn't touch ToolNode state — so it lives at module
 * scope. The interrupt itself is raised by the caller.
 *
 * `action_requests[i]` and `review_configs[i]` describe the same
 * pending call, in the order the entries were supplied.
 *
 * @param {Array<{ entry: { call: { id: string, name: string }, args: unknown }, reason?: string | null, allowedDecisions?: string[] | null }>} askEntries
 *   Pending entries whose hook decision was `ask`.
 * @returns {{ type: 'tool_approval', action_requests: object[], review_configs: object[] }}
 *   The payload handed to `interrupt()`. `description` is only present
 *   on a request when the hook supplied a reason; `allowed_decisions`
 *   falls back to all four decision types when the hook did not
 *   restrict them.
 */
function buildToolApprovalInterruptPayload(askEntries) {
    const actionRequests = [];
    const reviewConfigs = [];
    for (const { entry, reason, allowedDecisions } of askEntries) {
        const request = {
            tool_call_id: entry.call.id,
            name: entry.call.name,
            arguments: entry.args,
        };
        if (reason != null) {
            request.description = reason;
        }
        actionRequests.push(request);
        const allowed = allowedDecisions ?? ['approve', 'reject', 'edit', 'respond'];
        reviewConfigs.push({
            action_name: entry.call.name,
            tool_call_id: entry.call.id,
            // Copy the allowlist: the same array instance is used by the
            // caller to enforce decisions after resume, so the outgoing
            // payload must not alias it. Non-array values are passed
            // through untouched to keep prior behavior for odd inputs.
            allowed_decisions: Array.isArray(allowed) ? [...allowed] : allowed,
        });
    }
    return {
        type: 'tool_approval',
        action_requests: actionRequests,
        review_configs: reviewConfigs,
    };
}
|
|
75
|
+
/**
 * Build a `tool_call_id → ToolApprovalDecision` map from the host's
 * resume value. Hosts may return decisions either as an array (one per
 * action_request, in order) or as a record keyed by `tool_call_id`. Any
 * unrecognized shape (or a decision missing for a given call id) is
 * treated as "no decision" by callers — typically rejected so the run
 * doesn't silently invoke a tool the human never approved.
 *
 * @param {string[]} callIds - Call ids of the pending requests, in the
 *   order they were listed in the interrupt payload.
 * @param {unknown} resumeValue - Value the host resumed the run with.
 * @returns {Map<string, unknown>} Decisions keyed by call id. Values are
 *   passed through unvalidated; ids with no usable decision are absent.
 */
function normalizeApprovalDecisions(callIds, resumeValue) {
    const map = new Map();
    if (resumeValue == null || typeof resumeValue !== 'object') {
        return map;
    }
    if (Array.isArray(resumeValue)) {
        // Positional form: pair by index; surplus ids or surplus
        // decisions are ignored.
        const limit = Math.min(callIds.length, resumeValue.length);
        for (let i = 0; i < limit; i++) {
            map.set(callIds[i], resumeValue[i]);
        }
        return map;
    }
    for (const callId of callIds) {
        // Only honor the record's own keys. A plain property read would
        // resolve ids such as `toString` or `constructor` to inherited
        // `Object.prototype` members and record them as decisions.
        if (!Object.hasOwn(resumeValue, callId)) {
            continue;
        }
        const decision = resumeValue[callId];
        if (decision !== undefined) {
            map.set(callId, decision);
        }
    }
    return map;
}
|
|
22
105
|
/**
|
|
23
106
|
* Merges code execution session context into the sessions map.
|
|
24
107
|
*
|
|
@@ -91,6 +174,12 @@ class ToolNode extends RunnableCallable {
|
|
|
91
174
|
maxToolResultChars;
|
|
92
175
|
/** Hook registry for PreToolUse/PostToolUse lifecycle hooks */
|
|
93
176
|
hookRegistry;
|
|
177
|
+
/**
|
|
178
|
+
* Run-scoped HITL config. When `enabled`, `ask` decisions from
|
|
179
|
+
* PreToolUse hooks raise a LangGraph `interrupt()` instead of being
|
|
180
|
+
* treated as fail-closed denies.
|
|
181
|
+
*/
|
|
182
|
+
humanInTheLoop;
|
|
94
183
|
/**
|
|
95
184
|
* Registry of tool outputs keyed by `tool<idx>turn<turn>`.
|
|
96
185
|
*
|
|
@@ -111,7 +200,7 @@ class ToolNode extends RunnableCallable {
|
|
|
111
200
|
* other's in-flight state.
|
|
112
201
|
*/
|
|
113
202
|
anonBatchCounter = 0;
|
|
114
|
-
constructor({ tools, toolMap, name, tags, errorHandler, toolCallStepIds, handleToolErrors, loadRuntimeTools, toolRegistry, sessions, eventDrivenMode, agentId, directToolNames, maxContextTokens, maxToolResultChars, hookRegistry, toolOutputReferences, toolOutputRegistry, }) {
|
|
203
|
+
constructor({ tools, toolMap, name, tags, errorHandler, toolCallStepIds, handleToolErrors, loadRuntimeTools, toolRegistry, sessions, eventDrivenMode, agentId, directToolNames, maxContextTokens, maxToolResultChars, hookRegistry, humanInTheLoop, toolOutputReferences, toolOutputRegistry, }) {
|
|
115
204
|
super({ name, tags, func: (input, config) => this.run(input, config) });
|
|
116
205
|
this.toolMap = toolMap ?? new Map(tools.map((tool) => [tool.name, tool]));
|
|
117
206
|
this.toolCallStepIds = toolCallStepIds;
|
|
@@ -127,6 +216,7 @@ class ToolNode extends RunnableCallable {
|
|
|
127
216
|
this.maxToolResultChars =
|
|
128
217
|
maxToolResultChars ?? calculateMaxToolResultChars(maxContextTokens);
|
|
129
218
|
this.hookRegistry = hookRegistry;
|
|
219
|
+
this.humanInTheLoop = humanInTheLoop;
|
|
130
220
|
/**
|
|
131
221
|
* Precedence: an explicitly passed `toolOutputRegistry` instance
|
|
132
222
|
* wins over a config object so a host (`Graph`) can share one
|
|
@@ -667,13 +757,40 @@ class ToolNode extends RunnableCallable {
|
|
|
667
757
|
});
|
|
668
758
|
const messageByCallId = new Map();
|
|
669
759
|
const approvedEntries = [];
|
|
760
|
+
/**
|
|
761
|
+
* Batch-level accumulator for `additionalContext` strings returned
|
|
762
|
+
* by any PreToolUse / PostToolUse / PostToolUseFailure hook in this
|
|
763
|
+
* dispatch. We emit one consolidated `HumanMessage` after all tool
|
|
764
|
+
* results land so the next model turn sees the injected context
|
|
765
|
+
* exactly once, ordered after the ToolMessages.
|
|
766
|
+
*/
|
|
767
|
+
const batchAdditionalContexts = [];
|
|
768
|
+
/**
|
|
769
|
+
* Batch-level outcome record keyed by `tool_call_id`. Captures
|
|
770
|
+
* every tool call's final result (success / error from the host,
|
|
771
|
+
* blocked from HITL deny / reject, substituted from HITL respond)
|
|
772
|
+
* across the three call sites that touch it. We materialize the
|
|
773
|
+
* `PostToolBatch` entry array in `toolCalls` order at dispatch
|
|
774
|
+
* time so hooks correlating outcomes by position see exactly the
|
|
775
|
+
* same sequence the model emitted — independent of when each
|
|
776
|
+
* outcome was recorded (deny entries land synchronously in the
|
|
777
|
+
* hook loop, approved entries land after host execution, respond
|
|
778
|
+
* entries land in the resume branch).
|
|
779
|
+
*/
|
|
780
|
+
const postToolBatchEntryByCallId = new Map();
|
|
670
781
|
const HOOK_FALLBACK = Object.freeze({
|
|
671
782
|
additionalContexts: [],
|
|
672
783
|
errors: [],
|
|
673
784
|
});
|
|
674
785
|
if (this.hookRegistry?.hasHookFor('PreToolUse', runId) === true) {
|
|
786
|
+
/**
|
|
787
|
+
* Capture as a non-null local so the inner `blockEntry` closure
|
|
788
|
+
* doesn't lose narrowing on `this.hookRegistry` and we don't have
|
|
789
|
+
* to defensively `?.` it across every reference inside.
|
|
790
|
+
*/
|
|
791
|
+
const hookRegistry = this.hookRegistry;
|
|
675
792
|
const preResults = await Promise.all(preToolCalls.map((entry) => executeHooks({
|
|
676
|
-
registry:
|
|
793
|
+
registry: hookRegistry,
|
|
677
794
|
input: {
|
|
678
795
|
hook_event_name: 'PreToolUse',
|
|
679
796
|
runId,
|
|
@@ -688,79 +805,347 @@ class ToolNode extends RunnableCallable {
|
|
|
688
805
|
sessionId: runId,
|
|
689
806
|
matchQuery: entry.call.name,
|
|
690
807
|
}).catch(() => HOOK_FALLBACK)));
|
|
691
|
-
|
|
692
|
-
|
|
693
|
-
|
|
694
|
-
|
|
695
|
-
|
|
696
|
-
|
|
697
|
-
|
|
698
|
-
|
|
699
|
-
|
|
700
|
-
|
|
701
|
-
|
|
702
|
-
|
|
703
|
-
|
|
704
|
-
|
|
705
|
-
|
|
808
|
+
/**
|
|
809
|
+
* Side effects deferred from `blockEntry` until after any pending
|
|
810
|
+
* `interrupt()` resolves. Without deferral, a batch that mixes a
|
|
811
|
+
* `deny` decision with an `ask` decision would dispatch
|
|
812
|
+
* `ON_RUN_STEP_COMPLETED` for the denied tool on the FIRST node
|
|
813
|
+
* execution (before `interrupt()` throws), then dispatch the
|
|
814
|
+
* same event AGAIN on the resume re-execution — hosts would
|
|
815
|
+
* observe two completion events for one logical denial. By
|
|
816
|
+
* queueing the dispatch + PermissionDenied hook here and
|
|
817
|
+
* flushing after the interrupt block, we ensure each side effect
|
|
818
|
+
* fires exactly once: never on the first pass when interrupt
|
|
819
|
+
* throws (the flush is unreachable), once on resume / no-ask
|
|
820
|
+
* passes when control reaches the flush.
|
|
821
|
+
*/
|
|
822
|
+
const deferredBlockedSideEffects = [];
|
|
823
|
+
const blockEntry = (entry, reason) => {
|
|
824
|
+
const contentString = `Blocked: ${reason}`;
|
|
825
|
+
messageByCallId.set(entry.call.id, new ToolMessage({
|
|
826
|
+
status: 'error',
|
|
827
|
+
content: contentString,
|
|
828
|
+
name: entry.call.name,
|
|
829
|
+
tool_call_id: entry.call.id,
|
|
830
|
+
}));
|
|
831
|
+
postToolBatchEntryByCallId.set(entry.call.id, {
|
|
832
|
+
toolName: entry.call.name,
|
|
833
|
+
toolInput: entry.args,
|
|
834
|
+
toolUseId: entry.call.id,
|
|
835
|
+
stepId: entry.stepId,
|
|
836
|
+
/**
|
|
837
|
+
* Records the pre-invocation turn count — the same value the
|
|
838
|
+
* executed path captures before incrementing `toolUsageCount`.
|
|
839
|
+
* For a blocked tool the counter is never incremented (no
|
|
840
|
+
* invocation happened), so this is always the count of prior
|
|
841
|
+
* successful invocations of this tool name in earlier batches.
|
|
842
|
+
* Surfaces in the `PostToolBatch` entry so batch hooks see
|
|
843
|
+
* a uniform shape regardless of outcome.
|
|
844
|
+
*/
|
|
845
|
+
turn: this.toolUsageCount.get(entry.call.name) ?? 0,
|
|
846
|
+
status: 'error',
|
|
847
|
+
error: contentString,
|
|
848
|
+
});
|
|
849
|
+
deferredBlockedSideEffects.push({
|
|
850
|
+
callId: entry.call.id,
|
|
851
|
+
toolName: entry.call.name,
|
|
852
|
+
args: entry.args,
|
|
853
|
+
contentString,
|
|
854
|
+
reason,
|
|
855
|
+
});
|
|
856
|
+
};
|
|
857
|
+
const flushDeferredBlockedSideEffects = () => {
|
|
858
|
+
for (const item of deferredBlockedSideEffects) {
|
|
859
|
+
this.dispatchStepCompleted(item.callId, item.toolName, item.args, item.contentString, config);
|
|
860
|
+
if (hookRegistry.hasHookFor('PermissionDenied', runId)) {
|
|
706
861
|
executeHooks({
|
|
707
|
-
registry:
|
|
862
|
+
registry: hookRegistry,
|
|
708
863
|
input: {
|
|
709
864
|
hook_event_name: 'PermissionDenied',
|
|
710
865
|
runId,
|
|
711
866
|
threadId,
|
|
712
867
|
agentId: this.agentId,
|
|
713
|
-
toolName:
|
|
714
|
-
toolInput:
|
|
715
|
-
toolUseId:
|
|
716
|
-
reason,
|
|
868
|
+
toolName: item.toolName,
|
|
869
|
+
toolInput: item.args,
|
|
870
|
+
toolUseId: item.callId,
|
|
871
|
+
reason: item.reason,
|
|
717
872
|
},
|
|
718
873
|
sessionId: runId,
|
|
719
|
-
matchQuery:
|
|
874
|
+
matchQuery: item.toolName,
|
|
720
875
|
}).catch(() => {
|
|
721
876
|
/* PermissionDenied is observational — swallow errors */
|
|
722
877
|
});
|
|
723
878
|
}
|
|
879
|
+
}
|
|
880
|
+
deferredBlockedSideEffects.length = 0;
|
|
881
|
+
};
|
|
882
|
+
/**
|
|
883
|
+
* Apply a hook-supplied or host-supplied input override to a pending
|
|
884
|
+
* entry, re-running the `{{tool<i>turn<n>}}` resolver so any new
|
|
885
|
+
* placeholders introduced by the override are substituted (and any
|
|
886
|
+
* formerly-unresolved refs cleared from the unresolved set).
|
|
887
|
+
*
|
|
888
|
+
* Mixed direct+event batches must use the pre-batch snapshot so a
|
|
889
|
+
* hook-introduced placeholder cannot accidentally resolve to a
|
|
890
|
+
* same-turn direct output that has just registered. Pure event
|
|
891
|
+
* batches don't have a snapshot and resolve against the live
|
|
892
|
+
* registry — safe because no event-side registrations have happened
|
|
893
|
+
* yet.
|
|
894
|
+
*/
|
|
895
|
+
const applyInputOverride = (entry, nextArgs) => {
|
|
896
|
+
if (registry != null) {
|
|
897
|
+
const view = preBatchSnapshot ?? {
|
|
898
|
+
resolve: (args) => registry.resolve(registryRunId, args),
|
|
899
|
+
};
|
|
900
|
+
const { resolved, unresolved } = view.resolve(nextArgs);
|
|
901
|
+
entry.args = resolved;
|
|
902
|
+
if (entry.call.id != null) {
|
|
903
|
+
if (unresolved.length > 0) {
|
|
904
|
+
unresolvedByCallId.set(entry.call.id, unresolved);
|
|
905
|
+
}
|
|
906
|
+
else {
|
|
907
|
+
unresolvedByCallId.delete(entry.call.id);
|
|
908
|
+
}
|
|
909
|
+
}
|
|
910
|
+
return;
|
|
911
|
+
}
|
|
912
|
+
entry.args = nextArgs;
|
|
913
|
+
};
|
|
914
|
+
const askEntries = [];
|
|
915
|
+
for (let i = 0; i < preToolCalls.length; i++) {
|
|
916
|
+
const hookResult = preResults[i];
|
|
917
|
+
const entry = preToolCalls[i];
|
|
918
|
+
for (const ctx of hookResult.additionalContexts) {
|
|
919
|
+
batchAdditionalContexts.push(ctx);
|
|
920
|
+
}
|
|
921
|
+
if (hookResult.decision === 'deny') {
|
|
922
|
+
blockEntry(entry, hookResult.reason ?? 'Blocked by hook');
|
|
923
|
+
continue;
|
|
924
|
+
}
|
|
925
|
+
if (hookResult.decision === 'ask') {
|
|
926
|
+
/**
|
|
927
|
+
* HITL is OFF by default — hosts must explicitly opt in via
|
|
928
|
+
* `humanInTheLoop: { enabled: true }` to engage the
|
|
929
|
+
* `interrupt()` path. When opted out (or omitted), `ask`
|
|
930
|
+
* collapses into the pre-HITL fail-closed path: a blocked
|
|
931
|
+
* tool with an error `ToolMessage`. The default stays
|
|
932
|
+
* conservative until host UIs are ready to render
|
|
933
|
+
* `tool_approval` interrupts; see `HumanInTheLoopConfig`
|
|
934
|
+
* JSDoc for the full rationale and the migration plan.
|
|
935
|
+
*/
|
|
936
|
+
if (this.humanInTheLoop?.enabled !== true) {
|
|
937
|
+
blockEntry(entry, hookResult.reason ?? 'Blocked by hook');
|
|
938
|
+
continue;
|
|
939
|
+
}
|
|
940
|
+
/**
|
|
941
|
+
* Apply `updatedInput` BEFORE queuing into `askEntries` —
|
|
942
|
+
* a hook is allowed to return both a sanitization rewrite
|
|
943
|
+
* and an `ask` decision (e.g. one matcher redacts secrets,
|
|
944
|
+
* another matcher requires approval). Without this, the
|
|
945
|
+
* interrupt payload would surface the original args to the
|
|
946
|
+
* reviewer AND the post-approve execution would run with
|
|
947
|
+
* the original args, silently dropping the hook's rewrite.
|
|
948
|
+
*/
|
|
949
|
+
if (hookResult.updatedInput != null) {
|
|
950
|
+
applyInputOverride(entry, hookResult.updatedInput);
|
|
951
|
+
}
|
|
952
|
+
askEntries.push({
|
|
953
|
+
entry,
|
|
954
|
+
reason: hookResult.reason,
|
|
955
|
+
allowedDecisions: hookResult.allowedDecisions,
|
|
956
|
+
});
|
|
724
957
|
continue;
|
|
725
958
|
}
|
|
726
959
|
if (hookResult.updatedInput != null) {
|
|
960
|
+
applyInputOverride(entry, hookResult.updatedInput);
|
|
961
|
+
}
|
|
962
|
+
approvedEntries.push(entry);
|
|
963
|
+
}
|
|
964
|
+
/**
|
|
965
|
+
* If any entries asked for approval, raise a single LangGraph
|
|
966
|
+
* `interrupt()` carrying every pending request together. The host
|
|
967
|
+
* pauses, gathers human input, and resumes the run with one
|
|
968
|
+
* decision per request. On resume LangGraph re-executes this node
|
|
969
|
+
* from the start; `interrupt()` then returns the resume value
|
|
970
|
+
* instead of throwing, so the loop above re-runs and the same
|
|
971
|
+
* `askEntries` list is rebuilt deterministically (assuming hooks
|
|
972
|
+
* are pure — see `humanInTheLoop` docs).
|
|
973
|
+
*/
|
|
974
|
+
if (askEntries.length > 0) {
|
|
975
|
+
const payload = buildToolApprovalInterruptPayload(askEntries);
|
|
976
|
+
/**
|
|
977
|
+
* `interrupt()` reads the current `RunnableConfig` from
|
|
978
|
+
* AsyncLocalStorage, but our `RunnableCallable` sets
|
|
979
|
+
* `trace = false` for ToolNode (intentional — avoids LangSmith
|
|
980
|
+
* tracing per tool call). Without the trace path, the upstream
|
|
981
|
+
* `runWithConfig` frame is never established, so we re-anchor
|
|
982
|
+
* here using the node's own `config` — Pregel hands us a
|
|
983
|
+
* config that already carries every checkpoint/scratchpad key
|
|
984
|
+
* `interrupt()` needs to suspend and resume.
|
|
985
|
+
*/
|
|
986
|
+
const resumeValue = AsyncLocalStorageProviderSingleton.runWithConfig(config, () => interrupt(payload));
|
|
987
|
+
const decisionByCallId = normalizeApprovalDecisions(askEntries.map(({ entry }) => entry.call.id), resumeValue);
|
|
988
|
+
for (const { entry, reason: askReason, allowedDecisions, } of askEntries) {
|
|
989
|
+
const decision = decisionByCallId.get(entry.call.id) ?? {
|
|
990
|
+
type: 'reject',
|
|
991
|
+
reason: 'No decision provided for tool approval',
|
|
992
|
+
};
|
|
727
993
|
/**
|
|
728
|
-
*
|
|
729
|
-
*
|
|
730
|
-
*
|
|
731
|
-
*
|
|
732
|
-
*
|
|
733
|
-
*
|
|
994
|
+
* Read `decision.type` through a widened view once: hosts
|
|
995
|
+
* deserialize resume payloads from untyped JSON, so the
|
|
996
|
+
* runtime value can be a typo, the wrong type, or missing
|
|
997
|
+
* entirely. Both the `allowedDecisions` enforcement
|
|
998
|
+
* immediately below and the unknown-type fallthrough at the
|
|
999
|
+
* end of this loop body share this single read so the
|
|
1000
|
+
* fail-closed checks compare against the same source.
|
|
734
1001
|
*/
|
|
735
|
-
|
|
1002
|
+
const declaredType = decision.type;
|
|
1003
|
+
/**
|
|
1004
|
+
* Enforce the per-tool `allowedDecisions` allowlist that the
|
|
1005
|
+
* `PreToolUse` hook surfaced in `review_configs`. The host
|
|
1006
|
+
* UI is supposed to honor this when collecting the user's
|
|
1007
|
+
* decision, but the wire is untrusted: a buggy or hostile
|
|
1008
|
+
* host could submit a decision type the policy explicitly
|
|
1009
|
+
* forbids (e.g. `'edit'` when the hook restricted to
|
|
1010
|
+
* `['approve', 'reject']`), bypassing argument-mutation /
|
|
1011
|
+
* response-substitution safeguards. Fail closed when the
|
|
1012
|
+
* declared type isn't in the allowlist.
|
|
1013
|
+
*/
|
|
1014
|
+
if (allowedDecisions != null &&
|
|
1015
|
+
(typeof declaredType !== 'string' ||
|
|
1016
|
+
!allowedDecisions.includes(declaredType))) {
|
|
1017
|
+
const offered = typeof declaredType === 'string' ? declaredType : '<missing>';
|
|
1018
|
+
blockEntry(entry, `Decision "${offered}" not in allowedDecisions [${allowedDecisions.join(', ')}] — failing closed`);
|
|
1019
|
+
continue;
|
|
1020
|
+
}
|
|
1021
|
+
if (decision.type === 'reject') {
|
|
1022
|
+
blockEntry(entry, decision.reason ?? askReason ?? 'Rejected by user');
|
|
1023
|
+
continue;
|
|
1024
|
+
}
|
|
1025
|
+
/**
|
|
1026
|
+
* `respond` short-circuits tool execution: the human supplies
|
|
1027
|
+
* the result the model should see in place of running the
|
|
1028
|
+
* tool. We emit a successful `ToolMessage` directly and skip
|
|
1029
|
+
* dispatch — no host event fires, no real tool side effect
|
|
1030
|
+
* occurs. Mirrors LangChain HITL middleware semantics.
|
|
1031
|
+
*/
|
|
1032
|
+
if (decision.type === 'respond') {
|
|
736
1033
|
/**
|
|
737
|
-
*
|
|
738
|
-
*
|
|
739
|
-
*
|
|
740
|
-
*
|
|
741
|
-
*
|
|
742
|
-
*
|
|
1034
|
+
* Validate the wire shape before touching it: hosts
|
|
1035
|
+
* deserialize resume payloads from untyped JSON, so a
|
|
1036
|
+
* malformed `{ type: 'respond' }` (no `responseText`) or
|
|
1037
|
+
* `{ type: 'respond', responseText: 42 }` would crash
|
|
1038
|
+
* `truncateToolResultContent` (which calls
|
|
1039
|
+
* `content.length`) and turn a fail-closed approval path
|
|
1040
|
+
* into a hard run failure. Route bad shapes through
|
|
1041
|
+
* `blockEntry` like any other unusable decision.
|
|
743
1042
|
*/
|
|
744
|
-
const
|
|
745
|
-
|
|
746
|
-
|
|
747
|
-
|
|
748
|
-
|
|
749
|
-
if (entry.call.id != null) {
|
|
750
|
-
if (unresolved.length > 0) {
|
|
751
|
-
unresolvedByCallId.set(entry.call.id, unresolved);
|
|
752
|
-
}
|
|
753
|
-
else {
|
|
754
|
-
unresolvedByCallId.delete(entry.call.id);
|
|
755
|
-
}
|
|
1043
|
+
const responseText = decision
|
|
1044
|
+
.responseText;
|
|
1045
|
+
if (typeof responseText !== 'string') {
|
|
1046
|
+
blockEntry(entry, `Decision "respond" missing string responseText (got ${describeOfferedShape(responseText)}) — failing closed`);
|
|
1047
|
+
continue;
|
|
756
1048
|
}
|
|
1049
|
+
/**
|
|
1050
|
+
* Truncate the human-supplied text just like the success
|
|
1051
|
+
* path does for real tool output. Without this, a user
|
|
1052
|
+
* pasting a large document as a manual response bypasses
|
|
1053
|
+
* `maxToolResultChars` and can blow past the model's
|
|
1054
|
+
* context window. The PostToolBatch entry surfaces the
|
|
1055
|
+
* truncated text too so batch hooks see what the model
|
|
1056
|
+
* will actually see.
|
|
1057
|
+
*/
|
|
1058
|
+
const truncatedResponse = truncateToolResultContent(responseText, this.maxToolResultChars);
|
|
1059
|
+
messageByCallId.set(entry.call.id, new ToolMessage({
|
|
1060
|
+
status: 'success',
|
|
1061
|
+
content: truncatedResponse,
|
|
1062
|
+
name: entry.call.name,
|
|
1063
|
+
tool_call_id: entry.call.id,
|
|
1064
|
+
}));
|
|
1065
|
+
postToolBatchEntryByCallId.set(entry.call.id, {
|
|
1066
|
+
toolName: entry.call.name,
|
|
1067
|
+
toolInput: entry.args,
|
|
1068
|
+
toolUseId: entry.call.id,
|
|
1069
|
+
stepId: entry.stepId,
|
|
1070
|
+
turn: this.toolUsageCount.get(entry.call.name) ?? 0,
|
|
1071
|
+
status: 'success',
|
|
1072
|
+
toolOutput: truncatedResponse,
|
|
1073
|
+
});
|
|
1074
|
+
/**
|
|
1075
|
+
* Safe to dispatch immediately — unlike `blockEntry` which
|
|
1076
|
+
* defers, `respond` only executes inside the decision-
|
|
1077
|
+
* processing loop, which is reachable only AFTER
|
|
1078
|
+
* `interrupt()` has returned (the resume pass). There is
|
|
1079
|
+
* no risk of being rolled back by a subsequent throw, so
|
|
1080
|
+
* no risk of a duplicate `ON_RUN_STEP_COMPLETED` event.
|
|
1081
|
+
*/
|
|
1082
|
+
this.dispatchStepCompleted(entry.call.id, entry.call.name, entry.args, truncatedResponse, config);
|
|
1083
|
+
continue;
|
|
757
1084
|
}
|
|
758
|
-
|
|
759
|
-
|
|
1085
|
+
if (decision.type === 'edit') {
|
|
1086
|
+
/**
|
|
1087
|
+
* Validate the wire shape before touching it: hosts
|
|
1088
|
+
* deserialize resume payloads from untyped JSON, so a
|
|
1089
|
+
* malformed `{ type: 'edit' }` (no `updatedInput`),
|
|
1090
|
+
* `{ type: 'edit', updatedInput: 'string' }` (non-object),
|
|
1091
|
+
* or `{ type: 'edit', updatedInput: [...] }` (array, not a
|
|
1092
|
+
* plain object) would feed garbage into
|
|
1093
|
+
* `applyInputOverride` and silently approve a tool with
|
|
1094
|
+
* undefined / wrong-shape args. Same trust boundary as
|
|
1095
|
+
* the `respond` validation above — fail closed via
|
|
1096
|
+
* `blockEntry` with a diagnostic.
|
|
1097
|
+
*/
|
|
1098
|
+
const updatedInput = decision
|
|
1099
|
+
.updatedInput;
|
|
1100
|
+
if (updatedInput === null ||
|
|
1101
|
+
typeof updatedInput !== 'object' ||
|
|
1102
|
+
Array.isArray(updatedInput)) {
|
|
1103
|
+
blockEntry(entry, `Decision "edit" missing object updatedInput (got ${describeOfferedShape(updatedInput)}) — failing closed`);
|
|
1104
|
+
continue;
|
|
1105
|
+
}
|
|
1106
|
+
applyInputOverride(entry, updatedInput);
|
|
1107
|
+
approvedEntries.push(entry);
|
|
1108
|
+
continue;
|
|
760
1109
|
}
|
|
1110
|
+
/**
|
|
1111
|
+
* Defensive type widening: hosts deserialize resume payloads
|
|
1112
|
+
* from untyped JSON, so the `decision.type` value at runtime
|
|
1113
|
+
* is whatever string the wire sent — not necessarily one of
|
|
1114
|
+
* the four union variants TS knows about. We compare against
|
|
1115
|
+
* the literal `'approve'` through the widened `declaredType`
|
|
1116
|
+
* captured at the top of this iteration, so a typo or schema
|
|
1117
|
+
* drift (`'aproved'`, `null`, `undefined`) hits the fail-
|
|
1118
|
+
* closed branch below instead of silently approving the
|
|
1119
|
+
* tool. Without this widening, TS narrows the union after
|
|
1120
|
+
* the three earlier branches and treats `=== 'approve'` as
|
|
1121
|
+
* trivially true.
|
|
1122
|
+
*/
|
|
1123
|
+
if (declaredType === 'approve') {
|
|
1124
|
+
approvedEntries.push(entry);
|
|
1125
|
+
continue;
|
|
1126
|
+
}
|
|
1127
|
+
/**
|
|
1128
|
+
* Unknown / missing decision type — fail closed. The whole
|
|
1129
|
+
* point of an approval gate is that "no decision" or
|
|
1130
|
+
* "garbled decision" deny by default.
|
|
1131
|
+
*/
|
|
1132
|
+
const unknownType = typeof declaredType === 'string' ? declaredType : '<missing>';
|
|
1133
|
+
blockEntry(entry, `Unknown approval decision type "${unknownType}" — failing closed`);
|
|
761
1134
|
}
|
|
762
|
-
approvedEntries.push(entry);
|
|
763
1135
|
}
|
|
1136
|
+
/**
|
|
1137
|
+
* Flush deferred denial side effects exactly once. On the FIRST
|
|
1138
|
+
* pass through a batch that contains an `ask`, `interrupt()`
|
|
1139
|
+
* threw above and we never reach this line — so no
|
|
1140
|
+
* `ON_RUN_STEP_COMPLETED` / `PermissionDenied` events fire
|
|
1141
|
+
* for blocked tools yet. On resume the node re-executes from
|
|
1142
|
+
* scratch, `blockEntry` re-queues the same entries, and the
|
|
1143
|
+
* flush below dispatches them once. For batches without any
|
|
1144
|
+
* `ask` (deny-only or empty), the flush still runs here and
|
|
1145
|
+
* dispatches in the same relative position as the pre-deferral
|
|
1146
|
+
* code did (after hook processing, before tool execution).
|
|
1147
|
+
*/
|
|
1148
|
+
flushDeferredBlockedSideEffects();
|
|
764
1149
|
}
|
|
765
1150
|
else {
|
|
766
1151
|
approvedEntries.push(...preToolCalls);
|
|
@@ -829,6 +1214,15 @@ class ToolNode extends RunnableCallable {
|
|
|
829
1214
|
const toolName = request?.name ?? 'unknown';
|
|
830
1215
|
let contentString;
|
|
831
1216
|
let toolMessage;
|
|
1217
|
+
/**
|
|
1218
|
+
* Tracks the post-PostToolUse-hook output so the
|
|
1219
|
+
* `PostToolBatch` entry below sees the final transformed value
|
|
1220
|
+
* even when a hook replaced the original via `updatedOutput`.
|
|
1221
|
+
* Lives at the loop-iteration scope so the success branch can
|
|
1222
|
+
* mutate it; the error branch leaves it unset (and the batch
|
|
1223
|
+
* entry uses `error` instead of `toolOutput` in that case).
|
|
1224
|
+
*/
|
|
1225
|
+
let finalToolOutput = result.content;
|
|
832
1226
|
if (result.status === 'error') {
|
|
833
1227
|
contentString = `Error: ${result.errorMessage ?? 'Unknown error'}\n Please fix your mistakes.`;
|
|
834
1228
|
/**
|
|
@@ -852,7 +1246,7 @@ class ToolNode extends RunnableCallable {
|
|
|
852
1246
|
}),
|
|
853
1247
|
});
|
|
854
1248
|
if (hasFailureHook) {
|
|
855
|
-
await executeHooks({
|
|
1249
|
+
const failureHookResult = await executeHooks({
|
|
856
1250
|
registry: this.hookRegistry,
|
|
857
1251
|
input: {
|
|
858
1252
|
hook_event_name: 'PostToolUseFailure',
|
|
@@ -868,9 +1262,21 @@ class ToolNode extends RunnableCallable {
|
|
|
868
1262
|
},
|
|
869
1263
|
sessionId: runId,
|
|
870
1264
|
matchQuery: toolName,
|
|
871
|
-
}).catch(() =>
|
|
872
|
-
|
|
873
|
-
|
|
1265
|
+
}).catch(() => undefined);
|
|
1266
|
+
/**
|
|
1267
|
+
* Collect `additionalContext` from failure hooks too. Without
|
|
1268
|
+
* this, recovery guidance returned on tool errors (e.g.
|
|
1269
|
+
* "if this tool errors with X, suggest Y to the user") is
|
|
1270
|
+
* silently dropped even though the API surface advertises
|
|
1271
|
+
* `additionalContext` for this event. PostToolUseFailure
|
|
1272
|
+
* remains observational for errors thrown by the hook
|
|
1273
|
+
* itself, but a successfully-returned result is honored.
|
|
1274
|
+
*/
|
|
1275
|
+
if (failureHookResult != null) {
|
|
1276
|
+
for (const ctx of failureHookResult.additionalContexts) {
|
|
1277
|
+
batchAdditionalContexts.push(ctx);
|
|
1278
|
+
}
|
|
1279
|
+
}
|
|
874
1280
|
}
|
|
875
1281
|
}
|
|
876
1282
|
else {
|
|
@@ -896,12 +1302,18 @@ class ToolNode extends RunnableCallable {
|
|
|
896
1302
|
sessionId: runId,
|
|
897
1303
|
matchQuery: toolName,
|
|
898
1304
|
}).catch(() => undefined);
|
|
1305
|
+
if (hookResult != null) {
|
|
1306
|
+
for (const ctx of hookResult.additionalContexts) {
|
|
1307
|
+
batchAdditionalContexts.push(ctx);
|
|
1308
|
+
}
|
|
1309
|
+
}
|
|
899
1310
|
if (hookResult?.updatedOutput != null) {
|
|
900
1311
|
const replaced = typeof hookResult.updatedOutput === 'string'
|
|
901
1312
|
? hookResult.updatedOutput
|
|
902
1313
|
: JSON.stringify(hookResult.updatedOutput);
|
|
903
1314
|
registryRaw = replaced;
|
|
904
1315
|
contentString = truncateToolResultContent(replaced, this.maxToolResultChars);
|
|
1316
|
+
finalToolOutput = hookResult.updatedOutput;
|
|
905
1317
|
}
|
|
906
1318
|
}
|
|
907
1319
|
const batchIndex = batchIndexByCallId.get(result.toolCallId);
|
|
@@ -924,14 +1336,98 @@ class ToolNode extends RunnableCallable {
|
|
|
924
1336
|
});
|
|
925
1337
|
}
|
|
926
1338
|
this.dispatchStepCompleted(result.toolCallId, toolName, request?.args ?? {}, contentString, config, request?.turn);
|
|
1339
|
+
postToolBatchEntryByCallId.set(result.toolCallId, {
|
|
1340
|
+
toolName,
|
|
1341
|
+
toolInput: request?.args ?? {},
|
|
1342
|
+
toolUseId: result.toolCallId,
|
|
1343
|
+
stepId: request?.stepId,
|
|
1344
|
+
turn: request?.turn,
|
|
1345
|
+
status: result.status === 'error' ? 'error' : 'success',
|
|
1346
|
+
...(result.status === 'error'
|
|
1347
|
+
? { error: result.errorMessage ?? 'Unknown error' }
|
|
1348
|
+
: { toolOutput: finalToolOutput }),
|
|
1349
|
+
});
|
|
927
1350
|
messageByCallId.set(result.toolCallId, toolMessage);
|
|
928
1351
|
}
|
|
929
1352
|
}
|
|
930
1353
|
const toolMessages = toolCalls
|
|
931
1354
|
.map((call) => messageByCallId.get(call.id))
|
|
932
1355
|
.filter((m) => m != null);
|
|
1356
|
+
await this.dispatchPostToolBatchAndInjectContext({
|
|
1357
|
+
toolCalls,
|
|
1358
|
+
entriesByCallId: postToolBatchEntryByCallId,
|
|
1359
|
+
batchAdditionalContexts,
|
|
1360
|
+
injected,
|
|
1361
|
+
runId,
|
|
1362
|
+
threadId,
|
|
1363
|
+
});
|
|
933
1364
|
return { toolMessages, injected };
|
|
934
1365
|
}
|
|
1366
|
+
/**
|
|
1367
|
+
* Fires the `PostToolBatch` hook (if registered) and appends the
|
|
1368
|
+
* accumulated batch-level `additionalContext` strings to `injected`
|
|
1369
|
+
* as a single `HumanMessage`. Entries are materialized in the
|
|
1370
|
+
* original `toolCalls` order so hooks correlating outcomes by
|
|
1371
|
+
* position (as the type docs promise) see exactly the sequence
|
|
1372
|
+
* the model emitted, regardless of when each individual outcome
|
|
1373
|
+
* was recorded into the map (deny synchronous, approved
|
|
1374
|
+
* post-execution, respond on resume).
|
|
1375
|
+
*
|
|
1376
|
+
* The PostToolBatch hook's `additionalContexts` flow into the same
|
|
1377
|
+
* batch accumulator per-tool hooks already use, so a single
|
|
1378
|
+
* batch-level convention message can be injected through one path.
|
|
1379
|
+
*
|
|
1380
|
+
* Mutates `batchAdditionalContexts` (push from batch hook) and
|
|
1381
|
+
* `injected` (push the consolidated HumanMessage). The caller owns
|
|
1382
|
+
* those arrays and consumes them right after this returns.
|
|
1383
|
+
*/
|
|
1384
|
+
async dispatchPostToolBatchAndInjectContext(args) {
|
|
1385
|
+
const { toolCalls, entriesByCallId, batchAdditionalContexts, injected, runId, threadId, } = args;
|
|
1386
|
+
const orderedBatchEntries = [];
|
|
1387
|
+
for (const call of toolCalls) {
|
|
1388
|
+
const callId = call.id;
|
|
1389
|
+
if (callId == null) {
|
|
1390
|
+
continue;
|
|
1391
|
+
}
|
|
1392
|
+
const entry = entriesByCallId.get(callId);
|
|
1393
|
+
if (entry != null) {
|
|
1394
|
+
orderedBatchEntries.push(entry);
|
|
1395
|
+
}
|
|
1396
|
+
}
|
|
1397
|
+
if (this.hookRegistry?.hasHookFor('PostToolBatch', runId) === true &&
|
|
1398
|
+
orderedBatchEntries.length > 0) {
|
|
1399
|
+
const batchHookResult = await executeHooks({
|
|
1400
|
+
registry: this.hookRegistry,
|
|
1401
|
+
input: {
|
|
1402
|
+
hook_event_name: 'PostToolBatch',
|
|
1403
|
+
runId,
|
|
1404
|
+
threadId,
|
|
1405
|
+
agentId: this.agentId,
|
|
1406
|
+
entries: orderedBatchEntries,
|
|
1407
|
+
},
|
|
1408
|
+
sessionId: runId,
|
|
1409
|
+
}).catch(() => undefined);
|
|
1410
|
+
if (batchHookResult != null) {
|
|
1411
|
+
for (const ctx of batchHookResult.additionalContexts) {
|
|
1412
|
+
batchAdditionalContexts.push(ctx);
|
|
1413
|
+
}
|
|
1414
|
+
}
|
|
1415
|
+
}
|
|
1416
|
+
if (batchAdditionalContexts.length > 0) {
|
|
1417
|
+
/**
|
|
1418
|
+
* `HumanMessage` carrying a metadata `role: 'system'` marker —
|
|
1419
|
+
* see `convertInjectedMessages` for the wider rationale. Anthropic
|
|
1420
|
+
* and Google reject mid-conversation `SystemMessage`s, so we use
|
|
1421
|
+
* a user-role message and surface the system intent through
|
|
1422
|
+
* `additional_kwargs` for hosts inspecting state. The model sees
|
|
1423
|
+
* a user message; `role` is metadata only.
|
|
1424
|
+
*/
|
|
1425
|
+
injected.push(new HumanMessage({
|
|
1426
|
+
content: batchAdditionalContexts.join('\n\n'),
|
|
1427
|
+
additional_kwargs: { role: 'system', source: 'hook' },
|
|
1428
|
+
}));
|
|
1429
|
+
}
|
|
1430
|
+
}
|
|
935
1431
|
dispatchStepCompleted(toolCallId, toolName, args, output, config, turn) {
|
|
936
1432
|
const stepId = this.toolCallStepIds?.get(toolCallId) ?? '';
|
|
937
1433
|
if (!stepId) {
|