PyPI - hexgate - Versions diffs - 0.1.1__py3-none-any.whl - Mend

hexgate 0.1.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (98) hide show

fortify/__init__.py +78 -0
fortify/adapters/__init__.py +0 -0
fortify/adapters/google/__init__.py +3 -0
fortify/adapters/google/runner.py +106 -0
fortify/adapters/google/tools.py +57 -0
fortify/adapters/google/wrapper.py +47 -0
fortify/adapters/langchain/__init__.py +7 -0
fortify/adapters/langchain/agent.py +133 -0
fortify/adapters/langchain/tools.py +248 -0
fortify/adapters/langchain/wrapper.py +70 -0
fortify/adapters/openai/__init__.py +3 -0
fortify/adapters/openai/runner.py +125 -0
fortify/adapters/openai/tools.py +57 -0
fortify/adapters/openai/wrapper.py +47 -0
fortify/adapters/pydantic_ai/__init__.py +7 -0
fortify/adapters/pydantic_ai/agent.py +111 -0
fortify/adapters/pydantic_ai/tools.py +40 -0
fortify/adapters/pydantic_ai/wrapper.py +94 -0
fortify/agents/__init__.py +57 -0
fortify/agents/builtin/__init__.py +1 -0
fortify/agents/builtin/researcher/agent.yaml +7 -0
fortify/agents/builtin/researcher/policy.yaml +10 -0
fortify/agents/builtin/researcher/system.md +5 -0
fortify/agents/factory.py +683 -0
fortify/agents/loader.py +790 -0
fortify/agents/models.py +17 -0
fortify/agents/prompts/agent_system.md +14 -0
fortify/audit.py +292 -0
fortify/bootstrap.py +32 -0
fortify/cli/__init__.py +42 -0
fortify/cli/_common.py +306 -0
fortify/cli/chat.py +282 -0
fortify/cli/policy/__init__.py +17 -0
fortify/cli/policy/main.py +527 -0
fortify/cli/register/__init__.py +8 -0
fortify/cli/register/fortify.py +139 -0
fortify/cli/register/google.py +104 -0
fortify/cli/register/langchain.py +76 -0
fortify/cli/register/main.py +113 -0
fortify/cli/register/manifest.py +65 -0
fortify/cli/register/models.py +107 -0
fortify/cli/register/openai.py +78 -0
fortify/cli/register/pydantic_ai.py +114 -0
fortify/cli/register/register.py +71 -0
fortify/cli/serve.py +337 -0
fortify/cli/state.py +156 -0
fortify/cloud/__init__.py +32 -0
fortify/cloud/attenuate.py +105 -0
fortify/cloud/biscuit.py +172 -0
fortify/cloud/client.py +327 -0
fortify/config/__init__.py +1 -0
fortify/config/settings.py +50 -0
fortify/runtime/__init__.py +53 -0
fortify/runtime/command_policy.py +289 -0
fortify/runtime/context.py +129 -0
fortify/runtime/sandbox_runtime.py +115 -0
fortify/runtime/srt.py +88 -0
fortify/runtime/workspace.py +330 -0
fortify/security/__init__.py +141 -0
fortify/security/bundle.py +399 -0
fortify/security/constraints.py +252 -0
fortify/security/decision.py +145 -0
fortify/security/enforcer.py +83 -0
fortify/security/errors.py +11 -0
fortify/security/file_scope.py +78 -0
fortify/security/models.py +59 -0
fortify/security/policy.py +182 -0
fortify/security/policy_set.py +266 -0
fortify/security/rego.py +334 -0
fortify/security/rego_wasm.py +213 -0
fortify/security/signing.py +122 -0
fortify/security/source.py +372 -0
fortify/security/wasm_engine.py +486 -0
fortify/streaming/__init__.py +57 -0
fortify/streaming/events.py +206 -0
fortify/streaming/normalize.py +429 -0
fortify/tools/__init__.py +21 -0
fortify/tools/bash.py +49 -0
fortify/tools/decorators.py +158 -0
fortify/tools/fetch.py +72 -0
fortify/tools/files/__init__.py +9 -0
fortify/tools/files/_common.py +35 -0
fortify/tools/files/edit_file.py +57 -0
fortify/tools/files/glob.py +48 -0
fortify/tools/files/grep.py +91 -0
fortify/tools/files/read_file.py +39 -0
fortify/tools/files/write_file.py +36 -0
fortify/tools/refund.py +53 -0
fortify/tools/websearch.py +72 -0
fortify/tracing/__init__.py +1 -0
fortify/tracing/langfuse.py +68 -0
fortify/utils/__init__.py +1 -0
fortify/utils/retry.py +58 -0
hexgate-0.1.1.dist-info/METADATA +1440 -0
hexgate-0.1.1.dist-info/RECORD +98 -0
hexgate-0.1.1.dist-info/WHEEL +5 -0
hexgate-0.1.1.dist-info/entry_points.txt +2 -0
hexgate-0.1.1.dist-info/top_level.txt +1 -0

fortify/__init__.py ADDED Viewed

@@ -0,0 +1,78 @@
+"""Public package surface for fortify."""
+from fortify.agents.factory import (
+    create_agent,
+    enforce_policy,
+    invoke_agent,
+    stream_agent,
+    stream_agent_raw,
+)
+from fortify.agents.loader import (
+    clear_registered_agents,
+    list_available_agents,
+    list_builtin_agents,
+    list_local_agents,
+    list_registered_agents,
+    load_agent,
+    load_builtin_agent,
+    load_fortify_agent,
+    load_local_agent,
+    load_registered_agent,
+    register_agent,
+    unregister_agent,
+)
+from fortify.cli.register import AgentManifest, create_manifest
+from fortify.cloud import FortifyClient, FortifyConfig
+from fortify.runtime import LocalWorkspace, ToolUseContext, User, Workspace
+from fortify.security import AgentPolicy
+from fortify.tools import (
+    agent_tool,
+    bash,
+    edit_file,
+    glob,
+    grep,
+    read_file,
+    refund_order,
+    write_file,
+)
+from fortify.tools.fetch import fetch
+from fortify.tools.websearch import web_search
+__all__ = [
+    "AgentManifest",
+    "AgentPolicy",
+    "FortifyClient",
+    "FortifyConfig",
+    "LocalWorkspace",
+    "ToolUseContext",
+    "User",
+    "Workspace",
+    "agent_tool",
+    "bash",
+    "edit_file",
+    "clear_registered_agents",
+    "create_agent",
+    "create_manifest",
+    "enforce_policy",
+    "fetch",
+    "glob",
+    "grep",
+    "invoke_agent",
+    "list_available_agents",
+    "list_builtin_agents",
+    "list_local_agents",
+    "list_registered_agents",
+    "load_agent",
+    "load_builtin_agent",
+    "load_fortify_agent",
+    "load_local_agent",
+    "load_registered_agent",
+    "register_agent",
+    "read_file",
+    "refund_order",
+    "stream_agent",
+    "stream_agent_raw",
+    "unregister_agent",
+    "web_search",
+    "write_file",
+]

fortify/adapters/__init__.py ADDED Viewed

File without changes

fortify/adapters/google/__init__.py ADDED Viewed

@@ -0,0 +1,3 @@
+from fortify.adapters.google.runner import FortifyRunner
+__all__ = ["FortifyRunner"]

fortify/adapters/google/runner.py ADDED Viewed

@@ -0,0 +1,106 @@
+"""Google ADK ``Runner`` wrapper: opens a :class:`User` scope around each
+``Runner.run*`` call so the wrapped tools' enforcers can resolve the
+active role. Langfuse propagation mirrors User identity into spans.
+"""
+import asyncio
+import os
+from contextlib import contextmanager
+from typing import Any, AsyncGenerator, Generator
+import nest_asyncio
+from google.adk.agents import BaseAgent
+from google.adk.runners import Runner
+from google.adk.sessions import BaseSessionService
+from google.genai import types
+from langfuse import get_client, propagate_attributes
+from openinference.instrumentation.google_adk import GoogleADKInstrumentor
+from fortify.adapters.google.wrapper import wrap_google_agent
+from fortify.runtime import User
+class FortifyRunner:
+    """Runner for Google ADK agents with Fortify tool policy and observability."""
+    def __init__(
+        self,
+        *,
+        agent: BaseAgent,
+        app_name: str,
+        session_service: BaseSessionService,
+        api_key: str | None = None,
+        **runner_kwargs: Any,
+    ):
+        self.api_key = api_key or os.getenv("FORTIFY_KEY")
+        if self.api_key is None:
+            raise ValueError(
+                "FORTIFY_KEY is not set. Pass api_key= explicitly or set FORTIFY_KEY environment variable."
+            )
+        # Policy is baked at construction; the Runner is built once and reused
+        # since role resolution happens at call time via the User contextvar.
+        self._wrapped_agent = wrap_google_agent(agent, api_key=self.api_key)
+        self._runner = Runner(
+            agent=self._wrapped_agent,
+            app_name=app_name,
+            session_service=session_service,
+            **runner_kwargs,
+        )
+        self._agent_name = getattr(agent, "name", "default")
+    def _setup_observability(self):
+        """Install Langfuse + GoogleADKInstrumentor (idempotent)."""
+        try:
+            asyncio.get_running_loop()
+        except RuntimeError:
+            # No running loop: safe to patch (and only useful for sync entry points).
+            # Patching a live loop breaks asyncio.current_task() on Python 3.12+.
+            nest_asyncio.apply()
+        get_client()
+        GoogleADKInstrumentor().instrument()
+    @contextmanager
+    def _propagate(self, user: User):
+        """Propagate User identity into Langfuse spans for the block."""
+        kwargs: dict[str, Any] = {"tags": [f"google.runner.run.{self._agent_name}"]}
+        kwargs["user_id"] = user.user_id
+        kwargs["session_id"] = user.session_id
+        kwargs["metadata"] = {"user_role": user.role}
+        with propagate_attributes(**kwargs):
+            yield
+    def run(
+        self,
+        *,
+        new_message: types.Content,
+        user: User,
+        **kwargs: Any,
+    ) -> Generator[Any, None, None]:
+        """Run the Google ADK agent synchronously, yielding events."""
+        self._setup_observability()
+        with user.sync_scope(), self._propagate(user):
+            yield from self._runner.run(
+                user_id=user.user_id,
+                session_id=user.session_id,
+                new_message=new_message,
+                **kwargs,
+            )
+    async def run_async(
+        self,
+        *,
+        new_message: types.Content | None = None,
+        user: User,
+        **kwargs: Any,
+    ) -> AsyncGenerator[Any, None]:
+        """Run the Google ADK agent asynchronously, yielding events."""
+        self._setup_observability()
+        async with user:
+            with self._propagate(user):
+                async for event in self._runner.run_async(
+                    user_id=user.user_id,
+                    session_id=user.session_id,
+                    new_message=new_message,
+                    **kwargs,
+                ):
+                    yield event

fortify/adapters/google/tools.py ADDED Viewed

@@ -0,0 +1,57 @@
+"""Google ADK adapter: wrap ``BaseTool`` so ``run_async`` consults a
+:class:`PolicyEnforcer` first. Non-allow outcomes render as markered
+strings the model sees as tool output.
+"""
+from __future__ import annotations
+import copy
+import functools
+from collections.abc import Callable
+from typing import Any, Union
+from google.adk.tools.base_tool import BaseTool
+from google.adk.tools.function_tool import FunctionTool
+from google.adk.tools.tool_context import ToolContext
+from fortify.security.enforcer import PolicyEnforcer
+ToolEntry = Union[BaseTool, Callable[..., Any]]
+def _normalize(tool: ToolEntry) -> BaseTool:
+    """Coerce a tool entry into a ``BaseTool`` (plain callables → FunctionTool)."""
+    if isinstance(tool, BaseTool):
+        return tool
+    if callable(tool):
+        return FunctionTool(func=tool)
+    raise TypeError(
+        f"Cannot install policy on tool {tool!r}: expected google.adk BaseTool "
+        f"or callable, got {type(tool).__name__}."
+    )
+def wrap_tool(tool: ToolEntry, enforcer: PolicyEnforcer) -> BaseTool:
+    """Return a copy of ``tool`` with ``run_async`` gated by ``enforcer``."""
+    base = _normalize(tool)
+    name = base.name
+    original_run_async = base.run_async
+    @functools.wraps(original_run_async, updated=())
+    async def guarded_run_async(
+        *, args: dict[str, Any], tool_context: ToolContext
+    ) -> Any:
+        decision = enforcer.decide(name, args or {})
+        if decision.allowed:
+            return await original_run_async(args=args, tool_context=tool_context)
+        return decision.as_error_message()
+    wrapped = copy.copy(base)
+    wrapped.run_async = guarded_run_async
+    return wrapped
+def wrap_tools(tools: list[ToolEntry], enforcer: PolicyEnforcer) -> list[BaseTool]:
+    """Return a fresh list of policy-gated copies."""
+    return [wrap_tool(t, enforcer) for t in tools]

fortify/adapters/google/wrapper.py ADDED Viewed

@@ -0,0 +1,47 @@
+"""Google ADK adapter: build a :class:`PolicySet`, construct one
+:class:`PolicyEnforcer`, and return a clone of the agent whose tools
+are policy-gated. User-agnostic at wrap time — role resolution happens
+inside the enforcer via the :class:`User` contextvar.
+"""
+from __future__ import annotations
+from google.adk.agents import BaseAgent
+from fortify import audit
+from fortify.adapters.google.tools import wrap_tools
+from fortify.security import AgentPolicy, BaseToolPolicy, PolicySet
+from fortify.security.enforcer import PolicyEnforcer
+from fortify.security.policy_set import DEFAULT_ROLE_NAME
+def build_policy_set(
+    api_key: str,  # noqa: ARG001 — reserved for the future Fortify-cloud fetch
+    agent_name: str,  # noqa: ARG001 — same
+    tool_names: list[str],
+) -> PolicySet:
+    """Placeholder allow-all one-role bundle. TODO: cloud-fetch via FortifyClient."""
+    default_policy = AgentPolicy(
+        tools={name: BaseToolPolicy(mode="allow") for name in tool_names}
+    )
+    return PolicySet({DEFAULT_ROLE_NAME: default_policy})
+def wrap_google_agent(agent: BaseAgent, *, api_key: str) -> BaseAgent:
+    """Return a clone of ``agent`` with policy-gated tools.
+    Caller must open a :class:`User` scope around the run.
+    ``NEEDS_APPROVAL`` outcomes surface as ``[approval_required]``-prefixed
+    strings in tool results; ``[policy_denied]`` for denials.
+    """
+    audit_sender = audit.configure(api_key)
+    agent_name = getattr(agent, "name", "default")
+    tools = list(getattr(agent, "tools", []) or [])
+    tool_names = [getattr(t, "name", getattr(t, "__name__", "tool")) for t in tools]
+    policy_set = build_policy_set(api_key, agent_name, tool_names)
+    enforcer = PolicyEnforcer(
+        policy_set, agent_name=agent_name, audit_sender=audit_sender
+    )
+    guarded_tools = wrap_tools(tools, enforcer)
+    return agent.model_copy(update={"tools": guarded_tools})

fortify/adapters/langchain/__init__.py ADDED Viewed

@@ -0,0 +1,7 @@
+from fortify.adapters.langchain.agent import FortifyLangchainAgent
+from fortify.adapters.langchain.wrapper import wrap_langchain_agent
+__all__ = [
+    "FortifyLangchainAgent",
+    "wrap_langchain_agent",
+]

fortify/adapters/langchain/agent.py ADDED Viewed

@@ -0,0 +1,133 @@
+"""Proxy around a pre-built ``CompiledStateGraph`` for Fortify-aware calls."""
+from __future__ import annotations
+from typing import Any, AsyncIterator, Iterator
+from langchain_core.runnables import RunnableConfig
+from langfuse import get_client, propagate_attributes
+from langfuse.langchain import CallbackHandler
+from langgraph.graph.state import CompiledStateGraph
+from fortify.runtime import User
+class FortifyLangchainAgent:
+    """Proxy around a ``CompiledStateGraph`` that opens a User scope per call.
+    Tools are already enforcer-installed at construction (by
+    :func:`wrap_langchain_agent`). This proxy pushes the active
+    :class:`User` onto the contextvar and propagates identity into
+    Langfuse spans. ``user`` is per-call, so one proxy serves many
+    users concurrently.
+    """
+    def __init__(
+        self,
+        *,
+        agent: CompiledStateGraph,
+        api_key: str,
+        tool_names: list[str],
+    ) -> None:
+        self._agent = agent
+        self._api_key = api_key
+        self._tool_names = tool_names
+        self._langfuse = get_client()
+        self._callback_handler = CallbackHandler()
+    def _propagate_kwargs(self, user: User, method: str) -> dict[str, Any]:
+        return {
+            "tags": [f"langchain.agent.{method}"],
+            "user_id": user.user_id,
+            "session_id": user.session_id,
+            "metadata": {"user_role": user.role},
+        }
+    def _with_callbacks(self, config: RunnableConfig | None) -> RunnableConfig:
+        """Append the Fortify callback handler to ``config['callbacks']``."""
+        merged: RunnableConfig = dict(config) if config else {}
+        callbacks = list(merged.get("callbacks") or [])
+        if self._callback_handler not in callbacks:
+            callbacks.append(self._callback_handler)
+        merged["callbacks"] = callbacks
+        return merged
+    async def ainvoke(
+        self,
+        input: dict[str, Any],
+        *,
+        user: User,
+        config: RunnableConfig | None = None,
+        **kwargs: Any,
+    ) -> dict[str, Any]:
+        """Invoke the agent asynchronously inside a User scope."""
+        async with user:
+            with propagate_attributes(**self._propagate_kwargs(user, "ainvoke")):
+                return await self._agent.ainvoke(
+                    input, self._with_callbacks(config), **kwargs
+                )
+    def invoke(
+        self,
+        input: dict[str, Any],
+        *,
+        user: User,
+        config: RunnableConfig | None = None,
+        **kwargs: Any,
+    ) -> dict[str, Any]:
+        """Invoke the agent synchronously inside a User scope."""
+        with user.sync_scope():
+            with propagate_attributes(**self._propagate_kwargs(user, "invoke")):
+                return self._agent.invoke(input, self._with_callbacks(config), **kwargs)
+    async def astream(
+        self,
+        input: dict[str, Any],
+        *,
+        user: User,
+        config: RunnableConfig | None = None,
+        **kwargs: Any,
+    ) -> AsyncIterator[dict[str, Any]]:
+        """Stream the agent asynchronously inside a User scope."""
+        async with user:
+            with propagate_attributes(**self._propagate_kwargs(user, "astream")):
+                async for chunk in self._agent.astream(
+                    input, self._with_callbacks(config), **kwargs
+                ):
+                    yield chunk
+    def stream(
+        self,
+        input: dict[str, Any],
+        *,
+        user: User,
+        config: RunnableConfig | None = None,
+        **kwargs: Any,
+    ) -> Iterator[dict[str, Any]]:
+        """Stream the agent synchronously inside a User scope."""
+        with user.sync_scope():
+            with propagate_attributes(**self._propagate_kwargs(user, "stream")):
+                yield from self._agent.stream(
+                    input, self._with_callbacks(config), **kwargs
+                )
+    async def astream_events(
+        self,
+        input: dict[str, Any],
+        version: str,
+        *,
+        user: User,
+        config: RunnableConfig | None = None,
+        **kwargs: Any,
+    ) -> AsyncIterator[dict[str, Any]]:
+        """Stream the agent events asynchronously inside a User scope."""
+        async with user:
+            with propagate_attributes(**self._propagate_kwargs(user, "astream_events")):
+                async for event in self._agent.astream_events(
+                    input, version, config=self._with_callbacks(config), **kwargs
+                ):
+                    yield event
+    def __getattr__(self, name: str) -> Any:
+        """Delegate unknown attributes to the wrapped agent."""
+        return getattr(self._agent, name)

fortify/adapters/langchain/tools.py ADDED Viewed

@@ -0,0 +1,248 @@
+"""LangChain adapter for :class:`PolicyEnforcer`.
+:class:`GuardedTool` wraps a ``BaseTool`` (used by
+:meth:`FortifyAgent.enforce_policy`, which rebuilds the graph) and
+carries an optional ``approval_handler`` for inline ``NEEDS_APPROVAL``
+resolution.
+:func:`install_enforcer_on_tool` mutates ``StructuredTool``'s ``func``/
+``coroutine`` in place (used by :func:`wrap_langchain_agent` for
+pre-built ``CompiledStateGraph``s) and always renders non-allow as a
+structured error — approval flows wire in on the host side.
+"""
+from __future__ import annotations
+import functools
+from collections.abc import Awaitable, Callable
+from inspect import isawaitable
+from typing import Any
+from langchain_core.tools import BaseTool
+from langchain_core.tools.structured import StructuredTool
+from pydantic import ConfigDict
+from fortify.agents.factory import ApprovalHandler
+from fortify.security.decision import Decision, DecisionOutcome
+from fortify.security.enforcer import PolicyEnforcer
+from fortify.tools.decorators import TOOL_METADATA_ATTR
+def _copy_tool_metadata(source: Any, target: Any) -> Any:
+    """Copy fortify tool metadata (tracing labels, etc.) onto a wrapper."""
+    metadata = getattr(source, TOOL_METADATA_ATTR, None)
+    if metadata is not None:
+        setattr(target, TOOL_METADATA_ATTR, metadata)
+    return target
+def _resolve_approval_sync(handler: ApprovalHandler, decision: Decision) -> bool:
+    """Resolve a NEEDS_APPROVAL decision in a sync caller (rejects coroutines)."""
+    if isinstance(handler, bool):
+        return handler
+    result = handler(decision)
+    if isawaitable(result):
+        raise RuntimeError(
+            "approval_handler returned a coroutine; sync tool invocation cannot "
+            "await it — use ainvoke/astream/astream_events"
+        )
+    return bool(result)
+async def _resolve_approval_async(handler: ApprovalHandler, decision: Decision) -> bool:
+    """Resolve a NEEDS_APPROVAL decision in an async caller."""
+    if isinstance(handler, bool):
+        return handler
+    result = handler(decision)
+    if isawaitable(result):
+        result = await result
+    return bool(result)
+class GuardedTool(BaseTool):
+    """LangChain tool wrapper that consults a :class:`PolicyEnforcer`.
+    ALLOW delegates to the wrapped tool; non-ALLOW renders
+    ``Decision.as_error_payload()`` so the LLM sees governance failures
+    as tool output. NEEDS_APPROVAL is treated as denial unless
+    ``approval_handler`` (callable taking the :class:`Decision`, or a
+    ``bool`` shorthand) returns truthy.
+    """
+    model_config = ConfigDict(arbitrary_types_allowed=True)
+    wrapped_tool: BaseTool
+    enforcer: PolicyEnforcer | None = None
+    approval_handler: ApprovalHandler | None = None
+    @classmethod
+    def wrap(
+        cls,
+        tool: BaseTool,
+        *,
+        enforcer: PolicyEnforcer | None = None,
+        approval_handler: ApprovalHandler | None = None,
+    ) -> "GuardedTool":
+        """Return a GuardedTool delegating to ``tool`` after policy check.
+        Idempotent re-wrap: an existing ``GuardedTool`` is unwrapped once
+        so enforcers don't stack; fields fall through unless explicitly
+        overridden.
+        """
+        if isinstance(tool, cls):
+            inner = tool.wrapped_tool
+            resolved_enforcer = enforcer if enforcer is not None else tool.enforcer
+            resolved_approval = (
+                approval_handler
+                if approval_handler is not None
+                else tool.approval_handler
+            )
+        else:
+            inner = tool
+            resolved_enforcer = enforcer
+            resolved_approval = approval_handler
+        guarded = cls(
+            name=inner.name,
+            description=inner.description,
+            args_schema=inner.args_schema,
+            return_direct=inner.return_direct,
+            verbose=inner.verbose,
+            callbacks=inner.callbacks,
+            tags=inner.tags,
+            metadata=inner.metadata,
+            handle_tool_error=inner.handle_tool_error,
+            handle_validation_error=inner.handle_validation_error,
+            response_format=inner.response_format,
+            extras=inner.extras,
+            wrapped_tool=inner,
+            enforcer=resolved_enforcer,
+            approval_handler=resolved_approval,
+        )
+        return _copy_tool_metadata(inner, guarded)
+    async def _arun(self, *args: Any, **kwargs: Any) -> Any:
+        if self.enforcer is not None:
+            decision = self.enforcer.decide(self.name, kwargs)
+            if not decision.allowed:
+                if (
+                    decision.outcome is DecisionOutcome.NEEDS_APPROVAL
+                    and self.approval_handler is not None
+                    and await _resolve_approval_async(self.approval_handler, decision)
+                ):
+                    pass  # approved → fall through and invoke
+                else:
+                    return {"ok": False, "error": decision.as_error_payload()}
+        return await self._invoke_wrapped_async(*args, **kwargs)
+    def _run(self, *args: Any, **kwargs: Any) -> Any:
+        if self.enforcer is not None:
+            decision = self.enforcer.decide(self.name, kwargs)
+            if not decision.allowed:
+                if (
+                    decision.outcome is DecisionOutcome.NEEDS_APPROVAL
+                    and self.approval_handler is not None
+                    and _resolve_approval_sync(self.approval_handler, decision)
+                ):
+                    pass
+                else:
+                    return {"ok": False, "error": decision.as_error_payload()}
+        return self._invoke_wrapped_sync(*args, **kwargs)
+    async def _invoke_wrapped_async(self, *args: Any, **kwargs: Any) -> Any:
+        """Call the wrapped tool without re-entering LangChain instrumentation."""
+        if isinstance(self.wrapped_tool, StructuredTool):
+            if self.wrapped_tool.coroutine is not None:
+                return await self.wrapped_tool.coroutine(*args, **kwargs)
+            if self.wrapped_tool.func is not None:
+                return self.wrapped_tool.func(*args, **kwargs)
+        return await self.wrapped_tool._arun(*args, **kwargs)
+    def _invoke_wrapped_sync(self, *args: Any, **kwargs: Any) -> Any:
+        if (
+            isinstance(self.wrapped_tool, StructuredTool)
+            and self.wrapped_tool.func is not None
+        ):
+            return self.wrapped_tool.func(*args, **kwargs)
+        return self.wrapped_tool._run(*args, **kwargs)
+# ---------------------------------------------------------------------------
+# In-place installer for retrofitting existing CompiledStateGraph tools.
+# ---------------------------------------------------------------------------
+_ORIGINAL_FUNC_ATTR = "_fortify_original_func"
+_ORIGINAL_COROUTINE_ATTR = "_fortify_original_coroutine"
+_INSTALLED_ATTR = "_fortify_enforcer_installed"
+def install_enforcer_on_tool(
+    tool: BaseTool,
+    *,
+    enforcer: PolicyEnforcer,
+) -> BaseTool:
+    """Install :class:`PolicyEnforcer` gating on ``tool`` in place.
+    Same semantics as :class:`GuardedTool` but mutates ``StructuredTool``'s
+    ``func``/``coroutine`` instead of constructing a wrapper — use when
+    the tool is already bound to a ``CompiledStateGraph``. Idempotent:
+    re-install restores captured originals first so gates don't stack.
+    Non-allow outcomes render as the structured error dict; approval
+    flows belong on the host side, not on this in-place installer.
+    """
+    name = tool.name
+    original_func: Callable[..., Any] | None = getattr(tool, _ORIGINAL_FUNC_ATTR, None)
+    if original_func is None:
+        original_func = getattr(tool, "func", None)
+    original_coroutine: Callable[..., Awaitable[Any]] | None = getattr(
+        tool, _ORIGINAL_COROUTINE_ATTR, None
+    )
+    if original_coroutine is None:
+        original_coroutine = getattr(tool, "coroutine", None)
+    if original_func is None and original_coroutine is None:
+        raise TypeError(
+            f"Cannot install policy on tool {name!r}: it is a "
+            f"{type(tool).__name__} without `func`/`coroutine` attributes. "
+            "In-place wrapping only supports StructuredTool-style tools."
+        )
+    if original_func is not None:
+        captured_func = original_func
+        @functools.wraps(captured_func)
+        def guarded_func(*args: Any, **kwargs: Any) -> Any:
+            decision = enforcer.decide(name, kwargs)
+            if decision.allowed:
+                return captured_func(*args, **kwargs)
+            return {"ok": False, "error": decision.as_error_payload()}
+        setattr(tool, _ORIGINAL_FUNC_ATTR, captured_func)
+        tool.func = guarded_func
+    if original_coroutine is not None:
+        captured_coroutine = original_coroutine
+        @functools.wraps(captured_coroutine)
+        async def guarded_coroutine(*args: Any, **kwargs: Any) -> Any:
+            decision = enforcer.decide(name, kwargs)
+            if decision.allowed:
+                return await captured_coroutine(*args, **kwargs)
+            return {"ok": False, "error": decision.as_error_payload()}
+        setattr(tool, _ORIGINAL_COROUTINE_ATTR, captured_coroutine)
+        tool.coroutine = guarded_coroutine
+    tool.handle_tool_error = True
+    setattr(tool, _INSTALLED_ATTR, True)
+    return tool
+def install_enforcer_on_tools(
+    tools: list[BaseTool],
+    *,
+    enforcer: PolicyEnforcer,
+) -> list[BaseTool]:
+    """Install enforcement on every StructuredTool-style tool in place."""
+    for t in tools:
+        install_enforcer_on_tool(t, enforcer=enforcer)
+    return tools