Guardrailed Agent Tool Execution
A guardrail proxy in front of MCP and HTTP tool surfaces — per-tool policy, argument validation, redaction, and a tamper-evident audit log per session.
Problem statement
An internal LLM agent had broad tool access — no scoping, no policy gate, and no audit on tool arguments.
Why it matters
The trust boundary for a tool-calling agent is the tool call itself. Putting a deterministic proxy there turns an unbounded risk into a small, verifiable question per call.
Threat model
- Scope escalation through legitimate tools.
- Exfiltration via tool arguments.
- Confused-deputy abuse of the agent identity.
- Unreconstructable sessions after a failure.
Architecture
Policy, validation, and redaction run before any call leaves the proxy; every call is hash-chained into the audit log.
Key features
- Per-tool policy evaluated before the network call.
- JSON-schema argument validation.
- Field-level redaction on arguments and outputs.
- Approval modes (auto / review / blocked).
- Tamper-evident, replayable audit per session.
Guardrails & controls
Test scenarios
- Scope-escalation attempts on legitimate tools.
- Exfil via argument fields.
- Confused-deputy invocation.
- Audit-chain tamper detection.
Example workflow
Intercept call
The agent's tool call is captured by the proxy.
Evaluate policy
Policy and argument schema are checked before any network call.
Gate or execute
Consequential tools require approval; others execute under redaction.
Chain audit
The call, arguments, and decision are hash-chained into the session log.
Tech stack
- Language
- Python 3.12
- Policy
- Rego-style rules
- Interfaces
- MCP · HTTP tools
- Audit
- Append-only, hash-chained
- Eval
- Red-team session suite
Screenshots
Visual placeholders. Replace with real screenshots and a demo video.
Lessons learned
- Schemas block most bad calls before policy is even consulted.
- Redaction belongs at the boundary, not in the model.
- Replay is what makes the audit trustworthy.
Future roadmap
- Multi-agent delegation graph.
- Signed audit exports.
- SOAR SDK shims for agent calls.
Want this pattern in your stack?
This guardrail proxy sits in front of an agent's tool surface and is open work — get in touch if you're building something similar or want to compare notes.