feat(langchain, core): add provenance-based execution guard for side-effecting tools #35299

Draft
NITIN Madan (Nitin75408) wants to merge 1 commit into langchain-ai:master from Nitin75408:fixes/34469

@Nitin75408
Contributor

Description:

Fixes #34469

Adds an optional, deterministic provenance guard that prevents side-effecting tools from executing with hallucinated arguments. The invariant: no tool with `side_effects=True` should execute unless every argument can be traced to a value from a prior trusted tool output or user input in the same session.

Changes:

- Add `side_effects: bool = False` field to `BaseTool` in langchain-core for first-class side-effect classification
- Expose `side_effects` parameter on the `tool` decorator across all overload signatures
- Implement `ProvenanceMiddleware` using the `wrap_tool_call` hook — scans message history for trusted text (successful `ToolMessage` outputs + `HumanMessage` inputs), blocks execution if any argument value can't be found via substring match, returns error `ToolMessage` without executing
- Export `ProvenanceMiddleware` from `langchain.agents.middleware`

Design decisions worth reviewing:

- Provenance is stateless — rebuilt from message history each call, no custom state schema needed
- Enforcement uses substring matching (`str(value) in combined_trusted_text`) — simple, deterministic, no heuristics
- Trivial values (booleans, `None`, strings shorter than `min_value_length`) are skipped
- Fully opt-in: `side_effects` defaults to `False`, middleware must be explicitly added. Zero behavior change for existing users
- `include_user_inputs` (default `True`) and `min_value_length` (default 3) are configurable

Verification:

- `make format`, `make lint`, `make test` pass for both `libs/core` (1650 passed) and `libs/langchain_v1` (793 passed)
- 4 new tests in `libs/core` for `side_effects` on the `tool` decorator
- 13 new tests in `libs/langchain_v1` covering: blocked execution without provenance, allowed execution with provenance, non-side-effecting tools unaffected, backward compat without middleware, user input as provenance (enabled/disabled), trivial value skipping, partial provenance blocking, full read-then-write flow, async variants

@github-actions github-actions bot added the labels core (`langchain-core` package issues & PRs), langchain (`langchain` package issues & PRs), external, and feature (For PRs that implement a new feature; NOT A FEATURE REQUEST) on Feb 18, 2026
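
A minimal sketch of the substring-based provenance check the description outlines, added here as an illustration and not taken from the PR's code. `Msg`, `trusted_text`, `unproven_args` and the sample history are hypothetical names and constructed data, and checking only top-level argument values is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    """Hypothetical stand-in for a chat message; not a LangChain class."""
    role: str          # "human", "ai" or "tool"
    content: str
    ok: bool = True    # for tool messages: did the call succeed?

def trusted_text(history, include_user_inputs=True):
    """Concatenate the text treated as trusted: successful tool outputs and user inputs."""
    parts = []
    for m in history:
        if m.role == "tool" and m.ok:
            parts.append(m.content)
        elif m.role == "human" and include_user_inputs:
            parts.append(m.content)
    return "\n".join(parts)

def unproven_args(args, history, include_user_inputs=True, min_value_length=3):
    """Return the names of arguments whose value cannot be found in trusted text."""
    corpus = trusted_text(history, include_user_inputs)
    missing = []
    for name, value in args.items():
        if value is None or isinstance(value, bool):
            continue  # trivial value, skipped
        if isinstance(value, str) and len(value) < min_value_length:
            continue  # string shorter than min_value_length, skipped
        if str(value) not in corpus:
            missing.append(name)  # a guard would block the side-effecting call
    return missing

# Constructed sample session: user request, model text, one good and one failed tool call.
HISTORY = [
    Msg("human", "Refund order A-1042, reason: damaged item"),
    Msg("ai", "Customer email is bob@example.com"),
    Msg("tool", '{"order_id": "A-1042", "amount": 4999, "currency": "USD"}'),
    Msg("tool", "lookup failed for cust_77", ok=False),
]

if __name__ == "__main__":
    print(unproven_args({"order_id": "A-1042", "amount": 4999}, HISTORY))
    print(unproven_args({"order_id": "A-1042", "email": "bob@example.com"}, HISTORY))
    print(unproven_args({"amount": 499}, HISTORY))
```

Because the test is a plain substring match, `amount=499` is accepted against the trusted output containing `4999`, so the check is coarse for short numeric values.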

Development

Successfully merging this pull request may close these issues.

STTI-001: Proposal for “No Side Effect Without Provenance” invariant
