Skip to content

[nodejs]Add ApplyGuardrailScope for security guardrail tracing#254

Merged
fpfp100 merged 1 commit into
mainfrom
users/pefan/apply-guardrail-scope
May 20, 2026
Merged

[nodejs]Add ApplyGuardrailScope for security guardrail tracing#254
fpfp100 merged 1 commit into
mainfrom
users/pefan/apply-guardrail-scope

Conversation

@fpfp100
Copy link
Copy Markdown
Contributor

@fpfp100 fpfp100 commented May 20, 2026
edited
Loading

Summary

  • Port of .NET Agent365 SDK PR x711 — 23 pay-per-call tools for your agent (free tier, MCP server included) #252 — adds ApplyGuardrailScope for tracing security guardrail evaluations
  • New contracts: GuardrailDetails, GuardrailFinding, GuardrailDecisionType, GuardrailTargetType, GuardrailRiskSeverity
  • 40+ new telemetry constants (microsoft.security.*, microsoft.guardian.*)
  • Registers apply_guardrail in the exporter operation name whitelist so spans are exported
  • addEvent() method on OpenTelemetryScope base class for recording span events

Exporter payload

The exported OTLP span for an ApplyGuardrailScope:

{
  "traceId": "00000000000000000000000000000001",
  "spanId": "0000000000000002",
  "name": "apply_guardrail Azure Content Safety llm_input",
  "kind": "INTERNAL",
  "startTimeUnixNano": 1779313949000000000,
  "endTimeUnixNano": 1779313950000000000,
  "attributes": {
    "gen_ai.operation.name": "apply_guardrail",
    "microsoft.tenant.id": "tenant-11111111-1111-1111-1111-111111111111",
    "gen_ai.agent.id": "agent-22222222-2222-2222-2222-222222222222",
    "gen_ai.agent.name": "Guardrail Agent",
    "microsoft.guardian.id": "azure-content-safety-001",
    "microsoft.guardian.name": "Azure Content Safety",
    "microsoft.guardian.provider.name": "Azure",
    "microsoft.guardian.version": "2.0.0",
    "microsoft.security.decision.type": "deny",
    "microsoft.security.target.type": "llm_input",
    "microsoft.security.target.id": "msg-12345",
    "microsoft.security.decision.reason": "Content violates hate speech policy",
    "microsoft.security.decision.code": "HATE_SPEECH_001",
    "microsoft.security.policy.id": "policy-abc",
    "microsoft.security.policy.name": "Content Safety Policy",
    "microsoft.security.policy.version": "1.2.0",
    "microsoft.security.content.input.hash": "sha256:abc123def456",
    "microsoft.security.content.modified": false,
    "microsoft.security.content.output.value": "sanitized-hash-output",
    "microsoft.security.external_event_id": "ext-event-789"
  },
  "events": [
    {
      "timeUnixNano": 1779313949000000000,
      "name": "microsoft.security.finding",
      "attributes": {
        "microsoft.security.risk.category": "hate_speech",
        "microsoft.security.risk.severity": "high",
        "microsoft.security.policy.decision.type": "deny",
        "microsoft.security.policy.id": "policy-abc",
        "microsoft.security.risk.score": 0.95
      }
    }
  ],
  "links": null,
  "status": {
    "code": "UNSET",
    "message": ""
  }
}

Test plan

  • 13 unit tests in apply-guardrail-scope.test.ts — scope creation, attributes, recordDecision, recordContentOutput, recordFinding, error recording
  • 1 exporter E2E test in agent365-exporter.test.ts — verifies guardrail spans flow through full export pipeline
  • All 1300+ existing tests pass
  • Build succeeds (CJS + ESM)
  • Line-by-line comparison with .NET PR x711 — 23 pay-per-call tools for your agent (free tier, MCP server included) #252 confirms all constants, contracts, and scope behavior match

🤖 Generated with Claude Code

@jsl517 @claude
Add ApplyGuardrailScope for security guardrail tracing
ed2c2b9 
Port of .NET Agent365 SDK PR #252. Adds a new scope for tracing
security guardrail evaluations with guardian, decision, policy,
content, and finding attributes.

- New ApplyGuardrailScope with start(), recordDecision(),
  recordContentOutput(), and recordFinding() methods
- New contracts: GuardrailDetails, GuardrailFinding,
  GuardrailDecisionType, GuardrailTargetType, GuardrailRiskSeverity
- 40+ new telemetry constants (microsoft.security.*, microsoft.guardian.*)
- addEvent() method on OpenTelemetryScope base class
- Register apply_guardrail in exporter operation name whitelist
- 13 unit tests + 1 exporter E2E test

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fpfp100 fpfp100 requested a review from a team as a code owner May 20, 2026 21:34
Copilot AI review requested due to automatic review settings May 20, 2026 21:34
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds first-class OpenTelemetry tracing support for security guardrail evaluations in @microsoft/agents-a365-observability, including a dedicated ApplyGuardrailScope, new guardrail contracts/constants, and exporter support so these spans are included in the export pipeline.

Changes:

  • Introduces ApplyGuardrailScope for creating guardrail spans and recording decisions/content output/security findings as span events.
  • Adds guardrail/security contracts and a set of microsoft.security.* / microsoft.guardian.* telemetry constants.
  • Extends export filtering to include apply_guardrail, and adds unit + exporter E2E coverage for the new span shape.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tests/observability/core/apply-guardrail-scope.test.ts New unit tests covering span naming/kind, required attributes, decision updates, content output, findings as span events, and error recording.
tests/observability/core/agent365-exporter.test.ts Adds an E2E exporter test ensuring guardrail attributes and finding events survive serialization/export.
packages/agents-a365-observability/src/tracing/scopes/OpenTelemetryScope.ts Adds a protected addEvent() helper for derived scopes to emit span events consistently.
packages/agents-a365-observability/src/tracing/scopes/ApplyGuardrailScope.ts New scope implementation for guardrail evaluation tracing, including recordDecision, recordContentOutput, and recordFinding.
packages/agents-a365-observability/src/tracing/exporter/utils.ts Whitelists apply_guardrail so guardrail spans are eligible for export.
packages/agents-a365-observability/src/tracing/contracts.ts Adds guardrail/security contracts and enums/consts used by the new scope.
packages/agents-a365-observability/src/tracing/constants.ts Adds guardrail operation name constant plus guardian/security attribute keys and finding event name/keys.
packages/agents-a365-observability/src/index.ts Exposes new contracts and ApplyGuardrailScope from the package public surface.

@fpfp100 fpfp100 changed the title Add ApplyGuardrailScope for security guardrail tracing [nodejs]Add ApplyGuardrailScope for security guardrail tracing May 20, 2026
@fpfp100 fpfp100 merged commit 0793b05 into main May 20, 2026
13 of 14 checks passed
@fpfp100 fpfp100 deleted the users/pefan/apply-guardrail-scope branch May 20, 2026 23:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@juliomenendez juliomenendez juliomenendez approved these changes

@nikhilNava nikhilNava nikhilNava approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@fpfp100 @juliomenendez @nikhilNava @jsl517