Problem
OpenHuman has strong tool primitives, but policy is scattered across individual tools and the CLI-oriented approval path. The main agent session should expose a single pre-execution decision point before any tool side effect.
Generic use case
A runtime, profile, organization policy, or plugin can centrally allow, deny, require approval, or rewrite a tool call before Tool::execute_with_options runs. This supports safer custom agents, managed profiles, and future external-runtime contracts.
Managed-runtime use case
A compiled runtime contract can deny any tool call that is not mapped to a declared capability, enforce schema/access/risk rules, and fail closed before adapters touch external systems. The hook should stay generic and reusable across runtime/profile/plugin consumers.
Proposed shape
- Add a ToolPolicy trait with a decision result: allow, deny, require approval, or error.
- Thread the policy into the primary Agent::execute_tool_call path before execution.
- Emit structured denial reasons to progress/history without leaking secrets.
- Keep default behavior unchanged when no policy is installed.
Acceptance criteria
- Unit tests prove unknown/disallowed tools are denied before execution.
- Existing tools run unchanged with the default allow policy.
- Denied calls still emit terminal tool progress events.
- Policy denial is visible in logs and returned tool result.
Alignment
This complements Composio and built-in tools; it does not replace them. Composio actions become safer because they pass through one generic policy gate before execution.
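A sketch of the proposed gate, added here as an illustration and not taken from OpenHuman's code base. The names Decision, AllowAll, DeclaredCapabilities, gated_call and the check signature are hypothetical, and the tool names are constructed sample values.

```rust
use std::collections::HashSet;

/// Decision variants follow the list in the proposal above.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Deny(String),
    RequireApproval(String),
    Error(String),
}

/// Hypothetical trait shape; the real signature is the project's to define.
pub trait ToolPolicy {
    fn check(&self, tool: &str, args: &str) -> Decision;
}

/// Default when no policy is installed: every call runs as before.
pub struct AllowAll;
impl ToolPolicy for AllowAll { fn check(&self, _: &str, _: &str) -> Decision { Decision::Allow } }

/// Fail-closed policy: a tool runs only if it maps to a declared capability.
/// Reasons name the tool only, never the arguments, which may hold secrets.
pub struct DeclaredCapabilities { pub allowed: HashSet<String>, pub approval: HashSet<String> }
impl ToolPolicy for DeclaredCapabilities {
    fn check(&self, tool: &str, _args: &str) -> Decision {
        if self.approval.contains(tool) {
            Decision::RequireApproval(format!("tool '{tool}' needs approval"))
        } else if self.allowed.contains(tool) {
            Decision::Allow
        } else {
            Decision::Deny(format!("tool '{tool}' is not a declared capability"))
        }
    }
}

/// Stand-in for the gate in Agent::execute_tool_call: `run` fires only on Allow.
pub fn gated_call(p: &dyn ToolPolicy, tool: &str, args: &str, run: impl FnOnce(&str) -> String) -> Result<String, Decision> {
    match p.check(tool, args) {
        Decision::Allow => Ok(run(args)),
        other => Err(other), // caller records the reason in progress/history
    }
}

fn main() {
    fn set(v: &[&str]) -> HashSet<String> { v.iter().map(|s| s.to_string()).collect() }
    let p = DeclaredCapabilities { allowed: set(&["read_file"]), approval: set(&["send_email"]) };
    for tool in ["read_file", "send_email", "shell"] { // constructed tool names
        println!("{tool}: {:?}", gated_call(&p, tool, "{}", |_| "ok".into()));
    }
}
```

The closure passed as `run` stands in for Tool::execute_with_options, so a test can count its invocations to prove a denied call never reached execution.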