
agentix.guards.permissions

permissions

Dynamic permission guards.

CallbackGuard is agentix's can_use_tool: a per-call callback that decides allow / deny / ask based on whatever you like — the tool, its args, the user's role, external state, a rate limiter. ToolAllowlistGuard is the declarative "this agent may only use these tools" case.

Both are ordinary guards, so they compose with the rest of the pipeline (tiers, PII, injection). The pipeline is AND-ed: the most restrictive guard wins (first deny stops; any confirm asks).

CallbackGuard

CallbackGuard(check: PermissionCheck)

Bases: Guard

Decide each tool call with a user-supplied callback (can_use_tool).

The callback receives the ToolCall and GuardContext and returns a Decision (Decision.allow() / .deny(reason) / .confirm(reason)) or a plain bool. The callback may be sync or async:

async def can_use(call, ctx):
    if call.name == "refund" and call.args["amount"] > 1000:
        return Decision.deny("refunds over $1000 need a manager")
    return Decision.allow()

Agent(..., guards=[CallbackGuard(can_use)], confirm_fn=...)

ToolAllowlistGuard

ToolAllowlistGuard(allowed: Iterable[str])

Bases: Guard

Allow only the named tools; deny any other tool call.

Useful to scope a run to a subset of registered tools (or to cleanly reject a tool the model hallucinated).
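
An added example, not agentix's own code: a stand-in model of the AND-ed pipeline described above, combining an allowlist check with a refund callback that fails closed when the amount is missing or malformed. `ToolCall` and `Decision` here are minimal stand-ins, and `allowlist`, `evaluate`, `decide` and the $100 confirm threshold are assumptions made for illustration.

```python
import asyncio
import inspect
from dataclasses import dataclass, field

# Stand-ins modelled on the page's description; not agentix's classes.
@dataclass
class ToolCall:
    name: str
    args: dict = field(default_factory=dict)

@dataclass
class Decision:
    action: str  # "allow" | "deny" | "confirm"
    reason: str = ""

def allowlist(allowed):
    allowed = frozenset(allowed)
    return lambda call, ctx: call.name in allowed  # plain bool result

async def can_use(call, ctx):
    if call.name != "refund":
        return Decision("allow")
    amount = call.args.get("amount")
    # Fail closed: model-supplied args may be absent, mistyped, NaN or negative.
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or not amount > 0:
        return Decision("deny", "refund amount missing or invalid")
    if amount > 1000:
        return Decision("deny", "refunds over $1000 need a manager")
    if amount > 100:  # constructed threshold for the "ask" case
        return Decision("confirm", "refund over $100")
    return Decision("allow")

async def evaluate(checks, call, ctx=None):
    pending = None
    for check in checks:
        result = check(call, ctx)
        if inspect.isawaitable(result):  # callbacks may be sync or async
            result = await result
        if isinstance(result, bool):
            result = Decision("allow" if result else "deny", "bool result")
        if result.action == "deny":
            return result  # first deny stops the pipeline
        if result.action == "confirm" and pending is None:
            pending = result  # remember the ask, keep checking for a deny
    return pending or Decision("allow")

def decide(name, args, checks=None):
    checks = checks or [allowlist({"refund", "lookup_order"}), can_use]
    return asyncio.run(evaluate(checks, ToolCall(name, args))).action
```

Passing the checks in a different order to `decide` shows that a later deny still overrides an earlier confirm.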