Expand description
Post-invocation hook pipeline – inspects tool results before they reach the agent.
This module provides a pipeline of post-invocation hooks that run after a tool has produced a response. Each hook can:
- Allow the response to pass through unmodified
- Block the response entirely (replacing it with an error)
- Redact parts of the response before delivery
- Escalate the response for operator review
Hooks run in registration order. A Block from any hook stops the pipeline.
The ready-made SanitizerHook wraps the full OutputSanitizer and
automatically redacts secrets, PII, and high-entropy tokens from tool
results while preserving JSON structure. Sanitization evidence is emitted
alongside the pipeline verdict so the kernel can embed it in the receipt’s
GuardEvidence.
Structs§
- Pipeline
Outcome - Outcome of running the pipeline.
- Post
Invocation Context - Context available to post-invocation hooks after a tool has executed.
- Post
Invocation Pipeline - Pipeline of post-invocation hooks evaluated in registration order.
- Sanitizer
Hook - Post-invocation hook that runs the
OutputSanitizerover tool results.
Enums§
- Post
Invocation Verdict - Verdict from a post-invocation hook.
Traits§
- Post
Invocation Hook - A hook that inspects tool responses after invocation.
Functions§
- sanitize_
json - Run the sanitizer over a JSON value and return the sanitized value plus a
SanitizationResultaggregating all findings/redactions. Useful for tests and for callers that want the raw details without wiring a full pipeline.