Add generated tool provenance and admission checks #2542

@vaddisrinivas

Summary

Add provenance metadata and admission validation for generated capability tools before they enter the OpenHuman tool registry.

Background

Generated tools are now supported as wrappers, but OpenHuman needs a generic admission layer that can reject malformed or unsafe generated tools before the model can see or call them.

Acceptance criteria

  • Generated tools can carry provider id, capability id, source digest, risk level, and policy surface metadata.
  • Admission validation rejects missing or invalid provenance when enforcement is enabled.
  • Admission validation rejects unsafe tool names, duplicate names, invalid schemas, missing risk metadata for write/external capabilities, and disabled/untrusted providers.
  • Diagnostics report whether a generated tool was admitted or rejected and why.
  • Existing generated tools without provenance continue to work when admission enforcement is disabled.
  • Add focused Rust tests for allowed tools, rejected tools, duplicate names, provider trust failures, and diagnostics output.

Non-goals

  • Do not add any runtime-specific bundle format.
  • Do not execute external code.
  • Do not add frontend install/import flows.
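
An added example, not OpenHuman's code: one way to order the name, duplicate, provenance, provider-trust and risk checks from the acceptance criteria in Rust, returning the rejection reason for diagnostics. All type and field names, the tool-name rule and the `sha256:` digest format are assumptions, as is skipping only the provenance-based checks when enforcement is disabled.

```rust
use std::collections::HashSet;

// Hypothetical types: the issue does not show OpenHuman's real structs or field names.
#[derive(Clone, Copy, PartialEq)]
pub enum Surface { Read, Write, External }
pub struct Provenance {
    pub provider_id: String,
    pub capability_id: String,
    pub source_digest: String, // assumed format: "sha256:" followed by 64 hex characters
    pub risk_level: Option<u8>,
    pub surface: Surface,
}
pub struct GeneratedTool { pub name: String, pub provenance: Option<Provenance> }
pub struct Admission { pub enforce: bool, pub trusted: HashSet<String>, pub admitted: HashSet<String> }

impl Admission {
    /// Ok(()) admits the tool; Err carries the rejection reason for diagnostics.
    pub fn admit(&mut self, tool: &GeneratedTool) -> Result<(), String> {
        let n = &tool.name;
        let safe = !n.is_empty() && n.len() <= 64
            && n.starts_with(|c: char| c.is_ascii_lowercase())
            && n.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_');
        if !safe { return Err(format!("unsafe tool name {n:?}")); }
        if self.admitted.contains(n) { return Err(format!("duplicate tool name {n:?}")); }
        match &tool.provenance {
            _ if !self.enforce => {} // enforcement off: legacy tools keep working
            None => return Err("missing provenance".into()),
            Some(p) => {
                let hex = p.source_digest.strip_prefix("sha256:").unwrap_or("");
                let digest_ok = hex.len() == 64 && hex.chars().all(|c| c.is_ascii_hexdigit());
                if !digest_ok || p.capability_id.is_empty() {
                    return Err("invalid provenance".into());
                }
                if !self.trusted.contains(&p.provider_id) {
                    return Err(format!("untrusted provider {:?}", p.provider_id));
                }
                if p.surface != Surface::Read && p.risk_level.is_none() {
                    return Err("missing risk level for write/external capability".into());
                }
            }
        }
        self.admitted.insert(n.clone());
        Ok(())
    }
}

fn main() {
    let mut a = Admission { enforce: true, trusted: HashSet::new(), admitted: HashSet::new() };
    let t = GeneratedTool { name: "Bad Name".into(), provenance: None }; // constructed sample
    println!("{:?}", a.admit(&t));
}
```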

    Projects

    Status
    Done
