I'm evaluating the Anthropic Agent SDK's local execution model. My security assumption: the `allow_tools` list is a hard filter before any tool execution.
My observed behavior contradicts that. The SDK runtime attempts to invoke tools not in the list, causing a runtime error. This looks like a validation bug, not a misconfig.
My setup:
```python
agent = AnthropicAgent(
model="claude-3-haiku-20240307",
allow_tools=[read_file_tool] # Only one tool allowed
)
```
The agent receives a response from the model containing a request for `write_file_tool`. The SDK then tries to instantiate and call `write_file_tool`, which fails because it's not in the `tools` list passed to the model. But the attempt should have been blocked earlier.
Questions:
* Is the `allow_tools` list only for the model call, with post-call validation missing?
* Does the hosted API see a different tool list than the local runtime?
* Is there an implicit trust in the model's output that bypasses the local allow list?
This breaks the expected security boundary. The local runtime should reject unauthorized tool calls before any execution attempt.