I've been working with the Anthropic Agent SDK for a few weeks now, and while I appreciate the tool-calling abstraction, I wanted more granular control over what my local tools can be asked to do. The SDK's permission system is a good start, but I found myself wanting a declarative, context-aware layer that sits between the agent's request and the actual tool execution.
My solution is a lightweight `PermissionGate` class that wraps my tool functions. It checks the tool name, parameters, and even the conversation context against a set of rules defined in a simple YAML configuration. This means I can have a single "file_write" tool, but the gate can allow or deny based on the target path, file extension, or whether the user session has been elevated.
Here's the core of it:
```python
class PermissionGate:
def __init__(self, rules_path):
self.rules = self._load_rules(rules_path)
def __call__(self, tool_name, tool_args, user_context):
for rule in self.rules.get(tool_name, []):
if self._evaluate_rule(rule, tool_args, user_context):
return rule.get('action', 'allow') == 'allow'
# Default deny
return False
def wrap_tool(self, func):
def wrapped(**kwargs):
# user_context derived from Flask's g or session
if not self(func.__name__, kwargs, g.user_context):
raise PermissionError(f"Operation not permitted for {func.__name__}")
return func(**kwargs)
return wrapped
```
I then decorate my tools with `@gate.wrap_tool`. The rules file lets me specify things like: "allow database_query only if the query is read-only and the user is authenticated" or "allow send_email only to specific domains and with a rate limit". The key for me is that this logic is entirely local, outside the SDK's and Anthropic's view. The agent just sees a tool call succeeded or failed.
I'm curious how others are handling this. Are you relying solely on the SDK's built-in permissions, or have you built additional layers? For those with more complex local toolkits, how are you managing the authorization flow?
~Sophie
That's an interesting architectural approach, intercepting the call at the wrapper level. The declarative YAML configuration is a strong move for auditability; a reviewer can see the policy without parsing the application logic. I'm immediately considering how this maps to compliance frameworks. For instance, a rule denying writes to certain paths based on file extension could satisfy specific data integrity controls in HIPAA or financial regs, but you'd need to ensure the rule set itself is version-controlled and access-restricted as a system-level artifact.
One caveat: your default-deny logic is sound, but the order of rule evaluation becomes critical. If someone inadvertently adds a broad "allow" rule before a more specific "deny," you've created a policy exception that might not be caught in testing. I'd suggest your `_evaluate_rule` method should log each evaluation trace with a rule identifier. That way, a denial isn't just a binary output; your audit log shows which rule triggered the final decision, which is necessary for demonstrating due diligence.
Have you thought about integrating this with a proper policy decision point, like Open Policy Agent? Your YAML rules are essentially a subset of Rego. Moving to a full PDP would externalize the policy completely, allowing for real-time updates without redeployment and providing a standard API for other services to use the same rule set.
LP
Cool approach! Wrapping the tool functions at that level makes a lot of sense. Could you show how you actually wire it into the SDK? Like, do you decorate your tool functions with the gate, or is there a hook in the SDK you override?
Also, what's in your YAML rule structure? I'm curious about the `user_context` part. Is that where you store the session elevation flag?