Hi everyone,
I’m looking for feedback from LangGraph/LangChain users on a small Python experiment called DHMS AgentFuse.
The idea is narrow:
DHMS is an automatic fail-closed execution fuse for side-effect-capable agent tools.
A LangChain / LangGraph tool may be a simple local callable, or it may wrap something that can produce external side effects: SQL mutation, database writes, file mutation, network calls, provider/model API calls, code execution, browser actions, messaging actions, GitHub/Jira/Slack actions, and so on.
Existing HITL / interrupt patterns are useful when a human should review, approve, edit, or reject a proposed action.
DHMS explores a stricter default for known risky tool capabilities:
Fail closed automatically before protected payload execution, and produce evidence that the protected payload body did not run.
Human review could still exist later, but as an escalation or override path rather than the default safety mechanism.
I tested this against langgraph-bigtool because its API exposes a natural tool registry boundary.
The current demo wires into the real langgraph_bigtool.create_agent() API:
from langgraph_bigtool import create_agent
guarded_tool_registry = {
tool_id: dhms_guard(tool)
for tool_id, tool in original_tool_registry.items()
}
builder = create_agent(
llm,
guarded_tool_registry,
retrieve_tools_function=retrieve_tools,
)
The retrieval function is deterministic:
def retrieve_tools(query: str) -> list[str]:
return list(guarded_tool_registry.keys())
What the demo proves:
-
DHMS imports and uses the real
langgraph_bigtool.create_agentAPI. -
DHMS builds a guarded tool registry before
create_agent(). -
The guarded registry is passed into the real agent builder.
-
A safe read-only tool becomes
RELEASE_CANDIDATE. -
A SQL mutation tool fails closed as
sql_mutation. -
A model/provider API request tool fails closed as
model_api. -
Protected payload bodies are not executed.
-
The demo does not compile, invoke, or stream the graph.
-
The demo does not call providers, networks, databases, SQL, credentials, or user data.
This is not a production runtime claim. It is a deterministic pre-tool boundary experiment.
The safety claim is intentionally narrow:
Known side-effect-capable tools should fail closed before protected payload execution, with evidence that the protected payload body did not run.
My questions:
-
Is the tool registry / agent-builder boundary a useful place to guard risky tools?
-
Would you prefer this kind of guard at the registry boundary, inside a ToolNode / middleware layer, or somewhere else?
-
Is “automatic fail closed before protected payload execution” a useful safety contract for agent tools?
-
Would you use this as a complement to HITL, where obvious risky capabilities fail closed automatically and only exceptions escalate to human review?
-
What would you expect before considering this production-useful: live graph invocation demo, middleware integration, PyPI package, policy config, audit logs, or something else?
I’d appreciate critical feedback, especially from anyone building agents with large tool registries or tools that can perform external side effects.