Description
Checked other resources
- This is a feature request, not a bug report or usage question.
- I added a clear and descriptive title that summarizes the feature request.
- I used the GitHub search to find a similar feature request and didn't find it.
- I checked the LangChain documentation and API reference to see if this feature already exists.
- This is not related to the langchain-community package.
Package (Required)
- langchain
- langchain-openai
- langchain-anthropic
- langchain-classic
- langchain-core
- langchain-cli
- langchain-model-profiles
- langchain-tests
- langchain-text-splitters
- langchain-chroma
- langchain-deepseek
- langchain-exa
- langchain-fireworks
- langchain-groq
- langchain-huggingface
- langchain-mistralai
- langchain-nomic
- langchain-ollama
- langchain-perplexity
- langchain-prompty
- langchain-qdrant
- langchain-xai
- Other / not sure / general
Feature Description
This feature request proposes adding an optional safety invariant to LangChain’s agent/tool execution model.
Currently, tool calls are validated using JSON schema (type/shape) only. This allows agents to invoke side-effecting tools (delete, write, send, mutate) with arguments that are schema-valid but hallucinated, without any requirement that those arguments originate from prior system-observed state within the session.
The requested feature is a framework-level invariant:
No tool with side effects should execute unless every argument can be traced to a value produced by a prior trusted tool output in the same session.
This is not a prompt-level or model-behavior fix. It is a deterministic execution-time control that can be enforced independently of model choice, prompting strategy, or safety tuning.
Use Case
Agent systems frequently operate in environments where tool calls have real-world side effects (data deletion, external API calls, file writes, account changes).
Without argument provenance requirements, agents can hallucinate identifiers, paths, or targets that pass schema validation but were never observed or confirmed by the system. This creates a class of safety and reliability failures that cannot be mitigated reliably through prompting alone.
A provenance-based execution guard would prevent unintended side effects by failing closed when arguments are not grounded in prior tool outputs, improving safety for production agent deployments.
Proposed Solution
At a high level, this could be implemented as an optional execution guard or safety mode at the tool invocation layer.
The guard would track values emitted by trusted tool outputs during a session and require that arguments to side-effecting tools match previously observed values (or derivations thereof).
This issue does not propose a specific implementation or API shape. The intent is to discuss whether such an invariant aligns with LangChain’s direction and, if so, what form of support would be appropriate.
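As an added illustration of the guard sketched above (example code, not from this issue or from LangChain itself), a minimal session-scoped provenance tracker in plain Python: it records every scalar seen in trusted tool outputs and fails closed when a side-effecting tool receives an argument that was never observed. The tool names, the side-effecting set and the toy tools are constructed, and matching is exact-string only, so the "derivations thereof" case is deliberately not handled.

```python
from typing import Any, Callable

class ProvenanceGuard:
    """Records scalars emitted by trusted tool outputs during one session and
    refuses side-effecting calls whose arguments were never observed."""

    def __init__(self, side_effecting: set[str]) -> None:
        self.side_effecting = side_effecting  # tool names that mutate state
        self.observed: set[str] = set()       # values seen in trusted outputs

    def record_output(self, output: Any) -> None:
        """Walk nested dicts/lists and remember each scalar leaf as a string."""
        stack = [output]
        while stack:
            item = stack.pop()
            if isinstance(item, dict):
                stack.extend(item.values())
            elif isinstance(item, (list, tuple)):
                stack.extend(item)
            elif item is not None:
                self.observed.add(str(item))

    def ungrounded_args(self, tool: str, args: dict[str, Any]) -> list[str]:
        """Names of arguments lacking provenance; an empty list means allowed."""
        if tool not in self.side_effecting:
            return []  # read-only tools are not gated
        return [k for k, v in args.items() if str(v) not in self.observed]

    def invoke(self, tool: str, fn: Callable[..., Any], args: dict[str, Any]) -> Any:
        """Fail closed before execution, then feed the output back as provenance."""
        bad = self.ungrounded_args(tool, args)
        if bad:
            raise PermissionError(f"{tool}: ungrounded argument(s) {bad}")
        result = fn(**args)
        self.record_output(result)
        return result

def list_files(directory: str) -> dict[str, list[str]]:  # constructed toy tool
    return {"files": ["report_2024.pdf", "notes.txt"]}

def delete_file(path: str) -> dict[str, str]:  # constructed side-effecting tool
    return {"deleted": path}

def simulate_session() -> tuple[dict[str, str], list[str]]:
    """A grounded delete runs; a hallucinated path is flagged before execution."""
    guard = ProvenanceGuard(side_effecting={"delete_file"})
    guard.invoke("list_files", list_files, {"directory": "/tmp/constructed"})
    ok = guard.invoke("delete_file", delete_file, {"path": "report_2024.pdf"})
    return ok, guard.ungrounded_args("delete_file", {"path": "report_2023.pdf"})
```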
Alternatives Considered
Prompt-based instructions, system messages, and output parsing were considered but rejected as insufficient.
These approaches rely on model compliance and do not provide deterministic guarantees. Schema validation alone also does not address the problem, as hallucinated values can still be schema-valid.
External guardrails implemented outside the framework are possible, but lack standardization and are difficult to reason about across agent stacks.
Additional Context
A concise specification of this invariant (STTI-001: No Side Effect Without Provenance) is available here:
https://github.com/joshuavetos/stti-001
This link is provided for reference only; no code changes are proposed in this issue.