Contrib.social

Add ApprovalExecutableFunctionCallInterface

Open on Drupal.org →
Created on 1 July 2025, 4 days ago

Problem/Motivation

One problem we have right now is that we do not have a way to create a model for determenistic approval of dangerous operations.

So if we add for instance a tool that will delete 10 entities it will just go ahead an do that. With prompt injection attacks or other attack vectors this becomes a nightmare. That is why we haven't really added any tools that are destructive yet.

But even the content entity tools can be quite destructive at the moment - for instance "Make all content types not publish by default" could take some time to entangle, even if its not destructive.

This means that we need to have a solution where a chatbot or other agent orchestration tool can add a modal or some other means of approval before the tool is being executed.

Proposed resolution

  • Add an interface called ApprovalExecutableFunctionCallInterface that extends the ExecutableFunctionCallInterface.
  • The interface will have the methods approvalMessage, setApproval, getApproval and logMessage
  • In the plugin manager add a filter method to create these interfaces.
  • In the base class add a global variables called $approved, that controls if its approved or not. False from the start.
  • In the base class add a start of an execute method, that checks if the class is of ApprovalExecutableFunctionCallInterface and if getApproval is false, it fails with a exception that the tool can not run without approval.
  • Write a PHPStan rule that checks so that any ApprovalExecutableFunctionCallInterface tool, uses the parent::execute in its own execute.

For any orchestration tool, that means that they agent will do a loop and decide to use the tool, the orcehstration tool will get back all the decisions and see that one tool decision is of ApprovalExecutableFunctionCallInterface. It will then set the context values and run approvalMessage and show that to the end user with some confirmation.

If its approved, it will setApproval(true) and can then do the execute method. If just run the execute and the agent will be aware that the user did not approve of the message.

Note that this is just an initial idea on how to solve it, come with suggestions.

🌱 Plan
Status

Active

Version

1.2

Component

AI Core module

Created by

🇩🇪Germany marcus_johansson

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024