smolagents has excellent sandboxing (E2B, Modal, Docker, local Python), but MultiStepAgent.step() dispatches tool calls with no authorization layer. Sandboxing prevents system compromise, but doesn't answer: "was this agent authorized to call this tool?"
The Open Agent Protocol (OAP) defines a before_tool_call standard (DOI: 10.5281/zenodo.18901596) that fits naturally into smolagents' tool dispatch: a GuardrailProvider protocol checked before every tool call, with a built-in AllowlistProvider for simple cases and the protocol open for custom implementations.
Would you be open to a PR that adds a guardrail parameter to MultiStepAgent: a GuardrailProvider evaluated in step() before tool(**args) executes? Denied calls would return a structured error observation rather than raising, so the agent can adapt without crashing.
Reference implementation: bytedance/deer-flow#1240
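A sketch of the before_tool_call hook the issue proposes, added here as an illustration; it is not code from the issue, from smolagents, from OAP or from the deer-flow reference implementation. The names GuardrailProvider, GuardrailDecision, AllowlistProvider, ArgumentPolicyProvider, ChainProvider and dispatch_tool are assumed for this example. It goes one step beyond the issue text by also showing an argument-level provider, since an allowlisted tool can still be misused through its arguments, and by composing providers with first-denial-wins semantics. Tools are plain callables over a constructed in-memory file system so the example runs without smolagents installed.

```python
"""Hypothetical before_tool_call guardrail layer in front of tool dispatch.

All class and function names here are assumptions for this example, not
smolagents or OAP APIs. FAKE_FS and the two tools are constructed stand-ins.
"""
import posixpath
from dataclasses import dataclass
from typing import Any, Callable, Protocol


@dataclass(frozen=True)
class GuardrailDecision:
    """Verdict of one before_tool_call check."""
    allowed: bool
    reason: str = ""
    provider: str = ""


class GuardrailProvider(Protocol):
    """Anything with this method can be plugged in as the guardrail."""

    def before_tool_call(self, tool_name: str, arguments: dict[str, Any]) -> GuardrailDecision: ...


class AllowlistProvider:
    """Simple case: only tools named in the allowlist may be called at all."""

    def __init__(self, allowed_tools: set[str]) -> None:
        self.allowed_tools = frozenset(allowed_tools)

    def before_tool_call(self, tool_name: str, arguments: dict[str, Any]) -> GuardrailDecision:
        if tool_name in self.allowed_tools:
            return GuardrailDecision(True, provider="allowlist")
        return GuardrailDecision(False, f"tool {tool_name!r} is not allowlisted", "allowlist")


class ArgumentPolicyProvider:
    """Custom provider: confine one path argument of one tool to a directory.
    The path is normalised first so '..' traversal cannot escape the prefix."""

    def __init__(self, tool_name: str, path_arg: str, root: str) -> None:
        self.tool_name, self.path_arg = tool_name, path_arg
        self.root = root.rstrip("/") + "/"

    def before_tool_call(self, tool_name: str, arguments: dict[str, Any]) -> GuardrailDecision:
        if tool_name != self.tool_name:
            return GuardrailDecision(True, provider="argpolicy")  # not this provider's concern
        path = posixpath.normpath(str(arguments.get(self.path_arg, "")))
        if path.startswith(self.root):
            return GuardrailDecision(True, provider="argpolicy")
        return GuardrailDecision(False, f"{self.path_arg}={path!r} escapes {self.root!r}", "argpolicy")


class ChainProvider:
    """Compose providers: the first denial wins, otherwise the call is allowed."""

    def __init__(self, *providers: GuardrailProvider) -> None:
        self.providers = providers

    def before_tool_call(self, tool_name: str, arguments: dict[str, Any]) -> GuardrailDecision:
        for provider in self.providers:
            decision = provider.before_tool_call(tool_name, arguments)
            if not decision.allowed:
                return decision
        return GuardrailDecision(True, provider="chain")


# Constructed in-memory "file system" and two stand-in tools.
FAKE_FS = {"/workspace/notes.txt": "meeting at 10", "/etc/passwd": "root:x:0:0"}


def read_file(path: str) -> str:
    return FAKE_FS.get(posixpath.normpath(path), "")


def run_shell(cmd: str) -> str:
    return f"(would run) {cmd}"


TOOLS: dict[str, Callable[..., Any]] = {"read_file": read_file, "run_shell": run_shell}


def dispatch_tool(guardrail: GuardrailProvider, tools: dict[str, Callable[..., Any]],
                  tool_name: str, arguments: dict[str, Any]) -> dict[str, Any]:
    """The step() hook: consult the guardrail, then call tool(**args).
    A denial becomes a structured observation the agent can read and adapt
    to, rather than an exception that ends the run."""
    decision = guardrail.before_tool_call(tool_name, arguments)
    if not decision.allowed:
        return {"status": "denied", "tool": tool_name, "provider": decision.provider, "reason": decision.reason}
    if tool_name not in tools:
        return {"status": "error", "tool": tool_name, "reason": "unknown tool"}
    return {"status": "ok", "tool": tool_name, "result": tools[tool_name](**arguments)}


def build_guardrail() -> GuardrailProvider:
    """Allow only read_file, and only under /workspace."""
    return ChainProvider(AllowlistProvider({"read_file"}),
                         ArgumentPolicyProvider("read_file", "path", "/workspace"))


if __name__ == "__main__":
    guard = build_guardrail()
    for name, args in [("read_file", {"path": "/workspace/notes.txt"}),
                       ("run_shell", {"cmd": "id"}),
                       ("read_file", {"path": "/workspace/../etc/passwd"})]:
        print(dispatch_tool(guard, TOOLS, name, args))
```

The third call in the demo is the case an allowlist alone misses: read_file is permitted, but the traversal path is normalised to /etc/passwd and refused by the argument policy, and the agent receives a denied observation naming the provider and reason instead of a stack trace.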