MkaliezZ/dhms-engine

DHMS / AgentFuse

Automatic fail-closed execution fuse for side-effect-capable AI agent tools.

DHMS guards AI agent tool calls before protected payload execution. Known safe read-only tools can pass; known risky side-effect tools fail closed, with evidence that the protected payload never ran.

Current proof chain: real LangChain adapter-loop evidence plus real langgraph_bigtool.create_agent() API wiring, sentinel-verified with protected_payload_body_execution_count = 0.

AI agents increasingly call tools that can mutate SQL, files, APIs, code, or business systems. DHMS / AgentFuse focuses on the execution boundary before a tool's protected payload runs: classify risky tool capabilities, release only bounded safe candidates, and fail closed for known-dangerous or unsupported actions before protected payload execution.

Chinese overview: README.zh-CN.md

Quickstart

pip install -e .
python examples/external_integrations/langgraph_bigtool/dhms_guarded_tool_registry_demo.py

Expected final verdict:

DHMS_REAL_LANGGRAPH_BIGTOOL_API_WIRING_DEMO_PASS

If your system Python is older than 3.10, use a Python 3.11 runtime:

/usr/local/bin/python3.11 -m pip install -e .
/usr/local/bin/python3.11 examples/external_integrations/langgraph_bigtool/dhms_guarded_tool_registry_demo.py

Current External-Facing Proof

  • Current branch: agent-harness-v1.
  • Supporting proof chain: v3.4.2 frozen multi-tool selective interception result review.
  • Latest external-facing demo: v3.5.2 real langgraph_bigtool.create_agent() API wiring.
  • Demo path: examples/external_integrations/langgraph_bigtool/.
  • safe_read_only_summary_tool returns RELEASE_CANDIDATE.
  • dangerous_sql_mutation_tool fails closed with blocked category sql_mutation.
  • model_api_request_tool fails closed with blocked category model_api.
  • protected_payload_body_execution_count = 0.
  • runtime_behaviors_added = 0.
  • execution_authorized_count = 0.

v3.5.2 is the latest external-facing demo. v3.4.2 is the supporting proof-chain foundation, not a competing current-proof label.

Overview

DHMS began as memory/context/tool-state perturbation testing. The agent-harness-v1 branch is the public DHMS AgentFuse evidence line for the DHMS Execution Fuse Protocol.

What DHMS Does

DHMS / AgentFuse demonstrates a fail-closed execution fuse boundary and evidence record for side-effect-capable AI agent tools. It places a guarded tool registry before protected payload execution, classifies known risky capabilities, and keeps blocked payload bodies unexecuted.

What DHMS Does Not Claim

DHMS / AgentFuse is not claiming production runtime protection.

The v3.5.2 demo:

  • does not compile, invoke, or stream the graph
  • does not call providers, networks, databases, SQL systems, credentials, or user data
  • does not call providers or real model APIs
  • does not perform network requests
  • does not access databases
  • does not execute SQL
  • does not read credentials, environment variables, or user data
  • does not authorize protected payload execution
  • does not claim to protect live production LangGraph agents
  • does not claim LangChain or LangGraph lacks safety mechanisms
  • does not claim DHMS is a finished enterprise security product

Latest Demo

v3.5.2 demonstrates real langgraph_bigtool.create_agent() API wiring. DHMS builds a guarded tool registry before create_agent(), passes it into the real langgraph_bigtool.create_agent() boundary, and uses deterministic retrieval. The demo does not compile, invoke, or stream the graph.

Evidence Chain

The strongest frozen proof-chain foundation remains v3.4.2: a local deterministic real LangChain multi-tool selective interception boundary where one real LangChain agent has three adapter-created guarded tools. DHMS evaluates each tool call independently before protected payload execution, safe read-only returns RELEASE_CANDIDATE, sql_mutation and model_api fail closed, and all protected payload bodies remain unexecuted with sentinel/count evidence.
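The selective interception boundary described above, as an added illustration that is not DHMS code and does not use the dhms_agentfuse API: the guard classifies each tool by capability class before the protected payload could run, releases only the bounded safe read-only class as a candidate, fails closed for sql_mutation, model_api and (going one step beyond the demo) an unsupported category, and reports sentinel/count evidence. All tool names, categories and the sentinel are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Any, Callable

RELEASE_CANDIDATE = "RELEASE_CANDIDATE"
FAIL_CLOSED = "FAIL_CLOSED"
RELEASABLE = {"safe_read_only"}  # bounded allow-list; everything else fails closed
SIDE_EFFECT_SENTINEL = {"count": 0}  # incremented only if a payload body really runs

@dataclass(frozen=True)
class GuardedTool:
    name: str
    category: str
    payload: Callable[[], Any]  # the protected payload body, never called by the guard

def guard_call(tool: GuardedTool) -> dict:
    """Classify the tool's capability before its payload could run."""
    verdict = RELEASE_CANDIDATE if tool.category in RELEASABLE else FAIL_CLOSED
    return {
        "tool": tool.name,
        "verdict": verdict,
        "blocked_category": None if verdict == RELEASE_CANDIDATE else tool.category,
        "execution_authorized": False,  # a release candidate is not an authorization
    }

def build_registry() -> list:
    """Constructed stand-ins for the demo's tools; each body bumps the sentinel if run."""
    def bump():
        SIDE_EFFECT_SENTINEL["count"] += 1
    return [
        GuardedTool("safe_read_only_summary_tool", "safe_read_only", bump),
        GuardedTool("dangerous_sql_mutation_tool", "sql_mutation", bump),
        GuardedTool("model_api_request_tool", "model_api", bump),
        GuardedTool("unclassified_tool", "unknown_capability", bump),  # unsupported class
    ]

def run_boundary(registry) -> dict:
    """Evaluate each tool independently and report sentinel/count evidence."""
    before = SIDE_EFFECT_SENTINEL["count"]
    results = [guard_call(t) for t in registry]
    after = SIDE_EFFECT_SENTINEL["count"]
    counts = {}
    for r in results:
        key = ("safe_read_only_release_candidate_count" if r["verdict"] == RELEASE_CANDIDATE
               else f"{r['blocked_category']}_fail_closed_count")
        counts[key] = counts.get(key, 0) + 1
    counts["side_effect_sentinel_delta"] = after - before
    counts["execution_authorized_count"] = sum(r["execution_authorized"] for r in results)
    counts["protected_payload_body_execution_count"] = after
    return counts
```

Calling run_boundary(build_registry()) yields one release candidate, three fail-closed verdicts and a sentinel delta of 0, because the guard only ever returns a verdict and never invokes a payload.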

Frozen evidence values, by field:

  • Dependency: requirements.txt with langchain>=1.0,<2.0
  • Runtime and LangChain: /usr/local/bin/python3.11, observed LangChain 1.3.11
  • Reusable guarded adapter: dhms_agentfuse/langchain_guarded_tool_adapter.py with reusable adapter APIs
  • Real LangChain agent loop: real_create_agent_imported=true, real_langchain_agent_object_created=true, real agent loop invoked, fake/local driver used, ToolMessage and tool boundary observed
  • Scenario matrix: single_agent_boundary_count=1, registered_adapter_created_tool_count=3, independent_tool_call_count=3
  • Gate results: safe_read_only_release_candidate_count=1, sql_mutation_fail_closed_count=1, model_api_fail_closed_count=1
  • Sentinel proof: all side_effect_sentinel_before=0, side_effect_sentinel_after=0, side_effect_sentinel_delta=0; protected_payload_body_invocation_count=0
  • Execution/runtime boundary: execution_authorized_count=0, runtime_behaviors_added=0
  • Frozen marker: DHMS_REAL_LANGCHAIN_MULTI_TOOL_SELECTIVE_INTERCEPTION_VALIDATION_PASS

Reproduce The Proof

/usr/local/bin/python3.11 validation/run_dhms_langchain_multi_tool_selective_interception_validation_v0.py

Expected output summary: DHMS_REAL_LANGCHAIN_MULTI_TOOL_SELECTIVE_INTERCEPTION_VALIDATION_PASS, single_agent_boundary_count=1, registered_adapter_created_tool_count=3, same_agent_tool_registry=true, independent_tool_call_count=3, safe_read_only_release_candidate_count=1, sql_mutation_fail_closed_count=1, model_api_fail_closed_count=1, all_protected_tool_body_executed_false=true, all_side_effect_sentinel_after_zero=true, execution_authorized_count=0, runtime_behaviors_added=0, sentinel_failure_count=0, protected_payload_body_execution_count=0.

pyproject.toml makes the local dhms_agentfuse package editable-installable. requirements.txt remains the dependency model for LangChain validation dependencies. This is not a PyPI release or package release.

Feedback Wanted

Feedback is especially useful on whether the guarded tool registry boundary is easy to understand, whether the v3.5.2 non-claims are clear enough, and which side-effect-capable tool risks should be prioritized next.

Legacy v2.7 pre-execution proof command:

python3 validation/run_dhms_pre_execution_fuse_loop_proof_v0.py

Screenshot Evidence

docs/development/screenshots/v2_7_3_pre_execution_interception_proof/v2_7_3_pre_execution_interception_proof_terminal.png

The screenshot captures the v2.7.3 proof command output:

python3 validation/run_dhms_pre_execution_fuse_loop_proof_v0.py

This is not a screenshot of:

python3 cli.py gate-proposal examples/proposals/drop_table.json

The v3.0 gate-proposal CLI line is separate from the v2.7 screenshot proof.

Screenshot: v2.7.3 pre-execution interception proof (see the path above).

v3.2 Evidence Chain

Milestones (evidence, then boundary):

  • v3.2.0: Real LangChain agent loop pre-tool boundary harness. Boundary: real LangChain agent-loop pre-tool boundary; sentinel proves the executable payload did not run.
  • v3.2.1: Three-run boundary validation. Boundary: all three independent runs kept sentinel=0; the payload body did not execute.
  • v3.2.2: Result review + README sync. Boundary: assertion records frozen; public boundary synced.

Links: v3.2.0 harness doc, v3.2.0 validator, v3.2.1 validator, v3.2.1 assertion records, v3.2.2 result review.

v3.3 Evidence Chain

Milestones (evidence, then boundary):

  • v3.3.0: Reusable real LangChain guarded tool adapter boundary expansion. Boundary: adapter wraps multiple executable local payload bodies; protected payloads remain unexecuted.
  • v3.3.1: 3-scenario x 3-run guarded adapter validation. Boundary: nine real LangChain adapter-loop executions keep sentinel=0 and payload bodies unexecuted.
  • v3.3.2: Result review + README sync. Boundary: assertion records frozen; README and public boundary synced.

Links: v3.3.0 adapter module, v3.3.0 validator, v3.3.1 validator, v3.3.1 assertion records, v3.3.2 result review, v3.3.2 README sync.

v3.4 Evidence Chain

Milestones (evidence, then boundary):

  • v3.4.0: Multi-tool selective interception boundary + static spec. Boundary: one real LangChain agent boundary with three adapter-created tools.
  • v3.4.1: Single-agent three-tool validation. Boundary: same agent/tool registry; 1 release-candidate, 2 fail-closed; payload bodies unexecuted.
  • v3.4.2: Result review + README sync. Boundary: assertion records frozen; public boundary synced.

Links: v3.4.0 boundary doc, v3.4.0 static spec, v3.4.1 validator, v3.4.1 assertion records, v3.4.2 result review.

v3.5 Packaging and External API Wiring

Milestones (evidence, then boundary):

  • v3.5.0: Editable local package install. Boundary: pip install -e . works locally; requirements.txt remains the dependency model.
  • v3.5.1: DHMS guard demo based on the langgraph-bigtool tool registry pattern. Boundary: mirrors the registry shape without importing or running langgraph_bigtool; safe call returns RELEASE_CANDIDATE, dangerous calls fail closed.
  • v3.5.2: Real langgraph_bigtool.create_agent API wiring demo. Boundary: builds a guarded registry before create_agent(), uses deterministic retrieval, and does not compile/invoke/stream the agent graph.

Links: editable package metadata, v3.5.2 real API wiring doc, v3.5.2 example README, v3.5.2 demo.

Public Boundary

DHMS v3.5.2 shows real langgraph_bigtool.create_agent() API wiring with a guarded tool registry. The frozen v3.4.2 proof remains the strongest multi-tool selective interception evidence. Neither is a production safety claim.

Current public boundaries:

  • No production readiness or real-world agent/database protection is claimed.
  • No arbitrary production LangChain agent protection, arbitrary real-world agent protection, tool execution, model-provider call, execution authorization, or runtime behavior is claimed or added.
  • No SQLDatabaseToolkit, SQL Agent, database, model-provider, KerniQ, E2B, MCP, external-runtime, or production-runtime integration is included yet.
  • No v2.7 CLI gate-proposal support is claimed; python3 cli.py gate-proposal examples/proposals/drop_table.json is explicitly not part of the v2.7 proof.
  • The current proof remains bounded to a local deterministic real LangChain agent loop, fake/local model driver, reusable guarded adapter boundary, one agent with three adapter-created tools, RELEASE_CANDIDATE for safe read-only proposals, FAIL_CLOSED for sql_mutation and model_api, execution authorization false, sentinel/count proof, and zero runtime behavior added.
  • The next direction is packaging, integration example, public posting, and external feedback, not another internal proof expansion.

For the detailed non-claims and freeze boundary, see:

Historical Evidence Lines

Quickstart For Older Evidence

python3 cli.py demo-sql-fuse
python3 cli.py demo-file-fuse
python3 cli.py demo-http-fuse
python3 validation/run_dhms_mock_agent_interception_benchmark_v0.py
python3 cli.py bench-mock-agent-interception
python3 validation/run_dhms_controlled_mock_agent_runtime_interception_proof.py
python3 cli.py proof-mock-agent-interception
python3 validation/run_dhms_local_command_proposal_benchmark_v0.py
python3 validation/run_dhms_controlled_mock_agent_local_command_interception_proof.py
python3 validation/run_dhms_runtime_adapter_proposal_benchmark_v0.py
python3 validation/run_dhms_controlled_mock_agent_runtime_adapter_boundary_proof.py

Fresh-clone reproduction is documented in DHMS Fresh Clone Reproduction Check v1.0.1.

Architecture Note

main keeps the Product Diagnosis v1.3 public checkpoint for perturbation-based LLM memory/context stability testing. The agent-harness-v1 branch layers Agent Harness preview work on top of DHMS without changing protected DHMS theory, metrics, binding, or engine semantics.

License

Licensed under the Apache License, Version 2.0. See LICENSE.

Copyright 2026 Huaxinsheng Zhong.

Trademark Notice

DHMS, DHMS Engine, DHMS AgentFuse, and DHMS Agent Harness are project names and marks of Huaxinsheng Zhong.

Use of these names is permitted for accurate reference to this project, but does not imply endorsement, sponsorship, or affiliation unless explicitly authorized.

The Apache-2.0 license applies to the source code and documentation in this repository. It does not grant trademark rights.

About

DHMS: Automatic fail-closed execution fuse for side-effect-capable AI agent tools - built from memory/context/tool-state perturbation testing toward runtime execution control.
