Tool Registry and Dispatch Pipeline
The tool_registry serves as the central authority for available tools, mapping them to their required capabilities and sensitive-tool classifications crates/palyra-common/src/tool_catalog.rs#1-6. When an agent proposes a tool call, it enters a multi-stage dispatch pipeline:
- Validation & Normalization: The proposal is validated against the ModelVisibleToolCatalogSnapshot and arguments are normalized crates/palyra-daemon/src/application/run_stream/tool_flow.rs#46-54.
- Security Evaluation: The system evaluates the call against the Cedar policy engine, checking for required capabilities like ProcessExec or Network crates/palyra-daemon/src/tool_protocol.rs#4-11.
- Approval Gating: If the tool is marked as sensitive or the policy requires it, an interactive approval request is sent to the operator crates/palyra-daemon/src/application/run_stream/tool_flow.rs#3-10.
- Runtime Dispatch: Once approved, the call is routed to the appropriate executor (e.g., Sandbox, Browser, or Wasm) crates/palyra-daemon/src/application/run_stream/tool_flow.rs#64-71.
Tool Execution Flow Diagram
This diagram maps the logical flow of a tool proposal to the code entities responsible for each stage. Sources: crates/palyra-daemon/src/application/run_stream/tool_flow.rs#1-11, crates/palyra-daemon/src/tool_protocol.rs#1-15, crates/palyra-daemon/src/application/run_stream/tool_flow.rs#40-54
Security Posture and Attestation
Palyra implements a tamper-evident audit trail for all tool executions. Every outcome—whether a success, a policy denial, or a timeout—is bundled with a ToolAttestation crates/palyra-daemon/src/tool_protocol.rs#89-97. This attestation includes a SHA-256 hash that binds the proposal ID, input, output, and the specific executor metadata together crates/palyra-daemon/src/tool_protocol.rs#83-88.
The system also supports “Tool Posture” overrides, allowing operators to set tools to AlwaysAllow, AskEachTime, or Disabled at various scopes (Global, Workspace, Agent, or Session) crates/palyra-daemon/src/tool_posture.rs#91-98.
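The dispatch stages and posture overrides described above can be combined into one gate function. The sketch below is an added example, not Palyra's own code: it assumes the most specific scope wins, that a posture override can never undo a quota or policy denial, and it uses a plain capability list as a stand-in for the Cedar decision. The `sensitive` flags and the tool name `example.process.run` are hypothetical; the two byte limits are the values listed in this page's constants table.

```rust
// Added illustration, not Palyra source. Precedence and stage order are assumptions.
const MAX_PROCESS_RUNNER_TOOL_INPUT_BYTES: usize = 128 * 1024; // value from this page
const MAX_HTTP_FETCH_TOOL_INPUT_BYTES: usize = 64 * 1024; // value from this page

#[derive(Clone, Copy, Debug, PartialEq)]
enum Posture { AlwaysAllow, AskEachTime, Disabled }

// Declared least to most specific, so the derived Ord ranks Session highest (assumed).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Scope { Global, Workspace, Agent, Session }
#[derive(Clone, Copy, Debug, PartialEq)]
enum Capability { ProcessExec, Network }

#[derive(Debug, PartialEq)]
enum Decision { Deny(&'static str), NeedsApproval, Dispatch }
struct Tool { name: &'static str, needs: Capability, sensitive: bool, max_input: usize }
type Override<'a> = (Scope, &'a str, Posture); // (scope, tool name, posture)

// The override from the most specific scope wins; None means no override is set.
fn effective_posture(overrides: &[Override<'_>], tool: &str) -> Option<Posture> {
    overrides.iter()
        .filter(|(_, name, _)| *name == tool)
        .max_by_key(|(scope, _, _)| *scope)
        .map(|(_, _, posture)| *posture)
}

fn gate(tool: &Tool, input: &[u8], granted: &[Capability], overrides: &[Override<'_>]) -> Decision {
    // 1. Validation: reject oversized input before any policy work is done.
    if input.len() > tool.max_input { return Decision::Deny("input exceeds quota"); }
    // 2. Security evaluation: a capability list stands in for the Cedar decision.
    if !granted.contains(&tool.needs) { return Decision::Deny("missing capability"); }
    // 3. Posture and approval gating: posture can loosen approval, never a policy denial.
    match effective_posture(overrides, tool.name) {
        Some(Posture::Disabled) => Decision::Deny("tool disabled"),
        Some(Posture::AskEachTime) => Decision::NeedsApproval,
        Some(Posture::AlwaysAllow) => Decision::Dispatch,
        None if tool.sensitive => Decision::NeedsApproval,
        None => Decision::Dispatch,
    }
}

fn main() {
    // Constructed sample: a global allow narrowed by a session-level disable.
    let fetch = Tool { name: "palyra.http.fetch", needs: Capability::Network,
        sensitive: false, max_input: MAX_HTTP_FETCH_TOOL_INPUT_BYTES };
    let overrides = [(Scope::Global, "palyra.http.fetch", Posture::AlwaysAllow),
        (Scope::Session, "palyra.http.fetch", Posture::Disabled)];
    println!("{:?}", gate(&fetch, b"{}", &[Capability::Network], &overrides));
}
```

Checking quota and policy before posture keeps an AlwaysAllow override from turning a denial into a dispatch; it only removes the approval prompt for calls that were already permitted.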
Security and Posture Entities
Sources: crates/palyra-daemon/src/tool_protocol.rs#73-107, crates/palyra-daemon/src/tool_posture.rs#1-11
Tool Executors
Palyra utilizes several specialized executors to provide a secure and functional environment for agents.
Sandbox Process Runner
Executes arbitrary shell commands and binaries. It supports multiple isolation tiers, including direct execution with rlimits (Tier B) and containerized/sandboxed execution via Docker or Bubblewrap (Tier C).
For details, see Sandbox Process Runner.
Filesystem Tools: Workspace and OS File Access
Provides structured access to the filesystem. The palyra.fs tool family includes scoped workspace operations like directory listing, file reading, and atomic patching using the Palyra Patch Document format.
For details, see Filesystem Tools: Workspace and OS File Access.
Browser Automation (palyra-browserd)
Manages a separate palyra-browserd service for Chromium-based web automation. It handles session management, SSRF protection, and provides tools for navigation, screenshots, and DOM interaction.
For details, see Browser Automation (palyra-browserd).
Skills and Wasm Plugin System
A plugin architecture using WebAssembly (wasmtime). It allows for extensible “Skills” that run in a highly constrained environment with strictly defined fuel and memory limits.
For details, see Skills and Wasm Plugin System.
Additional Tool Executors
Covers utility tools such as palyra.http.fetch (with egress proxying), memory management tools, and system routine controls.
For details, see Additional Tool Executors.
Tool Protocol Constants
The system enforces strict quotas and budgets on tool inputs and execution latency to prevent resource exhaustion.

| Constant | Value | Description |
|---|---|---|
| TOOL_EXECUTION_LATENCY_BUDGET_MS | 200 ms | Budget for tool dispatch overhead crates/palyra-daemon/src/gateway.rs#132-132 |
| MAX_PROCESS_RUNNER_TOOL_INPUT_BYTES | 128 KB | Maximum size for process execution arguments crates/palyra-daemon/src/tool_protocol.rs#177-177 |
| MAX_HTTP_FETCH_TOOL_INPUT_BYTES | 64 KB | Maximum size for HTTP request parameters crates/palyra-daemon/src/tool_protocol.rs#176-176 |
| TOOL_MAX_SLEEP_MS | 30,000 ms | Maximum duration for the palyra.sleep tool crates/palyra-daemon/src/tool_protocol.rs#160-160 |