This page covers the specialized tool executors within the Palyra daemon that handle networked operations, long-running programs, delegation, and workspace observability. These executors complement the core process and filesystem tools by providing higher-level abstractions for complex agent tasks.

HTTP Fetch Tool (palyra.http.fetch)

The palyra.http.fetch tool provides policy-gated outbound HTTP access. It is designed to prevent SSRF (Server-Side Request Forgery) and DNS rebinding attacks by integrating directly with the palyra-egress-proxy crate (crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#1-9).

Security and Data Flow

  1. Policy Evaluation: Every request and every subsequent redirect is re-evaluated by the EgressProxyPolicyService (crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#3-9).
  2. Connection Pinning: Resolved IP addresses are pinned into the HTTP client to prevent DNS rebinding between the time of check and the time of connect (crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#6-8).
  3. Credential Injection: The tool can inject secrets from the Palyra Vault into headers, ensuring agents never handle raw API keys (crates/palyra-egress-proxy/src/lib.rs#3-6).
  4. Content Processing: HTML responses are stripped of non-visible tags (e.g., <script>, <style>) and passed through a safety redaction scan before being returned to the agent (crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#11-13).
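
The connection pinning in step 2, as an added example that is not taken from the Palyra code base: it contrasts a check that resolves the hostname twice with one that resolves once and returns the vetted address to connect to. The function names, the address rule, the hostname and the addresses are assumptions constructed for illustration; under step 1, the hardened function would be called again for every redirect hop.

```rust
use std::cell::Cell;
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

// Hypothetical egress rule (an assumption, not Palyra's policy): public addresses only.
fn is_public(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => !(a.is_loopback() || a.is_private() || a.is_link_local()
            || a.is_unspecified() || a.is_broadcast()),
        // ::ffff:a.b.c.d is judged as the IPv4 address it wraps.
        IpAddr::V6(a) => match a.to_ipv4_mapped() {
            Some(v4) => is_public(&IpAddr::V4(v4)),
            None => !(a.is_loopback() || a.is_unspecified()
                || (a.segments()[0] & 0xfe00) == 0xfc00   // unique local, fc00::/7
                || (a.segments()[0] & 0xffc0) == 0xfe80), // link-local, fe80::/10
        },
    }
}

type Resolver<'a> = &'a dyn Fn(&str) -> Vec<IpAddr>;

// Hardened: resolve once, vet every answer, return the exact address to dial.
fn vet_and_pin(host: &str, port: u16, resolve: Resolver<'_>) -> Result<SocketAddr, String> {
    let addrs = resolve(host);
    if let Some(bad) = addrs.iter().find(|ip| !is_public(ip)) {
        return Err(format!("{host} resolves to blocked address {bad}"));
    }
    addrs.first().map(|ip| SocketAddr::new(*ip, port)).ok_or(format!("{host} has no addresses"))
}

// Weak: the check and the connect each resolve, so the answer can change in between.
fn check_then_connect(host: &str, port: u16, resolve: Resolver<'_>) -> Result<SocketAddr, String> {
    if !resolve(host).iter().all(|ip| is_public(ip)) { return Err("blocked".into()); }
    let dialed = resolve(host); // stands in for the HTTP client's own lookup
    dialed.first().map(|ip| SocketAddr::new(*ip, port)).ok_or_else(|| "no addresses".into())
}

// Constructed rebinding resolver: the first answer is public, later answers are loopback.
fn flipping_resolver() -> impl Fn(&str) -> Vec<IpAddr> {
    let calls = Cell::new(0u32);
    move |_host: &str| {
        calls.set(calls.get() + 1);
        let ip = if calls.get() == 1 { Ipv4Addr::new(203, 0, 113, 10) } else { Ipv4Addr::LOCALHOST };
        vec![IpAddr::V4(ip)]
    }
}

fn main() {
    println!("pinned: {:?}", vet_and_pin("rebind.example", 443, &flipping_resolver()));
    println!("naive:  {:?}", check_then_connect("rebind.example", 443, &flipping_resolver()));
}
```

The client must connect to the returned SocketAddr itself rather than to the hostname, otherwise its own lookup reopens the gap shown by check_then_connect.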

HTTP Fetch Architecture

The diagram below illustrates how a fetch request is gated by the egress proxy before hitting the network.

Diagram: Egress Gated Fetch Flow

Sources: crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#57-105, crates/palyra-egress-proxy/src/lib.rs#1-7, crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#11-15

Tool Programs and RPC Delegation

The palyra.tool_program.run tool allows agents to execute declarative, multi-step programs. This enables complex workflows that require explicit tool grants and DAG-based dependencies (crates/palyra-daemon/src/application/tool_runtime/tool_program.rs#1-9).

Execution Model

Tool RPC (tool_rpc.rs)

Nested tool calls are managed by the RPC bridge. It re-evaluates security for every child call, ensuring a program cannot escalate privileges beyond its parent proposal (crates/palyra-daemon/src/application/tool_rpc.rs#3-5).

| Feature | Description |
| --- | --- |
| Call ID | Correlates child calls to the parent proposal in the journal (crates/palyra-daemon/src/application/tool_rpc.rs#178-180). |
| Result Projection | Allows callers to choose between ModelVisible, SummaryOnly, or ArtifactOnly outputs (crates/palyra-daemon/src/application/tool_rpc.rs#63-70). |
| Attestation | Every child call generates a ToolRpcAttestation for auditability (crates/palyra-daemon/src/application/tool_rpc.rs#101-108). |

Sources: crates/palyra-daemon/src/application/tool_runtime/tool_program.rs#1-9, crates/palyra-daemon/src/application/tool_runtime/tool_rpc.rs#142-162

Networked Worker Dispatch

Palyra supports distributed execution via a fleet of networked workers. The WorkerFleetManager maintains an in-memory ledger of available workers and their health (crates/palyra-workerd/src/lib.rs#3-6).

Attestation and Security

To join the fleet, a worker must present a WorkerAttestation containing:

Diagram: Worker Registration and Attestation

Sources: crates/palyra-workerd/src/lib.rs#35-62, crates/palyra-workerd/src/lib.rs#113-152, crates/palyra-workerd/tests/critical_attack_scenarios.rs#73-92

Workspace Observability and Artifacts

Workspace-mutating tools record journal-backed checkpoints. The workspace_observability module manages these snapshots for auditing and recovery (crates/palyra-daemon/src/application/workspace_observability.rs#3-7).

Key Components

Artifact Read Tool (palyra.artifact.read)

This tool allows agents to read specific artifact versions from the journal. If a full read is denied due to sensitivity, the system automatically attempts a redacted text preview to keep the content model-visible (crates/palyra-daemon/src/application/tool_runtime/artifacts.rs#1-8).

Sources: crates/palyra-daemon/src/application/workspace_observability.rs#1-15, crates/palyra-daemon/src/application/tool_runtime/artifacts.rs#129-137

Delegation Control (palyra.delegation)

The delegation tools (palyra.delegation.query and palyra.delegation.control) allow agents to spawn sub-tasks (objectives) and monitor their progress (crates/palyra-daemon/src/application/tool_runtime/delegation.rs#1-7).

Sources: crates/palyra-daemon/src/application/tool_runtime/delegation.rs#1-7, crates/palyra-daemon/src/application/tool_runtime/delegation.rs#139-157