HTTP Fetch Tool (palyra.http.fetch)
The palyra.http.fetch tool provides policy-gated outbound HTTP access. It is designed to prevent SSRF (Server-Side Request Forgery) and DNS rebinding attacks by integrating directly with the palyra-egress-proxy crate crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#1-9.
Security and Data Flow
- Policy Evaluation: Every request and every subsequent redirect is re-evaluated by the
EgressProxyPolicyServicecrates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#3-9. - Connection Pinning: Resolved IP addresses are pinned into the HTTP client to prevent DNS rebinding between the time of check and time of connect crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#6-8.
- Credential Injection: The tool can inject secrets from the Palyra Vault into headers, ensuring agents never handle raw API keys crates/palyra-egress-proxy/src/lib.rs#3-6.
- Content Processing: HTML responses are stripped of non-visible tags (e.g.,
<script>,<style>) and passed through a safety redaction scan before being returned to the agent crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#11-13.
HTTP Fetch Architecture
The diagram below illustrates how a fetch request is gated by the egress proxy before hitting the network. Diagram: Egress Gated Fetch Flow Sources: crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#57-105, crates/palyra-egress-proxy/src/lib.rs#1-7, crates/palyra-daemon/src/application/tool_runtime/http_fetch.rs#11-15Tool Programs and RPC Delegation
Thepalyra.tool_program.run tool allows agents to execute declarative, multi-step programs. This enables complex workflows that require explicit tool grants and DAG-based dependencies crates/palyra-daemon/src/application/tool_runtime/tool_program.rs#1-9.
Execution Model
- Step Isolation: Each step in a program is executed as a grant-checked tool RPC call crates/palyra-daemon/src/application/tool_runtime/tool_program.rs#3-6.
- Budgeting: Programs operate under shared budgets for steps, runtime, child runs, and output bytes crates/palyra-daemon/src/application/tool_runtime/tool_program.rs#5-7.
- Python Bridge: Programs can execute sandboxed Python code that communicates with the daemon via a JSONL-based RPC bridge crates/palyra-daemon/src/application/tool_runtime/tool_rpc.rs#1-7.
Tool RPC (tool_rpc.rs)
Nested tool calls are managed by the RPC bridge. It re-evaluates security for every child call, ensuring a program cannot escalate privileges beyond its parent proposal crates/palyra-daemon/src/application/tool_rpc.rs#3-5.
| Feature | Description |
|---|---|
| Call ID | Correlates child calls to the parent proposal in the journal crates/palyra-daemon/src/application/tool_rpc.rs#178-180. |
| Result Projection | Allows callers to choose between ModelVisible, SummaryOnly, or ArtifactOnly outputs crates/palyra-daemon/src/application/tool_rpc.rs#63-70. |
| Attestation | Every child call generates a ToolRpcAttestation for auditability crates/palyra-daemon/src/application/tool_rpc.rs#101-108. |
Networked Worker Dispatch
Palyra supports distributed execution via a fleet of networked workers. TheWorkerFleetManager maintains an in-memory ledger of available workers and their health crates/palyra-workerd/src/lib.rs#3-6.
Attestation and Security
To join the fleet, a worker must present aWorkerAttestation containing:
- Image/Build Digests: SHA-256 hashes of the worker’s software stack crates/palyra-workerd/src/lib.rs#38-40.
- Egress Proxy Binding: Verification that the worker booted behind an attested egress proxy crates/palyra-workerd/src/lib.rs#41-42.
- Validity Window:
issued_atandexpires_attimestamps to prevent replay of old attestations crates/palyra-workerd/src/lib.rs#58-61.
Workspace Observability and Artifacts
Workspace-mutating tools record journal-backed checkpoints. Theworkspace_observability module manages these snapshots for auditing and recovery crates/palyra-daemon/src/application/workspace_observability.rs#3-7.
Key Components
- Checkpoints: Pre-flight and post-change snapshots of every touched file crates/palyra-daemon/src/application/workspace_observability.rs#3-5.
- Artifact History: Per-path versions allowing the console to diff changes across runs crates/palyra-daemon/src/application/workspace_observability.rs#126-158.
- Path Guards: All mutations are validated against path-containment guards to prevent directory traversal or symlink attacks crates/palyra-daemon/src/application/workspace_observability.rs#9-12.
Artifact Read Tool (palyra.artifact.read)
This tool allows agents to read specific artifact versions from the journal. If a full read is denied due to sensitivity, the system automatically attempts a redacted text preview to keep the content model-visible crates/palyra-daemon/src/application/tool_runtime/artifacts.rs#1-8.
Sources: crates/palyra-daemon/src/application/workspace_observability.rs#1-15, crates/palyra-daemon/src/application/tool_runtime/artifacts.rs#129-137
Delegation Control (palyra.delegation)
The delegation tools (palyra.delegation.query and palyra.delegation.control) allow agents to spawn sub-tasks (objectives) and monitor their progress crates/palyra-daemon/src/application/tool_runtime/delegation.rs#1-7.
delegate: Spawns a new background task with a specific objective, agent profile, and budget crates/palyra-daemon/src/application/tool_runtime/delegation.rs#159-174.interrupt: Cancels an active delegation crates/palyra-daemon/src/application/tool_runtime/delegation.rs#150.status: Retrieves the currentAuxiliaryTaskState(e.g., Pending, Running, Completed) crates/palyra-daemon/src/application/tool_runtime/delegation.rs#142.