Tool Validation
The current tool-validation policy does three things:
Phase and verdicts
- Phase: pre-execution / input-stage policy evaluation
- Verdicts:
alloworblock
Configuration
pack:
name: tool-validation-example-1
version: "1.0.0"
enabled: true
policies:
chain:
- tool-validation
policy:
tool-validation:
declared_tools:
- web_search
- database_query
schemas:
database_query:
type: object
properties:
table:
type: string
required:
- table
allow_undeclared: false
semantic_validation:
enabled: true
endpoint: https://validator.example.com/judge
model: judge
secret_key_ref:
env: KEEPTRUSTS_VALIDATOR_API_KEY
timeout_ms: 3000
Supported fields
| Field | Type | Default | Notes |
|---|---|---|---|
declared_tools | string[] | [] | Allowlist for requested tool names. |
schemas | object | {} | Map of tool names to JSON Schemas. |
allow_undeclared | boolean | false | When false, undeclared tool names block the request. |
semantic_validation.enabled | boolean | false | Enables the external semantic validator call. |
semantic_validation.endpoint | string | — | Required when semantic validation is enabled. |
semantic_validation.model | string | — | Sent in the validator payload. If omitted, the runtime falls back to judge. |
semantic_validation.secret_key_ref | object | — | Use secret_key_ref.env for the bearer token environment variable. |
semantic_validation.timeout_ms | integer | 3000 | Request timeout for the validator call. |
What the policy validates
Requested tools
The policy extracts tool names from:
- OpenAI-style
tools[*].function.name - MCP-bridge-style
tools[*].name
Schemas
Configured schemas are compiled with the JSON Schema library (Draft 7).
Important: the policy checks that the schemas themselves are valid JSON Schemas. It does not validate actual tool-call arguments against those schemas.
Semantic validation
When enabled, the policy POSTs a payload containing:
declared_toolsschemas- the request's
toolsarray
The response must either:
- include a top-level
valid: true|false, or - include OpenAI-style
choices[0].message.contentJSON with avalidfield
Any validator error, timeout, malformed response, or valid: false result blocks the request.
Behavior notes
- Semantic validation is currently fail-closed, not fail-open.
allow_undeclared: trueallows undeclared tool names but still records them in the policy details payload.- Because this policy does not validate arguments against schemas, pair it with Tool Security or an external semantic validator if you need payload-level scrutiny.
Minimal valid example
policy:
tool-validation:
declared_tools:
- search