feat(plugins): let pre_tool_call hooks block tool execution

Plugins can now return {"action": "block", "message": "reason"} from their pre_tool_call hook to prevent a tool from executing. The error message is returned to the model as a tool result so it can adjust. Covers both execution paths: handle_function_call (model_tools.py) and agent-level tools (run_agent.py _invoke_tool + sequential/concurrent). Blocked tools skip all side effects (counter resets, checkpoints, callbacks, read-loop tracker). Adds skip_pre_tool_call_hook flag to avoid double-firing the hook when run_agent.py already checked and then calls handle_function_call. Salvaged from PR #5385 (gianfrancopiana) and PR #4610 (oredsecurity).
2026-04-25 00:51:20 +00:00 · 2026-04-13 21:15:25 -07:00 · 2026-04-13 21:15:25 -07:00 · eabc0a2f66
commit eabc0a2f66
parent ea74f61d98
6 changed files with 335 additions and 40 deletions
--- a/hermes_cli/plugins.py
+++ b/hermes_cli/plugins.py
@ -584,6 +584,45 @@ def invoke_hook(hook_name: str, **kwargs: Any) -> List[Any]:



+def get_pre_tool_call_block_message(
+    tool_name: str,
+    args: Optional[Dict[str, Any]],
+    task_id: str = "",
+    session_id: str = "",
+    tool_call_id: str = "",
+) -> Optional[str]:
+    """Check ``pre_tool_call`` hooks for a blocking directive.
+
+    Plugins that need to enforce policy (rate limiting, security
+    restrictions, approval workflows) can return::
+
+        {"action": "block", "message": "Reason the tool was blocked"}
+
+    from their ``pre_tool_call`` callback.  The first valid block
+    directive wins.  Invalid or irrelevant hook return values are
+    silently ignored so existing observer-only hooks are unaffected.
+    """
+    hook_results = invoke_hook(
+        "pre_tool_call",
+        tool_name=tool_name,
+        args=args if isinstance(args, dict) else {},
+        task_id=task_id,
+        session_id=session_id,
+        tool_call_id=tool_call_id,
+    )
+
+    for result in hook_results:
+        if not isinstance(result, dict):
+            continue
+        if result.get("action") != "block":
+            continue
+        message = result.get("message")
+        if isinstance(message, str) and message:
+            return message
+
+    return None
+
+
 def get_plugin_context_engine():
    """Return the plugin-registered context engine, or None."""
    return get_plugin_manager()._context_engine