
Tool Governance

Wrap any callable so every execution is audited through TapPass.

tools = agent.govern([search, send_email, read_file])
# Every tool call is now logged in the audit trail

Works with CrewAI, LangChain, LlamaIndex, Pydantic AI, and plain Python functions.

When a governed tool is called, TapPass runs these checks in order, and the tool only executes if all of them pass:

  1. tool_permissions: checks whether this agent is allowed to use this tool
  2. tool_constraints: validates arguments (deny SQL DELETE, restrict recipients)
  3. scan_tool_calls: scans arguments for path traversal, injection, and forbidden zones
  4. detect_code_exec: blocks shell commands, eval(), and reverse shells
  5. require_approval: pauses for human approval on high-risk operations
  6. Taint tracking: labels tool results as EXTERNAL (untrusted) so downstream consumers treat them as attacker-controllable input

Tool access is configured per agent via OPA policy:

{
  "tools": {
    "allow": ["search", "read_file"],
    "deny": ["send_email", "delete_user"]
  }
}

Argument-level restrictions:

{
  "tools": {
    "read_file": {"path": {"type": "subpath", "root": "/data"}},
    "send_email": {"to": {"type": "pattern", "glob": "*@company.com"}},
    "query_db": {"query": {"deny_patterns": ["DELETE", "DROP"]}}
  }
}

Tool calls referencing any of 74 protected paths (SSH keys, cloud credentials, crypto wallets) are blocked automatically, regardless of the per-tool policy. Unicode bypass protection is included: arguments are checked for null bytes, zero-width characters, and Cyrillic confusables, so an attacker cannot slip a protected path or a denied keyword past the matcher by disguising its spelling.
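To make the six-step pipeline, the constraint policy, and the Unicode normalization concrete, here is an added example of a governance wrapper written in the same shape. This is illustrative code, not TapPass's implementation or its API: the policy is a plain dict mirroring the JSON above, the `require_approval` policy key and the `approver` callback are invented for the example, and the protected-path and code-execution lists are small constructed stand-ins for the real ones.

```python
"""Illustrative governance wrapper (added example, not TapPass code).
Assumes a dict policy in the page's JSON shape, an invented "require_approval"
key, and constructed stand-ins for the protected-path and code-exec lists."""
import fnmatch
import os
import re
import unicodedata
from functools import wraps

class PolicyViolation(Exception):
    """Raised when a governed call fails any check; the tool never runs."""

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Cyrillic letters that render like Latin ones (small subset, constructed here).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0441": "c", "\u0415": "E", "\u041e": "O"})
PROTECTED_PATHS = (".ssh/id_rsa", ".ssh/id_ed25519", ".aws/credentials",
                   ".config/gcloud", "wallet.dat")
CODE_EXEC = re.compile(r"\beval\s*\(|\bexec\s*\(|os\.system|subprocess\."
                       r"|\bbash\s+-i\b|/dev/tcp/|\bnc\s+-e\b")

def normalize(value):
    """Canonicalize a string so Unicode tricks cannot slip past the checks."""
    if not isinstance(value, str):
        return value
    if "\x00" in value:
        raise PolicyViolation("null byte in argument")
    value = unicodedata.normalize("NFKC", value)
    value = "".join(ch for ch in value if ch not in ZERO_WIDTH)
    return value.translate(CONFUSABLES)

def check_constraint(arg, spec, value):
    """Enforce one argument constraint in the page's JSON shape."""
    if spec.get("type") == "subpath":
        # realpath resolves '..' and symlinks; the result must stay under root.
        root = os.path.realpath(spec["root"])
        target = os.path.realpath(os.path.join(root, value))
        if os.path.commonpath([root, target]) != root:
            raise PolicyViolation(f"{arg}: {value!r} escapes {root}")
    elif spec.get("type") == "pattern":
        if not fnmatch.fnmatchcase(value, spec["glob"]):
            raise PolicyViolation(f"{arg}: {value!r} does not match {spec['glob']}")
    elif "deny_patterns" in spec:
        for pat in spec["deny_patterns"]:  # whole words, case-insensitive
            if re.search(rf"\b{re.escape(pat)}\b", value, re.IGNORECASE):
                raise PolicyViolation(f"{arg}: denied pattern {pat!r}")
    else:
        raise PolicyViolation(f"{arg}: unknown constraint {spec!r}")

def govern(agent_id, policy, tool, approver=None):
    """Wrap `tool` so every call runs the six checks in the page's order."""
    tools, name = policy["tools"], tool.__name__

    @wraps(tool)
    def wrapped(**kwargs):
        if name in tools.get("deny", ()) or name not in tools.get("allow", ()):
            raise PolicyViolation(f"{agent_id} may not call {name}")   # 1
        args = {k: normalize(v) for k, v in kwargs.items()}
        for arg, spec in tools.get(name, {}).items():                   # 2
            if arg in args:
                check_constraint(arg, spec, args[arg])
        for arg, value in ((k, v) for k, v in args.items() if isinstance(v, str)):
            if any(p in value for p in PROTECTED_PATHS):                # 3
                raise PolicyViolation(f"{arg}: references a protected path")
            if CODE_EXEC.search(value):                                 # 4
                raise PolicyViolation(f"{arg}: looks like code execution")
        if name in tools.get("require_approval", ()):                   # 5
            if approver is None or not approver(name, args):
                raise PolicyViolation(f"{name}: human approval withheld")
        return {"taint": "EXTERNAL", "value": tool(**args)}             # 6
    return wrapped

def blocked(fn, **kwargs):
    """Return the refusal reason for a governed call, or None if it ran."""
    try:
        fn(**kwargs)
    except PolicyViolation as exc:
        return str(exc)
    return None

# Constructed policy and toy tools (no real I/O) so the file runs stand-alone.
POLICY = {"tools": {
    "allow": ["search", "read_file", "send_email", "query_db"],
    "deny": ["delete_user"],
    "require_approval": ["send_email"],   # invented key, see docstring
    "read_file": {"path": {"type": "subpath", "root": "/data"}},
    "send_email": {"to": {"type": "pattern", "glob": "*@company.com"}},
    "query_db": {"query": {"deny_patterns": ["DELETE", "DROP"]}},
}}

def read_file(path): return f"contents of {path}"
def send_email(to, body): return f"sent to {to}"
def query_db(query): return f"ran {query}"
def delete_user(user): return f"deleted {user}"

# Stand-in approver that says yes to everything; a real one asks a human.
governed = {t.__name__: govern("agent-1", POLICY, t, approver=lambda n, a: True)
            for t in (read_file, send_email, query_db, delete_user)}
```

Two design points worth noting. Normalization runs before every matcher, so `D\u0415LETE` (Cyrillic Е) and `DE\u200bLETE` (zero-width space) both collapse to `DELETE` and hit the deny pattern, which is the failure mode the Unicode bypass protection exists for. The subpath check compares resolved paths rather than string prefixes, so `/data/../../etc/passwd` is rejected even though it starts with `/data`, and a symlink inside the root that points outside it is caught as well.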