fix: stop streamed tool execution after known input guardrail tripwire#2688
fix: stop streamed tool execution after known input guardrail tripwire#2688
Conversation
seratch
added
bug
seratch
force-pushed
the
fix/streaming-input-guardrail-tripwire
branch
from
c2d0c73 to
15a3045
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 15a304514b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8f03cc1a5b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| tripwire_result = streamed_result._triggered_input_guardrail_result | ||
| if tripwire_result is not None: | ||
| raise InputGuardrailTripwireTriggered(tripwire_result) |
There was a problem hiding this comment.
raise_if_input_guardrail_tripwire_known raises immediately when _triggered_input_guardrail_result is set. In the slow-cancel sibling path, run_input_guardrails_with_queue has not yet appended that result to streamed_result.input_guardrail_results, so the surfaced InputGuardrailTripwireTriggered.run_data.input_guardrail_results can be empty. This drops the triggering guardrail context for callers handling the exception.
Useful? React with 👍 / 👎.
1 participant
This pull request fixes a streaming-only guardrail race where
Runner.run_streamed()could still execute same-turn tool side effects after a parallel input guardrail tripwire had already been observed.The change keeps the released
run_in_parallel=Truecontract intact for still-running guardrails, but adds a narrow hardening checkpoint for the streaming path once a tripwire is already known. The streaming guardrail runner now records the first triggered result immediately, and streamed turn resolution checks for that state before executing tools or other same-turn side effects.This also adds regression coverage for the streaming-specific case while preserving the existing tests that document the broader parallel guardrail semantics.