[Contrib] Agent-OS Governance: Kernel-Level Policy Enforcement for Crews#4384
[Contrib] Agent-OS Governance: Kernel-Level Policy Enforcement for Crews#4384imran-siddique wants to merge 4 commits intocrewAIInc:mainfrom
Conversation
Adds kernel-level governance for CrewAI workflows. Features: - GovernancePolicy: Define rules for crew behavior - GovernedAgent: Wrap individual agents with policy enforcement - GovernedCrew: Govern entire crews with shared policy - Content filtering with blocked patterns - Tool filtering (blocked/allowed lists) - Full audit trail Integration with Agent-OS kernel for enterprise governance. See: https://github.com/imran-siddique/agent-os
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
- Fix content filtering bypass for non-string outputs - Fix double-counting of agent violations in crew totals - Remove unimplemented human approval features from docs - Add warning when agent lacks execute_task method - Use getattr consistently for agent.role access - Clarify rate limiting requires CrewAI callback integration
1. Rate limiting now enforced: - _tool_calls incremented when tools pass filter - _iterations incremented after each execution - TOOL_LIMIT_EXCEEDED and ITERATION_LIMIT_EXCEEDED violations raised 2. Content filter return type: Already fixed (returns sanitized string) 3. Timeout enforcement: Clarified in docstring that it's audit-only post-execution check. Real-time enforcement needs asyncio.timeout. 4. Audit event task_name: Fixed key mismatch - now extracts from both 'task_name' and 'task' object (via .description or .name) 5. Crew violations in audit log: _record_violation now calls _log_event to ensure all violations appear in audit trail
Please review again |
The _check_output method was returning a string for non-string outputs when violations were detected, which broke downstream consumers expecting specific types (e.g., TaskOutput). Now returns the original object while logging a warning. Violations are still recorded and can be retrieved via get_violations(). Fixes review comment about return type breaking downstream consumers.
All Review Comments Addressed ✅Fixed the Bugbot-identified issue:
The violation is still recorded and can be retrieved via get_violations() - we just don't break the type contract anymore. Could you please provide a final review so we can move forward? Thank you! 🙏 |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| "Returning original object to preserve type. Violations: %d", | ||
| type(output).__name__, | ||
| len(self._violations) | ||
| ) |
There was a problem hiding this comment.
logger undefined in _check_output causes NameError
High Severity
logger is defined as a local variable inside _wrap_execution (line 145) but referenced in _check_output (line 279), which is a separate method with no access to that local scope. When a non-string output triggers a content violation, this raises a NameError, crashing the governed execution instead of gracefully returning the original object.
Additional Locations (1)
| self._record_violation( | ||
| ViolationType.TOOL_LIMIT_EXCEEDED, | ||
| f"Tool calls ({self._tool_calls}) exceeded limit ({self.policy.max_tool_calls})", | ||
| ) |
There was a problem hiding this comment.
Tool filtering incorrectly counted as tool invocations
Medium Severity
_filter_tools increments self._tool_calls for each tool that passes the allow/block filter (line 226), treating the count of available tools as actual tool invocations. If an agent has 10 allowed tools and max_tool_calls is 5, a TOOL_LIMIT_EXCEEDED violation fires before any tool is actually called, making rate limiting ineffective and producing false violations.
Additional Locations (1)
1 participant
Summary
Adds kernel-level governance for CrewAI workflows using Agent-OS.
Why This Matters
CrewAI enables powerful multi-agent crews, but lacks built-in policy enforcement. This module provides:
Changes
Example Usage
\\python
from crewai import Agent, Crew, Task
from crewai.governance import GovernedCrew, GovernancePolicy
Define policy
policy = GovernancePolicy(
max_tool_calls=20,
max_iterations=15,
blocked_patterns=["DROP TABLE", "rm -rf"],
blocked_tools=["shell_tool"],
)
Govern the crew
governed_crew = GovernedCrew(crew, policy)
result = governed_crew.kickoff()
Check audit
print(f"Violations: {len(governed_crew.violations)}")
\\
Value for CrewAI Users
Integration Path
This module works standalone, but can also integrate with the full Agent-OS kernel for:
Related Work
References
Note
Medium Risk
Introduces new runtime wrappers that monkey-patch
Agent.execute_taskand filter/sanitize tool usage and outputs, which could subtly change agent behavior and require validation across CrewAI versions.Overview
Adds a new
crewai.governancemodule that providesGovernancePolicy,GovernedAgent, andGovernedCrewwrappers to apply policy checks during crew execution.GovernedAgentwrapsAgent.execute_taskto filter tools (allow/deny lists), track tool-call and iteration limits (recording violations), and sanitize outputs by truncating and replacing blocked regex patterns; all violations and actions can be recorded to an audit trail with an optionalon_violationcallback.GovernedCrewwraps aCrewto automatically govern all agents, aggregate violations, log crew-level lifecycle events, and record an execution-time violation (post-run) whenmax_execution_timeis exceeded; documentation and examples are added ingovernance/README.md.Written by Cursor Bugbot for commit 4279378. This will update automatically on new commits. Configure here.