You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The sidecar currently always returns Allowed: true synchronously to the hook handler, then fires off the ProcessHookEvent unary RPC asynchronously. The backend's Decision enum (ALLOW, DENY, ASK) is unused infrastructure — there's no path for the backend to actually deny a tool call.
This is because ProcessHookEvent is a unary RPC. The sidecar would have to block on the RPC round-trip for every tool call to get a decision, which adds latency to every agent action.
Proposed solution
Switch ProcessHookEvent back to bidirectional streaming. The sidecar opens a persistent stream at session start and:
Sends each hook event as a message on the stream
Receives the policy decision (allow/deny/ask) back on the same stream
Returns the decision to the hook handler synchronously
This gives the backend a real enforcement path while keeping latency low (no connection setup per event — the stream is already open).
Changes required
Proto (kontext-dev/proto): Change ProcessHookEvent from rpc ProcessHookEvent(ProcessHookEventRequest) returns (ProcessHookEventResponse) to rpc ProcessHookEvent(stream ProcessHookEventRequest) returns (stream ProcessHookEventResponse)
CLI sidecar: Open stream on session start, multiplex events onto it, wait for decisions before returning to hook handler
CLI backend client: Replace IngestEvent unary call with stream send/receive
API handler: Update ConnectRPC handler from unary to bidi streaming, evaluate policy per event, return decisions on the stream
Design considerations
Need a correlation ID per event so the sidecar can match responses to requests on the multiplexed stream
Fallback behavior when stream disconnects: fail-open (allow) or fail-closed (deny)? Configurable?
Latency budget: hook handlers need to respond in ~5-10ms. If the backend can't decide in time, should the sidecar fall back to a local decision?
Problem
The sidecar currently always returns
Allowed: truesynchronously to the hook handler, then fires off theProcessHookEventunary RPC asynchronously. The backend'sDecisionenum (ALLOW,DENY,ASK) is unused infrastructure — there's no path for the backend to actually deny a tool call.This is because
ProcessHookEventis a unary RPC. The sidecar would have to block on the RPC round-trip for every tool call to get a decision, which adds latency to every agent action.Proposed solution
Switch
ProcessHookEventback to bidirectional streaming. The sidecar opens a persistent stream at session start and:This gives the backend a real enforcement path while keeping latency low (no connection setup per event — the stream is already open).
Changes required
kontext-dev/proto): ChangeProcessHookEventfromrpc ProcessHookEvent(ProcessHookEventRequest) returns (ProcessHookEventResponse)torpc ProcessHookEvent(stream ProcessHookEventRequest) returns (stream ProcessHookEventResponse)IngestEventunary call with stream send/receiveDesign considerations
Related