MCP Mastery
Chapter 13
boss
~45 min

Security and Guardrails — Your agent is an untrusted browser with a wallet.


LangChain 0.3.x
LangGraph 0.2.x
Python 3.11
LangSmith
Reviewed 2026-05-16

Reading this chapter helps prevent 11 common LangChain mistakes.

The setup

You are here because agent security moved from notebook magic to product surface area. That is where the charming demo stops being charming and starts asking for state, tests, traces, and a budget.

This chapter covers prompt injection, validation, tool allowlists, sandboxing, secret hygiene, and guardrail layers. The point is not to memorize one API call. The point is to know which abstraction deserves trust and which one is wearing a fake mustache.

Picture this

The production shape of agent security before the code starts freelancing.

Mental model

Think in contracts first. A LangChain runnable or LangGraph node is not a poetic suggestion; it is a boundary with inputs, outputs, config, callbacks, and failure modes. If you cannot describe those five things, you are not designing an agent system. You are hosting an improv night.

| Decision | Use this | Not that |
| --- | --- | --- |
| Primary move | Allowlists, schemas, sandboxing, and approvals around risky tools | Trusting a prompt to enforce a policy that should live in code |
| Evidence | Traceable runs, typed payloads, and repeatable examples | A screenshot of one lucky response |
| Failure posture | Retry, fallback, or interrupt with a reason | Hope the model apologizes convincingly |

Cocky, not careless

Confidence is earned by making the boring parts visible: schemas, state, traces, budgets, and tests. The model can be creative. Your architecture does not get that privilege.

Walkthrough

Start with a tiny runnable-shaped contract. Yes, it looks small. That is the point. Small contracts are how you stop a graph from becoming a haunted house.

```python
from langchain_core.runnables import RunnableLambda


def describe_contract(payload: dict) -> dict:
    # The boundary: one named input in, one explicit output shape out.
    return {
        "input": payload["input"],
        "risk": "bounded",
        "next_step": "trace-and-test",
    }


# Tag the run so the trace can be found later instead of reconstructed from memory.
chain = RunnableLambda(describe_contract).with_config(tags=["chapter-13"])
result = chain.invoke({"input": "ship the graph, not the vibes"})
print(result)
```

Now attach the concept to the actual chapter topic: prompt injection, validation, tool allowlists, sandboxing, secret hygiene, and guardrail layers. The implementation pattern is deliberately boring: define the boundary, tag the run, record the outcome, then decide whether the next branch is cheap, risky, or worth human attention.

How agent security behaves once state, observability, and failure paths are admitted into the room.

Try this yourself

  1. Write a runnable or graph node for the smallest useful version of this chapter's pattern.
  2. Add tags and metadata before you run it. Future you deserves evidence, not folklore.
  3. Create one failure case on purpose and decide whether it should retry, fallback, interrupt, or stop.

Hall of Shame

Letting the model decide which tool to call with no allowlist (tag: langchain)

This is the move that looks clever for ten minutes and becomes operational debt for six months. It hides the contract, loses the trace, and makes the next engineer debug vibes with a calendar invite. Beautiful work, if the goal was archaeology.
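The gate this entry is missing, and the boring loop the walkthrough describes (define the boundary, record the outcome, decide whether the branch is cheap, risky, or worth human attention), as an added example that is not part of the chapter's own code: a framework-agnostic Python tool-call gate that enforces an allowlist, a typed argument contract, a per-run budget, and an approval tier in code rather than in the prompt. The tool names, policies, and tiers are constructed for the example; in LangGraph the "interrupt" decision would map to a human-in-the-loop interrupt before the tool node runs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolPolicy:
    """What one allowlisted tool may receive, how risky it is, and its per-run budget."""
    schema: dict[str, type]   # required argument names and their types
    tier: str                 # "cheap" | "risky" | "approval"
    max_calls: int = 10       # budget for this run


@dataclass(frozen=True)
class GateDecision:
    status: str               # "run" | "interrupt" | "reject"
    reason: str
    tool: str


# Constructed allowlist for the example; real tools and tiers live in your registry.
ALLOWLIST = {
    "search_docs": ToolPolicy({"query": str}, "cheap", max_calls=20),
    "read_file": ToolPolicy({"path": str}, "risky", max_calls=5),
    "send_payment": ToolPolicy({"amount": int, "to": str}, "approval", max_calls=1),
}


class ToolGate:
    """Sits between the model's tool-call output and the tool executor."""

    def __init__(self, allowlist: dict[str, ToolPolicy]) -> None:
        self.allowlist = allowlist
        self.calls: dict[str, int] = {}      # per-run call counts
        self.audit: list[GateDecision] = []  # every outcome, for the trace

    def check(self, tool: str, args: dict) -> GateDecision:
        policy = self.allowlist.get(tool)
        if policy is None:                               # model emitted a name we never registered
            decision = GateDecision("reject", "tool not in allowlist", tool)
        elif set(args) != set(policy.schema) or any(
            not isinstance(args[k], t) for k, t in policy.schema.items()
        ):                                               # payload is not the typed contract
            decision = GateDecision("reject", "arguments do not match schema", tool)
        elif self.calls.get(tool, 0) >= policy.max_calls:
            decision = GateDecision("reject", "per-run budget exhausted", tool)
        elif policy.tier == "approval":                  # pause the graph and ask a human
            decision = GateDecision("interrupt", "needs human approval", tool)
        else:
            decision = GateDecision("run", f"{policy.tier} branch", tool)
        if decision.status != "reject":
            self.calls[tool] = self.calls.get(tool, 0) + 1
        self.audit.append(decision)
        return decision
```

Every decision lands in `audit`, so a run's trace shows not just which tools ran but which calls were refused and why.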

Why this matters in production

The boring checklist is undefeated:

  • Inputs are typed and validated.
  • Expensive branches have budgets.
  • Risky actions have approval gates.
  • Every meaningful run is traceable.
  • The failure mode is named before users name it for you.

You can now brag that...

  • You can explain agent security without hiding behind framework mysticism.
  • You know when to put allowlists, schemas, sandboxing, and approvals around risky tools.
  • You can spot a prompt being trusted to enforce a policy that should live in code before it becomes a retro item.

Quiz

  1. What is the safest first move when designing agent security?

  2. Which signal says the implementation is ready for production review?

  3. Which anti-pattern does this chapter explicitly call out?