feat(guardrails): send execution source and job key headers#1739
Open
valentinabojan wants to merge 17 commits into
Open
feat(guardrails): send execution source and job key headers#1739valentinabojan wants to merge 17 commits into
valentinabojan wants to merge 17 commits into
Conversation
Guardrail validation calls now carry x-uipath-agenthub-config (execution source) and x-uipath-jobkey headers for licensing/metering correlation, mirroring the licensing flow. The source is derived from the executing CLI command (run -> runtime, debug/dev -> playground, eval -> eval) and exposed via the UIPATH_EXECUTION_SOURCE env var, so it works for both coded and low-code agents since both run through the uipath CLI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
github-actions
Bot
added
test:uipath-langchain
Also drops the "(AgentHub config)" note from the execution_source docstring. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds correlation metadata to guardrail validation requests by propagating the CLI execution “source” and orchestrator job key into HTTP headers, aligning guardrails with existing licensing/metering flows.
Changes:
- Set
UIPATH_EXECUTION_SOURCEat the start of CLI agent-executing commands (run,debug,dev,eval) via a new execution-source resolver. - Send
x-uipath-agenthub-config(execution source) andx-uipath-jobkey(job key) headers on guardrail validation requests, omitting each when unset. - Add unit tests to verify presence/absence of the new headers on outgoing guardrails requests.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| packages/uipath/src/uipath/_cli/cli_run.py | Sets execution source for run before runtime construction. |
| packages/uipath/src/uipath/_cli/cli_eval.py | Sets execution source for eval before evaluation execution starts. |
| packages/uipath/src/uipath/_cli/cli_dev.py | Sets execution source for dev before launching the developer console/runtime. |
| packages/uipath/src/uipath/_cli/cli_debug.py | Sets execution source for debug before runtime/debug setup. |
| packages/uipath/src/uipath/_cli/_utils/_execution_source.py | New mapping logic from CLI command → execution source env var. |
| packages/uipath-platform/src/uipath/platform/guardrails/_guardrails_service.py | Adds execution source + job key headers to guardrails validate requests. |
| packages/uipath-platform/src/uipath/platform/common/constants.py | Introduces UIPATH_EXECUTION_SOURCE env var constant. |
| packages/uipath-platform/src/uipath/platform/common/_job_context.py | Adds header_execution_source() helper alongside existing job key header helper. |
| packages/uipath-platform/src/uipath/platform/common/_config.py | Exposes UiPathConfig.execution_source via the new env var. |
| packages/uipath-platform/tests/services/test_guardrails_service.py | Adds tests ensuring headers are present when set and omitted when unset. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Use a dedicated x-uipath-execution-source header instead of reusing x-uipath-agenthub-config. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Mirror get_execution_type's plain command->type mapping; the playground reclassification was a licensing-only concern. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Raise uipath -> uipath-platform pin to >=0.1.72 (dependency-bump check) - Regenerate uv.lock files for the version bumps (--locked sync) - Add unit tests for set_execution_source and header_execution_source Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ails-source-job-headers # Conflicts: # packages/uipath/pyproject.toml # packages/uipath/uv.lock
ctiliescuuipath
approved these changes
Jun 23, 2026
…ails-source-job-headers # Conflicts: # packages/uipath-platform/pyproject.toml # packages/uipath-platform/uv.lock # packages/uipath/pyproject.toml # packages/uipath/uv.lock
apetraru-uipath
approved these changes
Jun 23, 2026
radu-mocanu
requested changes
Jun 24, 2026
radu-mocanu
left a comment
radu-mocanu
left a comment
Collaborator
There was a problem hiding this comment.
env vars are acceptable for process bootstrap/config coming from the outside world, but this PR uses an env var as an internal (same-process) message bus from the CLI layer to the platform client. this is not a clean design as it:
- makes the state global
- can t be scoped in async/concurrent eval runs
etc.
we should make this execution metadata part of runtimecontext and pass it through the existing context boundary, as currently done for for command/job/trace-related execution state.
A cleaner shape would be:
- map `command -> execution_source` when building `UiPathRuntimeContext`
- carry it as `runtime_context.execution_source`
- propagate it into `UiPathExecutionContext` / the platform client context
- have `GuardrailsService` read `self._execution_context.execution_source` when adding `x-uipath-guardrails-source`
Replace the UIPATH_EXECUTION_SOURCE env-var bridge with the runtime context boundary, addressing PR review feedback (env var as an internal same-process message bus is global and not scoped for concurrent runs). - platform: add ExecutionSourceContext (a scoped ContextVar manager) and UiPathExecutionContext.execution_source reading it - guardrails: build x-uipath-guardrails-source from self._execution_context.execution_source - cli: enter ExecutionSourceContext(ctx.execution_source) around run/ debug/dev/eval execution, sourcing the value from the runtime context - remove the env var: UIPATH_EXECUTION_SOURCE, UiPathConfig.execution_source, header_execution_source(), and the _execution_source CLI helper - bump uipath-runtime pin to >=0.11.4 for the new UiPathRuntimeContext.execution_source field Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace ExecutionSourceContext with a set_execution_source(value) helper backed by the same ContextVar. CLI handlers call it once with ctx.execution_source instead of wrapping the run in a context manager; the set/reset scoping was only meaningful for the dev server and a CLI invocation is one source per process. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ails-source-job-headers # Conflicts: # packages/uipath-platform/pyproject.toml # packages/uipath-platform/uv.lock # packages/uipath/pyproject.toml # packages/uipath/uv.lock
Extract the dev context/factory setup into _create_dev_factory and unit test it, so the new execution-source logic in the (otherwise untested) dev command is covered. Addresses SonarCloud new-code coverage. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- drop unused type:ignore on _create_dev_factory - patch UiPathRuntimeFactoryRegistry.get via string target to avoid no_implicit_reexport on the cli_dev re-import Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ails-source-job-headers # Conflicts: # packages/uipath/pyproject.toml
radu-mocanu
reviewed
Jun 24, 2026
| command="debug", | ||
| ) as ctx: | ||
| ) | ||
| set_execution_source(ctx.execution_source) |
Collaborator
There was a problem hiding this comment.
this should be a context manager (like ctx or the resource overwrites). the context var token should be released when we exit the context
Per review feedback, set the execution source with a context manager that releases the ContextVar token on exit (like ResourceOverwritesContext and the runtime ctx), instead of a bare setter. CLI handlers enter 'with ExecutionSourceContext(ctx.execution_source), ctx:'; dev wraps the console/server run. Adds a dev terminal test covering the scoped run. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
🚨 Heads up:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Guardrail validation calls now send the execution source (
x-uipath-guardrails-source) and job key (x-uipath-jobkey) headers for licensing/metering correlation.The source is derived from the executing CLI command (
run→runtime,debug/dev→playground,eval→eval) onUiPathRuntimeContext.execution_source(added in uipath-runtime 0.11.4), and flows through the execution-context boundary rather than an env var: the CLI callsset_execution_source(ctx.execution_source), which sets aContextVarthatUiPathExecutionContext.execution_sourcereads, andGuardrailsServicebuilds the header fromself._execution_context.execution_source. This keeps the source correctly scoped for concurrent/eval runs and works for both coded and low-code agents, since both run through theuipathCLI. Job key continues to come fromUiPathConfig.job_key; both headers are omitted when unset.Requires
uipath-runtime>=0.11.4(companion PR: UiPath/uipath-runtime-python#132).🤖 Generated with Claude Code