Python: follow up FIDES security flow (#5330)

* Python: follow up FIDES security flow

Refine the secure approval path, mark the security classes with the FIDES experimental feature label, and clean up the related docs/tests. Also fix workspace-level validation regressions uncovered while running the full Python check suite.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Python: remove FIDES GitHub MCP sample

Drop the GitHub MCP security sample from the FIDES follow-up branch while keeping the remaining security docs and samples intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Eduard van Valkenburg
2026-04-17 16:35:11 +02:00
committed by eavanvalkenburg
Unverified
parent 8a08776a32
commit 912961b10c
13 changed files with 1804 additions and 2502 deletions
@@ -746,9 +746,12 @@ class AgentFrameworkExecutor:
# Extract policy_violation info if present (from security middleware)
policy_violation_data = content_dict.get("policy_violation")
additional_props: dict[str, Any] | None = None
approval_additional_props: dict[str, Any] | None = None
if isinstance(policy_violation_data, dict):
additional_props = {"policy_violation": True, **policy_violation_data}
approval_additional_props = {
"policy_violation": True,
**policy_violation_data,
}
# Reconstruct function_call from server-stored data
function_call = Content.from_function_call(
@@ -762,7 +765,7 @@ class AgentFrameworkExecutor:
approved,
id=request_id,
function_call=function_call,
additional_properties=additional_props,
additional_properties=approval_additional_props,
)
contents.append(approval_response)
logger.info(
@@ -771,7 +774,7 @@ class AgentFrameworkExecutor:
request_id,
approved,
stored_fc["name"],
additional_props is not None,
approval_additional_props is not None,
)
except ImportError:
logger.warning(
@@ -1756,17 +1756,16 @@ class MessageMapper:
"output_index": context["output_index"],
"sequence_number": self._next_sequence(context),
}
# Include policy violation details if present (from security middleware)
additional_props = getattr(content, "additional_properties", None)
if additional_props and isinstance(additional_props, dict):
if additional_props.get("policy_violation"):
result["policy_violation"] = {
"reason": additional_props.get("reason", "Policy violation detected"),
"violation_type": additional_props.get("violation_type"),
"context_label": additional_props.get("context_label"),
}
additional_props = cast(dict[str, Any] | None, getattr(content, "additional_properties", None))
if additional_props and isinstance(additional_props, dict) and additional_props.get("policy_violation"):
result["policy_violation"] = {
"reason": additional_props.get("reason", "Policy violation detected"),
"violation_type": additional_props.get("violation_type"),
"context_label": additional_props.get("context_label"),
}
return result
async def _map_approval_response_content(self, content: Any, context: dict[str, Any]) -> dict[str, Any]: