Agent Guardrails and Controls: Applying the CORS Model to Agents

[shellz-n-stuff]

Location for comments and discussion relating to the Agent Guardrails and Controls blog post

[uchibeke]

Great discussion thread. The framing here — applying the CORS model to agents — maps directly to something we've been working on, and I think it's worth surfacing.

Block's January 2026 engineering blog post ("Agent Guardrails and Controls: Applying the CORS Model to Agents") documented the gap precisely: there's no automated, consistent approach to limit what a poisoned-prompt tool call can actually do. The CORS POC described in that post never shipped as a production solution.

We built the thing that post was describing.

APort Agent Guardrails is a before_tool_call hook-based authorization layer. Every tool invocation is checked against a YAML policy before execution — the model cannot skip it because it runs at the platform level, not in the prompt layer. A prompt injection can't instruct the agent to "ignore the guardrail step" the way it can with prompt-layer instructions.

The underlying specification — the Open Agent Protocol (OAP) — is DOI-archived at doi.org/10.5281/zenodo.18901596. It's an open standard (not a proprietary format), which means goose integrations, LangChain integrations, and others can all implement the same interoperable spec.

A few things that might be relevant to the goose team:

• before_tool_call hook integration is exactly the pattern: intercept before execution, evaluate policy, allow/deny/audit
• Local-first: no sidecar process required in local mode — YAML policy + hook, zero infrastructure overhead
• OAP passports: agents carry a signed capability manifest declaring what they're authorized to do, not just rules applied at the proxy layer
• Public CTF results: 1,149 social-engineering attempts against the guardrail, 0 bypasses — the only agent guardrail with published adversarial proof-of-security

We'd be glad to submit a PR adding a goose integration extension. If there's an existing extensibility interface for pre-call hooks in goose, we'd build to that. Happy to discuss the implementation approach here or in a PR.

Repo: https://github.com/aporthq/aport-agent-guardrails
Spec: https://github.com/aporthq/aport-spec
DOI: https://doi.org/10.5281/zenodo.18901596