Per-agent tool set
Build agents with a role-scoped tool list. Admin agent gets delete-user; user agent doesn't.
Advertisement
Runtime check on invocation
@Override
protected void beforeToolCall(String name, Map args, AgentContext ctx) {
var user = ctx.getAttribute("currentUser", User.class);
if (!authz.canUse(user, name)) {
throw new AuthorizationDeniedException(name);
}
} Advertisement
Fail with a clear message
Model receives 'you don't have permission for X, try Y instead'. Model can suggest alternatives.