LangGraph

HighflameMiddleware for LangGraph — hooks on before_model, after_model, and wrap_tool_call. Available for Python and TypeScript. Session ID resolved from thread_id automatically.

HighflameMiddleware integrates Highflame Shield into LangGraph agents without modifying individual nodes. It implements the LangGraph AgentMiddleware interface and hooks into every model call and tool execution in the agent loop.

Available for Python and TypeScript.

Installation

pip install 'highflame[langgraph]'

Basic Usage

from highflame import Highflame
from highflame.integrations.langgraph import HighflameMiddleware

client = Highflame(api_key="hf_sk_...")
middleware = HighflameMiddleware(client, mode="enforce")

app = graph.compile(middleware=[middleware])

import { Highflame } from "@highflame/sdk";
import { HighflameMiddleware } from "@highflame/sdk/integrations/langgraph";

const client = new Highflame({ apiKey: "hf_sk_..." });
const middleware = new HighflameMiddleware(client, { mode: "enforce" });

const app = graph.compile({ middleware: [middleware] });

On a policy violation, HighflameMiddleware raises BlockedError before the blocked operation completes.

Constructor

HighflameMiddleware(
    client: Highflame,
    *,
    mode: str = "enforce",
    session_id_key: str | None = None,
)

Parameter

Type

Default

Description

client

Highflame

required

Initialized Highflame client

mode

str

"enforce"

Enforcement mode: "enforce", "monitor", or "alert"

session_id_key

str | None

None

Key to read a session ID from LangGraph state. Falls back to thread_id automatically.

new HighflameMiddleware(client: Highflame, options?: {
  mode?: "enforce" | "monitor" | "alert";
  sessionIdKey?: string;
})

Parameter

Type

Default

Description

client

Highflame

required

Initialized Highflame client

mode

string

"enforce"

Enforcement mode: "enforce", "monitor", or "alert"

sessionIdKey

string | undefined

undefined

Key to read a session ID from LangGraph state. Falls back to thread_id automatically.

Session ID Resolution

The middleware resolves the session ID in this order:

state[session_id_key] (Python) / state[sessionIdKey] (TypeScript) — if set and the key is present in graph state
LangGraph thread_id — read from var_child_runnable_config / AsyncLocalStorage (requires langchain_core >= 0.3)
runtime.thread_id attribute — backward-compatibility fallback
None / undefined — no session tracking

Using LangGraph's thread_id as the session ID is the recommended pattern for multi-turn agents. It requires no additional configuration when thread_id is passed in the run config.

result = await app.ainvoke(
    {"messages": [HumanMessage(content=user_input)]},
    config={"configurable": {"thread_id": "user-123-session-abc"}},
)

Or store the session ID explicitly in graph state:

middleware = HighflameMiddleware(client, session_id_key="session_id")
result = await app.ainvoke({"messages": [...], "session_id": "my-session"})

const result = await app.invoke(
  { messages: [new HumanMessage(userInput)] },
  { configurable: { thread_id: "user-123-session-abc" } },
);

Or store the session ID explicitly in graph state:

const middleware = new HighflameMiddleware(client, { sessionIdKey: "sessionId" });
const result = await app.invoke({ messages: [...], sessionId: "my-session" });

Hooks

HighflameMiddleware registers four hooks in the LangGraph middleware protocol:

`before_model` / `beforeModel`

Runs before the LLM is called. Extracts the last human message from state["messages"] and evaluates it as a prompt.

Content type: "prompt", action: "process_prompt"
On deny: raises BlockedError before the model is invoked

`after_model` / `afterModel`

Runs after the LLM responds. Extracts the last AI message from state["messages"] and evaluates it as a model response.

Content type: "response", action: "process_prompt"
On deny: raises BlockedError before the response is returned

`wrap_tool_call` / `wrapToolCall`

Wraps each tool execution. Evaluates the tool call before execution and the tool result after execution. The tool is never called if the pre-execution check is denied.

Pre-execution: content type "tool_call", action "call_tool"
Post-execution: content type "response", action "call_tool"
On pre-execution deny: raises BlockedError, tool is not called
On post-execution deny: raises BlockedError, result is not returned

`wrap_model_call` / `wrapModelCall`

Pass-through. Model calls are not individually guarded at this layer (prompts and responses are covered by before_model and after_model).

Enforcement Modes

middleware = HighflameMiddleware(client, mode="enforce")  # block violations (default)
middleware = HighflameMiddleware(client, mode="monitor")  # observe without blocking
middleware = HighflameMiddleware(client, mode="alert")    # allow but trigger alerting

new HighflameMiddleware(client, { mode: "enforce" })  // block violations (default)
new HighflameMiddleware(client, { mode: "monitor" })  // observe without blocking
new HighflameMiddleware(client, { mode: "alert" })    // allow but trigger alerting

In monitor and alert mode, BlockedError is never raised. The agent proceeds normally regardless of policy decisions.

Complete Example

from langchain_anthropic import ChatAnthropic
from langgraph.graph import MessagesState, StateGraph, END
from langgraph.prebuilt import ToolNode
from langchain_core.messages import HumanMessage

from highflame import Highflame, BlockedError
from highflame.integrations.langgraph import HighflameMiddleware

client = Highflame(api_key="hf_sk_...")
middleware = HighflameMiddleware(client, mode="enforce")

model = ChatAnthropic(model="claude-sonnet-4-6")

def call_model(state: MessagesState):
    response = model.invoke(state["messages"])
    return {"messages": [response]}

graph = StateGraph(MessagesState)
graph.add_node("agent", call_model)
graph.add_node("tools", ToolNode([shell_tool, web_tool]))
graph.set_entry_point("agent")

app = graph.compile(middleware=[middleware])

try:
    result = await app.ainvoke(
        {"messages": [HumanMessage(content=user_input)]},
        config={"configurable": {"thread_id": session_id}},
    )
except BlockedError as e:
    return {"error": f"Request blocked: {e.response.policy_reason}"}

import { ChatAnthropic } from "@langchain/anthropic";
import { MessagesAnnotation, StateGraph, END } from "@langchain/langgraph";
import { ToolNode } from "@langchain/langgraph/prebuilt";
import { HumanMessage } from "@langchain/core/messages";

import { Highflame, BlockedError } from "@highflame/sdk";
import { HighflameMiddleware } from "@highflame/sdk/integrations/langgraph";

const client = new Highflame({ apiKey: "hf_sk_..." });
const middleware = new HighflameMiddleware(client, { mode: "enforce" });

const model = new ChatAnthropic({ model: "claude-sonnet-4-6" });

const graph = new StateGraph(MessagesAnnotation)
  .addNode("agent", async (state) => ({
    messages: [await model.invoke(state.messages)],
  }))
  .addNode("tools", new ToolNode([shellTool, webTool]))
  .addEdge("__start__", "agent");

const app = graph.compile({ middleware: [middleware] });

try {
  const result = await app.invoke(
    { messages: [new HumanMessage(userInput)] },
    { configurable: { thread_id: sessionId } },
  );
} catch (e) {
  if (e instanceof BlockedError) {
    return { error: `Request blocked: ${e.response.policy_reason}` };
  }
  throw e;
}

Error Handling

from highflame import BlockedError

try:
    result = await app.ainvoke({"messages": [HumanMessage(content=user_input)]})
except BlockedError as e:
    print(f"Blocked: {e.response.policy_reason}")
    print(f"Decision: {e.response.decision}")
    print(f"Signals: {e.response.signals}")

import { BlockedError } from "@highflame/sdk";

try {
  const result = await app.invoke({ messages: [new HumanMessage(userInput)] });
} catch (e) {
  if (e instanceof BlockedError) {
    console.log(`Blocked: ${e.response.policy_reason}`);
    console.log(`Decision: ${e.response.decision}`);
    console.log(`Signals: ${e.response.signals}`);
  }
}

Requirements

Package

Minimum Version

langchain

1.2+

langchain_core

1.2+

langgraph

1.2+

highflame

latest

PreviousAgent Frameworks NextCrewAI

Last updated 1 month ago

Good evening

Installation

Basic Usage

Constructor

Session ID Resolution

Hooks

before_model / beforeModel

after_model / afterModel

wrap_tool_call / wrapToolCall

wrap_model_call / wrapModelCall

Enforcement Modes

Complete Example

Error Handling

Requirements

`before_model` / `beforeModel`

`after_model` / `afterModel`

`wrap_tool_call` / `wrapToolCall`

`wrap_model_call` / `wrapModelCall`