LangGraph Integration

Route LangGraph nodes through pyhall governance. Before a node executes a capability, ask Hall Server whether that capability is allowed for the current tenant and environment. If denied, the node raises before any work runs.

Install

pip install pyhall-wcp langchain-core langgraph

Then start Hall Server:

pyhall hall start

Authentication

POST /api/route requires a session token from Hall Monitor. After logging into Hall Monitor, export your session token from the desktop app settings and set it in your environment: export HALL_SESSION_TOKEN=<token>

Integration Pattern

import os, requests

HALL_URL = "http://localhost:8765"
HALL_TOKEN = os.environ.get("HALL_SESSION_TOKEN", "")

def hall_route(capability_id: str, tenant_id: str = "your-org", **kwargs) -> dict:
    """Route a capability request through Hall Server governance."""
    resp = requests.post(f"{HALL_URL}/api/route",
        headers={"Authorization": f"Bearer {HALL_TOKEN}"},
        json={
            "capability_id": capability_id,
            "env": "dev",
            "data_label": "PUBLIC",
            "tenant_id": tenant_id,
            **kwargs,
        })
    resp.raise_for_status()
    return resp.json()

# In your LangGraph node:
def governed_node(state):
    decision = hall_route("cap.doc.summarize", tenant_id="org.acme")
    if not decision.get("allowed"):
        raise PermissionError(f"Hall denied: {decision.get('deny_reason', 'policy violation')}")
    # proceed with node logic
    ...

The allowed Field

Every response from /api/route includes:

• allowed — true if the capability is permitted under current policy, false if blocked
• deny_reason — human-readable reason when allowed is false (e.g., "risk_tier_exceeded", "capability_not_enrolled")
• decision_id — UUID for audit trail correlation
• worker_id — the enrolled worker assigned to this capability

Always check allowed before proceeding. Never assume true on network error — fail closed.

Reference

• Hall API reference →
• Integrations overview →