Skip to content
Gatelet
GitHub

Constraints

Constraints validate input fields before a tool call is forwarded upstream. If any constraint fails, the call is rejected with a descriptive error message — so the agent can self-correct.

How constraints work

Section titled “How constraints work”

Constraints are evaluated in order before the provider executes. If a constraint fails:

  1. The upstream API is never called
  2. The agent receives an error message showing the expected vs actual value
  3. The call is logged in the audit trail as denied
create_event:
  allow: true
  constraints:
    - field: calendarId
      rule: must_equal
      value: "primary"
    - field: summary
      rule: must_not_be_empty

Constraint rules

Section titled “Constraint rules”

must_equal

Section titled “must_equal”

Field must exactly match the given value.

constraints:
  - field: calendarId
    rule: must_equal
    value: "primary"

If the agent tries calendarId: "work", the error reads:

Constraint failed: calendarId must_equal "primary", got "work"

must_be_one_of

Section titled “must_be_one_of”

Field must be one of the values in the given array.

constraints:
  - field: calendarId
    rule: must_be_one_of
    value:
      - "primary"
      - "work"
      - "family"

must_not_be_empty

Section titled “must_not_be_empty”

Field must not be null, undefined, empty string, whitespace-only string, or empty array.

constraints:
  - field: to
    rule: must_not_be_empty
  - field: subject
    rule: must_not_be_empty

This is useful for operations like sending email where certain fields are always required.

must_match

Section titled “must_match”

Field must fully match a regex pattern. The pattern is automatically anchored — ^(?:pattern)$ — so partial matches are rejected. Uses JavaScript regex syntax, case-sensitive.

constraints:
  - field: from
    rule: must_match
    value: ".*\\+agent@.*"

This example restricts the sender to a Gmail alias like user+agent@gmail.com, preventing the agent from sending as the primary address. Note the .* anchors since the pattern must match the entire field value.

Nested fields

Section titled “Nested fields”

Constraints support dot-notation for nested fields:

constraints:
  - field: start.timeZone
    rule: must_equal
    value: "America/New_York"

Multiple constraints

Section titled “Multiple constraints”

Multiple constraints on the same operation are evaluated in order. All must pass for the call to proceed:

create_event:
  allow: true
  constraints:
    - field: calendarId
      rule: must_equal
      value: "primary"
    - field: summary
      rule: must_not_be_empty
    - field: start.timeZone
      rule: must_be_one_of
      value:
        - "America/New_York"
        - "America/Chicago"
        - "America/Los_Angeles"

Examples

Section titled “Examples”

Restrict calendar writes to primary calendar

Section titled “Restrict calendar writes to primary calendar”
create_event:
  allow: true
  constraints:
    - field: calendarId
      rule: must_equal
      value: "primary"


update_event:
  allow: true
  constraints:
    - field: calendarId
      rule: must_equal
      value: "primary"

Require email fields

Section titled “Require email fields”
send:
  allow: true
  constraints:
    - field: to
      rule: must_not_be_empty
    - field: subject
      rule: must_not_be_empty
    - field: body
      rule: must_not_be_empty

Restrict sender to agent alias

Section titled “Restrict sender to agent alias”
send:
  allow: true
  constraints:
    - field: from
      rule: must_match
      value: ".*\\+agent@.*"