fix(guardrails): publish input_payload at POST on decorator escalation path [AL-289]

The decorator adapter's _run_action published only scope/stage/component, so a
POST escalation left EscalateAction's Inputs empty — the reviewer saw the flagged
output but not the original input (unlike the middleware path). Publish
input_payload at the tool/LLM/agent POST sites so Inputs carries the original
input alongside Outputs. Align the decorator test/docs to the Inputs/Outputs and
ReviewedOutputs naming the middleware path already uses.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: apetraru-uipath

docs/guardrails.md

@@ -446,7 +446,7 @@ def create_my_agent():
 agent = create_my_agent()
 ```
 
-On resume: **Approve** continues (substituting `ReviewedInputs` if the reviewer edited the input, otherwise keeping the original); **Reject** raises `GuardrailBlockException` and terminates the run. The `app_name` / `app_folder_path` / `assignee` / `recipient` / `title` parameters and the auto-derived payload fields behave identically to the [middleware escalation action](#escalation-action-human-in-the-loop) above — refer to it for the full parameter list.
+On resume: **Approve** continues, substituting the reviewer's edit if any — read from `ReviewedInputs` for a PRE (input) escalation and `ReviewedOutputs` for a POST (output) one, otherwise keeping the original; **Reject** raises `GuardrailBlockException` and terminates the run. The `app_name` / `app_folder_path` / `assignee` / `recipient` / `title` parameters and the auto-derived payload fields behave identically to the [middleware escalation action](#escalation-action-human-in-the-loop) above — refer to it for the full parameter list.
 
 > 💡 **Scope inference for the payload context.** `Component` / `ExecutionStage` are derived automatically for the adapter-handled LangChain targets — `@tool`, `BaseChatModel` factories, and `create_agent()` factories. On a plain LangGraph node or plain Python function (handled by the core `@guardrail`, which doesn't publish the LangChain runtime context) the escalation still suspends, but those two fields are not populated.
 

src/uipath_langchain/guardrails/_langchain_adapter.py

@@ -10,6 +10,7 @@
 The adapter is auto-registered when ``uipath_langchain.guardrails`` is imported.
 """
 
+import json
 import logging
 from functools import wraps
 from typing import Any
@@ -72,20 +73,28 @@ def _run_action(
     scope: GuardrailScope | None,
     stage: GuardrailExecutionStage | None,
     component: str | None,
+    input_payload: str | None = None,
 ) -> str | dict[str, Any] | None:
     """Run a guardrail action with its runtime context published.
 
-    Publishes the guardrail context (scope / stage / component) on a
-    ``ContextVar`` for the duration of the action call, so context-aware actions
-    (e.g. ``EscalateAction``) can read it at runtime instead of requiring it to
-    be hardcoded. Mirrors the middleware path's publishing in ``_base.py``.
+    Publishes the guardrail context (scope / stage / component / input_payload)
+    on a ``ContextVar`` for the duration of the action call, so context-aware
+    actions (e.g. ``EscalateAction``) can read it at runtime instead of requiring
+    it to be hardcoded. ``input_payload`` carries the original input at POST so
+    the action can show both input and output. Mirrors the middleware path's
+    publishing in ``_base.py``.
 
     A :class:`GuardrailBlockException` is converted to an ``AgentRuntimeError``.
     Any other exception — notably LangGraph's ``GraphInterrupt`` raised by an
     escalation action — propagates unchanged so the run can suspend.
     """
     token = _action_context.set(
-        GuardrailActionContext(scope=scope, execution_stage=stage, component=component)
+        GuardrailActionContext(
+            scope=scope,
+            execution_stage=stage,
+            component=component,
+            input_payload=input_payload,
+        )
     )
     try:
         return action.handle_validation_result(result, data, name)
@@ -130,6 +139,23 @@ def _extract_message_text(msg: BaseMessage) -> str:
     return ""
 
 
+def _input_payload_from_messages(
+    messages: list[BaseMessage] | None,
+) -> str | None:
+    """JSON-encode the last HumanMessage's text as the original-input payload.
+
+    Used at POST so the escalation action can show the original input alongside
+    the flagged output. Returns ``None`` when there is no usable human input.
+    """
+    if not messages:
+        return None
+    msg = _get_last_human_message(messages)
+    if msg is None:
+        return None
+    text = _extract_message_text(msg)
+    return json.dumps(text) if text else None
+
+
 def _apply_message_text_modification(msg: BaseMessage, modified: str) -> None:
     """Apply a modified text string back to a message in-place."""
     if isinstance(msg.content, str):
@@ -238,6 +264,7 @@ def _apply_post(tool_input: Any, raw_result: Any) -> Any:
                 scope=GuardrailScope.TOOL,
                 stage=GuardrailExecutionStage.POST,
                 component=tool.name,
+                input_payload=json.dumps(input_data),
             )
         if modified is not None:
             if isinstance(raw_result, (ToolMessage, Command)):
@@ -315,6 +342,7 @@ def _apply_llm_post(
     evaluator: _EvaluatorFn,
     action: GuardrailAction,
     name: str,
+    input_messages: list[BaseMessage] | None = None,
 ) -> None:
     """Evaluate the AIMessage content in-place (POST stage, LLM scope)."""
     if not isinstance(response.content, str) or not response.content:
@@ -333,6 +361,7 @@ def _apply_llm_post(
             scope=GuardrailScope.LLM,
             stage=GuardrailExecutionStage.POST,
             component=component_label(GuardrailScope.LLM),
+            input_payload=_input_payload_from_messages(input_messages),
         )
     if isinstance(modified, str) and modified != response.content:
         response.content = modified
@@ -361,7 +390,13 @@ def invoke(self, messages: Any, config: Any = None, **kwargs: Any) -> Any:
                 GuardrailExecutionStage.POST,
                 GuardrailExecutionStage.PRE_AND_POST,
             ):
-                _apply_llm_post(response, evaluator, action, name)
+                _apply_llm_post(
+                    response,
+                    evaluator,
+                    action,
+                    name,
+                    input_messages=messages if isinstance(messages, list) else None,
+                )
             return response
 
         async def ainvoke(
@@ -377,7 +412,13 @@ async def ainvoke(
                 GuardrailExecutionStage.POST,
                 GuardrailExecutionStage.PRE_AND_POST,
             ):
-                _apply_llm_post(response, evaluator, action, name)
+                _apply_llm_post(
+                    response,
+                    evaluator,
+                    action,
+                    name,
+                    input_messages=messages if isinstance(messages, list) else None,
+                )
             return response
 
     llm.__class__ = _GuardedLLM
@@ -458,6 +499,7 @@ def _apply_agent_output_guardrail(
             scope=GuardrailScope.AGENT,
             stage=GuardrailExecutionStage.POST,
             component=component_label(GuardrailScope.AGENT),
+            input_payload=_input_payload_from_messages(messages),
         )
     if isinstance(modified, str) and modified != text:
         _apply_message_text_modification(msg, modified)

tests/cli/test_guardrails_in_langgraph.py

@@ -878,7 +878,7 @@ class TestDecoratorEscalation:
     The adapter fires interrupt() before the guarded agent's real invoke, so — like
     the joke-agent-decorator sample — the guarded agent is embedded in an outer
     graph node, which gives interrupt() the graph/checkpoint context it needs.
-    Payload (Component/ExecutionStage/ToolInputs) matches TestMiddlewareEscalation.
+    Payload (Component/ExecutionStage/Inputs) matches TestMiddlewareEscalation.
     """
 
     @pytest.fixture(autouse=True)
@@ -948,7 +948,7 @@ async def test_escalation_suspends_with_context_derived_payload(self) -> None:
         # adapter publishes — identical to the middleware flavor.
         assert cre.data["Component"] == "Agent"
         assert cre.data["ExecutionStage"] == "PreExecution"
-        assert cre.data["ToolInputs"] == json.dumps("joke about a@b.com")
+        assert cre.data["Inputs"] == json.dumps("joke about a@b.com")
         assert cre.data["GuardrailName"] == "PII escalation guardrail"
 
     @pytest.mark.asyncio

tests/guardrails/test_adapter_context_publishing.py

@@ -12,6 +12,7 @@
 tests guard that too.
 """
 
+import json
 from typing import Any
 
 import pytest
@@ -94,6 +95,7 @@ def test_pre_publishes_tool_pre_context_with_tool_name(self) -> None:
         assert action.seen.scope == GuardrailScope.TOOL
         assert action.seen.execution_stage == GuardrailExecutionStage.PRE
         assert action.seen.component == "my_tool"
+        assert action.seen.input_payload is None  # no separate input at PRE
 
     def test_post_publishes_tool_post_context(self) -> None:
         action = _RecordingAction()
@@ -105,6 +107,8 @@ def test_post_publishes_tool_post_context(self) -> None:
         assert action.seen.scope == GuardrailScope.TOOL
         assert action.seen.execution_stage == GuardrailExecutionStage.POST
         assert action.seen.component == "my_tool"
+        # POST carries the original tool input so the action shows both sides.
+        assert action.seen.input_payload == json.dumps({"text": "a@b.com"})
 
     def test_context_reset_after_invoke(self) -> None:
         action = _RecordingAction()
@@ -136,14 +140,23 @@ def test_pre_publishes_llm_pre_context(self) -> None:
         assert action.seen.scope == GuardrailScope.LLM
         assert action.seen.execution_stage == GuardrailExecutionStage.PRE
         assert action.seen.component == "LLM call"
+        assert action.seen.input_payload is None  # no separate input at PRE
 
     def test_post_publishes_llm_post_context(self) -> None:
         action = _RecordingAction()
-        _apply_llm_post(AIMessage(content="answer a@b.com"), _fail_eval, action, "g")
+        _apply_llm_post(
+            AIMessage(content="answer a@b.com"),
+            _fail_eval,
+            action,
+            "g",
+            input_messages=[HumanMessage(content="hi a@b.com")],
+        )
         assert action.seen is not None
         assert action.seen.scope == GuardrailScope.LLM
         assert action.seen.execution_stage == GuardrailExecutionStage.POST
         assert action.seen.component == "LLM call"
+        # POST carries the original human input so the action shows both sides.
+        assert action.seen.input_payload == json.dumps("hi a@b.com")
 
     def test_context_reset_after_call(self) -> None:
         action = _RecordingAction()
@@ -179,11 +192,17 @@ def test_input_publishes_agent_pre_context(self) -> None:
         assert action.seen.scope == GuardrailScope.AGENT
         assert action.seen.execution_stage == GuardrailExecutionStage.PRE
         assert action.seen.component == "Agent"
+        assert action.seen.input_payload is None  # no separate input at PRE
 
     def test_output_publishes_agent_post_context(self) -> None:
         action = _RecordingAction()
         _apply_agent_output_guardrail(
-            {"messages": [AIMessage(content="answer a@b.com")]},
+            {
+                "messages": [
+                    HumanMessage(content="hi a@b.com"),
+                    AIMessage(content="answer a@b.com"),
+                ]
+            },
             _fail_eval,
             action,
             "g",
@@ -192,6 +211,8 @@ def test_output_publishes_agent_post_context(self) -> None:
         assert action.seen.scope == GuardrailScope.AGENT
         assert action.seen.execution_stage == GuardrailExecutionStage.POST
         assert action.seen.component == "Agent"
+        # POST carries the original human input (from the output messages).
+        assert action.seen.input_payload == json.dumps("hi a@b.com")
 
     def test_context_reset_after_call(self) -> None:
         action = _RecordingAction()