PluginBench
Skill
Official
Pass
Audit score 90

langchain-middleware

langchain-ai/langchain-skills

Human-in-the-loop approval and custom middleware for LangChain agents with structured output support.

What is langchain-middleware?

Middleware patterns for production LangChain agents that pause execution for human approval before dangerous tool calls, intercept and customize tool behavior with hooks, and support structured output via Pydantic/Zod. Use this when you need approval workflows, error handling, retry logic, or tool call validation.

  • Pause agent execution before dangerous tool calls with HumanInTheLoopMiddleware for human approval
  • Resume execution after human decisions (approve, edit tool arguments, or reject with feedback)
  • Intercept tool calls with wrap hooks for retry logic, error handling, and tool-specific guards
  • Configure per-tool HITL policies with different allowed decisions based on risk level
  • Use before/after hooks to inspect and modify agent state at key execution points
  • Support Command resume patterns to continue workflows after human intervention

How to install langchain-middleware

npx skills add https://github.com/langchain-ai/langchain-skills --skill langchain-middleware
Prerequisites
  • Checkpointer (e.g., MemorySaver) configured for state persistence
  • thread_id in config for all human-in-the-loop workflows
  • LangChain and LangGraph installed
Claude Code
Cursor
Windsurf
Cline

How to use langchain-middleware

  1. 1.Create an agent with create_agent() and pass a checkpointer (MemorySaver)
  2. 2.Add HumanInTheLoopMiddleware with interrupt_on config specifying which tools require approval
  3. 3.Run agent.invoke() with a config containing thread_id to enable checkpointing
  4. 4.Detect interrupts by checking for __interrupt__ in the result
  5. 5.Resume execution by calling agent.invoke() with Command(resume={decisions: [...]}) containing approve, edit, or reject decisions
  6. 6.For custom middleware, use @wrap_tool_call or @before_model/@after_model decorators to intercept execution

Use cases

Good for
  • Require approval before sending emails or deleting data in production agents
  • Implement retry logic and error handling for unreliable tool calls
  • Edit tool arguments mid-execution when the agent's initial values need correction
  • Apply different approval policies to different tools based on risk (e.g., read-only vs. destructive)
  • Log and monitor all tool calls with before/after middleware hooks
Who it's for
  • Backend engineers building production LangChain agents
  • Teams requiring audit trails and approval workflows for agent actions
  • Developers implementing safety guardrails for multi-tool agents
  • Anyone needing custom tool call interception and validation logic

langchain-middleware FAQ

What is the difference between HumanInTheLoopMiddleware and custom middleware?

HumanInTheLoopMiddleware specifically pauses execution and waits for human decisions (approve/edit/reject) on specific tools. Custom middleware hooks (wrap_tool_call, before_model, etc.) intercept execution for logging, retry logic, validation, or short-circuiting without necessarily pausing for human input.

Do I need a checkpointer for HITL to work?

Yes. A checkpointer (e.g., MemorySaver) is required for all human-in-the-loop workflows to persist agent state across interrupts and resumptions.

Can I edit tool arguments after the agent proposes them?

Yes. Use the 'edit' decision type in Command(resume={...}) with edited_action containing the corrected tool name and args. The agent will execute the edited version.

Can I apply different approval policies to different tools?

Yes. Configure interrupt_on as a dict mapping tool names to their policies. You can set False to skip HITL for a tool, or specify allowed_decisions per tool (e.g., no 'edit' for destructive operations).

What happens if I use yield in a wrap_tool_call hook?

Do not use yield in wrap hooks—it creates a generator and causes NotImplementedError. Use regular return statements instead.

Full instructions (SKILL.md)

Source of truth, from langchain-ai/langchain-skills.


name: langchain-middleware description: "INVOKE THIS SKILL when you need human-in-the-loop approval, custom middleware, or structured output. Covers HumanInTheLoopMiddleware for human approval of dangerous tool calls, creating custom middleware with hooks, Command resume patterns, and structured output with Pydantic/Zod."

<overview> Middleware patterns for production LangChain agents:
  • HumanInTheLoopMiddleware / humanInTheLoopMiddleware: Pause before dangerous tool calls for human approval
  • Custom middleware: Intercept tool calls for error handling, logging, retry logic
  • Command resume: Continue execution after human decisions (approve, edit, reject)

Requirements: Checkpointer + thread_id config for all HITL workflows. </overview>


Human-in-the-Loop

<ex-basic-hitl-setup> <python> Set up an agent with HITL middleware that pauses before sending emails for approval.
from langchain.agents import create_agent
from langchain.agents.middleware import HumanInTheLoopMiddleware
from langgraph.checkpoint.memory import MemorySaver
from langchain.tools import tool

@tool
def send_email(to: str, subject: str, body: str) -> str:
    """Send an email."""
    return f"Email sent to {to}"

agent = create_agent(
    model="gpt-4.1",
    tools=[send_email],
    checkpointer=MemorySaver(),  # Required for HITL
    middleware=[
        HumanInTheLoopMiddleware(
            interrupt_on={
                "send_email": {"allowed_decisions": ["approve", "edit", "reject"]},
            }
        )
    ],
)
</python> <typescript> Set up an agent with HITL that pauses before sending emails for human approval.
import { createAgent, humanInTheLoopMiddleware } from "langchain";
import { MemorySaver } from "@langchain/langgraph";
import { tool } from "@langchain/core/tools";
import { z } from "zod";

const sendEmail = tool(
  async ({ to, subject, body }) => `Email sent to ${to}`,
  {
    name: "send_email",
    description: "Send an email",
    schema: z.object({ to: z.string(), subject: z.string(), body: z.string() }),
  }
);

const agent = createAgent({
  model: "anthropic:claude-sonnet-4-5",
  tools: [sendEmail],
  checkpointer: new MemorySaver(),
  middleware: [
    humanInTheLoopMiddleware({
      interruptOn: { send_email: { allowedDecisions: ["approve", "edit", "reject"] } },
    }),
  ],
});
</typescript> </ex-basic-hitl-setup> <ex-running-with-interrupts> <python> Run the agent, detect an interrupt, then resume execution after human approval.
from langgraph.types import Command

config = {"configurable": {"thread_id": "session-1"}}

# Step 1: Agent runs until it needs to call tool
result1 = agent.invoke({
    "messages": [{"role": "user", "content": "Send email to john@example.com"}]
}, config=config)

# Check for interrupt
if "__interrupt__" in result1:
    print(f"Waiting for approval: {result1['__interrupt__']}")

# Step 2: Human approves
result2 = agent.invoke(
    Command(resume={"decisions": [{"type": "approve"}]}),
    config=config
)
</python> <typescript> Run the agent, detect an interrupt, then resume execution after human approval.
import { Command } from "@langchain/langgraph";

const config = { configurable: { thread_id: "session-1" } };

// Step 1: Agent runs until it needs to call tool
const result1 = await agent.invoke({
  messages: [{ role: "user", content: "Send email to john@example.com" }]
}, config);

// Check for interrupt
if (result1.__interrupt__) {
  console.log(`Waiting for approval: ${result1.__interrupt__}`);
}

// Step 2: Human approves
const result2 = await agent.invoke(
  new Command({ resume: { decisions: [{ type: "approve" }] } }),
  config
);
</typescript> </ex-running-with-interrupts> <ex-editing-tool-arguments> <python> Edit the tool arguments before approving when the original values need correction.
# Human edits the arguments — edited_action must include name + args
result2 = agent.invoke(
    Command(resume={
        "decisions": [{
            "type": "edit",
            "edited_action": {
                "name": "send_email",
                "args": {
                    "to": "alice@company.com",  # Fixed email
                    "subject": "Project Meeting - Updated",
                    "body": "...",
                },
            },
        }]
    }),
    config=config
)
</python> <typescript> Edit the tool arguments before approving when the original values need correction.
// Human edits the arguments — editedAction must include name + args
const result2 = await agent.invoke(
  new Command({
    resume: {
      decisions: [{
        type: "edit",
        editedAction: {
          name: "send_email",
          args: {
            to: "alice@company.com",  // Fixed email
            subject: "Project Meeting - Updated",
            body: "...",
          },
        },
      }]
    }
  }),
  config
);
</typescript> </ex-editing-tool-arguments> <ex-rejecting-with-feedback> <python> Reject a tool call and provide feedback explaining why it was rejected.
# Human rejects
result2 = agent.invoke(
    Command(resume={
        "decisions": [{
            "type": "reject",
            "feedback": "Cannot delete customer data without manager approval",
        }]
    }),
    config=config
)
</python> </ex-rejecting-with-feedback> <ex-multiple-tools-different-policies> <python> Configure different HITL policies for each tool based on risk level.
agent = create_agent(
    model="gpt-4.1",
    tools=[send_email, read_email, delete_email],
    checkpointer=MemorySaver(),
    middleware=[
        HumanInTheLoopMiddleware(
            interrupt_on={
                "send_email": {"allowed_decisions": ["approve", "edit", "reject"]},
                "delete_email": {"allowed_decisions": ["approve", "reject"]},  # No edit
                "read_email": False,  # No HITL for reading
            }
        )
    ],
)
</python> </ex-multiple-tools-different-policies> <boundaries> ### What You CAN Configure
  • Which tools require approval (per-tool policies)
  • Allowed decisions per tool (approve, edit, reject)
  • Custom middleware hooks: before_model, after_model, wrap_tool_call, before_agent, after_agent
  • Tool-specific middleware (apply only to certain tools) </boundaries>

Custom Middleware Hooks

Six decorator hooks are available. Two patterns:

  • Wrap hooks (wrap_tool_call, wrap_model_call): (request, handler) — call handler(request) to proceed, or return early to short-circuit.
  • Before/after hooks (before_model, after_model, before_agent, after_agent): (state, runtime) — inspect or modify state. Return None or a dict of state updates.
<ex-wrap-tool-call> <python> `@wrap_tool_call` intercepts tool execution. **Do NOT use `yield`** — it creates a generator and causes `NotImplementedError`.
from langchain.agents.middleware import wrap_tool_call

@wrap_tool_call
def retry_middleware(request, handler):
    for attempt in range(3):
        try:
            return handler(request)
        except Exception:
            if attempt == 2:
                raise

@wrap_tool_call
def guard_middleware(request, handler):
    if request.tool_call["name"] == "dangerous_tool":
        return "This tool is disabled"  # short-circuit
    return handler(request)
</python> <typescript> `createMiddleware({ wrapToolCall })` intercepts tool execution.
import { createMiddleware } from "langchain";

const retryMiddleware = createMiddleware({
  wrapToolCall: async (request, handler) => {
    for (let attempt = 0; attempt < 3; attempt++) {
      try { return await handler(request); }
      catch (e) { if (attempt === 2) throw e; }
    }
  },
});
</typescript> </ex-wrap-tool-call> <ex-before-after-hooks> <python> `before_model` / `after_model` / `before_agent` / `after_agent` all share `(state, runtime)` signature.
from langchain.agents.middleware import before_model, after_model

@before_model
def log_calls(state, runtime):
    print(f"Calling model with {len(state['messages'])} messages")

@after_model
def check_output(state, runtime):
    print(f"Model responded")
</python> <typescript> All before/after hooks share the same `(state, runtime)` signature via `createMiddleware`.
import { createMiddleware } from "langchain";

const loggingMiddleware = createMiddleware({
  beforeModel: (state, runtime) => {
    console.log(`Calling model with ${state.messages.length} messages`);
  },
  afterModel: (state, runtime) => {
    console.log("Model responded");
  },
});
</typescript> </ex-before-after-hooks> <boundaries> ### What You CANNOT Configure
  • Interrupt after tool execution (must be before)
  • Skip checkpointer requirement for HITL </boundaries>
<fix-missing-checkpointer> <python> HITL middleware requires a checkpointer to persist state.
# WRONG
agent = create_agent(model="gpt-4.1", tools=[send_email], middleware=[HumanInTheLoopMiddleware({...})])

# CORRECT
agent = create_agent(
    model="gpt-4.1", tools=[send_email],
    checkpointer=MemorySaver(),  # Required
    middleware=[HumanInTheLoopMiddleware({...})]
)
</python> <typescript> HITL requires a checkpointer to persist state.
// WRONG: No checkpointer
const agent = createAgent({
  model: "anthropic:claude-sonnet-4-5", tools: [sendEmail],
  middleware: [humanInTheLoopMiddleware({ interruptOn: { send_email: true } })],
});

// CORRECT: Add checkpointer
const agent = createAgent({
  model: "anthropic:claude-sonnet-4-5", tools: [sendEmail],
  checkpointer: new MemorySaver(),
  middleware: [humanInTheLoopMiddleware({ interruptOn: { send_email: true } })],
});
</typescript> </fix-missing-checkpointer> <fix-no-thread-id> <python> Always provide thread_id when using HITL to track conversation state.
# WRONG
agent.invoke(input)  # No config!

# CORRECT
agent.invoke(input, config={"configurable": {"thread_id": "user-123"}})
</python> </fix-no-thread-id> <fix-wrong-resume-syntax> <python> Use Command class to resume execution after an interrupt.
# WRONG
agent.invoke({"resume": {"decisions": [...]}})

# CORRECT
from langgraph.types import Command
agent.invoke(Command(resume={"decisions": [{"type": "approve"}]}), config=config)
</python> <typescript> Use Command class to resume execution after an interrupt.
// WRONG
await agent.invoke({ resume: { decisions: [...] } });

// CORRECT
import { Command } from "@langchain/langgraph";
await agent.invoke(new Command({ resume: { decisions: [{ type: "approve" }] } }), config);
</typescript> </fix-wrong-resume-syntax>