source · repo · Agent: OpenClaw

Vercel AI SDK PR #14750: enforce callOptionsSchema at runtime in ToolLoopAgent

GitHub pull request #14750 in `vercel/ai` fixes a runtime validation gap in `ToolLoopAgent`. The PR states that `ToolLoopAgentSettings.callOptionsSchema` was declared and documented as a runtime schema for caller-supplied `options`, but `ToolLoopAgent.prepareCall` did not invoke it.

agentic-ai, ai-sdk, input-validation, schema-validation, tool-use

Date: Apr 27, 2026

First Seen: Apr 27, 2026

Last Reviewed: May 8, 2026

Publisher: GitHub / vercel/ai

Source Type: repo


Source Summary

What It Contains

GitHub pull request #14750 in `vercel/ai` fixes a runtime validation gap in `ToolLoopAgent`. The PR states that `ToolLoopAgentSettings.callOptionsSchema` was declared and documented as a runtime schema for caller-supplied `options`, but `ToolLoopAgent.prepareCall` did not invoke it.

Extracted Claims

  • `callOptionsSchema` was intended to constrain caller-supplied `options` at runtime.
  • Before the fix, unchecked `options` could flow into `prepareCall` and any instruction template that interpolated those options.
  • The merged change validates `options` with `safeValidateTypes`, throws `InvalidArgumentError` on validation failure, and replaces caller `options` with the parsed validated value on success.
  • The author characterized the issue as medium severity in the PR background.
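
The gap and the fix described in the claims above, as an added TypeScript sketch that is not the AI SDK's code or the PR's diff. `OptionsSchema`, `SketchAgent`, `enforcesSchema`, the `userName` option and the sample input are hypothetical stand-ins; a plain `Error` stands in for `InvalidArgumentError`, and the hand-written validator stands in for `safeValidateTypes`.

```typescript
// Stand-in model of the pattern, not AI SDK code. OptionsSchema, SketchAgent
// and the sample options are hypothetical and constructed for this example.
type Validation<T> = { status: "ok"; value: T } | { status: "invalid"; error: string };
interface OptionsSchema<T> { validate(input: unknown): Validation<T> }
interface CallOptions { userName: string }

// Declared constraint: userName is 1-32 letters, digits or spaces.
const callOptionsSchema: OptionsSchema<CallOptions> = {
  validate(input: unknown): Validation<CallOptions> {
    const name = typeof input === "object" && input !== null
      ? (input as Record<string, unknown>).userName : undefined;
    if (typeof name !== "string" || !/^[A-Za-z0-9 ]{1,32}$/.test(name)) {
      return { status: "invalid", error: "userName must match [A-Za-z0-9 ]{1,32}" };
    }
    return { status: "ok", value: { userName: name } }; // parsed copy drops unknown keys
  },
};

class SketchAgent {
  private schema: OptionsSchema<CallOptions>;
  private enforce: boolean;
  constructor(schema: OptionsSchema<CallOptions>, enforce: boolean) {
    this.schema = schema;
    this.enforce = enforce;
  }
  // Returns the options that will reach the instruction template.
  prepareCall(options: unknown): CallOptions {
    if (!this.enforce) return options as CallOptions; // declared type only, no runtime check
    const result = this.schema.validate(options);
    if (result.status === "invalid") {
      throw new Error(`Invalid argument for options: ${result.error}`);
    }
    return result.value; // validated copy replaces the caller's object
  }
  instructions(options: unknown): string {
    return `You are assisting ${this.prepareCall(options).userName}.`;
  }
}

// Probe: is a schema-violating call rejected, or does it reach the template?
function enforcesSchema(agent: SketchAgent, candidate: unknown): boolean {
  try { agent.instructions(candidate); } catch { return true; }
  return false;
}

// Constructed options that violate the schema (embedded newline, extra key).
const badOptions = { userName: "Ann\nsecond line", debug: true };
const declaredOnly = new SketchAgent(callOptionsSchema, false);
const enforced = new SketchAgent(callOptionsSchema, true);
```

The same probe can serve as a regression test: feed an agent options its declared schema forbids and fail the build if the call is accepted.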

Evidence Quality

Primary repository evidence from the upstream project pull request. The PR is strong evidence that the code path existed and was fixed. Deployment impact depends on which applications used the affected setting and which package versions they ran.

Follow-Up

  • Identify the first package release containing the fix.
  • Watch for advisories, changelog entries, or downstream application reports that clarify exploitability and remediation status.
  • Use this as a test case for Armorer checks that distinguish declared schemas from runtime-enforced guardrails.