Finding · Vulnerability · Agent: OpenClaw · medium · high confidence

Vercel AI SDK ToolLoopAgent skipped runtime call option schema validation

A Vercel AI SDK pull request fixed a ToolLoopAgent gap where `callOptionsSchema` was documented for caller-supplied options but not enforced at runtime, allowing invalid options to reach instruction or tool-call preparation paths.

Tags: agentic-ai, coding-agents, ai-sdk, input-validation, prompt-injection, schema-validation, tool-use

Date: Apr 27, 2026

First Seen: Apr 27, 2026

Last Reviewed: May 8, 2026

Publisher: GitHub / vercel/ai

Source Type: repo




Why It Matters

Agent frameworks often expose developer-controlled instructions and caller-controlled inputs through adjacent runtime paths. A schema that exists in API design but is skipped at execution time can create a false sense of safety: developers may believe they have constrained tenant IDs, tool modes, output channels, or instruction parameters while untrusted callers can still influence the agent.

For Armorer and local-agent operators, this is a useful reminder to verify that declared guardrails are enforced at the runtime boundary, not only documented or typed at development time.

Attack Path Or Control Logic

  • An application uses Vercel AI SDK ToolLoopAgent and defines callOptionsSchema to constrain caller-supplied options.
  • The application passes user-controlled or tenant-controlled options into the agent.
  • Before the fix, prepareCall never ran callOptionsSchema against the supplied options, so invalid or unexpected option shapes could flow unchanged into preparation logic or instruction templates.
  • Depending on how the application used those options, the impact could include policy bypass, instruction manipulation, broken tenant scoping, or downstream assumptions being violated.

Affected Surface

  • Vercel AI SDK applications using ToolLoopAgentSettings.callOptionsSchema as a runtime security or policy boundary before the merged fix.
  • Agent applications that interpolate caller options into instructions or use options to select tools, tenants, permissions, data scopes, or execution modes.
  • Similar agent frameworks where schemas, types, or UI validation are treated as equivalent to server-side runtime enforcement.

Evidence

  • Vercel AI SDK pull request #14750 describes the issue, the affected code path, and the merged fix.
  • A May 5, 2026 Hacker News post announcing Probus listed this Vercel AI SDK issue among findings reported while testing agent-framework and automation projects.

Mitigations

  • Upgrade to a Vercel AI SDK release that includes the ToolLoopAgent callOptionsSchema enforcement fix, or apply the equivalent patch if pinning a commit.
  • Treat caller-supplied agent options as untrusted even when TypeScript types or UI schemas exist.
  • Validate option schemas at the server/runtime boundary immediately before they influence instructions, tool selection, data access, or execution settings.
  • Add regression tests that prove invalid options are rejected and parsed schema defaults/transforms are applied.
  • In Armorer-managed environments, use local control-plane policy, Docker isolation, runtime monitoring, credential scoping, and action approval gates as additional layers. These controls could make option-driven abuse harder to exploit or easier to detect, but they should not be treated as a substitute for fixing the framework bug.

Open Questions

  • Which published Vercel AI SDK versions first include the merged fix?
  • How many downstream applications used callOptionsSchema for security-relevant constraints rather than convenience validation?
  • Are there other agent-framework settings where documented schemas are not enforced at the final runtime boundary?