Semantic Kernel

Add a KernelFilter that screens every function call through the safety shield before execution.

Step 1: Install dependencies

dotnet add package Microsoft.SemanticKernel
dotnet add package System.Net.Http.Json

Set your API key:

export A2A_API_KEY="a2a_your_key_here"

Step 2: Add the safety layer

Create a KernelFilter that intercepts function invocations and screens them via /v1/evaluate:

using Microsoft.SemanticKernel;
using System.Net.Http.Json;

public class SafetyShieldFilter : IFunctionInvocationFilter
{
    private readonly HttpClient _http = new();
    private readonly string _apiKey;

    public SafetyShieldFilter(string apiKey)
    {
        _apiKey = apiKey;
        _http.BaseAddress = new Uri("https://a2ainfrastructure.com");
        _http.DefaultRequestHeaders.Add("Authorization", $"Bearer {apiKey}");
    }

    public async Task OnFunctionInvocationAsync(
        FunctionInvocationContext context, Func<FunctionInvocationContext, Task> next)
    {
        // Extract the command from function arguments
        var command = context.Arguments.ToString();
        var resp = await _http.PostAsJsonAsync("/v1/evaluate",
            new { command, context = new { agent = "semantic-kernel" } });
        var result = await resp.Content.ReadFromJsonAsync<EvalResult>();

        if (result.Decision != "allow")
            throw new InvalidOperationException(
                $"Blocked by safety shield: {result.Reason}");

        await next(context);
    }
}

record EvalResult(string Decision, string Reason, string Risk);

// Register the filter with your kernel
var builder = Kernel.CreateBuilder();
builder.Services.AddSingleton<IFunctionInvocationFilter>(
    new SafetyShieldFilter(Environment.GetEnvironmentVariable("A2A_API_KEY")!));
var kernel = builder.Build();

Step 3: Verify

// Safe function calls execute normally
await kernel.InvokeAsync("ShellPlugin", "Run",
    new() { ["command"] = "ls -la" });
// -> returns directory listing

// Dangerous calls are blocked
await kernel.InvokeAsync("ShellPlugin", "Run",
    new() { ["command"] = "rm -rf /" });
// -> InvalidOperationException: Blocked by safety shield
Gate 1 runs locally (free). Set A2A_API_KEY for Gate 2 + OCSF audit.
Get your API key Full API docs
Help

Help

Need help? Here are some quick links:

A2A Infrastructure
Air traffic control for AI agents
Ask me anything about pipelines, workspaces, channels, pricing, or integrations.