langchain - 💡(How to fix) Fix Proposal: Agent Threat Rules detection middleware for LangChain v1 [1 pull requests]

I would like to propose adding ATRThreatDetectionMiddleware to libs/langchain_v1/langchain/agents/middleware as a sibling of the existing PIIMiddleware. The middleware would scan user messages and tool result messages before each model invocation for known agent-attack patterns and either block (raise an error) or flag (annotate the message in additional_kwargs).

Patterns are inspired by Agent Threat Rules at https://github.com/Agent-Threat-Rule/agent-threat-rules, an Apache-2.0 detection catalog covering nine attack categories for LLM agents. The catalog is shipped in production at Cisco AI Defense skill-scanner and Microsoft agent-governance-toolkit PolicyEvaluator. The proposed built-in rule set in the middleware is small and high precision: prompt injection override directives, system prompt extraction, indirect injection markers in tool output, AWS access key id and OpenAI-style key shapes, shell command injection (rm -rf and curl-pipe-sh), and the AWS metadata SSRF endpoint. Users who want the full catalog can supply their own rule loader through the rules constructor argument.

The shape mirrors PIIMiddleware exactly: same AgentMiddleware subclass, same before_model and abefore_model hooks, same can_jump_to=['end'] hook config, same apply_to_input and apply_to_tool_results toggles. No new dependencies, only stdlib re. Tests live under tests/unit_tests/agents/middleware/implementations/ alongside test_pii.py.

Why this fits the middleware layer rather than a separate package: PIIMiddleware sets the precedent that security-focused detection at the message boundary is the right place to filter agent input, and an agent-threat-detection middleware is the natural complement. PII catches PII; ATR catches the attacker patterns specific to agent threat models (prompt injection, indirect injection, tool result poisoning, credential theft). Both are pre-model scans, both can be composed.

I have a draft implementation at PR #37303 (auto-closed pending this issue). Around 406 lines including the module, tests, and init wiring. Happy to revise based on maintainer feedback on naming, default rule set scope, or location (libs/community is also fine if preferred). Apache-2.0 license, ATR catalog is also Apache-2.0.

Question: would maintainers accept this as a langchain_v1 middleware, or would you prefer it in libs/community, or as a separately published package?