Inside: JsonPlusSerializer controls serialization format (libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py:JsonPlusSerializer).
Msgpack type allowlist (libs/checkpoint/langgraph/checkpoint/serde/_msgpack.py:SAFE_MSGPACK_TYPES — 47 safe types including stdlib, langchain_core messages, and langgraph types).
Msgpack method allowlist (libs/checkpoint/langgraph/checkpoint/serde/_msgpack.py:SAFE_MSGPACK_METHODS — 1 safe method: datetime.datetime.fromisoformat).
JSON module allowlist (libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py:_check_allowed_json_modules).
Serde event hooks for monitoring (libs/checkpoint/langgraph/checkpoint/serde/event_hooks.py:emit_serde_event).
Optional EncryptedSerializer wrapping (libs/checkpoint/langgraph/checkpoint/serde/encrypted.py:EncryptedSerializer).
SQLite filter key regex validation (libs/checkpoint-sqlite/langgraph/checkpoint/sqlite/utils.py:_validate_filter_key).
Parameterized SQL queries in both Postgres and SQLite backends.
Outside: Database access controls, who can read/write checkpoint tables, storage backend integrity.
Crossing mechanism: Database read/write operations — serialized bytes stored as BYTEA (Postgres) or BLOB (SQLite).
TB3: Remote API
Inside: _sanitize_config() strips non-primitive values and drops checkpoint-internal keys from outbound config (libs/langgraph/langgraph/pregel/remote.py:_sanitize_config).
SDK handles API key from env vars (libs/sdk-py/langgraph_sdk/_shared/utilities.py:_get_api_key).
RESERVED_HEADERS prevents user override of x-api-key (libs/sdk-py/langgraph_sdk/_shared/utilities.py:RESERVED_HEADERS).
Outside: Remote server response content, network integrity, whether the server is legitimate, server-provided Location redirect targets.
Crossing mechanism: HTTPS requests via httpx through langgraph_sdk.
TB4: CLI Config/Docker
Inside: Config file parsed as JSON (libs/cli/langgraph_cli/config.py:validate_config_file).
Docker subprocess invoked with list-based args via asyncio.create_subprocess_exec, not shell=True (libs/cli/langgraph_cli/exec.py:subp_exec).
Template downloads from hardcoded GitHub URLs (libs/cli/langgraph_cli/templates.py).
Config schema validation covers store, auth, encryption, http, webhooks, checkpointer, and ui sections (libs/cli/langgraph_cli/schemas.py).
Build command content validation blocks shell metacharacters (libs/cli/langgraph_cli/config.py:has_disallowed_build_command_content).
WebhookUrlPolicy (libs/cli/langgraph_cli/schemas.py:WebhookUrlPolicy) supports require_https, allowed_domains, allowed_ports, max_url_length, disable_loopback for SSRF protection.
Outside: Content of langgraph.json, Docker daemon behavior, filesystem permissions.
Crossing mechanism: JSON file read, subprocess execution, ZIP download/extraction.
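An added example (not the project's code in libs/cli/langgraph_cli/schemas.py) of the checks that the five WebhookUrlPolicy fields listed under TB4 describe, applied to a URL before it is used. The Policy class, the violations() and is_loopback() functions, the "empty tuple means unrestricted" semantics, the default length and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Policy:  # hypothetical stand-in; field names come from the TB4 list
    require_https: bool = True
    allowed_domains: tuple = ()   # assumed: empty means no domain restriction
    allowed_ports: tuple = ()     # assumed: empty means no port restriction
    max_url_length: int = 2048    # constructed default
    disable_loopback: bool = True

def is_loopback(host: str) -> bool:
    # Literal check only; names that resolve to loopback need a resolve-time check.
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def violations(url: str, p: Policy) -> list:
    """Return the policy fields the URL violates (empty list means allowed)."""
    out = ["max_url_length"] if len(url) > p.max_url_length else []
    try:
        parts = urlsplit(url)
        host, port = (parts.hostname or "").rstrip(".").lower(), parts.port
    except ValueError:  # bad IPv6 literal or port outside 0-65535
        return out + ["malformed"]
    if not host:
        return out + ["malformed"]
    if p.require_https and parts.scheme != "https":
        out.append("require_https")
    if port is None:  # fall back to the scheme's default port
        port = {"http": 80, "https": 443}.get(parts.scheme)
    if p.allowed_ports and port not in p.allowed_ports:
        out.append("allowed_ports")
    allowed = any(host == d or host.endswith("." + d) for d in p.allowed_domains)
    if p.allowed_domains and not allowed:
        out.append("allowed_domains")
    if p.disable_loopback and is_loopback(host):
        out.append("disable_loopback")
    return out

# Constructed sample policy and URLs
POLICY = Policy(allowed_domains=("example.com",), allowed_ports=(443,))
if __name__ == "__main__":
    for u in ("https://hooks.example.com/cb", "http://localhost:8080/cb",
              "https://example.com.attacker.test/cb", "https://[::1]/cb"):
        print(u, "->", violations(u, POLICY) or "allowed")
```

The host is taken from the parsed URL rather than matched against the raw string, so userinfo prefixes and look-alike suffixes are compared against the allowlist as the host the client would actually contact.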
TB5: SDK Encryption Handlers
Inside: Handler signature validation — must be async, must accept exactly 2 positional params (libs/sdk-py/langgraph_sdk/encryption/__init__.py:_validate_handler).
Duplicate handler registration prevention (DuplicateHandlerError).
EncryptionContext construction with model/field/metadata (libs/sdk-py/langgraph_sdk/encryption/types.py:EncryptionContext).
JSON key preservation constraint documented (enforced server-side).
Outside: Handler implementation correctness, key management strategy, actual encryption/decryption logic, server-side execution in langgraph-api.
Crossing mechanism: Python decorator registration at import time; server-side invocation at runtime.