
Add Gemma 4 + HDP agentic security example (FunctionGemma/)#342

Open
asiridalugoda wants to merge 5 commits into google-gemma:main from Helixar-AI:feature/hdp-agentic-security

Conversation

@asiridalugoda asiridalugoda commented Apr 2, 2026

Summary

Adds a cookbook example demonstrating how to integrate the Human Delegation Provenance (HDP) protocol with Gemma 4's native function-calling to cryptographically verify that every tool invocation was authorized by a human principal before execution.

Placed in FunctionGemma/ as it extends Gemma 4's function-calling capability with a security layer.

Problem

Gemma 4 is purpose-built for agentic workflows with native function-calling. This creates an underaddressed security gap: when Gemma 4 generates a function call, there is no verifiable record that a human principal authorized that specific action. A compromised system prompt or injected instruction can trigger tool calls that are indistinguishable from legitimate delegation at the tool interface.

This is particularly acute for Gemma 4 E2B/E4B deployments on edge devices (Jetson Nano, Raspberry Pi) directing physical actuators offline with no out-of-band authorization check.

Solution

This example integrates HDP (IETF individual draft draft-helixar-hdp-agentic-delegation-00) as a middleware gate between Gemma 4's function-call output and tool execution:

  • Issue Ed25519-signed Delegation Tokens (HDTs) from a human principal
  • Gate every Gemma 4 function call through HDPMiddleware.gate() before execution
  • Classify actions by irreversibility (Class 0 = read-only → Class 3 = physical actuation)
  • Block expired, out-of-scope, or over-class calls pre-execution
  • Log every authorization decision in a tamper-evident audit record

Files added

FunctionGemma/
  Gemma_4_HDP_Agentic_Security/
    Gemma_4_HDP_Agentic_Security.ipynb   ← walkthrough notebook
    hdp_middleware.py                     ← drop-in middleware
    README.md                             ← quick start + reference

Irreversibility classes

Class  Definition                                                Authorization required
0      Fully reversible — reads, queries                         HDT sufficient
1      Reversible with effort — writes, moves                    HDT sufficient
2      Irreversible — send, delete, publish                      HDT + principal confirmation
3      Irreversible + potentially harmful — physical actuation   Dual-principal (HDP-P)

Testing

Middleware logic (HDPMiddleware, HDPDelegationToken, IrreversibilityClass) is self-contained and tested independently of the model. The notebook is designed for google/gemma-4-E4B-it via HuggingFace Transformers — function call outputs are simulated in the demo cells to allow verification logic to be evaluated without GPU access.

References
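To make the gating logic concrete, here is an added, self-contained Python sketch of the design the PR describes (token issued by a human principal, every model-emitted function call gated before execution, irreversibility classes, and a tamper-evident audit record). It is not the PR's hdp_middleware.py and not the HDP draft's wire format: the token field names, the TOOL_CLASSES registry, the method signatures of HDPMiddleware, the hash-chained audit log, and the "two distinct principals" rule standing in for HDP-P's dual-principal check are all my assumptions. Signatures use Ed25519 from the cryptography package when it is installed and fall back to an HMAC-SHA256 stand-in otherwise, so the gate logic runs offline either way.

```python
import hashlib, hmac, json, os, time
from enum import IntEnum

try:  # Ed25519 from the 'cryptography' package; HMAC-SHA256 stand-in if it is absent
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    HAVE_ED25519 = True
except ImportError:
    HAVE_ED25519 = False

class IrreversibilityClass(IntEnum):  # numbering follows the PR's table
    READ_ONLY, REVERSIBLE, IRREVERSIBLE, PHYSICAL = 0, 1, 2, 3

# Hypothetical tool registry; an unclassified tool is treated as Class 3 (fail closed).
TOOL_CLASSES = {"read_sensor": IrreversibilityClass.READ_ONLY, "write_config": IrreversibilityClass.REVERSIBLE,
                "send_email": IrreversibilityClass.IRREVERSIBLE, "actuate_valve": IrreversibilityClass.PHYSICAL}

class PrincipalKey:
    """One human principal's signing identity (Ed25519, or the symmetric HMAC stand-in)."""
    def __init__(self, principal_id):
        self.principal_id = principal_id
        self._priv = Ed25519PrivateKey.generate() if HAVE_ED25519 else os.urandom(32)
    def sign(self, msg):
        return self._priv.sign(msg) if HAVE_ED25519 else hmac.new(self._priv, msg, hashlib.sha256).digest()
    def verify(self, msg, sig):
        if not HAVE_ED25519:
            return hmac.compare_digest(sig, hmac.new(self._priv, msg, hashlib.sha256).digest())
        try:
            self._priv.public_key().verify(sig, msg)
            return True
        except InvalidSignature:
            return False

def canonical(obj):  # deterministic JSON so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_token(key, agent_id, scope, max_class, ttl_s, now=None):
    """Delegation token (hypothetical layout): principal, agent, tool scope, class ceiling, expiry."""
    now = time.time() if now is None else now
    claims = {"principal": key.principal_id, "agent": agent_id, "scope": sorted(scope), "max_class": int(max_class),
              "iat": now, "exp": now + ttl_s, "nonce": os.urandom(8).hex()}
    return {"claims": claims, "sig": key.sign(canonical(claims)).hex()}

class HDPMiddleware:
    """Gate between model function-call output and tool execution, with a hash-chained audit log."""
    def __init__(self, keys):
        self.keys = keys    # principal_id -> PrincipalKey: the trusted key store
        self.audit = []     # [{"entry": decision, "prev": hash, "hash": hash}, ...]

    def _record(self, decision):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        digest = hashlib.sha256(canonical(decision) + prev.encode()).hexdigest()
        self.audit.append({"entry": decision, "prev": prev, "hash": digest})

    def gate(self, token, call, confirmations=frozenset(), now=None):  # -> (allowed, reason)
        now = time.time() if now is None else now
        claims, tool = token["claims"], call.get("name")
        tool_class = TOOL_CLASSES.get(tool, IrreversibilityClass.PHYSICAL)
        key = self.keys.get(claims.get("principal"))
        if key is None or not key.verify(canonical(claims), bytes.fromhex(token["sig"])):
            reason = "bad signature or unknown principal"
        elif now >= claims["exp"]:
            reason = "token expired"
        elif tool not in claims["scope"]:
            reason = f"tool {tool!r} out of scope"
        elif tool_class > claims["max_class"]:
            reason = f"class {int(tool_class)} exceeds delegated ceiling {claims['max_class']}"
        elif tool_class == IrreversibilityClass.IRREVERSIBLE and claims["principal"] not in confirmations:
            reason = "class 2 requires principal confirmation"
        elif tool_class == IrreversibilityClass.PHYSICAL and len(set(confirmations) & set(self.keys)) < 2:
            reason = "class 3 requires two distinct principals"
        else:
            reason = "ok"
        self._record({"t": now, "tool": tool, "class": int(tool_class), "principal": claims.get("principal"),
                      "allowed": reason == "ok", "reason": reason})
        return reason == "ok", reason

    def verify_audit(self):  # recompute the chain; an edited or removed entry breaks it
        prev = "0" * 64
        for rec in self.audit:
            expect = hashlib.sha256(canonical(rec["entry"]) + prev.encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expect:
                return False
            prev = rec["hash"]
        return True

def demo():
    """Constructed scenario: Alice delegates a 10-minute token capped at Class 2 to the agent."""
    alice, bob = PrincipalKey("alice"), PrincipalKey("bob")
    mw, t0 = HDPMiddleware({"alice": alice, "bob": bob}), 1_700_000_000.0
    tok = issue_token(alice, "gemma-4-e4b", ["read_sensor", "send_email", "actuate_valve"], 2, 600, now=t0)
    calls = [({"name": "read_sensor"}, frozenset(), t0 + 1),                    # allow
             ({"name": "send_email"}, frozenset(), t0 + 2),                     # block: unconfirmed
             ({"name": "send_email"}, frozenset({"alice"}), t0 + 3),            # allow
             ({"name": "actuate_valve"}, frozenset({"alice", "bob"}), t0 + 4),  # block: over class
             ({"name": "write_config"}, frozenset(), t0 + 5),                   # block: out of scope
             ({"name": "read_sensor"}, frozenset(), t0 + 601)]                  # block: expired
    return [mw.gate(tok, c, conf, now=t)[0] for c, conf, t in calls], mw
```

Two design points worth noting. The gate checks the signature before anything else and treats unknown tools as Class 3, so a call the registry has never seen, or a token whose scope was edited after signing, is refused rather than waved through. In a real deployment the verifier would hold only the principals' public keys and the confirmations would arrive out of band (a button press, a second operator's signature), never from the model's own output; the HMAC fallback here is only a convenience for running without the package and gives no non-repudiation.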



asiridalugoda commented Apr 7, 2026

Pushed a formatting fix; the notebook failed the CI nbfmt check. Re-ran python3 -m tensorflow_docs.tools.nbfmt locally to bring it in line with the repo's formatting standard. No content changes.

arXiv article: https://arxiv.org/abs/2604.04522

@asiridalugoda
Author

Hey @bebechien, pushed a formatting fix for the nbfmt CI failure. Good to re-run when you get a chance!
