feat(langchain): add RejectSystemMessagesMiddleware guardrail

[open-swe]

Description

Adds a prebuilt RejectSystemMessagesMiddleware that guards against user-injected SystemMessage instances in conversation history (request.messages). This prevents end users from overriding the agent's hard-coded system prompt by passing additional system messages via graph.invoke({'messages': [...]}). Supports two modes: filter (default, silently removes) and error (raises SystemMessageViolationError).

This PR was authored by an AI agent.

Test Plan

• Unit tests for filter mode, error mode, async variants, and integration with create_agent

Opened collaboratively by Sydney Runkle and open-swe.

[codspeed-hq]

Merging this PR will improve performance by ×57

⚡ 1 improved benchmark
✅ 1 untouched benchmark
⏩ 13 skipped benchmarks¹

Performance Changes

	Mode	Benchmark	BASE	HEAD	Efficiency
⚡	Simulation	test_create_agent_instantiation_with_middleware	839.3 ms	14.9 ms	×57

---

_{Comparing open-swe/e73e8980-fe53-d194-0758-70628c57fd8c (5bd090f) with master (338aa81)²}

Footnotes

1. 13 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

2. No successful run was found on master (58c4e5b) during the generation of this report, so 338aa81 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[Eugene Yurtsev (eyurtsev)]

Why is this a middleware? This can be done with input validation?