docs: document Agent Threat Rules pre-tool hook path

[maxpetrusenkoagent]

Summary

• Documents the Agent Threat Rules (ATR) integration path in the existing tool hooks guide.
• Shows ATR scanners attaching at the @before_tool_call seam, where CrewAI exposes the chosen tool, concrete tool input, agent/task/crew context, and security_config fingerprints before execution.
• Keeps ATR as an external/optional adapter boundary instead of adding a new core dependency or vendoring the rule corpus.
• Adds a regression test that pins the ATR docs section so the documented integration path does not disappear during future tool-hook docs edits.

Issue

Refs #5763

Why this shape

The issue thread converged on pre-tool scanning as the load-bearing integration point: the agent intent is concrete, but the tool has not executed yet. This PR captures that architecture in the CrewAI docs with a small runnable adapter sketch, including where credential or secret metadata can be attached by the application before scanning.

This intentionally avoids competing with the broader guardrail/governance PRs currently open. It is docs-only plus a focused docs regression test for the ATR-specific integration question.

Verification

uv run ruff check --no-force-exclude lib/crewai/tests/hooks/test_tool_hooks_documentation.py
uv run pytest lib/crewai/tests/hooks/test_tool_hooks_documentation.py lib/crewai/tests/hooks/test_tool_hooks.py -q
git diff --check

Results:

• ruff: passed
• pytest: 26 passed, 37 existing deprecation/FutureWarning warnings
• git diff --check: passed

Duplicate/overlap check

Inspected current open PRs related to tool hooks/governance/security:

• feat(hooks): add provider-based pre-tool-call guardrails #5422 provider-based pre-tool-call guardrails, overlaps tool-hook docs generally, but does not cover Agent Threat Rules.
• feat: Add crew-level before_tool_call and after_tool_call governance hooks #5890 crew-level before/after tool callbacks.
• feat: Add GovernanceDecision and GovernanceOutcome contract types #6030 governance decision/outcome contract types.

No open PR found that answers the ATR-specific integration path from #5763.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 70a6d8fe-2729-47fa-aa16-1682505db1a0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}