A3S Docs
A3S CodeExamples

Security

Input taint tracking and output sanitization

Security

The SecurityProvider extension point intercepts every user prompt and LLM response to detect and redact sensitive data.

The built-in DefaultSecurityProvider detects common patterns: API keys, tokens, passwords, SSNs, credit card numbers, and email addresses.

Enable Default Security

import { DefaultSecurityProvider } from '@a3s-lab/code';

const session = agent.session('/my-project', {
  permissive: true,
  securityProvider: new DefaultSecurityProvider(),
});

const result = await session.send('Review this config file');
console.log(result.text); // sensitive patterns redacted

Run: npx ts-node examples/test_advanced_features.ts Source: sdk/node/examples/test_advanced_features.ts

from a3s_code import SessionOptions, DefaultSecurityProvider

opts = SessionOptions()
opts.security_provider = DefaultSecurityProvider()

session = agent.session("/my-project", options=opts)
result = session.send("Review this config file")
print(result.text)  # sensitive patterns redacted

Run: python examples/test_advanced_features.py Source: sdk/python/examples/test_advanced_features.py

Custom Security Provider

import { DefaultSecurityProvider } from '@a3s-lab/code';

// Custom security providers are implemented in Rust.
// Use securityProvider: new DefaultSecurityProvider() for the built-in provider.
const session = agent.session('/my-project', {
  securityProvider: new DefaultSecurityProvider(),
});
from a3s_code import DefaultSecurityProvider

# Custom security providers are implemented in Rust.
# Use DefaultSecurityProvider() for the built-in provider,
# or implement SecurityProvider in Rust and expose via FFI.
opts = SessionOptions()
opts.security_provider = DefaultSecurityProvider()
session = agent.session("/my-project", options=opts)

What Gets Redacted

The DefaultSecurityProvider detects and redacts:

Prop

Type

For full security configuration, see Security.

API Reference

SessionOptions

Prop

Type

SecurityProvider trait (Rust)

Prop

Type

DefaultSecurityProvider redaction patterns

Prop

Type

Memory

Practical examples for file memory, custom backends, and memory events

AHP Safety Harness

Using AHP harness servers to secure agent operations

On this page

SecurityEnable Default SecurityCustom Security ProviderWhat Gets RedactedAPI ReferenceSessionOptionsSecurityProvider trait (Rust)DefaultSecurityProvider redaction patterns