Security
Permission policy, HITL, AHP, and verification gates
A3S Code exposes security controls at session creation time and through
session lifecycle hooks. Treat direct host calls such as session.tool() and
session.bash() as privileged host operations: the application that calls them
is responsible for deciding whether to expose that power to a user.
Delegated child runs inherit bounded permissions from the selected subagent or
worker spec. Use confirmationInheritance for child-run Ask decisions, and
keep high-risk release or publish commands behind explicit policy.
Permission Policy

const session = agent.session('/repo', {
  permissionPolicy: {
    deny: ['bash(rm -rf*)', 'write(**/.env*)'],
    ask: ['bash(git push*)', 'bash(npm publish*)'],
    allow: ['read(*)', 'grep(*)', 'glob(*)', 'bash(cargo test*)'],
    defaultDecision: 'ask',
    enabled: true,
  },
});

Avoid permissive defaults for release or production sessions. Make dangerous commands explicit and auditable.
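
To make a policy like the one above auditable before it ships, the following added example (not A3S Code's own code) evaluates constructed tool calls against the policy and reports any decision that differs from what a reviewer expects. The matching semantics and the deny > ask > allow precedence are assumptions of this model, and `compileRule`, `decide`, and `auditPolicy` are hypothetical helper names.

```javascript
// Added example: a simplified model of the policy above, not A3S Code's matcher.
// Assumptions: rules are tool(pattern); `*` matches any characters; `**/` matches
// zero or more directories; precedence is deny > ask > allow > defaultDecision.
const pagePolicy = {
  deny: ['bash(rm -rf*)', 'write(**/.env*)'],
  ask: ['bash(git push*)', 'bash(npm publish*)'],
  allow: ['read(*)', 'grep(*)', 'glob(*)', 'bash(cargo test*)'],
  defaultDecision: 'ask',
  enabled: true,
};

function compileRule(rule) {
  const m = /^(\w+)\((.*)\)$/.exec(rule);
  if (!m) throw new Error(`malformed rule: ${rule}`);
  const body = m[2]
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except *
    .replace(/\*\*\/|\*+/g, (t) => (t === '**/' ? '(?:.*/)?' : '.*'));
  return { tool: m[1], re: new RegExp(`^${body}$`) };
}

function decide(policy, tool, arg) {
  for (const decision of ['deny', 'ask', 'allow']) {
    for (const rule of policy[decision] ?? []) {
      const { tool: ruleTool, re } = compileRule(rule);
      if (ruleTool === tool && re.test(arg)) return { decision, rule };
    }
  }
  return { decision: policy.defaultDecision, rule: null }; // no rule matched
}

// Constructed tool calls with the decision a reviewer expects for each.
const expectations = [
  ['bash', 'rm -rf build', 'deny'],
  ['write', 'config/.env.local', 'deny'],
  ['write', '.env', 'deny'],
  ['bash', 'git push origin main', 'ask'],
  ['bash', 'cargo test --all', 'allow'],
  ['read', 'src/main.rs', 'allow'],
  ['bash', 'cargo publish', 'ask'], // no rule matches: falls to defaultDecision
];

// Returns every expectation the policy does not meet (empty array = pass).
function auditPolicy(policy, cases = expectations) {
  return cases
    .map(([tool, arg, want]) => ({ tool, arg, want, got: decide(policy, tool, arg).decision }))
    .filter((r) => r.got !== r.want);
}
console.log(auditPolicy(pagePolicy));
console.log(auditPolicy({ ...pagePolicy, defaultDecision: 'allow' }));
```

With `defaultDecision: 'allow'`, the unlisted `cargo publish` call is the one case that stops prompting, which is the gap an explicit `ask` or `deny` rule closes.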
Hooks
Hooks are registered on a session with an event type, matcher, optional config, and handler:

session.registerHook(
  'observe-secret-read',
  'pre_tool_use',
  { pathPattern: '**/.env*' },
  { priority: 100 },
  () => ({ action: 'continue' }),
);
console.log(session.hookCount());
session.unregisterHook('observe-secret-read');

AHP
AHP lets an external harness observe and decide around prompts, actions, responses, errors, heartbeats, and idle events. Use it for centralized safety or organization policy.
Verification
Verification reports and summaries are available from the session and selected result fields. Release workflows should require tests, package checks, CI checks, and provider evidence.