A3S Docs
A3S Code

Security

Permission system, HITL confirmation, and extensible security traits

Security

A3S Code provides two built-in security layers: Permission Policy and Human-in-the-Loop (HITL) Confirmation. Additional security logic can be implemented via the SecurityProvider trait and HookEngine.

API Note: The TypeScript SDK exposes a simplified security model. Many features described in this document (PermissionPolicy builder, ConfirmationPolicy, security events) are only available in the Rust SDK. The TypeScript SDK provides permissive mode and DefaultSecurityProvider.

Security Architecture

User Prompt → Agent Loop
  ├─ Permission Policy    ← Deny → Allow → Ask → Default
  ├─ HITL Confirmation    ← Independent of permissions
  ├─ Tool Execution
  └─ SecurityProvider     ← Pluggable via trait (taint tracking, sanitization, etc.)

Permission Policy (Rust SDK)

The permission system controls which tools the agent can use. Rules are evaluated in order: Deny → Allow → Ask → Default.

PermissionPolicy builder API is available in the Rust and Python SDKs. In TypeScript, use the permissive option on SessionOptions to bypass HITL confirmation for all tools.

Pattern Matching

Rules use glob-style pattern matching on tool names and arguments:

Tool(pattern)

Prop

Type

Wildcards: * matches any character except /, ** matches including /, :* matches any suffix.

Preset Policies

Prop

Type

HITL Confirmation

Human-in-the-Loop confirmation is independent of the permission system. Even if a tool is allowed by permissions, HITL can still require user confirmation.

TypeScript: Permissive Mode

In TypeScript, the simplest way to enable all tools without HITL confirmation is the permissive option:

const session = agent.session('/project', {
  permissive: true,
});
session = agent.session("/project", permissive=True)

Built-in Security Provider

A3S Code ships a DefaultSecurityProvider that provides input taint tracking and output sanitisation.

Enabling

import { DefaultSecurityProvider } from '@a3s-lab/code';

const session = agent.session('/project', {
  securityProvider: new DefaultSecurityProvider(),
});
from a3s_code import DefaultSecurityProvider

session = agent.session("/project", security_provider=DefaultSecurityProvider())

Built-in PII Redaction Patterns

DefaultSecurityProvider includes 8 built-in sensitive data patterns that are automatically redacted from LLM output:

Prop

Type

Prompt Injection Detection

DefaultSecurityProvider scans user input for injection patterns:

PatternExample
Ignore prior instructions"Ignore all previous instructions..."
Disregard context"Disregard all prior context..."
Mode switch"You are now in developer mode..."
Forget instructions"Forget everything you learned..."
New instruction injection"New instructions: ..."
System prompt override"System prompt override"

Workspace Boundaries

All file operations are restricted to the session's workspace directory. Attempts to access files outside the workspace are blocked.

Best Practices

Start with strict policy — Use PermissionPolicy::strict() (Rust/Python) and explicitly allow only needed tools
Block dangerous patterns — Always deny destructive bash commands: bash(rm -rf:*), bash(curl:*|sh)
Enable HITL for writes — Require confirmation for file modifications and bash execution
Use workspace boundaries — Never disable workspace restrictions
Implement SecurityProvider — Add custom taint tracking and output sanitization for sensitive data (Rust SDK)
Audit logs — Use hooks to log all tool executions for security review

Security Events

The agent emits security-related events during streaming:

Prop

Type

Detailed security events (PermissionDenied, ConfirmationRequired, etc.) are available in the Rust SDK. The TypeScript SDK surfaces security events through the general event stream with event.type === 'error' for security-related failures.

API Reference

DefaultSecurityProvider

// TypeScript
import { DefaultSecurityProvider } from '@a3s-lab/code';
const provider = new DefaultSecurityProvider();
agent.session('.', { securityProvider: provider });
# Python
from a3s_code import DefaultSecurityProvider
provider = DefaultSecurityProvider()
session = agent.session(".", security_provider=provider)

SecurityProvider trait (Rust)

Prop

Type

AGENTS.md Auto-Loading

Automatic project instructions loading from workspace root

Lifecycle Hooks

11 lifecycle hooks for intercepting tool calls, LLM generations, sessions, and skills

On this page

SecuritySecurity ArchitecturePermission Policy (Rust SDK)Pattern MatchingPreset PoliciesHITL ConfirmationTypeScript: Permissive ModeBuilt-in Security ProviderEnablingBuilt-in PII Redaction PatternsPrompt Injection DetectionWorkspace BoundariesBest PracticesSecurity EventsAPI ReferenceDefaultSecurityProviderSecurityProvider trait (Rust)