A3S SafeClaw
Quick Start
Get SafeClaw running as a security proxy for your AI agent
Quick Start
Configuration
SafeClaw supports both HCL (recommended) and TOML configuration formats. The format is auto-detected by file extension.
Create a safeclaw.hcl configuration file:
gateway {
host = "127.0.0.1"
port = 18790
}
agent {
socket_path = "/run/safeclaw/code-agent.sock"
connect_timeout_secs = 10
wait_for_service = true
}
tee {
enabled = false
}
privacy {
default_sensitivity = "Normal"
enable_semantic_analysis = true
enable_compliance_checks = true
}
audit {
enabled = true
log_capacity = 10000
}Create a safeclaw.toml configuration file:
[gateway]
host = "127.0.0.1"
port = 18790
[agent]
socket_path = "/run/safeclaw/code-agent.sock"
connect_timeout_secs = 10
wait_for_service = true
[tee]
enabled = false
[privacy]
default_sensitivity = "Normal"
enable_semantic_analysis = true
enable_compliance_checks = true
[audit]
enabled = true
log_capacity = 10000Start SafeClaw
# Start with HCL config (recommended)
safeclaw --config safeclaw.hcl
# Start with TOML config
safeclaw --config safeclaw.toml
# Start with debug logging
safeclaw --config safeclaw.hcl --log-level debugSend a Message
# Classify text for PII
curl -X POST http://localhost:18790/api/v1/privacy/classify \
-H "Content-Type: application/json" \
-d '{"text": "My email is user@example.com and my SSN is 123-45-6789"}'
# Response:
# {
# "level": "HighlySensitive",
# "matches": [
# {"rule_name": "email", "level": "Sensitive", "redacted": "[EMAIL]"},
# {"rule_name": "ssn", "level": "HighlySensitive", "redacted": "[SSN]"}
# ],
# "requires_tee": true
# }Send a Chat Message
# Send message through the gateway
curl -X POST http://localhost:18790/api/v1/gateway/message \
-H "Content-Type: application/json" \
-d '{"content": "Help me write a Python script", "channel": "webchat", "user_id": "user-1"}'WebSocket Connection
const ws = new WebSocket("ws://localhost:18790/ws");
ws.onopen = () => {
ws.send(JSON.stringify({
type: "message",
content: "Hello, can you help me?",
channel: "webchat",
user_id: "user-1",
}));
};
ws.onmessage = (event) => {
const response = JSON.parse(event.data);
console.log(response.content);
};Check Health
# Health check
curl http://localhost:18790/health
# Gateway status
curl http://localhost:18790/api/v1/gateway/status
# Audit events
curl http://localhost:18790/api/v1/audit/events
# Service discovery
curl http://localhost:18790/.well-known/a3s-service.jsonEnable TEE
For hardware-level memory encryption:
tee {
enabled = true
network_policy {
enabled = true
default_deny = true
allowed_protocols = ["https"]
allowed_domains {
domain = "api.anthropic.com"
ports = [443]
}
allowed_domains {
domain = "api.openai.com"
ports = [443]
}
}
}[tee]
enabled = true
[tee.network_policy]
enabled = true
default_deny = true
allowed_protocols = ["https"]
[[tee.network_policy.allowed_domains]]
domain = "api.anthropic.com"
ports = [443]
[[tee.network_policy.allowed_domains]]
domain = "api.openai.com"
ports = [443]Add Channel Adapters
channels {
telegram {
bot_token = "${TELEGRAM_BOT_TOKEN}"
}
slack {
bot_token = "${SLACK_BOT_TOKEN}"
signing_secret = "${SLACK_SIGNING_SECRET}"
}
discord {
bot_token = "${DISCORD_BOT_TOKEN}"
public_key = "${DISCORD_PUBLIC_KEY}"
}
}[channels.telegram]
bot_token = "${TELEGRAM_BOT_TOKEN}"
[channels.slack]
bot_token = "${SLACK_BOT_TOKEN}"
signing_secret = "${SLACK_SIGNING_SECRET}"
[channels.discord]
bot_token = "${DISCORD_BOT_TOKEN}"
public_key = "${DISCORD_PUBLIC_KEY}"Webhooks are received at /api/v1/gateway/webhook/:channel (e.g., /api/v1/gateway/webhook/telegram).
Programmatic Usage
use safeclaw::{Gateway, GatewayBuilder, config::SafeClawConfig};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
// Supports both .hcl and .toml — format is auto-detected
let config = SafeClawConfig::from_file("safeclaw.hcl")?;
let gateway = GatewayBuilder::new(config).build().await?;
gateway.start().await?;
gateway.wait_for_shutdown().await;
Ok(())
}