
Quick Start

Get SafeClaw running as a security proxy for your AI agent

Quick Start

Configuration

SafeClaw supports both HCL (recommended) and TOML configuration formats. The format is auto-detected by file extension.

Create a safeclaw.hcl configuration file:

# Gateway listener. 127.0.0.1 is the loopback address, so the HTTP and WebSocket
# endpoints on port 18790 are reachable only from this host.
# NOTE(review): the example requests on this page carry no credentials; confirm how
# the gateway authenticates callers before changing host to a non-loopback address.
gateway {
  host = "127.0.0.1"
  port = 18790
}

# How SafeClaw reaches the agent it proxies for.
# NOTE(review): socket_path is presumably a Unix domain socket; if so, restrict the
# ownership and mode of /run/safeclaw so only SafeClaw and the agent can open it.
agent {
  socket_path         = "/run/safeclaw/code-agent.sock"
  connect_timeout_secs = 10
  wait_for_service    = true
}

# TEE is off in this starter config; the "Enable TEE" section shows the enabled form.
# NOTE(review): the classify example on this page returns "requires_tee": true for
# highly sensitive text; confirm how such content is handled while enabled = false.
tee {
  enabled = false
}

# Privacy classification settings.
# NOTE(review): "Normal" is presumably the level applied when no rule matches; verify.
privacy {
  default_sensitivity      = "Normal"
  enable_semantic_analysis  = true
  enable_compliance_checks = true
}

# Audit logging.
# NOTE(review): log_capacity presumably bounds how many events are retained; verify
# what happens at the limit and export events elsewhere if they must be kept.
audit {
  enabled      = true
  log_capacity = 10000
}

Alternatively, to use TOML, create a safeclaw.toml configuration file with the same settings:

# Gateway listener. 127.0.0.1 is the loopback address, so port 18790 is reachable
# only from this host.
# NOTE(review): the example requests on this page carry no credentials; confirm how
# the gateway authenticates callers before changing host to a non-loopback address.
[gateway]
host = "127.0.0.1"
port = 18790

# How SafeClaw reaches the agent it proxies for.
# NOTE(review): socket_path is presumably a Unix domain socket; if so, restrict the
# ownership and mode of /run/safeclaw.
[agent]
socket_path = "/run/safeclaw/code-agent.sock"
connect_timeout_secs = 10
wait_for_service = true

# TEE is off in this starter config; the "Enable TEE" section shows the enabled form.
[tee]
enabled = false

# Privacy classification settings.
# NOTE(review): "Normal" is presumably the level applied when no rule matches; verify.
[privacy]
default_sensitivity = "Normal"
enable_semantic_analysis = true
enable_compliance_checks = true

# Audit logging.
# NOTE(review): log_capacity presumably bounds how many events are retained; verify
# what happens at the limit.
[audit]
enabled = true
log_capacity = 10000

Start SafeClaw

# Start with HCL config (recommended)
safeclaw --config safeclaw.hcl

# Start with TOML config
safeclaw --config safeclaw.toml

# Start with debug logging
# NOTE(review): SafeClaw handles sensitive text; check whether debug-level logs include
# message content before using this level with real user data.
safeclaw --config safeclaw.hcl --log-level debug

Send a Message

# Ask the privacy classifier which PII rules match a piece of text.
# The e-mail address and SSN below are sample values. The request uses plain HTTP
# to localhost, so it stays on the loopback interface.
curl --request POST \
  --header "Content-Type: application/json" \
  --data '{"text": "My email is user@example.com and my SSN is 123-45-6789"}' \
  http://localhost:18790/api/v1/privacy/classify

# Example response (overall level, per-rule matches, and whether a TEE is required):
# {
#   "level": "HighlySensitive",
#   "matches": [
#     {"rule_name": "email", "level": "Sensitive", "redacted": "[EMAIL]"},
#     {"rule_name": "ssn", "level": "HighlySensitive", "redacted": "[SSN]"}
#   ],
#   "requires_tee": true
# }

Send a Chat Message

# Post one chat message to the gateway.
# NOTE(review): channel and user_id are supplied by the caller in the request body;
# confirm whether the gateway authenticates them or accepts them as given.
curl --request POST \
  --header "Content-Type: application/json" \
  --data '{"content": "Help me write a Python script", "channel": "webchat", "user_id": "user-1"}' \
  http://localhost:18790/api/v1/gateway/message

WebSocket Connection

// Open a WebSocket to the local gateway. The ws:// scheme is unencrypted; here the
// connection goes to localhost only.
const ws = new WebSocket("ws://localhost:18790/ws");

// Once connected, send a single chat message as a JSON text frame.
ws.onopen = () => {
  const outgoing = {
    type: "message",
    content: "Hello, can you help me?",
    channel: "webchat",
    user_id: "user-1",
  };
  ws.send(JSON.stringify(outgoing));
};

// Every incoming frame is parsed as JSON and its content field is logged.
ws.onmessage = ({ data }) => {
  const reply = JSON.parse(data);
  console.log(reply.content);
};

Check Health

# Health check
curl http://localhost:18790/health

# Gateway status
curl http://localhost:18790/api/v1/gateway/status

# Audit events
# NOTE(review): audit events may describe sensitive-data detections; confirm this
# endpoint is access-controlled before exposing the gateway beyond localhost.
curl http://localhost:18790/api/v1/audit/events

# Service discovery
curl http://localhost:18790/.well-known/a3s-service.json

Enable TEE

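For hardware-level memory encryption, enable the TEE. The example below also turns on a default-deny network policy whose allowlist covers HTTPS on port 443 for two API domains (HCL first, then the equivalent TOML):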

# HCL form (safeclaw.hcl): turn the TEE on and restrict its outbound network access.
tee {
  enabled = true

  # Egress policy: default_deny = true plus an explicit allowlist.
  # NOTE(review): presumably anything not listed below is blocked; verify, and list
  # only the providers you actually use.
  network_policy {
    enabled      = true
    default_deny = true
    allowed_protocols = ["https"]

    # One allowed_domains block per permitted destination, limited to port 443.
    allowed_domains {
      domain = "api.anthropic.com"
      ports  = [443]
    }

    allowed_domains {
      domain = "api.openai.com"
      ports  = [443]
    }
  }
}
# TOML form (safeclaw.toml) of the same TEE settings.
[tee]
enabled = true

# Egress policy: default_deny = true plus an explicit allowlist.
# NOTE(review): presumably anything not listed below is blocked; verify, and list
# only the providers you actually use.
[tee.network_policy]
enabled = true
default_deny = true
allowed_protocols = ["https"]

# One [[...allowed_domains]] table per permitted destination, limited to port 443.
[[tee.network_policy.allowed_domains]]
domain = "api.anthropic.com"
ports = [443]

[[tee.network_policy.allowed_domains]]
domain = "api.openai.com"
ports = [443]

Add Channel Adapters

# HCL form (safeclaw.hcl). Each secret is written as a ${NAME} placeholder,
# presumably filled from the environment at load time (verify), so the real
# tokens stay out of the config file and out of version control.
channels {
  # NOTE(review): only a bot token is configured here; confirm how inbound Telegram
  # webhooks are authenticated.
  telegram {
    bot_token = "${TELEGRAM_BOT_TOKEN}"
  }

  # Slack issues the signing secret so receivers can verify that a request came
  # from Slack.
  slack {
    bot_token      = "${SLACK_BOT_TOKEN}"
    signing_secret = "${SLACK_SIGNING_SECRET}"
  }

  # Discord issues the public key so receivers can verify request signatures.
  discord {
    bot_token  = "${DISCORD_BOT_TOKEN}"
    public_key = "${DISCORD_PUBLIC_KEY}"
  }
}
# TOML form (safeclaw.toml) of the same channel settings. Each secret is written as
# a ${NAME} placeholder, presumably filled from the environment at load time
# (verify), so the real tokens stay out of the config file and version control.

# NOTE(review): only a bot token is configured here; confirm how inbound Telegram
# webhooks are authenticated.
[channels.telegram]
bot_token = "${TELEGRAM_BOT_TOKEN}"

# Slack issues the signing secret so receivers can verify that a request came from Slack.
[channels.slack]
bot_token = "${SLACK_BOT_TOKEN}"
signing_secret = "${SLACK_SIGNING_SECRET}"

# Discord issues the public key so receivers can verify request signatures.
[channels.discord]
bot_token = "${DISCORD_BOT_TOKEN}"
public_key = "${DISCORD_PUBLIC_KEY}"

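Webhooks are received at /api/v1/gateway/webhook/:channel (e.g., /api/v1/gateway/webhook/telegram). With the gateway bound to 127.0.0.1 as in this guide, the channel provider can reach these paths only through a reverse proxy or tunnel; when you set one up, expose the webhook paths rather than the whole API.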

Programmatic Usage

use safeclaw::{Gateway, GatewayBuilder, config::SafeClawConfig};

/// Loads `safeclaw.hcl`, builds the gateway, starts it, and waits for it to shut down.
///
/// # Errors
///
/// Propagates any failure from loading the configuration, building the gateway,
/// or starting it.
#[tokio::main]
async fn main() -> anyhow::Result<()> {
    // `from_file` accepts .hcl and .toml; the format is detected automatically.
    let gateway = GatewayBuilder::new(SafeClawConfig::from_file("safeclaw.hcl")?)
        .build()
        .await?;

    gateway.start().await?;
    gateway.wait_for_shutdown().await;
    Ok(())
}
