The gateway now ships in the
praisonai-bot package. praisonai serve gateway still works exactly as documented here; for a standalone install see praisonai-bot Migration.Quick Start
Lock down stranger DMs with one YAML line
Add
trust: untrusted to any binding. Dangerous tools (shell, file mutation, delegation, scheduling) are automatically withheld from the model for that route.How It Works
The apply/restore step happens inside the per-agent lock and is guaranteed to run even when the agent turn raises an exception — so a failed run can never leave an agent permanently hobbled.| Step | What happens |
|---|---|
| Route resolver | Matches the binding with highest priority + specificity |
tool_policy() | Builds a ToolPolicy from trust, allow_tools, deny_tools |
_apply_tool_policy() | Swaps agent.tools to the allowed subset for this turn |
| Agent turn | Model only sees the scoped tool list |
| Restore | agent.tools reset to original regardless of outcome |
Configuration Options
RouteBinding security fields
For routing fields (peer, role, channel_id, account, chat_type, priority) see Gateway Route Bindings.
| Field | Type | Default | Description |
|---|---|---|---|
trust | Optional[str] | None | "untrusted" | "standard" | "trusted". Unknown values normalise to "untrusted" (fail-closed). |
allow_tools | Optional[List[str]] | None | Whitelist by exact tool name. None = allow all except deny rules. Accepts a YAML scalar or list. |
deny_tools | Optional[List[str]] | None | Exact tool names removed before the run. Layers on top of the trust tier’s deny-list. Accepts a YAML scalar or list. |
ToolPolicy dataclass
| Field | Type | Default | Description |
|---|---|---|---|
allow_tools | Optional[Set[str]] | None | Whitelist by exact name. None = allow all except deny rules. |
deny_tools | Set[str] | set() | Exact names removed. |
deny_substrings | List[str] | [] | Case-insensitive substrings; a tool whose name contains any of these is removed. Used by the untrusted tier. |
Module constants
| Constant | Type | Description |
|---|---|---|
UNTRUSTED_DENY_SUBSTRINGS | List[str] | The 12 substrings the untrusted tier seeds: shell, exec, command, subprocess, write_file, edit_file, delete_file, rm_file, delegate, handoff, cronjob, schedule. |
TRUST_TIERS | List[str] | ["untrusted", "standard", "trusted"] (least → most privileged). |
praisonaiagents.gateway:
Common Patterns
Lock down stranger DMs, keep operator at full powersearch on a public-facing route
search tool is offered. Everything else is withheld.
Best Practices
Default new gateway routes to trust: untrusted
Default new gateway routes to trust: untrusted
Opt in to power, not out of safety. Add
trust: untrusted to every new route you create; promote to standard or trusted only when you have a clear need.Layer deny_tools on top of untrusted for project-specific tools
Layer deny_tools on top of untrusted for project-specific tools
UNTRUSTED_DENY_SUBSTRINGS covers the 12 common dangerous families. Custom tools with names like purge_cache or flush_queue won’t match any substring — add them explicitly.Never put your operator's peer on an untrusted binding
Never put your operator's peer on an untrusted binding
Pair
trust: trusted (or omit trust) with your operator’s stable peer: id. If you put an operator peer on untrusted, they will hit the conservative deny-list on every message.Audit UNTRUSTED_DENY_SUBSTRINGS for your tool families
Audit UNTRUSTED_DENY_SUBSTRINGS for your tool families
Import the constant and check your tool names against it before deploying:Anything that bypasses the 12 substrings will leak through
trust: untrusted unless you add an explicit deny_tools entry.Related
Gateway Route Bindings
The routing surface this layers on — match by peer, role, channel, or chat type.
Approval
The second line of defence — require human confirmation before risky tool calls execute.

