.env, SSH keys, the SDK, and system files.
How It Works
Quick Start
How It Works
is_protected() and get_protection_reason() in praisonai.security.protected guard write_file, append_to_file, search_replace, and apply_diff.
Protected targets include environment files, .git/, SSH keys, ~/.aws/, /etc/passwd, praisonaiagents/, and audit.jsonl.
Blocked calls return:
Configuration Options
| Function | Returns | Description |
|---|---|---|
is_protected(path) | bool | Whether the path is blocked |
get_protection_reason(path) | str | None | Human-readable reason |
is_protected(path, extra_protected=[...]) | bool | Add project-specific paths |
Best Practices
Never disable in production
Never disable in production
Protected-path checks are a safety default — extend
extra_protected only after review.Use praisonai code tools
Use praisonai code tools
Protection is enforced in
praisonai.code.tools, not the core FileTools class.Check before custom tools
Check before custom tools
Call
is_protected() in custom write tools that bypass the built-in guards.Keep secrets out of prompts
Keep secrets out of prompts
Even with protection, avoid passing
.env contents into agent context.Related
Security Overview
Full security feature matrix
Shell Tools
Dangerous command protection

