The gateway now ships in the
praisonai-bot package. praisonai serve gateway still works exactly as documented here; for a standalone install see praisonai-bot Migration.Quick Start
1
Lock down stranger DMs with one YAML line
Add
trust: untrusted to any binding. Dangerous tools (shell, file mutation, delegation, scheduling) are automatically withheld from the model for that route.2
Give your operator full power
3
Add explicit allow/deny overrides
deny_tools on top of any trust tier for project-specific tools not covered by the default substrings.How It Works
The apply/restore step happens inside the per-agent lock and is guaranteed to run even when the agent turn raises an exception — so a failed run can never leave an agent permanently hobbled.Configuration Options
RouteBinding security fields
For routing fields (peer, role, channel_id, account, chat_type, priority) see Gateway Route Bindings.
ToolPolicy dataclass
Module constants
Import from
praisonaiagents.gateway:
Common Patterns
Lock down stranger DMs, keep operator at full powersearch on a public-facing route
search tool is offered. Everything else is withheld.
Best Practices
Default new gateway routes to trust: untrusted
Default new gateway routes to trust: untrusted
Opt in to power, not out of safety. Add
trust: untrusted to every new route you create; promote to standard or trusted only when you have a clear need.Layer deny_tools on top of untrusted for project-specific tools
Layer deny_tools on top of untrusted for project-specific tools
UNTRUSTED_DENY_SUBSTRINGS covers the 12 common dangerous families. Custom tools with names like purge_cache or flush_queue won’t match any substring — add them explicitly.Never put your operator's peer on an untrusted binding
Never put your operator's peer on an untrusted binding
Pair
trust: trusted (or omit trust) with your operator’s stable peer: id. If you put an operator peer on untrusted, they will hit the conservative deny-list on every message.Audit UNTRUSTED_DENY_SUBSTRINGS for your tool families
Audit UNTRUSTED_DENY_SUBSTRINGS for your tool families
Import the constant and check your tool names against it before deploying:Anything that bypasses the 12 substrings will leak through
trust: untrusted unless you add an explicit deny_tools entry.Related
Gateway Route Bindings
The routing surface this layers on — match by peer, role, channel, or chat type.
Approval
The second line of defence — require human confirmation before risky tool calls execute.

