Skip to main content
The gateway now ships in the praisonai-bot package. praisonai serve gateway still works exactly as documented here; for a standalone install see praisonai-bot Migration.
Untrusted inbound routes never even see dangerous tools — the model is offered a scoped subset for that turn, then the agent’s original toolset is restored.
The user asks the agent to run tools; gateway tool policy allows or blocks tools before execution.

Quick Start

1

Lock down stranger DMs with one YAML line

Add trust: untrusted to any binding. Dangerous tools (shell, file mutation, delegation, scheduling) are automatically withheld from the model for that route.
2

Give your operator full power

Stranger DMs get the safe subset. Your operator peer gets everything.
3

Add explicit allow/deny overrides

Layer deny_tools on top of any trust tier for project-specific tools not covered by the default substrings.

How It Works

The apply/restore step happens inside the per-agent lock and is guaranteed to run even when the agent turn raises an exception — so a failed run can never leave an agent permanently hobbled.

Configuration Options

RouteBinding security fields

For routing fields (peer, role, channel_id, account, chat_type, priority) see Gateway Route Bindings.

ToolPolicy dataclass

Module constants

Import from praisonaiagents.gateway:

Common Patterns

Lock down stranger DMs, keep operator at full power
Or in YAML:
Channel-scoped policy — deny specific tools on #ops
Whitelist mode — only search on a public-facing route
Only the search tool is offered. Everything else is withheld.

Best Practices

Opt in to power, not out of safety. Add trust: untrusted to every new route you create; promote to standard or trusted only when you have a clear need.
UNTRUSTED_DENY_SUBSTRINGS covers the 12 common dangerous families. Custom tools with names like purge_cache or flush_queue won’t match any substring — add them explicitly.
Pair trust: trusted (or omit trust) with your operator’s stable peer: id. If you put an operator peer on untrusted, they will hit the conservative deny-list on every message.
Import the constant and check your tool names against it before deploying:
Anything that bypasses the 12 substrings will leak through trust: untrusted unless you add an explicit deny_tools entry.

Gateway Route Bindings

The routing surface this layers on — match by peer, role, channel, or chat type.

Approval

The second line of defence — require human confirmation before risky tool calls execute.