.env, SSH keys, the SDK, and system files.
How It Works
Quick Start
1
Simple Usage
Protected-path checks apply automatically when using
praisonai code tools:2
With Configuration
Inspect protection before a write:
How It Works
is_protected() and get_protection_reason() in praisonai.security.protected guard write_file, append_to_file, search_replace, and apply_diff.
Protected targets include environment files, .git/, SSH keys, ~/.aws/, /etc/passwd, praisonaiagents/, and audit.jsonl.
The protected-path check runs before workspace confinement — both apply to every write. See Code Editing → Workspace Security.
Blocked calls return:
Configuration Options
Best Practices
Never disable in production
Never disable in production
Protected-path checks are a safety default — extend
extra_protected only after review.Use praisonai code tools
Use praisonai code tools
Protection is enforced in
praisonai.code.tools, not the core FileTools class.Check before custom tools
Check before custom tools
Call
is_protected() in custom write tools that bypass the built-in guards.Keep secrets out of prompts
Keep secrets out of prompts
Even with protection, avoid passing
.env contents into agent context.Related
Security Overview
Full security feature matrix
Shell Tools
Dangerous command protection

