Configure security sandboxes, rate limiting, circuit breakers, and observability for this agent's tool usage.
Agents use tools to interact with the world — reading files, browsing the web, running commands, calling APIs. Tool Security controls what each agent is allowed to do with its tools. It's like giving an employee a key card that only opens certain doors: you define which directories they can access, which websites they can visit, which commands they can run, and how fast they can work.
A single endpoint provides the merged view:

- `GET /agents/:id/tool-security` returns `{ orgDefaults, agentOverrides, toolSecurity }`, where `toolSecurity` is the merged result.
- `PATCH /agents/:id/tool-security` saves overrides as `{ toolSecurity: overrides, updatedBy: 'dashboard' }`.

The save process computes a diff between the current merged config and the org defaults; only changed sections are stored as overrides. The "Reset to Org Defaults" action sends an empty `{}` as overrides.
Tool security is split into two domains: the security controls (pathSandbox, ssrf, commandSanitizer) and the operational controls (audit, rateLimit, circuitBreaker, telemetry).

Tool security follows a layered inheritance model: org defaults apply to every agent, agent-level overrides are layered on top of them, and the merged result is what the agent actually enforces.
When you modify a setting, it becomes an agent-level override. Fields labeled "ORG DEFAULT" are inherited and not stored at the agent level.
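The merge, diff and reset behaviour described above, as an added example that is not the product's own dashboard code. The section names are the page's; the field names inside each section (allowedDirs, blockedCidrs, and so on), the sample values, and the assumption that an override replaces a whole section are illustrative.

```javascript
// Added example (not the product's own code): layered inheritance of tool
// security, the diff that turns a merged config back into overrides, and the
// PATCH body the dashboard sends. Field names inside sections are assumptions.

const SECTIONS = ['pathSandbox', 'ssrf', 'commandSanitizer',
                  'audit', 'rateLimit', 'circuitBreaker', 'telemetry'];

// Constructed org defaults (illustrative values only).
const orgDefaults = {
  pathSandbox: { allowedDirs: ['/home/user/project'], blockedPatterns: ['\\.env$', '\\.ssh/'] },
  ssrf: { allowedHosts: ['api.example.com'], blockedCidrs: ['10.0.0.0/8', '169.254.0.0/16'] },
  commandSanitizer: { allowedCommands: ['git', 'npm', 'node'], blockedPatterns: ['rm -rf'] },
  audit: { redactedFields: ['password', 'api_key'] },
  rateLimit: { bash: { max: 10, refill: 10 } },
  circuitBreaker: { maxConsecutiveFailures: 5 },
  telemetry: { enabled: true },
};

// Layered inheritance: an agent override replaces a whole section (assumption);
// untouched sections fall through to the org default ("ORG DEFAULT" fields).
function mergeToolSecurity(defaults, overrides) {
  const merged = {};
  for (const s of SECTIONS) {
    merged[s] = Object.prototype.hasOwnProperty.call(overrides, s) ? overrides[s] : defaults[s];
  }
  return merged;
}

// Structural equality for JSON-shaped config (order-insensitive for object keys).
function deepEqual(a, b) {
  if (a === b) return true;
  if (typeof a !== 'object' || typeof b !== 'object' || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  if (ka.length !== kb.length) return false;
  return ka.every(k => Object.prototype.hasOwnProperty.call(b, k) && deepEqual(a[k], b[k]));
}

// Diff for PATCH: only sections whose merged value differs from the org default
// are stored. Editing a value back to its default drops the section entirely.
function computeOverrides(defaults, merged) {
  const overrides = {};
  for (const s of SECTIONS) {
    if (!deepEqual(merged[s], defaults[s])) overrides[s] = merged[s];
  }
  return overrides;
}

// Body of the PATCH request; "Reset to Org Defaults" is the same call with {}.
function buildPatchBody(overrides) {
  return { toolSecurity: overrides, updatedBy: 'dashboard' };
}

// The save bar is shown only while the merged config differs from what was loaded.
function isDirty(loadedMerged, currentMerged) {
  return !deepEqual(loadedMerged, currentMerged);
}

// Walkthrough: an operator raises the bash limit and adds a blocked CIDR.
function example() {
  const loaded = mergeToolSecurity(orgDefaults, {});
  const edited = JSON.parse(JSON.stringify(loaded));
  edited.rateLimit = { bash: { max: 20, refill: 20 } };
  edited.ssrf = { ...edited.ssrf, blockedCidrs: [...edited.ssrf.blockedCidrs, '172.16.0.0/12'] };
  const overrides = computeOverrides(orgDefaults, edited);
  return { dirty: isDirty(loaded, edited), overrides, body: buildPatchBody(overrides) };
}
```

Because the diff is computed per section, the stored overrides are exactly the sections that differ; everything else keeps inheriting, which is why a later change to an org default shows up on every agent that never touched that section.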
The Path Sandbox restricts file system access. It prevents agents from reading sensitive files such as .env files, SSH keys, or system configs.
- Allowed directories (for example /home/user/project). Tag input for easy management.
- Blocked patterns (for example \.env$, \.ssh/). Applied even within allowed directories.

SSRF protection (Server-Side Request Forgery) prevents agents from accessing internal infrastructure.
- Allowed hosts (for example api.example.com).
- Blocked CIDRs (for example 10.0.0.0/8, and 169.254.0.0/16 for cloud metadata).

The Command Sanitizer controls shell command execution. It is a full-width card because command security deserves extra attention.
- Allowed commands (for example git, npm, node).
- Blocked patterns (for example curl.*\|.*sh, rm -rf).

Audit records every tool invocation for compliance and debugging.
- Redacted fields (for example password, api_key, custom_secret).

Rate Limit sets per-tool call limits using a token bucket algorithm. Each tool has:
- a max: the bucket capacity, which bounds how many calls can be made in a burst
- a refill: how many tokens are returned to the bucket per minute
Default limits vary by tool type:
| Tool | Default Max | Default Refill |
|---|---|---|
| bash | 10/min | 10/min |
| browser | 20/min | 20/min |
| web_fetch, web_search | 30/min | 30/min |
| read, write, edit, glob, grep, memory | 60/min | 60/min |
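A token bucket that enforces the defaults in the table above, added here as an example rather than taken from the product. The clock is injected so the walkthrough is deterministic; treating tools not listed in the table like bash (the tightest tier) is an assumption of this example, not something the page states.

```javascript
// Added example (not the product's own code): a per-tool token bucket using the
// page's default limits. "max" is the bucket size, "refill" is tokens per minute.

const DEFAULT_LIMITS = {
  bash:       { max: 10, refill: 10 },
  browser:    { max: 20, refill: 20 },
  web_fetch:  { max: 30, refill: 30 }, web_search: { max: 30, refill: 30 },
  read: { max: 60, refill: 60 }, write: { max: 60, refill: 60 }, edit: { max: 60, refill: 60 },
  glob: { max: 60, refill: 60 }, grep: { max: 60, refill: 60 }, memory: { max: 60, refill: 60 },
};
const MS_PER_MIN = 60000;

class ToolRateLimiter {
  constructor(limits = DEFAULT_LIMITS, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.buckets = new Map(); // tool -> { tokens, max, refillPerMin, last }
  }

  bucketFor(tool) {
    let b = this.buckets.get(tool);
    if (!b) {
      // Assumption: a tool missing from the table gets the bash (tightest) tier.
      const cfg = this.limits[tool] || this.limits.bash;
      b = { tokens: cfg.max, max: cfg.max, refillPerMin: cfg.refill, last: this.now() };
      this.buckets.set(tool, b);
    }
    return b;
  }

  // Lazily add the tokens earned since the last call, capped at the bucket size
  // so idle time never builds up an unbounded burst.
  refill(b) {
    const t = this.now();
    b.tokens = Math.min(b.max, b.tokens + ((t - b.last) * b.refillPerMin) / MS_PER_MIN);
    b.last = t;
  }

  // Spend one token if available; otherwise report how long until the next one.
  tryAcquire(tool) {
    const b = this.bucketFor(tool);
    this.refill(b);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    const retryAfterMs = Math.ceil(((1 - b.tokens) * MS_PER_MIN) / b.refillPerMin);
    return { allowed: false, remaining: 0, retryAfterMs };
  }
}

// Walkthrough: an agent hammers bash, hits the limit, then waits for one refill.
function simulateBashBurst() {
  let clock = 0;
  const rl = new ToolRateLimiter(DEFAULT_LIMITS, () => clock);
  const burst = [];
  for (let i = 0; i < 11; i++) burst.push(rl.tryAcquire('bash'));
  clock += 6000; // at 10 tokens/min one token arrives every 6 s
  const afterWait = rl.tryAcquire('bash');
  return {
    allowedInBurst: burst.filter(r => r.allowed).length,
    retryAfterMs: burst[10].retryAfterMs,
    allowedAfterWait: afterWait.allowed,
  };
}
```

The `retryAfterMs` value is what a caller would surface to the agent so it backs off instead of spinning on denied calls; raising max widens the burst, raising refill raises the sustained rate.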
The Circuit Breaker automatically stops calling a tool after consecutive failures. This prevents wasting tokens on broken integrations.
Telemetry collects execution timing, success rates, and usage patterns. It is useful for identifying slow tools, optimizing workflows, and capacity planning.
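The three operational controls together (audit with redacted fields, a consecutive-failure circuit breaker, and timing/success-rate telemetry) as one added example wrapping a tool invocation. This is not the product's own code; the failure threshold, the `[REDACTED]` marker, and the flaky API used in the walkthrough are constructed for illustration, while the redacted field list follows the page's examples.

```javascript
// Added example (not the product's own code): a guard around each tool call that
// writes a redacted audit record, opens a circuit after N consecutive failures,
// and accumulates timing and success-rate telemetry. Threshold and names assumed.

const REDACTED_FIELDS = ['password', 'api_key', 'custom_secret'];

// Recursively mask any key on the redaction list before it reaches the audit log.
function redact(value, fields = REDACTED_FIELDS) {
  if (Array.isArray(value)) return value.map(v => redact(v, fields));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = fields.includes(k) ? '[REDACTED]' : redact(v, fields);
    }
    return out;
  }
  return value;
}

class ToolGuard {
  constructor({ maxConsecutiveFailures = 3, now = () => Date.now() } = {}) {
    this.threshold = maxConsecutiveFailures;
    this.now = now;
    this.state = new Map();     // tool -> { consecutiveFailures, open }
    this.audit = [];            // redacted audit records, one per invocation
    this.telemetry = new Map(); // tool -> { calls, successes, totalMs, maxMs }
  }

  stats(tool) {
    if (!this.telemetry.has(tool)) this.telemetry.set(tool, { calls: 0, successes: 0, totalMs: 0, maxMs: 0 });
    return this.telemetry.get(tool);
  }

  breaker(tool) {
    if (!this.state.has(tool)) this.state.set(tool, { consecutiveFailures: 0, open: false });
    return this.state.get(tool);
  }

  isOpen(tool) { return this.breaker(tool).open; }

  // fn(args) is the real tool; it returns a value or throws on failure.
  invoke(tool, args, fn) {
    const b = this.breaker(tool);
    if (b.open) {
      this.audit.push({ tool, args: redact(args), outcome: 'rejected', reason: 'circuit open' });
      throw new Error(`circuit breaker open for ${tool}`);
    }
    const s = this.stats(tool);
    const start = this.now();
    s.calls += 1;
    try {
      const result = fn(args);
      b.consecutiveFailures = 0; // any success closes the failure streak
      s.successes += 1;
      this.record(tool, args, 'success', start, s);
      return result;
    } catch (err) {
      b.consecutiveFailures += 1;
      if (b.consecutiveFailures >= this.threshold) b.open = true;
      this.record(tool, args, 'failure', start, s, err.message);
      throw err;
    }
  }

  record(tool, args, outcome, start, s, error) {
    const ms = this.now() - start;
    s.totalMs += ms;
    s.maxMs = Math.max(s.maxMs, ms);
    this.audit.push({ tool, args: redact(args), outcome, durationMs: ms, ...(error ? { error } : {}) });
  }

  report(tool) {
    const s = this.stats(tool);
    return {
      calls: s.calls,
      successRate: s.calls ? s.successes / s.calls : 0,
      avgMs: s.calls ? s.totalMs / s.calls : 0,
      maxMs: s.maxMs,
      open: this.isOpen(tool),
    };
  }

  // After the root cause is fixed, close the circuit explicitly instead of disabling the breaker.
  reset(tool) { this.state.set(tool, { consecutiveFailures: 0, open: false }); }
}

// Walkthrough with a constructed flaky API: one success, three failures, then a rejected call.
function walkthrough() {
  let clock = 0;
  const guard = new ToolGuard({ maxConsecutiveFailures: 3, now: () => clock });
  const flakyApi = (args) => { clock += 50; if (args.fail) throw new Error('HTTP 500'); return 'ok'; };
  const out = [];
  out.push(guard.invoke('web_fetch', { url: 'https://api.example.com', api_key: 'k-123' }, flakyApi));
  for (let i = 0; i < 3; i++) {
    try { guard.invoke('web_fetch', { fail: true, password: 'p' }, flakyApi); } catch (e) { out.push(e.message); }
  }
  try { guard.invoke('web_fetch', { fail: false }, flakyApi); } catch (e) { out.push(e.message); }
  return { out, report: guard.report('web_fetch'), audit: guard.audit };
}
```

The rejected call costs no API round trip and no tokens, which is the point of the breaker; the audit trail still shows it, and the report's success rate and timings are what telemetry would chart to spot the failing or slow tool.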
Add 169.254.0.0/16 to the blocked CIDRs to prevent credential theft via the cloud metadata endpoint. Block rm -rf /, curl | sh, and chmod 777 in the Command Sanitizer.

If the agent cannot read a file it should have access to, check the Path Sandbox allowed directories: the file's parent directory must be in the whitelist. Also check the blocked patterns; a broad regex like \.json$ could block needed config files.
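How the three security-domain controls (Path Sandbox, SSRF blocked CIDRs, Command Sanitizer) can be evaluated for a tool call, as an added example that is not the product's own code. The policy values are constructed from the page's examples and the hardening tips above; the function names are assumptions, and blocked patterns are treated as regular expressions, which is what the page's examples look like. The path check normalizes `..` segments and the URL check runs against the resolved address, since those are the two cases a prefix or hostname comparison alone would miss.

```javascript
// Added example (not the product's own code): evaluating a tool call against a
// constructed tool-security policy. Function names and structure are assumptions.

const policy = {
  pathSandbox: { allowedDirs: ['/home/user/project'], blockedPatterns: ['\\.env$', '\\.ssh/'] },
  ssrf: { allowedHosts: ['api.example.com'], blockedCidrs: ['10.0.0.0/8', '169.254.0.0/16'] },
  commandSanitizer: {
    allowedCommands: ['git', 'npm', 'node'],
    blockedPatterns: ['curl.*\\|.*sh', 'rm -rf', 'chmod 777'],
  },
};

// Collapse "." and ".." so "/home/user/project/../../.ssh/id_rsa" is judged by
// where it really points, not by the prefix it starts with.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

function checkPath(p, cfg = policy.pathSandbox) {
  const norm = normalizePath(p);
  const inAllowed = cfg.allowedDirs.some(d => {
    const base = normalizePath(d);
    return norm === base || norm.startsWith(base + '/'); // "/project-evil" must not pass
  });
  if (!inAllowed) return { allowed: false, reason: 'outside allowed directories' };
  // Blocked patterns apply even inside allowed directories.
  const hit = cfg.blockedPatterns.find(re => new RegExp(re).test(norm));
  return hit ? { allowed: false, reason: `matches blocked pattern ${hit}` } : { allowed: true };
}

// IPv4 helpers for CIDR matching. Resolution is done by the caller; the check
// takes the resolved address so a friendly hostname cannot hide a private target.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), n = ipv4ToInt(net);
  if (a === null || n === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

function checkUrl(url, resolvedIp, cfg = policy.ssrf) {
  const host = new URL(url).hostname;
  if (!cfg.allowedHosts.includes(host)) return { allowed: false, reason: `host ${host} not in allow list` };
  const hit = cfg.blockedCidrs.find(c => inCidr(resolvedIp, c));
  return hit ? { allowed: false, reason: `resolves into blocked range ${hit}` } : { allowed: true };
}

function checkCommand(cmd, cfg = policy.commandSanitizer) {
  // Blocked patterns are checked over the whole line first, so a pipe into sh
  // is caught even when the leading program would otherwise be allowed.
  const hit = cfg.blockedPatterns.find(re => new RegExp(re).test(cmd));
  if (hit) return { allowed: false, reason: `matches blocked pattern ${hit}` };
  const program = cmd.trim().split(/\s+/)[0];
  return cfg.allowedCommands.includes(program)
    ? { allowed: true }
    : { allowed: false, reason: `command ${program} not allowed` };
}
```

When debugging a blocked read, the `reason` distinguishes the two failure modes the troubleshooting note above describes: a parent directory missing from the whitelist versus a blocked pattern that is broader than intended.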
A rate limit error means the agent is calling the tool faster than the configured rate. Increase the max/refill values for that tool, or investigate why the agent is making so many rapid calls.
An open circuit breaker means the underlying tool or API is failing repeatedly. Fix the root cause (API down, wrong credentials, and so on) rather than disabling the circuit breaker.
Reset to Org Defaults sends empty overrides to the server. If values still appear customized, refresh the page; the merged view may be showing org defaults that look different from what you expected.
The save bar only appears when the merged config differs from what was loaded. If you change a value back to its original, the dirty state clears; make a definitive change to trigger it.