Permissioning & Access Control Kit
Role-based access control for agent tools. Define which tools each agent role can use.
Roles
Settings
When enforcement is off, violations are logged but not blocked.
Permission Check
Standard Agent
Web Search: low
Code Execution: high
File Write: high
File Read: medium
External API Call: medium
Database Query: high
Send Email: high
Calculator: low
Integration Code
import { createAccessControl, Role } from 'agent-tools-kit/safety'

// audit, approvalQueue, myTool and agent are not defined in this snippet;
// they are assumed to come from the host application.
const acl = createAccessControl({
  roles: [
    // Per-tool decision for the role: 'allow', 'ask' or 'deny'
    Role.define('standard-agent', {
      'web-search': 'allow',
      'code-exec': 'ask',
      'file-write': 'deny',
      'file-read': 'allow',
      'api-call': 'ask',
      'db-query': 'deny',
      'email-send': 'ask',
      'calculator': 'allow'
    }),
  ],
  // When false, violations are logged but not blocked
  enforce: true,
  // Record every denied call for later review
  onDeny: (ctx) => {
    audit.log('permission_denied', {
      agentId: ctx.agentId,
      tool: ctx.toolName,
      role: ctx.role,
      reason: ctx.reason,
    })
  },
  onAsk: async (ctx) => {
    // Trigger human-in-the-loop approval
    return await approvalQueue.request({
      agentId: ctx.agentId,
      tool: ctx.toolName,
      timeout: 30_000,
    })
  }
})

// Wrap tool execution with permission checks
// (the role must match the id passed to Role.define above)
const protectedTool = acl.wrap(myTool, { role: 'standard-agent' })

// Or use as middleware
agent.use(acl.middleware())
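
The allow / ask / deny decision and the enforce switch from the configuration above, as an added stand-alone example (not code from agent-tools-kit, whose internals the page does not show). Assumed here: an unknown role or unlisted tool defaults to deny, an approval that times out or errors counts as not approved, and `checkPermission`, `approve`, `timeoutMs` and `log` are hypothetical names.

```javascript
// Added example: stand-alone sketch, not agent-tools-kit's implementation.
const POLICY = {
  'standard-agent': {
    'web-search': 'allow', 'code-exec': 'ask', 'file-write': 'deny',
    'file-read': 'allow', 'api-call': 'ask', 'db-query': 'deny',
    'email-send': 'ask', 'calculator': 'allow',
  },
};

// Own-property lookup so names like 'constructor' never match the prototype.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Resolve to false if the approver has not answered within ms (fail closed).
function withTimeout(promise, ms) {
  let timer;
  const expired = new Promise((resolve) => {
    timer = setTimeout(() => resolve(false), ms);
  });
  return Promise.race([promise, expired]).finally(() => clearTimeout(timer));
}

// approve, timeoutMs and log are hypothetical parameters of this sketch.
async function checkPermission({ role, tool, enforce = true, approve,
                                 timeoutMs = 30_000, log = [] }) {
  // Assumption: an unknown role or unlisted tool is treated as 'deny'.
  const rule = own(POLICY, role) && own(POLICY[role], tool)
    ? POLICY[role][tool] : 'deny';
  let granted = rule === 'allow';
  let reason = `rule:${rule}`;
  if (rule === 'ask') {
    try {
      const answer = await withTimeout(Promise.resolve(approve({ role, tool })), timeoutMs);
      granted = answer === true;
    } catch {
      granted = false; // approver missing or threw: treat as not approved
    }
    reason = granted ? 'approved' : 'not-approved';
  }
  if (!granted) log.push({ event: 'permission_denied', role, tool, reason });
  // With enforce off, the violation is logged but the call is not blocked.
  return { allowed: granted || !enforce, violation: !granted, reason };
}
```

Under the default-deny assumption, a role id that does not match a defined role (for example `'standard'` instead of `'standard-agent'`) denies every tool rather than silently granting access.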