Understand defense in layers
Security in 100xprompt is not a single switch. It’s a stack of independent controls, each narrowing what can happen before an action reaches your system.The layers are independent by design. Even if one is relaxed - say you pre-approve a class
of edits - the others still apply. Denials always win, so a broad allow can never override a
specific deny.
Layer 1 - Set the permission model
Safety starts with a permission model that governs what the agent may do, tool by tool. Each capability - reading files, editing, running shell commands, fetching from the web, launching subagents - maps to a permission with one of three outcomes.| Action | Meaning |
|---|---|
allow | The agent may proceed without interruption. |
ask | The agent pauses and requests your explicit approval first. |
deny | The action is blocked outright - no prompt, no exception. |
Permission rules live in your
100xprompt.json and can be set at the organization, project,
or agent level. See Permissions for the full rule syntax and
patterns.Switch permission modes
Beyond static rules, a session runs in a mode that shapes how strictly approvals are enforced. Dial the interaction up or down for the task at hand.| Mode | Behavior |
|---|---|
| Default | Uses your configured rules exactly as written. |
| Accept edits | Auto-approves file edits so you can move fast, while other actions still follow policy. |
| Plan | Read-only investigation - the agent can explore and reason but cannot change files or run commands. |
| Auto | Safe actions proceed automatically; anything risky still asks. It can only relax an “ask” to a proceed - it can never override a deny. |
Layer 2 - Approve sensitive actions
Suppose the agent is about to run a command you’d rather see first. When a rule saysask,
the agent stops and shows you exactly what it wants to do - the command, the file, or the
request - before anything happens. You approve once, approve a whole class of similar
actions, or decline. Nothing sensitive runs behind your back.
Because approvals are explicit and shown in full, there is always a clear record of what the
agent was permitted to do - useful for review and for building trust with a new team.
Layer 3 - Bound command execution
Running commands is one of 100xprompt’s most powerful capabilities, so it’s also one of the most carefully governed. Execution is scoped and bounded, not open-ended.Policy-gated
Every command is checked against your permission rules first. Patterns let you allow
routine tooling while gating destructive or unfamiliar commands behind approval.
Scoped to your work
The agent operates within your project’s working directory by default, and reaching
outside it is itself a permissioned action you can require approval for.
Bounded runs
Long-running and background commands are managed with limits so a task can’t run away
unattended.
Read-only when you want
Plan mode lets the agent investigate thoroughly without the ability to execute anything
that changes state.
Layer 4 - Protect credentials
The credentials 100xprompt uses to reach models and providers are stored locally on your machine - not in your project, and not in any file you would share.Stored locally
Access tokens and keys live in your own local configuration directory - never inside the
repository or a shared config file.
Restricted access
The credential store is written with restrictive, owner-only file permissions so other
users on the machine cannot read it.
Sign-in or key
Authenticate with a provider sign-in flow or an API key. Organizations can point teams at
managed access instead of personal keys.
Kept out of sessions
Credentials are not part of the conversation content and are not included when you share
a session.
Know what leaves your machine - and what stays
Clear data flow is central to trust. In broad terms:- Stays local
- Leaves for the model
- Only when you opt in
- Your credentials and access tokens.
- Your files on disk (the agent reads them locally; only the context needed for a task is sent to the model).
- Your configuration and rules files, unless you choose to share or publish them.
- Long-term memory and any facts the agent remembers about how you work.
Sharing is always a deliberate act. You control whether sessions are shared manually,
automatically, or not at all, and any shared session can be made private again.
Guard against leaking secrets
100xprompt avoids capturing sensitive material where it could later be exposed. Its long-term memory, in particular, is explicitly instructed never to store secrets or personal data, and stored facts are scrubbed of credentials as a second line of defense. API keys, tokens, passwords, credentials, private keys, connection strings, and personal contact and payment details are omitted entirely - not paraphrased or referenced. The same guard applies when a session leaves your machine: before a shared session is published, its content is scanned and high-confidence secrets are redacted automatically. Treat this as a safety net rather than a guarantee - review a session before sharing it widely.Secrets excluded from memory
Durable memory captures how you work - not the secrets you happen to mention. Sensitive
values are dropped, not remembered.
PII kept out
Personal contact and payment details are treated the same way and excluded from stored
facts.
Redacted before sharing
When you publish a session, its content is scanned and common credential shapes are
stripped before it leaves your machine.
Credentials out of band
Because keys live in the protected local store rather than in conversation, they don’t
end up in session content in the first place.
Set admin controls at a glance
Everything above is configurable. Admins set the guardrails once and roll them out across a team.| Control | What an admin can do |
|---|---|
| Permission rules | Set allow / ask / deny for each capability, with patterns for fine-grained gating. |
| Default mode | Establish how strictly approvals are enforced by default. |
| Command gating | Allow trusted tooling while requiring approval for destructive or unknown commands. |
| Directory scope | Require approval before the agent reaches outside the project directory. |
| Model & provider limits | Restrict which models and providers the team may use. |
| Sharing policy | Set sharing to manual, automatic, or disabled organization-wide. |
| Deployment choice | Run managed or self-managed to control where work happens and how data flows. |
Because these controls live in configuration your organization owns, you author your security
posture once and apply it consistently - regardless of whether teams run 100xprompt managed
or self-managed. See 100xprompt for teams & enterprise.
Follow these best practices
Start strict, then loosen deliberately
Start strict, then loosen deliberately
Begin with
ask for edits and commands, watch how the agent works in your codebase, and
relax specific rules as you build confidence - rather than starting permissive.Deny the truly dangerous
Deny the truly dangerous
Use explicit
deny rules for irreversible or destructive commands. Denials always win,
so this is a hard backstop regardless of mode.Use plan mode for exploration
Use plan mode for exploration
When you want the agent to investigate or propose an approach without any risk of change,
run in plan mode - it can read and reason but not act.
Keep secrets in the credential store
Keep secrets in the credential store
Authenticate through the sign-in flow or provider keys, never by embedding secrets in
shared configuration or rules files.
Review shared sessions before sharing widely
Review shared sessions before sharing widely
Related
Permissions
Author the allow / ask / deny rules that anchor the safety model.
Teams & enterprise
Roll security policy out across your whole organization.
Memory & context
How the agent remembers your workflow - and what it deliberately doesn’t.