Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt

Use this file to discover all available pages before exploring further.

The Tool Permission plugin filters which tools an agent is allowed to invoke. It evaluates the requested tools before execution and removes any tool calls that are not permitted by your allow/deny policies.

What it does

  • Inspects agent requests to determine which tools are being requested (PreRequest)
  • Applies an allow/deny policy using a whitelist and/or denylist
  • Edits the request to remove disallowed tools; continues with allowed ones
  • Permissive behavior on parsing issues (request is allowed if no tools are detected or content can’t be parsed)

Configuration Parameters

ParameterTypeDescriptionRequiredDefault
white_listarrayList of tool names explicitly allowedCond.[]
deny_listarrayList of tool names explicitly deniedCond.[]
providerstringLLM request format provider (e.g., openai)Noopenai
Requirement: at least one of white_list or deny_list must be provided. Behavior notes:
  • Stage: PreRequest
  • If there is no body, no tools, or parsing fails, the request proceeds unchanged

Prerequisites

These agent security plugins require upstreams configured in provider mode. See Upstream Services & Routing for details: /trustgate/core-concepts/upstream-services-overview Example upstream (provider mode): 
{
  "name": "{{upstream_service_name}}",
  "algorithm": "round-robin",
  "targets": [
    {
      "provider": "openai",
      "provider_options": { "api": "responses" },
      "weight": 50,
      "priority": 1,
      "default_model": "gpt-4o-mini",
      "models": ["gpt-4", "gpt-4o-mini"],
      "stream": false,
      "credentials": { "api_key": "" }
    }
  ]
}

Example configuration

Whitelist example (only allow specific tools): 
{
  "name": "tool_permission",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "parallel": false,
  "settings": {
    "provider": "openai",
    "white_list": ["web_search", "db_query"],
    "deny_list": []
  }
}
Denylist example (block specific tools): 
{
  "name": "tool_permission",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "parallel": false,
  "settings": {
    "provider": "openai",
    "white_list": [],
    "deny_list": ["web_scrape", "exec_shell"]
  }
}

Compatibility

Currently supports agents using the OpenAI LLM request/response format only.

Best practices

  • Prefer white_list in sensitive environments to reduce risk surface
  • Keep lists concise and review them regularly as your agent evolves
  • Combine with Tool Guard (content risk) and Tool Budget Limiter (cost control)