Agent SDKDeploymentSecure Deployment

Secure Deployment

An agent in production can act on your infrastructure with real consequences. The Syntic Agent SDK gives Amara the ability to read files, run commands, and call tools — powerful in development, but something you must deliberately constrain before exposing it to untrusted input or production systems. Secure deployment is about reducing what the agent can do to the minimum it needs to do.

Sandbox the workspace

Run agents against an isolated copy of the code and data they operate on, never directly against production stores. A dedicated container, virtual machine, or ephemeral checkout gives you a clean boundary: if a tool call misbehaves, the damage is contained to a disposable environment you can tear down and rebuild.

Scope the agent’s working directory tightly with the cwd option and mount only the paths it requires. Everything outside that directory should be unreachable at the filesystem level, not merely discouraged by the prompt.

Apply least-privilege permissions

Permissions are your primary control surface. Deny broad tool categories by default and allow only the specific operations a workload needs. Combine an allowlist with an approval callback for anything sensitive.

import { query } from "@syntic/agent-sdk";
 
const stream = query({
  prompt,
  options: {
    cwd: "/srv/workspace",
    allowedTools: ["Read", "Grep"],
    disallowedTools: ["Bash"],
  },
});
stream = query(
    prompt=prompt,
    options={
        "cwd": "/srv/workspace",
        "allowed_tools": ["Read", "Grep"],
        "disallowed_tools": ["Bash"],
    },
)

See Permissions for the full model.

Protect secrets and network egress

Never hardcode your Syntic API key. Inject SYNTIC_API_KEY from a secrets manager at runtime, rotate it regularly, and keep it out of logs, prompts, and error messages. Grant each deployment its own key so you can revoke one without disrupting others.

Restrict outbound network access to only what the agent requires — typically api.syntic.ai and any explicitly approved tool endpoints. Default-deny egress prevents a compromised or misdirected tool call from reaching arbitrary hosts, exfiltrating data, or pulling untrusted code. Pair egress controls with the hooks system to audit every tool invocation as it happens.