Skip to main content
Control which files and directories an agent can read or write to using declarative permission rules. Pass a list of rules to permissions= and the agent’s built-in filesystem tools respect them.
Permissions require deepagents>=1.9.1.
Permissions only apply to the built-in filesystem tools (ls, read_file, glob, grep, write_file, edit_file). Custom tools and MCP tools that access the filesystem are not covered. Permissions also do not apply to sandbox backends, which support arbitrary command execution via the execute tool.
Use permissions when you need path-based allow/deny rules on the built-in filesystem tools. Use backend policy hooks when you need custom validation logic (rate limiting, audit logging, content inspection) or need to control custom tools.

Basic usage

Pass a list of FilesystemPermission rules to createDeepAgent. Rules are evaluated in declaration order. The first matching rule wins. If no rule matches, the operation is allowed.

Rule structure

Each FilesystemPermission has three fields: Rules use first-match-wins evaluation: the first rule whose operations and paths match the current call determines the outcome. If no rule matches, the call is allowed (permissive default). Paths must be absolute (start with /) and cannot contain .. or ~. Invalid paths throw at agent construction time.

Examples

Isolate to a workspace directory

Allow reads and writes only under /workspace/ and deny everything else:

Protect specific files

Read-only memory

Allow the agent to read memory files but prevent it from modifying them. This is useful for organization-wide policies or shared knowledge bases that should only be updated by application code. See read-only vs writable memory for more context.

Deny all access

Block all reads and writes. This is a restrictive baseline you can layer more specific allow rules on top of:

Rule ordering

Because of first-match-wins, rule order matters. Place more specific rules before broader ones:

Subagent permissions

Subagents inherit the parent agent’s permissions by default. To give a subagent different permissions, set the permissions field in its spec. This replaces the parent’s rules entirely.
To explicitly grant a subagent unrestricted access, set permissions: []. An empty array overrides the parent rules with no restrictions. Omitting permissions inherits from the parent.

Composite backends

When using a CompositeBackend with a sandbox default, every permission path must be scoped under a known route prefix. Sandboxes support arbitrary command execution, so path-based restrictions alone cannot prevent filesystem access through shell commands. Scoping permissions to route-specific backends avoids this conflict.
Permissions that include paths outside any route throw at construction time: