feat(sdk): add permissions system for filesystem access control#2633
Merged
Nick Hollon (nick-hollon-lc) merged 9 commits intomainfrom Apr 10, 2026
Merged
feat(sdk): add permissions system for filesystem access control#2633Nick Hollon (nick-hollon-lc) merged 9 commits intomainfrom
Nick Hollon (nick-hollon-lc) merged 9 commits intomainfrom
Conversation
Introduce `FilesystemPermission` and `ToolPermission` dataclasses with first-match-wins evaluation and glob pattern matching via wcmatch. `FilesystemMiddleware` enforces path-level read/write rules; `ToolPermissionMiddleware` enforces tool-level rules at the `wrap_tool_call` boundary. Subagents inherit parent permissions unless they specify their own. Also fixes grep tool missing `validate_path` call on its path argument, which previously allowed path traversal bypasses on grep specifically.
Nick Hollon (nick-hollon-lc)
requested review from
Eugene Yurtsev (eyurtsev),
Hunter Lovell (hntrl) and
Sydney Runkle (sydney-runkle)
github-actions
bot
added
deepagents
Hunter Lovell (hntrl)
previously approved these changes
Apr 9, 2026
Comment on lines
+73
to
+74
| # Disable a tool entirely | ||
| ToolPermission(name="execute", mode="deny") |
Member
There was a problem hiding this comment.
would our guidance be to just remove the tool entirely? (e.g. configurability)
Contributor
Author
There was a problem hiding this comment.
not sure i totally uderstand this question. just an example of disabling a tool completely here
| from deepagents.permissions import ToolPermission | ||
|
|
||
| # Allow only pytest invocations, deny everything else | ||
| ToolPermission(name="execute", args={"command": "pytest *"}) |
Member
There was a problem hiding this comment.
is this just intended for pattern matching on basic tool call args? What happens if I have a tool schema thats not just dict[str, str]?
Contributor
Author
There was a problem hiding this comment.
yeah just for basic args. it will stringify the arg before attempting the comparison
…ything. use artifacts on tool message to pass out enough info for post filtering in the permission middleware
Nick Hollon (nick-hollon-lc)
changed the title
Sydney Runkle (sydney-runkle)
previously approved these changes
Apr 10, 2026
Collaborator
Sydney Runkle (sydney-runkle)
left a comment
Sydney Runkle (sydney-runkle)
left a comment
There was a problem hiding this comment.
excited about this!! great work, approving pending comments are addressed
fast follows -- return ToolMessage from all filesystem tools + status of error instead of just error strings for relevant cases
figure out what we're doing for ToolPermissions + execute stuff
…f error when we fail because permission denied
Collaborator
|
OK this looks pretty good!
|
Sydney Runkle (sydney-runkle)
approved these changes
Apr 10, 2026
Mason Daugherty (mdrxy)
added a commit
that referenced
this pull request
Apr 10, 2026
> [!CAUTION] > Merging this PR will automatically publish to **PyPI** and create a **GitHub release**. For the full release process, see [`.github/RELEASING.md`](https://github.com/langchain-ai/deepagents/blob/main/.github/RELEASING.md). --- _Everything below this line will be the GitHub release body._ --- ## [0.5.2](deepagents==0.5.1...deepagents==0.5.2) (2026-04-10) ### Features * Permissions system for filesystem access control ([#2633](#2633)) ([41dc759](41dc759)) * Scope permissions to routes for composite backends with sandbox default ([#2659](#2659)) ([6dd6122](6dd6122)) * Raise `ValueError` for permission paths without leading slash and path traversal ([#2665](#2665)) ([723d27d](723d27d)) * Implement `upload_files` for `StateBackend` ([#2661](#2661)) ([5798345](5798345)) ### Bug Fixes * Catch `PermissionError` in `FilesystemBackend` ripgrep ([#2571](#2571)) ([3d5d673](3d5d673)) --- _Everything above this line will be the GitHub release body._ --- > [!NOTE] > A **New Contributors** section is appended to the GitHub release notes automatically at publish time (see [Release Pipeline](https://github.com/langchain-ai/deepagents/blob/main/.github/RELEASING.md#release-pipeline), step 2). --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Mason Daugherty <github@mdrxy.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Examples
Read-only agent (no writes anywhere):
Sandbox the agent to a workspace directory:
Protect examples while allowing broad access:
Subagent with tighter permissions than the parent:
What it enforces
ls,read_file,glob,grep,write_file,edit_file) when the canonicalized path matches a deny rule. Paths are resolved viavalidate_path()to prevent traversal bypasses.ls,glob, andgrepresults usingToolMessage.artifact(the structured backend result object), then rebuilds the content string.permissionsby default. A subagent can specify its ownpermissionsfield, which replaces the parent's rules entirely.PermissionMiddlewareis placed last in the middleware stack so it sees all tools (including those injected by other middleware).What it does not enforce
executetool: shell commands can trivially bypass filesystem restrictions. Rather than silently failing, the middleware raisesNotImplementedErrorat init if the backend supports execution.ToolPermissionrules but they were deferred — pattern-matching tool arguments with globs is unsafe for shell commands and type coercion of non-string args is a footgun.