Class●Since v0.2

FilesystemBackend

Backend that reads and writes files directly from the filesystem.

Files are accessed using their actual filesystem paths. Relative paths are resolved relative to the current working directory. Content is read/written as plain text, and metadata (timestamps) are derived from filesystem stats.

Security Warning

This backend grants agents direct filesystem read/write access. Use with caution and only in appropriate environments.

Appropriate use cases:

Local development CLIs (coding assistants, development tools)
CI/CD pipelines (see security considerations below)

Inappropriate use cases:

Web servers or HTTP APIs - use StateBackend, StoreBackend, or SandboxBackend instead

Security risks:

Agents can read any accessible file, including secrets (API keys, credentials, .env files)
Combined with network tools, secrets may be exfiltrated via SSRF attacks
File modifications are permanent and irreversible

Recommended safeguards:

Enable Human-in-the-Loop (HITL) middleware to review sensitive operations
Exclude secrets from accessible filesystem paths (especially in CI/CD)
For production environments, prefer StateBackend, StoreBackend or SandboxBackend

In general, we expect this backend to be used with Human-in-the-Loop (HITL) middleware, or within a properly sandboxed environment if you need to run untrusted workloads.

Note

virtual_mode=True is primarily for virtual path semantics (for example with CompositeBackend). It can also provide path-based guardrails by blocking traversal (.., ~) and absolute paths outside root_dir, but it does not provide sandboxing or process isolation. The default (virtual_mode=False) provides no security even with root_dir set.

FilesystemBackend(
  self,
  root_dir: str | Path | None = None,
  virtual_mode: bool | None = None,
  max_file_size_mb: int = 10
)

Bases

BackendProtocol

Parameters

Name	Type	Description
`root_dir`	`str \| Path \| None`	Default:`None` Optional root directory for file operations. Defaults to the current working directory. When `virtual_mode=False` (default): Only affects relative path resolution. When `virtual_mode=True`: Acts as a virtual root for filesystem operations.
`virtual_mode`	`bool \| None`	Default:`None` Enable virtual path mode. Primary use case: stable, backend-independent path semantics when used with `CompositeBackend`, which strips route prefixes and forwards normalized paths to the routed backend. When `True`, all paths are treated as virtual paths anchored to `root_dir`. Path traversal (`..`, `~`) is blocked and all resolved paths are verified to remain within `root_dir`. When `False` (default), absolute paths are used as-is and relative paths are resolved under `root_dir`. This provides no security against an agent choosing paths outside `root_dir`. Absolute paths (e.g., `/etc/passwd`) bypass `root_dir` entirely Relative paths with `..` can escape `root_dir` Agents have unrestricted filesystem access
`max_file_size_mb`	`int`	Default:`10` Maximum file size in megabytes for operations like grep's Python fallback search. Files exceeding this limit are skipped during search. Defaults to 10 MB.

Constructors

constructor

__init__

Name	Type
root_dir	str \| Path \| None
virtual_mode	bool \| None
max_file_size_mb	int

Attributes

attribute

cwd

attribute

virtual_mode: virtual_mode

attribute

max_file_size_bytes

Methods

method

ls_info

List files and directories in the specified directory (non-recursive).

method

read

Read file content with line numbers.

method

write

Create a new file with content.

method

edit

Edit a file by replacing string occurrences.

method

grep_raw

Search for a literal text pattern in files.

Uses ripgrep if available, falling back to Python search.

method

glob_info

Find files matching a glob pattern.

method

upload_files

Upload multiple files to the filesystem.

method

download_files

Download multiple files from the filesystem.

Inherited fromBackendProtocol

Methods

Mals_info

—

Async version of ls_info.

Maread

—

Async version of read using native store async methods.

Magrep_raw

—

Async version of grep_raw.

Maglob_info

—

Async version of glob_info.

Mawrite

—

Async version of write using native store async methods.

Maedit

—

Async version of edit using native store async methods.

Maupload_files

—

Async version of upload_files.

Madownload_files

—

Async version of download_files.

View source on GitHub

FilesystemBackend

Bases

Parameters

Constructors

Attributes

Methods

Inherited fromBackendProtocol

Methods

LangChain Assistant

Menu

FilesystemBackend

Bases

Parameters

Constructors

Attributes

Methods

Inherited fromBackendProtocol

Methods

FilesystemBackend

Bases

Used in Docs

Parameters

Constructors

Attributes

Methods

Inherited fromBackendProtocol

Methods

Menu

FilesystemBackend

Bases

Used in Docs

Parameters

Constructors

Attributes

Methods

Inherited fromBackendProtocol

Methods