Skip to main content
Workspace sandboxing provides secure, isolated file access for agents, ensuring file operations stay within designated boundaries.
Two workspace concepts: The workspace= parameter on Agent (this page) sandboxes file-tool paths at the agent level. The Workspace Boundary gate (workspace_root on PermissionManager) enforces permission-engine rules for both file tools and shell commands at the rule level. Both can be used together for defence-in-depth.
The user chats with the agent; file tools stay confined to the workspace root.

Quick Start

1

Basic Bot with Workspace

2

Custom Workspace Configuration


How It Works

Workspace containment operates through three key mechanisms:

Configuration Options

Workspace Access Modes

Workspace Configuration

BotConfig Workspace Fields


Common Patterns

Scope Selection Guide

Advanced Path Operations

Read-Only Workspace


Best Practices

Use "session" (default) for most chat bots to isolate conversations. Use "shared" only when agents need to collaborate on files. Use "user" for personal assistants. Use "agent" for specialized single-purpose bots.
Workspaces reject filesystem root access, resolve symlinks to prevent macOS issues, and validate all path operations. Never bypass workspace containment in production deployments.
The default workspace structure is ~/.praisonai/workspaces/<scope>/<session_key>/. This ensures clean separation and predictable file organization across different deployment scenarios.
File tools fall back to os.getcwd() when no workspace is configured, maintaining compatibility with existing code. Bots automatically apply workspace containment for security.

Bot Default Tools

Auto-injected tools that work with workspaces

Self-Improving Skills

How skills interact with workspace containment