Skip to main content
Set a workspace root and any tool call touching a path outside it asks for extra approval — a single broad allow no longer lets the agent reach your whole machine.
This feature is introduced in PraisonAI PR #2575. The workspace_root parameter is set on PermissionManager directly. When workspace_root=None (the default), no boundary check runs and existing behaviour is unchanged.
The PermissionManager boundary described here is complementary to the EditTools fallback root introduced in PR #2981 — see File Editing → Constructor Parameters.

Quick Start

1

Enable workspace boundary

Create a PermissionManager with workspace_root and the boundary gate activates automatically:
When the manager checks cat /etc/passwd, it returns needs_approval=True — even if a broad bash:cat * → allow rule is set.
2

Pre-authorise an external directory

Add a rule to allow a specific external directory without prompting:

How It Works


What Triggers the Gate

Any path that resolves outside workspace_root triggers an external_dir: approval request.
Bare PATH-resolved command names like ls, rm, cat are not boundary-checked — only tokens that reference the filesystem by path. An executable named /tmp/tool.sh is checked; a bare ls is not.

Aggregation with Existing Rules

The workspace boundary fits into the same deny→ask→allow aggregation as all other permission checks. Deny always wins — an explicit deny on bash:rm * or external_dir:* beats the boundary ask, and an explicit deny cannot be overridden by a boundary allow.

Backward Compatibility

When workspace_root is None (the default), no boundary check runs and behaviour is 100% unchanged. Only opting in to workspace_root activates the gate — no existing code breaks.

Fail-Closed Behaviour

If path_safety cannot be imported, or if a path cannot be resolved (e.g. broken symlink, permission error), the boundary check fails closed — it emits an external_dir: → ask rather than silently allowing the operation. This is intentional and tested behaviour. Do not report it as a bug. If you see unexpected ask prompts in edge-case environments, check whether path resolution is failing.

Pre-Authorising External Directories


Best Practices

Point workspace_root at your checked-out repository path. The agent can freely read and write within the project; anything outside requires explicit pre-authorisation.
If your workflow legitimately reads from /data/ or /shared/, add external_dir:/data/* → allow. This is safer than using --approve-all-tools which bypasses the gate entirely.
Set external_dir:* → deny to hard-block all out-of-workspace access. No ask prompt appears — the operation is immediately rejected. Use this in high-security CI pipelines.
A bash:rm * → deny rule fires before the boundary check. You can still hard-block destructive commands regardless of whether the path is inside or outside the workspace.

Permissions Module

Programmatic PermissionManager API and configuration options

Command-Aware Permissions

How compound shell commands are decomposed and checked

Declarative Permissions

YAML, CLI, and Python permission policies

Interactive Approval

User-facing approval prompts and backends