This feature is introduced in PraisonAI PR #2575. The
workspace_root parameter is set on PermissionManager directly. When workspace_root=None (the default), no boundary check runs and existing behaviour is unchanged.PermissionManager boundary described here is complementary to the EditTools fallback root introduced in PR #2981 — see File Editing → Constructor Parameters.
Quick Start
1
Enable workspace boundary
Create a When the manager checks
PermissionManager with workspace_root and the boundary gate activates automatically:cat /etc/passwd, it returns needs_approval=True — even if a broad bash:cat * → allow rule is set.2
Pre-authorise an external directory
Add a rule to allow a specific external directory without prompting:
How It Works
What Triggers the Gate
Any path that resolves outsideworkspace_root triggers an external_dir: approval request.
Bare PATH-resolved command names like
ls, rm, cat are not boundary-checked — only tokens that reference the filesystem by path. An executable named /tmp/tool.sh is checked; a bare ls is not.Aggregation with Existing Rules
The workspace boundary fits into the same deny→ask→allow aggregation as all other permission checks.
Deny always wins — an explicit deny on
bash:rm * or external_dir:* beats the boundary ask, and an explicit deny cannot be overridden by a boundary allow.
Backward Compatibility
Whenworkspace_root is None (the default), no boundary check runs and behaviour is 100% unchanged. Only opting in to workspace_root activates the gate — no existing code breaks.
Fail-Closed Behaviour
Pre-Authorising External Directories
- CLI
- YAML
- Python
Best Practices
Set workspace_root to your project root in CI runners
Set workspace_root to your project root in CI runners
Point
workspace_root at your checked-out repository path. The agent can freely read and write within the project; anything outside requires explicit pre-authorisation.Combine with external_dir:* → deny for maximum safety
Combine with external_dir:* → deny for maximum safety
Set
external_dir:* → deny to hard-block all out-of-workspace access. No ask prompt appears — the operation is immediately rejected. Use this in high-security CI pipelines.Deny still wins over the boundary gate
Deny still wins over the boundary gate
A
bash:rm * → deny rule fires before the boundary check. You can still hard-block destructive commands regardless of whether the path is inside or outside the workspace.Related
Permissions Module
Programmatic PermissionManager API and configuration options
Command-Aware Permissions
How compound shell commands are decomposed and checked
Declarative Permissions
YAML, CLI, and Python permission policies
Interactive Approval
User-facing approval prompts and backends

