Documentation Index
Fetch the complete documentation index at: https://nvd-54.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
使用声明式权限规则控制智能体可以读写的文件和目录。将规则列表传递给 permissions=,智能体的内置文件系统工具将遵守这些规则。
权限仅适用于内置文件系统工具(ls、read_file、glob、grep、write_file、edit_file)。自定义工具和访问文件系统的 MCP 工具不在覆盖范围内。权限也不适用于沙箱后端,后者通过 execute 工具支持任意命令执行。
当你需要在内置文件系统工具上实施基于路径的允许/拒绝规则时,使用 permissions。当你需要自定义验证逻辑(速率限制、审计日志、内容检查)或需要控制自定义工具时,使用后端策略钩子。 基本用法
将 FilesystemPermission 规则列表传递给 create_deep_agent。规则按声明顺序评估。首条匹配的规则生效。如果没有规则匹配,操作被允许。
from deepagents import FilesystemPermission, create_deep_agent
# Read-only agent: deny all writes
agent = create_deep_agent(
model=model,
backend=backend,
permissions=[
FilesystemPermission(
operations=["write"],
paths=["/**"],
mode="deny",
),
],
)
规则结构
每个 FilesystemPermission 有三个字段:
| 字段 | 类型 | 说明 |
|---|
operations | list["read" | "write"] | 此规则适用的操作。"read" 覆盖 ls、read_file、glob、grep。"write" 覆盖 write_file、edit_file。 |
paths | list[str] | 用于匹配文件路径的 glob 模式(如 ["/workspace/**"])。支持 ** 进行递归匹配和 {a,b} 进行交替。 |
mode | "allow" | "deny" | 是否允许或拒绝匹配的操作。默认为 "allow"。 |
operations 和 paths 匹配当前调用的规则决定结果。如果没有规则匹配,调用被允许(宽容的默认行为)。
隔离到工作区目录
仅允许在 /workspace/ 下读写,拒绝其他所有操作:
agent = create_deep_agent(
model=model,
backend=backend,
permissions=[
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/**"],
mode="allow",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/**"],
mode="deny",
),
],
)
保护特定文件
agent = create_deep_agent(
model=model,
backend=backend,
permissions=[
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/.env", "/workspace/examples/**"],
mode="deny",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/**"],
mode="allow",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/**"],
mode="deny",
),
],
)
只读记忆
允许智能体读取记忆文件但阻止修改。这对于组织范围的策略或应仅由应用代码更新的共享知识库很有用。参见只读与可写记忆了解更多背景。
from deepagents.backends import CompositeBackend, StateBackend, StoreBackend
agent = create_deep_agent(
model=model,
backend=CompositeBackend(
default=StateBackend(),
routes={
"/memories/": StoreBackend(
namespace=lambda rt: (rt.server_info.user.identity,),
),
"/policies/": StoreBackend(
namespace=lambda rt: (rt.context.org_id,),
),
},
),
permissions=[
FilesystemPermission(
operations=["write"],
paths=["/memories/**", "/policies/**"],
mode="deny",
),
],
)
拒绝所有访问
阻止所有读取和写入。这是一个限制性基线,你可以在其上叠加更具体的允许规则:
agent = create_deep_agent(
model=model,
backend=backend,
permissions=[
FilesystemPermission(
operations=["read", "write"],
paths=["/**"],
mode="deny",
),
],
)
规则排序
由于首次匹配生效,规则顺序很重要。将更具体的规则放在更宽泛的规则之前:
# Correct: deny .env, allow workspace, deny everything else
correct_permissions = [
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/.env"],
mode="deny",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/**"],
mode="allow",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/**"],
mode="deny",
),
]
# Bug: /workspace/** matches .env first, so the deny never triggers
incorrect_permissions = [
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/**"],
mode="allow",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/.env"],
mode="deny", # never reached
),
FilesystemPermission(
operations=["read", "write"],
paths=["/**"],
mode="deny",
),
]
子智能体权限
子智能体默认继承父智能体的权限。要给子智能体不同的权限,在其规格中设置 permissions 字段。这会完全替换父级的规则。
agent = create_deep_agent(
model=model,
backend=backend,
permissions=[
FilesystemPermission(
operations=["read", "write"],
paths=["/workspace/**"],
mode="allow",
),
FilesystemPermission(
operations=["read", "write"],
paths=["/**"],
mode="deny",
),
],
subagents=[
{
"name": "auditor",
"description": "Read-only code reviewer",
"system_prompt": "Review the code for issues.",
"permissions": [
FilesystemPermission(
operations=["write"],
paths=["/**"],
mode="deny",
),
FilesystemPermission(
operations=["read"],
paths=["/workspace/**"],
mode="allow",
),
FilesystemPermission(
operations=["read"],
paths=["/**"],
mode="deny",
),
],
}
],
)
组合后端
当使用带有沙箱默认值的 CompositeBackend 时,每个权限路径必须限定在已知的路由前缀下。沙箱支持任意命令执行,因此仅靠基于路径的限制无法防止通过 Shell 命令进行文件系统访问。将权限限定到特定路由的后端可以避免此冲突。
from deepagents.backends import CompositeBackend
composite = CompositeBackend(
default=sandbox,
routes={"/memories/": memories_backend},
)
# Works: permissions are scoped to the /memories/ route
agent = create_deep_agent(
model=model,
backend=composite,
permissions=[
FilesystemPermission(
operations=["write"],
paths=["/memories/**"],
mode="deny",
),
],
)
NotImplementedError:
# Raises NotImplementedError: /workspace/** hits the sandbox default
try:
create_deep_agent(
model=model,
backend=composite,
permissions=[
FilesystemPermission(
operations=["write"],
paths=["/workspace/**"],
mode="deny",
),
],
)
except NotImplementedError:
pass
# Also raises: /** covers both routes and the default
try:
create_deep_agent(
model=model,
backend=composite,
permissions=[
FilesystemPermission(
operations=["read"],
paths=["/**"],
mode="deny",
),
],
)
except NotImplementedError:
pass
连接这些文档到 Claude、VSCode 等工具,通过 MCP 获取实时答案。 
