filesystem

FilesystemBackend: Read and write files directly from the filesystem.

Attributes

Functions

Classes

View source on GitHub

Standardized error codes for file upload/download operations.

These represent common, recoverable errors that an LLM can understand and potentially fix:

file_not_found: The requested file doesn't exist (download)
permission_denied: Access denied for the operation
is_directory: Attempted to download a directory as a file
invalid_path: Path syntax is malformed or contains invalid characters

Check if content is empty and return warning message.

Perform string replacement with occurrence validation.

Protocol for pluggable memory backends (single, unified).

Backends can store files in different locations (state, filesystem, database, etc.) and provide a uniform interface for file operations.

All file data is represented as dicts with the following structure::

{
    "content": str,  # Text content (utf-8) or base64-encoded binary
    "encoding": str,  # "utf-8" for text, "base64" for binary data
    "created_at": str,  # ISO format timestamp
    "modified_at": str,  # ISO format timestamp
}

Result from backend edit operations.

Data structure for storing file contents with metadata.

Result of a single file download operation.

The response is designed to allow partial success in batch operations.

The errors are standardized using FileOperationError literals for certain recoverable conditions for use cases that involve LLMs performing file operations.

Structured file listing info.

Minimal contract used across backends. Only path is required. Other fields are best-effort and may be absent depending on backend.

Result of a single file upload operation.

The response is designed to allow partial success in batch operations.

The errors are standardized using FileOperationError literals for certain recoverable conditions for use cases that involve LLMs performing file operations.

Result from backend glob operations.

A single match from a grep search.

Result from backend grep operations.

Result from backend ls operations.

Result from backend read operations.

Result from backend write operations.

Backend that reads and writes files directly from the filesystem.

Files are accessed using their actual filesystem paths. Relative paths are resolved relative to the current working directory. Content is read/written as plain text, and metadata (timestamps) are derived from filesystem stats.

Security Warning

This backend grants agents direct filesystem read/write access. Use with caution and only in appropriate environments.

Appropriate use cases:

Local development CLIs (coding assistants, development tools)
CI/CD pipelines (see security considerations below)

Inappropriate use cases:

Web servers or HTTP APIs - use StateBackend, StoreBackend, or SandboxBackend instead

Security risks:

Agents can read any accessible file, including secrets (API keys, credentials, .env files)
Combined with network tools, secrets may be exfiltrated via SSRF attacks
File modifications are permanent and irreversible

Recommended safeguards:

Enable Human-in-the-Loop (HITL) middleware to review sensitive operations
Exclude secrets from accessible filesystem paths (especially in CI/CD)
For production environments, prefer StateBackend, StoreBackend or SandboxBackend

In general, we expect this backend to be used with Human-in-the-Loop (HITL) middleware, or within a properly sandboxed environment if you need to run untrusted workloads.

Note

virtual_mode=True is primarily for virtual path semantics (for example with CompositeBackend). It can also provide path-based guardrails by blocking traversal (.., ~) and absolute paths outside root_dir, but it does not provide sandboxing or process isolation. The default (virtual_mode=False) provides no security even with root_dir set.

LangChain Assistant

Menu

filesystem

Attributes

Functions

Classes