Skip to main content
Deep Agents expose a filesystem surface to the agent via tools like ls, read_file, write_file, edit_file, glob, and grep. These tools operate through a pluggable backend. The read_file tool natively supports image files (.png, .jpg, .jpeg, .gif, .webp) across all backends, returning them as multimodal content blocks. The read_file tool natively supports binary files (images, PDFs, audio, video) across all backends, returning a ReadResult with typed content and mimeType. Sandboxes and the LocalShellBackend also provide an execute tool. This page explains how to:

Quickstart

Here are a few prebuilt filesystem backends that you can quickly use with your deep agent:
Built-in backendDescription
Defaultagent = create_deep_agent(model="google_genai:gemini-3.1-pro-preview")
Ephemeral in state. The default filesystem backend for an agent is stored in langgraph state. Note that this filesystem only persists for a single thread.
Local filesystem persistenceagent = create_deep_agent(model="google_genai:gemini-3.1-pro-preview", backend=FilesystemBackend(root_dir="/Users/nh/Desktop/"))
This gives the deep agent access to your local machine’s filesystem. You can specify the root directory that the agent has access to. Note that any provided root_dir must be an absolute path.
Durable store (LangGraph store)agent = create_deep_agent(model="google_genai:gemini-3.1-pro-preview", backend=StoreBackend())
This gives the agent access to long-term storage that is persisted across threads. This is great for storing longer term memories or instructions that are applicable to the agent over multiple executions.
Sandboxagent = create_deep_agent(model="google_genai:gemini-3.1-pro-preview", backend=sandbox)
Execute code in isolated environments. Sandboxes provide filesystem tools plus the execute tool for running shell commands. Choose from Modal, Daytona, Deno, or local VFS.
Local shellagent = create_deep_agent(model="google_genai:gemini-3.1-pro-preview", backend=LocalShellBackend(root_dir=".", env={"PATH": "/usr/bin:/bin"}))
Filesystem and shell execution directly on the host. No isolation—use only in controlled development environments. See security considerations below.
CompositeEphemeral by default, /memories/ persisted. The Composite backend is maximally flexible. You can specify different routes in the filesystem to point towards different backends. See Composite routing below for a ready-to-paste example.

Built-in backends

StateBackend (ephemeral)

import { createDeepAgent, StateBackend } from "deepagents";

// By default we provide a StateBackend
const agent = createDeepAgent();

// Under the hood, it looks like
const agent2 = createDeepAgent({
  backend: new StateBackend(),
});
How it works:
  • Stores files in LangGraph agent state for the current thread via StateBackend.
  • Persists across multiple agent turns on the same thread via checkpoints.
Best for:
  • A scratch pad for the agent to write intermediate results.
  • Automatic eviction of large tool outputs which the agent can then read back in piece by piece.
Note that this backend is shared between the supervisor agent and subagents, and any files a subagent writes will remain in the LangGraph agent state even after that subagent’s execution is complete. Those files will continue to be available to the supervisor agent and other subagents.

FilesystemBackend (local disk)

FilesystemBackend reads and writes real files under a configurable root directory.
This backend grants agents direct filesystem read/write access. Use with caution and only in appropriate environments.Appropriate use cases:
  • Local development CLIs (coding assistants, development tools)
  • CI/CD pipelines (see security considerations below)
Inappropriate use cases:
  • Web servers or HTTP APIs - use StateBackend, StoreBackend, or a sandbox backend instead
Security risks:
  • Agents can read any accessible file, including secrets (API keys, credentials, .env files)
  • Combined with network tools, secrets may be exfiltrated via SSRF attacks
  • File modifications are permanent and irreversible
Recommended safeguards:
  1. Enable Human-in-the-Loop (HITL) middleware to review sensitive operations.
  2. Exclude secrets from accessible filesystem paths (especially in CI/CD).
  3. Use a sandbox backend for production environments requiring filesystem interaction.
  4. Always use virtual_mode=True with root_dir to enable path-based access restrictions (blocks .., ~, and absolute paths outside root). Note that the default (virtual_mode=False) provides no security even with root_dir set.
import { createDeepAgent, FilesystemBackend } from "deepagents";

const agent = createDeepAgent({
  backend: new FilesystemBackend({ rootDir: ".", virtualMode: true }),
});
How it works:
  • Reads/writes real files under a configurable root_dir.
  • You can optionally set virtual_mode=True to sandbox and normalize paths under root_dir.
  • Uses secure path resolution, prevents unsafe symlink traversal when possible, can use ripgrep for fast grep.
Best for:
  • Local projects on your machine
  • CI sandboxes
  • Mounted persistent volumes

LocalShellBackend (local shell)

This backend grants agents direct filesystem read/write access and unrestricted shell execution on your host. Use with extreme caution and only in appropriate environments.Appropriate use cases:
  • Local development CLIs (coding assistants, development tools)
  • Personal development environments where you trust the agent’s code
  • CI/CD pipelines with proper secret management
Inappropriate use cases:
  • Production environments (such as web servers, APIs, multi-tenant systems)
  • Processing untrusted user input or executing untrusted code
Security risks:
  • Agents can execute arbitrary shell commands with your user’s permissions
  • Agents can read any accessible file, including secrets (API keys, credentials, .env files)
  • Secrets may be exposed
  • File modifications and command execution are permanent and irreversible
  • Commands run directly on your host system
  • Commands can consume unlimited CPU, memory, disk
Recommended safeguards:
  1. Enable Human-in-the-Loop (HITL) middleware to review and approve operations before execution. This is strongly recommended.
  2. Run in dedicated development environments only. Never use on shared or production systems.
  3. Use a sandbox backend for production environments requiring shell execution.
Note: virtual_mode=True provides no security with shell access enabled, since commands can access any path on the system.
import { createDeepAgent, LocalShellBackend } from "deepagents";

const backend = new LocalShellBackend({ workingDirectory: "." });
const agent = createDeepAgent({ backend });
How it works:
  • Extends FilesystemBackend with the execute tool for running shell commands on the host.
  • Commands run directly on your machine using subprocess.run(shell=True) with no sandboxing.
  • Supports timeout (default 120s), max_output_bytes (default 100,000), env, and inherit_env for environment variables.
  • Shell commands use root_dir as the working directory but can access any path on the system.
Best for:
  • Local coding assistants and development tools
  • Quick iteration during development when you trust the agent

StoreBackend (LangGraph store)

import { createDeepAgent, StoreBackend } from "deepagents";
import { InMemoryStore } from "@langchain/langgraph";

const store = new InMemoryStore();  // Good for local dev; omit for LangSmith Deployment
const agent = createDeepAgent({
  backend: new StoreBackend({
    namespace: (ctx) => [ctx.runtime.context.userId],
  }),
  store
});
When deploying to LangSmith Deployment, omit the store parameter. The platform automatically provisions a store for your agent.
The namespace parameter controls data isolation. For multi-user deployments, always set a namespace factory to isolate data per user or tenant.
How it works:
  • StoreBackend stores files in a LangGraph BaseStore provided by the runtime, enabling cross‑thread durable storage.
Best for:
  • When you already run with a configured LangGraph store (for example, Redis, Postgres, or cloud implementations behind BaseStore).
  • When you’re deploying your agent through LangSmith Deployment (a store is automatically provisioned for your agent).

Namespace factories

A namespace factory controls where StoreBackend reads and writes data. It receives a LangGraph Runtime and returns a tuple of strings used as the store namespace. Use namespace factories to isolate data between users, tenants, or assistants. Pass the namespace factory to the namespace parameter when constructing a StoreBackend: 
NamespaceFactory = Callable[[Runtime], tuple[str, ...]]
The Runtime provides:
  • rt.context — User-supplied context passed via LangGraph’s context schema (for example, user_id)
  • rt.serverInfo — Server-specific metadata when running on LangGraph Server (assistant ID, graph ID, authenticated user)
  • rt.executionInfo — Execution identity information (thread ID, run ID, checkpoint ID)
The Runtime argument is available in deepagents>=1.9.1. Earlier 1.9.x releases passed a BackendContext instead — see migrating from BackendContext below. rt.serverInfo and rt.executionInfo require deepagents>=1.9.0.
Common namespace patterns: 
import { StoreBackend } from "deepagents";

// Per-user: each user gets their own isolated storage
const backend = new StoreBackend({
  namespace: (rt) => [rt.serverInfo.user.identity],  
});

// Per-assistant: all users of the same assistant share storage
const backend = new StoreBackend({
  namespace: (rt) => [rt.serverInfo.assistantId],  
});

// Per-thread: storage scoped to a single conversation
const backend = new StoreBackend({
  namespace: (rt) => [rt.executionInfo.threadId],  
});
You can combine multiple components to create more specific scopes — for example, (user_id, thread_id) for per-user per-conversation isolation, or append a suffix like "filesystem" to disambiguate when the same scope uses multiple store namespaces. Namespace components must contain only alphanumeric characters, hyphens, underscores, dots, @, +, colons, and tildes. Wildcards (*, ?) are rejected to prevent glob injection.
The namespace parameter will be required in v1.9.0. Always set it explicitly for new code.
When no namespace factory is provided, the legacy default uses the assistant_id from LangGraph config metadata. This means all users of the same assistant share the same storage. For multi-user going to production, always provide a namespace factory.

CompositeBackend (router)

import { createDeepAgent, CompositeBackend, StateBackend, StoreBackend } from "deepagents";
import { InMemoryStore } from "@langchain/langgraph";

const store = new InMemoryStore();
const agent = createDeepAgent({
  backend: new CompositeBackend(
    new StateBackend(),
    {
      "/memories/": new StoreBackend(),
    }
  ),
  store,
});
How it works:
  • CompositeBackend routes file operations to different backends based on path prefix.
  • Preserves the original path prefixes in listings and search results.
Best for:
  • When you want to give your agent both ephemeral and cross-thread storage, a CompositeBackend allows you provide both a StateBackend and StoreBackend
  • When you have multiple sources of information that you want to provide to your agent as part of a single filesystem.
    • e.g. You have long-term memories stored under /memories/ in one Store and you also have a custom backend that has documentation accessible at /docs/.

Specify a backend

  • Pass a backend instance to createDeepAgent({ backend: ... }). The filesystem middleware uses it for all tooling.
  • The backend must implement AnyBackendProtocol (BackendProtocolV1 or BackendProtocolV2) — for example, new StateBackend(), new FilesystemBackend({ rootDir: "." }), new StoreBackend().
  • If omitted, the default is new StateBackend().
Before version 1.9.0, only BackendProtocol was supported which is now BackendProtocolV1. V1 backends are automatically adapted to V2 at runtime via adaptBackendProtocol(). No code changes are required to keep using existing V1 backends. To update to v2, see update existing backends to v2.

Route to different backends

Route parts of the namespace to different backends. Commonly used to persist /memories/* and keep everything else ephemeral. 
import { createDeepAgent, CompositeBackend, FilesystemBackend, StateBackend } from "deepagents";

const agent = createDeepAgent({
  backend: new CompositeBackend(
    new StateBackend(),
    {
      "/memories/": new FilesystemBackend({ rootDir: "/deepagents/myagent", virtualMode: true }),
    },
  ),
});
Behavior:
  • /workspace/plan.mdStateBackend (ephemeral)
  • /memories/agent.mdFilesystemBackend under /deepagents/myagent
  • ls, glob, grep aggregate results and show original path prefixes.
Notes:
  • Longer prefixes win (for example, route "/memories/projects/" can override "/memories/").
  • For StoreBackend routing, ensure a store is provided via create_deep_agent(model=..., store=...) or provisioned by the platform.

Use a virtual filesystem

Build a custom backend to project a remote or database filesystem (e.g., S3 or Postgres) into the tools namespace. Design guidelines:
  • Paths are absolute (/x/y.txt). Decide how to map them to your storage keys/rows.
  • Implement ls and glob efficiently (server-side filtering where available, otherwise local filter).
  • For external persistence (S3, Postgres, etc.), return files_update=None (Python) or omit filesUpdate (JS) in write/edit results — only in-memory state backends need to return a files update dict.
  • Use ls and glob as the method names.
  • All query methods (ls, read, readRaw, grep, glob) must return structured Result objects (e.g., LsResult, ReadResult) with an optional error field.
  • Support binary files in read() by returning Uint8Array content with the appropriate mimeType.
S3-style outline: 
import {
  type BackendProtocolV2,
  type LsResult,
  type ReadResult,
  type ReadRawResult,
  type GrepResult,
  type GlobResult,
  type WriteResult,
  type EditResult,
} from "deepagents";

class S3Backend implements BackendProtocolV2 {
  constructor(private bucket: string, private prefix: string = "") {
    this.prefix = prefix.replace(/\/$/, "");
  }

  private key(path: string): string {
    return `${this.prefix}${path}`;
  }

  async ls(path: string): Promise<LsResult> {
    // List objects under key(path); return { files: [...] }
    ...
  }

  async read(filePath: string, offset?: number, limit?: number): Promise<ReadResult> {
    // Fetch object; return { content, mimeType }
    // For binary files, return Uint8Array content
    ...
  }

  async readRaw(filePath: string): Promise<ReadRawResult> {
    // Return { data: FileData }
    ...
  }

  async grep(pattern: string, path?: string | null, glob?: string | null): Promise<GrepResult> {
    // Search text files; skip binary; return { matches: [...] }
    ...
  }

  async glob(pattern: string, path = "/"): Promise<GlobResult> {
    // Apply glob relative to path; return { files: [...] }
    ...
  }

  async write(filePath: string, content: string): Promise<WriteResult> {
    // Enforce create-only semantics; return { path: filePath, filesUpdate: null }
    ...
  }

  async edit(filePath: string, oldString: string, newString: string, replaceAll?: boolean): Promise<EditResult> {
    // Read → replace → write → return { path, occurrences }
    ...
  }
}
Postgres-style outline:
  • Table files(path text primary key, content text, mime_type text, created_at timestamptz, modified_at timestamptz)
  • Map tool operations onto SQL:
    • ls uses WHERE path LIKE $1 || '%' → return LsResult
    • glob filter in SQL or fetch then apply glob locally → return GlobResult
    • grep can fetch candidate rows by extension or last modified time, then scan lines (skip rows where mime_type is binary) → return GrepResult

Permissions

Use permissions to declaratively control which files and directories the agent can read or write. Permissions apply to the built-in filesystem tools and are evaluated before the backend is called. For the full set of options including rule ordering, subagent permissions, and composite backend interactions, see the permissions guide.

Add policy hooks

For custom validation logic beyond path-based allow/deny rules (rate limiting, audit logging, content inspection), enforce enterprise rules by subclassing or wrapping a backend. Block writes/edits under selected prefixes (subclass): 
import { FilesystemBackend, type WriteResult, type EditResult } from "deepagents";

class GuardedBackend extends FilesystemBackend {
  private denyPrefixes: string[];

  constructor({ denyPrefixes, ...options }: { denyPrefixes: string[]; rootDir?: string }) {
    super(options);
    this.denyPrefixes = denyPrefixes.map(p => p.endsWith("/") ? p : p + "/");
  }

  async write(filePath: string, content: string): Promise<WriteResult> {
    if (this.denyPrefixes.some(p => filePath.startsWith(p))) {
      return { error: `Writes are not allowed under ${filePath}` };
    }
    return super.write(filePath, content);
  }

  async edit(filePath: string, oldString: string, newString: string, replaceAll = false): Promise<EditResult> {
    if (this.denyPrefixes.some(p => filePath.startsWith(p))) {
      return { error: `Edits are not allowed under ${filePath}` };
    }
    return super.edit(filePath, oldString, newString, replaceAll);
  }
}
Generic wrapper (works with any backend): 
import {
  type BackendProtocolV2,
  type LsResult,
  type ReadResult,
  type ReadRawResult,
  type GrepResult,
  type GlobResult,
  type WriteResult,
  type EditResult,
} from "deepagents";

class PolicyWrapper implements BackendProtocolV2 {
  private denyPrefixes: string[];

  constructor(private inner: BackendProtocolV2, denyPrefixes: string[] = []) {
    this.denyPrefixes = denyPrefixes.map(p => p.endsWith("/") ? p : p + "/");
  }

  private isDenied(path: string): boolean {
    return this.denyPrefixes.some(p => path.startsWith(p));
  }

  ls(path: string): Promise<LsResult> { return this.inner.ls(path); }
  read(filePath: string, offset?: number, limit?: number): Promise<ReadResult> { return this.inner.read(filePath, offset, limit); }
  readRaw(filePath: string): Promise<ReadRawResult> { return this.inner.readRaw(filePath); }
  grep(pattern: string, path?: string | null, glob?: string | null): Promise<GrepResult> { return this.inner.grep(pattern, path, glob); }
  glob(pattern: string, path?: string): Promise<GlobResult> { return this.inner.glob(pattern, path); }

  async write(filePath: string, content: string): Promise<WriteResult> {
    if (this.isDenied(filePath)) return { error: `Writes are not allowed under ${filePath}` };
    return this.inner.write(filePath, content);
  }

  async edit(filePath: string, oldString: string, newString: string, replaceAll = false): Promise<EditResult> {
    if (this.isDenied(filePath)) return { error: `Edits are not allowed under ${filePath}` };
    return this.inner.edit(filePath, oldString, newString, replaceAll);
  }
}

Multimodal and binary files

V2 backends support binary files natively. When read() encounters a binary file (determined by MIME type from the file extension), it returns a ReadResult with Uint8Array content and the corresponding mimeType. Text files return string content.

Supported MIME types

CategoryExtensionsMIME types
Images.png, .jpg/.jpeg, .gif, .webp, .svg, .heic, .heifimage/png, image/jpeg, image/gif, image/webp, image/svg+xml, image/heic, image/heif
Audio.mp3, .wav, .aiff, .aac, .ogg, .flacaudio/mpeg, audio/wav, audio/aiff, audio/aac, audio/ogg, audio/flac
Video.mp4, .webm, .mpeg/.mpg, .mov, .avi, .flv, .wmv, .3gppvideo/mp4, video/webm, video/mpeg, video/quicktime, video/x-msvideo, video/x-flv, video/x-ms-wmv, video/3gpp
Documents.pdf, .ppt, .pptxapplication/pdf, application/vnd.ms-powerpoint, application/vnd.openxmlformats-officedocument.presentationml.presentation
Text.txt, .html, .json, .js, .ts, .py, etc.text/plain, text/html, application/json, etc.

Read binary files

const result = await backend.read("/workspace/screenshot.png");

if (result.error) {
  console.error(result.error);
} else if (result.content instanceof Uint8Array) {
  // Binary file — content is Uint8Array, mimeType is set
  console.log(`Binary file: ${result.mimeType}`); // "image/png"
} else {
  // Text file — content is string
  console.log(`Text file: ${result.mimeType}`); // "text/plain"
}

FileData format

FileData is the type used to store file content in state and store backends. 
type FileData =
  // Current format (v2)
  | {
      content: string | Uint8Array; // string for text, Uint8Array for binary
      mimeType: string;             // e.g. "text/plain", "image/png"
      created_at: string;           // ISO 8601 timestamp
      modified_at: string;          // ISO 8601 timestamp
    }
  // Legacy format (v1)
  | {
      content: string[];            // array of lines
      created_at: string;           // ISO 8601 timestamp
      modified_at: string;          // ISO 8601 timestamp
    };
Backends may encounter either format when reading from state or store. The framework handles both transparently. New writes default to the v2 format. During rolling deployments where older readers need the legacy format, pass fileFormat: "v1" to the backend constructor (e.g., new StoreBackend({ fileFormat: "v1" })).

Migrate from backend factories

The backend factory pattern is deprecated. Pass pre-constructed backend instances directly instead of factory functions.
Previously, backends like StateBackend and StoreBackend required a factory function that received a runtime object, because they needed runtime context (state, store) to operate. Backends now resolve this context internally via LangGraph’s get_config(), get_store(), and get_runtime() helpers, so you can pass instances directly.

What changed

Before (deprecated)After
backend=lambda rt: StateBackend(rt)backend=StateBackend()
backend=lambda rt: StoreBackend(rt)backend=StoreBackend()
backend=lambda rt: CompositeBackend(default=StateBackend(rt), ...)backend=CompositeBackend(default=StateBackend(), ...)
backend: (config) => new StateBackend(config)backend: new StateBackend()
backend: (config) => new StoreBackend(config)backend: new StoreBackend()

Deprecated APIs

DeprecatedReplacement
BackendFactory typePass a backend instance directly
BackendRuntime interfaceBackends resolve context internally
StateBackend(runtime, options?) constructor overloadnew StateBackend(options?)
StoreBackend(stateAndStore, options?) constructor overloadnew StoreBackend(options?)
filesUpdate field on WriteResult and EditResultState writes are now handled internally by the backend
The factory pattern still works at runtime and emits a deprecation warning. Update your code to use direct instances before the next major version.

Migration example

// Before (deprecated)
import { createDeepAgent, CompositeBackend, StateBackend, StoreBackend } from "deepagents";

const agent = createDeepAgent({
  backend: (config) => new CompositeBackend(
    new StateBackend(config),
    { "/memories/": new StoreBackend(config, {
      namespace: (rt) => [rt.serverInfo.user.identity],
    }) },
  ),
});

// After
const agent = createDeepAgent({
  backend: new CompositeBackend(
    new StateBackend(),
    { "/memories/": new StoreBackend({
      namespace: (rt) => [rt.serverInfo.user.identity],
    }) },
  ),
});

Migrating from BackendContext

In deepagents>=0.5.2 (Python) and deepagents>=1.9.1 (TypeScript), namespace factories receive a LangGraph Runtime directly instead of a BackendContext wrapper. The old BackendContext form still works via backwards-compatible .runtime and .state accessors, but those accessors emit a deprecation warning and will be removed in deepagents>=0.7. What changed:
  • The factory argument is now a Runtime, not a BackendContext.
  • Drop the .runtime accessor — for example, ctx.runtime.context.user_id becomes rt.server_info.user.identity.
  • There is no direct replacement for ctx.state. Namespace info should be read-only and stable for the lifetime of a run, whereas state is mutable and changes step-to-step—deriving a namespace from it risks data ending up under inconsistent keys. If you have a use case that requires reading agent state, please open an issue.
// Before (deprecated, removed in v0.7)
new StoreBackend({
  namespace: (ctx) => [ctx.runtime.context.userId],  
});

// After
new StoreBackend({
  namespace: (rt) => [rt.serverInfo.user.identity],  
});

Protocol reference

Backends must implement BackendProtocol. Required methods:
  • ls(path: str) -> LsResult
    • Return entries with at least path. Include is_dir, size, modified_at when available. Sort by path for deterministic output.
  • read(file_path: str, offset: int = 0, limit: int = 2000) -> ReadResult
    • Return file data on success. On missing file, return ReadResult(error="Error: File '/x' not found").
  • grep(pattern: str, path: Optional[str] = None, glob: Optional[str] = None) -> GrepResult
    • Return structured matches. On error, return GrepResult(error="...") (do not raise).
  • glob(pattern: str, path: str = "/") -> GlobResult
    • Return matched files as FileInfo entries (empty list if none).
  • write(file_path: str, content: str) -> WriteResult
    • Create-only. On conflict, return WriteResult(error=...). On success, set path and for state backends set files_update={...}; external backends should use files_update=None.
  • edit(file_path: str, old_string: str, new_string: str, replace_all: bool = False) -> EditResult
    • Enforce uniqueness of old_string unless replace_all=True. If not found, return error. Include occurrences on success.
Supporting types:
  • LsResult(error, entries)entries is a list[FileInfo] on success, None on failure.
  • ReadResult(error, file_data)file_data is a FileData dict on success, None on failure.
  • GrepResult(error, matches)matches is a list[GrepMatch] on success, None on failure.
  • GlobResult(error, matches)matches is a list[FileInfo] on success, None on failure.
  • WriteResult(error, path, files_update)
  • EditResult(error, path, files_update, occurrences)
  • FileInfo with fields: path (required), optionally is_dir, size, modified_at.
  • GrepMatch with fields: path, line, text.
  • FileData with fields: content (str), encoding ("utf-8" or "base64"), created_at, modified_at. :::
Backends implement BackendProtocolV2. All query methods return structured Result objects with { error?: string, ...data }.

Required methods

  • ls(path: string) → LsResult
    • List files and directories in the specified directory (non-recursive). Directories have a trailing / in their path and is_dir=true. Include is_dir, size, modified_at when available.
  • read(filePath: string, offset?: number, limit?: number) → ReadResult
    • Read file content. For text files, content is paginated by line offset/limit (default offset 0, limit 500). For binary files, the full raw Uint8Array content is returned with the mimeType field set. On missing file, return { error: "File '/x' not found" }.
  • readRaw(filePath: string) → ReadRawResult
    • Read file content as raw FileData. Returns the full file data including timestamps.
  • grep(pattern: string, path?: string | null, glob?: string | null) → GrepResult
    • Search file contents for a literal text pattern. Binary files (determined by MIME type) are skipped. On failure, return { error: "..." }.
  • glob(pattern: string, path?: string) → GlobResult
    • Return files matching a glob pattern as FileInfo entries.
  • write(filePath: string, content: string) → WriteResult
    • Create-only semantics. On conflict, return { error: "..." }. On success, set path and for state backends set filesUpdate={...}; external backends should use filesUpdate=null.
  • edit(filePath: string, oldString: string, newString: string, replaceAll?: boolean) → EditResult
    • Enforce uniqueness of oldString unless replaceAll=true. If not found, return error. Include occurrences on success.

Optional methods

  • uploadFiles(files: Array<[string, Uint8Array]>) → FileUploadResponse[] — Upload multiple files (for sandbox backends).
  • downloadFiles(paths: string[]) → FileDownloadResponse[] — Download multiple files (for sandbox backends).

Result types

TypeSuccess fieldsError field
ReadResultcontent?: string | Uint8Array, mimeType?: stringerror
ReadRawResultdata?: FileDataerror
LsResultfiles?: FileInfo[]error
GlobResultfiles?: FileInfo[]error
GrepResultmatches?: GrepMatch[]error
WriteResultpath?: stringerror
EditResultpath?: string, occurrences?: numbererror

Supporting types

  • FileInfopath (required), optionally is_dir, size, modified_at.
  • GrepMatchpath, line (1-indexed), text.
  • FileData — File content with timestamps. See FileData format.

Sandbox extension

SandboxBackendProtocolV2 extends BackendProtocolV2 with:
  • execute(command: string) → ExecuteResponse — Run a shell command in the sandbox.
  • readonly id: string — Unique identifier for the sandbox instance.

Update existing backends to V2

Method renames

V1 methodV2 methodReturn type change
lsInfo(path)ls(path)FileInfo[]LsResult
read(filePath, offset, limit)read(filePath, offset, limit)stringReadResult
readRaw(filePath)readRaw(filePath)FileDataReadRawResult
grepRaw(pattern, path, glob)grep(pattern, path, glob)GrepMatch[] | stringGrepResult
globInfo(pattern, path)glob(pattern, path)FileInfo[]GlobResult
write(...)write(...)Unchanged (WriteResult)
edit(...)edit(...)Unchanged (EditResult)

Type renames

V1 typeV2 type
BackendProtocolBackendProtocolV2
SandboxBackendProtocolSandboxBackendProtocolV2

Adaptation utilities

If you have existing V1 backends that you need to use with V2-only code, use the adaptation functions:
import { adaptBackendProtocol, adaptSandboxProtocol } from "deepagents";

// Adapt a V1 backend to V2
const v2Backend = adaptBackendProtocol(v1Backend);

// Adapt a V1 sandbox to V2
const v2Sandbox = adaptSandboxProtocol(v1Sandbox);
The framework auto-adapts V1 backends passed to createDeepAgent(). Manual adaptation is only needed when calling protocol methods directly.
Edit this page on GitHub or file an issue.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.