v2.6.2

A new Workspace toolkit gives agents structured access to a configurable root directory, with operations grouped by capability and destructive actions gated by human-in-the-loop confirmation by default. Read, list, and search run freely. Write, edit, move, delete, and shell pause for explicit approval before they execute. The toolkit is scoped to the directory you pass at construction, bounding an agent's blast radius to the path you specify.

Filesystem and shell access unlock the most useful "agent-as-coworker" patterns, including code generation, document editing, and operational scripts that touch real systems. Shipping these capabilities behind HITL by default makes it safe to put an agent in front of real work and expand write privileges progressively as confidence grows. The confirmation policy is configurable per action, so teams can tighten or loosen oversight without rewriting the agent.

Here's a minimal example. Reads run silently; writes pause for approval:

from agno.agent import Agent
from agno.tools.workspace import Workspace

agent = Agent(
    model=...,
    tools=[Workspace("/path/to/workspace")],
)

run = agent.run("Read draft.md and fix the typo on the line about typos.")

# Reads execute immediately. The edit pauses for confirmation.
while run.is_paused:
    for requirement in run.active_requirements:
        if requirement.needs_confirmation:
            # Inspect requirement.tool_execution, then confirm or reject.
            requirement.confirm()
    run = agent.continue_run(run_id=run.run_id, requirements=run.requirements)

In AgentOS, pauses surface as approval cards in the run timeline. In a plain script, you drive the confirmation loop yourself, as shown above.

See the full cookbook example for the complete pattern, including how to wire up an interactive prompt.