Gitpulse
Merged
Size
XL
Change Breakdown
Security50%
Refactor30%
Docs20%
#28297fix(core): Remove LocalFilesystemProvider, require computer use for filesystem access (no-changelog)

Direct server filesystem access removed from AI agent

AA
aalises
·Apr 10, 2026

AI agents can no longer read arbitrary server files. All filesystem access now requires users to explicitly run the @n8n/computer-use daemon and grant directory permissions.

The n8n AI agent previously included a direct server filesystem provider that could read files through Node.js filesystem calls. Without the N8N_INSTANCE_AI_FILESYSTEM_PATH environment variable configured, the agent had access to every file the n8n process could reach — including sensitive system files, environment variables, and database storage.

Filesystem access is now exclusively gated through the @n8n/computer-use gateway daemon. Users run npx @n8n/computer-use serve locally on their machine and explicitly choose which project directory to share. The agent can only read files the user has permitted.

The LocalFilesystemProvider class, its InstanceAiFilesystemService interface, four static filesystem tool files, and all related configuration and wiring have been removed. API settings no longer expose localGateway or localGatewayFallbackDirectory fields. The frontend settings UI no longer shows the yellow "local filesystem" indicator.

This change applies to the instance-ai module across the CLI backend and editor frontend. The LocalGateway and computer-use daemon infrastructure remain untouched — only the direct-access fallback was removed.

View Original GitHub Description

Summary

Remove LocalFilesystemProvider entirely from the instance AI module. Filesystem access now exclusively requires the @n8n/computer-use gateway daemon.

Why: The LocalFilesystemProvider gave the AI agent direct read access to the server's disk via Node.js fs/promises. Without explicit N8N_INSTANCE_AI_FILESYSTEM_PATH configuration, the agent could read any file the n8n process can access (/etc/passwd, .env, database files, etc.). The gateway model is inherently more secure — the user explicitly chooses which directory to share when starting the daemon.

What's removed:

  • LocalFilesystemProvider class and its test (CLI backend)
  • N8N_INSTANCE_AI_FILESYSTEM_PATH env var
  • InstanceAiFilesystemService interface and 4 static filesystem tool files (dead code after removing the only implementation)
  • localGateway and localGatewayFallbackDirectory from the API settings response and frontend stores
  • Local filesystem status block from the settings UI (yellow dot + fallback directory)

What stays (untouched):

  • Local Gateway / @n8n/computer-use — all SSE bridge infrastructure
  • localGatewayDisabled admin/user preference (controls whether the gateway is available)
  • N8N_INSTANCE_AI_GATEWAY_API_KEY env var
  • Local sandbox provider ('local' in SandboxProvider) — code execution, unrelated

⚠️ Naming clarification for reviewers

Several removed fields have confusing names that do NOT mean what they sound like:

Removed fieldWhat it actually meantWhat it sounds like
localGateway: boolean (API settings)"Is the local filesystem fallback available?""Is the gateway connected?"
localGatewayFallbackDirectory (API settings)Directory path for LocalFilesystemProviderSomething about gateway fallback
isLocalGatewayEnabled (frontend stores)"Is the local filesystem fallback active?""Is the gateway enabled?"

Gateway connection status was always tracked separately via SSE push events — these fields were exclusively about the now-removed local filesystem fallback.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/AI-2359

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
© 2026 · via Gitpulse