This list is verified against crates/tools/src/specs.rs (mvp_tool_specs)
and the permission-level mappings declared next to each spec.
Permission categories:
| Category | Default behavior in default mode |
|---|
| ReadOnly | Auto-allowed. |
| WriteWorkspace | Prompts for approval. Auto-allowed in acceptEdits. |
| FullAccess | Prompts for approval. Auto-allowed only in bypassPermissions / dontAsk. |
Plan mode (enter_plan_mode) blocks every WriteWorkspace and
FullAccess tool except writes to the plan file itself. The model must
call exit_plan_mode to leave plan mode.
Files & search
| Tool | Permission | Description |
|---|
read_file | ReadOnly | Read a file’s contents (default 2000-line cap, configurable). |
write_file | WriteWorkspace | Create or overwrite a file. |
edit_file | WriteWorkspace | Replace text within an existing file. |
delete_file | WriteWorkspace | Delete a single file (not directories). |
apply_patch | WriteWorkspace | Apply a fuzzy unified-diff patch across one or more files. |
glob_search | ReadOnly | Find files matching a glob pattern. |
grep_search | ReadOnly | Search file contents with regex (ripgrep-style). |
list_dir | ReadOnly | List directory entries with optional recursion. |
Shell & execution
| Tool | Permission | Description |
|---|
bash | FullAccess | Run a shell command, with optional timeout and background-execution. |
bash_session_start | FullAccess | Start an interactive shell session. |
bash_session_read | FullAccess | Read output from an interactive shell session. |
bash_session_write | FullAccess | Write input to an interactive shell session. |
bash_session_close | FullAccess | Close an interactive shell session. |
powershell | FullAccess | Run a PowerShell command (Windows or pwsh cross-platform). |
repl | FullAccess | Execute a code snippet (Python, Node, Ruby, Bash). |
sleep | ReadOnly | Pause execution for a specified duration. |
| Tool | Permission | Description |
|---|
web_fetch | ReadOnly | Fetch and analyze a web page. |
web_search | ReadOnly | Internet search with allowed/blocked domain filters. |
image_generation | WriteWorkspace | Generate images via the active provider’s image model. |
view_image | ReadOnly | Display an image file (auto or original resolution). |
notebook_edit | WriteWorkspace | Edit Jupyter notebook cells (insert / replace / delete). |
Planning & user interaction
| Tool | Permission | Description |
|---|
ask_user_question | ReadOnly | Ask the user a single question or batch with options. |
send_user_message | ReadOnly | Send a message to the user (normal or proactive). |
structured_output | ReadOnly | Emit structured JSON (used by the --output-schema fallback path). |
enter_plan_mode | ReadOnly | Enter plan-design mode (plan-file-only writes). |
exit_plan_mode | ReadOnly | Exit plan mode and request user approval. |
Sub-agents & tasks
| Tool | Permission | Description |
|---|
agent | ReadOnly | Spawn a sub-agent (explore or general type). |
agent_continue | ReadOnly | Send a follow-up message to an existing sub-agent. |
agent_status | ReadOnly | Query a sub-agent’s execution status. |
agent_stop | ReadOnly | Cancel a running sub-agent. |
task_create | ReadOnly | Create a task with subject and description. |
task_update | ReadOnly | Update task status, subject, or dependencies. Accepts single ({taskId, …}) or batch ({updates: […]}) form. |
task_list | ReadOnly | List all tasks. |
task_get | ReadOnly | Retrieve details for a single task. |
todo_write | ReadOnly | Overwrite the todo list. |
send_message | ReadOnly | Inter-agent messaging (target a specific agent or broadcast). |
spawn_agents_on_csv | FullAccess | Spawn agents in parallel from CSV rows with template substitution. |
MCP & workspace
| Tool | Permission | Description |
|---|
list_mcp_resources | ReadOnly | List available resources from configured MCP servers. |
read_mcp_resource | ReadOnly | Read a resource from an MCP server. |
lsp | ReadOnly | Drive the built-in LSP subsystem (definition, references, hover, diagnostics, …). |
enter_worktree | FullAccess | Create or enter a git worktree. |
exit_worktree | FullAccess | Exit a worktree and optionally remove it. |
Automation
| Tool | Permission | Description |
|---|
config | WriteWorkspace | Read or write CLI configuration settings. |
cron_create | WriteWorkspace | Schedule a recurring or one-time job. |
cron_delete | WriteWorkspace | Remove a scheduled job. |
cron_list | ReadOnly | List all scheduled jobs. |
skill | ReadOnly | Execute a skill by name. |
Notes
tool_search is intercepted by the runtime before it reaches the
agent’s tool dispatch path; it does not appear as a registered spec.read_file, glob_search, grep_search, and other ReadOnly tools are
always permitted in plan mode.image_generation requires that the active provider has an image
model configured. With no image model, the call is rejected with a
clear error.
