Every action the agent takes is a typed function call. The list below
is the full surface in v1 — there is no hidden eval-style escape
hatch.

Filesystem

| Tool | Description | Approval |
|---|---|---|
| `read_file(path, range?)` | Read part or all of a file | None |
| `list_dir(path)` | List a directory | None |
| `grep(pattern, glob?)` | Project-wide ripgrep search | None |
| `apply_patch(diff)` | Apply a unified diff | Per-patch |
| `write_file(path, content)` | Overwrite a file | Per-file |
| `delete_file(path)` | Move to OS trash | Per-file, never bypassable |

Terminal (L3 only)

| Tool | Description | Approval |
|---|---|---|
| `run_command(cmd, cwd?)` | Execute a shell command | Per-command |
| `kill_process(pid)` | Kill a process the agent started | None |

The terminal runs inside a sandboxed working directory pinned to the
project root. `cd ..` outside the project root is blocked.

Git

| Tool | Description | Approval |
|---|---|---|
| `git_status` | `git status --porcelain` | None |
| `git_diff(staged?)` | Show staged or unstaged diff | None |
| `git_commit(message)` | Stage and commit current changes | Per-commit |
| `git_branch(name)` | Create a branch | Per-branch |

Force-push and history rewrites are not exposed to the agent. You can
still do them yourself in the terminal.

LSP

| Tool | Description |
|---|---|
| `find_symbol(name)` | Workspace-wide symbol search via LSP |
| `goto_definition(file, position)` | Standard LSP go-to-definition |
| `references(symbol)` | All references to a symbol |

- HTTP requests to arbitrary URLs.
- Reading environment variables (`.env` is excluded by default).
- Writing outside the project root.
- Running daemons that survive the agent session.
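
One way a host could enforce the approval column and the project-root boundary described above, as an added sketch that is not the project's own code. The tool names and approval levels are copied from the tables; `authorize`, `inside_root`, the `approved` and `auto_approve` flags, and treating the LSP tools as needing no approval are assumptions.

```python
# Added illustration, not the project's implementation.
from pathlib import Path

# Approval column from the tables on this page (None = no approval needed).
# The LSP table has no approval column; None for those tools is an assumption.
APPROVAL = {
    "read_file": None, "list_dir": None, "grep": None,
    "apply_patch": "per-patch", "write_file": "per-file",
    "delete_file": "per-file",
    "run_command": "per-command", "kill_process": None,
    "git_status": None, "git_diff": None,
    "git_commit": "per-commit", "git_branch": "per-branch",
    "find_symbol": None, "goto_definition": None, "references": None,
}
NEVER_BYPASSABLE = {"delete_file"}            # "Per-file, never bypassable"
WRITE_PATH_TOOLS = {"write_file", "delete_file"}


def inside_root(root, candidate):
    """True if candidate, resolved against root, stays under root."""
    root = Path(root).resolve()
    # resolve() collapses '..' and follows symlinks, so neither a relative
    # climb, an absolute path, nor a symlink out of the tree passes.
    target = (root / candidate).resolve()
    return target == root or root in target.parents


def authorize(tool, args, root, approved=False, auto_approve=False):
    """Return 'allow', 'ask' or 'deny' for one typed tool call.

    approved     -- the user accepted this specific call (hypothetical flag)
    auto_approve -- hypothetical session-wide "skip prompts" setting
    """
    if tool not in APPROVAL:
        return "deny"                         # not on the typed surface
    path = None
    if tool in WRITE_PATH_TOOLS:
        path = args.get("path")
    elif tool == "run_command":
        path = args.get("cwd")                # terminal is pinned to the root
    if path is not None and not inside_root(root, path):
        return "deny"                         # boundary wins over any approval
    if APPROVAL[tool] is None or approved:
        return "allow"
    if auto_approve and tool not in NEVER_BYPASSABLE:
        return "allow"
    return "ask"
```

The boundary check runs before the approval check, so an approved call that targets a path outside the root is still denied. Paths embedded in an `apply_patch` diff are not covered by this sketch.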