ChatGPT Local Agent MCP registers tools across eight categories — workspace, filesystem, shell, git, process, browser, screen, and desktop. Every tool call is gated by two independent checks: the MCP scope must be granted to the session, and the tool’s required policy mode must be at or below the server’s configuredDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/chatgpt-local-agent-mcp/llms.txt
Use this file to discover all available pages before exploring further.
GPT_FS_MCP_MAX_POLICY_MODE. Both conditions must be true for a tool to execute. This two-axis access model lets you grant ChatGPT read-only filesystem visibility without enabling shell execution, or enable git operations without opening desktop automation — each combination is independently controlled.
Tool categories
| Category | Required scope | Tool count | Description |
|---|---|---|---|
workspace | mcp:read | 1 | workspace profile information via workspace_info |
filesystem | mcp:read / mcp:write / mcp:patch / mcp:delete | 16 | read, write, patch, delete, search, hash, stat, tree |
shell | mcp:shell | 1 | direct shell command execution |
git | mcp:git | 3 | status, diff, and commit |
process | mcp:process | 7 | start, stop, kill, list, port_list, tail_log, wait_for_port |
browser | mcp:browser | 16 | sessions, navigation, interaction, screenshots, CDP |
screen | mcp:screen | 3 | window_list, screen_screenshot, screen_ocr |
desktop | mcp:desktop | 6 | mouse and keyboard automation |
Policy mode tiers
Policy modes are ordered from least to most permissive. A tool is available only when its required mode is at or below the server’s maximum policy mode setting.| Policy mode | Rank | Typical operations |
|---|---|---|
observe | 0 | Read-only introspection: stat, list, read, git status/diff, window list |
diagnose | 1 | Bounded scanning that may expose more surface: search, screen screenshot, browser wait |
edit | 2 | Low-risk filesystem mutations: mkdir |
operate | 3 | Process control, browser sessions, desktop interaction, shell execution |
destructive | 4 | File write/overwrite, move, copy, delete, apply patch, git commit, rollback |
A tool is available when both of these are true: the required scope is granted to the session, and the tool’s policy mode rank is ≤ the server’s configured
GPT_FS_MCP_MAX_POLICY_MODE rank.How tool availability is determined
When a tool call arrives, the runtime performs two sequential checks:- Scope check — the session’s granted scopes must include the tool’s
requiredScope. Scopes are granted at the MCP authorization layer and represent what capability categories have been unlocked. - Policy mode check — the tool’s
policyModemust rank at or belowGPT_FS_MCP_MAX_POLICY_MODE. This is a server-level ceiling that caps how destructive any individual tool call can be, regardless of granted scopes.
Full tool list
All tools registered by the server, in definition order:| # | Tool | Category | Required scope | Policy mode | Risk tags |
|---|---|---|---|---|---|
| 1 | workspace_info | workspace | mcp:read | observe | — |
| 2 | stat | filesystem | mcp:read | observe | path-disclosure |
| 3 | list_dir | filesystem | mcp:read | observe | path-disclosure |
| 4 | tree | filesystem | mcp:read | observe | path-disclosure |
| 5 | search | filesystem | mcp:read | diagnose | content-discovery |
| 6 | read_file | filesystem | mcp:read | observe | secret-read |
| 7 | read_many | filesystem | mcp:read | observe | secret-read |
| 8 | read_file_range | filesystem | mcp:read | observe | secret-read |
| 9 | stat_many | filesystem | mcp:read | observe | path-disclosure |
| 10 | hash | filesystem | mcp:read | observe | content-fingerprint |
| 11 | write_file | filesystem | mcp:write | destructive | file-write |
| 12 | apply_patch | filesystem | mcp:patch | destructive | patch, file-write |
| 13 | mkdir | filesystem | mcp:write | edit | filesystem-mutation |
| 14 | copy | filesystem | mcp:write | destructive | file-write, overwrite |
| 15 | move | filesystem | mcp:write | destructive | rename, overwrite |
| 16 | delete | filesystem | mcp:delete | destructive | delete, irreversible |
| 17 | rollback_backup | filesystem | mcp:write | destructive | rollback, file-write |
| 18 | git_status | git | mcp:git | observe | repo-state |
| 19 | git_diff | git | mcp:git | observe | repo-content |
| 20 | git_commit | git | mcp:git | destructive | commit, repo-mutation |
| 21 | start_process | process | mcp:process | operate | process, rce, long-running |
| 22 | tail_log | process | mcp:process | observe | log-read |
| 23 | wait_for_port | process | mcp:process | diagnose | network-probe |
| 24 | process_list | process | mcp:process | observe | process-disclosure |
| 25 | port_list | process | mcp:process | observe | network-disclosure |
| 26 | stop_process | process | mcp:process | operate | process-kill |
| 27 | process_kill | process | mcp:process | operate | process-kill |
| 28 | browser_session_create | browser | mcp:browser | operate | browser, network, process |
| 29 | browser_navigate | browser | mcp:browser | operate | browser, network |
| 30 | browser_snapshot | browser | mcp:browser | observe | browser-content, secret-read |
| 31 | browser_console | browser | mcp:browser | observe | browser-content, log-read |
| 32 | browser_network | browser | mcp:browser | observe | browser-content, network-disclosure |
| 33 | browser_wait | browser | mcp:browser | diagnose | browser-state |
| 34 | browser_click | browser | mcp:browser | operate | browser-action |
| 35 | browser_fill | browser | mcp:browser | operate | browser-action, form-input |
| 36 | browser_type | browser | mcp:browser | operate | browser-action, form-input |
| 37 | browser_press_key | browser | mcp:browser | operate | browser-action, keyboard |
| 38 | browser_screenshot | browser | mcp:browser | diagnose | browser-content, secret-read, screenshot |
| 39 | browser_page_list | browser | mcp:browser | observe | browser-state, secret-read |
| 40 | browser_page_select | browser | mcp:browser | operate | browser-state |
| 41 | browser_session_list | browser | mcp:browser | observe | browser-state |
| 42 | browser_session_close | browser | mcp:browser | operate | browser, process |
| 43 | browser_cdp_connect | browser | mcp:browser | operate | browser, cdp, existing-profile, secret-read |
| 44 | window_list | screen | mcp:screen | observe | screen-disclosure, window-title-disclosure |
| 45 | screen_screenshot | screen | mcp:screen | diagnose | screen-disclosure, secret-read |
| 46 | screen_ocr | screen | mcp:screen | diagnose | screen-disclosure, secret-read, ocr |
| 47 | desktop_mouse_position | desktop | mcp:desktop | observe | desktop-state, mouse |
| 48 | desktop_mouse_move | desktop | mcp:desktop | operate | desktop-action, mouse |
| 49 | desktop_mouse_click | desktop | mcp:desktop | operate | desktop-action, mouse, click |
| 50 | desktop_key_press | desktop | mcp:desktop | operate | desktop-action, keyboard |
| 51 | desktop_hotkey | desktop | mcp:desktop | operate | desktop-action, keyboard, hotkey |
| 52 | desktop_text_type | desktop | mcp:desktop | operate | desktop-action, keyboard, form-input |
| 53 | shell | shell | mcp:shell | operate | rce, process, network |
Tool category pages
Filesystem
stat, list_dir, tree, read_file, write_file, apply_patch, search, hash, copy, move, delete, rollback_backup
Git
git_status, git_diff, git_commit — all require mcp:git
Shell
Single shell tool with rce, process, and network risk tags
Process
start_process, stop_process, process_kill, process_list, port_list, tail_log, wait_for_port
Browser
16 tools covering sessions, navigation, interaction, screenshots, and CDP
Screen & Desktop
window_list, screen_screenshot, screen_ocr, mouse, keyboard automation
Related
- Scopes reference — how to grant and restrict tool category access
- Policy modes — how to set a maximum operation tier for the server