Skip to main content
Every action Claude Code can perform — reading a file, running a shell command, searching the web — is implemented as a tool. Tools are self-contained modules registered in src/tools.ts. Claude decides which tool to call, the permission layer checks whether to allow it, and the result is fed back into the next API turn.

How the tool loop works

User message


QueryEngine sends message to Anthropic API


Claude returns a tool_use block (tool name + input)


Permission layer checks the call
     │ allowed

Tool validates input with Zod schema


Tool executes and returns a result


Result is appended as tool_result and sent back to Claude


Claude continues (may call more tools or return final response)
This loop repeats until Claude returns a plain text response with no tool calls.

Tool anatomy

Every tool is a TypeScript module that exports an object conforming to the Tool interface defined in src/Tool.ts. The three required parts are:

1. Input schema (Zod)

Tools declare their inputs using Zod v4 schemas. The schema is compiled to JSON Schema and sent to the Anthropic API so Claude knows what arguments are valid. 
import { z } from 'zod/v4'

const inputSchema = z.object({
  path: z.string().describe('Absolute path to the file'),
  limit: z.number().optional().describe('Maximum lines to return'),
})

2. Permission declaration

Each tool declares whether it is read-only, mutating, or dangerous. This declaration is used by the permission layer to decide the default behavior before prompting the user.

3. Execute function

The execute function receives validated input and a ToolUseContext (working directory, abort signal, permission mode, etc.) and returns a result that Claude can read. 
async execute(input, context) {
  const content = await fs.readFile(input.path, 'utf8')
  return { type: 'text', text: content }
}

Tool registration

All tools are registered in src/tools.ts. Some tools are always included; others are conditionally loaded based on feature flags or environment variables: 
// Always registered
import { FileReadTool } from './tools/FileReadTool/FileReadTool.js'
import { BashTool } from './tools/BashTool/BashTool.js'

// Only registered when the PROACTIVE flag is enabled at build time
const SleepTool = feature('PROACTIVE') || feature('KAIROS')
  ? require('./tools/SleepTool/SleepTool.js').SleepTool
  : null

// Only for internal Anthropic users
const REPLTool = process.env.USER_TYPE === 'ant'
  ? require('./tools/REPLTool/REPLTool.js').REPLTool
  : null
MCP tools are registered dynamically at runtime when an MCP server connects.

Built-in tools

Tools for reading, writing, and editing files on disk.
ToolDescription
FileReadToolRead file contents; supports text, images, PDFs, and Jupyter notebooks
FileWriteToolCreate or overwrite a file
FileEditToolPartial file modification via exact string replacement
NotebookEditToolEdit individual cells in a Jupyter notebook
File read and write operations are subject to the permission model. Write and edit tools require explicit user approval in default mode.See File tools reference for full input schemas.
Tools for finding files and content across the codebase.
ToolDescription
GlobToolFind files by glob pattern (e.g., **/*.ts)
GrepToolContent search powered by ripgrep
ToolSearchToolDeferred tool discovery — finds the right tool for a task
GrepTool shells out to rg for performance. It supports full regex syntax and file-type filters.See Search tools reference for full input schemas.
Tools for executing shell commands and running processes.
ToolDescription
BashToolExecute a shell command in the current working directory
LSPToolQuery a Language Server Protocol server (hover, diagnostics, go-to-definition)
BashTool is the most permissive built-in tool. It runs arbitrary shell commands and is classified as dangerous — it will always prompt for approval in default mode unless you have added an allow rule.
Granting BashTool broad allow rules or running with bypassPermissions gives Claude unrestricted shell access. Only do this in isolated environments you control.
Tools for spawning sub-agents and coordinating multi-agent work.
ToolDescription
AgentToolSpawn a sub-agent with its own context window and tool set
SkillToolExecute a saved skill (reusable workflow)
TeamCreateToolCreate a team of parallel agents
TeamDeleteToolTear down a team
SendMessageToolSend a message between agents in a swarm
TaskCreateToolCreate a tracked task
TaskUpdateToolUpdate task status or output
TaskGetToolRead a task
TaskListToolList all tasks
EnterPlanModeToolSwitch to plan mode (propose without executing)
ExitPlanModeToolExit plan mode and resume execution
EnterWorktreeToolIsolate work to a git worktree
ExitWorktreeToolReturn from a git worktree
SleepToolPause execution (proactive mode)
See Agent tools reference for full input schemas and the Agent swarms guide.
Tools for fetching content from the web.
ToolDescription
WebFetchToolFetch a URL and return its content as text or markdown
WebSearchToolRun a web search and return results
See Web tools reference.
Tools exposed by connected Model Context Protocol servers.
ToolDescription
MCPToolInvoke a tool provided by an MCP server
ListMcpResourcesToolList resources available on an MCP server
ReadMcpResourceToolRead an MCP server resource
MCP tools are registered dynamically when servers connect and are namespaced by server name to avoid collisions. See MCP servers.

Tool permission levels

Tools declare one of three permission levels that determine the default approval behavior:
LevelExamplesDefault behavior
Read-onlyFileReadTool, GlobTool, GrepToolAuto-approved in most modes
MutatingFileWriteTool, FileEditToolPrompts user for approval
DangerousBashToolAlways prompts; classifier may pre-approve safe patterns
The permission level is a default. You can override it for specific tools or patterns using allow/deny rules in your settings. See Permission model.

Permission model

How every tool call is checked before execution.

File tools

Full reference for file read, write, and edit tools.

Search tools

Full reference for glob and grep tools.

MCP servers

Connect external tools via the Model Context Protocol.

Build docs developers (and LLMs) love

Get started for freeTalk to us