How to read this catalog
This page uses the module or class names that are directly registered ingetAllBaseTools() inside src/tools.ts.
For strict registry-level, per-item coverage, use:
For each tool, the table lists:
- Registration source
- What the tool does from the implementation role implied by its module
- Where its schema and prompt text live
- Whether approval is usually involved
- Notable gates or quirks visible in the registry
Always-present core tools
| Module | Purpose | Schema / prompt source | Approval notes | Registry notes |
|---|---|---|---|---|
AgentTool | Spawns or delegates work to subagents. | src/tools/AgentTool/ | High-risk. Delegation is permission-sensitive. | Always registered. Central to agentic workflows. |
TaskOutputTool | Emits structured task output back into the loop. | src/tools/TaskOutputTool/ | No separate user approval expected. | Internal output shaper. |
BashTool | Runs shell commands in the active workspace or sandbox. | src/tools/BashTool/ | One of the primary approval-gated tools. | Always present unless hidden behind REPL/simple mode presentation. |
GlobTool | File-name and path pattern search. | src/tools/GlobTool/ | Normally auto-allowed. | Omitted when embedded search tools are available in the build. |
GrepTool | Content search across files. | src/tools/GrepTool/ | Normally auto-allowed. | Omitted when embedded search tools are available. |
ExitPlanModeV2Tool | Exits plan mode and returns to normal execution. | src/tools/ExitPlanModeTool/ | May prompt depending on plan-mode policy. | Always available in this snapshot. |
FileReadTool | Reads file contents into context. | src/tools/FileReadTool/ | Usually auto-allowed inside workspace. | Core primitive. |
FileEditTool | Applies targeted in-place edits. | src/tools/FileEditTool/ | Approval-sensitive because it mutates files. | Core primitive. |
FileWriteTool | Writes or replaces full file contents. | src/tools/FileWriteTool/ | Approval-sensitive. | Core primitive. |
NotebookEditTool | Edits notebook-style files. | src/tools/NotebookEditTool/ | Approval-sensitive. | Separate from plain text editing. |
WebFetchTool | Fetches a specific URL. | src/tools/WebFetchTool/ | Domain and network policy can require approval. | Always present. |
TodoWriteTool | Writes task/todo state. | src/tools/TodoWriteTool/ | Usually low-risk. | Present even when task-v2 is disabled. |
WebSearchTool | Performs internet search. | src/tools/WebSearchTool/ | Subject to network policy. | Always present in this snapshot. |
TaskStopTool | Stops a running worker or task. | src/tools/TaskStopTool/ | Normally safe. | Used heavily in coordinator flows. |
AskUserQuestionTool | Interrupts for explicit user input. | src/tools/AskUserQuestionTool/ | User-facing by design. | Core interaction primitive. |
SkillTool | Invokes project or installed skills. | src/tools/SkillTool/ | Approval depends on the skill and its allowed tools. | Bridge between model and slash-command-style skills. |
EnterPlanModeTool | Switches the session into plan mode. | src/tools/EnterPlanModeTool/ | May prompt depending on session policy. | Always present. |
BriefTool | Produces condensed summaries / brief output. | src/tools/BriefTool/ | Low-risk. | Always registered. |
ListMcpResourcesTool | Lists MCP resources exposed by connected servers. | src/tools/ListMcpResourcesTool/ | Usually low-risk; depends on server trust. | Exposed separately from normal MCP tools. |
ReadMcpResourceTool | Reads a specific MCP resource. | src/tools/ReadMcpResourceTool/ | Low-to-medium risk depending on server and resource. | Always registered. |
ToolSearchTool | Searches the active tool space. | src/tools/ToolSearchTool/ | Low-risk. | Only present when optimistic tool search is enabled. |
Anthropic-internal or product-gated tools
| Module | Purpose | Gate visible in src/tools.ts | Approval notes | Notes |
|---|---|---|---|---|
ConfigTool | Anthropic-internal configuration surface. | USER_TYPE === 'ant' | Unknown externally. | Not expected in public builds. |
TungstenTool | Anthropic-internal tool surface. | USER_TYPE === 'ant' | Unknown externally. | Public behavior unclear in this version. |
SuggestBackgroundPRTool | Suggests background PR work. | USER_TYPE === 'ant' via lazy require | Likely approval-sensitive. | Internal-only feature path. |
REPLTool | Wraps primitive tools inside REPL mode. | USER_TYPE === 'ant' and REPL enabled | Replaces direct primitive tool exposure in REPL mode. | Registry hides REPL_ONLY_TOOLS when active. |
Feature-gated productivity and orchestration tools
| Module | Purpose | Gate | Approval notes | Notes |
|---|---|---|---|---|
TaskCreateTool | Creates task-v2 entries. | isTodoV2Enabled() | Low-risk metadata write. | Present only when task-v2 is on. |
TaskGetTool | Reads a task-v2 entry. | isTodoV2Enabled() | Low-risk. | Task-v2 read primitive. |
TaskUpdateTool | Updates a task-v2 entry. | isTodoV2Enabled() | Low-risk metadata write. | Task-v2 write primitive. |
TaskListTool | Lists task-v2 entries. | isTodoV2Enabled() | Low-risk. | Task-v2 enumeration primitive. |
SendMessageTool | Continues an existing worker with new instructions. | Always lazy-loaded | Medium risk; can redirect running agents. | Central to coordinator mode. |
ListPeersTool | Lists available peers. | UDS_INBOX feature | Low-risk. | Peer-to-peer integration path. |
TeamCreateTool | Creates an agent team / swarm. | isAgentSwarmsEnabled() | High-risk because it expands delegation. | Lazy-loaded to avoid cycles. |
TeamDeleteTool | Deletes an agent team / swarm. | isAgentSwarmsEnabled() | Medium risk. | Swarm teardown. |
VerifyPlanExecutionTool | Verifies completed work against a plan. | CLAUDE_CODE_VERIFY_PLAN === 'true' | Low-to-medium. | Explicit verification helper. |
WorkflowTool | Runs bundled or configured workflows. | WORKFLOW_SCRIPTS feature | Depends on workflow contents. | Initializes bundled workflows on load. |
SleepTool | Suspends or schedules delayed agent continuation. | PROACTIVE or KAIROS feature | Low-risk. | Also creates ephemeral progress updates. |
CronCreateTool | Creates a cron trigger. | AGENT_TRIGGERS feature | Medium-to-high, because it creates autonomous follow-up work. | Scheduling subsystem. |
CronDeleteTool | Deletes a cron trigger. | AGENT_TRIGGERS feature | Medium risk. | Scheduling cleanup. |
CronListTool | Lists cron triggers. | AGENT_TRIGGERS feature | Low-risk. | Scheduling inspection. |
RemoteTriggerTool | Creates or handles remote triggers. | AGENT_TRIGGERS_REMOTE feature | Medium-to-high. | Trigger bridge for remote execution. |
MonitorTool | Monitoring / watch-style automation. | MONITOR_TOOL feature | Medium risk. | Monitoring semantics are product-gated. |
SendUserFileTool | Sends a user file into another flow. | KAIROS feature | Medium risk because it transfers file data. | Product-specific. |
PushNotificationTool | Pushes a notification to the user. | KAIROS or KAIROS_PUSH_NOTIFICATION | Low-risk. | Notification channel. |
SubscribePRTool | Subscribes to PR activity. | KAIROS_GITHUB_WEBHOOKS feature | Medium risk due to external integration. | GitHub webhook-related. |
EnterWorktreeTool | Enters isolated worktree mode. | isWorktreeModeEnabled() | Medium-to-high. | Changes working execution environment. |
ExitWorktreeTool | Leaves worktree mode. | isWorktreeModeEnabled() | Medium risk. | Restores prior environment. |
Shell, browser, and debug surfaces
| Module | Purpose | Gate | Approval notes | Notes |
|---|---|---|---|---|
PowerShellTool | Windows-native shell execution. | isPowerShellToolEnabled() | Primary approval-gated tool on Windows. | Loaded lazily through getPowerShellTool(). |
WebBrowserTool | Richer browser automation than fetch/search. | WEB_BROWSER_TOOL feature | High-risk due to interactive browsing. | Separate from fetch/search. |
TerminalCaptureTool | Captures terminal-panel output. | TERMINAL_PANEL feature | Low-to-medium. | Tied to terminal panel UI. |
OverflowTestTool | Testing tool for overflow behavior. | OVERFLOW_TEST_TOOL feature | Testing only. | Non-production utility. |
CtxInspectTool | Context-collapse inspection and debugging. | CONTEXT_COLLAPSE feature | Low-risk. | Debug/inspection helper. |
SnipTool | History snipping / transcript surgery. | HISTORY_SNIP feature | Medium risk. | Affects transcript/history shape. |
TestingPermissionTool | Test-only permission surface. | NODE_ENV === 'test' | Testing only. | Never expected in normal usage. |
External-integration tools
| Module | Purpose | Gate | Approval notes | Notes |
|---|---|---|---|---|
LSPTool | Queries connected language servers for semantic code context. | ENABLE_LSP_TOOL | Usually low-risk read-only, but still external-process dependent. | Backed by src/services/lsp/. |
ListMcpResourcesTool | Lists MCP resources. | Always | Depends on server trust. | Separate from per-server MCP tools. |
ReadMcpResourceTool | Reads an MCP resource. | Always | Depends on server trust. | Resource channel, not action tool. |
Input schema pattern
Claude Code does not define tool inputs as ad hoc dictionaries. Each tool owns a Zod schema that is projected into prompt-facing JSON schema. Typical source locations are:schemas.tsprompt.tsconstants.ts- the tool module itself when the schema is small
src/tools/LSPTool/schemas.tssrc/tools/LSPTool/prompt.tssrc/tools/BashTool/src/tools/PowerShellTool/
Approval behavior by class of tool
The approval system is shared, but tool families predictably map to approval intensity:- File mutation:
FileEditTool,FileWriteTool,NotebookEditTool - Shell execution:
BashTool,PowerShellTool - Delegation and teams:
AgentTool,SendMessageTool,TeamCreateTool - Remote or browser actions:
WebBrowserTool, remote trigger tools - Read-only tools: file read, search, many MCP resource calls, most LSP usage
src/utils/permissions/permissions.ts and any tool-specific checks.
Registry-level quirks worth knowing
CLAUDE_CODE_SIMPLEcollapses the tool surface to a minimal set.- REPL mode replaces several primitive tools with
REPLTool. - Blanket deny rules can remove tools before the model even sees them.
ListMcpResourcesTool,ReadMcpResourceTool, and synthetic output tools are treated specially ingetTools().- Tool search is added optimistically and deferred at request time.