Every tool, every surface.
carlos registers 31 tools by default through NewDefaultRegistryWithBaseDirAndFrames. MCP servers contribute additional tools per frame. Every tool flows through the layered approval policy.
Filesystem (read)
Auto-approved by layer 1 of the permission model. Sandboxed by BaseDir when running inside a worktree.
| tool | what | approval |
|---|---|---|
read |
Read a file, optional line range. | builtin |
grep |
Pattern over a tree, ripgrep-style. | builtin |
glob |
Path pattern enumeration. | builtin |
Filesystem (mutate)
Always prompt unless the session has cached an Always answer.
| tool | what |
|---|---|
write |
Create or overwrite a file. Atomic write (temp + fsync + rename). |
edit |
Exact-string replace. Fails if old_string is not unique. |
Shell
| tool | what |
|---|---|
bash |
Non-PTY by default. Stdout and stderr captured, truncated at 8 KiB. 30s timeout. Exit code surfaced. A non-zero exit is not an error; it is part of the output the model needs to see. |
The workspace-trust classifier (internal/workspace/bash.go:IsReadOnly) carves out a narrow set of read-only verbs for auto-approval when the cwd is trusted. See Permissions.
Git (read-only)
Auto-approved by layer 1.
| tool | what |
|---|---|
git_status |
Working-tree state plus the branch summary. |
git_diff |
Unified diff between refs, the index, or the working tree. |
git_log |
Commit history with subject, author, and date. |
git_blame |
Line-by-line commit attribution for a file. |
git_show |
Single-commit detail including the full patch. |
Web
| tool | what |
|---|---|
web_fetch |
HTTP GET. HTML to text. Refuses non-http(s), private and loopback ranges (config-gated), non-text content types, and robots-disallowed URLs (override available). HEAD-then-GET; 5 MiB raw / 256 KiB extracted caps; 5-redirect ceiling; 5-minute robots cache. |
web_search |
SearchBackend interface. Implementations: Brave (when BRAVE_API_KEY is set), SearXNG (when SEARXNG_URL is set), DuckDuckGo HTML fallback. |
http_request |
Method-parametric REST, GraphQL, and webhook caller. |
code_search |
Concurrent fan-out to Codewiki, Context7, and DeepWiki. Defaults to carlos's own repo for self-reference. |
Introspection
| tool | what |
|---|---|
carlos_about |
Returns carlos's own state: vault path, active frame, all configured frames, capabilities, providers, user name. Auto-approved. Never leaks API keys. The carlos_about tool cards are hidden from chat (v0.7.7) to avoid clutter. |
Notes (configured vault, pinned)
Schema does not accept a vault: arg. Auto-approved by layer 1.
| tool | what |
|---|---|
notes_get |
Fetch a note by path or wikilink target. |
notes_search |
Full-text query over the configured vault. |
notes_backlinks |
Inbound wikilinks pointing at a note. |
notes_tagged |
Notes carrying a given tag. |
notes_neighbors |
Outgoing wikilink targets from a note. |
notes_recent |
Recently modified notes, newest first. |
notes_resolve |
Resolve a wikilink target to a concrete path. |
notes_write |
Append or overwrite a note in the configured vault. Scoped to the active frame's vault_subtree. |
notes_write is scoped to the active frame's vault_subtree. Cross-vault or cross-subtree writes are rejected and have to go through the generic write tool with full prompting.
Each tool supports a frame: arg (Phase F-11) for cross-frame fan-out with prefix labels.
Notes (arbitrary vault)
Schema requires a vault: arg. Always prompts.
| tool | what |
|---|---|
obsidian_get |
Fetch a note from any vault root. |
obsidian_search |
Full-text query against an arbitrary vault. |
obsidian_backlinks |
Inbound wikilinks within the named vault. |
obsidian_tagged |
Tag query within the named vault. |
obsidian_neighbors |
Outgoing wikilink targets within the named vault. |
obsidian_recent |
Recently modified notes from the named vault. |
obsidian_resolve |
Resolve a wikilink target inside the named vault. |
MCP-contributed tools
stdio servers register their tools under <server>__<tool> and inherit the standard approval path. Per-frame gating: top-level mcp_servers: list, each entry's optional frames: field restricts to a subset.
/mcp lists configured servers and the tools each contributed at boot.
Tool counter
carlos_about reports the exact count. The default registry is 31; counts grow as MCP servers register.