Tools, consent & undo
Tools let the model work on your real project. Safe reads run directly; file mutations, shell commands and MCP calls pass through consent controls.
Built-in tools
| Tool | Consent | Purpose |
|---|---|---|
| read_file | No | Read a UTF-8 file |
| list_files | No | List by glob |
| grep | No | Regex search |
| write_file | Yes | Create or overwrite |
| edit_file | Yes | Targeted fuzzy-tolerant edit |
| bash | Yes | Run a shell command |
| web_search | No | Search via DuckDuckGo |
| web_fetch | No | Fetch a URL as text |
Consent
Y — ONCE
Allow this single call.
A — SESSION
Always allow this tool for the current session.
N — DENY
Reject the call and tell the model.
/ALLOW
Allow all tools for the current session.
Privilege escalation guard
The bash tool refuses sudo, su, doas, pkexec, run0 and sudoedit as a hard policy—even when /allow is active—so an agent cannot obtain root on a computer or phone.
Diffs and undo
write_file and edit_file are recorded in an in-memory journal. Every change renders as a colored diff card with added and removed counts.
/undo # restore the previous content or remove a newly-created file