Skip to content

Built-in Tools

Noeta ships a set of built-in tools assembled from the filesystem pack, the web pack, the app pack, and (conditionally) memory and MCP tools. Tool names are provider-safe snake_case and are the exact strings the model calls.

Filesystem tools

Built by build_fs_tools() in noeta.tools.fs. Each tool carries a risk_level used by the PermissionGuard.

ToolRiskWhat it doesSource
readlowRead a workspace file (utf-8), optionally sliced by line offset / limit.noeta/tools/fs/read.py
globlowMatch a workspace-relative glob pattern and return matching paths.noeta/tools/fs/read.py
greplowRegex (re module) content search across the workspace.noeta/tools/fs/read.py
edithighReplace an exact, unique old substring in an existing file. Dry-run by default.noeta/tools/fs/edit.py
writehighWrite a file (create, or overwrite one previously read). Dry-run by default.noeta/tools/fs/edit.py
apply_patchhighApply a small batch of edits atomically — all succeed or none. Dry-run by default.noeta/tools/fs/patch.py
shell_runhighRun a shell command in the workspace. Mode-gated: ALLOWLIST by default, OFF removes the tool entirely.noeta/tools/fs/shell.py
shell_polllowCheck status / output of a background shell job.noeta/tools/fs/shell.py
shell_killhighStop a background shell job you started (SIGTERM → SIGKILL).noeta/tools/fs/shell.py
run_skill_scripthighRun an active skill's bundled script via an allowlisted interpreter.noeta/tools/fs/skill_script.py

Shell allowlist (default)

When shell_mode = ALLOWLIST, only these argv patterns pass:

  • git status / git diff
  • pytest / uv run pytest
  • npm test / pnpm test

Shell metacharacters (|, ;, &&, >, etc.) are rejected before tokenization. This is path-containment + an allowlist, not a process sandboxshell_run spawns external programs in the trusted workspace.

Web tools

ToolRiskWhat it doesSource
webfetchlowFetch a public web page over HTTP(S) and render it to Markdown. Always available.noeta/tools/web/fetch.py
web_searchlowRun a web search and return ranked hits as Markdown. Only mounted when NOETA_WEB_SEARCH_API_KEY is set.noeta/tools/web/search.py

App tools

ToolRiskWhat it doesSource
open_applowRender a workspace HTML app in the web "App" panel via the single-port preview gateway.noeta/tools/app/open_app.py

Memory tools

Mounted only when Capabilities.memory is enabled (only the main preset opens it).

ToolRiskWhat it doesSource
memory_writelowWrite a markdown memory file to the memory store.noeta/tools/memory.py
memory_readlowRead the full text of a stored memory on demand.noeta/tools/memory.py

MCP tools

Remote MCP tools appear dynamically as mcp__<alias>__<tool> when MCP servers are registered and enabled per session. See ADR: MCP connectors.

Tool risk levels

LevelMeaning
lowNo side effects outside the agent's own state. Always allowed.
highModifies the filesystem or spawns external processes. Subject to PermissionGuard approval.

Notes

  • There is no separate read_file / write_file / replace_text / list_dir / git_status / git_diff tool. Those old names were renamed (read / write / edit) or removed (list_dir). git status / git diff are allowlist rules inside shell_run.
  • The write tool accepts an optional allowed_path_globs workspace-relative whitelist at construction time (empty = unrestricted). edit and apply_patch ignore the whitelist.

Released under the MIT License.