Permissions & Tools
Agents can only access resources you explicitly allow through permissions. Each permission grants the agent one or more tools it can call during execution.
Built-in Tools
These tools are always available, regardless of permissions:
| Tool | Description |
|---|---|
files_list | List files in the persistent storage directory |
files_read | Read a file from persistent storage |
files_write | Write a file to persistent storage |
finish | End the agent execution with a response |
Tables
Grant the agent access to query and modify your database tables. Each table can have granular action control.
| Tool | Description |
|---|---|
tables_select_{table} | Query rows from the table |
tables_insert_{table} | Insert new rows |
tables_update_{table} | Update existing rows |
tables_delete_{table} | Delete rows |
Configure per table in the permissions picker — select which tables and which actions (select, insert, update, delete) the agent can perform.
Connections
Grant the agent access to external integrations (Slack, Stripe, Salesforce, etc.). Instead of creating a separate tool for each possible action, agents use a search and execute pattern:
| Tool | Description |
|---|---|
search_connection_actions | Search available actions for a connection (with regex and pagination) |
execute_connection_action | Execute a specific action on a connection |
The agent first searches for the right action, then executes it. Only actions from connections you explicitly permit are allowed.
Example flow:
- Agent calls
search_connection_actionswithconnection_name: "slack"andquery: "send.*message" - Gets a list of matching actions with their parameter schemas
- Calls
execute_connection_actionwith the chosen action name and parameters
Source Code
Grant the agent read-only access to your project's source code files. Useful for agents that need to analyze or reference your codebase.
| Tool | Description |
|---|---|
source_code_list | List source code files (filterable by glob pattern) |
source_code_read | Read a source code file |
You can restrict access to specific paths using a glob pattern (e.g., src/**/*.py).
Browser
When a browser session is provided, the agent gets tools for web automation:
| Tool | Description |
|---|---|
navigate | Navigate to a URL |
click | Click an element on the page |
type_text | Type text into an input field |
press_key | Press a keyboard key |
select_option | Select a dropdown option |
extract_text | Extract text from a page element (requires CSS selector) |
screenshot | Take a screenshot of the page |
wait | Wait for a duration or condition |
run_javascript | Execute JavaScript on the page |
list_downloads | List downloaded files |
move_download | Move a downloaded file to persistent storage |
Send Task
When the agent stage has workflow transitions to downstream stages, a send_task_* tool is automatically created for each transition:
| Tool | Description |
|---|---|
send_task_{type} | Send a task to the next stage in the workflow |
The agent must call send_task_* before calling finish to forward data to downstream stages. If it finishes without sending a task, the workflow stops at this stage.