Capability · Execution layer

35+ built-in tools. Unlimited MCP servers. A nine-point safety gate every call.

Agents act through tools, file ops, shell, web, memory, communication, integrations. Every call passes nine safety checks before execution. Reads parallelize, writes serialize, and runaway loops abort with diagnostics.

35+
Built-in tools
9
Safety checks per call
10-way
Read parallelism
Per-agent
Sandbox
packwolf.app · Tools
Live screenshot
Tools screenshot
The tools page. Built-in catalog, MCP servers, per-tool trust state, budget tracking, all inspectable.
What it actually does

The parts that make this work.

Nine-point gate, every call.

Allowlist, budget, approval, scope, injection scan, path validation, rate limit, SSRF check, trust state. The order matters, cheap checks fail fast, expensive ones run only when needed.

Reads run in parallel, writes serialize.

Up to ten read-tier tools run concurrently. Writes and dangerous operations queue sequentially so you don't get races between agents touching the same file.

Per-agent filesystem sandbox.

Each agent's file operations resolve into its own scoped workspace. A shared workspace exists for collaboration. Path validation makes escape attempts impossible to ignore.

Tool trust is earned.

After five consecutive approvals without rejection, a tool moves to trusted state. Trust is revoked instantly on rejection. This makes routine work fast without bypassing approvals on novel work.

MCP servers are first-class.

Any Model Context Protocol server merges into the registry alongside built-ins. Same safety gate, same audit trail. Switch tool providers without changing your agents.

Loop detection aborts runaways.

Runaway tool sequences are detected by signature and aborted with a diagnostic, not silently. The trace shows the loop pattern and the call that triggered the abort.

How it works

The path through tools.

  1. 01

    Model emits a tool call.

    The provider returns a structured tool_use block with arguments. The pipeline validates the schema before anything else.

  2. 02

    Safety gate runs nine checks.

    Allowlist (is this tool enabled for this agent?), budget (any quota left?), approval (does this need sign-off?), scope (is the path/resource in scope?), injection (does input contain injection signatures?), path (does the file path pass validation?), rate (within rate limit?), SSRF (is the URL safe?), trust (is the tool trusted, or should we pause for review?).

  3. 03

    Read tier parallelizes.

    Up to ten read-tier tools run concurrently. The pipeline waits on the slowest, then assembles results.

  4. 04

    Write tier serializes.

    Writes and dangerous operations queue. No simultaneous mutations from concurrent agents, the audit trail is always linear at the resource level.

  5. 05

    Result feeds back.

    Tool output truncates to a configured cap (so a giant file dump doesn't blow context), then returns to the model. Failures classify into the trace's failure taxonomy.

  6. 06

    Trust updates.

    On approval-bypassing tools, success increments the trust counter. Five clean runs in a row promotes the tool to trusted. A rejection resets the counter to zero.

Common questions

Things engineers actually ask.

Yes, but the shell tool runs inside a microVM (or process fallback) with scoped permissions, not on the host. Path validation, command allowlists, and rate limits all apply. Dangerous operations require approval by default.

Related capabilities
CapabilityApprovalsCapabilityObservabilityCapabilitySkills
Source: docs/AGENT_TOOLS.md

See it in your workspace.

Closed-beta cohorts are small. Tell us what you'd want this capability to handle for your team.

Request beta access