| .. | ||
| memory | ||
| web | ||
| exec-allowlist.test.ts | ||
| exec-allowlist.ts | ||
| exec-approval-cli.ts | ||
| exec-approval-types.ts | ||
| exec-safety.test.ts | ||
| exec-safety.ts | ||
| exec.ts | ||
| glob.test.ts | ||
| glob.ts | ||
| groups.ts | ||
| index.ts | ||
| policy.test.ts | ||
| policy.ts | ||
| process-registry.ts | ||
| process.ts | ||
| README.md | ||
| README.zh-CN.md | ||
| sessions-spawn.test.ts | ||
| sessions-spawn.ts | ||
Tools System
The tools system provides LLM agents with capabilities to interact with the external world. Tools are the "hands and feet" of an agent - without tools, an LLM can only generate text responses.
Architecture Overview
┌─────────────────────────────────────────────────────────────────┐
│ Tool Definition │
│ (AgentTool from @mariozechner/pi-agent-core) │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ name │ │ description │ │ parameters │ │
│ │ label │ │ execute │ │ (TypeBox) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 3-Layer Policy Filter │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Layer 1: Global Allow/Deny │ │
│ │ User customization via CLI or config │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Layer 2: Provider-Specific │ │
│ │ Different rules for different LLM providers │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Layer 3: Subagent Restrictions │ │
│ │ Limited tools for spawned child agents │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Filtered Tools │
│ (passed to pi-agent-core) │
└─────────────────────────────────────────────────────────────────┘
Available Tools
| Tool | Name | Description |
|---|---|---|
| Read | read |
Read file contents |
| Write | write |
Write content to files |
| Edit | edit |
Edit existing files |
| Glob | glob |
Find files by pattern |
| Exec | exec |
Execute shell commands |
| Process | process |
Manage long-running processes |
| Web Fetch | web_fetch |
Fetch and extract content from URLs |
| Web Search | web_search |
Search the web (requires API key) |
| Memory Get | memory_get |
Retrieve a value from persistent memory |
| Memory Set | memory_set |
Store a value in persistent memory |
| Memory Delete | memory_delete |
Delete a value from persistent memory |
| Memory List | memory_list |
List all keys in persistent memory |
Note
: Memory tools require a
profileIdto be specified. They store data in the profile's memory directory.
Tool Groups
Groups provide shortcuts for allowing/denying multiple tools at once:
| Group | Tools |
|---|---|
group:fs |
read, write, edit, glob |
group:runtime |
exec, process |
group:web |
web_search, web_fetch |
group:memory |
memory_get, memory_set, memory_delete, memory_list |
group:core |
All of the above (excluding memory) |
Usage
CLI Usage
All commands use the unified multica CLI (or pnpm multica during development).
# Allow only specific tools
multica run --tools-allow group:fs,group:runtime "list files"
# Deny specific tools
multica run --tools-deny exec,process "read file.txt"
# Use tool groups
multica run --tools-allow group:fs "read config.json"
Programmatic Usage
import { Agent } from './runner.js';
const agent = new Agent({
tools: {
// Layer 1: Global allow/deny
allow: ['group:fs', 'group:runtime', 'web_fetch'],
deny: ['exec'],
// Layer 2: Provider-specific rules
byProvider: {
google: {
deny: ['exec', 'process'], // Google models can't use runtime tools
},
},
},
// Layer 3: Subagent mode
isSubagent: false,
});
Inspecting Tool Configuration
Use the tools CLI to inspect and test configurations:
# List all available tools
multica tools list
# List tools with allow rules
multica tools list --allow group:fs,group:runtime
# List tools with deny rules
multica tools list --deny exec
# Show all tool groups
multica tools groups
Policy System Details
Layer 1: Global Allow/Deny
User-specified allow/deny lists:
allow: Only these tools are available (supports group:* syntax)deny: These tools are blocked (takes precedence over allow)
If no allow list is specified, all tools are available by default.
Layer 2: Provider-Specific
Different LLM providers may have different capabilities or restrictions:
{
byProvider: {
google: { deny: ["exec"] }, // Gemini can't execute commands
anthropic: { allow: ["*"] }, // Claude has full access
}
}
Layer 3: Subagent Restrictions
When isSubagent: true, additional restrictions are applied to prevent spawned agents from accessing sensitive tools like session management.
Adding New Tools
-
Create a new file in
src/agent/tools/(e.g.,my-tool.ts) -
Define the tool using TypeBox for the schema:
import { Type } from '@sinclair/typebox';
import type { AgentTool } from '@mariozechner/pi-agent-core';
const MyToolSchema = Type.Object({
param1: Type.String({ description: 'Parameter description' }),
param2: Type.Optional(Type.Number()),
});
export function createMyTool(): AgentTool<typeof MyToolSchema> {
return {
name: 'my_tool',
label: 'My Tool',
description: 'What this tool does',
parameters: MyToolSchema,
execute: async (toolCallId, args) => {
// Implementation
return { result: 'success' };
},
};
}
- Register the tool in
src/agent/tools.ts:
import { createMyTool } from './tools/my-tool.js';
export function createAllTools(cwd: string): AgentTool<any>[] {
// ... existing tools
const myTool = createMyTool();
return [
...baseTools,
myTool as AgentTool<any>,
// ...
];
}
- Add the tool to appropriate groups in
groups.ts:
export const TOOL_GROUPS: Record<string, string[]> = {
'group:my_category': ['my_tool', 'other_tool'],
// ...
};
Testing
Run the policy system tests:
pnpm test src/agent/tools/policy.test.ts
Agent Profile Integration
Tools configuration can be defined in Agent Profile's config.json, allowing different agents to have different tool capabilities:
┌─────────────────────────────────────────────────────────────────┐
│ Super Multica Hub │
│ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ Agent A │ │ Agent B │ │ Agent C │ │
│ │ Profile: │ │ Profile: │ │ Profile: │ │
│ │ coder │ │ reviewer │ │ devops │ │
│ │ │ │ │ │ │ │
│ │ tools: │ │ tools: │ │ tools: │ │
│ │ allow:fs │ │ deny:* │ │ allow:* │ │
│ └─────┬─────┘ └─────┬─────┘ └─────┬─────┘ │
│ │ │ │ │
└─────────┼────────────────┼────────────────┼─────────────────────┘
│ │ │
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Client │ │ Client │ │ Client │
└──────────┘ └──────────┘ └──────────┘
Each Agent's Profile can define its own tools configuration in config.json:
{
"tools": {
"allow": ["group:fs", "group:runtime"],
"deny": ["exec"]
},
"provider": "anthropic",
"model": "claude-sonnet-4-20250514"
}
See Profile README for full documentation.