Claude CodeTools

Tools

43 tools

Claude Code has 43 built-in tools, each implementing a unified Tool<Input, Output, Progress> interface. Tools are built via the buildTool() factory and validated with Zod schemas at runtime.

Tool Interface (Tool.ts)

interface Tool<Input, Output, Progress> {
  name: string
  aliases?: string[]              // backwards compatibility
  searchHint?: string             // for ToolSearch keyword matching
  inputSchema: ZodSchema          // validated at runtime
  strict?: boolean                // strict API mode

  // Core execution
  call(args, context, canUseTool, parentMessage, onProgress): Promise<ToolResult>

  // Metadata
  description(input, options): Promise<string>
  prompt(): string                // system prompt instructions
  userFacingName(): string        // display name for UI

  // Security
  validateInput(): ValidationResult
  checkPermissions(): PermissionResult
  isReadOnly(): boolean
  isDestructive(): boolean
  isConcurrencySafe(): boolean

  // Rendering
  renderToolUseMessage(): ReactNode
  renderToolResultMessage(): ReactNode
  getToolUseSummary(): string     // compact status display
  getActivityDescription(): string // "Reading src/foo.ts"

  // Limits
  maxResultSizeChars?: number     // triggers disk persistence if exceeded
}

Built-in Tools (43 total)

Bash
Execution

Shell commands with AST security analysis, sandbox, ML classifier

FileEdit
Modification

String find/replace with fuzzy matching and unified diff

FileWrite
Modification

Full content atomic file replacement

FileRead
Read

Read files with PDF, notebook, image handling

Grep
Search

Ripgrep-based content search with permission filtering

Glob
Search

Fast file pattern matching, mod-time sorted

Agent
Spawning

Isolated sub-agents with zero-cost cache sharing

Skill
Invocation

User-defined prompt templates from .md files

MCP
Proxy

Wraps external tools via Model Context Protocol

WebSearch
Search

Web search integration

WebFetch
Read

Fetch web page content

NotebookEdit
Modification

Jupyter notebook cell editing

Worktree
Isolation

Git worktree creation and cleanup

SendMessage
Comms

Inter-agent messaging

Task*
Management

Create, get, update, stop tracked subtasks

ToolSearch
Discovery

Deferred tool loading for large tool sets

LSP
Integration

Language Server Protocol queries

PowerShell
Execution

Windows PowerShell execution

Sleep
Utility

Async wait/delay

Exit*
Cleanup

Exit worktree/plan with safety checks

BashTool Deep Dive

The BashTool is the largest and most complex tool (~300KB across 5 files). It has multi-layered security to prevent dangerous command execution.

// Execution flow:
Input → validateInput()
     → checkPermissions() [bashToolHasPermission]
     → shouldUseSandbox()?
     → exec() via SandboxManager
     → Output parsing + image detection
     → Result persistence if >100K chars

// Security layers:
1. AST-based parsing (tree-sitter)
   → Detects dangerous patterns: redirection, pipes, subshells

2. ML classifier (opt-in)
   → AI evaluates command safety with confidence scoring
   → Can auto-approve safe patterns (git status, ls, etc.)

3. Permission rule matching
   → Exact: "git"
   → Prefix: "git *" (any git subcommand)
   → Wildcard: "*test*" (contains pattern)

4. Semantic analysis
   → Detects dangerous redirections to system files
   → Blocks shell config modifications (.bashrc, .zshrc)

5. Read-only constraints
   → Blocks write commands in non-privileged sessions
   → Prevents privilege escalation via package managers

// Key files:
bashPermissions.ts  — 98KB — Permission rules + classifier
bashSecurity.ts     — 102KB — Dangerous pattern detection
readOnlyValidation.ts — 68KB — Privilege escalation prevention
sedValidation.ts    — 21KB — Sed command validation
shouldUseSandbox.ts — Sandbox decision logic

FileEditTool

// Input schema:
{
  file_path: string    // absolute path
  old_string: string   // text to find
  new_string: string   // replacement text
  replace_all?: boolean // global replace
}

// Key features:
1. findActualString() — fuzzy matching
   → Quote-style preservation
   → Whitespace/indentation variations
   → Multiple match handling via exact-position lookup

2. Validation
   → File must exist or be newly created
   → File must have been read first (tracked via readFileState)
   → File timestamp must not have changed since read
   → Blocks team memory files with secrets

3. Side effects
   → Notifies LSP servers (triggers diagnostics)
   → Notifies VSCode SDK MCP
   → Updates file modification tracking
   → Discovers conditional skills by path pattern
   → Fires fileHistoryTrackEdit for versioning

Tool Orchestration Strategy

Tools declare isConcurrencySafe() to enable parallel execution. The orchestrator partitions tool calls into batches.

// toolOrchestration.ts — runTools() generator

1. Partition by concurrency safety:
   → Group consecutive read-only tools (Grep, Glob, Read)
   → Isolate write tools (Edit, Write, Bash)

2. Read-only batch: parallel execution
   → Up to 10 concurrent tool calls
   → No state interference between reads

3. Write batch: serial execution
   → One tool at a time
   → Context modifiers applied between calls
   → File state cache updated after each

4. Result collection:
   → Each tool returns ToolResult<Output>
   → data, newMessages, contextModifier, mcpMeta
   → Wrapped in tool_result block with tool_use_id pairing