This document describes how Friday should assemble, select, and execute agent tools.
Selection
The agent first evaluates the user message with a tool-use policy.
- If the user explicitly says not to use tools, no tools are exposed.
- Tool inventory questions expose the available tool surface so the model can answer from the current registry.
- URLs, current information, private account data, workspace files, codebase work, shell execution, tests, builds, debugging, mutation, browser actions, email, calendar, Drive, cron jobs, and similar external or mutable work require tools.
- Creative writing, rewriting, translation, summarization, and brainstorming are answered without tools unless the request also needs external access.
- If no rule requires tools and no skill is selected, the run is a direct answer: startup context is not loaded for tool use, and the provider receives no tools.
The default AgentService path builds the local tool set from the full local
registry and denies startup_files by default. It can then add dynamic tools
for bootstrap, heartbeat, and skills.
There is also a run-scoped tool assembler for plugin, MCP, LSP, client-hosted,
and tool-search catalog workflows. That path is available in the codebase, but
it is separate from the default AgentService tool factory.
Default Local Tools
These are the local tools in the default registry. A tool still has to pass policy, ranking, and run context before it is exposed to the provider.
| Tool | How it is used |
|---|---|
read |
Reads a UTF-8 file and returns line-numbered text. Records read state for later guarded writes. |
write |
Creates or overwrites a UTF-8 file. Existing files must be read earlier in the run. |
edit |
Applies an exact string replacement to a UTF-8 file after the file has been read. |
apply_patch |
Applies a unified diff to existing workspace files after affected files have been read. |
delete |
Deletes a file after it has been read. Directory deletion requires recursive=true and root paths are guarded. |
copy |
Copies one file to another path. Overwriting requires prior read state for the destination. |
move |
Moves or renames one file. The source must be read first; overwriting requires prior destination read state. |
inspect_file |
Inspects bytes, size, MIME type, previews, hashes, and direct PNG/JPEG/GIF/WebP image content when practical. |
find |
Finds files by glob pattern, excluding common generated directories such as node_modules and .git. |
exec |
Runs a shell command in the workspace with capped output, denied dangerous command patterns, abort support, and an execution timeout. |
process |
Lists, reads logs for, or kills background processes started by exec background=true. |
web_fetch |
Fetches an HTTP or HTTPS URL and returns readable text capped at 1 MB. |
cron |
Schedules, lists, updates, removes, manually runs, inspects runs for, or wakes Gateway-owned cron jobs through the task scheduler module. |
task |
Starts an immediate in-memory background task by calling the background task module; this is the tool for “run a task in background”. |
open_browser |
Opens an HTTP or HTTPS URL in the user’s default browser. |
browser |
Controls the managed browser: lifecycle, tabs, navigation, snapshots, screenshots, and element actions. |
cron_add, cron_list, and cron_remove exist as legacy helper exports, but
they are not part of the current default local tool registry exposed by
AgentService.
Dynamic Tools
These tools are added only when the corresponding runtime condition applies.
| Tool or family | When it appears |
|---|---|
startup_files |
Added only for pending primary bootstrap runs. During bootstrap, it is the only local tool exposed. |
heartbeat_respond |
Added for heartbeat runs when heartbeat tool reporting is enabled. |
execute_skill |
Added when skill discovery selects an executable skill that is not read from a file-backed location. |
| Media generation tools | Added when a text-to-speech, text-to-video, or text-to-image module is configured with a capable provider/model and runtime adapter. |
| Plugin tools | Available through the run-scoped assembler when plugin tools are included by policy. |
| MCP tools | Available through the run-scoped assembler when MCP tools are explicitly included. |
| LSP tools | Available through the run-scoped assembler when an LSP runtime supplies capabilities. |
| Client tools | Available through the run-scoped assembler when the client provides hosted tool definitions. |
tool_search |
Searches hidden tools when run-scoped tool-search compaction is enabled. |
tool_describe |
Returns schema and metadata for a hidden tool when tool-search compaction is enabled. |
tool_call |
Executes a hidden tool through the same wrapped execution path when tool-search compaction is enabled. |
Scheduling And Background Tasks
cron is the agent-facing tool for the task scheduler module documented in
scheduled.md. Use it for future, delayed, recurring,
reminder, wake, and manual-run scheduling. The agent should not emulate
scheduling with sleep loops, shell loops, long-running polling, or model-side
timers.
Use cron only when the request is actually scheduled.
Use task for immediate background task creation through the background task
module documented in background.md. When the user
asks to “run a task in background”, the agent should call task so the request
goes through a registered background task handler.
Use text_to_image when the user asks the agent to generate, edit, or vary an
image and store the result in the workspace as part of the current turn. The
tool should be a thin wrapper around the text-to-image module documented in
text-to-image.md. It accepts prompt instructions, safe
generation options, safe input asset references, and a workspace-relative output
path or output directory. It must validate that every generated file stays
inside the workspace, then return normalized local image references.
Long-running or background image work should still go through task with the
registered image.create task type.
Media and ML module tools, such as TTS, STT, text-to-image, video, sound, OCR, or embedding tools, should be thin wrappers around their module services. They must not own credentials, provider/model selection, or provider-specific request payloads.
Prompt Narrowing
The default service path narrows the candidate list for each turn.
- Explicit no-tool requests return no prompt tools.
- Tool inventory requests skip narrowing and expose all currently available tools.
- Bootstrap runs expose only
startup_files. - Otherwise, tool selection is forced and capped at 8 prompt tools by default.
- Discovery filters disabled tools, tools without required permissions, tools above the current safety level, and tools outside privacy constraints.
- Ranking scores tools by request term matches, inferred category, memory preferences, recent success, schema specificity, reliability, cost, latency, and safety.
- File mutation tools
write,edit,apply_patch,delete,copy, andmoveautomatically keepreadavailable when it exists. - Skill selection can force a skill’s required or allowed tools into the prompt.
File-backed skills also force
readwhen needed. - Heartbeat runs can force
heartbeat_respondinto the prompt.
The system prompt lists only the selected tools for the turn. When narrowing selects ranked tools, a compact tool-card section is added with purpose, when-to-use guidance, when-not-to-use guidance, required inputs, safety notes, and an example call. The provider receives only each selected tool’s name, description, and JSON schema.
Use
The model chooses whether to call one of the tools that were exposed for the turn. The runtime does not force a tool call.
When a provider streams a tool call, the runtime collects the call id, tool name, and JSON argument deltas. Invalid JSON is returned to the model as a tool error and the tool is not executed. A call to a tool name that was not exposed for the turn is also returned as a tool error.
Before execution, identical calls are tracked per turn. The third identical call and later receive a warning. After more than 5 identical calls, execution is vetoed and the model receives a loop-detector error. Legacy approval markers are recorded for tools that require approval, but the current path does not pause the agent loop for an approval prompt.
Execution then goes through the managed tool path.
- Arguments are extracted from the raw call, sanitized against the input schema, normalized, and validated.
- Unknown fields or missing required fields produce a clarification-style tool error instead of executing.
- Common values are normalized where supported, such as numeric strings, email
casing, currency casing, units, and relative dates like
todayortomorrowin the session timezone. - Input schema validation runs before the tool executes.
- Per-tool rate limits and the per-turn tool-call limit are enforced.
- Tools run with an abort signal. Managed execution has a default timeout and transient failures can retry with backoff.
- Tool outputs are validated against the output schema.
- Prompt-injection-like tool output is treated as untrusted and normalized before it is returned to the model.
- Empty, partial, stale, contradictory, or otherwise suspicious output can add warnings.
- Tool calls are audited with sensitive values redacted.
Tool results are appended to the transcript as tool messages. The agent loop then calls the provider again with the updated transcript. This repeats until the provider stops calling tools, the run is cancelled, the context is compacted after one overflow retry, or the max iteration limit is reached.
Tool lifecycle events are streamed to the renderer: call start, argument deltas, parsed input, result, status, duration, and displayable output text. Run logs record selected tool names, the tool-policy reason, phase durations, iterations, and tool-call outcomes.