// reference · 04

Tools and exit criteria

The agent acts through tools with validated args and try/except — a tool never brings the loop down. Each carries metadata (category · tier · sensitivity); an anti-…

Sensitivity and handling

sensitivityhandling
saferuns directly (read, list, recall…)
sensitivego/no-go per mode (write, edit, process_write/kill, spawn, browse…)
dangerousalways goes through approval (run_shell, process_start)

Tool registry

categorytools
conversationrespond (terminal)
fileread_file · write_file* · edit_file* · list_dir · find_files
shellrun_shell †
processprocess_start † · poll · wait · log · list · write* · signal* · kill*
memoryremember · recall_memory · remember_user
skilluse_skill
subagentspawn*
webbrowse*
mediagenerate_image
controlfinish_setup · task_complete · task_blocked · need_input

Background processes

The process_* group runs long commands without blocking the turn, with on-disk state that survives a restart, an interactive PTY (process_write sends stdin), notify_on_complete and watch_patterns. All under the same sandbox policy as run_shell.

Exit criteria

The criteria the harness verifies before accepting task_complete (the -e flag of okami task, repeatable):

params file_exists:<path> criterion The file exists in the workspace. file_contains:<path>:<text> criterion The file exists AND contains the text. shell_ok:<cmd> criterion The command exits 0 (e.g. pytest -q). ui_gate criterion The UI-contract verification gate passes.

Approval classification

classify() assigns a category + risk to an action. Actions that trigger go/no-go:

categorytrigger · risk
identity_filewriting SOUL/VOICE/PERSONA · high
env_file / secret_filewriting .env, *.key/.pem, credentials · high
destructive_shellrm -rf, mkfs, dd to /dev · critical
sudo / publishsudo · npm/pip/cargo publish · high
git_push / network_writegit push · curl -X POST/PUT/DELETE · medium
system_changechmod, docker rm/rmi/system prune · medium

Open this page in the interactive docs