tool_restrictions
Whether agents can be restricted to specific tools via allowlists, denylists, tool categories, or per-tool configuration maps.
Type: bool
Content type: agents

Provider Support

| Provider | Supported | Mechanism |
|---|---|---|
| claude-code | ✓ | tools allowlist and disallowedTools denylist in frontmatter; Agent(type) syntax restricts which subagent types a main-thread agent can spawn |
| copilot-cli | ✓ | tools field with cross-provider alias system (execute/shell/Bash, read/Read, edit/Edit, etc.); ["*"] grants all tools; unrecognized names silently ignored |
| cursor | ✓ | readonly frontmatter flag restricts an agent to read-only tools; fine-grained per-tool allow/deny lists are not documented |
| factory-droid | ✓ | categorical tool policy using named categories (filesystem, shell, search, browser, web_fetch); differs from per-tool allowlists used by other providers |
| kiro | ✓ | tools array with exact names, wildcards (computer_*), or MCP-namespaced refs (mcp:serverName:toolName); toolsSettings for per-tool config objects |
| opencode | ✓ | permission frontmatter map configures ask/allow/deny per tool, replacing the deprecated tools allow/deny map |
| roo-code | ✓ | groups array declares which tool groups (e.g., read, edit, browser, command, mcp) the mode may use; group entries may be strings or objects with fileRegex restrictions |
| codex | ✗ | role config layers override model/settings but no explicit tool allowlist or denylist in role definitions |
| crush | ✗ | not documented |
| windsurf | ✗ | not documented |
| zed | ✗ | not documented |