tool_restrictions
Whether agents can be restricted to specific tools via allowlists, denylists, tool categories, or per-tool configuration maps.
Type: bool
Content type: agents
Provider Support
| Provider | Supported | Mechanism |
|---|---|---|
| claude-code | ✓ | tools allowlist and disallowedTools denylist in frontmatter; if both are set, disallowedTools is applied first, then tools is resolved against the remaining pool; Agent(type) syntax in the tools allowlist restricts which subagent types a main-thread agent can spawn |
| copilot-cli | ✓ | tools field with cross-provider alias system (execute/shell/Bash, read/Read, edit/Edit, etc.); ["*"] grants all tools; unrecognized names silently ignored |
| cursor | ✓ | readonly frontmatter flag restricts an agent to read-only tools; fine-grained per-tool allow/deny lists are not documented. |
| factory-droid | ✓ | tools field accepts a category string (read-only, edit, execute, web, mcp), an explicit array of tool IDs (["Read", "Edit", "Execute"], case-sensitive), or omission for all tools; TodoWrite is automatically included for all droids |
| gemini-cli | ✓ | tools array in frontmatter; supports wildcards: '*' for all built-in and MCP tools, 'mcp_*' for all MCP tools, 'mcp_<server-name>_*' for tools from a single MCP server. If omitted, the subagent inherits the full tool set from the parent session. |
| kiro | ✓ | tools array with exact names, wildcards (computer_*), or MCP-namespaced refs (@server_name); allowedTools list for tools requiring no user approval; toolsSettings map for per-tool behavioral config |
| opencode | ✓ | The permission frontmatter map configures ask/allow/deny per tool using named permission keys (read, edit, bash, glob, grep, list, task, external_directory, todowrite, webfetch, websearch, lsp, skill, question, doom_loop) or wildcard glob patterns against tool names. Keys that support fine-grained control (read, edit, glob, grep, list, bash, task, external_directory, lsp, skill) accept either a shorthand action string or an object of glob/pattern → action. |
| roo-code | ✓ | groups array declares which tool groups (e.g., read, edit, browser, command, mcp) the mode may use; group entries may be strings or objects with fileRegex restrictions |
| amp | ✗ | not documented |
| cline | ✗ | not documented |
| codex | ✗ | role config layers override model/settings but no explicit tool allowlist or denylist in role definitions |
| crush | ✗ | not documented |
| pi | ✗ | not documented |
| windsurf | ✗ | not documented |
| zed | ✗ | not documented |