Skip to content
Agentic Control Plane

The Coding Agent Tool Surface Index

Every agent harness that speaks a modern LLM API declares its full tool list in every single request — the model can’t call a tool it can’t see. That means an agent’s real capability surface isn’t in its documentation; it’s in its traffic. This page indexes those surfaces, per client, captured from live requests — the declared surface, not the marketed one.

Surfaces drift: harnesses lazy-load tools mid-session, MCP servers connect, updates add families. The captures below are maintained by the same drift detection we run in production — when a client’s declaration changes, this page is due an update.

Verdicts follow the posture argued in Which Claude Code tools should you deny out of the box?: allow the core loop, deny the outward tail until first need, gate the irreversible.

At a glance

ClientTools declaredCan send / publishCan schedule itselfSpawns sub-agentsBrowser control
Claude Code (v2.1, captured 2026-07)76Yes — messages, push, published web pagesYes — cron + wakeupsYes — local, remote, multi-agent workflowsYes — 21 tools, acts in the user's logged-in browser when the extension is connected
OpenAI Codex CLI (v0.142, captured 2026-07)17No first-party send/publish toolsNoNo first-party spawn (plugins can add)No
OpenClaw / Zed / SDK agentsCaptures pending — same method applies to anything speaking the Messages or Responses API.

The headline isn’t that one number is bigger. It’s that the two harnesses embody different philosophies: Codex ships a tight execution core and pushes everything else to plugins; Claude Code ships a broad standing surface — including families most users have never watched it invoke.

Claude Code — 76 tools declared

Captured from a live session, Claude Code 2.1.x with the Chrome extension and claude.ai connectors available. Three distinct layers:

Core harness — 35 tools

The coding loop and its scaffolding. Grouped by blast radius, with the out-of-box verdict:

FamilyToolsOut of the box
Read-onlyRead Grep Glob CronList TaskList TaskGet TaskOutput ListMcpResourcesTool ReadMcpResourceTool ReadMcpResourceDirTool MonitorALLOW
Local writeEdit Write NotebookEdit TaskCreate TaskUpdate TaskStop EnterWorktree ExitWorktreeALLOW
ExecutionBashALLOW + sandbox
Network readWebFetch WebSearchFLAG
SendSendMessage PushNotificationDENY until needed
PublishArtifact (hosted public pages) DesignSync ReportFindingsDENY
ScheduleCronCreate CronDelete ScheduleWakeupDENY
SpawnAgent Workflow RemoteTriggerFLAG local ok · deny remote
Interaction / metaAskUserQuestion Skill EnterPlanMode ExitPlanModeALLOW

Browser control — 21 tools (when the Chrome extension is connected)

navigate, computer (click/type/screenshot), form_input, file_upload, javascript_tool, read_page, get_page_text, read_console_messages, read_network_requests, tab management, shortcuts, GIF recording, and more.

This is the largest single grant in the surface and the least discussed: these tools act as the user, in the user’s logged-in browser. A form_input + javascript_tool pair is authenticated action on any site the user has a session with. Verdict: ASK — the reads (screenshot, page text) are defensible to allow; anything that clicks, types, uploads, or executes JS deserves a human gate.

Connectors — 20 tools (claude.ai MCP servers)

OAuth flows and actions for Gmail, Google Calendar, Google Drive, Notion, Canva, job boards, and custom servers. Each authenticate pair is the doorway to a whole account. Verdict: ASK, case-by-case — a connector your workflow doesn’t use is pure downside standing open.

OpenAI Codex CLI — 17 tools declared

Captured from Codex 0.142.x via the Responses API. A deliberately tighter core:

FamilyToolsOut of the box
Executionexec_command write_stdin apply_patchALLOW + sandbox
Network readweb_searchFLAG
Planning / goalsupdate_plan create_goal get_goal update_goalALLOW
Mediaimage_generation view_imageALLOW
Plugins / MCPtool_search list_available_plugins_to_install request_plugin_install list_mcp_resources list_mcp_resource_templates read_mcp_resourceFLAG plugin install = surface growth
Interactionrequest_user_inputALLOW

Two things worth noticing. First, no first-party send/schedule/publish family at all — Codex’s outward surface arrives via plugins, which makes request_plugin_install the tool to watch: it’s not dangerous itself, it’s how the surface grows. Second, exec_command/write_stdin are a full interactive shell — the sandbox posture carries all the weight.

How to capture your own

You don’t need special tooling to check any of this: dump one request body from your harness (a logging proxy or mitmproxy session will do), list the tools array, and you have your real surface. Diff it across sessions and you have drift detection.

Doing that continuously — every declaration captured, every change diffed, every tool a click to allow, flag, deny, or gate — is what ACP does. One command, and this page’s tables become a live, governable view of your own agents:

curl -sf https://agenticcontrolplane.com/install.sh | bash

Captures dated 2026-07. Surfaces change with client versions — if you spot a drift we haven’t indexed yet, tell us.