Agent tools
The default builtin tools available inside managed runs.
Managed runs inject the complete builtin tool set into the agent by default:
bash,code_execution— run shell commands / model-written snippetsread_file,write_file,edit_file— file read/create/patchgrep,glob— search file contents and pathshead,tail— read bounded file slicesls,stat,wc— list a directory, inspect path metadata, count lines/words/bytesweb_fetch,web_search— fetch a URL / managed web searchtodo_write— maintain a todo listsubagent,subagent_result— delegate to and read back from child runs (see Subagents)bash_output,bash_kill— manage background bash jobswait,git— bounded idle-yield and first-class git
Toggling builtins
Set includeBuiltinTools: false to inject NO builtins — useful for a pure-MCP
or pure-custom run where every tool comes from mcpServers or tools.
includeBuiltinTools defaults to true.
Cherry-picking builtins
The tools list accepts both custom tool bundles and BUILTIN tool references
(bare name strings, preferably BuiltinTools.<name>). Use builtin references
to pick a narrow subset alongside includeBuiltinTools: false.
The final tool list is ordered: resolved builtin tools, then custom tools, then MCP tools.
Custom tools
Attach your own tool in tools as a bundle built with Tool.fromFiles(...) (an
explicit { entry, files }) or Tool.fromPath(dir) (a directory with a
tool.json at its root). The bundle's entry must be a JS module — a
.js/.mjs/.cjs file present in the bundle that default-exports a function
or an object with an execute method. This is validated at authoring time, so
a non-JS entry (e.g. a run.sh) is rejected right where you build the tool, not
opaquely mid-run when the runtime's module loader would fail to import it.
Networking is open by default within the platform's managed egress ceiling and
a fixed SSRF deny-list. web_fetch and web_search reach the network over a
managed, SSRF-guarded path that is not governed by environment.networking,
so their hosts never need to be listed in a limited allowlist. Setting
environment.networking.mode to limited restricts only the agent's own
arbitrary egress (e.g. a curl in bash); the built-in web tools keep working.
See Networking for the full two-layer model.
Disable builtins
import { Models } from "@aexhq/sdk";
await aex.run({
model: Models.CLAUDE_HAIKU_4_5,
message: "Use only the declared MCP tools.",
mcpServers,
includeBuiltinTools: false,
apiKeys: { anthropic: process.env.ANTHROPIC_API_KEY! }
});