D2.1 through D2.4 designed tools, their failure contracts, their distribution, and the wiring of external MCP servers. This chapter steps back to the tools an agent already has on the first turn — the fixed built-in roster — and the permission machinery that decides whether any given one actually fires. The exam angle is recognition: the exact roster, the read-versus-write execution split, the six modes, the evaluation order, and one high-value trap where a developer thinks they have locked an agent down and have not.

Do I know this already? Diagnostic

Answer these confidently and you can skim ahead to Exam essentials; if any is shaky, read closely — each is developed below.

Name the six core built-in tools. Does allowed_tools=["read"] pre-approve the file reader?
Which built-in tools may run concurrently, and what single property decides it?
Name the six permission modes; which one restricts the agent to read-only tools?
In what order does the SDK evaluate hooks, deny rules, the permission mode, allow rules, and canUseTool?
You set allowed_tools=["Read"] and permission_mode="bypassPermissions". What can the agent actually do?

Check your answers

Read, Write, Edit, Grep, Glob, Bash — names are matched exactly, so allowed_tools=["read"] pre-approves nothing (the tool is Read).
Read-only tools (Read, Glob, Grep) may run concurrently; the deciding property is whether a tool is read-only or state-modifying — Edit, Write, and Bash run sequentially.
default, acceptEdits, plan, dontAsk, bypassPermissions, auto (TypeScript-only) — plan restricts the agent to read-only tools.
Hooks → Deny rules → Permission mode → Allow rules → canUseTool — deny rules and hooks sit above the mode, so they bind even under bypassPermissions.
Every tool, including Bash, Write, and Edit — allowed_tools only pre-approves and never restricts; the allowlist is not a sandbox.

The built-in tool roster

Every agent starts with a fixed roster of built-in tools — the SDK ships roughly fourteen of them, in six categories, identical to those that power Claude Code. [Official] Agent SDK overview · AnthropicT1-official original How the agent loop works · AnthropicT1-official original The six that do the everyday work of reading and changing a codebase are Read, Write, Edit (file operations), Grep, Glob (search), and Bash (execution). The parity with Claude Code is explicit: “The SDK includes the same tools that power Claude Code,” [Official] How the agent loop works · AnthropicT1-official original and “Everything that makes Claude Code powerful is available in the SDK.” [Official] Agent SDK overview · AnthropicT1-official original Beyond this built-in set sit MCP server tools (Chapter D2.4) and your own custom tools; this chapter is about the built-ins every agent has from the start.

These names are exact — they appear verbatim in allowed_tools / allowedTools rules and as the tool_use.name block in messages, so Read is the tool and read is not. [Official] How the agent loop works · AnthropicT1-official original

Read-only and state-modifying tools run differently

The roster splits along a line that the runtime cares about: whether a tool reads state or changes it. Read-only tools — Read, Glob, Grep, and MCP tools marked read-only — can run concurrently; tools that modify state — Edit, Write, and Bash — run sequentially to avoid conflicts. Custom tools default to sequential execution and opt into parallelism by setting readOnlyHint in their annotations. [Official] How the agent loop works · AnthropicT1-official original

Gating the tools: six permission modes

Having a tool in the roster does not mean it fires. When the model requests a tool, the active permission mode is consulted, and there are six: default, acceptEdits, plan, dontAsk, bypassPermissions, and auto (TypeScript-only). [Official] Configure permissions · AnthropicT1-official original Two are worth memorizing for the exam because they change the tool surface directly: plan restricts the agent to read-only tools, so it explores and proposes a plan without editing source files; acceptEdits auto-approves file edits and filesystem commands (mkdir, touch, rm, rmdir, mv, cp, sed) — but only inside cwd plus additionalDirectories, and paths outside that scope, or protected paths, still prompt. [Official] Configure permissions · AnthropicT1-official original

Concept ·

Mode	What it does to the tool surface
`default`	No auto-approvals; unmatched tools hit your `canUseTool` callback (no callback ⇒ deny).
`acceptEdits`	Auto-approves edits + filesystem commands (`mkdir`/`touch`/`rm`/`rmdir`/`mv`/`cp`/`sed`) inside `cwd`/`additionalDirectories`; other `Bash` follows default rules.
`plan`	Read-only tools only; no edits to source files.
`dontAsk`	Anything not pre-approved by rules is denied; `canUseTool` is never called.
`bypassPermissions`	All tools run without prompts — but deny rules, explicit `ask` rules, and hooks still apply. Cannot run as root on Unix.
`auto` (TS only)	A model classifier approves or denies each call.

Allow and deny rules — and the five-step order

Within a mode, allow and deny rules pre-approve or block specific tools and calls. A bare name and a scoped pattern behave differently: allowed_tools=["Read", "Grep"] auto-approves those tools; disallowed_tools=["Bash"] removes Bash from the request entirely, so the model never sees it; and disallowed_tools=["Bash(rm *)"] keeps Bash available but denies any rm * call — in every mode, including bypassPermissions. [Official] Configure permissions · AnthropicT1-official original All of this resolves through a fixed sequence: “When Claude requests a tool, the SDK checks permissions in this order: 1. Hooks. 2. Deny rules. 3. Permission mode. 4. Allow rules. 5. canUseTool callback.” [Official] Configure permissions · AnthropicT1-official original

Why a deny rule beats bypassPermissions Worked example

An agent runs under permission_mode="bypassPermissions" (chosen to suppress prompts in a headless run) with a guardrail: disallowed_tools=["Bash(rm -rf *)"]. The model requests Bash(rm -rf /data). Walk the five-step order:

Hooks — any PreToolUse hook runs first; suppose none match.
Deny rules — Bash(rm -rf *) matches → denied, here, before the mode is ever consulted.
(Permission mode — never reached for this call.)
(Allow rules — never reached.)
(canUseTool — never reached.)

The rm -rf is blocked even though the mode is bypassPermissions, because deny rules (step 2) and hooks (step 1) sit above the mode (step 3). Flip it around to see the trap: allowed_tools=["Read"] lives at step 4, below the mode — so under bypassPermissions the mode approves everything at step 3 and the allowlist is never consulted. Order is everything: forbid high (hooks/deny), permit low (allow rules).

The high-value trap lives in the gap between pre-approving and restricting. allowed_tools only pre-approves the tools you list; it does not filter everything else out. Set allowed_tools=["Read"] alongside permission_mode="bypassPermissions" and the agent “still approves every tool, including Bash, Write, and Edit.” [Official] Configure permissions · AnthropicT1-official original The allowlist was never a sandbox.

The day-to-day use of these tools — the muscle memory of Read, Edit, and Bash inside a working session — is the handbook’s territory (the Use book’s chapter on Claude Code’s toolset); this chapter is the architect’s exam angle on the roster and the permission surface that gates it.

Practice

Exercise solutions

Solution ↑ Exercise

C. allowed_tools pre-approves the tools you list; it never restricts the ones you omit. Paired with bypassPermissions, the configuration “still approves every tool, including Bash, Write, and Edit” — the allowlist is silently irrelevant (it sits at step 4 of the evaluation order, below the mode at step 3). A is the core misconception (treating the allowlist as a filter). B confuses this with acceptEdits, which is the mode that auto-approves filesystem commands — bypassPermissions approves everything, not just filesystem ops. D invents a conflict; the two settings combine without error, which is exactly why the trap is dangerous. The fix: drop bypassPermissions and use permission_mode="plan" (read-only tools only), or keep a stricter mode and add a deny rule such as disallowed_tools=["Write", "Edit", "Bash"] — deny rules block even under bypassPermissions. Reach for the allowlist to permit, and for the mode or a deny rule to forbid.

Solution ↑ Exercise

The three Read calls may run concurrently; the Edit must run on its own (sequentially). The deciding property is whether a tool is read-only or state-modifying: read-only tools (Read, Glob, Grep) can run in parallel because they cannot conflict, while state-modifying tools (Edit, Write, Bash) run sequentially to avoid clobbering each other. So the runtime can fan out the three reads at once, then run the single edit after.

Solution ↑ Exercise

(a) plan mode — it restricts the agent to read-only tools, so it can explore and propose changes but cannot edit any source file, with no allow/deny list to maintain. (b) acceptEdits — it auto-approves file edits and filesystem commands (mkdir/rmdir/mv/…) inside cwd plus additionalDirectories, while paths outside that scope (and protected paths) still prompt. plan forbids edits entirely; acceptEdits permits them but only within the working scope.

Exam essentials

The roster is fixed and the names are exact — Read, Write, Edit, Grep, Glob, Bash are the six core built-ins (of ~14), identical to Claude Code’s; they appear verbatim in allow/deny rules and as tool_use.name, and a mis-cased name matches nothing.
Read vs write decides parallelism — read-only tools (Read/Glob/Grep) run concurrently; state-modifying tools (Edit/Write/Bash) run sequentially; custom tools default to sequential and opt in via readOnlyHint. Orthogonal to D2.3’s disable_parallel_tool_use.
Six permission modes — default, acceptEdits, plan, dontAsk, bypassPermissions, auto (TS). plan = read-only; acceptEdits = auto-approve edits + filesystem ops (mkdir/touch/rm/rmdir/mv/cp/sed) inside cwd/additionalDirectories, prompt outside.
Five-step evaluation order — Hooks → Deny rules → Permission mode → Allow rules → canUseTool. Deny rules and hooks fire before the mode, so they bind even under bypassPermissions; allow rules fire after it, so the mode can override them.
The allowlist trap — allowed_tools pre-approves, it does not restrict; with bypassPermissions it approves everything regardless. Confine with plan mode or a deny rule, never with the allowlist alone.

Part 2 · D2 Review

5 exercises across 5 chapters — interleaved review.

d2-01-tool-interfaces

d2-01-ex-consolidate-vs-split A teammate ships three tools — `get_customer_by_id`, `list_customer_transactions`, and `list_customer_notes` — and reports that the agent often calls only the first and then stalls. You may redesign the interface. Propose a single consolidated tool (give its name, a one-sentence description, and the boundary it draws), and name the two interface principles your redesign applies.

d2-02-structured-errors

d2-02-ex-channel-and-content Your booking tool (exposed over MCP) receives a departure date in the past. A colleague wants to return a JSON-RPC `-32602 Invalid params` error. (a) Which channel is correct, and why? (b) Write the one-sentence error content the tool should return. (c) Would `strict: true` have prevented this particular failure? Explain. (d) If the same tool were called directly over the Claude Messages API instead of MCP, what changes about the *spelling* of the failure flag?

d2-03-tool-choice-distribution

d2-03-ex-mode-selection You are building an agent that (a) must produce a JSON classification by calling your `record_decision` tool on every turn with valid inputs, and (b) you also want extended thinking enabled so it reasons first. A colleague sets `tool_choice: {"type": "tool", "name": "record_decision"}`. What goes wrong? What configuration gets you the *schema-valid guaranteed* tool call, and what must you give up to also keep thinking?

d2-04-mcp-configuration

d2-04-ex-scope-and-secret Your team needs a `postgres` MCP server available to everyone who clones the repo, but the connection string must not be committed. (a) Which scope and file do you use, and what `claude mcp add` flag sets that scope? (b) Show the `env` field using the documented expansion syntax. (c) A teammate later adds the *same* server name in their personal `~/.claude.json`. Which definition wins on their machine, and why?

d2-05-builtin-tools

d2-05-ex-allowlist-vs-bypass A developer wants a "read-only" agent for an automated audit. They configure it with `allowed_tools=["Read"]`, reasoning that listing only `Read` confines the agent to reading. To suppress every approval prompt in the headless run, they also set `permission_mode="bypassPermissions"`. Which tools can the agent actually use, and what is the one-line fix that would genuinely confine it? - **A.** Only `Read`; `bypassPermissions` still honors the allowlist, so the agent stays read-only as intended. - **B.** `Read` plus the filesystem commands (`mkdir`, `rm`, `mv`, `cp`) that `bypassPermissions` auto-approves. - **C.** Every tool, including `Bash`, `Write`, and `Edit`; `allowed_tools` only pre-approves and never restricts. - **D.** No tools; `allowed_tools=["Read"]` and `bypassPermissions` conflict, so the query raises an error.