MCP Tools Reference
cmdop mcp stdio advertises the same tool catalog the local agent uses. Whatever Claude Desktop or Cursor see on this page, cmdop chat also sees — there is no separate “MCP-only” surface.
Every tool call from an MCP client routes through the permission gate. Floor checks (protected paths, dangerous shell signatures) apply unconditionally.
How to read this page
Each tool entry lists:
- Name — what the MCP client calls.
- Category — terminal, file-read, logs, remote-dispatch, board, meta.
- Inputs — JSON Schema sketch (full schema ships on every turn).
- Returns — the shape of the response.
- Gate — what the gate inspects (tool name plus the argument it matches against).
Terminal and system tools
| Tool | Inputs | Returns | Gate matches |
|---|---|---|---|
execute_command | command: string, cwd?: string, timeout_ms?: int | {stdout, stderr, exit_code} | command |
shell_tasks | (none) | [{id, command, started_at, status}] | n/a |
shell_kill | task_id: string, signal?: string | {killed: bool} | task_id (audited) |
write_file | path: string, content: string | {bytes_written} | path |
open_file | path: string | {opened: bool} | path |
download_file | url: string, dest: string | {path, bytes} | dest |
Floor-blocked patterns include rm -rf /, fork bombs, redirects to block devices, writes to .env / .git / ~/.ssh, and absolute paths under /etc, /System, ~/Library/Keychains.
{
"name": "execute_command",
"input_schema": {
"type": "object",
"properties": {
"command": { "type": "string" },
"cwd": { "type": "string" },
"timeout_ms": { "type": "integer", "minimum": 1, "maximum": 600000 }
},
"required": ["command"]
}
}File-read tools
| Tool | Inputs | Returns |
|---|---|---|
read_file | path: string, start?: int, end?: int | {content, truncated} |
grep | pattern: string, path: string, glob?: string | [{file, line, text}] |
glob | pattern: string, cwd?: string | {matches: [string]} |
list_dir | path: string | [{name, type, size}] |
Read-only by definition. Floor still enforces protected paths — even reading ~/.ssh/id_rsa is denied.
Logs
| Tool | Inputs | Returns |
|---|---|---|
read_logs | since_minutes?: int, level?: string, match?: string | {lines: [string]} |
Tails the local daemon log file, with optional level and substring filter. Useful for the agent to self-diagnose.
Remote dispatch — the high-leverage section
These tools turn a single MCP entry on your laptop into reach across the whole fleet. Full theory lives in Agent Communication.
| Tool | Inputs | Returns | Gate matches |
|---|---|---|---|
connect | operation: string, hostname?: string, … | varies by operation | hostname |
ssh_session | operation: open|send|read|close|list, session_id?, command? | varies | hostname (open) |
ask_agent | hostname: string, prompt: string, timeout_ms?: int | {text, tool_calls} | hostname |
ask_agent_stream | same as ask_agent | streamed events | hostname |
ask_agents | hostnames: [string], prompt: string, per_host_timeout_ms?: int, total_timeout_ms?: int | {by_host: {...}, timed_out: [...]} | hostname (per host) |
The connect dispatcher accepts these operations:
list— enumerate machines in the active workspace.exec— one-shot remote command.share— mint a share link.key_set,key_show,key_clear— workspace API key management.workspace_list,workspace_use,workspace_sync— multi-workspace control.whoami— return the local hostname and matched machine ID.
{
"name": "ask_agents",
"input_schema": {
"type": "object",
"properties": {
"hostnames": { "type": "array", "items": { "type": "string" } },
"prompt": { "type": "string" },
"per_host_timeout_ms": { "type": "integer", "minimum": 1000, "maximum": 300000 },
"total_timeout_ms": { "type": "integer", "minimum": 1000, "maximum": 600000 }
},
"required": ["hostnames", "prompt"]
}
}Board tools
Backed by the workspace board store. Same data the desktop Board tab and cmdop issue ... use.
| Tool | Inputs | Returns |
|---|---|---|
issue_list | status?: string, assignee?: string | [{id, title, status, ...}] |
issue_get | id: string | {id, title, body, comments, ...} |
issue_create | title: string, body?: string, assignee?: string | {id, url} |
issue_update | id: string, body?, status?, assignee? | {ok: true} |
issue_close | id: string, reason?: string | {ok: true} |
Meta tools
| Tool | Inputs | Returns |
|---|---|---|
todo_write | items: [{text, done}] | rendered task list block |
skill_list | (none) | [{name, origin, description}] |
skill_run | name: string, prompt: string | sub-session result |
delegate_task | prompt: string, tools?: [string] | sub-session result |
task_status | task_id: string | {status, ...} |
permissions_helper | operation: explain|show_policy|show_audit_context|suggest_rule, … | varies |
permissions_helper is read-only except for suggest_rule, which routes to the modal — the agent can ask for permission but cannot self-grant.
Schema stability
Tool descriptors ship on every turn, so an MCP client always sees the current shapes. Tool names do not change without a major version bump. If a name disappears between releases, treat that as a breaking change and check the changelog.