A Qor without tools is a chat bot. A Qor with tools can read files, browse the web, send emails, open PRs, query databases, generate images, automate browsers, and delegate to other Qors. Tools are the difference.

The taxonomy

Research & web

research, scrape, crawl, web_fetch, weather, flight_search.

Filesystem & code

filesystem, exec, apply_patch, lsp_bridge, codebase_digest, project_registry, glob, grep.

Browser automation

Selector primitives + browse_and_act + computer_use for canvas-heavy UIs.

Media

TTS, STT, image generation, image understanding, screen share.

Data

sql_query, read_document, storage, email, memory, sessions.

Delegation

delegate_to_agent, manage_agents — coordinate your agent team.

Safety

safety, ssrf, outbound_gate, policy, sandbox_mode.

Custom + MCP

Write your own in Go, or plug in any MCP server.

Anatomy of a tool call

{
  "tool": "web_fetch",
  "args": { "url": "https://example.com/article" }
}
The gateway:
1

Validates

Args parsed against a JSONSchema. Unknown args rejected.
2

Checks allowlist

Is this Qor allowed to call this tool? Approvals required if destructive.
3

Runs

Tool’s Execute method runs. For some tools this shells out (browser, code exec). Others are in-process.
4

Audits

Every tool call + result → audit log.
5

Returns

Result (ForLLM + ForUser halves — widget emission →).

Allowlists — the security knob

Each Qor has a tools_allowed list. By default: all tools except destructive ones. Recommended for specialised Qors: 
# Researcher Qor
tools_allowed:
  - research
  - scrape
  - web_fetch
  - read_document
  - memory_search

# Coder Qor
tools_allowed:
  - filesystem
  - exec          # requires approval
  - apply_patch
  - lsp_bridge
  - codebase_digest
  - project_registry
  - glob
  - grep
Restricting tools is the first defence against prompt injection. A research Qor with no exec can’t be tricked into running rm -rf. Security model →

Approvals

Tools marked destructive=true require human approval at each call unless the Qor is in approval_required: false mode. Destructive defaults:
  • exec — runs arbitrary commands
  • apply_patch — modifies source files
  • send_email — outbound communication
  • send_message — outbound IM
  • delete_file, drop_table, etc.
See approvals →.

Writing your own tool

Two paths:

Go tool in-repo

Fastest, most powerful. Implement the Tool interface, register in the tool registry. Ships with the next build.

MCP server

Language-agnostic. Expose tools via the Model Context Protocol; Qorven discovers and wires them automatically.

Where next

How tools work

Deep-dive on the execution model.

Approvals

Gating destructive operations.

Deny lists

Per-Qor allowlists + install-wide bans.

Custom tools

Adding a tool to Qorven.