moha gives Claude 16 tools. Each one declares its side effects as an EffectSet — the permission system uses these to decide whether to auto-approve or prompt you before execution.
All filesystem tools are scoped to the directory where you launched moha. Paths that resolve outside the workspace are refused.
Tool Catalog
| Tool | Effects | Timeout | Streaming |
|---|---|---|---|
| read | ReadFs | 20s | — |
| edit | ReadFs + WriteFs | 20s | ✓ |
| write | WriteFs | 20s | ✓ |
| bash | Exec | subprocess | ✓ |
| grep | ReadFs | 45s | — |
| glob | ReadFs | 30s | — |
| list_dir | ReadFs | 20s | — |
| todo | Pure | 5s | ✓ |
| web_fetch | Net | 30s | — |
| web_search | Net | 20s | — |
| find_definition | ReadFs | 30s | — |
| diagnostics | Exec | subprocess | — |
| git_status | ReadFs | 20s | — |
| git_diff | ReadFs | 20s | — |
| git_log | ReadFs | 20s | — |
| git_commit | WriteFs | 30s | ✓ |
Command Execution
bash executes inside bwrap (Linux) / sandbox-exec (macOS) — workspace + system libs + network are reachable; ~/.ssh, /etc, other projects are read-only.
File Editing
edit applies a targeted string replacement to an existing file. Shows you a diff before applying. Preferred over write for modifications — the model is nudged toward surgical edits rather than full-file rewrites.
All file writes are atomic: write → fsync → rename. A crash mid-write never leaves a half-written file.
MCP Tools
moha supports the Model Context Protocol. Add servers globally in ~/.config/moha/mcp.json or per-project in .moha/mcp.json. moha launches them at startup and adds their tools to the catalog.
Permission Profiles
moha uses an effect-based permission system. Tools declare what they do (read files, write files, hit the network, run subprocesses), and a single policy function decides whether to auto-approve or prompt you — based on your active profile.
Three profiles control how much autonomy Claude gets. Cycle between them with S-Tab during a session.
Ask (default)
Read-only inspection is trusted (otherwise every read/grep/glob would prompt and the agent loop becomes unusable). Everything that mutates state, runs code, or touches the network requires your approval.
moha --profile ask
Write (autonomous)
Everything auto-approves. Claude reads, writes, runs commands, and hits the network without asking. Use this when you trust the model and want maximum speed.
moha --profile write
Minimal (locked down)
Prompts for everything that touches the outside world — including file reads. Only pure in-memory operations (todo) auto-approve.
moha --profile minimal
Trust Matrix
The complete permission table. The policy is a constexpr function verified by static_assert at compile time.
| Effect | Write | Ask | Minimal |
|---|---|---|---|
| Pure | ✓ auto | ✓ auto | ✓ auto |
| ReadFs | ✓ auto | ✓ auto | ⚠ prompt |
| WriteFs | ✓ auto | ⚠ prompt | ⚠ prompt |
| Net | ✓ auto | ⚠ prompt | ⚠ prompt |
| Exec | ✓ auto | ⚠ prompt | ⚠ prompt |
Key properties:
- Write is fully autonomous. Every effect is allowed, no prompt is ever shown.
- Ask trusts reads. ReadFs and Pure auto-approve. Exec/WriteFs/Net prompt.
- Minimal prompts for everything except Pure. Even file reads require approval.
- Exec dominates. Any tool with Exec prompts under every non-Write profile, regardless of other effects.
Parallel Safety
When Claude dispatches multiple tool calls, the scheduler checks effect compatibility:
- ReadFs + ReadFs: safe — read-read never races
- ReadFs + Net: safe — no shared state
- WriteFs + anything: serialized — filesystem mutations need exclusive access
- Exec + anything: serialized — model controls what the subprocess does
This rule is derived from the capability model and verified at compile time, not sprinkled through the runtime.
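The Trust Matrix and the Parallel Safety rule above can be sketched as two constexpr functions pinned down by static_assert. This is an added example, not moha's own source: the names Effect, EffectSet, Profile, Decision, decide and parallel_safe, and the bitmask layout, are assumptions, and pairs the page does not list (such as Net + Net) are assumed safe to run in parallel.

```cpp
// Added illustration; every name here is an assumption, not moha's source.
#include <cstdio>

enum Effect : unsigned { Pure = 0, ReadFs = 1, WriteFs = 2, Net = 4, Exec = 8 };
using EffectSet = unsigned;                  // bitwise OR of Effect values
enum class Profile { Write, Ask, Minimal };
enum class Decision { Auto, Prompt };

// The single policy function: the whole trust matrix lives here.
constexpr Decision decide(EffectSet fx, Profile p) {
    switch (p) {
        case Profile::Write:   return Decision::Auto;        // everything allowed
        case Profile::Ask:     // only Pure and ReadFs are trusted
            return (fx & (WriteFs | Net | Exec)) ? Decision::Prompt : Decision::Auto;
        case Profile::Minimal: // anything beyond Pure prompts
            return fx != Pure ? Decision::Prompt : Decision::Auto;
    }
    return Decision::Prompt;                                 // unknown profile: fail closed
}

// Scheduler rule: WriteFs or Exec on either side forces serial execution.
// Pairs the page does not list (e.g. Net + Net) are assumed safe here.
constexpr bool parallel_safe(EffectSet a, EffectSet b) {
    return ((a | b) & (WriteFs | Exec)) == 0;
}

// A wrong edit to decide() or parallel_safe() now fails the build.
static_assert(decide(Pure, Profile::Minimal) == Decision::Auto, "Pure always auto");
static_assert(decide(ReadFs, Profile::Ask) == Decision::Auto, "Ask trusts reads");
static_assert(decide(ReadFs, Profile::Minimal) == Decision::Prompt, "Minimal prompts reads");
static_assert(decide(ReadFs | WriteFs, Profile::Ask) == Decision::Prompt, "edit prompts");
static_assert(decide(Net, Profile::Ask) == Decision::Prompt, "Net prompts under Ask");
static_assert(decide(Exec | ReadFs, Profile::Ask) == Decision::Prompt, "Exec dominates");
static_assert(decide(Exec | Net, Profile::Write) == Decision::Auto, "Write is autonomous");
static_assert(parallel_safe(ReadFs, ReadFs), "read-read never races");
static_assert(parallel_safe(ReadFs, Net), "no shared state");
static_assert(!parallel_safe(WriteFs, ReadFs), "writes are exclusive");
static_assert(!parallel_safe(Exec, Pure), "subprocesses are exclusive");

int main() {
    struct { const char* tool; EffectSet fx; } catalog[] = {   // from the Tool Catalog
        {"read", ReadFs}, {"edit", ReadFs | WriteFs}, {"bash", Exec},
        {"todo", Pure}, {"web_fetch", Net}};
    for (const auto& t : catalog)
        std::printf("%-10s ask=%s minimal=%s\n", t.tool,
            decide(t.fx, Profile::Ask) == Decision::Auto ? "auto" : "prompt",
            decide(t.fx, Profile::Minimal) == Decision::Auto ? "auto" : "prompt");
}
```

Because the static_assert lines mirror the matrix rows, loosening a profile requires changing both the policy and the assertion, which makes the change visible in review.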