Defining tools
Tools are defined using the@tool decorator. Each tool needs:
- A description (guides the LLM on when to use it)
- Pydantic models for input and output
- An async function that performs the action
Why Pydantic models?
Input models:- Define the schema the LLM sees
- Validate tool inputs automatically
- Provide clear descriptions via
Field(description=...)
- Ensure type safety
- Make outputs JSON-serializable for durability
- Document what the tool returns
Using tools with agents
Add tools to an agent’stools parameter:
- LLM analyzes the request
- LLM decides to call
get_weatherwithcity="Tokyo" - Agent automatically executes the tool
- Agent feeds the tool output back to the LLM
- LLM generates a natural language response
Tools are workflows
Under the hood, tools are workflows. This means:- Tools are durable - If a tool fails mid-execution, it resumes from the last completed step
- Tool results are cached - On agent replay, completed tools return cached results (no re-execution)
- Tools can use workflow features - Call other workflows, wait for events, use steps
Tool approval
Tools can require human approval before executing. When a tool hasapproval="always", Polos suspends the workflow before running the tool, presents an approval form to the user, and only proceeds if the user approves. If the user rejects, the agent receives an error with optional feedback and can adjust its approach.
Approval values
| Value | Behavior |
|---|---|
"always" | Suspends before every call. The user sees the tool name, input, and can approve or reject with feedback. |
"none" | No approval required. The tool runs immediately. |
| Not set (default) | Same as "none" - no approval required. |
What happens during approval
When a tool withapproval="always" is called:
- The workflow suspends with a
_formcontaining the tool name and input - The user is prompted to approve or reject the call
- If approved, the tool executes normally
- If rejected, the agent receives an error:
Tool "send_email" was rejected by the user.with any feedback the user provided - The agent can read the feedback and try a different approach
Sandbox tool approval
Sandbox tools have additional approval mechanisms beyond theapproval parameter:
- Exec security controls command execution via
securitymode ("approval-always","allowlist", or"allow-always"). See Exec Security. - File approval controls write/edit operations via
file_approval/fileApproval("always"or"none"). Defaults to"always"in local mode. - Path restriction controls read-only tools (read, glob, grep) accessing files outside the workspace - these suspend for approval automatically.
Error handling
When tools encounter errors, the agent feeds the error back to the LLM so it can correct mistakes or try alternative approaches.- Sees the error message
- Understands what went wrong
- Can retry with corrected inputs
- Or explain the limitation to the user
Multiple tools
Agents can use multiple tools in a single conversation:- Call
search_web("Python tutorials") - Process the results
- Call
send_email(to="alice@example.com", subject="...", body="...") - Return confirmation
Tool descriptions
Write clear tool descriptions to help the LLM understand when to use each tool:- Describe what the tool does
- Mention when it should be used
- Include key parameters in the description
- Use active voice (“Get weather data” not “This gets weather data”)
Field descriptions
Use PydanticField to document input parameters:
Tool durability in practice
Because tools are workflows, they benefit from durability:- On retry,
downloadreturns cached data (no re-download) transformexecutes for the first time- Agent continues without losing progress
Key takeaways
- Tools are workflows - They’re durable and can use all workflow features
- Use Pydantic models for input and output
- Errors are feedback - Tools return errors to the LLM, which can correct and retry
- Write clear descriptions - Help the LLM understand when and how to use tools
- Use
approval="always"for sensitive operations - Require human approval before execution