# Implementation Plan

## Phase 3: Tool Execution

- `Tool` trait, `ToolRegistry`, core tools (`read_file`, `write_file`, `shell_exec`)
- Tool definitions in API requests, parse tool-use responses
- Approval gate: core -> TUI pending event -> user approve/deny -> result back
- Working directory confinement + path validation (no Landlock yet)
- **Done when:** Claude can read, modify files, and run commands with user approval

## Phase 4: Sandboxing

- Landlock: read-only system, read-write project dir, network blocked
- Tools execute through `Sandbox`, never directly
- `:net on/off` toggle, state in status bar
- Graceful degradation on older kernels
- **Done when:** Writes outside project dir fail; network toggle works
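
An added example for the Phase 3 item "Working directory confinement + path validation" (not the project's own code): a `confine` helper, whose name and signature are assumptions, resolves a tool's requested path against the project root and rejects `..`, absolute-path and symlink escapes, including `write_file` targets that do not exist yet.

```rust
use std::io::{Error, ErrorKind, Result};
use std::path::{Component, Path, PathBuf};

fn denied(msg: &str) -> Error {
    Error::new(ErrorKind::PermissionDenied, msg.to_string())
}

/// Hypothetical helper (not project code): resolve `requested` against the
/// project `root`, or fail if the result would land outside it.
pub fn confine(root: &Path, requested: &Path) -> Result<PathBuf> {
    let root = root.canonicalize()?;
    // join() discards `root` when `requested` is absolute; the prefix check catches that.
    let joined = root.join(requested);
    for ancestor in joined.ancestors() {
        let mut resolved = match ancestor.canonicalize() {
            Ok(p) => p, // deepest existing ancestor, symlinks and `..` resolved
            // Exists but does not resolve (e.g. dangling symlink): a write would follow it.
            Err(_) if ancestor.symlink_metadata().is_ok() => {
                return Err(denied("unresolvable path component"));
            }
            Err(_) => continue, // not created yet (new write_file target): try the parent
        };
        // The rest does not exist yet, so it may only contain plain names.
        let tail = joined.strip_prefix(ancestor).map_err(|_| denied("bad path"))?;
        if tail.components().any(|c| !matches!(c, Component::Normal(_))) {
            return Err(denied("`..` in the not-yet-existing part of the path"));
        }
        resolved.extend(tail.components());
        return if resolved.starts_with(&root) {
            Ok(resolved)
        } else {
            Err(denied("path escapes the working directory"))
        };
    }
    Err(denied("no resolvable ancestor"))
}

fn main() {
    // Constructed requests, checked against the current directory as project root.
    for req in ["Cargo.toml", "src/new_file.rs", "../outside.txt", "/etc/passwd"] {
        match confine(Path::new("."), Path::new(req)) {
            Ok(p) => println!("allow {} -> {}", req, p.display()),
            Err(e) => println!("deny  {}: {}", req, e),
        }
    }
}
```

The check runs before the file is opened, so a path swapped between check and use is not covered; the Landlock rules planned for Phase 4 enforce the same boundary in the kernel.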