Skip to main content
Reacher exposes six tools to Claude. Each tool is a single self-contained file in src/tools/. They share a common registration pattern but are otherwise fully independent — no shared state, no cross-tool dependencies.

Design philosophy

The surface area is intentional. Rather than shipping a dedicated tool for every API (GitHub, Linear, Notion, Jira…), Reacher ships one authenticated HTTP proxy — fetch_external — and lets you add any API by adding its domain to an allowlist. Claude already knows REST APIs. It just needs a way to call them with your credentials without you pasting tokens into every prompt. The result is six tools that cover the full infrastructure loop:
  • Discover your machines (tailscale_status)
  • Execute commands on them (ssh_exec)
  • Call any allowed API (fetch_external)
  • Search GitHub activity (github_search)
  • Persist knowledge across conversations (gist_kb)
  • Automate web tasks (browser)

Tool registration pattern

Every tool in src/tools/*.js exports four things: 
export const name = 'tool_name'
export const description = '...'
export const schema = { param: z.string().describe('...') } // Zod shape
export async function handler(args, ...envArgs) { ... }
All tools are registered in src/mcp-server.js via server.tool(name, description, schema, handler). The server wraps each handler to inject the appropriate environment variables (API keys, allowed domains) so Claude never receives them directly. 
// Example from mcp-server.js
server.tool(sshExec.name, sshExec.description, sshExec.schema, async args => {
  const result = await sshExec.handler(args)
  await auditLog(sshExec.name, args, result)
  return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] }
})
Each handler receives only the env vars it needs — not the full environment — following a least-privilege principle.

Tools summary

ToolWhat it doesKey use case
ssh_execRun shell commands on any Tailscale deviceManage servers, check logs, run deployments
tailscale_statusList all devices with online/offline status, IPs, OSDiscover hostnames before SSHing, debug connectivity
fetch_externalProxy HTTP requests with injected auth per domainCall GitHub, Jira, or any API without pasting tokens
github_searchSearch GitHub for pull requests or commitsFind work by author and date range with minimal output
gist_kbRead/write a private knowledge base backed by GitHub GistsPersist notes, configs, and context across conversations
browserControl a headless browser via CDP using agent-browser CLIScrape pages, fill forms, take snapshots, automate web tasks

All tools

ssh_exec

Execute shell commands on remote Tailscale devices. Supports Linux and Windows (cmd/PowerShell), with a command blocklist and directory allowlist.

tailscale_status

List every device in your Tailscale network with IPs, OS, online status, and last-seen time.

fetch_external

Authenticated HTTP proxy with per-domain token injection. Add any API by adding one line to your config.

github_search

Search GitHub for pull requests or commits by author and date range, with clean minimal output.

gist_kb

Persistent knowledge base backed by private GitHub Gists. Read, write, list, and delete entries across conversations.

browser

CDP-based headless browser control via the agent-browser CLI. Navigate, click, fill forms, and take snapshots.