What a Chat conversation can reach
| Capability | Scope |
|---|---|
| Web search | Same options and rules as the other tabs; depends on your provider or a configured search server. See Web search. |
| Web fetch | Runs in the app on the device, never inside a sandbox. Every fetch is checked against coworkEgressAllowedHosts; with no allowlist configured, fetch is disabled. See Web fetch. |
| Attached files | Read-only access to files the user attaches to the conversation. Each attachment is copied or hard-linked into the conversation’s local uploads directory; Claude cannot reach anything else on disk. |
| Scratch directory | A per-conversation working directory where Claude can create and edit files (documents, data files, HTML artifacts) and offer them to the user for download or preview. |
| Managed MCP servers | The servers you provision via managedMcpServers are available in Chat with the same approval model as the other tabs: a tool’s toolPolicy of "allow" pre-approves it, "blocked" blocks it, and "ask" requires user approval on every call. A tool with no policy asks the user, who can allow it once or grant standing approval, as in the other tabs. |
| Clarifying questions | Claude can present multiple-choice questions to the user (the AskUserQuestion tool). |
| Code execution | Off by default. When you enable advanced file analysis, Claude can additionally run code in an offline local sandbox against attached files. |
disabledBuiltinTools and builtinToolPolicy apply in Chat the same way they do in the other tabs. For example, adding "WebFetch" removes web fetch from Chat conversations too.
What a Chat conversation cannot do
In a Chat conversation, Claude cannot:- Read or write the filesystem beyond the conversation’s own uploads and scratch directories. Chat conversations never receive folder access: the tool for requesting folder access is removed, and the app refuses folder grants to a Chat conversation even when requested through internal interfaces.
- Run code on the host. There is no shell access. With advanced file analysis off (the default), the sandbox VM is never started for Chat; with it on, code runs only inside the offline sandbox described below, never on the host itself.
- Act without asking. Chat conversations always run in the default permission mode. Auto mode and other reduced-supervision modes are rejected for Chat regardless of
autoModeEnabled. - Create or run scheduled tasks, or list the ones that exist.
- Escalate into an agentic session. The tools that launch Code sessions or dispatch background agent tasks are removed. When a request needs capabilities Chat doesn’t have, Claude says so and suggests starting the task in Cowork instead.
- Read other conversations. The tools that list sessions or read other sessions’ transcripts are removed, so a Chat conversation cannot search or quote your other chats, Cowork sessions, or Code sessions.
- Use or write memory. Chat conversations neither read nor write the local memory that Cowork sessions maintain.
Advanced file analysis
By default, Chat can read attached files only in the formats Claude understands natively. SettingchatAdvancedFileAnalysisEnabled to true lets Claude also run code against attachments. This is useful for spreadsheets, PowerPoint files, and other formats that need parsing, and for inline data analysis on attached data.
The execution environment is intentionally narrower than the Cowork sandbox:
- Code runs in the same isolated local VM that Cowork uses. For Chat, the VM starts only when analysis is coming: on the first analysis call, or at the start of a turn with files attached.
- The sandbox has no network access. This is unconditional for Chat and independent of
coworkEgressAllowedHosts: an allowlist that opens egress for Cowork sessions does not open it for Chat analysis. - The only conversation data the sandbox sees is the conversation’s attached files (read-only) and its scratch directory (writable), plus read-only reference material bundled by the app. No user folders, no memory, no other sessions’ data.
- Each command runs independently; results land in the scratch directory, where Claude can offer them to the user as downloads or artifacts.
toolPolicy configuration and the user’s approvals, or, if you have enabled content capture, in telemetry to your own collector.
Advanced file analysis uses the same shell tool as Cowork’s sandbox, so adding
"Bash" to disabledBuiltinTools disables it even when chatAdvancedFileAnalysisEnabled is true. Running it requires the sandbox VM bundle, which the app downloads from Anthropic unless you deployed the offline installer (see required egress paths).Configuration
| Key | Default | Effect |
|---|---|---|
chatTabEnabled | off | Shows the Chat tab. Chat is opt-in: the tab appears only when this key is explicitly true. |
chatAdvancedFileAnalysisEnabled | off | Allows code execution on attached files in the offline sandbox, as described above. Has no effect unless the Chat tab is enabled. |
chatTabEnabled happens in the app’s main process: when the key is unset or false, the tab is hidden, and the app additionally refuses to start or continue a Chat conversation, including conversations created before an admin turned the key off.
The rule that at least one surface must stay enabled counts the Chat tab only when chatTabEnabled is explicitly true: a configuration that disables the Cowork and Code tabs without enabling Chat re-enables the Cowork tab with a validation warning, rather than leaving users with an empty app. With chatTabEnabled set to true, a chat-only configuration is valid.