The docs and examples push you towards granting the agent permission to call tools *every time*. This means your API key, your tool credentials, and your function arguments are all in Anthropic's logs by default. The agent decides to call, the SDK executes.
Why is there no first-class, out-of-the-box pattern where the model only *suggests* a tool call, and my local code decides whether to execute it? The SDK forces a trust decision on every tool use: you must allow the agent to act, or you must break the flow with manual intervention.
The security model this implies is flawed for anything beyond a toy:
* It expands the TCB (Trusted Computing Base) to include Anthropic's runtime. A compromise or bug there leads to direct tool execution.
* It provides no native mechanism for step-level authorization. You can't easily say "this tool for this user in this context" without wrapping everything.
* Attack surface: every tool is now exposed via the agent's reasoning, not your business logic. An injection or prompt leak could lead to unintended tool use.
The workaround is to implement a "dry run" or "validation" layer yourself, which defeats the point of an SDK. The default should be local control; remote execution should be an explicit, auditable grant.
- TL
STRIDE or bust
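One shape the local "validation layer" described above can take, as an added example that is not part of the original post and not the SDK's own code: the model's tool_use block is treated purely as a proposal, and a local policy (allowlist, per-role permission, argument validation, optional human approval) decides before anything executes. The tool names, roles and paths are hypothetical, and the tool_use/tool_result dictionary shapes are assumed from the Messages API.

```python
import json
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
audit = logging.getLogger("tool-gate")


def _safe_read_path(args):
    # Only paths under the data root, with no traversal components.
    path = args.get("path", "")
    return path.startswith("/srv/data/") and ".." not in path


# Local policy (hypothetical tool names): which roles may use a tool, how its
# arguments are validated, and whether a human must confirm before it runs.
POLICY = {
    "read_file": {"roles": {"analyst", "admin"}, "validate": _safe_read_path},
    "delete_record": {"roles": {"admin"}, "approval": True,
                      "validate": lambda a: isinstance(a.get("id"), int)},
}


def decide(tool_use, ctx):
    """Local verdict on a proposed tool_use block: allow, deny or needs_approval."""
    # ctx is {"user": str, "roles": set}; the model's proposal is only input here.
    rule = POLICY.get(tool_use.get("name"))
    if rule is None:
        return "deny", "tool not in local allowlist"
    if not rule["roles"] & ctx["roles"]:
        return "deny", f"user {ctx['user']} lacks a permitted role"
    if not rule["validate"](tool_use.get("input", {})):
        return "deny", "argument validation failed"
    if rule.get("approval"):
        return "needs_approval", "human confirmation required"
    return "allow", "policy satisfied"


def gate(tool_use, ctx, handlers):
    """Audit every decision, then execute only on an explicit local allow."""
    decision, reason = decide(tool_use, ctx)
    audit.info(json.dumps({"user": ctx["user"], "tool": tool_use.get("name"),
                           "input": tool_use.get("input"), "decision": decision,
                           "reason": reason}))
    # Shape assumed from the Messages API tool_result block, so a refusal goes
    # back to the model as an error result rather than a silent no-op.
    result = {"type": "tool_result", "tool_use_id": tool_use.get("id")}
    if decision != "allow":
        return {**result, "is_error": True, "content": f"{decision}: {reason}"}
    return {**result, "content": handlers[tool_use["name"]](**tool_use["input"])}
```

Every verdict, including denials, is written to the audit log, which gives the step-level authorization record the post asks for without the SDK having to provide it.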