Yes — the agent has typed MCP tools for the everyday document operations, and it uses the exact same tools the UI buttons call. Anything you can do in the app, you can ask the agent to do for you.
What you can ask:
- "Rename this to Smith NDA — final" — renameDocument changes the display name without touching the bytes or content hash. - "Move this into Matter 24-1234" — addDocumentToCollection. Kodori has no folder tree, so "moving" is changing Collection membership. Kodori can also cross-pin: leave it in the original Collection AND add it to a new one. - "Take it out of the Closed Matters cabinet" — removeDocumentFromCollection. - "Tag this confidential, this is privileged correspondence" — setDocumentSensitivity. The agent always asks for a reason and captures it on the audit log. - "Add NDA, 2024, BigCo as keywords" — setDocumentMetadata merges into the document's metadata jsonb. Pass null to delete a key. - "Move this to trash" / "delete this draft" — tombstoneDocument. The bytes stay in object storage; the audit trail is preserved during the retention window. Refuses on any active legal hold. - "Restore the doc I deleted yesterday" — restoreDocument. Tenant owner / admin only. - "Mark v2 as the Final draft" — setVersionLabel. - "Flag the signed copy as significant" — setVersionSignificance. - "Apply the Smith v. Acme hold to this" — addDocumentToLegalHold. "Release the hold" — releaseLegalHold (after capturing the release reason). - "Set retention to Tax records — 7 years" — setDocumentRetentionClass. - "Defer this another year, we still need it" — deferRetention.
Guardrails the agent enforces:
- For any consequential mutation (delete, restore, sensitivity change, retention change, hold change, bulk operation over 10 items), the agent states the plan and asks for your reason before calling the tool. It will not invent a reason on your behalf. - Held documents refuse to delete (tombstoneDocument) and refuse to lower their sensitivity (setDocumentSensitivity). The agent surfaces the refusal as a clear "release the hold first" message. - Permission checks fire on every tool call. The agent can only see and mutate what you can see and mutate — there is no agent-bypass. - Every tool call writes an event with actorKind="agent" so you can answer "what did the AI do this week?" with a single audit-log filter.
What the agent cannot do (yet):
- Hard-purge a document (separate retention sweep, not the agent's job). - Promote a teammate's role (use /members for that — explicit human action). - Issue or revoke an API key (admin-only UI today).
If you ask for one of these, the agent will tell you the right place to do it instead of pretending to act.