Non-interactive execution mode for deepagents CLI.
Provides run_non_interactive which runs a single user task against the
agent graph, streams results to stdout, and exits with an appropriate code.
Shell commands are gated by an optional allow-list. When no allow-list is
set, shell is disabled and all other tool calls are auto-approved via the
auto_approve flag. When an allow-list is provided, shell is enabled and
all tool calls (shell and non-shell) pass through HITL, where non-shell
tools are approved unconditionally and shell commands are validated against
the list.
An optional quiet mode (--quiet / -q) redirects all console output to
stderr, leaving stdout exclusively for the agent's response text.
Note: in non-interactive mode (-n), auto-approval is determined solely by
whether a --shell-allow-list is present, not by the --auto-approve CLI
flag. See run_non_interactive for details.
The default agent name used when no -a flag is provided.
Tool names recognized as shell/command-execution tools.
Only 'execute' is registered by the SDK and CLI backends in practice.
'bash' and 'shell' are legacy names carried over and kept as
backwards-compatible aliases.
Create a CLI-configured agent with flexible options.
This is the main entry point for creating a deepagents CLI agent, usable both internally and from external code (e.g., benchmarking frameworks).
Build a full LangSmith thread URL if tracing is configured.
Combines get_langsmith_project_name and fetch_langsmith_project_url
into a single convenience helper.
Create a chat model.
Uses init_chat_model for standard providers, or imports a custom
BaseChatModel subclass when the provider has a class_path in config.
Supports provider:model format (e.g., 'anthropic:claude-sonnet-4-5')
for explicit provider selection, or bare model names for auto-detection.
Check if a shell command is in the allow-list.
The allow-list matches against the first token of the command (the executable name). This allows read-only commands like ls, cat, grep, etc. to be auto-approved.
SECURITY: This function rejects commands containing dangerous shell patterns (command substitution, redirects, process substitution, etc.) BEFORE parsing, to prevent injection attacks that could bypass the allow-list.
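An added example, not the deepagents CLI's own code, showing why the check described above rejects dangerous patterns on the raw string and why the first token alone is not enough once operators can chain commands. It goes beyond the first-token rule by checking the executable of every chained segment. The names first_token_only and is_command_allowed, the pattern list and the sample commands are assumptions constructed for illustration.

```python
import shlex

# Constructed for illustration: substrings rejected on the raw string, before parsing.
DANGEROUS_PATTERNS = ("$(", "`", "${", "<", ">", "\n", "\r")
OPERATOR_CHARS = set("();<>|&")  # the characters shlex treats as punctuation


def first_token_only(command, allow_list):
    """Naive check: looks at the executable name and nothing else."""
    tokens = shlex.split(command)
    return bool(tokens) and tokens[0] in allow_list


def is_command_allowed(command, allow_list):
    """Fail-closed check: raw-string rejection first, then every executable."""
    if any(p in command for p in DANGEROUS_PATTERNS):
        return False
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # keep '#': 'a#b' must not hide the rest of the line
    try:
        tokens = list(lex)
    except ValueError:  # unbalanced quotes or dangling escape
        return False
    expect_executable, seen_executable = True, False
    for tok in tokens:
        if set(tok) <= OPERATOR_CHARS:  # ';', '&&', '|', ... start a new command
            expect_executable = True
        elif expect_executable:
            if tok not in allow_list:
                return False
            expect_executable, seen_executable = False, True
    return seen_executable


if __name__ == "__main__":
    allow = {"ls", "cat", "grep"}
    # Constructed sample commands.
    for cmd in ["ls -la", "grep -r TODO src | cat", "ls ; id",
                "ls a#b ; id", "cat notes.txt > out.txt", "ls $(id)"]:
        print(f"{cmd!r:30} naive={first_token_only(cmd, allow)!s:5} "
              f"strict={is_command_allowed(cmd, allow)}")
```

Quoted operator characters are treated as separators too, so the check can only reject more than the shell would run, never less.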
Generate a new 8-char hex thread ID.
Get AsyncSqliteSaver for the global database.
Fetch content from a URL and convert HTML to markdown format.
This tool fetches web page content and converts it to clean markdown text, making it easy to read and process HTML content. After receiving the markdown, you MUST synthesize the information into a natural, helpful response for the user.
Make HTTP requests to APIs and web services.
Search the web using Tavily for current information and documentation.
This tool searches the web and returns relevant results. After receiving results, you MUST synthesize the information into a natural, helpful response for the user.
Run a single task non-interactively and exit.
When no shell_allow_list is configured, shell execution is disabled
and all other tool calls are auto-approved (no HITL prompts). When an
allow-list is provided, shell execution is enabled but gated by the
list; commands not in the list are rejected with an error message sent
back to the agent.
Note: _build_non_interactive_header makes a synchronous network call
to LangSmith (via fetch_langsmith_project_url) to resolve the thread
URL. This blocks the event loop briefly at startup.
Collect file operation metrics during a CLI interaction.
Raised when model configuration or creation fails.
Raised when the HITL interrupt loop exceeds _MAX_HITL_ITERATIONS rounds.
Mutable state accumulated while iterating over the agent stream.