Configuration, constants, and model creation.
Hide version and local-install details in the splash screen when enabled.
Maps each non-normal mode to its trigger character.
Maps each non-normal mode to its display glyph shown in the prompt/UI.
Glyph set for terminals with full Unicode support.
Glyph set for terminals limited to 7-bit ASCII.
Character limit for tool argument values in the UI.
Longer values are truncated with an ellipsis by truncate_value
in tool_display.
Default LangGraph runnable config.
Sets recursion_limit to 1000 to accommodate deeply nested agent graphs without
hitting the default LangGraph ceiling.
Fixed ls_agent_kind literal identifying the coding-agent trace class.
Stable ls_integration id for this plugin (unchanged for backward-compat).
User-facing ls_agent_runtime name.
Version of the coding-agent trace-metadata contract this build emits.
Sentinel value returned by parse_shell_allow_list for --shell-allow-list=all.
Strictly read-only PTC allowlist for interpreter_ptc="safe".
Limited to tools that are not in _add_interrupt_on() to begin with, so
exposing them through PTC does not introduce a new HITL bypass. Network
tools (web_search, fetch_url), subagent dispatch (task), shell
execution (execute), and file writes (write_file, edit_file, MCP
write tools) are deliberately excluded — they are HITL-gated outside the
REPL, and PTC bypasses interrupt_on, so including them would silently
escalate privileges. Users who need network or subagent access from inside
the REPL must list those tools explicitly (which signals intent at config
time) or use interpreter_ptc="all" with the unsafe acknowledgement.
Sentinel string for interpreter_ptc="all" — resolved at agent-build time
from the live tool list. Requires interpreter_ptc_acknowledge_unsafe=True
when auto_approve is False.
Sentinel string for interpreter_ptc="safe" — expanded from
INTERPRETER_PTC_SAFE_PRESET.
Internal carrier key for the --max-retries CLI flag.
cli_main stashes the flag value under this key in the model_params dict it
forwards to the run, and create_model pops it before constructing the model.
This lets the CLI value ride the existing model_params/extra_kwargs carrier
to the one place that authoritatively resolves the provider, where it can be
folded under the provider's resolved retry-param name (see
_resolve_retry_param_name) rather than a hardcoded max_retries.
The key is internal-only: it is popped before reaching any model constructor and is never serialized or surfaced to users. It is deliberately unlikely to collide with a real constructor kwarg name.
Literal substrings that indicate shell injection risk.
Used by contains_dangerous_patterns to reject commands that embed arbitrary
execution via redirects, substitution operators, or control characters — even
when the base command is on the allow-list.
Read-only commands auto-approved in non-interactive mode.
Only includes readers and formatters — shells, editors, interpreters, package
managers, network tools, archivers, and anything on GTFOBins/LOOBins is
intentionally excluded. File-write and injection vectors are blocked separately
by DANGEROUS_SHELL_PATTERNS.
Return whether env var name is set to a recognizably truthy value.
Unlike bool(os.environ.get(name)), this does not treat "0" or
"false" as enabled. Use this for on/off flags where the user would
reasonably expect VAR=0 to mean "disabled".
Resolve the current git branch with a filesystem-first strategy.
Return and clear the pending orphaned-tracing notice, if any.
Restore caller tracing flags in an environment passed to user code.
Apply a /auth-stored LangSmith key, tracing, and redaction now.
Return the longest mode prefix and mode for text, if any.
Longer prefixes win so multi-character triggers like !! are matched
before their single-character prefixes (!).
Get the glyph set for the current charset mode.
Reset the glyphs and charset-mode caches (for testing).
Check whether the terminal is in ASCII charset mode.
Convenience wrapper so widgets can branch on charset without importing
both _detect_charset_mode and CharsetMode.
Return the terminal-appropriate label for the newline keyboard shortcut.
Prefers Shift+Enter when the terminal is known to support the kitty
keyboard protocol, either via conservative terminal-identity heuristics
or the DEEPAGENTS_CODE_KITTY_KEYBOARD override. Falls back to
Option+Enter on macOS and Ctrl+J elsewhere — both survive legacy
terminals that strip the shift modifier from Enter.
Get the appropriate banner for the current charset mode.
Build the shared coding-agent-v1 trace-metadata block.
Implements the coding-agent-v1 contract (LSEN-277) for Deep Agents Code:
one helper that stamps the identity block, plugin/runtime versions, turn
markers, and repo/git/cwd attribution. The seven identity/version keys and
thread_id are always present; the optional keys whose value is unknown are
omitted (per the contract), so callers can pass None for any of them.
Because Deep Agents Code is itself the runtime — there is no separate CLI
package — ls_integration_version and ls_agent_runtime_version both come
from the deepagents-code package version (__version__). The underlying
deepagents SDK version is surfaced separately as
dcode_client_deepagents_version by build_stream_config.
Scope-restricted contract keys are intentionally NOT produced here:
approval_policy (root/interrupted only) and ls_subagent_id /
ls_subagent_type (subagent only). This metadata propagates trace-wide
through the LangGraph stream config (and, for subagents, the per-key config
merge of langgraph#7926 / deepagents#3634), so any key placed here lands on
every descendant run. Emitting a run-type-scoped key would therefore leak it
onto run types outside its contract appliesTo set — a hard validator
failure — and the LangGraph runtime exposes no clean per-run-type metadata
seam to scope them. See build_stream_config for the full rationale.
Build the LangGraph stream config dict.
Stamps the shared coding-agent-v1 trace-metadata contract (LSEN-277) via
build_coding_agent_metadata — identity block, plugin/runtime versions,
turn markers, and repo/git/cwd attribution — onto metadata. Metadata set
here propagates trace-wide to every run in the graph (root, llm, tool, and
subagent subgraphs), which is exactly what the contract's "always" and
"where-known" keys require, so the helper output is stamped once here.
Scope-restricted contract keys are deliberately not emitted. approval_policy
(root/interrupted only) and ls_subagent_id / ls_subagent_type (subagent
only) cannot live in this trace-wide metadata: LangGraph propagates each key
to all descendant runs (per-key config merge, langgraph#7926 /
deepagents#3634), so they would leak onto run types outside their contract
appliesTo set and fail validation. This runtime exposes no clean
per-run-type metadata seam to scope them, so they are omitted by design
rather than leaked. (Subagent runs still inherit the parent/root thread_id
and all required keys, satisfying the contract's grouping rule.)
Also injects the dcode version into metadata["lc_versions"] so LangSmith
traces can be correlated with specific releases. create_deep_agent supplies
the SDK version through the compiled graph config, and LangChain merges
nested metadata dictionaries so both versions survive at stream time.
Also records dcode_client_deepagents_version as a dcode-client diagnostic.
This describes the Deep Agents package installed alongside the TUI, which
can differ from a remote graph's Deep Agents runtime version.
Parse shell allow-list from string.
Check if a command contains dangerous shell patterns.
These patterns can be used to bypass allow-list validation by embedding
arbitrary commands within seemingly safe commands. The check includes
both literal substring patterns (redirects, substitution operators, etc.)
and regex patterns for bare variable expansion ($VAR) and the background
operator (&).
Check if a shell command is in the allow-list.
The allow-list matches against the first token of the command (the executable name). This allows read-only commands like ls, cat, grep, etc. to be auto-approved.
When allow_list is the SHELL_ALLOW_ALL sentinel, all non-empty commands
are approved unconditionally — dangerous pattern checks are skipped.
SECURITY: For regular allow-lists, this function rejects commands containing dangerous shell patterns (command substitution, redirects, process substitution, etc.) BEFORE parsing, to prevent injection attacks that could bypass the allow-list.
Resolve the LangSmith project name if tracing is configured.
Checks for the required API key and tracing environment variables.
When both are present, resolves the project name with priority:
settings.deepagents_langchain_project (from
DEEPAGENTS_CODE_LANGSMITH_PROJECT), then LANGSMITH_PROJECT from the
environment (note: this may already have been overridden at bootstrap time
to match DEEPAGENTS_CODE_LANGSMITH_PROJECT), then 'deepagents-code'.
Return whether LangSmith secret redaction is enabled for agent traces.
Install the LangSmith SDK secret anonymizer for active agent tracing.
This is a fail-closed security control: when redaction is requested but the redacting client cannot be installed, tracing is disabled rather than risk uploading unredacted secrets to LangSmith.
Extra LangSmith project names to dual-write agent traces to.
Parses DEEPAGENTS_CODE_LANGSMITH_REPLICA_PROJECTS (comma-separated) into a
de-duplicated, order-preserving list.
The single extra LangSmith project to mirror agent runs to, if configured.
dcode agent runs execute inside the LangGraph server subprocess, so the only
way to mirror them to another project is the server's own replica path: the
SDK forwards a langsmith_tracing project in the run-create request, and the
server wraps the run in a tracing_context whose write replicas are that
project plus the server's primary project. Client-side callbacks and
tracing_context(replicas=...) cannot reach the run because it is created
server-side, not in the app process.
Implementation detail (subject to change): as of langgraph-api 0.10.0 this
happens in langgraph_api.stream and langgraph_api.models.run.
The server mirrors to exactly one extra project, so when
DEEPAGENTS_CODE_LANGSMITH_REPLICA_PROJECTS lists several, only the first is
used and the rest are dropped with a warning.
Summarize LangSmith tracing configuration for diagnostics.
Reads only the local environment and the active LangSmith profile; never
contacts the network and never exposes secret values. All fields are
resolved prefix-/profile-aware so the report matches what the runtime does
after bootstrap, even though dcode doctor runs before it.
Fetch the LangSmith project URL, raising on any failure.
Successful results are cached at module level so repeated calls do not make additional network requests.
The network call runs in a daemon thread with a hard timeout of
_LANGSMITH_URL_LOOKUP_TIMEOUT_SECONDS, so this function blocks the
calling thread for at most that duration even if LangSmith is unreachable.
Fetch the LangSmith project URL, returning None on any failure.
Thin back-compat wrapper around fetch_langsmith_project_url_or_raise
for passive callers (status banners, non-interactive output) that just
want a URL-or-nothing answer. Interactive callers that need to tell the
user why the lookup failed should use the raising variant directly.
Build a full LangSmith thread URL if tracing is configured.
Combines get_langsmith_project_name and fetch_langsmith_project_url
into a single convenience helper.
Reset the LangSmith URL cache (for testing).
Get the default coding agent instructions.
These are the immutable base instructions that cannot be modified by the agent. Long-term memory (AGENTS.md) is handled separately by the middleware.
Auto-detect provider from model name.
Intentionally duplicates a subset of LangChain's
_attempt_infer_model_provider because we need to resolve the provider
before calling init_chat_model in order to:
init_chat_model.Create a chat model.
Uses init_chat_model for standard providers, or imports a custom
BaseChatModel subclass when the provider has a class_path in config.
Supports provider:model format (e.g., 'openai:gpt-5.5')
for explicit provider selection, or bare model names for auto-detection.
Validate that the model has required capabilities for deepagents.
Checks the model's profile (if available) to ensure it supports tool calling, which is required for agent functionality. Issues warnings for models without profiles or with limited context windows.
Parsed origin remote attribution for coding-agent-v1 traces.
A NamedTuple so callers can still unpack positionally or index, while the
field names keep the slot order from being load-bearing at every call site.
Character set mode for TUI display.
Character glyphs for TUI display.
Global settings and environment detection for deepagents-code.
This class is initialized once at startup and provides access to:
Offline snapshot of LangSmith tracing configuration for diagnostics.
Carries only presence/identity facts — never API keys or other secret
values — so it is safe to render in dcode doctor output.
Base class for typed LangSmith project URL lookup failures.
Concrete subclasses (LangSmithImportError, LangSmithLookupTimeoutError,
LangSmithApiError) let interactive callers like /trace show the user
the actual cause instead of collapsing every failure into a generic
"could not reach LangSmith" message.
The langsmith package is not installed.
The LangSmith project URL lookup exceeded its hard timeout.
The LangSmith SDK call raised — auth, 404, network, etc.
Wraps the underlying SDK exception in __cause__.
The LangSmith project does not exist yet (lookup returned 404).
Projects are created lazily on the first ingested trace, so this is expected before any run has flushed and should be surfaced as an informational message rather than an error.
Result of creating a chat model, bundling the model with its metadata.
This separates model creation from settings mutation so callers can decide when to commit the metadata to global settings.