Agent Mode (Auto-Execution)

Agent Mode lets DeepIntShield run approved tool calls for you automatically, so you don’t make a separate execute call for each tool. Use it when you want an autonomous agent loop instead of the explicit review-and-execute workflow.

When Agent Mode is enabled:

  1. LLM returns tool calls in its response
  2. DeepIntShield automatically executes auto-executable tools
  3. Results are fed back to the LLM
  4. Loop continues until no more tool calls OR max depth reached
  5. Non-auto-executable tools are returned to your application for approval

Agent Mode requires two configurations:

  1. tools_to_execute: Which tools are available (whitelist)
  2. tools_to_auto_execute: Which tools can run automatically (subset of above)

| Field | Purpose | Semantics |
|---|---|---|
| tools_to_execute | Tools available to the LLM | ["*"] = all, [] = none, ["a", "b"] = specific |
| tools_to_auto_execute | Tools that run without approval | Same semantics, must be subset of tools_to_execute |

  1. Navigate to MCP Gateway in the left sidebar
  2. Click on a client to open its configuration sheet
  3. Scroll to the Available Tools section
  4. For each tool, toggle the Automatically execute tool switch
  5. Click Save Changes to apply

The auto-execute configuration is managed per-client, allowing fine-grained control over which tools run automatically vs. requiring manual approval.

Max depth and other agent settings - max_agent_depth, tool_execution_timeout, and code_mode_binding_level - are managed from the MCP Gateway settings in the Web UI. Adjust them there to change how deep the agent loop can run and how long each tool execution may take.


The max_agent_depth setting limits how many iterations the agent can perform:

  • Default: 10 iterations
  • Each LLM call that produces tool calls counts as one iteration
  • When max depth is reached, the current response is returned (may contain pending tool calls)

When the model requests several auto-executable tools at once, they run concurrently, so a turn with multiple independent tool calls finishes about as fast as its slowest call.

When a single response mixes auto-executable and non-auto-executable tools, DeepIntShield runs the auto-executable ones and then hands the request back to you so you can approve the rest. The response you receive has:

  • A content field with a JSON summary of the tools that already ran
  • The pending tools (the ones you have not allow-listed) in tool_calls
  • finish_reason set to "stop"

    {
      "choices": [{
        "index": 0,
        "finish_reason": "stop",
        "message": {
          "role": "assistant",
          "content": "The Output from allowed tools calls is - {\"filesystem-list_directory\":\"[\\\"file1.go\\\", \\\"file2.go\\\"]\"}\n\nNow I shall call these tools next...",
          "tool_calls": [{
            "id": "call_pending",
            "type": "function",
            "function": {
              "name": "filesystem-write_file",
              "arguments": "{\"path\": \"output.txt\", \"content\": \"...\"}"
            }
          }]
        }
      }]
    }

Your application should then:

  1. Parse the content field to see what was already executed
  2. Review the pending non-auto-executable tools in tool_calls
  3. Execute or reject them manually
  4. Continue the conversation with results
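
One way an application might carry out the first three steps, as an added example (not DeepIntShield's own code). It assumes the content summary always embeds a single JSON object, as in the sample response above; `split_response`, `review` and the `approve` callback are hypothetical names.

```python
import json

# Constructed sample: the mixed response shown above, as the application receives it.
SAMPLE = json.loads(r'''
{"choices": [{"index": 0, "finish_reason": "stop", "message": {
  "role": "assistant",
  "content": "The Output from allowed tools calls is - {\"filesystem-list_directory\":\"[\\\"file1.go\\\", \\\"file2.go\\\"]\"}\n\nNow I shall call these tools next...",
  "tool_calls": [{"id": "call_pending", "type": "function", "function": {
    "name": "filesystem-write_file",
    "arguments": "{\"path\": \"output.txt\", \"content\": \"...\"}"}}]}}]}
''')


def split_response(response):
    """Return (executed, pending): what already ran, and what awaits approval."""
    message = response["choices"][0]["message"]
    content = message.get("content") or ""
    executed = {}
    start = content.find("{")
    if start != -1:
        try:
            # raw_decode reads one JSON value and ignores the prose after it.
            executed, _ = json.JSONDecoder().raw_decode(content[start:])
        except json.JSONDecodeError:
            executed = {}  # summary unreadable: treat nothing as confirmed
    pending = []
    for call in message.get("tool_calls") or []:
        fn = call["function"]
        try:
            args = json.loads(fn["arguments"])  # arguments arrive as a JSON string
        except (TypeError, json.JSONDecodeError):
            args = None  # malformed arguments are never approved below
        pending.append((call["id"], fn["name"], args))
    return executed, pending


def review(pending, approve):
    """Default-deny: a call is approved only if approve(name, args) is True."""
    approved, rejected = [], []
    for call_id, name, args in pending:
        ok = isinstance(args, dict) and approve(name, args) is True
        (approved if ok else rejected).append(call_id)
    return approved, rejected
```

The `approve` callback is where a human decision or a local policy plugs in; anything it does not explicitly approve ends up in the rejected list.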

Safe for Auto-Execute:

  • Read operations (read_file, list_directory)
  • Search/query operations (search, fetch_url)
  • Non-destructive information gathering

Require Human Approval:

  • Write operations (write_file, create_file)
  • Delete operations (delete_file, delete_record)
  • Execute operations (run_command, execute_script)
  • Operations with side effects (sending emails, making purchases)

    {
      "tools_to_execute": ["*"],
      "tools_to_auto_execute": [
        "read_file",
        "list_directory",
        "search",
        "get_weather"
      ]
    }

Individual tool executions are bounded by tool_execution_timeout:

  • Default: 30 seconds
  • If a tool exceeds the timeout, an error result is returned
  • The agent loop continues with the error result

Adjust the timeout (for example, to 60s) from the MCP Gateway settings in the Web UI.

