Skip to content

Commit 9f27437

Browse files
authored
Merge pull request #3694 from docker/docs/p1-coverage
docs: add Sessions, Code Mode, headless/CI guide, and expand the CLI reference
2 parents 2567aef + ecdc185 commit 9f27437

7 files changed

Lines changed: 482 additions & 11 deletions

File tree

docs/configuration/agents/index.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ agents:
3232
add_prompt_files: [list] # Optional: include additional prompt files
3333
add_description_parameter: bool # Optional: add description to tool schema
3434
redact_secrets: boolean # Optional: scrub detected secrets out of tool args, outgoing chat messages, and tool output
35-
code_mode_tools: boolean # Optional: enable code mode tool format
35+
code_mode_tools: boolean # Optional: let the agent write JavaScript to orchestrate tool calls (see Code Mode)
3636
max_iterations: int # Optional: max tool-calling loops
3737
max_consecutive_tool_calls: int # Optional: max identical consecutive tool calls
3838
max_old_tool_call_tokens: int # Optional: token budget for old tool call content (disabled unless positive)
@@ -96,7 +96,7 @@ agents:
9696
| `add_prompt_files` | array | ✗ | List of file paths whose contents are appended to the system prompt. Useful for including coding standards, guidelines, or additional context. |
9797
| `add_description_parameter` | boolean | ✗ | When `true`, adds agent descriptions as a parameter in tool schemas. Helps with tool selection in multi-agent scenarios. |
9898
| `redact_secrets` | boolean | ✗ | When `true`, scrubs detected secrets (API keys, tokens, private keys, etc.) out of tool-call arguments, outgoing chat messages, and tool output before they reach a tool, the model, or downstream consumers. See [Redacting Secrets](#redacting-secrets) below. |
99-
| `code_mode_tools` | boolean | ✗ | When `true`, formats tool responses in a code-optimized format with structured output schemas. Useful for MCP gateway and programmatic access. |
99+
| `code_mode_tools` | boolean | ✗ | When `true`, replaces the agent's individual tools with a single tool that runs a JavaScript script calling as many of them as needed in one turn. See [Code Mode](../../features/code-mode/index.md). |
100100
| `max_iterations` | int | ✗ | Maximum number of tool-calling loops. Default: unlimited (0). Set this to prevent infinite loops. |
101101
| `max_consecutive_tool_calls` | int | ✗ | Maximum consecutive identical tool calls before the agent is terminated, preventing degenerate loops. Default: `5`. |
102102
| `max_old_tool_call_tokens` | int | ✗ | Maximum number of tokens to keep from old tool call arguments and results. Older tool calls beyond this budget have their content replaced with a placeholder, saving context space. Tokens are approximated as `len/4`. Truncation is disabled by default; set a positive value to enable it. Set to `-1` to disable truncation (unlimited). |

docs/configuration/permissions/index.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -104,7 +104,7 @@ Permissions support glob-style patterns with optional argument matching:
104104
| -------------- | ------------------------------ |
105105
| `shell` | Exact match for `shell` tool |
106106
| `read_*` | Any tool starting with `read_` |
107-
| `mcp:github:*` | Any GitHub MCP tool |
107+
| `github_*` | Any GitHub MCP tool |
108108
| `*` | All tools |
109109

110110
### Argument Matching
@@ -219,13 +219,13 @@ Control MCP tools by their qualified names:
219219
permissions:
220220
allow:
221221
# Allow all GitHub read operations
222-
- "mcp:github:get_*"
223-
- "mcp:github:list_*"
224-
- "mcp:github:search_*"
222+
- "github_get_*"
223+
- "github_list_*"
224+
- "github_search_*"
225225
deny:
226226
# Block destructive GitHub operations
227-
- "mcp:github:delete_*"
228-
- "mcp:github:close_*"
227+
- "github_delete_*"
228+
- "github_close_*"
229229
```
230230

231231
## Combining with Hooks

docs/data/nav.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -122,6 +122,8 @@
122122
url: /features/snapshots/
123123
- title: Kanban Board
124124
url: /features/board/
125+
- title: Sessions
126+
url: /features/sessions/
125127
- title: CLI Reference
126128
url: /features/cli/
127129
- title: MCP Mode
@@ -140,6 +142,8 @@
140142
url: /features/evaluation/
141143
- title: Skills
142144
url: /features/skills/
145+
- title: Code Mode
146+
url: /features/code-mode/
143147
- title: Remote MCP Servers
144148
url: /features/remote-mcp/
145149

@@ -220,6 +224,8 @@
220224
url: /guides/go-sdk/
221225
- title: Managing Context & Compaction
222226
url: /guides/compaction/
227+
- title: Running Agents Headless & in CI
228+
url: /guides/headless/
223229
- label: Community
224230
items:
225231
- title: Contributing

docs/features/cli/index.md

Lines changed: 80 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -30,14 +30,14 @@ $ docker agent run [config] [message...] [flags]
3030
| `-a, --agent <name>` | Run a specific agent from the config |
3131
| `--yolo` | Auto-approve tool calls (unless explicitly denied) |
3232
| `--model <ref>` | Override model(s). Use `provider/model` for all agents, or `agent=provider/model` for specific agents. Comma-separate multiple overrides. |
33-
| `--session <id>` | Resume a previous session. Supports relative refs (`-1` = last, `-2` = second to last). An explicit ID that does not exist yet is created with that ID, so a supervisor can own the session ID upfront and reuse it across runs. |
33+
| `--session <id>` | Resume a previous session. Supports relative refs (`-1` = newest by creation time, `-2` = second-newest, … — creation order, not last-used). An explicit ID that does not exist yet is created with that ID, so a supervisor can own the session ID upfront and reuse it across runs. |
3434
| `-s, --session-db <path>` | Path to the SQLite session database (default: `<data-dir>/session.db`, so `~/.cagent/session.db` unless `--data-dir` is set) |
3535
| `--session-read-only` | Open the TUI in read-only mode: conversation history is displayed but no new messages can be sent to the LLM. Cannot be used with `--exec`. |
3636
| `--prompt-file <path>` | Include file contents as additional system context (repeatable) |
3737
| `--attach <path>` | Attach an image file to the initial message |
3838
| `--dry-run` | Initialize the agent without executing anything (useful for validating a config) |
39-
| `--remote <addr>` | Use a remote runtime at the given address instead of running the agent locally |
40-
| `--listen <addr>` | Expose this run's control plane over HTTP so an external process can drive the running TUI (send follow-ups, stream events, read the title). Accepts `host:port` or `unix://`, `npipe://`, `fd://`. See the [API Server](../api-server/index.md#listen). |
39+
| `--remote <addr>` | Use a remote runtime at the given address instead of running the agent locally. Mutually exclusive with `--sandbox`, `--worktree`, `--worktree-pr`, `--worktree-base`, `--session`, `--session-db`, `--record`, and `--fake` — a remote runtime owns its own session storage and execution environment, so these local-only concerns don't apply. |
40+
| `--listen <addr>` | Expose this run's control plane over HTTP so an external process can drive the running TUI (send follow-ups, stream events, read the title). Accepts `host:port` or `unix://`, `npipe://`, `fd://`. Hidden from `docker agent run --help` — like `debug`, it's a stable but advanced/automation-oriented flag rather than a day-to-day one. See the [API Server](../api-server/index.md#listen) guide for the full walkthrough. |
4141
| `--lean` | Use a simplified, non-alternate-screen TUI. Unlike the default full-screen TUI, this renders inline in the normal terminal buffer — useful in environments where an alternate screen is unwanted (e.g. inside tmux panes, CI with a tty, or log-friendly pipelines). Displays an ASCII art banner on startup. |
4242
| `--app-name <name>` | Override the application name label shown in the TUI (status bar, window title, "/exit" notifications). |
4343
| `--sidebar` | Control sidebar visibility. Set to `--sidebar=false` to hide the sidebar and disable the Ctrl+B toggle (default: `true`). |
@@ -177,6 +177,16 @@ $ docker agent new --model openai/gpt-5
177177
$ docker agent new --model dmr/ai/gemma3-qat:12B --max-iterations 15
178178
```
179179

180+
### `docker agent getting-started`
181+
182+
Run a short (about 2 minutes), skippable interactive tour inside the chat UI: sending messages, approving tool calls, the command palette (<kbd>Ctrl</kbd>+<kbd>K</kbd>), slash commands, and how agents are configured. Aliased as `docker agent tour`. Requires an interactive terminal.
183+
184+
```bash
185+
$ docker agent getting-started
186+
```
187+
188+
Replay it anytime with this command, or with the `/getting-started` slash command inside a running TUI session.
189+
180190
### `docker agent models`
181191

182192
List models available for use with `--model`. By default only shows models for providers you have credentials for. Aliases: `docker agent models list`, `docker agent models ls`.
@@ -577,6 +587,72 @@ $ docker agent sandbox deny api.example.com
577587
578588
Entries are unioned with the gateway, the kit-resolved tool install hosts, and any `runtime.network_allowlist` declared by the agent. The launch summary lists every source separately so you can see which holes were punched by which layer.
579589

590+
### `docker agent debug`
591+
592+
Troubleshooting subcommands for inspecting how an agent config resolves and generating diagnostic output — useful when a config isn't behaving the way you expect. `debug` doesn't appear in `docker agent --help` (it's a diagnostic surface, not a day-to-day command), but every subcommand below is stable and fully supported.
593+
594+
```bash
595+
$ docker agent debug <subcommand> [flags]
596+
```
597+
598+
| Subcommand | Description |
599+
| ---------- | ----------- |
600+
| `config <agent-file>` | Print the fully-resolved, canonical form of an agent's configuration (defaults applied, references resolved). |
601+
| `toolsets <agent-file>` | List every toolset each agent in the config exposes, with each tool's name and description. |
602+
| `skills <agent-file>` | List the skills discovered for each agent, marking forked skills. |
603+
| `title <agent-file> <question>` | Generate a session title for `<question>` using the same title-generation path the TUI uses (including any configured `title_model`), without starting a session. See [Session Titles](../sessions/index.md#session-titles). |
604+
| `auth` | Print parsed Docker Desktop authentication info from the locally stored JWT (subject, issuer, expiry, username/email). Add `--json` for machine-readable output. |
605+
| `oauth list` | List stored MCP OAuth tokens (resource, scope, expiry, redacted access token). Add `--json` for machine-readable output. |
606+
| `oauth remove <resource-url>` | Remove a stored MCP OAuth token. |
607+
| `oauth login <agent-file> <mcp-name>` | Perform an interactive OAuth login for a remote MCP server declared in the config, by its name or URL. See [Remote MCP Servers](../remote-mcp/index.md). |
608+
609+
```bash
610+
# Examples
611+
$ docker agent debug config agent.yaml
612+
$ docker agent debug toolsets agent.yaml
613+
$ docker agent debug skills agent.yaml
614+
$ docker agent debug title agent.yaml "How do I configure a fallback model?"
615+
$ docker agent debug auth --json
616+
$ docker agent debug oauth list
617+
$ docker agent debug oauth login agent.yaml github
618+
```
619+
620+
> [!WARNING]
621+
> **`debug auth --json` prints the full bearer token**
622+
>
623+
> The text output of `debug auth` truncates the token to a short preview, but `--json` includes the complete, unredacted JWT in its `token` field. Never paste `debug auth --json` output into logs, issue trackers, or bug reports — anyone with that token can act as you against Docker Desktop's backend. Use the plain-text output (or redact the `token` field yourself) when sharing diagnostic output.
624+
625+
The `config`, `toolsets`, `skills`, and `title` subcommands also accept [runtime configuration flags](#runtime-configuration-flags) (`--working-dir`, `--models-gateway`, …); `title` additionally accepts `--model` to override the model used to resolve the config before generating the title.
626+
627+
### `docker agent completion`
628+
629+
Generate a shell completion script for `bash`, `zsh`, `fish`, or `powershell`.
630+
631+
```bash
632+
$ docker agent completion <bash|zsh|fish|powershell>
633+
634+
# Examples
635+
# Bash: load for the current session
636+
$ source <(docker agent completion bash)
637+
638+
# Zsh: install permanently (adjust the path for your $fpath)
639+
$ docker agent completion zsh > "${fpath[1]}/_docker-agent"
640+
```
641+
642+
Run `docker agent completion <shell> --help` for shell-specific installation instructions.
643+
644+
### Self-update
645+
646+
When installed from a standalone GitHub release binary, Docker Agent can opt in to updating itself. It's disabled by default; set `DOCKER_AGENT_AUTO_UPDATE` to a truthy value (`1`, `true`, `yes`, `on`) to enable it for a command or a shell session:
647+
648+
```bash
649+
$ DOCKER_AGENT_AUTO_UPDATE=1 docker agent run
650+
```
651+
652+
When enabled, every command checks the latest GitHub release before running. If a newer release exists, an interactive session asks whether to install it; a non-interactive session (CI, piped input) proceeds automatically. On yes, Docker Agent downloads the asset for your OS/architecture, verifies its checksum, replaces the current binary, and re-executes with the same arguments. The whole mechanism is fail-safe: any failure at any step falls back to running the current binary. Self-update never triggers for `version`, `help`, `--help`/`-h` (including per-subcommand help), `completion`, or the Docker CLI plugin metadata handshake.
653+
654+
See [Optional Self-Updates](../../getting-started/installation/index.md#optional-self-updates) for the full walkthrough. Docker Desktop and Homebrew installs already manage updates and don't need this.
655+
580656
## Global Flags
581657

582658
These flags are available on every `docker agent` command:
@@ -616,6 +692,7 @@ These flags are accepted by every command that loads an agent (`run`, `run --exe
616692
| `--hook-session-end <cmd>` | Add a session-end hook command (repeatable). |
617693
| `--hook-on-user-input <cmd>` | Add an on-user-input hook command (repeatable). |
618694
| `--hook-stop <cmd>` | Add a stop hook command, fired when the model finishes responding (repeatable). |
695+
| `--mcp-oauth-redirect-uri <url>` | Public HTTPS URL to advertise as the OAuth `redirect_uri` for MCP servers running in unmanaged OAuth mode. When set, docker-agent drives PKCE and the code exchange in-process instead of expecting the client to. See [Remote MCP](../remote-mcp/index.md) for details. |
619696

620697
## Agent References
621698

0 commit comments

Comments
 (0)