> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flashduty.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Agent

> The Agent resource lets AI SRE connect to external agent ecosystems. The currently supported type is A2A (Agent-to-Agent) — delegating tasks to remote agents as well as exposing an Agent Card so external clients can call Flashduty's AI SRE in reverse, enabling incident / war-room integration and bidirectional event streams.

<Info>
  **Private beta**: AI SRE is currently in private beta. Pro or higher accounts can apply for free beta access through the [AI SRE private beta application form](https://c9xudyniiq.feishu.cn/share/base/form/shrcn0ngCfdoygiaHnAT80BfZiH); after approval, Flashduty will add your account to the whitelist. Features and the UI may change during the beta.
</Info>

## Overview

***

**Agent** is the resource category that connects AI SRE to external agent ecosystems. The currently supported type is **A2A (Agent-to-Agent)** — a standard protocol that lets different agents call one another (more agent types may be added later). A2A works in two directions:

<CardGroup cols={2}>
  <Card title="Outbound" icon="arrow-up-right-from-square">
    **Remote A2A agents** registered in the list. AI SRE **delegates** tasks to them via the standard A2A protocol — for example, an external agent specializing in metrics analysis or integrated with an internal system.
  </Card>

  <Card title="Inbound" icon="arrow-down-to-bracket">
    AI SRE itself is also an A2A agent and exposes an **Agent Card**. External A2A clients can fill in that Card URL to **call Flashduty's AI SRE in reverse**, enabling incident / war-room integration and bidirectional event streams.
  </Card>
</CardGroup>

Delegation does not make you wait: after AI SRE hands a task to a remote agent, the conversation continues immediately, so you can keep working or delegate several tasks at once. When the remote agent finishes, its result appears in the conversation as a new message. Each A2A delegation appears in the conversation stream as a **task card** carrying an `A2A` badge, showing the remote agent name, task intent, run status (initializing / in progress / completed / failed / interrupted), and usage metrics such as tool call count, tokens, and elapsed time. Click the card to view the full delegation trace in the right-hand panel.

<Tip>
  **Instructions are the agent-selection signal.** Before delegating, AI SRE sees a list of available agents where each entry is `name: instructions`. Do not treat this as one line of display copy; use the form's multi-line editor to write prescriptive guidance (for example, "USE THIS FIRST for …" or "prefer-over-X when …") that clearly states **when to prefer this agent, what it excels at, and what it is not suited for**. The more precise the instructions, the better AI SRE can delegate the right task to the right agent.
</Tip>

The A2A agent list and management entry point are on the **Plugins → Agents** page (menu tab labeled **Agents**).

<Note>
  **Agents covers two distinct concepts.** This page (Agents) currently manages **A2A Agents** (external agent-to-agent calls). The other concept is the **Subagent** — a platform-built-in task executor that AI SRE dispatches on demand within a session. Subagents have no create / edit entry point; you only observe their behavior in sessions. See "[Subagent](#subagent)" below.
</Note>

## Subagent

***

A **Subagent** is a platform **built-in** task executor. During an investigation, AI SRE can **dispatch** a self-contained subtask to a Subagent that completes it independently — dispatch always goes through the single long-running tool `agent_dispatch`, rather than exposing a separate tool per Subagent.

The platform ships several **bootstrap Subagents** that work out of the box:

| Name      | Role                                                                                                                                                                                                                                                                         |
| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `general` | General-purpose worker with full tool access. Use it to offload work whose intermediate steps would otherwise pollute the parent's context (long reports, multi-file edits, end-to-end builds, repeated probing). Dispatch several in parallel for independent units of work |
| `explore` | Read-only investigator restricted to `grep` / `glob` / `read`; it cannot write or execute. Returns a compact summary rather than raw search output — ideal for locating evidence inside a codebase or knowledge dump                                                         |

**In the conversation**: each dispatch also appears as a **task card** in the conversation stream and shares the same status lifecycle as an A2A delegation (initializing / in progress / completed / failed / interrupted). The difference is the badge — a Subagent task card carries an `Agent` badge, whereas an A2A delegation carries an `A2A` badge.

**Runtime limits**:

* **Concurrency cap**: a session runs **at most 20 Subagents concurrently** (`TaskMaxConcurrentPerSession = 20`). This caps how many run at the same instant, not how many a session dispatches over its lifetime — completing one frees a slot, so total work is unbounded. Dispatching past the cap errors (`too many active subagents (… running, limit 20)`), prompting the model to stop and wait for the running ones to finish before dispatching the rest.
* **Nesting depth**: a dispatch chain nests **at most 3 levels deep** (`TaskMaxNestingDepth = 3`), preventing a Subagent from spawning itself indefinitely.

<Note>
  **Subagents currently have no user-facing create / management UI.** They are a built-in runtime capability: you can observe Subagent task cards and their sub-session traces within a session, but you cannot add, edit, or delete a Subagent the way you can an A2A Agent. This page (Agents) currently manages only A2A Agents.
</Note>

## Registering an Outbound A2A Agent

***

On the A2A Agents list page, click **Add A2A Agent** and fill in the form:

| Field                             | Type           | Default  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| --------------------------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Name                              | string         | —        | A2A agent identifier (e.g., `metrics-analyzer`). Required                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Scope                             | Account / Team | —        | Scope: **Account** (visible account-wide) or a specific **Team** (visible and editable only to members of that team). Required — see "Scope" below                                                                                                                                                                                                                                                                                                                                        |
| Instructions                      | string         | —        | The agent-selection signal shown to AI SRE. It is inserted into AI SRE's system prompt and available-agent list to decide when to call this A2A agent. Required; write prescriptive guidance that explains when to use the agent, its capability boundaries, and when not to use it. Maximum 2,000 characters                                                                                                                                                                             |
| Card URL                          | string         | —        | The Agent Card URL of the remote A2A agent, or just the service origin for agents that follow the default well-known location (for example, `https://agents.example.com`). If the URL includes a path, the platform reads that exact URL; if only an origin is provided, it resolves `/.well-known/agent-card.json` by A2A convention. Required. The platform validates that it is a legitimate http/https address and rejects loopback, private, link-local, or cloud-metadata addresses |
| Auth Type                         | enum           | `none`   | Credential type attached to outbound requests: `none` / `bearer` (Bearer Token) / `api_key` (custom Header + Key)                                                                                                                                                                                                                                                                                                                                                                         |
| Streaming                         | bool           | on       | Whether to communicate with the remote agent in streaming mode                                                                                                                                                                                                                                                                                                                                                                                                                            |
| User Auth Mode                    | enum           | `shared` | See "Auth Modes" below                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Skip TLS certificate verification | bool           | off      | Shown only when the Card URL uses HTTPS. Enable only when the remote endpoint uses a self-signed certificate inside a controlled network; this skips certificate-chain and hostname verification                                                                                                                                                                                                                                                                                          |
| Allow OAuth discovery over HTTP   | bool           | off      | Required only when "Per-user OAuth" is selected and the Card URL is a non-local HTTP URL. Use only in controlled test environments; after you enable it, the Safari service can fetch OAuth metadata from that host                                                                                                                                                                                                                                                                       |

### Using the FlashAI Template

**FlashAI** is the observability analysis product in the Flashcat / 快猫星云 family. It can also be connected as a remote A2A agent for AI SRE. On the A2A Agents page, expand the **Connect FlashAI observability analysis** panel to create an A2A agent from the FlashAI template.

The FlashAI template is not a blanket rule that sends every observability question to FlashAI. It configures FlashAI as the delegation target for **Flashcat / 快猫星云-originated alert and incident investigation**. For alerts or incidents from Flashcat products such as Event Wall / 事件墙, Firemap / 灭火图, and Polaris / 北极星, AI SRE should prefer delegating analysis to FlashAI.

The template prefills multi-line instructions. Its core routing rules are:

* Prefer FlashAI when the user is investigating an alert, incident, fault, or alert group that clearly originates from Flashcat / 快猫星云.
* Event Wall / 事件墙 alert events, incidents, and alert groups are positive routing signals.
* Firemap / 灭火图 faults are positive routing signals, especially fields such as `fault_type=firemap` or `rule_prod=firemap`.
* Polaris / 北极星 faults are positive routing signals, especially fields such as `fault_type=polaris`, `rule_prod=polaris`, or the internal marker `rule_prod=northstar`.
* Flashcat alerts from `n9e.alert` should also be delegated to FlashAI when they carry fault metadata such as `rule_prod`, `rule_config.detail_url`, `workspace`, `fault_type`, `fault_workspace`, `fault_detail_url`, or `fault_condition`.
* Do not use FlashAI by default for generic metrics, logs, traces, topology, or performance questions that do not include Flashcat / 快猫星云 alert context, a Flashcat URL, product markers, or the fault fields above. Use the available local tools or the customer's actual observability source instead.

Prepare FlashAI first:

<Steps>
  <Step title="Confirm the version">
    FlashAI must be `release-24` or later.
  </Step>

  <Step title="Configure FlashAI /config">
    Open `/config` in the FlashAI / Flashcat console (for example, `https://demo.flashcat.cloud/config`), add `a2a_server_base_url`, and set it to the current FlashAI access domain, for example `https://demo.flashcat.cloud`.
  </Step>

  <Step title="Confirm network reachability">
    If FlashAI uses a private-network address, only a BYOC Runner deployed in that network can reach it. If cloud Sandbox also needs to call FlashAI, use a publicly reachable domain and configure an allowlist as needed. This is the same network-reachability rule used for MCP SSE endpoints in Sandbox.
  </Step>
</Steps>

After FlashAI is prepared, enter the **FlashAI domain** in the panel (for example, `demo.flashcat.cloud`) and click **Use this template**. The page opens the **Add A2A Agent** form and prefills:

* Name: generated from the domain, for example `flashai-demo`
* Instructions: multi-line delegation guidance for AI SRE, explaining which Flashcat alerts/incidents should prefer FlashAI and which generic observability questions should not.
* Card URL: generated from the domain:

```text theme={null}
https://demo.flashcat.cloud/api/fc-model/a2a/.well-known/agent-card.json
```

The template only prefills common values. You still choose the **Scope** (Account or Team) and configure authentication in the form. A2A agents can be installed multiple times for different scopes, so the FlashAI panel does not disappear just because one FlashAI agent already exists. Agent names must still be unique within the account; if the same FlashAI domain needs to be installed more than once, adjust the name in the form.

<Tip>
  Do not remove the instructions generated by the FlashAI template unless you have more precise ones. Whether AI SRE proactively calls a remote A2A agent depends mainly on the selection signal provided by the name and instructions; when the instructions are too short or too generic, AI SRE may keep reasoning locally or incorrectly delegate ordinary metrics / logs questions to FlashAI.
</Tip>

### Auth Modes

A2A agents support three credential-supply modes that determine how credentials are provided when different users call the same remote agent:

<AccordionGroup>
  <Accordion title="Shared (shared, default)" icon="users">
    All users share the same credentials, configured under Auth Type (Bearer Token or API Key). Suitable for teams that share a single remote account.
  </Accordion>

  <Accordion title="Per-user secret (per_user_secret)" icon="key">
    Each user provides their own key on first use; the key is encrypted and stored at the account level. Configure the Header name (required), placeholder, and help link (optional) in the Key Schema to guide users on first call.
  </Accordion>

  <Accordion title="Per-user OAuth (per_user_oauth)" icon="shield-halved">
    Each user authorizes via the OAuth 2.1 flow; an authorization window pops up automatically on the first call to this A2A agent, and credentials are stored per user after completion.
  </Accordion>
</AccordionGroup>

<Note>
  For security reasons, saved sensitive fields (such as `token`, `api_key`, and `client_secret`) are returned **masked** when read. When editing, leaving a sensitive field blank means "keep the current value" — not "clear it." The stored credential is only overwritten when you explicitly change it.
</Note>

<Warning>
  Use HTTPS for per-user OAuth discovery whenever possible. Enable "Allow OAuth discovery over HTTP" for a non-local HTTP Card URL only in controlled test environments. If an HTTPS endpoint uses a self-signed certificate, enable "Skip TLS certificate verification" only temporarily and only inside a trusted network.
</Warning>

## Inbound: Letting External Agents Call AI SRE

***

Expand the "**Let External Agents Call Flashduty's AI SRE**" panel at the top of the A2A Agents page to get the **Agent Card** URL for this account's AI SRE:

```
https://api.flashcat.cloud/safari/a2a/ai-sre/agent-card
```

Add that URL to any A2A client to call Flashduty's AI SRE agent via the A2A protocol.

**Authentication**: add `Fd-App-Key: <your app_key>` in the request header (or use the `?app_key=` query parameter). The capabilities declared on the Agent Card include:

| Capability (Skill)     | Description                                                                                            |
| ---------------------- | ------------------------------------------------------------------------------------------------------ |
| `investigate_incident` | End-to-end root-cause analysis for a Flashduty incident, correlating logs, metrics, and recent changes |
| `analyze_logs`         | Query and summarize logs for a target service within a specified time window                           |
| `analyze_metrics`      | Query and summarize metrics for a target service within a specified time window                        |

<Tip>
  The Agent Card also declares Flashduty's "run options" A2A extension: callers can override `incognito` (whether to hide the session from the session list; hidden by default), `visibility` (`private` / `account`), and the environment (`cloud` / `byoc` and a specific `environment_id`) in `message.metadata`. This extension is optional — plain A2A clients can ignore it and call normally.
</Tip>

### Incident and War-Room Integration

When a session **enters via an incident route** (e.g., AI SRE is triggered from an incident or war room), the platform binds the corresponding incident to the session and brings it in as context, anchoring troubleshooting to the correct incident from the start. Based on this, AI SRE can use built-in skills during the conversation to further act on the incident — reading incident details, querying the timeline, creating / viewing war rooms, linking changes, and more. For automatic war-room diagnosis on the IM side, see [IM Integration](/en/ai-sre/im).

<Warning>
  **Automatic incident integration** for A2A is currently supported conceptually and is under active development: automatic incident binding is not yet fully available, and bidirectional event streams across agents will be progressively completed with each release. Do not treat this as a fully available capability — during private beta, only features that have been explicitly enabled should be relied upon.
</Warning>

## Creating and Managing

***

The full lifecycle of A2A agents is managed on the **Plugins → Agents** page.

<AccordionGroup>
  <Accordion title="Create" icon="plus">
    Click **Add A2A Agent**, fill in the name, scope, instructions, Card URL, auth settings, and save. You must select a definite scope (account or team) before submitting — the submit button remains disabled until a scope is chosen.
  </Accordion>

  <Accordion title="Enable / Disable" icon="toggle-on">
    Use the toggle in the list to switch an A2A agent's enabled state. Only **enabled** agents appear in AI SRE's available-agent list and can receive delegated tasks; disabling one makes it immediately invisible to delegation.
  </Accordion>

  <Accordion title="Inspect / Edit" icon="pen-to-square">
    Click any row in the list to open the form, where you can view and edit the name, instructions, scope, Card URL, auth configuration, streaming, and auth mode. The form is **read-only** when you do not have edit permission.
  </Accordion>

  <Accordion title="Delete" icon="trash">
    Remove an A2A agent from the current scope. **Active sessions that delegated to it will fail.** Deletion requires confirmation.
  </Accordion>

  <Accordion title="Filter by scope" icon="filter">
    The scope filter bar at the top of the list lets you switch between "All", "Account only", and "Specific team", making it easy to focus on relevant resources when managing many. Each row also has a label showing its scope (account / team name).
  </Accordion>
</AccordionGroup>

## Scope

***

A2A agents share the same **two-level scope** model as other resources (skills, Knowledge Packs, MCP, environments), divided into account level and team level:

| Scope         | Visibility                            |
| ------------- | ------------------------------------- |
| Account level | Visible to all members in the account |
| Team level    | Visible only to members of that team  |

**Edit permissions**: the account owner or account admin can edit any agent; team members can edit team-level agents **in their own team**; there is no creator-retains-rights exception. When you do not have edit permission, the corresponding row in the list is **read-only**.

**Create and reassign**: to create a new team-level agent, you must belong to the target team; account-level creation is limited to the account owner or admins. When editing an existing agent, the account owner or admins can move it to any team to recover resources left behind by empty teams or departed members; regular members can move it only to teams they belong to.

**Runtime visibility**: at session start, AI SRE's available-agent list shows only **account-level** resources plus resources belonging to the **team bound to the current session** (e.g., the team carried in by an incident / war room, or explicitly selected in the UI). A team's skills, MCP servers, and A2A agents are only mounted into the current session on demand after the agent reads that team's knowledge during an investigation. **The account is the only security perimeter at runtime; team is simply an ownership and editing tag.**

## Related Pages

***

<CardGroup cols={2}>
  <Card title="Console" icon="comments" href="/en/ai-sre/sessions">
    Observe A2A delegation task cards and their sub-session panels within a session.
  </Card>

  <Card title="MCP (External Tools)" icon="plug" href="/en/ai-sre/mcp">
    Connect external tools to agents to expand their capability boundary during tasks.
  </Card>

  <Card title="Manage Knowledge" icon="book" href="/en/ai-sre/knowledge">
    Use DUTY.md and Knowledge Packs to provide agents with team context and troubleshooting experience.
  </Card>

  <Card title="IM Platform" icon="comment-dots" href="/en/ai-sre/im">
    @ AI SRE in an IM group and learn about automatic war-room incident diagnosis.
  </Card>

  <Card title="Overview" icon="gauge-high" href="/en/ai-sre/overview">
    Understand AI SRE's overall capabilities and positioning.
  </Card>
</CardGroup>
