Agents & MCP

The sidebar's Agents section groups every page related to Model Context Protocol server governance and agentic workflow oversight: MCP Servers, Tool Calls, Sessions, Approval Queue, and Analytics. (The Playground is a separate top-level destination beside Dashboard, gated by dvara.flightdeck.playground.enabled.)

MCP servers

Open Agents → MCP Servers in the sidebar.

Server list

Lists every registered MCP server with server ID, tenant, transport type, URL, status (color-coded pill — green for ACTIVE, amber for SUSPENDED, red for DISABLED), tool count, tags, and actions. Auto-refreshes every 10 seconds. Use the Tenant dropdown filter to narrow the list.

**Figure 1.** MCP servers list with code-search and filesystem

Create / edit server

Click New Server to register a new MCP server with:

Server ID — human-readable slug, unique per tenant (e.g. code-search, web-browser)
Tenant ID — the tenant this server belongs to (required on create)
Transport — protocol type (HTTP_SSE)
URL — MCP server endpoint URL (required)
Credential Ref — vault path for server credentials (optional, e.g. vault://secret/mcp/code-search)
Tags — comma-separated tags for categorization (optional)
Status — ACTIVE, SUSPENDED, or DISABLED (edit only)

:::note SSRF protection on tenant-supplied URLs

The gateway connects to the MCP server URL server-side — on health check, on tool sync, and on every tool call routed through the proxy. When a tenant registers a server through tenant self-service, the URL is validated at save time: it must be an http/https endpoint that does not resolve to a loopback, private, link-local, or cloud-metadata address (e.g. 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, 169.254.169.254). Tool sync in particular returns the upstream response, so this prevents a tenant using a registered server as a server-side request forgery primitive to read internal services or cloud metadata. As defense-in-depth, operators should also run a network egress policy.

:::

In edit mode, the right panel shows:

Health Check — click Check Health to test server connectivity. Displays reachable status, HTTP status code, and latency.
Tool Catalog — table of cached tool definitions (name and description). Click Sync Tools to fetch the latest tool list from the MCP server.

**Figure 3.** MCP server edit page with synced tool catalog showing four tools

Tool sync

Click Sync Tools in the edit form to fetch the tool catalog from the MCP server. Required before the approval queue can match rules against tool names. Requires enterprise license.

MCP tool calls

Open Agents → Tool Calls in the sidebar. Requires enterprise license.

Tool call list

A table of MCP tool call records with timestamp, tenant, session ID, server ID, tool name, operation, HTTP status, latency, policy decision, PII flags, and error info. Auto-refreshes every 5 seconds. Filters: narrow by tenant, session ID, server ID, and tool name.

Tool call detail

Click any row to expand it and view the full tool call record including trace ID, user ID, response bytes, error code, and error message.

Summary view

The summary endpoint aggregates tool call statistics by server and tool, showing total calls, error counts, and average latency per tool.

MCP tool calls list with one row expanded into a detail panel showing trace ID, latency, HTTP status, and policy decision — **Figure 5.** Clicking a tool-call row pops the detail panel beside it — the trace ID lets you correlate the call across the LLM turn that triggered it, the MCP server response, and any policy / approval gate that fired in between. Use this to investigate a flagged session or to verify policy enforcement after a customer report.

Agent sessions

Open Agents → Sessions in the sidebar. Requires enterprise license.

Session list

Lists every agent session with session ID, tenant, status (active / inactive), tool call count, error count, total latency, distinct servers, distinct tools, first seen, and last seen timestamps. Auto-refreshes every 5 seconds.

Filters:

Tenant — dropdown filter
Active — toggle to show only active sessions
Search — search by session ID

Session detail

Click any session row to navigate to the detail page (/mcp/sessions/{id}), which includes:

Summary stats bar:

Average latency per tool call
Error rate (errors / total calls)
Session duration (first seen → last seen)
Total response bytes

Distinct tools: a table of all tools invoked in this session with call counts.

Timeline: a chronological timeline of all tool calls in the session, auto-refreshing every 3 seconds. Each entry shows timestamp, server ID and tool name, HTTP status (color-coded), latency, PII badges (if PII detected in args or response), policy decision badge (ALLOW / DENY), and error details.

Kill session

Click Kill Session to terminate an active session. This blocks all future tool calls for the session, returning 403 with code: mcp_agent_session_killed for any subsequent requests. Requires confirmation.

JSON export

Click Export JSON to download the full session record with all tool calls as a JSON file — handy for post-incident analysis or sharing with security teams.

Approval queue

Open Agents → Approval Queue in the sidebar. The sidebar item carries a live red badge with the pending count, refreshed every 5 seconds. Requires enterprise license.

The approval queue is the human-in-the-loop gate for sensitive MCP tool calls. When a tool call matches an approval rule (configured by setting approval.required-tools or approval.required-servers in the tenant metadata), the request blocks until an admin approves or denies it, or the configured timeout elapses.

Pending tab

Lists pending approval requests with event ID, tenant, server ID, tool name, session ID, user ID, matched rules, requested time, and expires-at time. Auto-refreshes every 3 seconds. Each row has Approve and Deny buttons — clicking either resolves the pending request and unblocks the waiting tool call.

History tab

Lists resolved approvals with event ID, tenant, server ID, tool name, action (approve / deny, color-coded badge), requested time, resolved time, and elapsed time. Auto-refreshes every 10 seconds.

Nav badge

The Approval Queue navigation item displays a live badge count of pending approvals, updated every 5 seconds. No reason to keep the page open — glance at the badge.

Analytics dashboard

Open Agents → Analytics in the sidebar. Requires enterprise license.

The analytics dashboard provides aggregate insights into agent behavior across all sessions.

Summary cards

Four top-level stats: total sessions, total tool calls, overall error rate, and average session duration.

Session outcomes

A donut chart showing the distribution of session outcomes (completed, killed, timed out, errored).

Approval funnel

A bar chart showing the approval pipeline: requested, approved, denied, timed out.

Agent leaderboard

A table of the top 20 sessions ranked by tool call count, showing session ID, tenant, tool calls, errors, distinct tools, and duration. Auto-refreshes every 10 seconds.

Tool call heatmap

A server-by-tool matrix showing call counts as a heatmap. Helps identify which tools are most heavily used on which servers. Auto-refreshes every 10 seconds.

Policy firing frequency

Shows how often different policy rules are triggered across agent sessions — useful for spotting noisy rules or unused guardrails.

MCP servers​

Server list​

Create / edit server​

Tool sync​

MCP tool calls​

Tool call list​

Tool call detail​

Summary view​

Agent sessions​

Session list​

Session detail​

Kill session​

JSON export​

Approval queue​

Pending tab​

History tab​

Nav badge​

Analytics dashboard​

Summary cards​

Session outcomes​

Approval funnel​

Agent leaderboard​

Tool call heatmap​

Policy firing frequency​