Core Concepts
Agentic Jobs
Agentic Jobs are repeatable, configurable units of AI-agent work. Each job is a definition — a prompt, a set of granted tools, a trigger, a target repository, and injected environment secrets — that runs CodeCargo's code-editor agent to perform an expected task on your behalf. Every execution is recorded as an agent run, so you can review progress and history in the same run viewer used by other agent features.
Entitlement Required
Agentic Jobs require the AGENTIC_JOBS entitlement. Contact your CodeCargo administrator if the feature is not visible in your organization.
Scopes and Identity
Every Agentic Job has a scope that determines which identity it runs as and who can manage it.
| Scope | Runs as | Who can create / manage |
|---|---|---|
| Org-scoped | The org's GitHub App identity | Org Admin or Architect (AgenticJobsManage permission) |
| Project-scoped | The job's owner (the user who created it), using their linked GitHub identity | Project Editor or higher; owner must hold at least Write on the target repo when write tools are granted |
Org-scoped jobs are not tied to any project. Project-scoped jobs are owned by the user who created them — commits and pull requests are attributed to that user. If the owner loses org membership, loses repo access, or their GitHub link lapses, the job fails closed rather than silently downgrading to the org identity.
Creating an Agentic Job
Org-scoped job
- Navigate to Agentic Jobs in the organization sidebar.
- Click New Agentic Job.
- Fill in the job definition form (see Job Configuration below).
- Click Create.
Project-scoped job
- Open a project and navigate to its Agentic Jobs tab.
- Click New Agentic Job.
- Fill in the job definition form. The target repository must belong to the project.
- Click Create.
Repository requirement
Project-scoped jobs must target a repository that is part of the project. The repository picker only shows repositories within the project's scope.
Job Configuration
Prompt
The system prompt that instructs the agent what to do on each run. Write it as you would a detailed task description — the agent reads this every time the job fires.
Tools
Select which tools the agent is allowed to use. Granting write tools (for example, creating pull requests or pushing commits) to a project-scoped job requires that the job owner holds at least Write access on the target repository at the time the job runs.
MCP Server Access
In addition to built-in tools, an Agentic Job can be granted access to specific MCP servers from your organization's catalog. Only servers an Org Admin has enabled in Organization Settings → MCP Servers are available to grant.
When you add an MCP server grant to a job, you choose a subset of that server's tools — up to its configured tool cap. This subset is validated at authoring time and frozen on the job's thread, so the exact same tools are available on every turn of every run. If the server's overall tool cap is later narrowed, tools removed from the cap are automatically revoked from the job's grant the next time it runs.
At dispatch time, CodeCargo resolves each grant into a live connection: credentials are injected in transport form, and CargoWall receives a per-run allow rule for the server's host so the agent can reach it.
Trigger
Choose when the job fires:
| Trigger | Description |
|---|---|
| Manual | Run on demand only — no automatic execution |
| Scheduled | Run on a recurring schedule |
| GitHub Release | Fire when a new release is published on the target repository |
Target Repository
The repository the agent works in. For org-scoped jobs, any repository accessible to the GitHub App is available. For project-scoped jobs, only repositories within the project are shown.
Secrets
Inject environment variables into the agent's runtime. Secret values are write-only — you can set or replace them, but you cannot read them back after saving. Use secrets to provide API keys, tokens, or other sensitive values the agent needs to complete its task.
Running a Job
To trigger a job manually:
- Open the job's detail page.
- Click Run Now.
- The run appears in the Run History tab and opens in the agent run viewer.
Scheduled and trigger-based jobs fire automatically according to their configuration. All runs — manual or automatic — appear in run history.
Run History
Each execution of an Agentic Job creates an agent run. Open the Run History tab on a job's detail page to see the full history. Click any run to open the agent run viewer, where you can:
- Watch the activity timeline stream in real time while the run is active
- Review the completion or blocker summary once the run finishes
- Inspect child runs spawned by the lead agent (see Fan-out runs below)
Fan-out Runs
For jobs that involve multiple repositories or parallel tasks, the lead agent can spawn child runs using the SpawnChildRun tool. Each child run executes in its own workspace and appears as a linked run under the parent. This lets a single job coordinate work across many targets — for example, a release-log watcher that fans out a separate fixer task per affected repository.
Editing and Deleting a Job
From a job's detail page:
- Click Edit to update the prompt, tools, trigger, repository, or secrets.
- Click Delete (or use the Delete Job dialog) to permanently remove the job and its configuration. Run history is preserved.
Secret replacement
Editing a job's secrets replaces the stored values. There is no way to retrieve a previously saved secret value — store secrets in your organization's secret manager before saving them here.
Permissions Reference
| Action | Required permission |
|---|---|
| Create / manage org-scoped jobs | AgenticJobsManage (Org Admin or Architect) |
| Create / manage project-scoped jobs | Project Editor or higher |
| Run a job manually | Same as create / manage for that scope |
| View job detail and run history | Any org member with project access (project-scoped) or org member (org-scoped) |
