CodeCargo logo

Core Concepts

Agentic Jobs

Agentic Jobs are repeatable, configurable units of AI-agent work. Each job is a definition — a prompt, a set of granted tools, a trigger, a target repository, and injected environment secrets — that runs CodeCargo's code-editor agent to perform an expected task on your behalf. Every execution is recorded as an agent run, so you can review progress and history in the same run viewer used by other agent features.

Entitlement Required

Agentic Jobs require the AGENTIC_JOBS entitlement. Contact your CodeCargo administrator if the feature is not visible in your organization.


Scopes and Identity

Every Agentic Job has a scope that determines which identity it runs as and who can manage it.

ScopeRuns asWho can create / manage
Org-scopedThe org's GitHub App identityOrg Admin or Architect (AgenticJobsManage permission)
Project-scopedThe job's owner (the user who created it), using their linked GitHub identityProject Editor or higher; owner must hold at least Write on the target repo when write tools are granted

Org-scoped jobs are not tied to any project. Project-scoped jobs are owned by the user who created them — commits and pull requests are attributed to that user. If the owner loses org membership, loses repo access, or their GitHub link lapses, the job fails closed rather than silently downgrading to the org identity.


Creating an Agentic Job

Org-scoped job

  1. Navigate to Agentic Jobs in the organization sidebar.
  2. Click New Agentic Job.
  3. Fill in the job definition form (see Job Configuration below).
  4. Click Create.

Project-scoped job

  1. Open a project and navigate to its Agentic Jobs tab.
  2. Click New Agentic Job.
  3. Fill in the job definition form. The target repository must belong to the project.
  4. Click Create.

Repository requirement

Project-scoped jobs must target a repository that is part of the project. The repository picker only shows repositories within the project's scope.


Job Configuration

Prompt

The system prompt that instructs the agent what to do on each run. Write it as you would a detailed task description — the agent reads this every time the job fires.

Tools

Select which tools the agent is allowed to use. Granting write tools (for example, creating pull requests or pushing commits) to a project-scoped job requires that the job owner holds at least Write access on the target repository at the time the job runs.

MCP Server Access

In addition to built-in tools, an Agentic Job can be granted access to specific MCP servers from your organization's catalog. Only servers an Org Admin has enabled in Organization Settings → MCP Servers are available to grant.

When you add an MCP server grant to a job, you choose a subset of that server's tools — up to its configured tool cap. This subset is validated at authoring time and frozen on the job's thread, so the exact same tools are available on every turn of every run. If the server's overall tool cap is later narrowed, tools removed from the cap are automatically revoked from the job's grant the next time it runs.

At dispatch time, CodeCargo resolves each grant into a live connection: credentials are injected in transport form, and CargoWall receives a per-run allow rule for the server's host so the agent can reach it.

Trigger

Choose when the job fires:

TriggerDescription
ManualRun on demand only — no automatic execution
ScheduledRun on a recurring schedule
GitHub ReleaseFire when a new release is published on the target repository

Target Repository

The repository the agent works in. For org-scoped jobs, any repository accessible to the GitHub App is available. For project-scoped jobs, only repositories within the project are shown.

Secrets

Inject environment variables into the agent's runtime. Secret values are write-only — you can set or replace them, but you cannot read them back after saving. Use secrets to provide API keys, tokens, or other sensitive values the agent needs to complete its task.


Running a Job

To trigger a job manually:

  1. Open the job's detail page.
  2. Click Run Now.
  3. The run appears in the Run History tab and opens in the agent run viewer.

Scheduled and trigger-based jobs fire automatically according to their configuration. All runs — manual or automatic — appear in run history.


Run History

Each execution of an Agentic Job creates an agent run. Open the Run History tab on a job's detail page to see the full history. Click any run to open the agent run viewer, where you can:

  • Watch the activity timeline stream in real time while the run is active
  • Review the completion or blocker summary once the run finishes
  • Inspect child runs spawned by the lead agent (see Fan-out runs below)

Fan-out Runs

For jobs that involve multiple repositories or parallel tasks, the lead agent can spawn child runs using the SpawnChildRun tool. Each child run executes in its own workspace and appears as a linked run under the parent. This lets a single job coordinate work across many targets — for example, a release-log watcher that fans out a separate fixer task per affected repository.


Editing and Deleting a Job

From a job's detail page:

  • Click Edit to update the prompt, tools, trigger, repository, or secrets.
  • Click Delete (or use the Delete Job dialog) to permanently remove the job and its configuration. Run history is preserved.

Secret replacement

Editing a job's secrets replaces the stored values. There is no way to retrieve a previously saved secret value — store secrets in your organization's secret manager before saving them here.


Permissions Reference

ActionRequired permission
Create / manage org-scoped jobsAgenticJobsManage (Org Admin or Architect)
Create / manage project-scoped jobsProject Editor or higher
Run a job manuallySame as create / manage for that scope
View job detail and run historyAny org member with project access (project-scoped) or org member (org-scoped)
Previous
Agent Console