Core Concepts
MCP Servers
CodeCargo maintains an organization-wide catalog of Model Context Protocol (MCP) servers. Once a server is registered and vetted, you can grant it — along with a specific subset of its tools — to individual Agentic Jobs. The same curated, enabled set of servers can also be published as a spec-compliant MCP registry that GitHub Copilot can consume directly.
Permission Required
Managing the MCP server catalog requires the organization administration permission (OrgAdminister). Only Org Admins can register, vet, enable, or remove servers.
Org MCP Catalog
Navigate to Organization Settings → MCP Servers to manage your catalog. From here you can register a custom server or import one from the upstream GitHub MCP registry.
Registering a Server
When you add a server, you configure:
| Field | Description |
|---|---|
| Transport / Location | How CodeCargo connects to the server |
| Egress allowlist | The hosts CargoWall permits the server to reach |
| Tool cap | The maximum set of tools this server exposes for grants |
| Credential kind | How the server authenticates outbound requests |
Importing from the GitHub MCP Registry
Instead of registering a server from scratch, you can import one from the upstream GitHub MCP registry. Imported entries retain their registry provenance and are pinned to a specific version. A daily background refresh checks for upstream changes and flags entries with drift for you to re-vet — imported servers never update automatically.
Enabling a Server
A newly registered or imported server starts disabled. Review and harden its configuration, then enable it. Only enabled servers can be granted to Agentic Jobs.
Credentials
Credential values are write-only — once saved, they are encrypted and cannot be read back, and are injected only at job dispatch time. If a server's credential kind is GITHUB_APP, CodeCargo mints a short-lived, run-scoped GitHub App installation token for each run instead of storing a static secret.
Granting MCP Access to Agentic Jobs
Once a server is enabled, it becomes available to grant to an Agentic Job. A grant pairs a server with a specific subset of its tools, and that tool subset is frozen on the job's thread so it stays identical across every turn of a run. See Agentic Jobs → MCP Server Access for how to configure grants.
If a server's tool cap is later narrowed, any tools removed from the cap are automatically revoked from existing grants the next time the job runs.
GitHub-Consumable Registry
CodeCargo can serve your organization's enabled MCP servers as a standards-compliant MCP registry (v0.1) that GitHub Copilot can fetch directly.
Accessing the Registry
The registry is served anonymously (with CORS enabled) behind an unguessable capability URL:
/mcp-registry/{token}
Navigate to Organization Settings → MCP Servers to find your organization's registry base URL.
Using It with GitHub Copilot
A Copilot organization admin pastes the base URL into their Copilot MCP registry allowlist. Copilot then fetches <base URL>/v0.1/servers from that base URL itself — no manual server-by-server configuration is required on the Copilot side.
Credentials Are Never Served
The registry never exposes a stored credential value. For servers that require a secret, the registry response includes only a placeholder indicating that a secret header is required — Copilot users must supply their own value.
