CodeCargo logo

Core Concepts

MCP Servers

CodeCargo maintains an organization-wide catalog of Model Context Protocol (MCP) servers. Once a server is registered and vetted, you can grant it — along with a specific subset of its tools — to individual Agentic Jobs. The same curated, enabled set of servers can also be published as a spec-compliant MCP registry that GitHub Copilot can consume directly.

Permission Required

Managing the MCP server catalog requires the organization administration permission (OrgAdminister). Only Org Admins can register, vet, enable, or remove servers.


Org MCP Catalog

Navigate to Organization Settings → MCP Servers to manage your catalog. From here you can register a custom server or import one from the upstream GitHub MCP registry.

Registering a Server

When you add a server, you configure:

FieldDescription
Transport / LocationHow CodeCargo connects to the server
Egress allowlistThe hosts CargoWall permits the server to reach
Tool capThe maximum set of tools this server exposes for grants
Credential kindHow the server authenticates outbound requests

Importing from the GitHub MCP Registry

Instead of registering a server from scratch, you can import one from the upstream GitHub MCP registry. Imported entries retain their registry provenance and are pinned to a specific version. A daily background refresh checks for upstream changes and flags entries with drift for you to re-vet — imported servers never update automatically.

Enabling a Server

A newly registered or imported server starts disabled. Review and harden its configuration, then enable it. Only enabled servers can be granted to Agentic Jobs.

Credentials

Credential values are write-only — once saved, they are encrypted and cannot be read back, and are injected only at job dispatch time. If a server's credential kind is GITHUB_APP, CodeCargo mints a short-lived, run-scoped GitHub App installation token for each run instead of storing a static secret.


Granting MCP Access to Agentic Jobs

Once a server is enabled, it becomes available to grant to an Agentic Job. A grant pairs a server with a specific subset of its tools, and that tool subset is frozen on the job's thread so it stays identical across every turn of a run. See Agentic Jobs → MCP Server Access for how to configure grants.

If a server's tool cap is later narrowed, any tools removed from the cap are automatically revoked from existing grants the next time the job runs.


GitHub-Consumable Registry

CodeCargo can serve your organization's enabled MCP servers as a standards-compliant MCP registry (v0.1) that GitHub Copilot can fetch directly.

Accessing the Registry

The registry is served anonymously (with CORS enabled) behind an unguessable capability URL:

/mcp-registry/{token}

Navigate to Organization Settings → MCP Servers to find your organization's registry base URL.

Using It with GitHub Copilot

A Copilot organization admin pastes the base URL into their Copilot MCP registry allowlist. Copilot then fetches <base URL>/v0.1/servers from that base URL itself — no manual server-by-server configuration is required on the Copilot side.

Credentials Are Never Served

The registry never exposes a stored credential value. For servers that require a secret, the registry response includes only a placeholder indicating that a secret header is required — Copilot users must supply their own value.

Previous
Agentic Jobs