
Cloud agents overview

Every organisation gets a set of pre-built specialist agents with sensible defaults — system prompts, models, tool sets, and assigned skills already wired up. You don’t have to design agents from scratch to start using the platform; the cloud agents cover the common engineering tasks out of the box.

This page is the index — what each agent does and when to call which. For configuration details see Configure agents; for testing see Testing agents with chat.

All six are user-facing (visible in the dashboard agent picker and chat) and callable from any surface that talks to the AI API: direct chat, workflow tool nodes, Slack bots, and the orchestrator’s call_agent.

| Agent | Role | Posture | Model | Best for |
| --- | --- | --- | --- | --- |
| code | Implementation. Writes code and tests, runs the suite. | Full tool access | Sonnet | Default. Use when changes are needed. |
| plan | Investigation, analysis, design proposals before code. | Read + writes to docs/plans/ | Sonnet | Architecturally complex changes. Hand off to code afterward. |
| security | Threat modelling, vulnerability assessment, compliance. (Gov variant adds ISM / ES8 / WCAG / Privacy Principles knowledge.) | Read + writes to docs/plans/ | Opus | Auth changes, data handling, network boundaries, PR-scale security reviews. |
| review | Code review — readability, maintainability, performance, correctness, security, accessibility. Severity-classified with Blocker / Warning / Nit. | Read + writes to docs/plans/ | Sonnet | Substantive code reviews and audits. |
| debug | Systematic root-cause analysis. Four-phase methodology — no fixes without root cause first. | Read + writes to docs/plans/ | Opus | Bugs you can’t reproduce, intermittent failures, production incidents. |
| supply-chain | Third-party dependency risk — CVEs, release age, compromise signals, criticality, always-on pinning audit. See the dedicated page. | Read + (gated) dispatch | Sonnet | Scheduled audits, Dependabot/Renovate PR reviews, ad-hoc CVE queries. |

The non-code agents are deliberately read-only with respect to source files — they produce findings, plans, and reviews; they hand off implementation to code via the handoff protocol. The supply-chain agent additionally has an optional gated dispatch capability for pinning remediation — see its dedicated page.

| You want to | Use |
| --- | --- |
| Add a feature or fix a bug end-to-end | code |
| Design before you build | plan → hand off to code |
| Review a PR for quality | review |
| Review a PR for security risk specifically | security |
| Root-cause a flaky or intermittent failure | debug |
| Find out if a CVE affects your repo | supply-chain |
| Run a weekly dependency-risk sweep | supply-chain on a scheduled workflow |
| Review every Dependabot / Renovate PR automatically | supply-chain on a webhook workflow |

If you’re unsure, start with code for changes, review for assessments, and supply-chain for anything dependency-related.

There are four entry points; they all end up at the same /v1/agents/{agentId}/chat endpoint server-side:

| Entry point | How |
| --- | --- |
| Direct chat | The dashboard’s chat panel (see Testing), or POST /v1/agents/{id}/chat directly. |
| Workflow tool node | A workflow that needs the agent’s reasoning calls it from a tool node — see Workflows → Get started. |
| Slack bot | Each Slack bot is bound to one agent (usually the orchestrator). The bound agent answers DMs and @mentions and can delegate to specialists. See Slack bots — agents and routing. |
| call_agent (delegation) | One agent invoking another — used by the orchestrator and inside autonomous jobs to delegate to specialists like supply-chain. |

You’ll also see quantgov-code-orchestrator / quantcode-orchestrator in API listings. These are dispatch-only routing agents with no direct GitHub or file-writing tools. Their job is to receive a task (typically from Slack) and then either pick the right specialist via call_agent or launch a real autonomous job via quant_autonomous_start. They’re hidden from the user-facing agent picker because you normally interact with the specialists, not the router.

When you ping a Slack bot, you’re (almost always) hitting the orchestrator, which delegates to the right specialist for you. The behaviour is consistent with calling the specialist directly.

The pre-built agents are a starting point. Per-org overlays let you adjust an agent’s system prompt, tool allow-list, or skill assignments without forking the agent definition — see Configure agents.