Cloud agents overview
Every organisation gets a set of pre-built specialist agents with sensible defaults — system prompts, models, tool sets, and assigned skills already wired up. You don’t have to design agents from scratch to start using the platform; the cloud agents cover the common engineering tasks out of the box.
This page is the index — what each agent does and when to call which. For configuration details see Configure agents; for testing see Testing agents with chat.
The specialists
Section titled “The specialists”All six are user-facing (visible in the dashboard agent picker and chat) and callable from any surface that talks to the AI API — direct chat, workflow tool nodes, Slack bots, and via the orchestrator’s call_agent.
| Agent | Role | Posture | Model | Best for |
|---|---|---|---|---|
code |
Implementation. Writes code and tests, runs the suite. | Full tool access | Sonnet | Default. Use when changes are needed. |
plan |
Investigation, analysis, design proposals before code. | Read + writes to docs/plans/ |
Sonnet | Architecturally complex changes. Hand off to code afterward. |
security |
Threat modelling, vulnerability assessment, compliance. (Gov variant adds ISM / ES8 / WCAG / Privacy Principles knowledge.) | Read + writes to docs/plans/ |
Opus | Auth changes, data handling, network boundaries, PR-scale security reviews. |
review |
Code review — readability, maintainability, performance, correctness, security, accessibility. Severity-classified with Blocker / Warning / Nit. |
Read + writes to docs/plans/ |
Sonnet | Substantive code reviews and audits. |
debug |
Systematic root-cause analysis. Four-phase methodology — no fixes without root cause first. | Read + writes to docs/plans/ |
Opus | Bugs you can’t reproduce, intermittent failures, production incidents. |
supply-chain |
Third-party dependency risk — CVEs, release age, compromise signals, criticality, always-on pinning audit. See the dedicated page. | Read + (gated) dispatch | Sonnet | Scheduled audits, Dependabot/Renovate PR reviews, ad-hoc CVE queries. |
The non-code agents are deliberately read-only with respect to source files — they produce findings, plans, and reviews; they hand off implementation to code via the handoff protocol. The supply-chain agent additionally has an optional gated dispatch capability for pinning remediation — see its dedicated page.
When to call which
Section titled “When to call which”| You want to | Use |
|---|---|
| Add a feature or fix a bug end-to-end | code |
| Design before you build | plan → hand off to code |
| Review a PR for quality | review |
| Review a PR for security risk specifically | security |
| Root-cause a flaky or intermittent failure | debug |
| Find out if a CVE affects your repo | supply-chain |
| Run a weekly dependency-risk sweep | supply-chain on a scheduled workflow |
| Review every Dependabot / Renovate PR automatically | supply-chain on a webhook workflow |
If you’re unsure, start with code for changes, review for assessments, and supply-chain for anything dependency-related.
How calls reach an agent
Section titled “How calls reach an agent”There are four entry points; they all end up at the same /v1/agents/{agentId}/chat endpoint server-side:
| Entry point | How |
|---|---|
| Direct chat | The dashboard’s chat panel (see Testing), or POST /v1/agents/{id}/chat directly. |
Workflow tool node |
A workflow that needs the agent’s reasoning calls it from a tool node — see Workflows → Get started. |
| Slack bot | Each Slack bot is bound to one agent (usually the orchestrator). The bound agent answers DMs and @mentions and can delegate to specialists. See Slack bots — agents and routing. |
call_agent (delegation) |
One agent invoking another — used by the orchestrator and inside autonomous jobs to delegate to specialists like supply-chain. |
The orchestrator (behind the scenes)
Section titled “The orchestrator (behind the scenes)”You’ll also see quantgov-code-orchestrator / quantcode-orchestrator in API listings — these are dispatch-only routing agents with no direct GitHub or file-writing tools. Their job is to receive a task (typically from Slack), pick the right specialist via call_agent, or launch a real autonomous job via quant_autonomous_start. They’re hidden from the user-facing agent picker because you normally interact with the specialists, not the router.
When you ping a Slack bot, you’re (almost always) hitting the orchestrator, which delegates to the right specialist for you. The behaviour is consistent with calling the specialist directly.
Customising
Section titled “Customising”The pre-built agents are a starting point. Per-org overlays let you adjust an agent’s system prompt, tool allow-list, or skill assignments without forking the agent definition — see Configure agents.
