User Guide: Agentic SDLC - EyevinnOSC/community GitHub Wiki
Agentic SDLC
Agentic SDLC is a feature that attaches an AI agent to a My Apps custom application. Once enabled, the agent bootstraps a CLAUDE.md (or equivalent context file) in your repository and then runs on a regular schedule to perform autonomous software development lifecycle tasks: reviewing code, creating PRs, triaging issues, and keeping the project moving between human sessions.
What It Does
When you enable Agentic SDLC for a My App, OSC:
- Runs a bootstrap task that clones your repository, writes a context file (
CLAUDE.md), and pushes it back to the repository via git. - Creates a scheduled agent task that runs the agent on a recurring basis (e.g. daily) with access to your source code and OSC services via MCP.
You can monitor both tasks from the My Agent Tasks page.
Prerequisites
- An OSC account on a paid plan (Personal, Professional, or Business)
- A My Apps custom application with a Source URL pointing to a git repository
- A git token with write access to that repository (needed for the bootstrap commit and subsequent PR creation)
- Agent credentials configured in My Agent Tasks (an Anthropic API key or Claude OAuth token)
Bring your own AI subscription: Agentic SDLC runs agents using your own Anthropic or OpenAI subscription directly. OSC charges zero on AI tokens. You pay the provider (Anthropic or OpenAI) at their standard rates.
Enable from My Apps
For apps that have a Source URL configured (GitHub or Gitea) but Agentic SDLC not yet enabled, the My Apps list row shows a small Enable Agentic SDLC link (with a sparkle icon) directly beneath the SDLC status cell. Clicking this link opens the app detail panel to the enable dialog so you can activate the feature without first navigating into the app.
- Go to My Apps and click on your application to open the detail panel.
- Locate the Agentic SDLC column (or cell) in the app row. If agent credentials are not yet configured, the toggle switch appears disabled with a tooltip: "Configure agent credentials first". Click the disabled switch to open the enable dialog, which will guide you through setting up credentials as a first step.
- Once credentials are configured, the toggle is enabled. Click it to open the Enable Agentic SDLC dialog.
- If you have configured credentials for both Claude (Anthropic) and Codex (OpenAI) in My Agent Tasks, the dialog shows a radio group to select the agent runtime: "Claude (Anthropic)" or "Codex (OpenAI)". Choose the runtime you want to use. If only one credential type is configured, the runtime is selected automatically and no radio group appears.
- A dialog field asks for a git token with write access to your repository. Enter the token and click Enable.
- The cell changes to Setting up... with a spinner while the bootstrap task runs. Once the bootstrap task completes successfully, the status changes to Active.
If the bootstrap task fails, the cell shows a Failed chip. You can re-enable after fixing the underlying issue (typically a missing or invalid git token, or a git push failure).
Reviewing and Acting on Requests
Once Agentic SDLC is active, the agent creates tickets in a Gitea repository that OSC manages on your behalf. You can review and act on those tickets directly from the OSC dashboard without needing to open Gitea.
The Requests Tab
When Agentic SDLC is active for an app, a View SDLC requests shortcut button (git pull-request icon) appears directly in the My Apps list row for that app. Clicking it navigates straight to the requests view without opening the detail panel first.
You can also open the detail panel for your app in My Apps and switch to the Requests tab. Each row represents one SDLC request submitted by you or the agent.
Click any row to open the Request Detail Drawer, which shows:
- The request title and current status badge
- A link to open the ticket directly in Gitea
- Comments left by the agent (rendered as Markdown), including the agent's implementation plan
- Sub-tasks with their individual statuses and links to the pull requests created by the agent. Each sub-task also shows a View task in My Agent Tasks link that opens the corresponding agent task run directly in the My Agent Tasks page.
Approving, Revising, or Cancelling a Planned Request
After the triage agent analyses a new request it sets the status to planned and posts a detailed implementation plan as a comment. At this point the drawer shows three action buttons:
| Button | What it does |
|---|---|
| Approve | Gives the agent the go-ahead to implement the plan. The agent starts creating sub-tasks and opening pull requests immediately. |
| Revise | Opens a text field where you can explain what you want changed in the plan. The agent re-triages with your feedback and produces a revised plan for you to review again. |
| Cancel | Cancels the request. The agent closes the ticket without taking any further action. |
You only see these buttons when the request is in the planned state. Requests that are already in-progress, completed, or cancelled do not show action buttons.
Submitting a New Request
To submit a new feature request or bug report, click New Request above the Requests table. Fill in a title and description, then click Submit. The triage agent picks up the ticket and creates a plan within minutes.
Viewing Pull Requests
When the implementation agent finishes work on a sub-task, it opens a pull request. For apps hosted on GitHub, the PR link points to the GitHub pull request. For Gitea-hosted apps, the link goes to the Gitea pull request. Both appear in the sub-task accordion inside the Request Detail Drawer.
Accessing the Gitea Web UI
OSC manages a private Gitea instance for your app where SDLC tickets, labels, and activity are stored. You can log into the Gitea web UI directly to browse issues, manage labels, or review the full history.
Via MCP (AI Agent):
Get the Gitea credentials for my app called myapp
The get-myapp-git-credentials tool returns the Gitea URL, admin username, password, and a direct link to the login page.
If you need to rotate the admin password (for example, after sharing credentials or as a routine security measure):
Rotate the Gitea credentials for my app called myapp
The rotate-myapp-git-credentials tool generates a new password, updates it in Gitea, and returns the new credentials.
Note: Gitea credential retrieval is only available for apps where Agentic SDLC has been enabled. Apps provisioned before this feature was introduced may need to rotate credentials once to generate the stored password.
Enable via MCP
If you have an AI agent connected to OSC via MCP, you can enable Agentic SDLC with a natural language request:
Enable Agentic SDLC for my app called myapp
Or use the enable-agentic-sdlc tool directly:
Enable Agentic SDLC for app ID myapp-abc123 using source URL https://github.com/myorg/myapp
The agent accepts an optional gitToken when the repository is private or the app's stored credentials lack write access.
Check Status
What is the Agentic SDLC status for my app called myapp?
The get-agentic-sdlc-status tool returns:
| Field | Description |
|---|---|
status |
initializing, active, failed, or disabled |
initTaskId |
ID of the bootstrap agent task |
scheduleTaskId |
ID of the recurring scheduled agent task |
enabledAt |
Timestamp when Agentic SDLC was enabled |
| Bootstrap run status | Status of the most recent bootstrap run |
| Last weekly run status | Status of the most recent scheduled run |
Disable
To stop autonomous SDLC activity for an app, toggle the switch off in the My Apps detail panel, or use MCP:
Disable Agentic SDLC for my app called myapp
Disabling removes both the bootstrap task and the scheduled task. The CLAUDE.md (or AGENTS.md) that was written to your repository is not removed; it stays in the repo as a useful context file for future manual or automated agent sessions.
Auto-Deploy
The Auto-Deploy add-on automatically redeploys your My App whenever a pull request is merged to the main branch. It creates a manual-trigger agent task that calls the restart-my-app MCP tool on your behalf.
Auto-Deploy requires:
- Agentic SDLC already enabled for the app
- A paid plan (Personal, Professional, or Business)
Enabling Auto-Deploy
Via the web console:
- Go to My Apps and open the app detail page.
- In the Agentic SDLC section, toggle Automatic deployment to prod on.
Via MCP (AI Agent):
Enable auto-deploy for my app called myapp
When enabled, OSC creates a manual schedule-type agent task that redeploys the app. The task waits for a "running" build status and reports the public URL on completion.
Disabling Auto-Deploy
Toggle Automatic deployment to prod off in the app detail panel or ask your AI agent to disable it. The underlying task is deleted and the autoDeployEnabled flag is cleared.
Stage/Prod Pipeline
The Stage/Prod Pipeline extends Agentic SDLC with a formal two-environment promotion model. OSC manages two additional apps alongside your development app:
- Stage app — tracks the
mainbranch and always reflects the latest merged changes - Prod app — pinned to a specific version tag; only advances when you explicitly release
When the agent merges a pull request, the stage app updates automatically. You call Release to Prod when you are ready to cut a new production version. The agent tags the repository at the current stage HEAD, bumps the patch version, and pins the prod app to that tag.
Both GitHub-hosted and Gitea-hosted apps are supported.
Initialising Stage and Prod Apps
Via the web console:
- Open the detail page for your app in My Apps.
- Go to the Settings tab.
- In the Agentic SDLC section, click Initialise Stage/Prod Pipeline.
- OSC creates a stage app (tracking
main) and a prod app (pinned to the current HEAD asv0.1.0).
Via MCP:
Initialise the stage/prod pipeline for my app called myapp
The agent calls enable-app-stage-prod, which requires Agentic SDLC to be enabled first. The tool returns initStageTaskId and initStageRunId for tracking pipeline initialisation. Once initialised, get-agentic-sdlc-status returns the stageAppId and prodAppId fields alongside the existing status fields.
Releasing to Production
When the stage app is stable and you are ready to promote it to production:
Via the web console:
- Open the Settings tab for your app.
- Click Release to Prod. Optionally enter a version string to override the auto-incremented patch version.
Via MCP:
Release the current stage to production for my app called myapp
The agent creates a git tag at the stage HEAD (e.g. v1.4.0), pins the prod app to that tag, and updates currentProdVersion in the SDLC state.
Pinning an App to a Specific Source Ref
You can manually pin any My App to a specific branch, tag, or commit SHA using the PATCH /myapps/:appId/source-ref endpoint or via MCP:
Pin my app called myapp to the tag v1.3.0
Pass null as the sourceRef to unpin the app and revert to tracking HEAD on the default branch.
Stage/Prod State Fields
get-agentic-sdlc-status returns additional fields when the pipeline is active:
| Field | Description |
|---|---|
stageAppId |
ID of the managed stage app |
prodAppId |
ID of the managed prod app |
currentStageVersion |
Git ref the stage app is currently tracking |
currentProdVersion |
Version tag the prod app is pinned to |
releaseProdRunId |
Agent task ID for the most recent release-to-prod run |
Available MCP Tools
| Tool | Description |
|---|---|
enable-agentic-sdlc |
Enable autonomous SDLC for a My App; accepts appId, optional sourceUrl, gitToken, agentType, and model |
disable-agentic-sdlc |
Disable Agentic SDLC and remove the associated agent tasks |
get-agentic-sdlc-status |
Get current status, task IDs, last-run results, and stage/prod state for a given app |
get-myapp-git-credentials |
Retrieve Gitea admin credentials (URL, username, password, login URL) for an app's managed git repository |
rotate-myapp-git-credentials |
Rotate the Gitea admin password and return fresh credentials |
create-myapp-sdlc-issue |
Programmatically ingest SDLC issues for an app; used internally by the Security Audit scanner to report findings and available for custom tooling integrations |
enable-app-stage-prod |
Enable the stage/prod pipeline for a My App; requires Agentic SDLC to be active first. Returns initStageTaskId and initStageRunId for monitoring initialisation. Once enabled, use release-myapp-to-prod and rollback-myapp-prod. |
enable-auto-deploy |
Enable auto-deploy for a My App (requires Agentic SDLC to be active and a paid plan) |
disable-auto-deploy |
Disable auto-deploy and remove the associated agent task |
Status Reference
| Status | Meaning |
|---|---|
initializing |
Bootstrap task is running; CLAUDE.md is being written and pushed |
active |
Bootstrap completed; scheduled agent runs are active |
failed |
Bootstrap task failed; check logs in My Agent Tasks |
disabled |
Agentic SDLC is not enabled for this app |
Security Audit Add-On
The Agentic SDLC has an optional weekly security audit add-on. When enabled, it runs a set of automated security scanners against your app's source every Monday and converts each new finding into a standard SDLC ticket that flows through the same triage, approve, and implement pipeline.
See Agentic SDLC Security Audit for setup and details.
Related Resources
- Agentic SDLC Security Audit — Weekly automated CVE, secret, and Dockerfile scanning
- My Agent Tasks — Create and manage AI agent tasks
- Managing Custom Apps — Restart, rebuild, HA, and domain settings
- AI-Assisted App Management — Full list of AI capabilities for My Apps
- Deploy or Publish Your Application — Getting started with My Apps