What This Does
This article explains how LoopIQ MCP tools help compatible AI clients and LoopIQ Helix work with governed LoopIQ context and actions. MCP stands for Model Context Protocol. It allows AI clients to discover and call tools exposed by LoopIQ, such as reading records, creating records, searching data, or retrieving operational context. In LoopIQ, MCP is the governed operating interface into release governance, delivery work, compliance evidence, and remediation workflows. It is designed to make AI assistance useful without bypassing tenant isolation, permissions, approvals, or audit trails.When to Use MCP
Use LoopIQ MCP when you want an AI assistant or MCP-compatible client to:- search LoopIQ records from a governed AI workspace
- retrieve release, certification, evidence, risk, and work item context
- inspect provider blockers and evidence gaps before a release decision
- draft remediation work from real findings
- create approved LoopIQ records through governed tools
- connect Helix conversations to reliable backend actions
- preserve tenant, user, workflow, request, and trace context across tool calls
Important Safety Model
MCP access should follow the same principles as the main LoopIQ application:- organization and tenant context must be respected
- user identity determines allowed access
- tools must not leak data across organizations
- write actions must be auditable
- high-impact actions should require approval
- repeated requests should be idempotent where possible
- structured errors should explain what failed and why
MCP URL
Your administrator will provide the correct MCP server URL and authentication method. For LoopIQ production:https://ai.loopiq.comis the LoopIQ AI domain.https://ai.loopiq.com/mcpis the MCP endpoint when your AI client requires the MCP server path.
If you are using Helix inside the LoopIQ web app or mobile app, you do not normally configure the MCP URL yourself. Helix sends requests through the LoopIQ backend so policy, approval, auth propagation, and audit handling stay consistent.
Dynamic Organization Context
LoopIQ MCP should operate in dynamic tenant mode. The organization should be determined from the authenticated user and selected organization, not from a fixed tenant setting. If a user belongs to more than one organization, be explicit about the intended organization before listing, creating, or updating records.Before You Begin
Make sure:- your organization has MCP enabled
- you have a valid access token or supported authentication method
- your AI client supports MCP
- your role has permission to access the data or actions you plan to use
- the organization context is clear if you belong to more than one organization
- your administrator has confirmed whether your client should use the base server URL or the
/mcpendpoint path
How to Use MCP Tools Safely
- Connect your compatible AI client to the LoopIQ MCP server.
- Authenticate with the identity or token provided by your organization.
- List available tools.
- Start with read-only tools such as search, list, or retrieve actions.
- Confirm that returned data belongs to the expected organization.
- Use create or update tools only when you understand the effect.
- Review generated changes in LoopIQ.
- Disconnect or rotate credentials if access is no longer needed.
Common MCP Tool Categories
LoopIQ MCP tools may include:- read tools for releases, work items, applications, modules, certifications, controls, and evidence
- search tools for finding records by title, ID, owner, provider, status, or release context
- release governance tools for certification evidence, blockers, gaps, and readiness
- remediation tools for creating approved parent stories and child tasks
- evidence graph tools for refreshing and retrieving provider-normalized evidence
- administrative or diagnostic tools when enabled by tenant policy
Governed Write Actions
Some MCP tools are read-only. Others can create or update LoopIQ records. Write actions should use the same safety pattern as the LoopIQ app:- tenant and user context are propagated with the request
- the tool receives a structured payload
- high-impact actions can require approval
- approved actions include an approval ID
- idempotency keys help prevent duplicate writes
- structured errors explain why an action failed
- audit details are returned after execution
Remediation Work-package Tool
Helix can use the MCP toolloopiq_create_remediation_work_package to convert release blockers into work items.
This tool creates:
- one parent remediation story
- child tasks linked to the real parent story ID
- audit details for the approved execution
- the release and certification are correct
- the team or owner is correct
- the blocker records are real and release-scoped
- each child task has a clear title and purpose
- evidence or provider finding references are included where available
- the approval card includes an approval ID and idempotency key
Good Use Cases
MCP tools are useful for:- searching LoopIQ records from an AI workspace
- summarizing related work items
- preparing release readiness context
- finding compliance evidence
- reviewing service request or incident context
- drafting follow-up actions from existing records
- connecting AI assistance to governed LoopIQ workflows
Avoid These Patterns
Do not use MCP tools to:- bypass LoopIQ permissions
- expose customer or organization data to unauthorized AI clients
- create production-affecting changes without review
- use stale or shared bearer tokens
- mix data from multiple organizations in one prompt unless explicitly authorized
- create remediation work from invented or unrelated backlog items

