Skip to main content

What This Does

This article explains how LoopIQ MCP tools help compatible AI clients and LoopIQ Helix work with governed LoopIQ context and actions. MCP stands for Model Context Protocol. It allows AI clients to discover and call tools exposed by LoopIQ, such as reading records, creating records, searching data, or retrieving operational context. In LoopIQ, MCP is the governed operating interface into release governance, delivery work, compliance evidence, and remediation workflows. It is designed to make AI assistance useful without bypassing tenant isolation, permissions, approvals, or audit trails.

When to Use MCP

Use LoopIQ MCP when you want an AI assistant or MCP-compatible client to:
  • search LoopIQ records from a governed AI workspace
  • retrieve release, certification, evidence, risk, and work item context
  • inspect provider blockers and evidence gaps before a release decision
  • draft remediation work from real findings
  • create approved LoopIQ records through governed tools
  • connect Helix conversations to reliable backend actions
  • preserve tenant, user, workflow, request, and trace context across tool calls
For normal LoopIQ web usage, most users do not need to connect to MCP directly. Helix uses backend-governed MCP workflows where enabled.

Important Safety Model

MCP access should follow the same principles as the main LoopIQ application:
  • organization and tenant context must be respected
  • user identity determines allowed access
  • tools must not leak data across organizations
  • write actions must be auditable
  • high-impact actions should require approval
  • repeated requests should be idempotent where possible
  • structured errors should explain what failed and why

MCP URL

Your administrator will provide the correct MCP server URL and authentication method. For LoopIQ production:
  • https://ai.loopiq.com is the LoopIQ AI domain.
  • https://ai.loopiq.com/mcp is the MCP endpoint when your AI client requires the MCP server path.
Use the exact URL your administrator provides. Some clients ask for the base server URL, while others require the full MCP endpoint.
If you are using Helix inside the LoopIQ web app or mobile app, you do not normally configure the MCP URL yourself. Helix sends requests through the LoopIQ backend so policy, approval, auth propagation, and audit handling stay consistent.

Dynamic Organization Context

LoopIQ MCP should operate in dynamic tenant mode. The organization should be determined from the authenticated user and selected organization, not from a fixed tenant setting. If a user belongs to more than one organization, be explicit about the intended organization before listing, creating, or updating records.

Before You Begin

Make sure:
  • your organization has MCP enabled
  • you have a valid access token or supported authentication method
  • your AI client supports MCP
  • your role has permission to access the data or actions you plan to use
  • the organization context is clear if you belong to more than one organization
  • your administrator has confirmed whether your client should use the base server URL or the /mcp endpoint path

How to Use MCP Tools Safely

  1. Connect your compatible AI client to the LoopIQ MCP server.
  2. Authenticate with the identity or token provided by your organization.
  3. List available tools.
  4. Start with read-only tools such as search, list, or retrieve actions.
  5. Confirm that returned data belongs to the expected organization.
  6. Use create or update tools only when you understand the effect.
  7. Review generated changes in LoopIQ.
  8. Disconnect or rotate credentials if access is no longer needed.

Common MCP Tool Categories

LoopIQ MCP tools may include:
  • read tools for releases, work items, applications, modules, certifications, controls, and evidence
  • search tools for finding records by title, ID, owner, provider, status, or release context
  • release governance tools for certification evidence, blockers, gaps, and readiness
  • remediation tools for creating approved parent stories and child tasks
  • evidence graph tools for refreshing and retrieving provider-normalized evidence
  • administrative or diagnostic tools when enabled by tenant policy
The exact tool list depends on your tenant configuration, role, and the client you are using.

Governed Write Actions

Some MCP tools are read-only. Others can create or update LoopIQ records. Write actions should use the same safety pattern as the LoopIQ app:
  • tenant and user context are propagated with the request
  • the tool receives a structured payload
  • high-impact actions can require approval
  • approved actions include an approval ID
  • idempotency keys help prevent duplicate writes
  • structured errors explain why an action failed
  • audit details are returned after execution
When Helix proposes an MCP action, review the tool name and payload before approving. The payload should reference the records you expect, not generic or unrelated backlog items.

Remediation Work-package Tool

Helix can use the MCP tool loopiq_create_remediation_work_package to convert release blockers into work items. This tool creates:
  • one parent remediation story
  • child tasks linked to the real parent story ID
  • audit details for the approved execution
Use this pattern when remediation requires multiple tasks under one trackable story. It is safer than creating each task independently because the parent is created first and the child tasks are attached to the correct parent in the same approved transaction. Before approving this tool, confirm:
  • the release and certification are correct
  • the team or owner is correct
  • the blocker records are real and release-scoped
  • each child task has a clear title and purpose
  • evidence or provider finding references are included where available
  • the approval card includes an approval ID and idempotency key

Good Use Cases

MCP tools are useful for:
  • searching LoopIQ records from an AI workspace
  • summarizing related work items
  • preparing release readiness context
  • finding compliance evidence
  • reviewing service request or incident context
  • drafting follow-up actions from existing records
  • connecting AI assistance to governed LoopIQ workflows

Avoid These Patterns

Do not use MCP tools to:
  • bypass LoopIQ permissions
  • expose customer or organization data to unauthorized AI clients
  • create production-affecting changes without review
  • use stale or shared bearer tokens
  • mix data from multiple organizations in one prompt unless explicitly authorized
  • create remediation work from invented or unrelated backlog items

Troubleshooting

No Tools Are Listed

Confirm the MCP URL, authentication token, and organization access.

Tools Return No Data

Check organization context, permissions, filters, and whether the relevant records exist in LoopIQ.

A Tool Returns Access Denied

Your role may not include the required permission. Contact an organization administrator.

A Write Action Is Pending

The action may be waiting for approval. Review the approval card in Helix and approve or reject the proposed payload.

A Write Action Did Not Create Records

Check for expired authentication, missing permissions, rejected approval, wrong tenant context, or a duplicate idempotency key.

Helix Says an Action Is Pending Approval

Review the approval card in Helix. Confirm the tool name, approval ID, payload, tenant, release, certification, and expected records. Approve only if the payload is grounded in the records you expect.

A Release Readiness Answer Looks Incomplete

Ask Helix which evidence graph records, providers, failed controls, and evidence gaps it read. If provider evidence is missing or stale, refresh the release certification evidence graph before approving remediation actions.