Diligent Issues,
composed by an agent.
98 tools covering BOTH the classic HighBond issues surface and the new Issue Manager app. Classic side: full CRUD on issues + actions + comments, analytics composites, bulk ops (dry-run by default), inventory-centric data dictionary. Issue Manager side (new): 22 live tools driven by a Playwright-captured OIDC session — types, templates, SLAs, issues, search, statistics. 18 write-path tools documented with their exact endpoints, ready to wire. Sibling of the Projects MCP.
~/.local/share/diligent-issues-mcp
Node.js 20+, no sudo
Re-run to update
Three layers, one conversation.
The server is designed so an LLM can navigate it without memorizing tool names. A meta layer describes itself; a harmonization layer handles the complex PRD workflows; a primitive layer exposes every Issue Manager endpoint with built-in rate-limiting, caching, and role-aware errors.
Meta & control plane
Health check, session metrics, capability discovery, auto-pagination, reference cache warmup. The agent learns what it has before it guesses.
Smart ingest layer
Schema detection, template + SLA coverage discovery, subject sync, brain canonical comparison. Surfaces configuration gaps across issue types.
Primitive layer
CRUD for issues, actions, types, templates, SLAs, and relationships. Status transitions respect the role × status matrix.
Rate-limited client
Token-bucket rate limiter (600 req/hr, 6 req/sec), exponential backoff retry, structured error classification, and per-call observability metrics.
Composite tools
Issue dashboard, SLA breach metrics, schema detection — multi-call composites that build full reporting views in one tool invocation.
Name resolution
Every tool accepts human-readable names or numeric IDs. Cached resolution with 5-minute TTL. Ambiguous matches return a disambiguation table.
Two-tier response cache
Every list/get is cached in-memory (per-resource TTL) and persisted to ~/.cache/diligent-issues-mcp/cache.json. Reloaded on next process start — Claude Code's short-lived stdio MCPs actually keep their work. Writes invalidate affected keys automatically.
Role-aware edits
Edits respect the 8-role × 9-status permission matrix. Title is immutable after creation. DELETE is hard-blocked — use DISCARDED transition.
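
The rate-limited client above names two limits (600 req/hr and 6 req/sec) plus exponential backoff. The sketch below is an added example, not the server's own code, showing how two token buckets can enforce both limits at once; the class and function names and the backoff base and cap are assumptions.

```javascript
// Added illustration, not the server's code. A call proceeds only when both
// buckets hold a token: burst (6 req/sec) and sustained (600 req/hr).
// The clock is passed in so the behaviour is deterministic under test.
class TokenBucket {
  constructor(capacity, refillPerMs, now) {
    this.capacity = capacity;
    this.refillPerMs = refillPerMs;
    this.tokens = capacity;
    this.last = now;
  }
  // Top up for elapsed time, then return ms until one token exists (0 = now).
  waitMs(now) {
    const gained = Math.max(0, now - this.last) * this.refillPerMs;
    this.tokens = Math.min(this.capacity, this.tokens + gained);
    this.last = now;
    return this.tokens >= 1 ? 0 : Math.ceil((1 - this.tokens) / this.refillPerMs);
  }
}

class DualRateLimiter {
  constructor(now = Date.now()) {
    this.perSecond = new TokenBucket(6, 6 / 1000, now);
    this.perHour = new TokenBucket(600, 600 / 3600000, now);
  }
  // Returns 0 after taking one token from each bucket, else the wait in ms.
  tryAcquire(now = Date.now()) {
    const wait = Math.max(this.perSecond.waitMs(now), this.perHour.waitMs(now));
    if (wait === 0) {
      this.perSecond.tokens -= 1;
      this.perHour.tokens -= 1;
    }
    return wait;
  }
}

// Exponential backoff with full jitter. baseMs and capMs are assumed values;
// the page does not state the server's retry schedule.
function backoffMs(attempt, baseMs = 500, capMs = 30000, rand = Math.random) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}
```

A refused call consumes nothing from either bucket, so a burst that trips the per-second limit does not also eat into the hourly budget.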
Nine states, two tracks.
Every issue follows a single status machine. Audit-finding types branch into a two-step publication path; everything else goes through the standard remediation track. DISCARDED is terminal from any non-closed state.
Eight roles, tight boundaries.
The role consolidation of 2026-03-02 merged the old Issue manager into Type manager. The Watchers role landed 2026-04-10 — view + comment only. All other roles map to verbs the MCP exposes as dedicated tools.
Diligent One Admin
Tenant admin. Assigns Type managers. Auto-granted admin rights on Issue Manager.
Type Manager
Manages all issues for a specific type. Edit/assign/decline/discard (except DRAFT/CLOSED/DISCARDED).
Issue Owner
Owns a specific issue. Configures the workflow. Can also serve as Type manager.
Action Owner
Executes one action at a time (system-wide). Cannot self-reassign.
Issue Reporter
Any user. Creates and submits new issues. Edit rights only in DRAFT.
Watcher (new · 2026-04-10)
View + comment. No edits, no assignments, no status changes.
Action Approver
Approves / declines completed actions. Optional per action.
Issue Approver
Approves / declines the whole issue after all actions are complete.
Capabilities overview.
Full CRUD on issues
List, get, create (via project), update, close / reopen, publish / unpublish, dashboard, flat export. Server-side filter on closed; everything else client-side.
Full CRUD on actions
List per-issue or tenant-wide, get, create (nested POST), update, close / reopen, reassign. Required-field validation discovered live.
Action comments
List + add (type action_comments, HTML auto-wrapping for plain text), plus a composite issue conversation view that walks every action on one issue.
Analytics composites
Owner workload, action pipeline, aging buckets, stuck issues, type health, project health, SLA adherence, personal pulse — all in one call.
Bulk ops + validation
Bulk close / publish / reassign — dry-run by default. Pre-flight validators flag missing required fields and invalid enum values before mutating.
Data dictionary
Inventory-centric schema tools: enumerate + walk + introspect all 8 recognized inventories. build_data_dictionary emits a full tenant schema for Brain ingest.
Brain comparison
Read Riskapture-Knowledge canonicals; diff observed vs canonical attributes (aligned / only-in-brain / only-in-observed / type-conflicts).
Issue Manager stubs
16 tools map to documented Issue Manager app verbs (watchers, templates, SLAs, 9-state transitions). They return structured FEATURE_NOT_AVAILABLE until the app's API ships — ready to be wired to real handlers.
All tools.
| Tool | Description |
|---|---|
| issues_health_check | API connectivity, response time, session metrics |
| issues_get_session_metrics | Call counts, errors, retries, average duration |
| issues_reset_session_metrics | Reset counters for a new job |
| issues_list_capabilities | Tool inventory by category with descriptions |
| issues_warmup_reference_cache | Pre-fetch issue types, users, groups |
| issues_query_all | Auto-paginate any JSON:API resource collection |
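
The page states that pagination is cursor-based via links.next and that every call carries a bearer token. The added example below (not the server's code) follows links.next with a page cap and refuses to follow a link that leaves the starting origin; `queryAll`, `fetchJson` and `maxPages` are hypothetical names.

```javascript
// Added illustration, not the server's code. `fetchJson(url)` is an injected,
// hypothetical function that sends the bearer token and returns parsed JSON.
async function queryAll(firstUrl, fetchJson, { maxPages = 50 } = {}) {
  const origin = new URL(firstUrl).origin;
  const records = [];
  const seen = new Set();
  let url = firstUrl;
  for (let page = 0; url; page++) {
    // Bound the walk so one tool call cannot drain the rate budget.
    if (page >= maxPages) return { records, truncated: true };
    if (seen.has(url)) throw new Error(`pagination loop at ${url}`);
    seen.add(url);
    const body = await fetchJson(url);
    if (!body || !Array.isArray(body.data)) {
      throw new Error("expected a JSON:API collection");
    }
    records.push(...body.data);
    const next = body.links && body.links.next;
    if (!next) break;
    // links.next is server-supplied: resolve it against the current URL,
    // then refuse to carry the token to any other origin.
    const resolved = new URL(next, url);
    if (resolved.origin !== origin) {
      throw new Error(`links.next left ${origin}: ${resolved.origin}`);
    }
    url = resolved.href;
  }
  return { records, truncated: false };
}
```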
Classic HighBond issues. Required fields on create (live-discovered): title, description, deficiency_type, owner. severity and deficiency_type are tenant-specific enums — use issues_discover_allowed_values first.
| Tool | Description |
|---|---|
| issues_list_issues | Tenant-wide with server-side closed filter + client-side severity/type/owner/overdue/project filters |
| issues_get_issue | Full detail with project + owner_user sideload |
| issues_create_issue | Create via project-nested POST [MUTATES] |
| issues_update_issue | PATCH — send full attribute set (identity-only patches 422) [MUTATES] |
| issues_close_issue | Convenience: closed=true [MUTATES] |
| issues_reopen_issue | Convenience: closed=false [MUTATES] |
| issues_publish_issue | Convenience: published=true [MUTATES] |
| issues_unpublish_issue | Convenience: published=false [MUTATES] |
| issues_get_issue_dashboard | Composite — severity, by-deficiency, by-project top 10, overdue list |
| issues_export_flat | Flat dictionary export with delta mode (updated_since) |
Classic HighBond management actions (nested under issues). Required fields on create (live-discovered): title, due_date, owner_name, owner_email. Optional owner_user_id binds a platform user relationship.
| Tool | Description |
|---|---|
| issues_list_issue_actions | Actions on one issue |
| issues_list_actions_across_issues | Walk tenant-wide with owner/status/priority filters (N+1 — cap with max_issues) |
| issues_get_action | Full action detail |
| issues_create_action | Nested POST under issue [MUTATES] |
| issues_update_action | PATCH with full attribute set [MUTATES] |
| issues_close_action | closed=true + completed_date=today [MUTATES] |
| issues_reopen_action | closed=false + completed_date=null [MUTATES] |
| issues_reassign_action | Swap owner_user relationship [MUTATES] |
Comments live on actions, not on issues. Resource type is action_comments; attribute is message_content (HTML). Plain-text input auto-wrapped in <p>…</p>.
| Tool | Description |
|---|---|
| issues_list_action_comments | Comments chronologically on one action |
| issues_add_action_comment | Post a new comment [MUTATES] |
| issues_get_issue_conversation | Composite — walk every action on an issue and return a single chronological transcript |
Multi-call composites that build full operational views — one tool invocation, complete dashboards. All read-only, all walk the cached tenant.
| Tool | Description |
|---|---|
| issues_get_owner_workload | Per-owner: open / closed / overdue / severity mix / open action count |
| issues_get_action_pipeline | Funnel by status × priority, median / p90 in-flight age |
| issues_get_aging_buckets | 0–7 / 8–30 / 31–90 / 91–180 / 180+ days since identified |
| issues_find_stuck_issues | Open issues with no update for N days (default 30) |
| issues_get_type_health | Per-deficiency-type: open / closed / overdue / avg days-to-close |
| issues_get_project_health | Per-project roll-up with severity breakdown |
| issues_get_sla_adherence | Client-side compute on closed issues — on-time / early / late / overrun stats |
| issues_get_user_pulse | My open issues + my open actions + overdue — by owner name |
Every bulk tool is dry-run by default. Pre-flight validators check required fields and enum membership against the live tenant so you catch problems before burning a write call.
| Tool | Description |
|---|---|
| issues_bulk_close_issues | closed=true on many IDs (dry_run default true) [MUTATES] |
| issues_bulk_publish_issues | published=true on many IDs [MUTATES] |
| issues_bulk_close_actions | closed=true + completed_date=today [MUTATES] |
| issues_bulk_reassign_actions | Reassign every open action owned by X to Y [MUTATES] |
| issues_discover_allowed_values | Sample existing data → observed severity / deficiency_type / priority / status enums |
| issues_validate_create_payload | Pre-flight check for issue create against tenant enums + required fields |
| issues_validate_action_payload | Pre-flight check for action create including due-date vs issue-due-date warning |
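
The dry-run default and pre-flight validation described for the bulk tools, as an added example that is not the server's code. The required field names and the `dry_run` default come from the page; `validateCreatePayload`, `bulkCloseIssues`, `patchIssue` and the sample enum values are hypothetical.

```javascript
// Added illustration, not the server's code.
const REQUIRED_ISSUE_FIELDS = ["title", "description", "deficiency_type", "owner"];

// Pre-flight check: required fields present, enum values observed on the tenant.
// `allowed` stands in for what issues_discover_allowed_values would return.
function validateCreatePayload(payload, allowed) {
  const errors = [];
  for (const f of REQUIRED_ISSUE_FIELDS) {
    if (typeof payload[f] !== "string" || payload[f].trim() === "") {
      errors.push(`missing required field: ${f}`);
    }
  }
  for (const f of ["severity", "deficiency_type"]) {
    const v = payload[f];
    if (v !== undefined && v !== "" && !(allowed[f] || []).includes(v)) {
      errors.push(`invalid ${f}: ${JSON.stringify(v)}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Bulk close that mutates only when dry_run is the boolean false, so an
// omitted flag or a model-supplied string "false" still yields a plan only.
// `patchIssue(id, attrs)` is an injected, hypothetical write function.
async function bulkCloseIssues({ ids, dry_run = true }, patchIssue) {
  const unique = [...new Set(ids.map(String))];
  const plan = unique.map((id) => ({ id, change: { closed: true } }));
  if (dry_run !== false) {
    return { dry_run: true, would_change: plan, changed: [], failed: [] };
  }
  const changed = [];
  const failed = [];
  for (const step of plan) {
    try {
      await patchIssue(step.id, step.change);
      changed.push(step.id);
    } catch (e) {
      failed.push({ id: step.id, error: String((e && e.message) || e) });
    }
  }
  return { dry_run: false, would_change: [], changed, failed };
}
```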
Inventory-centric schema tools — 8 recognized inventories (issues, actions, action_comments, users, groups, roles, entities, workflows). Emergent schema detection: dataType, population rate, distinct values, samples. Brain-canonical comparison is read-only.
| Tool | Description |
|---|---|
| issues_list_canonical_inventories | Enumerate recognized inventories with list endpoints + parent chains |
| issues_list_inventory_records | Walk all records of one inventory tenant-wide (respects parent chain) |
| issues_get_inventory_schema | Emergent schema — dataType, population rate, distinct values, samples |
| issues_build_data_dictionary | Composite — full tenant dictionary across every inventory, one call |
| issues_list_brain_canonical_inventories | READ-ONLY list of Riskapture Brain canonicals from Riskapture-Knowledge |
| issues_compare_inventory_to_brain | READ-ONLY diff: aligned / only-in-brain / only-in-observed / type-conflicts |
| Tool | Description |
|---|---|
| issues_schema_detection | Population rate per attribute, observed enums, custom_attribute terms |
| issues_subject_sync | Full or delta (updated_since) sync of all issues |
| issues_find_duplicate_issues | Cross-project dedup with Levenshtein scoring |
| Tool | Description |
|---|---|
| issues_list_users | All platform users |
| issues_list_groups | User groups |
| issues_list_roles | Platform roles |
| issues_list_entities | Organizational entities |
| issues_api_raw | Generic JSON:API call — DELETE blocked [ESCAPE HATCH] |
Two-tier cache (in-memory + on-disk at ~/.cache/diligent-issues-mcp/cache.json) — reloaded on next process start so Claude Code's short-lived stdio MCPs actually keep their work. Writes invalidate affected keys automatically.
| Tool | Description |
|---|---|
| issues_cache_status | Keys by prefix, bytes, hit/miss/write counters, disk file path |
| issues_clear_cache | Purge scope: all / reference / instances / brain |
Every tool documented in the Issue Manager help docs whose API endpoint returns 404 on every tenant we probed. Each returns a structured FEATURE_NOT_AVAILABLE error with a help-doc URL. Ready to be wired to real handlers when the app's API surface is published.
| Tool | Description |
|---|---|
| issues_list_types | Issue types (Administration) [STUB] |
| issues_get_type | Issue type detail + subtypes + type-dependent fields [STUB] |
| issues_list_templates | Issue templates (Settings) [STUB] |
| issues_list_slas | SLA configs keyed by (type, severity) [STUB] |
| issues_add_watcher | Watchers role (2026-04-10) [STUB] |
| issues_remove_watcher | [STUB] |
| issues_list_issue_relationships | Cross-app relationships [STUB] |
| issues_add_relationship | Link to Risk / Control / Asset / Audit [STUB] |
| issues_transition_issue | DRAFT / IN REVIEW / REMEDIATION PLANNING / IN REMEDIATION / TO BE APPROVED / CLOSED / DISCARDED [STUB] |
| issues_assign_owner | Type manager assigns Issue owner [STUB] |
| issues_add_comment | Comment on an issue (classic API only has action comments) [STUB] |
| issues_start_action | Action owner starts action [STUB] |
| issues_mark_action_done | Action owner marks done [STUB] |
| issues_approve_action | Approver approves [STUB] |
| issues_decline_action | Approver declines [STUB] |
| issues_initiate_workflow | Parallel / Sequential workflow initiation [STUB] |
Environment variables.
- false to disable the response cache (default on)
- ~/.cache/diligent-issues-mcp)
- ~/projects/Riskapture-Knowledge.

Regional base URLs: US, Canada, Europe, Asia, Australia, Africa, Japan, South America. Token type must be Diligent One Platform (full API) — Analytics / Activity Logs tokens will fail authentication.
Sibling MCPs — same bearer token, different surfaces: Projects MCP, ERM MCP.
Hard rules.
- close_issue / close_action instead.
- title + description + deficiency_type + owner. Actions require title + due_date + owner_name + owner_email. Use the validators before creating.
- severity and deficiency_type values are tenant + project-type-specific. Call issues_discover_allowed_values first.
- filter[closed]=true|false works server-side. Everything else filters client-side.
- application/vnd.api+json. Cursor-based pagination via links.next — never integer page numbers.
- ?include=project and ?include=owner_user return data. Other includes are accepted (200) but return empty included[].
- issues_bulk_* tool defaults to dry_run=true. Explicitly set dry_run=false to execute.

Getting started.
1. Install via the one-liner above, or clone from GitHub
2. Mint a Diligent One Platform bearer token at Profile → Application tokens
3. Restart Claude Code: /mcp reset diligent-issues
4. Start with issues_health_check to verify connectivity
5. Run issues_list_capabilities to see all available tools
6. Use issues_warmup_reference_cache before bulk operations
7. Try issues_get_issue_dashboard for a one-call view of severity, status, and overdue issues