Diligent Projects,
composed by an agent.
58 tools across 12 categories. Introspect projects schema, build one canonical view per inventory (Project, Objective, Risk, Control, Walkthrough, Test, Issue, Sign-off, Questionnaire, Response), compare to the Riskapture GRC Brain (read-only), and write back terminology and attribute values. Scoped to classic Projects; does not cover AuditAI.
~/.local/share/diligent-3rdrisk-mcp
Node.js 20+, no sudo
Re-run to update
Three layers, one conversation.
The server is designed so an LLM can navigate it without memorizing tool names. A meta layer describes itself; a harmonization layer handles the complex PRD workflows; a primitive layer exposes every API endpoint.
Meta & control plane
Health check, session metrics, capability discovery, schema introspection, auto-pagination, reference cache warmup. The agent learns what it has before it guesses.
Harmonization layer
PRD-defined tools: schema detection, config discovery, subject sync, procedure sync, cross-project deduplication. The intelligence that makes Projects data canonical.
Primitive layer
Raw CRUD for projects, objectives, risks, controls, issues, frameworks, walkthroughs, tests, planning files, sign-offs, users, and platform config.
Rate-limited client
Token-bucket rate limiter (600 req/hr, 6 req/sec), exponential-backoff retry, structured error classification, and per-call observability metrics.
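The limiter and retry policy described above, as an added JavaScript example (not the server's own code): two token buckets that must both be satisfied, a status classifier that decides what is worth retrying, and capped full-jitter backoff. The 600/hr and 6/sec figures are the page's; the status groupings, base delay and cap are this example's assumptions.

```javascript
// Added example (not the server's own code): a dual token-bucket limiter with the limits
// quoted above (600 req/hr, 6 req/sec). Time is passed in (ms) so behaviour is deterministic.
class TokenBucket {
  constructor(capacity, refillPerMs) {
    this.capacity = capacity;        // burst size
    this.refillPerMs = refillPerMs;  // sustained rate
    this.tokens = capacity; this.last = 0;
  }
  refill(now) {
    this.tokens = Math.min(this.capacity, this.tokens + (now - this.last) * this.refillPerMs);
    this.last = now;
  }
  // Milliseconds until one token is available (0 = a request may go now).
  waitMs(now) {
    this.refill(now);
    return this.tokens >= 1 ? 0 : Math.ceil((1 - this.tokens) / this.refillPerMs);
  }
  take(now) { this.refill(now); this.tokens -= 1; }
}

// A request must clear BOTH buckets: the hourly quota and the per-second burst.
class RateLimiter {
  constructor() {
    this.hourly = new TokenBucket(600, 600 / 3_600_000);
    this.burst = new TokenBucket(6, 6 / 1_000);
  }
  // Returns 0 and consumes a token from each bucket, or the ms to sleep before retrying.
  acquire(now) {
    const wait = Math.max(this.hourly.waitMs(now), this.burst.waitMs(now));
    if (wait > 0) return wait;
    this.hourly.take(now);
    this.burst.take(now);
    return 0;
  }
}

// Structured error classification: only transient failures are worth a retry.
// The status groupings are this example's assumption, not the server's exact table.
function classify(status) {
  if (status === 429 || status >= 500) return 'retryable';
  if (status === 401 || status === 403) return 'auth';   // fix the token, do not retry
  if (status >= 400) return 'client';                    // bad request, do not retry
  return 'ok';
}

// Exponential backoff with full jitter, capped; rng is injectable for tests.
function backoffMs(attempt, rng = Math.random, base = 500, cap = 30_000) {
  return Math.floor(rng() * Math.min(cap, base * 2 ** attempt));
}
```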
Composite tools
Risk-control matrix, issue dashboard, project summary, control assessment status — multi-call composites that build complete views in one tool invocation.
Name resolution
Every tool accepts human-readable names or numeric IDs. Cached resolution with 5-minute TTL. Ambiguous matches return a disambiguation table.
Two-tier response cache
Every list/get is cached in-memory (per-resource TTL) and persisted to ~/.cache/diligent-3rdrisk-mcp/cache.json. Reloaded on next process start — Claude Code's short-lived stdio MCPs actually keep their work. 17× measured speedup on warm runs. Writes invalidate affected keys automatically; manual purge via thirdrisk_clear_cache.
Capabilities overview.
Project Lifecycle
Create projects (Workplan or Internal Control workflow), set up planning, manage statuses, conclude with ratings, archive. 20,000 project limit per org.
Frameworks
Inspect and build Risk-Control Matrix templates. Frameworks are "abstract projects" — same schema, no instantiation data. Import sections into projects with linked sync.
Fieldwork
List and inspect objectives, risks, controls. View walkthroughs (design effectiveness) and tests (operating effectiveness). Track control performance schedules.
Issue Management
List issues by severity and project, view remediation details, get overdue dashboards. Severity breakdown and aging analysis in one composite call.
Schema Harmonization
PRD-defined: introspect all project type schemas, detect template vs ad hoc usage, sync all subjects, find duplicates with Levenshtein scoring.
Platform Admin
Users, groups, roles, workflows, organizational entities. Generic API escape hatch for uncovered endpoints (DELETE blocked).
All tools.
| Tool | Description |
|---|---|
| thirdrisk_health_check | API connectivity, response time, session metrics |
| thirdrisk_get_session_metrics | Call counts, errors, retries, average duration |
| thirdrisk_reset_session_metrics | Reset counters for a new job |
| thirdrisk_list_capabilities | Tool inventory by category with descriptions |
| thirdrisk_warmup_reference_cache | Pre-fetch project types & workflows |
| thirdrisk_query_all | Auto-paginate any JSON:API resource collection |

| Tool | Description |
|---|---|
| thirdrisk_list_projects | List all projects with status filter |
| thirdrisk_get_project | Full project details — accepts name or ID |
| thirdrisk_create_project | Create a new project MUTATES |
| thirdrisk_update_project | Update project fields (name, status, opinion, dates, tags) MUTATES |
| thirdrisk_list_project_types | Available project types with workflow info |
| thirdrisk_get_project_type | Project type detail with terminology config |

| Tool | Description |
|---|---|
| thirdrisk_list_objectives | Objectives (sections) within a project |
| thirdrisk_get_objective | Full objective detail with related entity IDs |
| thirdrisk_get_objective_detail | Objective + all nested risks, controls, narratives |

| Tool | Description |
|---|---|
| thirdrisk_list_risks | All risks, optionally filtered by objective |
| thirdrisk_get_risk | Full risk detail with custom attributes & factors |
| thirdrisk_get_risk_heat_map | Impact x Likelihood matrix across project or all |

| Tool | Description |
|---|---|
| thirdrisk_list_controls | All controls/procedures, optionally by objective |
| thirdrisk_get_control | Full control detail with UI link |
| thirdrisk_list_walkthroughs | Design effectiveness assessments |
| thirdrisk_get_walkthrough | Walkthrough detail |
| thirdrisk_list_control_tests | Operating effectiveness tests (filter by round) |
| thirdrisk_get_control_test | Control test detail |
| thirdrisk_list_questionnaire_responses | Control performance questionnaire responses |
| thirdrisk_get_control_assessment_status | Composite: control assessment status across a project |

| Tool | Description |
|---|---|
| thirdrisk_list_frameworks | All framework templates |
| thirdrisk_get_framework | Framework detail — accepts name or ID |
| thirdrisk_list_framework_objectives | Objectives within a framework |
| thirdrisk_list_framework_planning_files | Planning files in a framework |
| thirdrisk_get_risk_control_matrix | Composite: full Objective-Risk-Control denormalized matrix |

| Tool | Description |
|---|---|
| thirdrisk_list_issues | All issues with severity/project/type filter |
| thirdrisk_get_issue | Full issue with description, recommendation, remediation |
| thirdrisk_get_issue_dashboard | Composite: severity breakdown + overdue + status pipeline |

| Tool | Description |
|---|---|
| thirdrisk_get_planning | Project planning info (background, purpose, scope) |
| thirdrisk_list_planning_files | Planning files for a project |
| thirdrisk_get_planning_file | Planning file detail |
| thirdrisk_list_signoffs | Workpaper sign-off records |

| Tool | Description |
|---|---|
| thirdrisk_list_users | All platform users |
| thirdrisk_list_groups | User groups |
| thirdrisk_list_roles | Platform roles |
| thirdrisk_list_workflows | Configured workflows |
| thirdrisk_list_entities | Organizational entities |
| thirdrisk_list_entity_categories | Entity categories |
| thirdrisk_api_raw | Generic JSON:API call — DELETE blocked ESCAPE HATCH |

| Tool | Description |
|---|---|
| thirdrisk_schema_detection | Introspect all project type schemas, attribute defs, framework templates |
| thirdrisk_config_discovery | Template vs ad hoc analysis, schema consistency scoring |
| thirdrisk_subject_sync | Full/delta sync of all subjects across project types |
| thirdrisk_procedure_sync | Sync procedures + assessment results (walkthroughs, tests) |
| thirdrisk_find_duplicate_subjects | Cross-project deduplication with Levenshtein scoring |
| thirdrisk_get_project_summary | Composite: full project dashboard with counts and issue breakdown |
Classic Projects has ten inventory kinds (project, objective, risk, control, walkthrough, control_test, issue, signoff, questionnaire, questionnaire_response). These tools build one flat canonical view per inventory, introspect the emergent schema from live data (data type, mandatory rate, population rate, enum values, precision, USER detection via *_user relationships), compare to the Riskapture GRC Brain (read-only), and support terminology + value writes. Falls back to per-project nested walks when a flat endpoint 404s on a specific tenant.
| Tool | Description |
|---|---|
| thirdrisk_list_canonical_inventories | Enumerate the 10 inventory kinds with their list endpoints and parent chains |
| thirdrisk_list_inventory_records | List every instance of one inventory tenant-wide, tagged with its project of origin |
| thirdrisk_get_inventory_schema | Introspect one inventory's emergent schema — dataType / mandatoryRate / populationRate / enumValues / precision |
| thirdrisk_build_data_dictionary | Composite — walks every inventory, returns a structured data dictionary for the whole tenant |
| thirdrisk_list_brain_canonical_inventories | READ-ONLY list of the Riskapture Brain canonical inventories (from services/grc-brain/knowledge/domains/*/inventories/*.yaml) |
| thirdrisk_compare_inventory_to_brain | READ-ONLY diff: aligned / only-in-brain / only-in-projects / type-conflicts |
| thirdrisk_update_project_type_terminology (n/a) | PATCH the *_terms config on a project type — all 18 terminology keys writable MUTATES |
| thirdrisk_set_subject_custom_attribute (n/a) | Update the value of an EXISTING custom_attribute on a subject. Returns ATTRIBUTE_NOT_DEFINED when the term isn't defined (the public API can't add definitions — use the UI tools below) MUTATES |
Admin surface: user lifecycle, role assignment, access-domain membership. Bulk import: dry-run-by-default validation + commit loops for third parties, contracts, and users. Flat export for downstream ingest.
| Tool | Description |
|---|---|
| thirdrisk_admin_assign_role | Add one or more roles to a user MUTATES |
| thirdrisk_admin_unassign_role | Remove roles from a user MUTATES |
| thirdrisk_admin_replace_roles | Replace the full set of roles on a user MUTATES |
| thirdrisk_admin_assign_access_domain | Add access domains to a user MUTATES |
| thirdrisk_admin_audit_user_permissions | Composite report: every user's roles and access domains in one view |
| thirdrisk_bulk_import_third_parties | Dry-run (default) or commit batch of third-party creates MUTATES |
| thirdrisk_bulk_import_contracts | Dry-run (default) or commit batch of contract creates MUTATES |
| thirdrisk_bulk_import_users | Dry-run (default) or commit batch of user creates MUTATES |
| thirdrisk_export_flat | Flatten any resource to plain rows (id + attributes) for CSV/Brain ingest |
Two-tier cache wraps every list/get call. Tier 1 is in-memory with per-resource TTL (15m reference, 10m entities + UI schema, 5m projects / frameworks, 2m record lists, ∞ Brain YAML). Tier 2 persists to ~/.cache/diligent-3rdrisk-mcp/cache.json so a fresh MCP process on the next Claude Code turn reloads instantly. Writes invalidate affected keys automatically. Measured 17× speedup on warm runs (2.07 s → 0.12 s for thirdrisk_get_inventory_schema(risk, sample_limit=50)).
| Tool | Description |
|---|---|
| thirdrisk_cache_status | Keys by prefix, bytes, hit/miss/write counters, disk file path |
| thirdrisk_clear_cache | Purge all / reference / instances / ui-schema / brain — or the whole cache |
Environment variables.
- false to disable the response cache (default on)
- ~/.cache/diligent-3rdrisk-mcp
- n/a: 3rdRisk has no UI write tools
- piedpiper
- Regional base URLs: US, Canada, Europe, Asia, Australia, Africa, Japan, South America.
Looking for ERM configuration and data tools? They moved to the Diligent ERM MCP — same bearer token, different server.
Hard rules.
- application/vnd.api+json content type.
- Cursor-based pagination via links.next.
- ?include=resource_type: related data is returned in included[].
Getting started.
1. Install via the one-liner above, or clone from GitHub
2. Set your environment variables (API token from Admin Hub > API Access Tokens)
3. Restart Claude Code: /mcp reset diligent-3rdrisk
4. Start with thirdrisk_health_check to verify connectivity
5. Run thirdrisk_list_capabilities to see all available tools
6. Use thirdrisk_warmup_reference_cache before bulk operations
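The JSON:API rules listed under Hard rules above, as an added JavaScript example (not the project's code): one function folds a page into an accumulator, indexes included[] by type and id, and returns links.next; an async driver follows the cursor until it is null. The API origin, the page shapes and the same-origin check on the next link are this example's assumptions.

```javascript
// Added example (not the server's own code): the JSON:API conventions listed under
// Hard rules. The page shapes and the same-origin rule for links.next are assumptions.
const BASE_ORIGIN = 'https://api.example.invalid';            // placeholder API origin
const JSONAPI = 'application/vnd.api+json';

// Fold one page into `state`: collect primary data, index included[] by "type:id",
// and return the next cursor URL (or null when the collection is exhausted).
function mergePage(state, page) {
  for (const rec of page.data ?? []) state.records.push(rec);
  for (const inc of page.included ?? []) state.included.set(`${inc.type}:${inc.id}`, inc);
  const next = page.links?.next ?? null;
  if (next === null) return null;
  // The bearer token is sent with every request, so never follow a cursor that
  // points off the API origin (a mis-set or tampered link would leak the token).
  if (new URL(next, BASE_ORIGIN).origin !== BASE_ORIGIN) throw new Error('next link leaves API origin: ' + next);
  return next;
}

// Resolve a record's relationship against the included index (null if not included).
function related(state, rec, relName) {
  const ref = rec.relationships?.[relName]?.data;
  return ref ? state.included.get(`${ref.type}:${ref.id}`) ?? null : null;
}

// Async driver: follows links.next until null. `getJson` is the transport (fetch + auth).
async function queryAll(getJson, firstUrl, { maxPages = 1000 } = {}) {
  const state = { records: [], included: new Map() };
  let url = firstUrl;
  for (let n = 0; url !== null; n++) {
    if (n >= maxPages) throw new Error('pagination did not terminate');  // cursor-loop guard
    url = mergePage(state, await getJson(url, { headers: { Accept: JSONAPI } }));
  }
  return state;
}

// Constructed sample: two pages of risks with the owning objective included on page one.
const SAMPLE_PAGES = {
  '/risks?include=objective': {
    data: [{ type: 'risk', id: '1', relationships: { objective: { data: { type: 'objective', id: '9' } } } }],
    included: [{ type: 'objective', id: '9', attributes: { name: 'Access control' } }],
    links: { next: BASE_ORIGIN + '/risks?include=objective&page[after]=1' },
  },
  [BASE_ORIGIN + '/risks?include=objective&page[after]=1']: {
    data: [{ type: 'risk', id: '2', relationships: { objective: { data: { type: 'objective', id: '9' } } } }],
    links: { next: null },
  },
};
```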