DocsIntegrationsMCP Governance Server

MCP Governance Server

Connect AI agents to your governance program using the Model Context Protocol. Agent REST endpoints, MCP tools, ontology export, and governance bundles.

What Is MCP?

The Model Context Protocol (MCP) is an open standard, originated by Anthropic, for connecting AI assistants to external data sources and tools. Instead of copying governance data into prompts or fine-tuning models on your policies, MCP gives agents structured, authenticated access to live data.

Dictiva's MCP governance server exposes your governance program as a set of tools, resources, and prompts that any MCP-compatible client can consume. AI agents can search statements, query glossary terms, export ontology graphs, and compile signed policy bundles -- all through the same tenant-scoped, RBAC-enforced API that powers the Dictiva web application.

Prerequisites

Before connecting an MCP client, you need:

Business or Enterprise plan -- MCP agent access is gated to Business tier and above. Lower-tier plans receive 403 Forbidden on agent endpoints.
API key with correct scopes -- Create a key at Settings > API Keys with at least statement:read, glossary:read, and assembly:read. Add statement:write only if the agent needs to modify data.
Dictiva instance running -- Either https://app.dictiva.com (production) or your local development server.

Quick Start

Add the Dictiva governance server to your MCP client configuration. For Claude Code, add this to your .mcp.json:

{
  "mcpServers": {
    "dictiva-governance": {
      "command": "npx",
      "args": ["tsx", "webapp/scripts/mcp-governance-server.ts"],
      "env": {
        "DICTIVA_API_KEY": "dv_live_...",
        "DICTIVA_BASE_URL": "https://app.dictiva.com"
      }
    }
  }
}

Replace dv_live_... with your actual API key. The server communicates over stdio -- no network ports to configure.

For local development, set DICTIVA_BASE_URL to http://localhost:3100.

Agent REST Endpoints

The MCP server wraps a set of agent-specific REST endpoints under /api/agent/. These endpoints are available on Business and Enterprise plans. Requests from lower-tier plans receive 403 Forbidden with reason: "mcp_access_required".

Endpoint	Description
`GET /api/agent/statements`	Search statements by governance dimension with agent guidance
`GET /api/agent/glossary`	Search glossary terms with ontology metadata
`GET /api/agent/ontology`	Export glossary as ontology graph (JSON or JSON-LD)
`GET /api/agent/bundles/{id}`	Compile assembly into signed governance bundle

Example: Search Agent-Applicable Statements

curl -H "Authorization: Bearer dv_live_abc123..." \
     "https://app.dictiva.com/api/agent/statements?applies_to=agent&per_page=5"

You can call these endpoints directly with an API key, but the MCP tools below provide a richer, structured interface for AI agents.

Available Tools

The MCP server exposes six governance tools:

Tool	Description	Required Scope
`search_statements`	Search governance statements by actor applicability, enforcement mode, domain, maturity level, or free text. Returns paginated results with metadata.	`statement:read`
`get_assembly_bundle`	Compile an assembly (policy, standard, or procedure) into a machine-readable bundle with a signed manifest. Used for automated compliance checking.	`assembly:read`
`search_glossary`	Search glossary terms with full ontology metadata including machine keys, aliases, term types, and cross-references.	`glossary:read`
`list_applicable_policies_for_actor`	List all policies that apply to a specific actor type (e.g., "data engineer", "security analyst"). Filters by enforcement mode and domain.	`statement:read`
`export_ontology`	Export the full glossary as an ontology graph in JSON or JSON-LD format. Includes term relationships, hierarchies, and linked governance statements.	`glossary:read`
`get_statement_guidance`	Get agent-specific guidance for a single statement: required actions, approval chain, escalation procedures, and related controls.	`statement:read`

Example: Searching Statements

An MCP client invokes search_statements like any other tool call:

{
  "tool": "search_statements",
  "arguments": {
    "query": "data retention",
    "domain": "data-governance",
    "enforcement": "mandatory",
    "page": 1,
    "perPage": 10
  }
}

The server returns matching statements with full metadata:

{
  "data": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "code": "DG-RET-001",
      "title": "Data Retention Period Definition",
      "body": "All data assets must have a defined retention period...",
      "domain": "data-governance",
      "enforcement": "mandatory",
      "maturityLevel": "foundational"
    }
  ],
  "meta": {
    "page": 1,
    "perPage": 10,
    "total": 23,
    "totalPages": 3
  }
}

Resources

The server exposes one resource:

governance-summary -- Provides a high-level overview of your governance program:

Total statement count by domain
Glossary term statistics (total terms, term types, coverage)
Enforcement distribution (mandatory, recommended, optional)
Assembly counts by type (policy, standard, procedure)
Last-updated timestamps

Agents use this resource to understand the scope and shape of your governance data before making targeted tool calls.

Prompts

Two built-in prompts help agents perform common governance tasks:

compliance-check

Checks a planned action against applicable governance policies.

Arguments:

action -- Description of the planned action (e.g., "Store customer PII in a third-party analytics tool")
actorType -- The role performing the action (e.g., "data analyst")
domain -- Optional domain filter (e.g., "data-privacy")

The prompt retrieves applicable statements, evaluates the action against each one, and returns a structured compliance assessment with pass/fail results and remediation guidance.

policy-summary

Summarizes the governance posture for a specific domain.

Arguments:

domain -- The governance domain to summarize (e.g., "information-security")

Returns statement counts by enforcement level, maturity distribution, gap analysis against common frameworks, and key policy highlights.

Authentication

All MCP tool calls are authenticated via the API key set in DICTIVA_API_KEY. The server passes this as a Bearer token in every HTTP request to the Dictiva agent API.

Key Format

API keys follow the format dv_live_... (production) or dv_test_... (test mode). Create keys at Settings > API Keys in the Dictiva web application.

Scope Enforcement

Each tool requires specific permission scopes. If the API key lacks a required scope, the server returns an error with the missing scope name. Assign the minimum scopes needed for your agent's use case.

Tenant Isolation

API keys are scoped to a single tenant. The MCP server can only access governance data within that tenant's workspace. There is no cross-tenant access.

Response Format

Paginated Responses

Tools that return lists (search_statements, search_glossary, list_applicable_policies_for_actor) use paginated responses:

{
  "data": [...],
  "meta": {
    "page": 1,
    "perPage": 20,
    "total": 147,
    "totalPages": 8
  }
}

Pass page and perPage arguments to navigate through results.

Flat Responses

Tools that return single objects (get_assembly_bundle, export_ontology, get_statement_guidance) return flat JSON with a stats field summarizing the response:

{
  "bundle": { ... },
  "manifest": { ... },
  "stats": {
    "statementCount": 42,
    "generatedAt": "2026-03-29T12:00:00Z"
  }
}

Rate Limits

MCP requests count toward your API key's rate limit. Limits are per-key, fixed-window (60 seconds):

Plan	Requests per Minute
Business	100
Enterprise	500

Every response includes rate limit headers:

X-RateLimit-Limit -- Maximum requests per window
X-RateLimit-Remaining -- Requests left in the current window
X-RateLimit-Reset -- Unix timestamp when the window resets
X-RateLimit-Window -- Window duration in seconds (60)

MCP requests are metered separately from browser API requests in the usage dashboard at Settings > Billing > API & MCP Usage.

Troubleshooting

DICTIVA_API_KEY required

The DICTIVA_API_KEY environment variable is not set in your MCP client configuration. Add it to the env block in .mcp.json.

401 Unauthorized

The API key is invalid, expired, or revoked. Generate a new key at Settings > API Keys.

403 Forbidden -- missing scopes

The API key lacks the permission scope required by the tool you called. Edit the key's scopes or create a new key with the correct permissions.

403 Forbidden -- mcp_access_required

Your tenant is on a Community or Professional plan. MCP agent access requires the Business or Enterprise plan. See Billing & Plans for upgrade options.

Connection refused

The MCP server cannot reach the Dictiva API at the configured DICTIVA_BASE_URL. Verify the URL is correct and the Dictiva instance is running. For local development, ensure the dev server is started on the expected port.

Timeout on large ontology exports

The export_ontology tool can take several seconds for tenants with large glossaries. Increase your MCP client's tool timeout if you receive timeout errors. The default Dictiva API timeout is 30 seconds.

Next Steps

Create an API key with the scopes your agent needs
Explore the interactive API docs to understand the underlying endpoints
Review RBAC configuration to control who can create API keys
Check your plan to confirm MCP access is enabled