Portfolio·Enterprise lane

Blue Prism v7
MCP Server

A standalone Model Context Protocol server that gives an LLM agent governed access to a Blue Prism v7 Enterprise estate, entirely over the supported v7 REST API. It exposes the estate as a tight surface of agent tools: visibility reads, derived insight, and capability-gated control actions. Names go in, UUIDs stay underneath. Reads come back in an answer-shaped envelope the model can trust on a large estate, with personal data scrubbed before any text reaches it. No database reads.

3 tiers · 20+ tools
Visibility, insight, governed control
7.0.1 → 7.5.1
Verified against the official OpenAPI specs
440 tests
Coverage-gated in CI
0
Database reads. The supported REST API only.
The problem

SS&C is building MCP natively into Blue Prism Next Generation through its AI Gateway. v7 Enterprise gets none of it, and that is the large installed base most estates still run. There is no native agentic path to a v7 estate, and no public or community MCP server fills the gap.

So the estates that would benefit most from an agent that can read run history, explain a failure, and safely act on it are exactly the ones with no supported way to connect one. The window matters. v7 customers are the ones migrating over the next few years, and they need the capability now, not after a platform migration.

Approach

A standalone, independently versioned package that sits on the documented v7 REST API only, with no database coupling and no support liability. The v7 client at its core was first proven inside the Insight dashboard, which sources all of its data from the same API, then extracted here as a reusable engine. Authentication is OAuth2 client-credentials against the Blue Prism Authentication Server, one implementation covering 7.2 through 7.5.1.

The surface is designed as estate primitives, not a copy of a dashboard's MI views. Reads return a relevance-sorted envelope so a million-item estate can never blow the model's context. The differentiated value is a governed action surface: every control action is gated by the service account's actual permissions, defaults to a dry run that returns the exact change it would make, and is audited before the write is issued. It runs end to end with no estate and no credentials in mock mode, so the whole surface can be evaluated risk-free.

Architecture
Client → MCP server → v7 REST API → estate. Three tool tiers, guardrails on the path of every action, and one rule underneath it all: no database reads.
What it gives an agent

Why did this run fail?

get_session_log with errors_only returns just the exception-handling stages of one session, newest first and PII-scrubbed, so the cause surfaces without dragging the whole log back.

What is breaking across the estate?

estate_exception_summary groups exceptions across every queue in one call, folding messages that differ only in personal data into one bucket and recording which queues each failure hits.

Is the programme keeping up?

throughput_summary gives per-process session outcomes over a window, and estate_health rolls up resource status with the licence limits-versus-usage block. Capacity pressure is a single call.

Can it act, safely?

The control tier can retry an item, stop a session, or trigger a schedule. It registers only the actions the service account's permissions allow, runs as a previewed dry run unless explicitly confirmed, and writes an audit line first.

The tool surface

Designed as estate primitives, not a copy of a dashboard’s MI views. Single-purpose tool descriptions drive better model tool-selection.

Visibility

read

The estate as primitives: queues, items, sessions, run logs, schedules, resources, processes, and the topology around them.

list_queues / get_queuelist_queue_items / get_queue_itemlist_item_attemptslist_sessions / get_sessionget_session_loglist_resourceslist_scheduleslist_processeslist_queue_configurationslist_resource_poolslist_environment_variableslist_process_groups

Insight

derived reads

Client-side aggregations the v7 API has no endpoint for: the dominant failure mode, throughput, and the licence picture in a single call.

exception_summaryestate_exception_summarythroughput_summaryestate_healthlicense_entitlement

Control

off by default

The differentiator: a governed action surface. Capability-gated, dry-run by default, and audited before the write. Registered only when explicitly enabled.

retry_queue_itemdefer_queue_itemstart_processstop_sessionset_schedule_enabledtrigger_schedulestop_schedule
A worked scenario

An agent diagnoses a failed run and proposes a fix, without touching the estate.

The tiers compose. A single question, “what is failing and what do we do about it?”, walks down from the estate-wide view to the single failing stage to a previewed remediation, then stops at the boundary where a human decides.

  1. 01
    estate_exception_summary(window: last 24h)

    One SAP timeout dominates the estate, hitting the Finance, HR and Ops queues at once. It surfaces as a single grouped finding rather than three.

  2. 02
    get_session_log(session, errors_only: true)

    Just the exception-handling stages of the failing run, newest first and PII-scrubbed, so the cause is read without dragging the whole log back.

  3. 03
    defer_queue_item(item, dry_run: true)

    The exact change it would make is returned for review. Nothing is written. The estate stays untouched until a human confirms with dry_run: false.

The agent returns the dominant failure mode, the root-cause stage, and the exact remediation it would apply, then waits. Nothing changes until someone confirms.

The governance contract

Three layers sit between the model and a write. Every one fails loud rather than degrading.

Read-only management information is what a dashboard does. The value of an MCP server on v7 Enterprise is a governed action surface, one an estate owner can hand to an agent without handing over the keys.

Capability gating

At registration the resolver reads the service account's permissions and registers only the actions it can actually execute. A tool the account cannot run does not exist as far as the model is concerned. A failed permissions read refuses to start.

Dry-run by default

Every action takes dry_run = True. The default call resolves names, validates inputs, and returns the exact write it would issue, without sending anything. Changing the estate takes an explicit dry_run = False.

Append-only audit

Enabling actions requires an audit path. There is no opt-out. The attempt line is written before the write is issued, so no change can outrun its record. Audit carries ids, names and dates only, never payloads or exception text.

No database readsPII scrubbed at the boundaryCapability-gatedDry-run by defaultAudited before the writeFails loud, never degrades
An embeddable engine

The core is a library other systems can embed.

The same logic that backs the MCP tools is exposed as a plain Engine facade, so a host can embed it in-process without the stdio transport. Each read returns the full relevance-sorted records, already scrubbed, name-resolved, and validated, leaving paging and shaping to the host. A thread-safe, injectable cache lets a long-lived multi-threaded host share one client across workers. The MCP server is one adapter over that engine.

from blue_prism_mcp import Engine, BPClient, BPConfig, build_scrubber

config = BPConfig.from_env()
engine = Engine(BPClient(config), build_scrubber(config))

ranked = engine.list_queues()      # full scrubbed records, relevance-sorted
for queue in ranked.records:
    ...                            # apply your own representation
Engineering & rigour

Verified against the spec

The surface was mapped field-by-field to the official OpenAPI specs for 7.0.1 through 7.5.1. It supports 7.2 and above, and degrades gracefully where a single read needs a newer estate, rather than raising the floor for everyone.

Light by default

The base install is two dependencies: the MCP runtime and an HTTP client. Presidio-backed PII is an optional extra, so a team without a PII risk, or with its own redaction, is never forced to carry a 1GB NER model.

Pluggable PII, fail-loud

A Scrubber protocol with three shipped tiers: a no-op, a zero-dependency regex tier for the pattern-shaped UK FS identifiers, and a Presidio NER tier. The requested backend must load at startup or the server refuses to run.

Scale-safe by contract

Every list returns an envelope: items plus meta (total, returned, truncated, sorted_by), with a server-side relevance sort and a limit. A million-item estate can never blow the model's context, and the model always knows how much it did not see.

Names in, UUIDs underneath

Every v7 entity id is a UUID, and agents speak in names. Tools accept the name (“the Invoices queue”) and resolve it to its id against the list endpoints, so the model never has to hold a UUID to act.

Runs with no estate

Mock mode runs the whole tool surface against an in-memory estate with no credentials, so the artifact can be evaluated end to end in any MCP client risk-free. The stdio handshake is byte-clean and 440 tests gate coverage in CI.

Stack
Python 3.11+
Library + console script
MCP (FastMCP)
stdio server + tools
Blue Prism v7 REST API
Live estate data
OAuth2 client-credentials
Auth Server bearer
Microsoft Presidio
Optional PII scrubbing
requests
HTTP client (light base)
pytest + coverage
Test suite, CI-gated
GitHub Actions
CI — ruff + pytest gate
Provenance

The v7 client at the core of this server was first proven inside Insight, the operational dashboard, which sources its entire estate from the same REST API with no database reads. The tool shapes (the relevance-sorted envelope, ISO validation, boundary PII scrubbing) were validated there, then extracted here as the standalone, reusable library the dashboard was always implicitly built on.

PortfolioEnterprise lane