OMG QA runs a Model Context Protocol server, so an AI coding agent — Claude Code, Cursor, Codex, or anything MCP-compatible — can search, read, create, and move findings without leaving its context. The agent works the same data your team does, with the same permissions.
Model Context Protocol is an open standard for connecting AI agents to external tools. Instead of pasting logs into a chat, the agent calls typed tools directly. OMG QA exposes its quality workflow as MCP tools so an agent can, for example, "find the open Safari checkout regression, read its trace, and re-open it" in one turn.
The MCP endpoint is:
First, generate an API key under Account → API keys. Keys are project-scoped by default (least privilege): the agent can only see and act on the one project you pick — it cannot read or touch findings in any other project, enforced on the server. Grant it only the scopes it needs (a read-only key can search and read but never mutate); “entire workspace” is a deliberate, broader choice. Then paste one of the configs below and replace the token.
Add the server with a single command (or drop the JSON into ~/.claude.json).
Use --scope user to make it available in every repo on your machine, or
--scope project to register it only for the current repo (writes a
.mcp.json in that repo — handy when each repo maps to a different workspace):
The API key already binds to one workspace, so no other header is needed —
in particular you do not send X-Org-Slug (that is only for interactive user logins).
Add to ~/.cursor/mcp.json (or the project's .cursor/mcp.json):
/.well-known/mcp (also at /mcp/manifest) — it lists the server name,
description, every tool and how to authenticate.
list_projects returns only it, and any
search_findings / create_finding / finding lookup for another project
is rejected on the server (not found / forbidden). A
workspace-scoped key (the broader, opt-in choice) instead lets the agent pick a project
per call via list_projects + projectId.
--scope project (each repo's
.mcp.json carries its own project key), or give each a distinct name —
omgqa-acme, omgqa-globex.

| Tool | What it does |
|---|---|
| list_projects | List the projects in the current organization. |
| search_findings | List/filter findings in a project by status, paged. |
| search_findings_text | Full-text search findings across the org. |
| find_similar_findings | Semantic neighbours of a finding (duplicate detection). |
| get_finding_details | Get the full details of a finding by id. |
| get_finding_evidence | List a finding's evidence attachments (metadata). |
| download_evidence | Short-lived download URL for an attachment's bytes (screenshots, traces, logs). |
| list_test_runs | List recent automated test runs for a project (read). |
| get_project_analytics | Release-readiness rollup for a project (read). |
| create_finding | File a new finding (type, severity, priority, description). |
| transition_finding | Move a finding through its workflow (e.g. triage → in progress → resolved). |
| upload_evidence | Attach evidence to a finding (returns an upload URL). |
| complete_evidence | Confirm an evidence upload finished (after PUTting the bytes). |
| add_comment | Add a comment (or internal note) to a finding. |
| request_retest | Move a finding to ReadyForRetest after a fix ships. |
| link_pr | Link a pull request / commit / issue to a finding. |

The write tools (create_finding, transition_finding, upload_evidence,
add_comment, request_retest, link_pr) all run through the same
agent governance gate: the per-agent policy (read-only / approval / autonomous),
the tool allow-list and the hourly cap are enforced, and every decision is audited.
Giving an agent write access shouldn't mean giving up control. Every agent (API key) acts under an explicit, per-key governance policy rather than ambient trust — directly addressing OWASP "excessive agency". The policy has four independent dials:
Read-only blocks all mutating tools. Approval (the safe default) queues each write for an admin to approve in the app, then runs it. Autonomous lets writes apply immediately — still inside the key's scopes and allow-list.
Restrict a key to a named subset of tools (e.g. let it create_finding and
add_comment but never transition_finding). An empty list means
"all tools the key's scopes already permit".
An optional per-agent ceiling on write actions per hour bounds the blast radius of a runaway or compromised agent.
An org-wide policy can tighten every agent at once, and each gate decision — allowed, queued, denied, or rate-limited — is written to the tamper-evident audit log.
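The gate described above, sketched as an added example (this is not OMG QA's code). The policy field names, the order of the checks, applying the allow-list to read tools as well, and counting queued writes toward the hourly cap are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Write tools named on this page; every other tool is treated as a read.
WRITE_TOOLS = frozenset({"create_finding", "transition_finding", "upload_evidence",
                         "add_comment", "request_retest", "link_pr"})

@dataclass(frozen=True)
class AgentPolicy:  # hypothetical shape, not OMG QA's schema
    mode: str = "approval"                  # "read-only" | "approval" | "autonomous"
    allowed_tools: frozenset = frozenset()  # empty = every tool the key's scopes permit
    hourly_write_cap: Optional[int] = None  # None = no ceiling

class GovernanceGate:
    def __init__(self, policy, scoped_tools, clock=time.time):
        self.policy, self.scoped_tools, self.clock = policy, frozenset(scoped_tools), clock
        self.audit = []    # plain list here; the page describes a tamper-evident log
        self._writes = []  # timestamps of writes admitted in the last hour

    def decide(self, tool):
        """Return allowed / queued / denied / rate-limited and record the decision."""
        decision = self._evaluate(tool)
        self.audit.append((self.clock(), tool, decision))
        return decision

    def _evaluate(self, tool):
        p = self.policy
        if tool not in self.scoped_tools:
            return "denied"        # outside the key's scopes
        if p.allowed_tools and tool not in p.allowed_tools:
            return "denied"        # not on the per-key allow-list
        if tool not in WRITE_TOOLS:
            return "allowed"       # reads pass once scope and allow-list agree
        if p.mode == "read-only":
            return "denied"        # read-only blocks all mutating tools
        now = self.clock()
        self._writes = [t for t in self._writes if now - t < 3600]
        if p.hourly_write_cap is not None and len(self._writes) >= p.hourly_write_cap:
            return "rate-limited"  # ceiling reached for the sliding hour
        self._writes.append(now)   # queued writes count toward the cap (assumption)
        return "queued" if p.mode == "approval" else "allowed"

if __name__ == "__main__":
    gate = GovernanceGate(AgentPolicy(hourly_write_cap=1), WRITE_TOOLS | {"search_findings"})
    for tool in ("search_findings", "create_finding", "add_comment"):  # constructed calls
        print(tool, "->", gate.decide(tool))
```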
Already running an agentic test tool? Post its output straight to OMG QA and it lands as test runs and findings (failures dedupe into findings automatically). One endpoint, one adapter per source:
| Source | Adapter | Payload |
|---|---|---|
| generic | Full | OMG QA normalized JSON: { run, results[], findings[] }. |
| playwright-mcp | Full | Playwright JSON report (suites → specs → tests → results). |
| momentic | Documented | { run, results[] } — name, status, durationMs, error. |
| mabl | Documented | { metadata, testResults[] } — name, status, failureReason. |
| qawolf | Documented | { runs[] } — name, status, url, error. |
The generic adapter lets any tool integrate today by emitting the normalized shape; the named adapters map a vendor payload onto it. Either way, ingestion reuses the same create paths as the rest of OMG QA, so de-duplication applies.
A coding agent fixing a regression might chain: