Diligent Activity Center MCP

What this is

Activity Center is Diligent's dashboards-and-reports product (an embedded Amazon QuickSight experience over Projects + Results data). This MCP exposes the full surface as tools, so an AI agent can list dashboards, drill into Issues/Actions, take snapshots, schedule reports, and audit sharing.

No public AC API. The Diligent Developer Portal does not document an Activity Center API (verified 2026-04-27). This MCP discovered 5 reverse-engineered endpoints on the per-tenant subdomain backend and confirmed by 404-probing that ~40 operations (snapshot, schedule, share, dashboard CRUD, visual export, filters) are QuickSight-iframe-native with no Diligent-side wrapper. Architecture:

HighBond REST (Bearer PAT) — for Projects/Results/Issues data the dashboards render (drill-through, in-page Issue/Action edits).
AC backend JSON (activity-centers-api.<region>.com) — 5 confirmed endpoints: /session, /dashboards, /dashboards/{slug}/embed, /authoring/embed_url, /orgs/board_sites.
QuickSight iframe — for snapshot/schedule/share/authoring operations. These return FEATURE_LIVES_IN_QUICKSIGHT_IFRAME with workaround pointer. Drive via ac_open_preset or ac_get_authoring_embed_url + Playwright frameLocator.

Full surface analysis in knowledge/16-api-surface-notes.md.

Install

curl -fsSL https://mcp-activity-center.riskapture.ai/install.sh | bash

Then copy .env.example to .env and fill in the credentials. Required: AC_BASE_URL, AC_API_TOKEN, AC_ORG_ID, AC_TENANT_URL, AC_UI_EMAIL, AC_UI_PASSWORD, AC_UI_ORG.

Architecture

HighBond client

src/api-client.js — JSON:API v1.0 + token-bucket rate limiter (6/sec, 600/hr) + exponential backoff. Same shape as the sibling Projects/Issues MCPs.

AC subdomain client

src/ac-client.js — Cookie-authed REST client for activity-centers-api.<region>.com. Sends browser-style Origin/Referer/Sec-Fetch-* headers. One-shot 401/403 re-login retry.

OIDC session

src/ui-session.js, src/ac-session.js — Headless Playwright OIDC login, lands on the AC tenant subdomain to mint cookies. Cached at ~/.cache/diligent-activity-center-mcp/session-<org>.json, mode 0600.

QuickSight driver

src/quicksight-driver.js — Playwright fallback for iframe-bound operations (snapshot trigger, share modal, schedule modal). Lazy-loaded; reuses the OIDC session.

Two-tier cache

src/cache.js — In-memory + persistent JSON. Per-key TTL (5 min for AC dashboards, 15 min for templates/roles, 2 min for instances). Survives MCP process restarts.

Schema introspection

src/tools-schema-canonical.js — 8 canonical inventories: dashboard, preset, template, dataset, snapshot, schedule, share, role. Live for the first 4; Phase 5b for the rest.

Tool catalogue

Live (50) — call against the real backend today

Group	Tools
Meta + Cache (8)	`ac_health_check`, `ac_list_capabilities`, `ac_get_session_metrics`, `ac_reset_session_metrics`, `ac_warmup_reference_cache`, `ac_query_all`, `ac_cache_status`, `ac_clear_cache`
Presets (4)	`ac_list_presets`, `ac_get_preset`, `ac_open_preset`, `ac_get_dashboard_last_refresh`
Dashboards (read) (2)	`ac_list_dashboards`, `ac_get_dashboard`
Datasets (catalogue) (2)	`ac_list_datasets`, `ac_get_dataset`
Templates (7)	`ac_list_templates`, `ac_get_template_moodys`, `ac_get_template_cyber_risk`, `ac_get_template_market_insights`, `ac_get_template_financial_netsuite`, `ac_get_template_sox`, `ac_get_template_diligent_360`
Board sites (4) — new in 5b	`ac_list_board_sites`, `ac_get_board_site`, `ac_smart_match_board_site`, `ac_get_authoring_embed_url`
Issues & Actions (5)	`ac_list_issues_in_dashboard`, `ac_update_issue_inline`, `ac_list_actions_in_dashboard`, `ac_update_action_inline`, `ac_get_issues_actions_dashboard`
Admin (read) (6)	`ac_get_session`, `ac_get_subscription_tier`, `ac_get_region_info`, `ac_get_author_count`, `ac_list_app_roles`, `ac_get_app_role`
Snapshots (validation) (1)	`ac_connect_snapshot_to_boards_site` — validates the boardSiteId target against `/orgs/board_sites` (the snapshot half is QuickSight-native; tool fails fast if site doesn't exist)
Bulk export (1)	`ac_export_inventory_flat` — flat CSV-ready dump of dashboards + templates + board sites + session
Schema (5)	`ac_list_canonical_inventories`, `ac_list_inventory_records`, `ac_get_inventory_schema`, `ac_build_data_dictionary`, `ac_compare_inventory_to_brain`
Smart-match + validators (5)	`ac_smart_match_dashboard`, `ac_smart_match_template`, `ac_smart_match_user`, `ac_smart_match_dataset`, `ac_validate_schedule_payload`, `ac_validate_share_payload`

Stubs (46) — split into two clearly-documented categories

Error code	Group	Disposition
`FEATURE_LIVES_IN_QUICKSIGHT_IFRAME` (40)	Dashboard CRUD (5)	Verified 2026-04-27: these operations have no Diligent-side endpoint (404 on every probe). They are QuickSight-native — the AC SPA loads QuickSight in an iframe and these buttons live there. To automate, drive the QS iframe via Playwright `frameLocator`. Phase 5c work, deferred. The two validators (`ac_validate_schedule_payload`, `ac_validate_share_payload`) work today as pre-flight checks.
	Datasets mutations (5)
	Visuals + sheets + exports (6)
	Filters (2)
	Snapshots — non-validation (4)
	Scheduled reports (8)
	Sharing (5)
	Bulk mutations (5)
`FEATURE_NOT_AVAILABLE` (5)	Admin role mutations (3)	Platform Admin UI not yet recorded.
`FEATURE_NOT_AVAILABLE` (5)	Board-site CREATE/DELETE (2)	UI exists at `/settings → Add` but Save click hit a client-side validation we don't yet match. Recorder rerun needed.
`BRAIN_NOT_SEEDED` (1)	`ac_compare_inventory_to_brain`	Riskapture-Knowledge has no AC canonical seed yet. Seed it and the diff works.

Knowledge base

20 thematic markdown files in knowledge/ capture the AC product surface — preset slugs, app permissions, hard limits, region availability, the absence of a public API, the QuickSight primer, and so on. Tools cite knowledge files in their JSDoc, so the documentation stays auditable.

Source documents are crawled from help.diligentoneplatform.com by scripts/crawl-help-docs.mjs. Re-run with npm run crawl-docs.

Reverse-engineering the AC subdomain

The AC backend (activity-centers-api.diligentoneplatform.com) is undocumented but real. The MCP discovers and catalogues its endpoints with two scripts:

# 1. Playwright walks the live UI and records all network traffic
npm run record-session

# 2. Parser sanitises the HAR into a committed catalogue
npm run derive-endpoints
# → docs/ac-endpoints.md (committed, no secrets)
# → docs/ac-network.har  (gitignored — contains cookies, tokens, PII)

Smoke test

83 scenarios across three categories run against the live Pied Piper tenant (https://piedpiper.activity-centers.diligentoneplatform.com):

npm run smoke
# or, to skip the live writeback round-trip:
SKIP_WRITEBACK=1 npm run smoke

Category	Count	What it covers
live	40	Every functional tool: health, presets, dashboards, datasets, templates, board sites, admin, schema, smart-match, validators, issues/actions read paths, plus the partial-live `ac_connect_snapshot_to_boards_site` target validator.
stub-contract	48	40 stubs assert the `FEATURE_LIVES_IN_QUICKSIGHT_IFRAME` shape; 5 assert `FEATURE_NOT_AVAILABLE`; 3 conditional/variant (BRAIN_NOT_SEEDED, conditional inventory routes). Catches regressions where stubs crash or silently return empty.
writeback	1	Live mutation round-trip on an unpublished issue: PATCH description → readback verifies → revert PATCH. `finally` block ensures revert runs even on assertion failure; original value logged to stderr if revert itself fails.

Result on 2026-04-27: 89/89 passing. Reports written to ~/.cache/diligent-activity-center-mcp/smoke/<timestamp>.json with per-scenario breakdown.

Sibling MCPs

Diligent Issues MCP — Issue Manager + classic HighBond Issues
Diligent Projects MCP — classic Projects / Frameworks
Diligent ERM MCP — Enterprise Risk Manager
Diligent 3rd-Risk MCP — third-party risk
Diligent Entities MCP — corporate entities, shareholdings (private repo)