AppGenie Compliance MCP - Documentation

Service URL: https://compliance.appgenie.com.au . AWS region: ap-southeast-2 . Identity provider: WorkOS AuthKit . Last updated: 2026-06-01.

Contents

Overview
Requirements
Sign up and tiers
Connect from Claude
Connect from ChatGPT
Connect directly (power users)
Tools reference
Output modes
Tiers and billing
Usage limits
Disconnect and delete
Support
Changelog

1. Overview

The AppGenie Compliance MCP server is a Model Context Protocol service that exposes AppGenie's customer-scoped controlled compliance catalogue to AI assistants. The intended user is a compliance owner, delivery engineer or quality lead who is using an AI assistant for delivery work and needs the assistant to apply a real, cited compliance overlay rather than invent framework wording.

The MCP exposes two tools (see Tools reference):

get_appgenie_compliance_health - service status and content scope
query_appgenie_compliance - the compliance overlay for a delivery question

The catalogue served is the customer-scoped AppGenie bundle. The service is operational guidance, not legal advice, and is not a certification scheme. Use of paid framework packs requires an entitled subscription tier (see Tiers and billing).

2. Requirements

You need one of the following:

Claude Desktop or claude.ai with connector support.
ChatGPT with Apps SDK or custom-connector support.
Any MCP-capable client that supports the November 2025 MCP authorization profile (OAuth 2.1 with DCR or CIMD) - including VS Code MCP, Cursor and direct HTTP / JSON-RPC clients.

You also need an AppGenie Compliance MCP account. Accounts are created via self-serve signup; see Sign up and tiers.

Self-serve signup creates a trial customer with the full self-serve pack ladder (baseline plus ISO 9001, AI-Controlled Delivery, NIST and Operational Assurance) and a 10,000-request monthly cap for 14 days. After the trial expires, the customer is lazily downgraded to the Free / Baseline tier (baseline pack only, 100 requests per month) unless a paid tier has been activated via Stripe checkout. Enterprise (which includes ISO 27001, FedRAMP and IRAP) is sales-led.

On first OAuth sign-in via a connected client, a fresh customer record is auto-provisioned and linked to the email returned by WorkOS. Existing customers who hold a migration-period AppGenie Bearer token are linked to their OAuth identity automatically on first sign-in (link-by-email) without losing entitlements, plan or Stripe linkage.

4. Connect from Claude

Claude Desktop

Open Claude Desktop -> Settings -> Connectors.
Add connector. Server URL: https://compliance.appgenie.com.au.
Claude reads the OAuth protected-resource metadata, discovers the authorization server (https://astounding-insight-87.authkit.app), and registers itself via Client ID Metadata Document (CIMD) automatically. No client_id is required.
Sign in or sign up via the hosted AuthKit page. Email-verified sign-up issues an immediate trial token.
Claude lists the two tools. Ask a delivery question that touches compliance - Claude invokes the MCP when it needs the overlay.

claude.ai (web)

Same connector URL via the connectors panel. The OAuth flow is identical and uses the same AuthKit-hosted page.

If sign-up email verification does not arrive: WorkOS sends from workos-mail.com by default and some domains spam-filter it. Use a non-corporate email for the first sign-up, or contact support to have your account verified manually.

5. Connect from ChatGPT

In ChatGPT, open Settings -> Connectors -> Add custom connector (Apps SDK).
Server URL: https://compliance.appgenie.com.au.
ChatGPT completes the same OAuth handshake via CIMD against the AppGenie AuthKit instance. Confirm consent on the hosted page.
The two tools become available to the chat thread. Note: until the AppGenie connector is promoted out of OpenAI development review status, tools may not surface to chats even with a successful OAuth connection. Production listing is in flight.

6. Connect directly (power users)

The MCP is a standard JSON-RPC 2.0 service over HTTPS. Use it from any client that can speak MCP, or directly from a script.

Unauthenticated requests are rejected with HTTP 401 and an RFC 9728 hint:

$ curl -i -X POST https://compliance.appgenie.com.au/mcp \
    -H "Content-Type: application/json" \
    -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://compliance.appgenie.com.au/.well-known/oauth-protected-resource"

The protected-resource metadata advertises the authorization server:

$ curl -s https://compliance.appgenie.com.au/.well-known/oauth-protected-resource
{
  "resource": "https://compliance.appgenie.com.au",
  "authorization_servers": ["https://astounding-insight-87.authkit.app"],
  "bearer_methods_supported": ["header"]
}

Follow the OAuth 2.1 authorization-code flow against the authorization server, then call the MCP with the resulting access token as a Bearer credential:

POST /mcp HTTP/1.1
Host: compliance.appgenie.com.au
Authorization: Bearer eyJhbGc...
Content-Type: application/json

{"jsonrpc":"2.0","method":"tools/call","params":{"name":"get_appgenie_compliance_health"},"id":1}

7. Tools reference

`get_appgenie_compliance_health`

Reports service status and the content scope of the deployed catalogue. No parameters.

Response shape:

{
  "status": "ok",
  "service": "appgenie-compliance-mcp",
  "runtime_source": "/var/task/standards/rag.zip",
  "distribution_scope": "customer",
  "distribution_scope_enforced": true,
  "entitlement_model": "subscription_tier",
  "document_count": 89,
  "clause_count": 2224,
  "required_indexes_present": true,
  "source_tree_sha256": "sha256:...",
  "payload_sha256": "sha256:..."
}

`query_appgenie_compliance`

Returns the compliance overlay for a delivery request. The assistant should call this before producing the work product when the request touches governed software, AI, DevOps, testing, requirements, release, governance or compliance topics.

Parameters:

Name	Type	Required	Description
`tenant_id`	string	yes	Tenant identifier the assistant is acting for.
`query`	string	yes	The user's actual request, passed verbatim.
`user_id`	string	no	Requesting user identifier, for audit context.
`purpose`	enum	no	`standards_question`, `implementation_guidance`, `evidence_mapping`, `gap_assessment`, `release_readiness`.
`profile`	string	no	Compliance profile id: `baseline-commercial`, `iso-9001`, `iso-27001`, `ai-controlled-delivery`, `fedramp`, `irap`, `nist-800-53`. Paid profiles require entitlement.
`framework_pack`	string	no	Pack code: `baseline`, `iso-9001`, `iso-27001`, `ai-controlled`, `nist`, `fedramp`, `irap`. Paid packs require entitlement.
`requested_output`	enum	no	See Output modes. Default `cited_answer`.
`answer_style`	enum	no	`brief`, `normal`, `detailed`, `audit`. Default `normal`.
`include_diagnostics`	boolean	no	Returns the full diagnostic control bundle. Requires admin / enterprise permission.

Example call:

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "query_appgenie_compliance",
    "arguments": {
      "tenant_id": "acme",
      "query": "Draft an ISO 9001 work product acceptance checklist for the next sprint.",
      "profile": "iso-9001",
      "requested_output": "checklist",
      "answer_style": "normal"
    }
  },
  "id": 1
}

Example successful response (truncated):

{
  "status": "allowed",
  "answer": "Compliance checklist for profile iso-9001 (content scope: customer)...",
  "selected_profile": "iso-9001",
  "distribution_scope": "customer",
  "enforcement_decision": "Proceed",
  "required_register_entries": [ ... ],
  "required_evidence_classes": [ ... ],
  "sources": [ ... ]
}

Example denied response on unentitled paid pack:

{
  "status": "denied",
  "reason": "Profile 'iso-27001' is not included in the current subscription tier.",
  "subscription_tier": "trial",
  "required_pack": "iso-27001",
  "available_packs": ["baseline"],
  "upgrade_required": true,
  "purchase_path": "self_serve"
}

8. Output modes

Mode	Returns	Tier
`cited_answer`	Cited answer in prose with the overlay applied. Default.	Free
`overlay_only`	The overlay decisions and required-register / evidence / risk / incident lists, without prose.	Free
`sources_only`	Just the standards cited. Useful for "what should I read" requests.	Free
`checklist`	A complete-every-item checklist for the work product, including register, evidence and enforcement gates.	Trial, ISO 9001, Professional, Enterprise
`artefact_constraints`	The MUST / MUST NOT constraints the generated work product must satisfy.	Trial, ISO 9001, Professional, Enterprise
`evidence_pack`	An evidence pack outline with required classes, registers, risks and incidents.	Trial, ISO 9001, Professional, Enterprise
`diagnostic_bundle`	Diagnostic control bundle for advanced inspection. Requires admin / enterprise permission.	Enterprise / admin

9. Tiers and billing

Billing is handled by Stripe. The MCP issues a checkout link on first denied request to a paid pack via the purchase_path field; a Stripe Customer Portal link is available for plan changes and invoice history.

Available checkout endpoints (used by the connecting client, not directly by the assistant):

POST /signup - email signup; sends verification.
POST /signup/verify - completes verification and issues a trial token.
POST /billing/checkout - returns a Stripe Checkout URL for a self-serve plan.
GET /billing/portal - returns a Stripe Customer Portal URL.
POST /contact-sales - records a sales-led enquiry (Government / Defence / Enterprise).

10. Usage limits

Each tier carries a monthly request limit enforced on the request path. When the limit is reached the MCP returns HTTP 429 with a structured response containing the current usage, the limit and a purchase path. Usage resets at the start of the next calendar month.

HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "status": "denied",
  "reason": "monthly_quota_exceeded",
  "answer": "The monthly request limit for this subscription has been reached (10000/10000). Usage resets at the start of the next calendar month. Upgrade the subscription tier for a higher limit.",
  "subscription_tier": "trial",
  "upgrade_required": true,
  "purchase_path": "self_serve"
}

11. Disconnect and delete

Disconnect from a client

Claude Desktop / claude.ai: Settings -> Connectors -> remove the AppGenie Compliance MCP entry. This revokes the OAuth refresh token on the client side.
ChatGPT: Settings -> Connectors -> remove the custom connector.
Direct HTTP clients: discard the access and refresh tokens; revoke at the authorization server if your client supports the revocation endpoint.

Cancel the subscription

Open the Stripe Customer Portal link from the billing endpoint or your latest receipt and cancel the subscription. Access continues until the end of the current billing period and then downgrades automatically to the baseline tier.

Delete the account

Email info@appgenie.com.au from the email associated with the account, with the subject "Compliance MCP account deletion". We confirm the request, cancel any active subscription, delete the customer record and associated usage telemetry, and confirm completion. Billing records retained by Stripe follow Stripe's retention policy.

12. Support

Email info@appgenie.com.au with the subject "Compliance MCP support" and include:

Your account email.
The client you are connecting from (Claude Desktop, ChatGPT, custom).
The behaviour observed and the behaviour expected.
If applicable, the x-appgenie-request-id response header value from a failing call.

Response targets: business hours, AEST. Critical service outages are tracked against the AppGenie incident process; status updates go to the support email.

13. Changelog

Material service changes are recorded here.

2026-06-01 - Documentation page published. OAuth 2.1 production cutover (WorkOS AuthKit at astounding-insight-87.authkit.app) and customer-facing internal-corpus disclosure removed.