Every MCP tool call runs as you, scoped to the team you selected at sign-in. Marking a control complete or creating a task writes to your live Keldyn workspace, so review the agent’s proposed changes before you approve them.
Before you start
Connect the MCP server
Follow Keldyn MCP server to connect Claude Code, Cursor, or another MCP client, and sign in to the team that owns the use case you want to work on.
Open your repository
Run the agent from the repository you want to assess so it can read your code while it talks to Keldyn.
The loop at a glance
| Phase | What happens | Key MCP tools |
|---|---|---|
| 1. Read the controls | Pull the controls (the “constitution”) for the use case and their requirements | list-controls, get-control |
| 2. Analyze the code | Search the repo (or just your current changes) for implementation evidence | review-codebase, review-changes, collect-evidence (prompts) |
| 3. Mark what’s done | Set satisfied controls to Implemented with evidence text | update-control |
| 4. Open the gaps | Create remediation tasks linked to the partial/failing controls | create-task |
| 5. Address the tasks | Make code changes, then verify and close out | update-task, update-control |
1. Read the controls (get the “constitution”)
Start by pulling the controls that apply to the use case and reading their requirements — description, implementation guidance, acceptance criteria, and developer prompts.list-controls (scoped with useCaseId) to enumerate controls and their current status, then get-control per rcmId for the full requirement text.
2. Analyze the codebase for evidence
Now point the agent at your repository and ask it which controls the code already satisfies. The MCP server ships built-in prompts for exactly this:review-codebase— reviews the whole repo (or a scoped path/package) against your controls. Use it for an initial, full assessment of a use case.review-changes— reviews only your current changes (your working diff / a branch) against the controls, instead of the entire codebase. Use it during day-to-day development and in code review to catch control impacts before you merge.collect-evidence— scans for positive evidence that code-related controls are satisfied, then asks you to confirm before saving.
- Addressed — code fully satisfies the control’s technical acceptance criteria.
- Partially addressed — code contributes but gaps remain (or it needs infra/policy evidence).
- Not addressed — no supporting code, or the control is out of scope for the codebase.
3. Mark satisfied controls as Implemented
For each control in the Addressed bucket, have the agent write concrete, file-referenced evidence and flip the status to complete withupdate-control.
update-control tool accepts:
| Field | Purpose |
|---|---|
rcmId | The control to update (e.g. IAM6, A.5.15). |
useCaseId | Scope the update to this use case’s tracking. |
status | todo (Pending Review), in_progress, complete (Implemented), or ignored (Not Applicable). |
evidenceText | Implementation notes / evidence (reference the files and line ranges). |
assignedTo / finding | Optionally set the control owner or a finding. |
4. Open tasks for the gaps
For each partially addressed control, have the agent create a remediation task and link it to the control withrcmId so it shows up against that control in Keldyn.
create-task links to the control at creation when you pass rcmId:
| Field | Purpose |
|---|---|
name | Short, action-oriented task title (required). |
description | Current state, the gap, and the remediation steps (reference files). |
priority | URGENT, HIGH, MEDIUM (default), or LOW. |
rcmId | The control this task remediates — set it so the task is linked. |
assignedUserId / deadline / timeEstimate | Optional ownership and scheduling. |
Write the gap and remediation into the task description while the analysis is fresh. A task that says “login enforces TOTP at the API, but the web credentials flow never sends the code — add a TOTP step to the login page” is actionable months later; “fix MFA” is not.
5. Address the tasks in code
Switch the agent into an implementation mode and work the tasks. A tight loop:Pick a task
Use
list-tasks (filter by priority or state) and get-task to pull the full description and its linked control.Implement the change
Make the code change described in the task. Keep it scoped to what the control needs, and add or update tests.
Verify
Re-run the analysis (or
collect-evidence) and your tests to confirm the change actually satisfies the control’s acceptance criteria.Putting it together
A single end-to-end prompt can kick off the whole loop; the agent will pause for your approval before it writes anything back to Keldyn:Next steps
Keldyn MCP server
Connect your AI tool and see the full catalog of tools and built-in prompts.
Frameworks & controls
Understand how controls, statuses, and coverage work across the org and each use case.
Evidence & audits
Attach evidence to controls and manage audits and certifications.
Working with a use case
Generate an architecture and track control progress inside the workspace.