qtest-mcp
Enables AI tools to safely query and manage qTest test management data through an MCP server with a token portal and guardrails against destructive operations.
README
qTest MCP Server + Token Portal
Production-ready starter scaffold for a qTest MCP server deployable on OpenShift.
See OPERATIONS_AND_ACCESS_CONTROL.md for environment-specific run/deploy instructions and no-DB access control design.
Access control is scope-based and enforced per MCP tool call. tools/list is filtered by token scopes.
Optional service-token minting endpoint: POST /api/auth/generate-service-token (requires X-Admin-Token matching MCP_ADMIN_TOKEN).
What this project provides
- A web portal where a user enters qTest username/password once.
- The backend exchanges those credentials for a qTest bearer token.
- The portal returns a personal MCP access token for AI tools.
- AI clients connect to this MCP server using the personal token.
- The MCP server exposes safe qTest tools only.
- Guardrails block destructive operations such as deleting projects, users, releases, test cases, test runs, requirements, modules, attachments, and cycles.
High-level architecture
User Browser
|
| HTTPS
v
Token Portal / FastAPI
|
| qTest username/password used once
v
qTest Auth API
|
| qTest bearer token
v
Encrypted token store
|
| personal MCP token
v
AI Chatbot / MCP Client
|
| Authorization: Bearer <personal_mcp_token>
v
qTest MCP Server
|
| Guardrailed qTest API calls
v
qTest Manager
Safe MCP tools included
- qtest_list_projects
- qtest_get_project
- qtest_search_test_cases
- qtest_get_test_case
- qtest_create_test_case
- qtest_update_test_case
- qtest_search_requirements
- qtest_update_requirement
- qtest_list_requirement_test_cases
- qtest_get_test_run
- qtest_list_test_runs
- qtest_get_defect
- qtest_list_defects_changed_since
- qtest_create_defect
- qtest_create_defect_from_test_run
- qtest_add_comment
Explicitly blocked
- delete_project
- delete_user
- delete_test_case
- delete_requirement
- delete_test_run
- delete_release
- delete_cycle
- delete_module
- delete_attachment
- bulk_delete
- user/admin/permission modification
Local development
cp .env.example .env
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
uvicorn app.main:app --reload
Portal:
http://localhost:8000/
MCP endpoint:
http://localhost:8000/mcp
Health:
http://localhost:8000/healthz
http://localhost:8000/readyz
MCP smoke test
Run a quick protocol check against the local MCP endpoint:
python scripts/mcp_smoke_test.py --base-url http://127.0.0.1:8000
Run authenticated checks using an existing personal MCP token:
python scripts/mcp_smoke_test.py --base-url http://127.0.0.1:8000 --token <personal_mcp_token>
Mint a personal token and run authenticated checks in one command:
python scripts/mcp_smoke_test.py --base-url http://127.0.0.1:8000 --username <qtest_username> --password <qtest_password>
Optionally test one tool call:
python scripts/mcp_smoke_test.py --base-url http://127.0.0.1:8000 --token <personal_mcp_token> --tool-name qtest_get_project --tool-args '{"project_id": 123}'
Generate a one-shot capability report (safe probes only):
python scripts/mcp_capability_report.py --base-url http://127.0.0.1:8000 --token <personal_mcp_token> --project-id <project_id>
Capability report with token minting and optional IDs:
python scripts/mcp_capability_report.py --base-url http://127.0.0.1:8000 --username <qtest_username> --password <qtest_password> --project-id <project_id> --test-run-id <test_run_id> --requirement-id <requirement_id> --defect-id <defect_id> --parent-id <cycle_or_suite_id>
Run mutation probes (create/update/comment) as well:
python scripts/mcp_capability_report.py --base-url http://127.0.0.1:8000 --token <personal_mcp_token> --project-id <project_id> --include-mutations
OpenShift deployment
oc new-project qtest-mcp
oc apply -f openshift/secret.yaml
oc apply -f openshift/configmap.yaml
oc apply -f openshift/deployment.yaml
oc apply -f openshift/service.yaml
oc apply -f openshift/route.yaml
Production hardening checklist
- Use OpenShift TLS route.
- Store encryption key in OpenShift Secret or external vault.
- Replace SQLite with PostgreSQL.
- Enable network policy to qTest domain only.
- Enable structured logs and audit logs.
- Rotate personal MCP tokens.
- Add SSO/OIDC in front of the portal if available.
- Use short-lived qTest tokens if your qTest tenant supports it.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.