lewing.helix.mcp 0.7.4

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher. 
{
  "servers": {
    "lewing.helix.mcp": {
      "type": "stdio",
      "command": "dnx",
      "args": ["lewing.helix.mcp@0.7.4", "--yes"]
    }
  }
}
This package contains an MCP Server. The server can be used in VS Code by copying the generated JSON to your VS Code workspace's .vscode/mcp.json settings file. 
dotnet tool install --global lewing.helix.mcp --version 0.7.4
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest
                    


                            if you are setting up this repo
                        

                    

                
dotnet tool install --local lewing.helix.mcp --version 0.7.4
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=lewing.helix.mcp&version=0.7.4
                    


                    

                
nuke :add-package lewing.helix.mcp --version 0.7.4

helix.mcp

An increasingly inaccurately named CLI and MCP server for AI agents investigating .NET CI/CD failures across Helix and Azure DevOps.

Built with Squadmeet the squad.

Why?

AI agents investigating CI failures in dotnet repos (runtime, sdk, aspnetcore, etc.) hit two problems:

  1. Raw APIs return too much data. A single Helix console log can be megabytes. The Azure DevOps build timeline returns hundreds of records. Dumping this into a context window wastes tokens and drowns the signal.
  2. Every agent starts from scratch. When multiple agents — or the same agent across tool calls — inspect the same build, each one repeats the same API calls and downloads.

hlx solves both:

  • Return less, return better. Tools like helix_search and azdo_search_log search in place and return only matching lines with context — agents never download a full log. helix_status returns structured failure summaries instead of raw JSON. Default tail limits (500 lines), filter parameters (failed by default), and maxMatches caps keep responses focused.
  • Cache everything, share across processes. A local SQLite cache sits between agents and the APIs. Different MCP server instances (one per IDE window/terminal) share the same cache, so the second agent to inspect a job gets instant results. Smart TTLs track job lifecycle — running jobs cache briefly (15–30s), completed jobs cache for hours.

Zero config — public dotnet CI works out of the box. Install and go.

Context-Efficient Design

Every tool is designed to minimize token consumption in agent context windows:

Technique How it helps
Tail limits helix_logs and azdo_log return the last N lines (default 500), not the full log
Pattern search helix_search and azdo_search_log search outside agent context and return matching lines with configurable context — no full ingestion
Failure-first defaults helix_status, azdo_timeline, azdo_test_results default to showing only failures
Structured JSON Failure summaries, test results, and timeline data come pre-parsed — no agent-side text extraction
Batch operations helix_batch_status checks up to 50 jobs in one call; helix_find_files scans N work items instead of N+1 API calls
Ranked search azdo_search_log can search all build logs, ranking by failure likelihood and stopping early when maxMatches is reached
Idempotent annotations Read-only tools marked safe for retry and caching — clients can optimize scheduling and error recovery

Investigation Path

  • When repo workflows vary, start with helix_ci_guide(repo) for the repo-specific path and search patterns.
  • Use helix_parse_uploaded_trx only when the work item uploads structured test results to Helix (runtime CoreCLR, XHarness device tests).
  • Otherwise use azdo_test_runsazdo_test_results for structured results, or helix_search when the signal is in console output.

Cross-Process Caching

 IDE / Agent processes          hlx stdio MCP servers
┌─────────────┐               ┌──────────────┐
│  VS Code    │──────────────▶│  hlx pid 1   │──┐
│  Copilot CLI│──────────────▶│  hlx pid 2   │──┤
│  Other agent│──────────────▶│  hlx pid 3   │──┤
└─────────────┘               └──────────────┘  │
                                                 ▼
                                          ┌─────────────┐    miss    ┌─────────────────┐
                                          │ Cache Layer  │──────────▶│ Helix / AzDO API│
                                          │  Cache hit?  │◀──────────│                 │
                                          └──────┬───────┘  response └─────────────────┘
                                            hit  │
                                                 ▼
                                     ┌───────────────────────┐
                                     │  SQLite + Disk shared  │
                                     │  ┌─────────┬────────┐ │
                                     │  │SQLite DB │Artifact│ │
                                     │  │WAL mode  │ files  │ │
                                     │  └─────────┴────────┘ │
                                     │                       │
                                     │  Auth isolation:       │
                                     │  cache-a1b2c3/         │
                                     │  cache-d4e5f6/         │
                                     │  public/               │
                                     └───────────────────────┘
  • SQLite WAL mode — multiple processes read/write the same DB safely with busy timeout
  • Smart TTLs — running jobs: 15–30s, completed jobs: 1–4h, console logs for running jobs: never cached. AzDO in-progress builds use dual-key freshness with incremental log fetching (delta-append)
  • Auth-isolated storage — each unique token gets its own cache directory (cache-{hash}/). Unauthenticated requests use public/. No cross-token leakage
  • LRU eviction — 1 GB cap (configurable via HLX_CACHE_MAX_SIZE_MB), artifact files expire after 7 days without access
Setting Default Env var
Max cache size 1 GB HLX_CACHE_MAX_SIZE_MB (set to 0 to disable)
Cache location (Windows) %LOCALAPPDATA%\hlx\
Cache location (Linux/macOS) $XDG_CACHE_HOME/hlx/ 
hlx cache status   # Show cache size, entry count, oldest/newest entries
hlx cache clear    # Wipe all cached data

MCP Tools

Helix Tools (9)

Tool Description
helix_status Job pass/fail summary with failure categorization. Filter: failed (default), passed, all.
helix_batch_status Status for up to 50 jobs at once with aggregate totals.
helix_logs Console log content (last N lines, default 500).
helix_search Search a console log or uploaded file for repo-specific failure patterns without downloading the full content.
helix_files List uploaded files for a work item, grouped by type.
helix_find_files Search across work items for files matching a glob (*.binlog, *.trx, *.dmp).
helix_work_item Detailed work item info (exit code, state, machine, duration, failure category).
helix_download Download files from a work item or direct blob URL. Supports glob patterns for work-item downloads.
helix_parse_uploaded_trx Parse TRX/xUnit XML files uploaded to Helix blob storage into test names, outcomes, and error messages.

AzDO Tools (11)

Tool Description
azdo_build Build details (status, result, branch, timing, URL). Accepts URLs or integer IDs.
azdo_builds List recent builds. Filter by branch, PR, definition, status.
azdo_timeline Build timeline (stages, jobs, tasks). Filter: failed (default) or all.
azdo_log Log content for a specific build step (last N lines, default 500).
azdo_search_log Search a specific build log or all ranked build logs for a pattern with context lines.
azdo_search_timeline Search timeline records by name or issue pattern.
azdo_changes Commits/changes associated with a build.
azdo_test_runs Test run summaries (total, passed, failed counts).
azdo_test_results Individual test results. Defaults to failed tests only (top 200).
azdo_artifacts Build artifacts with pattern filtering (e.g., *.binlog).
azdo_test_attachments Test result attachments (screenshots, logs, dumps).

MCP Resources

MCP resources are URI-addressable data that clients can discover and read without invoking a tool.

Resource URI Description
ci://profiles Overview of CI investigation patterns for all .NET repositories.
ci://profiles/{repo} CI investigation guide for a specific .NET repository (e.g., ci://profiles/runtime).

These provide the same CI investigation guides available via the helix_ci_guide tool, exposed as client-discoverable resources for browsing and caching.

Authentication

Helix

No auth needed for public Helix jobs (dotnet open-source CI). For private jobs:

hlx login          # Opens browser, prompts for token, stores via git credential
hlx auth-status    # Check current auth status
hlx logout         # Remove stored token

Token resolution: HELIX_ACCESS_TOKEN env var → stored credential via git credential → error with helpful message.

Azure DevOps

The AzDO tools work anonymously against public projects (for example dnceng-public/public). For private orgs (for example devdiv/DevDiv), authentication is required.

Credential chain (tried in order):

  1. AZDO_TOKEN environment variable — both PATs and Entra access tokens are auto-detected:
    • PATs (Personal Access Tokens): sent as Basic auth. Needs Build(read) + Test(read) scopes.
    • Entra/JWT tokens: sent as Bearer auth.
  2. Azure CLI credential (AzureCliCredential from Azure.Identity) — uses your az login session. Works for any org your Azure identity has access to.
  3. az CLI subprocess — falls back to az account get-access-token if Azure.Identity isn't available.
  4. Anonymous — no auth header. Works for public projects only.

When auth fails, the error tells you what was tried and how to fix it:

Can't access devdiv/DevDiv — authentication required (401).

Current auth: anonymous (no credentials found)

To resolve:
• Run 'az login' (if your Azure identity has access to this org)
• Set AZDO_TOKEN to a Personal Access Token with Build(read) + Test(read) scopes

Pass tokens via MCP config:

{
  "servers": {
    "hlx": {
      "type": "stdio",
      "command": "dotnet",
      "args": ["dnx", "--yes", "lewing.helix.mcp"],
      "env": {
        "HELIX_ACCESS_TOKEN": "your-helix-token",
        "AZDO_TOKEN": "your-azdo-pat-or-entra-token"
      }
    }
  }
}

The HTTP MCP server supports per-request auth via Authorization: Bearer <token> headers, with isolated cache per client. Set HLX_API_KEY to gate server access.

Installation

The dotnet-dnceng plugin bundles hlx alongside related MCP servers (Azure DevOps, Maestro, binlog) and CI analysis skills — one install, batteries included:

copilot extensions install lewing/agent-plugins/plugins/dotnet-dnceng

This gives your agent helix_* and azdo_* tools plus skills for CI failure analysis, codeflow tracing, and dependency flow debugging.

Run with dnx (no install needed)

dnx lewing.helix.mcp

dnx (new in .NET 10) auto-downloads and runs NuGet tool packages. MCP mode is the default when no subcommand is given.

Install as global tool

dotnet tool install -g lewing.helix.mcp

After installation, hlx is available as a command. See the CLI reference for standalone usage.

Build from source

git clone https://github.com/lewing/helix.mcp.git
cd helix.mcp
dotnet build   # Requires .NET 10 SDK

The Microsoft.DotNet.Helix.Client package comes from the dotnet-eng feed. The included nuget.config references it.

MCP Configuration

Add to your MCP client config:

{
  "servers": {
    "hlx": {
      "type": "stdio",
      "command": "dotnet",
      "args": ["dnx", "--yes", "lewing.helix.mcp"]
    }
  }
}

If installed as a global tool, use "command": "hlx" with "args": [] instead.

Client Config file Top-level key
VS Code / GitHub Copilot .vscode/mcp.json servers
Claude Desktop (macOS) ~/Library/Application Support/Claude/claude_desktop_config.json mcpServers
Claude Desktop (Windows) %APPDATA%\Claude\claude_desktop_config.json mcpServers
Claude Code / Cursor .cursor/mcp.json mcpServers

VS Code uses servers. Claude Desktop, Claude Code, and Cursor use mcpServers — the rest is identical.

For HTTP (remote/shared servers):

{
  "servers": {
    "hlx": {
      "type": "http",
      "url": "http://localhost:3001"
    }
  }
}

Security

  • Safe XML parsing — DTD processing prohibited, XmlResolver disabled, 50 MB character limit (XXE/billion-laughs protection)
  • Path traversal protection — all cache/download paths sanitized and validated against designated roots
  • URL scheme validation — only HTTP/HTTPS accepted for downloads
  • File search toggle — set HLX_DISABLE_FILE_SEARCH=true to disable content search tools
  • Credential storage — tokens managed by OS keychain via git credential, never stored in plaintext
  • Cache sensitivity — cached CI logs may contain secrets; treat the cache directory as sensitive. Tokens are never cached — only an irreversible 8-char hash is used for directory isolation

Known Issues

  • File listing uses ListFiles endpoint — avoids a known bug in the Details endpoint where file URIs are broken for subdirectories and unicode filenames (dotnet/dnceng#6072).

Requirements

  • .NET 10 SDK

License

MIT

NuGet

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last Updated
0.7.4 215 5/25/2026
0.7.3 189 5/22/2026
0.7.2 214 5/21/2026
0.7.1 58 5/21/2026
0.7.0 58 5/21/2026
0.6.0 733 5/8/2026
0.5.4 446 3/29/2026
0.5.3 106 3/29/2026
0.5.2 185 3/19/2026
0.5.1 105 3/19/2026
0.5.0 136 3/16/2026
0.4.1 119 3/15/2026
0.4.0 111 3/14/2026
0.3.5 111 3/12/2026
0.3.4 113 3/12/2026
0.3.3 106 3/12/2026
0.3.2 117 3/10/2026
0.3.1 107 3/10/2026
0.3.0 113 3/9/2026
0.2.1 118 3/3/2026
Loading failed