MCP Integrations

MCP integrations connect Neo to external services that expose a Model Context Protocol server. Once connected, Neo can use those services as tools during a task, with credentials managed centrally in Pulumi Cloud.

MCP integrations are configured at the organization level by an administrator. Once enabled, they are available to all Neo tasks in the organization.

What you can do with MCP integrations

MCP integrations give Neo direct access to the systems your team uses to define, observe, and operate infrastructure: issue trackers, observability platforms, runbook wikis, and on-call tooling. Neo can pick up a ticket from Linear or Jira and write the matching infrastructure changes; during an investigation it can query real traces and metrics rather than reasoning from documentation; and runbooks, incident records, and on-call schedules are first-class inputs rather than things someone has to paste in.

Supported integrations are Atlassian (Jira and Confluence), Datadog, Honeycomb, Linear, PagerDuty, and Supabase. Each one becomes a set of tools Neo can call during a task, with credentials managed centrally in Pulumi Cloud.

Enabling an MCP integration

To enable an integration, navigate to Neo Settings, select Integrations, select the integration, and provide the required credentials.

Each MCP integration connects Neo to the service’s MCP server, which means Neo can use the full set of tools that service exposes through MCP.

Credential storage

Integration credentials are encrypted at rest in Pulumi Cloud using a per-organization encryption key. When a task needs to connect to an integration, Pulumi Cloud decrypts the credentials at task time, constructs the appropriate authentication headers, and connects to the service on Neo’s behalf. Credentials are never exposed to the language model and are never embedded in task state.

Disabling an integration

To remove an integration from your organization, navigate to Neo Settings, select Integrations, find the integration, and select Remove.

Disabling an integration deletes its stored credentials and immediately prevents any new tasks from using it. Tasks that are already running will lose access to the integration the next time Neo tries to use it.

Per-task control

By default, every task inherits all integrations the organization has enabled. If you want to narrow Neo’s focus for a specific task (for example, running a deployment review without giving Neo access to your issue tracker), you can toggle individual integrations off from the task composer before starting the conversation. The toggles only affect the current task; the org-level configuration is unchanged.

If an integration fails

Integrations are resolved independently at the start of each message. If credentials for one integration can’t be retrieved, or its MCP server is unreachable, Neo logs a warning, skips that integration, and continues the task with the remaining ones. A single broken integration won’t stop a task from running.

If Neo tries to use an integration that isn’t available (for example, because the credentials were removed or expired), it will surface the failure in the conversation and continue with its other tools.

Configuration

Atlassian (Jira and Confluence)

1. In admin.atlassian.com, open Rovo MCP
   • Enable API token authentication
   • Add https://*.pulumi.com/** as an allowed domain
2. Open Directory, then Service Accounts
3. Create a service account and give it user access to each product you want Neo to access
4. Create a credential for the service account with type API and assign the necessary roles
5. In Neo, enter the Service Account API Token and your Site URL (e.g., https://yoursite.atlassian.net)

Datadog

1. In Organization Settings, open Service Accounts and create a service account with read-only access
2. On the service account’s details page, create an App Key and make sure to include the MCP read scope
3. In Organization Settings, open API Keys and create an API Key
4. Identify your Datadog site, the domain you use to access Datadog (for example, datadoghq.com is us1, datadoghq.eu is eu1). Supported codes: us1, us3, us5, eu1, ap1, ap2.
5. In Neo, enter the Datadog site code, API Key, and App Key

Honeycomb

1. In Honeycomb, navigate to Account, then Team Settings, then API Keys
2. Select Create Management API Key and give it a name (e.g., “MCP Integration”)
3. Choose the Model Context Protocol and Environments scopes, then grant permissions:
   • Read: Required for all Honeycomb MCP operations. Make sure to grant read for both MCP and Environments.
   • Write: Required for the create_board tool.
4. Copy the Key ID and Key Secret. You will not be able to see them again.
5. In Neo, enter the Key ID and Key Secret in the corresponding fields

Linear

1. In Linear, open Settings, then Security & Access
2. Select New API Key, give it a name, and choose the permissions Neo needs:
   • Read: required for all integrations Neo performs through Linear
   • Create issues and Create comments: required if you want Neo to file or comment on issues
   • Write or Admin: required if you want Neo to update or delete existing issues
3. Optionally limit the key to specific teams using the team-access controls
4. In Neo, enter the API Key

PagerDuty

1. In PagerDuty, open your user profile and select User Settings
2. Select Create API User Token and give it a name (e.g., “Neo Integration”). The token inherits the user’s existing PagerDuty permissions, so its access matches whatever the user can already see in the PagerDuty UI.
3. Check Read-only API Key if you don’t want Neo to be able to create or modify incidents, schedules, or escalation policies
4. Copy the token
5. In Neo, enter the User API Token

Supabase

1. On supabase.com, open Account Preferences, then Access Tokens
2. Select Generate New Token, give it a name, and copy the token
3. In Neo, enter the Access Token