Appearance

Alerts

Reference for the 8 CryptoComply MCP tools in the Alerts family.

Tools in this group

alert_assign

Read-only: no.

Assign an alert to an organization member (or self-assign by omitting assigned_to_user_id). Fires the alert.assigned_to_me notification to the assignee when not self-assigning.

Two-step write tool. First call without confirm_token returns a dry-run preview + a 60-second token. Second call with the same arguments + confirm_token applies the change. On success: {status: "ok", alert_id, assigned_to_user_id, assigned_to_email}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • assigned_to_user_id (int | None, optional) — User id to assign the alert to. Obtain from member_list. Omit to self-assign to the authenticated caller.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_bulk_assign

Read-only: no.

Assign multiple alerts to the same user in one call. Common triage move when a senior analyst grabs the morning queue. Pass assigned_to_user_id to assign to someone specific, or omit it to self-assign.

Two-step write tool. Each id is processed individually; per-row failures do not abort the batch.

On success: {status: "ok", succeeded: [...], failed: [{alert_id, error}]}.

Parameters

  • organization_id (int, required) — Organization the alerts belong to.
  • alert_ids (list, required) — Alert ids to assign.
  • assigned_to_user_id (int | None, optional) — User id (from member_list). Omit to self-assign to the caller.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_bulk_resolve

Read-only: no.

Resolve multiple alerts in a single call (close or escalate). Useful for end-of-day triage where the analyst has decided a batch of watchlist or blockchain-address alerts can all be closed as false positives, or all escalated for additional review.

Two-step write tool. The dry-run reports the count + sample of the affected alerts. On commit, each id is processed individually through AlertService.update — a per-row failure does not abort the batch.

On success: {status: "ok", succeeded: [...], failed: [{alert_id, error}]}.

Parameters

  • organization_id (int, required) — Organization the alerts belong to.
  • alert_ids (list, required) — Alert ids to resolve.
  • new_status (Literal, required) — Target status: closed or escalated.
  • notes (str | None, optional) — Resolution notes appended to every alert in the batch.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_evidence_retrieve

Read-only: yes.

Get the underlying evidence that triggered an alert. The payload shape depends on alert type:

  • watchlist: list of ProfileInquiry hits (inquired_name, result_name, record_type, resolution, created_at).
  • blockchain_address: previous and current BlockchainAddressInquiry (risk, total_exposure_usd, http_code, created_at).
  • negative_news: only news_found_count is available — per-article evidence is not stored.

Use after alert_retrieve when the analyst wants to drill into the specific hits / risk diff that caused the alert.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id.

alert_list

Read-only: yes.

List alerts for an organization across all subtypes (watchlist hits, blockchain-address risk changes, negative-news). Use when the user asks about alerts, items needing review, or what's on their plate today. Combine status=open with assigned_to_me=true to triage your queue.

Returns {count, limit, offset, has_more, results: [AlertSummary]} where each row is {id, type, name, status, assigned_to_user_id, profile_id, blockchain_address_id, created_at, updated_at} — exactly one of profile_id / blockchain_address_id is populated per the alert's type.

Parameters

  • organization_id (int, required) — Organization to list alerts for.
  • status (Optional, optional) — Filter by alert status: open, closed, escalated, or under_review.
  • alert_type (Optional, optional) — Filter by alert subtype.
  • profile_id (int | None, optional) — Filter by associated profile id.
  • assigned_to_user_id (int | None, optional) — Filter by the user the alert is assigned to.
  • assigned_to_me (bool | None, optional) — True = restrict to alerts assigned to the caller.
  • unassigned (bool | None, optional) — True = only alerts with no assignee (assigned_to IS NULL). False = only alerts with an assignee. Omit for both. Standard triage filter.
  • opened_more_than_days_ago (int | None, optional) — Restrict to alerts created strictly more than N days ago. Used for SLA hygiene queries like 'show me alerts open more than 7 days'.
  • name_contains (str | None, optional) — Case-insensitive substring match on the alert name.
  • updated_after (datetime.datetime | None, optional) — Only include alerts modified at or after this UTC timestamp.
  • created_after (datetime.datetime | None, optional) — Only include alerts created at or after this UTC timestamp.
  • created_before (datetime.datetime | None, optional) — Only include alerts created before this UTC timestamp.
  • sort_by (Literal, optional) — Sort order. Prefix with '-' for descending (e.g. '-created_at' for newest first).
  • limit (int, optional) — Max results (1-100).
  • offset (int, optional) — Results to skip for pagination.

alert_resolve

Read-only: no.

Resolve an alert by transitioning it to closed or escalated.

Two-step write tool. First call without confirm_token returns a dry-run preview + a 60-second token. Second call with the same arguments + confirm_token applies the change. The dry-run response includes _meta.ui.resourceUri = "ui://diff_confirm" for clients that render the MCP Apps iframe; clients without App support read preview as plain text and ask the user verbally.

Closed alerts stamp closed_by / closed_date / reviewed_by. Escalated alerts fire the alert.escalated notification event to org members.

On success: {status: "ok", alert_id, new_status}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).
  • new_status (Literal, required) — Target status: closed or escalated.
  • notes (str | None, optional) — Optional resolution notes appended to the alert.
  • confirm_token (str | None, optional) — Token from a prior dry-run call. Omit on the first call.

alert_retrieve

Read-only: yes.

Get full details of one alert including subtype-specific evidence.

Returns an AlertDetail whose payload is a discriminated union: WatchlistPayload (profile match + hit counts by resolution), BlockchainAddressPayload (prev→current risk with inquiry refs), or NegativeNewsPayload (profile + news_found_count). The top-level type field tells you which payload variant to expect.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id (from alert_list.results[].id).

alert_update_notes

Read-only: no.

Update an alert's free-text notes without changing its status. Use to attach rationale or context before resolving — separate from alert_resolve so notes-only edits don't require the dry-run / confirm dance.

On success: {status: "ok", alert_id}.

Parameters

  • organization_id (int, required) — Organization the alert belongs to.
  • alert_id (int, required) — Alert id.
  • notes (str, required) — New notes body. Pass an empty string to clear.