# Nexus MCP Test Cases

## 🟢 Identity Shard — Active Directory

Test the core lookup tools first since those are the ones we just fixed.

### User lookups

* Look up the AD user "jsmith"
* Find the Active Directory account for email "john.smith@wheels.com"
* Search for AD users matching "martinez"

### Group tools

* List all Active Directory groups
* Get the members of the AD group "CN=IT-Admins,OU=Groups,DC=wheels,DC=com"

### Account hygiene (the ones we just fixed)

* Show me all disabled accounts in Active Directory
* Find AD accounts that haven't logged in for 90 days
* Show stale accounts inactive for more than 60 days

***

## 🟢 Identity Shard — Microsoft Entra ID

* List users in Entra ID
* Get the Entra ID user for "john.smith@wheels.com"
* List all Entra ID groups
* Show me all Entra ID service principals
* Get the Conditional Access policies from Entra ID
* Show recent sign-in logs from Entra ID
* List users flagged as risky in Entra ID Identity Protection

***

## 🟡 Workday Shard

* List workers in Workday
* Get the Workday worker record for employee ID "EMP001"
* Find the Workday worker with email "john.smith@wheels.com"
* List all supervisory organizations in Workday
* Show open positions in Workday

***

## 🟡 Audit Shard (the most interesting ones)

These are your cross-system drift tools — great for confirming the full pipeline works end-to-end.

* Scan for terminated workers who still have active AD accounts
* Run a job title drift scan between Workday and Active Directory
* Check for department mismatches between Workday and AD
* Scan for name variance mismatches between Workday and AD
* Show me the last 20 Nexus audit log entries
* Give me Nexus audit statistics

***

## 🔴 Stub Shards (these should return empty or stub responses, not errors)

These confirm your feature flag / holding pattern works correctly — the server should accept the call and return gracefully.

* List incidents from BMC Helix
* Track FedEx shipment "449044304137821"
* List assets from Lansweeper
* Show me Intune managed devices

***

## 🧪 Suggested Test Order (most value, least noise)

Run them in this order for a clean "smoke test" progression:

| # | Command | What it validates |
| - | ----------------------------------------------------- | ---------------------------------------------- |
| 1 | `Show me all disabled accounts in Active Directory` | Fixed `query_users` path ✅ |
| 2 | `Find stale AD accounts inactive for 90 days` | Fixed `find_stale_users` rename ✅ |
| 3 | `Search for AD users matching "smith"` | Fixed `search_users_by_name` rename ✅ |
| 4 | `Find the AD user with email "john.smith@wheels.com"` | Fixed `ad_get_user_by_email` path ✅ |
| 5 | `List all Active Directory groups` | Confirms mock path + WIS-018 holding pattern ✅ |
| 6 | `Scan for terminated workers still active in AD` | Confirms cross-shard audit works ✅ |
| 7 | `Show me the last 20 Nexus audit log entries` | Confirms SOC 2 logging is active ✅ |
| 8 | `List incidents from BMC Helix` | Confirms stub shards fail gracefully ✅ |

***

## One thing to watch for

If any tool returns an **empty list `[]` that you didn't expect**, check:

* Is `USE_MOCK=true` confirmed in the MCP server output?
* Does the mock data in `mock_data.py` have entries for that tool?

If a tool **errors** instead of returning empty, that's a real bug worth capturing — paste the error here and we'll triage it.