MCP Access

Connect your IDE's AI agent (Claude Code, Claude Desktop, Cursor, Windsurf) to infracodebase. Your agent gets your org's coding guidelines, the rulesets that govern your repos, and CI compliance findings, so it can reason about infrastructure code with the same governance context the web app applies. With a read-and-write token it can also create workspaces, link them to GitHub repos, and update attached resources.

Quick start

1. Create a token. Go to Settings → Access Tokens and click Create token. The post-creation modal shows the token plus pre-filled snippets for each client.

2. Install in your IDE. Snippets below use a placeholder token. The create-token modal pre-fills your real one.

```bash
claude mcp add --scope user --transport http infracodebase https://app.example.com/api/mcp \
  --header "Authorization: Bearer icb_pat_..."
```

--scope user registers infracodebase for every project. Without it, the server shows as disconnected when you cd into a different repo. Run /mcp in any session to confirm.

3. Try it. cd into a repo linked to an infracodebase workspace and ask:

"What governs this repo?"

The agent calls get_workspace_context and gets the workspace's guidelines, rulesets, and latest compliance state in one round-trip.

Make your agent actually use it

Connecting MCP is necessary but not sufficient. The agent has to choose to call the tools.

The MCP server returns initialization instructions. Claude Code injects them into its system prompt every turn, so no extra setup is needed there. Other clients either don't consume the field or do it inconsistently; the durable channel is a project-level rules file. Commit one so the agent has the context every turn:

Cursor's rules format moved to .cursor/rules/*.mdc files in 2026. The legacy .cursorrules is deprecated.

```markdown
---
description: infracodebase governance for IaC
alwaysApply: true
---

This repo is governed by infracodebase. The `infracodebase` MCP server exposes the org's coding guidelines, rulesets, and CI compliance state.

Before writing or modifying any infrastructure-as-code (Terraform, Pulumi, CloudFormation, Bicep, Kubernetes, Ansible), including bootstrapping a new IaC project in an empty repo:
- Call `get_workspace_context` first. Pass the git remote URL.
- If `status: "unlinked"`, STOP and ask: "Want me to create a new workspace for this repo, or link to an existing one?" Wait for the user's explicit answer. Then call `create_workspace` or `list_workspaces` + `link_workspace_to_repo` based on their choice. Before calling `create_workspace`, present the proposed config (name, resources, GitHub connection) and wait for explicit approval. Do not write IaC until the workspace is set up.
- For every ruleset returned, call `get_ruleset_details` and follow the rules as hard constraints. Rulesets with `rule_summary.ci_blocking > 0` will fail CI on violation.
- Cite the ruleset and rule when a rule drives a decision.
- Surface compliance findings via `list_compliance_findings` before suggesting a push.
```

Tools available

A read-only token can call any tool in the first group. A read and write token can also call the second group. Pick the scope when you create the token.

Read-only

| Tool | Purpose |
| --- | --- |
| get_workspace_context | Front door. Resolves repo → workspace, returns coding guidelines, ruleset metadata, and latest compliance state. |
| get_ruleset_details | Full rule contents for one ruleset. |
| get_compliance_evaluation | A specific compliance evaluation (latest by default, or by id / commit SHA). |
| list_compliance_findings | Per-rule findings (optionally filtered by status). |
| get_compliance_eval_spec | The CI evaluator's framing, so local advisory reasoning can mirror it. |
| list_enterprises | Your enterprises with role and workspace count. |
| list_workspaces | Workspaces you can access (optionally filtered to one enterprise). |
| list_enterprise_resources | Rulesets, MCP servers, and workflows available to attach to a workspace. |
| list_github_installations | GitHub orgs your enterprise is connected to. |
| list_github_repos | Repos visible through a GitHub connection. |

Read and write

| Tool | Purpose |
| --- | --- |
| create_workspace | Create a workspace, attach resources, optionally link it to a GitHub repo in one call. |
| link_workspace_to_repo | Connect an existing workspace to a GitHub repo. |
| update_workspace_resources | Add or remove rulesets, MCP servers, and workflows on a workspace. |

infracodebase never sees your local files.

Manage and revoke tokens

Settings → Access Tokens. Click the trash icon to revoke; it takes effect immediately. Tokens default to 90 days; presets go up to 1 year, or "never".
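
Because the token is a bearer credential pasted into client configuration, it is worth checking that it never lands in a commit or in a file other users can read. The script below is an added example, not part of infracodebase or its documentation; the function names and the token-body pattern (16 or more letters, digits, `_` or `-` after the documented `icb_pat_` prefix) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not infracodebase tooling.
# Assumption: a real token is the documented icb_pat_ prefix followed by 16+
# letters, digits, "_" or "-". The docs placeholder "icb_pat_..." does not match.
ICB_TOKEN_RE='icb_pat_[A-Za-z0-9_-]{16,}'

# Report "file:line" (never the token itself) for every token found under the
# given paths. Returns 1 when anything is found, so it can fail a pre-commit hook.
scan_for_icb_tokens() {
  local hits
  hits=$(grep -rnHIE --exclude-dir=.git -e "$ICB_TOKEN_RE" -- "$@" 2>/dev/null \
           | cut -d: -f1,2 || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# List token-bearing files that group or other users can read (a config file
# holding a live token should be owner-only). Returns 1 when any are found.
loose_token_files() {
  local hits
  hits=$(find "$@" -type f \( -perm -040 -o -perm -004 \) \
           -exec grep -lIE -e "$ICB_TOKEN_RE" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}
```

Call `scan_for_icb_tokens .` from a pre-commit hook and `loose_token_files` on the directory holding your client's MCP config. If a token has already been committed, revoke it under Settings → Access Tokens and create a new one.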

Troubleshooting

  • 401 Unauthorized: token is missing, malformed, revoked, or expired. Check the Authorization header value starts with Bearer icb_pat_.
  • 429 Too Many Requests: exceeded the per-token rate limit (120 req/min). Back off and retry.
  • MCP shows as disconnected when you cd to a different repo: registered at project (local) scope. Re-add with --scope user (Claude Code) or use the global config path (Cursor / Windsurf / Claude Desktop).
  • get_workspace_context returns status: "unlinked": the repo isn't configured as a workspace in infracodebase. Set it up in the web app.
  • get_workspace_context returns status: "no_access": a workspace exists but your token's user can't see it. Ask an admin for membership.