MCP
Connect your IDE's AI agent (Claude Code, Claude Desktop, Cursor, Windsurf) to infracodebase. Your agent gets your org's coding guidelines, the rulesets that govern your repos, and CI compliance findings, so it can reason about infrastructure code with the same governance context the web app applies. With a read-and-write token it can also create workspaces, link them to GitHub repos, and update attached resources.
Quick start
1. Get a token. See Access Tokens for how to create one. Personal access tokens are the right default for IDE use; enterprise tokens work too for shared automation.
2. Install in your IDE. Snippets below use a placeholder token. The post-creation modal in the web app pre-fills your real one.
claude mcp add --scope user --transport http infracodebase https://app.example.com/api/mcp \
--header "Authorization: Bearer icb_pat_..."
--scope user registers infracodebase for every project. Without it, the server shows as disconnected when you cd into a different repo. Run /mcp in any session to confirm.
3. Try it. cd into a repo linked to an infracodebase workspace and ask:
"What governs this repo?"
The agent calls get_workspace_context and gets the workspace's guidelines, rulesets, and latest compliance state in one round-trip.
Make your agent actually use it
Connecting MCP is necessary but not sufficient. The agent has to choose to call the tools.
The MCP server returns initialization instructions. Claude Code injects them into its system prompt every turn, so no extra setup is needed there. Other clients either don't consume the field or do it inconsistently; the durable channel is a project-level rules file. Commit one so the agent has the context every turn:
Cursor's rules format moved to .cursor/rules/*.mdc files in 2026. The legacy .cursorrules is deprecated.
---
description: infracodebase governance for IaC
alwaysApply: true
---
This repo is governed by infracodebase. The `infracodebase` MCP server exposes the org's coding guidelines, rulesets, and CI compliance state.
Before writing or modifying any infrastructure-as-code (Terraform, Pulumi, CloudFormation, Bicep, Kubernetes, Ansible), including bootstrapping a new IaC project in an empty repo:
- Call `get_workspace_context` first. Pass the git remote URL.
- If `status: "unlinked"`, STOP and ask: "Want me to create a new workspace for this repo, or link to an existing one?" Wait for the user's explicit answer. Then call `create_workspace` or `list_workspaces` + `link_workspace_to_repo` based on their choice. Before calling `create_workspace`, present the proposed config (name, resources, GitHub connection) and wait for explicit approval. Do not write IaC until the workspace is set up.
- For every ruleset returned, call `get_ruleset_details` and follow the rules as hard constraints. Rulesets with `rule_summary.ci_blocking > 0` will fail CI on violation.
- Cite the ruleset and rule when a rule drives a decision.
- Surface compliance findings via `list_compliance_findings` before suggesting a push.
Tools available
A read-only token can call any tool in the first group. A read and write token can also call the second group. Personal tokens pick a coarse read vs. execute scope; enterprise tokens stamp the underlying permissions directly. See Access Tokens for the full permission model.
Read-only
| Tool | Purpose |
|---|---|
get_workspace_context | Front door. Resolves repo → workspace, returns coding guidelines, ruleset metadata, and latest compliance state. |
get_ruleset_details | Full rule contents for one ruleset. |
get_compliance_evaluation | A specific compliance evaluation (latest by default, or by id / commit SHA). |
list_compliance_findings | Per-rule findings (optionally filtered by status). |
get_compliance_eval_spec | The CI evaluator's framing, so local advisory reasoning can mirror it. |
list_enterprises | Your enterprises with role and workspace count. |
list_workspaces | Workspaces you can access (optionally filtered to one enterprise). |
list_enterprise_resources | Rulesets, MCP servers, and workflows available to attach to a workspace. |
list_github_installations | GitHub orgs your enterprise is connected to. |
list_github_repos | Repos visible through a GitHub connection. |
Read and write
| Tool | Purpose |
|---|---|
create_workspace | Create a workspace, attach resources, optionally link it to a GitHub repo in one call. |
link_workspace_to_repo | Connect an existing workspace to a GitHub repo. |
update_workspace_resources | Add or remove rulesets, MCP servers, and workflows on a workspace. |
infracodebase never sees your local files.
Managing tokens
To rotate, revoke, or audit tokens, see Access Tokens. Revocation is immediate.
Troubleshooting
- MCP shows as disconnected when you
cdto a different repo: registered at project (local) scope. Re-add with--scope user(Claude Code) or use the global config path (Cursor / Windsurf / Claude Desktop). get_workspace_contextreturnsstatus: "unlinked": the repo isn't configured as a workspace in infracodebase. Set it up in the web app.get_workspace_contextreturnsstatus: "no_access": a workspace exists but your token's user (or the enterprise token's workspace scope) can't see it. Ask an admin for access.401,403, or429from the MCP endpoint: token-side issues. See Troubleshooting in Access Tokens.