Casper exposes typed MCP tools that return structured JSON against the in-memory graph built from your Terraform repo at startup. Casper never writes Terraform or AWS resources; render_graph is the one tool that touches disk, and only to write a local HTML graph. The graph hot-reloads on every .tf / .tfstate change via fsnotify, so the answers your agent gets are always up to date with the current files on disk.
Installing the npm package auto-detects every MCP client on your machine - Claude Code, Claude Desktop, Cursor, and Codex - and wires each one up at user scope. Quick walks through the install + restart flow. Manual gives you the raw config snippet for each client if you’d rather wire it up by hand.
init command. Install auto-wires every MCP client it detects.Auto-detects Claude Code, Claude Desktop, Cursor, and Codex on your machine and wires each one up. No init command needed.
Quit and reopen Claude Code, Claude Desktop, Cursor, or Codex CLI. The Casper server starts automatically. The graph view (casper/graph.html) materializes the first time you run /casper or call render_graph.
In Claude Code, run /casper for a guided session. In any client, just ask infra questions. The agent will reach for Casper's tools.
The graph renders to casper/graph.html and stays in sync as your Terraform changes. Delete it and it regenerates within ~5 seconds.
Everything Casper exposes - every tool, every answer - is backed by a single in-memory data structure called the context graph. It’s a typed view of your Terraform infrastructure that the agent queries instead of reading raw files.
The graph is a directed, attributed graph held in memory by the MCP server for the duration of the session. Every Terraform concept becomes a typed entity:
On startup Casper runs a four-stage pipeline against the directory you point it at:
Walk the tree, collect every .tf and .tfstate file (skipping vendored modules and .terraform caches).
Use HashiCorp's HCL parser to extract resource blocks, attributes, references, and module calls into typed records.
Resolve cross-file references and depends_on into directed edges. Module calls are wired to their definitions.
Compute conventions, evaluate policies, and build the lookup tables that power every MCP tool.
An fsnotify watcher runs alongside the server. Any save, edit, or delete of a .tf or .tfstate file triggers a debounced rescan and atomic graph swap. The next tool call always sees the current state of your repo - no restart, no manual reload.
Casper resolves resources, references, modules, policies, and state once at parse time, then tools query the graph instead of rereading raw Terraform. Token cost stays flat regardless of repo size, dependency walks are O(1) per hop, and policies and drift detection have a structured surface to evaluate against.
Casper checks org policy on every simulate_impact call. If the repo has any .rego files, they’re the source of truth (compatible with existing Conftest libraries). Otherwise Casper falls back to a simple YAML format in .casper/policies.yaml. Zero config either way.
On startup Casper walks the repo for .rego files; falls back to .casper/policies.yaml when none exist.
Rego policies are compiled once via the embedded OPA engine. YAML rules are parsed into typed checks.
Every simulate_impact and dump_graph call evaluates the loaded engine against affected resources.
The agent reads policy_violations[] in the response and fixes its own draft before applying.
Casper recursively scans the repo for *.rego files (skipping .git, .terraform, node_modules, vendor, testdata). Every file becomes a loaded policy. The embedded OPA evaluator compiles them once at startup. As soon as any .rego file is found, YAML argument rules are disabled; workflow rules in .casper/policies.yaml keep firing.
package policy
deny[msg] {
input.type == "aws_s3_bucket"
input.attributes.acl == "public-read"
msg := sprintf("s3 bucket %s is public-read", [input.identifier])
}{
"type": "aws_s3_bucket",
"identifier": "aws_s3_bucket.data",
"attributes": { "bucket": "my-bucket", "acl": "private", ... },
"tags": { "env": "prod", "owner": "platform" }
}For teams that aren’t already on OPA, Casper ships a simple YAML format. Each rule names a Terraform resource type, declares one or more argument constraints, and gives a human-readable message the agent can quote back when it asks you to confirm a fix. Loaded only when no .rego files exist in the repo.
policies:
- id: rds-deletion-protection
resource: aws_db_instance
rules:
- arg: deletion_protection
must_equal: "true"
message: "RDS instances must have deletion_protection enabled"
- id: rds-backup-retention
resource: aws_db_instance
rules:
- arg: backup_retention_period
min_value: 7
message: "RDS instances must retain backups for at least 7 days"
- id: everything-needs-an-owner
resource: "*" # apply to every resource type
rules:
- arg: owner
required: true
message: "All resources must have an owner argument"must_equalArgument must be present and equal to this valuedeletion_protection: "true"must_not_equalArgument, if present, must not equal this valueacl: "public-read"requiredArgument must be present and non-emptydescription: requiredmin_valueArgument must parse as a number >= this valuebackup_retention_period: 7Multiple rules in one policy AND together. Each violation appears as its own entry in the response, so the agent gets full diagnostics on the first call.
Workflow rules don’t enforce arguments. They classify the change itself and route it to a decision: allow, require_approval, require_security_review, or block. The agent reads the decision and follows it.
workflow_rules:
- id: prod-database-destroy-block
when:
env: prod
resource_type_family: database
operation: destroy
decision: block
reason: "DB destroys in prod require a manual ticket"
- id: prod-changes-require-approval
when:
env: prod
operation: [create, modify, destroy]
decision: require_approval
- id: iam-needs-security-review
when:
resource_type_family: iam
decision: require_security_reviewA rule fires when every non-empty field in when: matches. Empty fields are wildcards. For a single change the strictest decision wins overall: block > require_security_review > require_approval > allow.
Every simulate_impact response carries a policy_violations[] array and a workflow_decision object. The agent’s system prompt tells it to read these before presenting the change to you.
{
"summary": "1 created, 0 modified, 0 in blast radius",
"created": [...],
"policy_violations": [
{
"policy_id": "rds-deletion-protection",
"resource": "aws_db_instance.orders_replica",
"type": "aws_db_instance",
"message": "RDS instances must have deletion_protection enabled",
"details": "argument \"deletion_protection\" must be \"true\" (not set)"
}
],
"workflow_decision": {
"decision": "require_approval",
"matched_rules": [
{ "id": "prod-changes-require-approval", "reason": "env=prod, operation=create" }
],
"blocked": false
}
}YAML policies in .casper/policies.yaml are reread automatically on every rescan. Adding or removing .rego files requires a server restart for now — the embedded OPA evaluator compiles policies once at startup. Hot-swap is a follow-up.
Casper builds its graph from .tf code alone with zero credentials. Two tools want more: drift detection and remote state fetching. Both are read-only.
describe_live_stateRDS, EC2, S3, IAM, Lambda, EKS — Describe* / Get* APIs for drift checks against Terraform state.Tool returns an error explaining setup.S3 backend state fetchers3:GetObject on the bucket / key declared in `terraform { backend "s3" {} }` blocks in your .tf files.Backend discovery still runs; fetch logs as `status: failed` with AccessDenied. Graph stays code-only.list_state_sourcesReports the status of the S3 backend fetcher above.Works either way — surfaces the failure.No other tool touches AWS. Everything else runs against the in-memory graph.
Casper reads AWS credentials from environment variables. Set one of the two standard sets below and Casper inherits them automatically — same as aws cli or Terraform.
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
# optional, for temporary STS credentials:
export AWS_SESSION_TOKEN=...CLI clients (Claude Code, Codex) inherit your shell environment, so exporting the variables in the same terminal is enough.
GUI clients (Claude Desktop, Cursor on macOS) are launched by the OS and don’t see your shell env. Put the variables in the MCP client config’s env block instead:
{
"mcpServers": {
"casper": {
"command": "casper-mcp",
"args": ["serve", "--dir", "."],
"env": {
"AWS_ACCESS_KEY_ID": "AKIA...",
"AWS_SECRET_ACCESS_KEY": "..."
}
}
}
}Whichever identity you give Casper, it only calls Describe*, Get*, and List* APIs. Casper never writes to AWS. Use the minimal permissions in the next section.
Two minimal IAM policies depending on which tools you want to use. Attach both to the role (or user) Casper authenticates as.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-state-bucket/*"
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:*:*:key/your-state-key-id"
}
]
}The kms:Decrypt statement is only needed if your state bucket uses KMS encryption (most do). Scope the resource ARN to the specific key when possible.
Cover the AWS service families Casper supports today. You can start narrow (only what your repo actually uses) and grow over time.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:DescribeDBSubnetGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeInstances",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:GetBucketTagging",
"iam:GetRole",
"lambda:GetFunction",
"eks:DescribeCluster"
],
"Resource": "*"
}]
}AWS managed policy arn:aws:iam::aws:policy/ReadOnlyAccess also works as a coarse alternative — it’s broader than Casper needs but easy to attach.
If you use Option B (assume role), the target role needs a trust policy allowing your developer identity (or CI identity) to assume it.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/developer"
},
"Action": "sts:AssumeRole"
}]
}The full surface area — everything Casper reads from .casper/config.yaml for AWS.
Credentials are env-only (see the previous section). The config file is just for one knob:
cloud.aws.regionsnoList of regions to query for describe_live_state. Defaults to [us-east-1]. The S3 backend fetcher overrides this per-backend using each backend block’s declared region.cloud.aws.role_arnnoOptional role to assume before every AWS call. Casper uses your env-provided credentials as the base identity, then calls sts:AssumeRole to switch into this role. Useful for cross-account or least-privilege patterns.cloud:
aws:
regions: [us-east-1, ap-south-1]If you don’t need AWS at all, skip the file entirely. Casper still runs; describe_live_state returns a clear configuration-needed error and S3 backend fetches degrade to a logged failure visible in list_state_sources.
Returns a bundled view of the graph for a given intent: matching resources, similar HCL examples, reusable modules, and the conventions the codebase already follows. One call replaces what would otherwise be three or four targeted lookups.
intentstringyesFree-text description of what you're trying to build or understand.get_context({ intent: "postgres read replica" }){
"existing_resources": [
{ "Identifier": "aws_db_instance.orders_primary", "Type": "aws_db_instance" }
],
"similar_examples": [
{ "Identifier": "aws_db_instance.orders_replica", "Attributes": { "arguments": { ... } } }
],
"modules": [
{ "Identifier": "modules/rds", "Type": "terraform_module" }
],
"conventions": [
{ "Identifier": "modules/rds:aws_db_instance", "Type": "terraform_convention" }
]
}Searches the graph for resources by name, type, provider, tag, or attribute. Returns up to `limit` matches with full arguments and source path.
querystringnoFree-text query matched against name, type, tags, attributes. Optional if you pass type or provider.typestringnoRestrict to a single Terraform resource type (e.g. aws_db_instance).providerstringnoRestrict to a single provider (aws, kubernetes, datadog, …).limitnumbernoMax results. Default 25, max 200.find_resource({ query: "orders_primary", type: "aws_db_instance" }){
"matches": [
{
"ID": "tfres_c235ce39db5e57b52cf0da98",
"Type": "aws_db_instance",
"Provider": "aws",
"Identifier": "aws_db_instance.orders_primary",
"Source": "/path/to/repo/services/orders",
"Attributes": { "arguments": { "engine": "postgres", "instance_class": "var.instance_class" } }
}
],
"truncated": false
}Returns every Terraform provider in use across the repo with a resource count and the top resource types per provider. A cheap, high-signal summary of what's deployed.
list_providers({}){
"provider_count": 2,
"providers": [
{
"provider": "aws",
"resource_count": 214,
"top_types": [
{ "type": "aws_iam_policy", "count": 42 },
{ "type": "aws_security_group", "count": 31 },
{ "type": "aws_s3_bucket", "count": 18 }
]
},
{
"provider": "datadog",
"resource_count": 12,
"top_types": [
{ "type": "datadog_monitor", "count": 9 },
{ "type": "datadog_dashboard", "count": 3 }
]
}
]
}Returns dependencies for a given Casper resource ID — both what it depends on (upstream) and what depends on it (downstream).
resource_idstringyesCasper resource ID returned by find_resource or get_context.limitnumbernoMax results. Default 50, max 500.get_dependencies({ resource_id: "tfres_c235ce39db5e57b52cf0da98" }){
"dependencies": [
{
"Direction": "dependency",
"Kind": "reference",
"Resource": { "Identifier": "aws_security_group.app", "Type": "aws_security_group" }
},
{
"Direction": "dependent",
"Kind": "reference",
"Resource": { "Identifier": "aws_db_instance.orders_replica", "Type": "aws_db_instance" }
}
]
}Finds existing resources or modules that match a natural-language description and returns them as concrete examples to base new code on. Synonym expansion handles common abbreviations (rds → aws_db_instance, vpc → aws_vpc, replica → replicate_source_db).
descriptionstringyesNatural-language description (e.g. "read replica", "postgres database", "security group").find_similar({ description: "read replica" })[
{
"Identifier": "aws_db_instance.orders_replica",
"Type": "aws_db_instance",
"Attributes": {
"arguments": {
"replicate_source_db": "aws_db_instance.orders_primary.identifier",
"instance_class": "var.instance_class"
}
}
}
]Discovers reusable modules in the codebase that match a given intent. Each result includes the module path, its inputs and outputs, and a usage snippet.
intentstringyesDescription of what is being built.get_module_for({ intent: "create a postgres database with backups" })[
{
"path": "modules/rds",
"inputs": ["name", "engine", "instance_class", "backup_retention"],
"outputs": ["endpoint", "arn"],
"example_call": "module \"db\" {\n source = \"./modules/rds\"\n ...\n}"
}
]Returns existing resources of a given type so the agent can see the actual arguments, tag style, and patterns this codebase uses for that type.
resource_typestringyesTerraform resource type (e.g. aws_db_instance, aws_security_group).get_conventions({ resource_type: "aws_db_instance" })[
{
"Identifier": "aws_db_instance.orders_primary",
"Attributes": {
"arguments": {
"engine": "postgres",
"engine_version": "15.4",
"instance_class": "var.instance_class",
"deletion_protection": "true"
}
}
}
]Parses proposed HCL and returns a structured impact report: created/modified resources with arg diffs, blast radius, broken references, similar real examples, reversibility context, and any policy violations.
codestringyesProposed Terraform HCL — one or more resource blocks.simulate_impact({
code: "resource \"aws_db_instance\" \"replica\" { replicate_source_db = aws_db_instance.primary.identifier }"
}){
"summary": "1 created, 0 modified, 1 in blast radius",
"created": [{ "identifier": "aws_db_instance.replica", ... }],
"blast_radius": [{ "identifier": "aws_db_instance.primary" }],
"warnings": [],
"policy_violations": [
{
"policy_id": "rds-deletion-protection",
"resource": "aws_db_instance.replica",
"message": "RDS instances must have deletion_protection enabled"
}
]
}Resolves a set of resources from a natural-language intent or explicit IDs, calls read-only AWS Describe APIs for each, and returns per-resource drift between Terraform state and what AWS currently has.
intentstringnoNatural-language description (e.g. "orders database"). Resolved via graph search + one-hop dependency walk.resource_idsstring[]noExplicit Casper resource identifiers. Skips graph resolution. At least one of intent or resource_ids is required.describe_live_state({ intent: "orders database" }){
"scope_resources": ["aws_db_instance.orders_primary"],
"resources": [
{
"identifier": "aws_db_instance.orders_primary",
"type": "aws_db_instance",
"drift": [
{ "field": "backup_retention_period", "terraform_value": "7", "aws_value": "14" }
]
}
]
}Lists every remote Terraform state backend Casper discovered in this repo's .tf files, along with the last fetch status. Failed fetches include the verbatim error so the cause (usually AWS auth, wrong bucket/key, or NoSuchKey) is obvious.
list_state_sources({}){
"total": 2,
"loaded": 1,
"failed": 1,
"sources": [
{
"type": "s3",
"identity": "s3://acme-tfstate/prod/terraform.tfstate",
"bucket": "acme-tfstate",
"key": "prod/terraform.tfstate",
"region": "us-east-1",
"declared_in": "envs/prod/backend.tf",
"status": "loaded",
"resource_count": 214,
"edge_count": 318
},
{
"type": "s3",
"identity": "s3://acme-tfstate/staging/terraform.tfstate",
"bucket": "acme-tfstate",
"key": "staging/terraform.tfstate",
"region": "us-east-1",
"declared_in": "envs/staging/backend.tf",
"status": "failed",
"error": "AccessDenied: User is not authorized to perform s3:GetObject",
"resource_count": 0,
"edge_count": 0
}
]
}Returns the complete graph — every resource, every edge, every policy violation per resource. Intentionally verbose; use only for full-repo audits or when bootstrapping a UI.
dump_graph({}){
"fetched_at": "2026-05-14T09:30:00Z",
"resource_count": 247,
"dep_count": 318,
"resources": [ /* every resource */ ],
"dependencies": [ /* every edge */ ]
}Materializes the in-memory graph to an interactive HTML file (default casper/graph.html). The only tool that writes a file. After the first call, the file auto-updates on every .tf / .tfstate change. Used by the /casper slash command so the user has a fresh visual alongside the conversation.
render_graph({}){
"status": "rendered",
"path": "/Users/you/repo/casper/graph.html",
"scanned_dir": "/Users/you/repo",
"resource_count": 247,
"edge_count": 318
}