readtheplan
local MCP preview

Secure AI-agent integrations

Local MCP Terraform reviewer.

Give your AI coding agent a Terraform/SOC 2 reviewer that runs locally and never uploads raw plans. The preview exposes readtheplan analysis to MCP clients over stdio, so plan JSON stays on your workstation or inside CI.

Local-first · No raw plan upload · No hosted MCP service · No accounts or billing

Use it when an agent opens a Terraform PR and needs a second set of deterministic checks: risky replacements, identity or network changes, control-review context, and an auditor-friendly summary before humans approve.

Request pilot setup

Placeholder inbox: pilot-contact@example.com. Replace the configured pilot handoff address before production use.

Install

Run the MCP server locally.

The MCP extra installs the optional runtime. Start the server from the repository or workspace where your MCP client should resolve local plan paths.

pip install "readtheplan[mcp]"
readtheplan mcp

Tool surface today

Analyze and gate.

The preview exposes two MCP tools: analyze_plan and agent_gate. Both accept a local plan_path. analyze_plan returns the same JSON summary as readtheplan analyze --format json plan.json, while agent_gate returns the rtp-agent-gate-v1 contract from readtheplan agent-gate plan.json.

The agent_gate contract includes decision (proceed/warn/block), allowed_next_actions, prohibited_next_actions, and pr_comment — a pre-formatted Markdown summary that avoids raw plan JSON. Review it before posting to public PRs because resource addresses can still reveal environment details.

Evidence generation, signature verification, signing, framework selection, customer rule overlays, and --no-rules stay in the CLI for now.

Client config examples

Use the same local command from your MCP client.

These blocks show common MCP stdio shape. They are configuration examples, not verified compatibility claims for every client version.

| Client | Example block | Notes |
| --- | --- | --- |
| Claude Desktop | {"mcpServers":{"readtheplan":{"command":"readtheplan","args":["mcp"]}}} | Add under the client's MCP server configuration file. |
| Cursor | {"readtheplan":{"command":"readtheplan","args":["mcp"]}} | Use the client's stdio MCP server settings. |
| Windsurf | {"readtheplan":{"command":"readtheplan","args":["mcp"]}} | Adapt to the current local MCP configuration shape. |
| Generic MCP client | command: readtheplan; args: ["mcp"] | Start a stdio server process in the workspace with the plan file. |

Demo workflow

Review a Terraform PR without moving the plan.

  1. Generate plan JSON locally: terraform plan -out=tfplan, then terraform show -json tfplan > plan.json.
  2. Start your MCP client with readtheplan mcp configured as a local stdio server.
  3. Ask the agent to call agent_gate for plan.json.
  4. Use proceed, warn, or block before approving, requesting changes, merging, or applying.

Agent gate result

Proceed, warn, or block.

The agent can stop on dangerous or irreversible changes, require reviewer evidence for warning-tier changes, and produce an auditor-friendly PR comment. The raw Terraform JSON remains local; the MCP preview does not add a backend, storage layer, cloud relay, or hosted plan analysis.
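One way for a CI step or agent wrapper to enforce the gate result described above, written as an added example and not readtheplan's own code. It assumes allowed_next_actions and prohibited_next_actions are lists of strings; the action names (approve, merge, apply, request_changes) and the sample contract are constructed for illustration.

```python
import json

DECISIONS = {"proceed", "warn", "block"}  # decision values named on the page
# Assumption: hypothetical action names for steps that approve or change infrastructure.
STATE_CHANGING = {"approve", "merge", "apply"}

# Constructed sample of an agent_gate result (field names from the page, values invented).
SAMPLE_WARN = (
    '{"decision": "warn",'
    ' "allowed_next_actions": ["request_changes", "approve"],'
    ' "prohibited_next_actions": ["apply"],'
    ' "pr_comment": "constructed summary text"}'
)

def may_perform(contract_json, action, reviewer_evidence=False):
    """Return (allowed, reason) for a proposed next action; deny on any doubt."""
    try:
        contract = json.loads(contract_json)
    except (TypeError, ValueError):
        return False, "contract is not valid JSON"
    if not isinstance(contract, dict):
        return False, "contract is not a JSON object"
    decision = contract.get("decision")
    if not isinstance(decision, str) or decision not in DECISIONS:
        return False, "missing or unknown decision"
    allowed = contract.get("allowed_next_actions")
    prohibited = contract.get("prohibited_next_actions")
    # Assumption: both fields are lists of action-name strings.
    for field in (allowed, prohibited):
        if not isinstance(field, list) or not all(isinstance(a, str) for a in field):
            return False, "action lists missing or malformed"
    if action in prohibited:            # a prohibition always wins over an allowance
        return False, f"{action} is prohibited"
    if action not in allowed:           # default deny: the action must be listed
        return False, f"{action} is not explicitly allowed"
    if action in STATE_CHANGING:
        if decision == "block":
            return False, "block forbids state-changing actions"
        if decision == "warn" and not reviewer_evidence:
            return False, "warn requires reviewer evidence"
    return True, f"{action} allowed under {decision}"

if __name__ == "__main__":
    for act in ("request_changes", "approve", "apply", "merge"):
        print(act, may_perform(SAMPLE_WARN, act))
```

The wrapper treats a malformed or unrecognized contract the same as a block, so a parsing failure or a truncated tool response cannot be read as permission to apply.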

Demo prompts

Prompts for Terraform and SOC 2 review.

| Prompt | Use | Copy |
| --- | --- | --- |
| PR reviewer | Terraform pull request review | Call agent_gate on plan.json. Follow the allowed and prohibited next actions, then draft the PR comment for the Terraform author. |
| SOC 2 evidence prep | Control-owner handoff | Use the readtheplan MCP result to prepare SOC 2 change-review evidence notes. Group findings by access control, change management, monitoring, confidentiality, and availability themes. |
| Dangerous change triage | Release risk escalation | Find replacements, deletes, public exposure changes, key or identity changes, and retention decreases. Explain why each item needs human approval before apply. |
| Auditor-friendly summary | Plain-language evidence narrative | Turn the MCP analysis into an auditor-friendly summary with changed resources, risk tiers, control themes, reviewer decision points, and follow-up evidence needed. |

Custom MCP pilots

Productized integrations stay local-first.

Pilot setup can help an infra or compliance team connect a local MCP client to one Terraform repository, tune review prompts, and decide which workflows belong in CLI evidence rather than the preview MCP tool. Future adapters can normalize CloudFormation, Packer, Ansible, Kubernetes, Pulumi, AWS CDK, and Azure/GCP/Oracle IaC into the gate contract, but this preview is Terraform-first today.

Request pilot setup

No raw Terraform plan is attached or submitted.

  • Custom engagement items can include auth design, least privilege, audit logs, deployment guidance, and support.
  • The OSS preview does not include those production controls by default.
  • No hosted MCP service. No hosted plan analysis. No raw Terraform plan upload, no accounts, and no billing.