RecourseOS gates tool access. Agent must get permission before calling mutation tools.
1 · Intent
AI AgentClaude, Cursor, bots
Humanterraform, aws, kubectl
CI / PRGitHub Actions, Atlantis
2 · Client
MCP ClientDiscovers tools
CLI
CI Adapter
Local UIReports, history
3 · RecourseOS
MCP ServerFront door for agents
AdaptersTF, shell, MCP
EngineRules, classifier
-Blockunrecoverable
!Reviewambiguous
+Allowrecoverable
4 · Tools
MCP Toolscreate, update, delete
Terraform
Shell / CLI
CloudAWS, GCP, Azure, K8s
EvidenceRead-only enrichment
PolicyApproval, audit
Example response
{ "decision": "block", "tier": "unrecoverable", "resource": "aws_db_instance.main", "reason": "skip_final_snapshot=true" }