Consequence layer for AI agents
Check recoverability before destructive actions
Website · MCP Setup · Console · Coverage
Recourse is an MCP server that evaluates Terraform plans, shell commands, and tool calls before execution. It returns structured facts — recoverability tier, evidence assessment, and risk level — so callers can make context-aware decisions. Agents call Recourse before they act; humans see what the agent checked.
One config block. Works with Claude Desktop, Claude Code, Cursor, and any MCP-compatible client.
{
"mcpServers": {
"recourseos": {
"command": "npx",
"args": ["-y", "recourse-cli@latest", "mcp", "serve"]
}
}
}The server exposes five tools:
| Tool | Purpose |
|---|---|
recourse_evaluate_terraform |
Check Terraform plans before terraform apply |
recourse_evaluate_shell |
Check shell commands before execution |
recourse_evaluate_mcp_call |
Check other MCP tool calls before invocation |
recourse_evaluate_with_evidence |
Re-evaluate with verification evidence |
recourse_supported_resources |
List resources with deterministic rules |
Plus a resource agents can read:
| Resource | Purpose |
|---|---|
recourse://instructions |
Safety protocol — when to call, how to interpret results |
Each tool returns:
- riskAssessment: engine's summary read —
allow,warn,escalate, orblock - recoverability: tier and reasoning for each mutation
- evidence: what was found, what's missing, what's needed for confident classification
- crossActionRisks: dangerous patterns where individual actions are safe but their combination is unrecoverable (e.g., deleting a backup + the database it backs up)
The engine emits facts. Callers interpret them in context — a block assessment in staging might be acceptable; in production it might require approval.
Terraform plan says:
- aws_db_instance.main will be destroyed
Recourse tells the agent what that means:
aws_db_instance.main
recoverability: unrecoverable
reason: skip_final_snapshot=true, backup_retention_period=0, deletion_protection=false
riskAssessment: block
The agent can interpret these facts: "Recourse assessed this as block-level risk — deletes the database with no backup. Should I proceed?"
That's different from "I deleted your production database."
Agents can read the built-in safety protocol from recourse://instructions. Or use this prompt:
Before executing destructive operations, call RecourseOS:
- Shell commands → recourse_evaluate_shell
- Terraform plans → recourse_evaluate_terraform
- Other MCP tools → recourse_evaluate_mcp_call
Interpret the riskAssessment:
- allow: proceed
- warn: proceed with caution, inform user
- escalate: stop and ask user for approval
- block: do not proceed without human review
If escalate/block includes verificationSuggestions, run those commands
and call recourse_evaluate_with_evidence to potentially upgrade the assessment.
For humans running preflight checks directly:
npm install -g recourse-cli@latest
recourse --versionRun a preflight check:
recourse preflight shell 'aws s3 rm s3://prod-audit-logs --recursive'Or run without installing:
npx -y recourse-cli@latest preflight shell 'aws s3 rm s3://prod-audit-logs --recursive'terraform plan -out=plan.bin
terraform show -json plan.bin > plan.json
recourse plan plan.jsonOpen the interactive terminal UI:
recourse tui
recourse tui --source shell --input 'aws s3 rm s3://prod-audit-logs --recursive'Fail CI if a plan contains unrecoverable changes:
recourse plan plan.json --fail-on unrecoverableBLAST RADIUS REPORT
===================
DIRECT CHANGES
X DELETE aws_db_instance.main
Recoverability: unrecoverable
skip_final_snapshot=true, no backup retention; data will be lost
X DELETE google_storage_bucket.audit
Recoverability: recoverable-from-backup
GCS bucket versioning is enabled; object generations may be recoverable
~ DELETE azurerm_role_assignment.reader
Recoverability: reversible
Azure role assignment/definition is config-only and can be reapplied
SUMMARY
Unrecoverable: 1 resource
Recoverable (backup): 1 resource
Reversible: 1 resource
| Tier | Label | Meaning |
|---|---|---|
| 1 | reversible |
Can be undone with another apply or API call. |
| 2 | recoverable-with-effort |
Can be recreated, but requires coordinated work. |
| 3 | recoverable-from-backup |
Requires a backup, snapshot, version, or retention window. |
| 4 | unrecoverable |
Data, identity, key material, or recovery points may be permanently lost. |
| 5 | needs-review |
Evidence is insufficient to classify safely. |
Known resources use hand-written deterministic rules and remain authoritative.
AWS: RDS, DynamoDB, S3, EBS, EFS, EC2, Lambda, AMIs, VPCs, security groups, EIPs, load balancers, Route53, IAM, KMS, Secrets Manager, SNS/SQS, CloudWatch logs, ElastiCache, Neptune.
GCP: Cloud Storage (versioning), Cloud SQL (protection, backups), BigQuery, Secret Manager, IAM, service accounts, DNS, persistent disks, snapshots, KMS, GKE.
Azure: Storage accounts (soft delete), Azure SQL/MSSQL, PostgreSQL/MySQL Flexible Server, MariaDB, Cosmos DB, Key Vault, role assignments, Azure AD, DNS, managed disks, AKS.
For unknown resource types, Recourse uses a three-layer classification system:
- Exact mappings: ~180 manually verified resource → category mappings across AWS, GCP, Azure, and OCI.
- BitNet classifier: A 1-bit quantized neural network trained on 400+ resource types across 10+ cloud providers.
- Pattern fallback: Regex-based classification for the long tail.
Production accuracy is 90.5% on a held-out test set. Low-confidence classifications return needs-review rather than false approval.
recourse plan plan.json
recourse plan plan.json --state terraform.tfstate
recourse plan plan.json --format json
recourse plan plan.json --classifierrecourse explain plan.json aws_db_instance.main
recourse explain plan.json aws_db_instance.main --format jsonrecourse evaluate terraform plan.json --classifier
recourse evaluate shell 'aws s3 rm s3://prod-audit-logs --recursive'
recourse evaluate mcp '{"server":"aws","tool":"s3.delete_bucket","arguments":{"bucket":"prod-audit-logs"}}'recourse preflight terraform plan.json --classifier
recourse preflight shell 'kubectl delete namespace payments'
recourse preflight mcp mcp-call.jsonrecourse tui
recourse tui --source shell --input 'aws s3 rm s3://prod-audit-logs --recursive'
recourse tui --source terraform --input plan.json --classifierrecourse mcp serveSee docs/mcp-setup.md for full setup and docs/agent-interface.md for the schema reference.
Automatically check RecourseOS before dangerous shell commands execute. Add to your shell profile:
eval "$(recourse wrap)"Now rm, aws, kubectl, and terraform commands check RecourseOS first:
rm -rf /tmp/important
# recourse: escalate - Recoverability needs human review
# Proceed? [y/N]Or execute with explicit checking:
recourse exec "rm -rf /tmp/test"Every evaluation response includes a cryptographic attestation (Ed25519 signature). Verify with:
recourse verify attestation.jsonOr pipe from stdin:
cat response.json | jq '.attestation' | recourse verify -recourse evidence aws-s3 prod-audit-logs --region us-east-1 > s3-evidence.json
recourse evidence aws-rds prod-db --region us-east-1 > rds-evidence.json
recourse evaluate shell 'aws s3 rb s3://prod-audit-logs --force' \
--aws-s3-evidence s3-evidence.jsonSupported: aws-s3, aws-rds, aws-dynamodb, aws-iam-role, aws-kms-key.
recourse resourcesnpm install
npm run build
npm test
npm run test:allRegenerate docs after changing resource handlers:
npm run docs:allRecourse analyzes the plan, state, command, and evidence you provide. It cannot:
- Prove that out-of-band backups exist unless evidence is supplied.
- Inspect every object, row, secret, or dependency behind a resource.
- Guarantee cross-account or cross-region recovery.
- Predict races between planning and applying.
- Replace human review for opaque destructive resources.
The safety posture is conservative: when evidence is incomplete, Recourse returns higher-risk assessments (escalate or block) rather than understating risk.
MIT