Debug Your Infrastructure From Your Agent
Atmos Pro now hosts a Model Context Protocol server at https://atmos-pro.com/mcp. Once installed, your agentic editor — Claude Code, Codex, Cursor, Continue, Cline — can answer questions about your workspace's drift, deployments, workflow runs, audit log, and more, directly. No more bouncing between editor and dashboard to find out what broke.

Here's why this is interesting. Because Atmos Pro keeps the full history of every run, your agent isn't limited to "what's failing right now?" It can answer:
- When did this start failing? Walk back through workflow runs to find the first red one.
- Is it flapping? Drifted–remediated–drifted patterns over time, not just the current state.
- Why did it fail? explain_workflow_failure returns a structured { category, suggestedAction } so your agent routes on intent, not regex over logs.
- What's our overall stability? Repo and workspace analytics, deltas vs. previous periods.
That's the loop: triage → root-cause → trend → fix — without leaving your editor.
Install
Claude Code
Pick whichever you prefer — they do the same thing. A browser opens for sign-in and consent on first use.
Option 1 — Claude CLI
Stored in ~/.claude.json under this project. Not shared, not committed.
claude mcp add --transport http atmos-pro https://qa-3.atmos-pro.com/mcp
or
Option 2 — Edit ~/.claude.json (user scope) or .mcp.json (project scope)
{
  "mcpServers": {
    "atmos-pro": {
      "type": "http",
      "url": "https://qa-3.atmos-pro.com/mcp"
    }
  }
}

Tool Catalog
Tools shipping today are mostly read-only, with one scoped action for drift remediation. Every resource has a filterable list_<noun> and a single-row get_<noun> — failing instances, pending approvals, running deployments and so on are filter arguments, not separate tools.

| What you want to do | Tools |
|---|---|
| Triage and remediate drift | list_instances (filter statusFilter: ['drifted','error']), get_instance, remediate_drift, list_stacks, list_components, list_repairs, list_repair_connections, list_recommendations |
| Inspect a workflow run | list_workflow_runs (filters: approvalState, trigger, command, status, instanceId, …), get_workflow_run |
| Diagnose a failed run end-to-end | list_jobs, list_job_summaries, get_workflow_run_logs (defaults to the failed step's last 200 lines), explain_workflow_failure |
| Trace deployments back to commits and PRs | list_deployments, get_deployment, list_pull_requests (filter by component or stack), get_pull_request, list_commits |
| Diagnose permissions and audit history | list_my_permissions, list_permissions, get_permission, list_permission_errors, list_audit_log_entries, get_audit_log_entry |
| Embed status in your repos | list_badge_types, list_badge_tokens, render_badge |
| Compare against previous periods | get_repo_analytics (per-repo Analytics tab), get_workspace_insights (workspace Insights page) |
| Ground context | get_workspace, get_repo, get_stack, get_component, list_entitlements, list_egress_ips, get_setup_checklist |
Additional mutations (approve/reject runs, dispatch arbitrary workflows, comment on PRs) follow once the surface stabilizes — they require a separate consent step in the browser.
remediate_drift is the first scoped MCP action: it dispatches the configured Atmos Pro remediation workflow for a visible instance, requires ws:instances:remediate_drift, and records the call in the audit log. Manual drift detection in the web UI is also separated from instance metadata updates with ws:instances:detect_drift.

Authentication
No PAT to paste, no API key in your .env, no static credential to rotate. OAuth still issues tokens — that's how OAuth works — but you never see, copy, or manage them. The browser handles the handshake, your OS keychain stores the result, and one click in Settings → MCP Clients revokes any client.

Concretely:
- Tokens are short-lived. Access tokens expire in ≤1 hour. Refresh tokens last 30 days and rotate on every use.
- Tokens are scoped. You choose the workspace and the permissions at install time, not the client author.
- Tokens are revocable. One click in Settings → MCP Clients cascades through the entire rotation chain immediately. The next request from that client returns 401.
- Destructive operations are unreachable. Workspace deletion, billing changes, webhook configuration, and repository deletion are blocked at the actor-type guard, regardless of any scope claim.
- Every tool call is audited. actor_type=mcp_client, the client name, the tool, and (redacted) arguments are recorded — you can see exactly what your agent has been doing.
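One way to review what MCP clients did, using the audit fields named in the last bullet. This is an added example, not Atmos Pro code: the JSON-lines export format and the field names ts, client_name and tool are assumptions, the sample entries are constructed, and hypothetical_new_tool is a made-up name standing in for any tool outside the catalog above.

```python
import json
from collections import defaultdict

# Per the page, every tool except remediate_drift is read-only, and resources
# follow the list_<noun> / get_<noun> naming convention.
READ_ONLY_PREFIXES = ("list_", "get_")
READ_ONLY_EXTRA = {"explain_workflow_failure", "render_badge"}
MUTATING = {"remediate_drift"}

# Constructed sample export, one JSON object per line. The field names
# (ts, client_name, tool) are assumptions for illustration only.
SAMPLE = """\
{"ts": "2025-01-10T09:00:01Z", "actor_type": "mcp_client", "client_name": "claude-code", "tool": "list_instances"}
{"ts": "2025-01-10T09:00:05Z", "actor_type": "mcp_client", "client_name": "claude-code", "tool": "get_instance"}
{"ts": "2025-01-10T09:00:20Z", "actor_type": "mcp_client", "client_name": "claude-code", "tool": "remediate_drift"}
{"ts": "2025-01-10T09:01:00Z", "actor_type": "user", "action": "login"}
{"ts": "2025-01-10T09:02:00Z", "actor_type": "mcp_client", "client_name": "cursor", "tool": "hypothetical_new_tool"}
{"ts": "2025-01-10T09:02:10Z", "actor_type": "mcp_client", "client_name": "cursor", "tool": "list_audit_log_entries"}
"""

def review(lines):
    """Return (per-client tool counts, findings) for MCP-client activity."""
    per_client = defaultdict(lambda: defaultdict(int))
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("actor_type") != "mcp_client":
            continue  # human and API activity is out of scope for this review
        client = entry.get("client_name", "?")
        tool = entry.get("tool", "?")
        per_client[client][tool] += 1
        if tool in MUTATING:
            # The one scoped action: each call should map to an intended fix.
            findings.append((entry.get("ts"), client, tool, "mutation"))
        elif not (tool.startswith(READ_ONLY_PREFIXES) or tool in READ_ONLY_EXTRA):
            # Not in the published catalog: the surface changed, look closer.
            findings.append((entry.get("ts"), client, tool, "unknown-tool"))
    return {c: dict(t) for c, t in per_client.items()}, findings

if __name__ == "__main__":
    summary, findings = review(SAMPLE.splitlines())
    for client, tools in summary.items():
        print(client, tools)
    for finding in findings:
        print("REVIEW:", *finding)
```
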
The standard underneath is OAuth 2.1 with Dynamic Client Registration (RFC 7591) and PKCE (RFC 7636) — the same one Linear, Sentry, Notion, and Cloudflare use for their hosted MCPs.
Learn More
- Install instructions — full per-client guide.
- What MCP unlocks for your agent — concepts and the MTTR loop.
- MCP server configuration — OAuth flow, full tool catalog, security details, revocation.
