infrawise
Infrawise is a deterministic infrastructure intelligence MCP server that gives AI coding assistants deep, accurate awareness of your AWS infrastructure, databases, and code query patterns.
Infrastructure Overview (get_infra_overview): Compact snapshot of all services — databases, queues, topics, secrets, lambdas, and high-severity findings. Ideal as a first call before any infrastructure task.
Full Graph Summary (get_graph_summary): Complete infrastructure graph with every node (tables, functions, lambdas, queues), edge (queries, scans, triggers), and all findings across all severity levels.
Analyze a Function (analyze_function): Deep-dive into a named function or Lambda handler — tables accessed, query methods (scan vs. query), queue publishing, secret access, and correct event shapes for each trigger type (SQS, DynamoDB Streams, Kinesis, EventBridge).
Suggest DynamoDB GSI (suggest_gsi): Ready-to-use GSI definition (index name, partition key, projection type, billing mode) for a given table and attribute.
Suggest PostgreSQL Index (postgres_index_suggestions): Exact CREATE INDEX CONCURRENTLY SQL including partial index variant and ANALYZE reminder.
Suggest MongoDB Index (suggest_mongo_index): Exact db.collection.createIndex() command with compound and text index variants.
Suggest MySQL Index (mysql_index_suggestions): Exact ALTER TABLE ADD INDEX SQL including composite variant and EXPLAIN guidance.
SQS Queue Details (get_queue_details): All queues with DLQ presence, encryption status, approximate message count, and retention settings.
SNS Topic Details (get_topic_details): All topics with subscription count and encryption status.
Secrets Overview (get_secrets_overview): All Secrets Manager secrets with rotation status and interval — values never returned.
SSM Parameter Overview (get_parameter_overview): All SSM Parameter Store parameters with type and tier — values never returned.
Lambda Overview (get_lambda_overview): All Lambda functions with runtime, memory, timeout, environment variable key names (values never returned), and event source trigger details.
EventBridge Details (get_eventbridge_details): All EventBridge rules with state, schedule/event patterns, and target Lambda function names.
S3 Overview (get_s3_overview): All S3 buckets with versioning, encryption, public access configuration, and security findings — object contents never included.
CloudWatch Log Errors (get_log_errors): Recent error pattern summaries grouped by log group with counts and frequencies, with optional log group filtering — raw log messages never returned.
Provides tools to suggest exact createIndex commands for MongoDB collections based on query patterns.
Provides tools to suggest exact ALTER TABLE ADD INDEX SQL for MySQL tables and detect missing indexes.
Provides tools to suggest exact CREATE INDEX SQL for PostgreSQL tables and detect missing indexes.
Infrawise
sidd27.github.io/infrawise — Understand your infrastructure, not just your code.
Infrawise gives AI coding assistants deterministic infrastructure awareness.
It statically analyzes your codebase, cloud infrastructure, and database schemas, then exposes that context through MCP so tools like Claude Code can understand your actual tables, indexes, query patterns, and service relationships instead of guessing from source files alone.
Why this exists
New software developers don't write wrong code. Claude Code writes wrong code and they ship it. Infrawise is the only thing standing between Claude Code's generated output and a production incident.
AI coding assistants can read your source files but have no deterministic knowledge of your infrastructure. They do not know which GSIs exist, how tables are partitioned, which functions already trigger scans, or where indexes are missing. So they guess.
Infrawise replaces guessing with infrastructure-aware context.
Without Infrawise, an AI assistant might:
Suggest a .scan() on your Orders table that has 50M rows
Recommend adding a GSI on status that you already have
Write a SELECT * when you need to keep query cost low
Not notice that 5 functions are already hammering the same partition key
With Infrawise, it knows:
Your exact table schemas, partition keys, sort keys, and GSIs
Which functions query which tables and how
Which patterns are already flagged as high severity
The exact CREATE INDEX SQL or GSI config for your tables — not generic advice
What Infrawise is not
Infrawise is not an AI agent framework, an infrastructure provisioning tool, an observability platform, or a cloud management dashboard.
It is a deterministic infrastructure intelligence layer for AI-assisted development.
Installation
npm install -g infrawise
or use without installing:
npx infrawise start --claude
Quick start
cd your-project
infrawise start --claude
That's it. Infrawise will:
Probe your environment and generate infrawise.yaml (first time only — asks which AWS profile to use only if you have several)
Scan your AWS services, databases, and codebase
Write .mcp.json so your editor auto-connects on every future launch
Open Claude Code with all 16 MCP tools ready
Every time after:
claude # no infrawise command needed — editor manages the connection
Analysis is cached for 24 hours. When the cache is stale, infrawise serve --stdio (spawned automatically by your editor) refreshes it at session start. File changes are detected within the session and the code graph is updated automatically.
Findings (3 total)
1. [HIGH] Full table scan detected on DynamoDB table "Orders"
listAllOrders() scans without any filter — reads every item in the table.
Recommendation: Replace Scan with Query using a partition key or add a GSI.
2. [MEDIUM] PostgreSQL table "users" has no index on column "email"
Filtering on "email" causes sequential scans.
Recommendation: CREATE INDEX CONCURRENTLY idx_users_email ON users(email);
3. [MEDIUM] DynamoDB table "Sessions" accessed by 6 distinct code paths
High access concentration may create hot partition issues at scale.
Using with AI coding assistants
Claude Code (recommended)
infrawise start --claude
Writes .mcp.json to your project root and opens Claude Code. Claude Code reads .mcp.json automatically on every launch and manages the infrawise serve --stdio process — no server to start, no ports to configure.
Cursor
infrawise start --cursor
Writes .cursor/mcp.json and opens Cursor. All 16 infrawise tools are available in Cursor's MCP panel.
Any editor (no flag)
infrawise start
Writes .mcp.json and exits. Open whichever editor you prefer — point it at infrawise serve --stdio --config /path/to/infrawise.yaml as an MCP server command.
HTTP transport (alternative)
If your editor or workflow requires an HTTP MCP endpoint instead of stdio:
infrawise serve # starts server at http://localhost:3000/mcp
Add to your editor's MCP config:
{
  "mcpServers": {
    "infrawise": {
      "url": "http://localhost:3000/mcp"
    }
  }
}
MCP tools
Tool | What it provides |
| Complete snapshot — all services, counts, high-severity findings, and a |
| Full infrastructure graph — all nodes, edges, and findings |
| Issues in a specific function — scans, missing indexes, N+1, trigger event shapes |
| Exact GSI config for a DynamoDB table + attribute |
| Exact |
| Exact |
| Exact |
| SQS queues — DLQ status, encryption, FIFO type, visibility timeout, message counts |
| API Gateway APIs (REST, HTTP, WebSocket) — routes, HTTP methods, paths, and Lambda integrations |
| SNS topics — subscription counts, protocols, and filter policies (required message attributes per subscription) |
| Secrets Manager — names and rotation status (values never included) |
| SSM Parameter Store — names, types, tiers (values never included) |
| Lambda functions — runtime, memory, timeout, triggers (SQS/SNS/DynamoDB/Kinesis/MSK/EventBridge/S3), env var key names |
| EventBridge rules — name, state, schedule/event pattern, target functions |
| S3 buckets — versioning, encryption, public access, event notifications |
| CloudWatch error patterns and counts (no raw log messages) |
CLI reference
Command | What it does |
| Primary command — probe env, generate config, analyze, write editor MCP config |
| Same as above, then opens Claude Code |
| Same as above, then opens Cursor |
| Run the guided setup wizard instead of auto-discovery |
| Delete |
| Force a full re-scan — useful after major infrastructure changes |
| CI gate — analyze and exit non-zero when findings reach the threshold severity |
| Start the MCP server — HTTP by default, or |
| Diagnostic escape hatch — validate AWS/DB access, config, and repo scan |
infrawise analyze options
Flag | Description |
| Path to |
| Repository to scan (default: current directory) |
| Skip reading/writing the cache |
| Save findings as a markdown report, e.g. |
| Only show findings at or above this level: |
# Export a shareable findings report
infrawise analyze --output report.md
# Only show high-severity issues
infrawise analyze --severity high
# High-severity issues only, saved to a file
infrawise analyze --severity high --output report.md
infrawise check options (CI/CD)
check runs a fresh analysis and sets a non-zero exit code when blocking findings exist, so it can gate a pipeline without an AI editor.
Flag | Description |
| Path to |
| Repository to scan (default: current directory) |
| Severity that fails the build: |
# Block a deploy if any high-severity finding exists (exit 1)
infrawise check
# Stricter gate — fail on medium and above
infrawise check --fail-on medium
infrawise serve options
Flag | Description |
| Path to |
| Use stdio transport (for editors via |
| Port to listen on, HTTP only (default: |
Configuration
infrawise.yaml is generated by infrawise start (or infrawise start --interactive for the guided wizard) and lives in your repo root. Every service must be explicitly enabled: true — infrawise never connects to anything not listed in config.
Connection strings support ${ENV_VAR} substitution so passwords never need to be committed:
postgres:
  enabled: true
  connectionString: postgresql://infrawise_ro:${DB_PASSWORD}@host:5432/mydb
Full example:
project: payments-service
aws:
  profile: default # AWS profile from ~/.aws/credentials
  region: ap-south-1
dynamodb:
  enabled: true
  includeTables: # omit to include all tables
    - Orders
    - Users
postgres:
  enabled: true
  connectionString: postgresql://infrawise_ro:${DB_PASSWORD}@host:5432/mydb
mysql:
  enabled: false
  connectionString: ''
mongodb:
  enabled: false
  connectionString: ''
sqs:
  enabled: true
sns:
  enabled: true
ssm:
  enabled: true
  paths: [] # filter by prefix e.g. ["/myapp/prod"]
secretsManager:
  enabled: true
lambda:
  enabled: true
  includeFunctions: # omit to include all functions
    - myFunction
    - anotherFunction
eventbridge:
  enabled: true
rds:
  enabled: false
s3:
  enabled: false
apiGateway:
  enabled: false
cloudwatchLogs:
  enabled: false
  logGroupPrefixes: []
  windowHours: 24
analysis:
  sampleSize: 100
  hotPartitionThreshold: 5
  hotPartitionThresholds:
    high-traffic-table: 12
AWS setup
Infrawise is read-only. Minimum IAM policy required:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:ListTables", "dynamodb:DescribeTable"],
      "Resource": "*"
    }
  ]
}
For SSO profiles, log in before running infrawise:
aws sso login --profile myprofile
PostgreSQL setup (optional)
Create a read-only user for infrawise:
CREATE USER infrawise_ro WITH PASSWORD 'yourpassword';
GRANT CONNECT ON DATABASE yourdb TO infrawise_ro;
GRANT USAGE ON SCHEMA public TO infrawise_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO infrawise_ro;
For Amazon RDS: allow inbound on port 5432 from your machine's IP in the security group.
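The infrawise_ro password reaches infrawise through a connectionString in infrawise.yaml, and the ${ENV_VAR} substitution described under Configuration only keeps it out of the repository if no literal is committed. The check below is an added example, not part of infrawise or its repository; the function name, the line-based matching and the sample config (including the made-up password) are assumptions for illustration.

```javascript
// Added example, not part of infrawise: find connectionString entries in
// infrawise.yaml whose password is a literal rather than ${ENV_VAR}.
const PLACEHOLDERS_ONLY = /^(\$\{[A-Za-z_][A-Za-z0-9_]*\})+$/;

function findLiteralPasswords(yamlText) {
  const findings = [];
  let service = null;
  yamlText.split(/\r?\n/).forEach((raw, i) => {
    // Remember the enclosing top-level key (postgres, mysql, mongodb, ...).
    const top = raw.match(/^([A-Za-z][\w-]*):\s*(#.*)?$/);
    if (top) {
      service = top[1];
      return;
    }
    const entry = raw.match(/^\s*connectionString:\s*(.*)$/);
    if (!entry) return;
    // Drop a trailing comment, then surrounding quotes.
    const value = entry[1]
      .replace(/\s+#.*$/, '')
      .trim()
      .replace(/^(['"])(.*)\1$/, '$2');
    // Userinfo is everything between "scheme://" and the last "@" that
    // precedes the host; no userinfo or no ":" means no password to check.
    const uri = value.match(/^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)@/i);
    if (!uri || !uri[1].includes(':')) return;
    const password = uri[1].slice(uri[1].indexOf(':') + 1);
    if (password !== '' && !PLACEHOLDERS_ONLY.test(password)) {
      // Report position only, so the secret is not copied into CI logs.
      findings.push({ line: i + 1, service });
    }
  });
  return findings;
}

// Constructed sample config; "hunter2" is a made-up literal password.
const SAMPLE_CONFIG = [
  'postgres:',
  '  enabled: true',
  '  connectionString: postgresql://infrawise_ro:${DB_PASSWORD}@host:5432/mydb',
  'mysql:',
  '  enabled: true',
  "  connectionString: 'mysql://infrawise_ro:hunter2@host:3306/mydb'",
  'mongodb:',
  '  enabled: false',
  "  connectionString: ''",
].join('\n');

console.log(findLiteralPasswords(SAMPLE_CONFIG));
```

Run it over the real file in a pre-commit hook or CI step and fail when the returned array is non-empty.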
Analysis capabilities
Infrawise has two analysis layers:
Infrastructure analysis (all languages)
Works from AWS APIs, database schema introspection, and IaC files — no dependency on application code:
Service | What it checks |
DynamoDB schema | Tables, GSIs, partition keys |
PostgreSQL / MySQL schema | Tables, indexes, column types |
MongoDB schema | Collections, indexes |
SQS | Missing DLQs, unencrypted queues, large backlogs, FIFO detection, visibility timeout vs Lambda timeout mismatch |
SNS | Subscription filter policies — required message attributes per subscription |
Apache Kafka (kafkajs) | Producer/consumer topic mapping from code — any broker (self-hosted, Confluent, Redpanda, MSK); distinct from the MSK Lambda trigger |
Secrets Manager | Missing secret rotation |
Lambda | Default memory (128 MB), high timeouts, triggers (SQS/SNS/DynamoDB/Kinesis/MSK/EventBridge/S3), missing DLQ on trigger source |
S3 | Public access blocking (verify), missing versioning, missing encryption |
EventBridge | Rules, schedules, event patterns, target Lambda functions |
API Gateway | REST, HTTP, and WebSocket APIs — routes, methods, Lambda integrations |
RDS | Publicly accessible, no backups, unencrypted, no deletion protection, single-AZ |
CloudWatch Logs | Log groups with no retention policy |
Terraform / CloudFormation / CDK | IaC drift vs deployed state |
Code correlation analysis (TypeScript / JavaScript)
Uses ts-morph AST analysis to detect which functions call which tables and how:
Analyzer | Severity | What it detects |
Full Table Scan (DynamoDB) | High |
|
Missing GSI | Medium | Queries on attributes without a matching GSI |
Hot Partition | Medium | 5+ distinct code paths hitting the same table |
Missing Index (PostgreSQL) | Medium | Tables queried without indexes |
N+1 Query | High | Repeated query patterns from ORM loops |
Large SELECT | Low |
|
Missing MySQL Index | Medium | MySQL tables queried without indexes |
MySQL Full Table Scan | High | Full table scan patterns in MySQL queries |
Missing Mongo Index | Medium | Collections queried without secondary indexes |
Collection Scan | High |
|
Pipeline: scan in consumer | High / Verify | Full scan inside an event-triggered Lambda handler (High when the lambda-to-code link is IaC-proven, Verify when name-matched) |
Pipeline: repeated table access | Medium / Verify | Same table read by 2+ functions in one service pipeline |
Pipeline: missing DLQ hop | Medium | Mid-pipeline queue (has producer and consumer) with no Dead Letter Queue |
Non-TypeScript/JavaScript projects still get full value from infrastructure-level analyzers — code correlation (function-to-table mapping, N+1 patterns) is skipped.
The scanner supports: AWS SDK v3/v2 for DynamoDB, pg/Prisma/Knex for PostgreSQL, mysql2/Knex for MySQL, driver/Mongoose for MongoDB, AWS SDK v3 for SQS/SNS/SSM/Secrets/Lambda, and kafkajs for Kafka topics (producer/consumer).
How it works
Infrawise scans your repository and infrastructure metadata
A graph engine maps services, schemas, indexes, and query patterns
Rule-based analyzers detect infrastructure and query anti-patterns
The resulting context is exposed through MCP
AI coding assistants query this context while generating code
Deterministic analysis
Infrawise does not use an LLM to analyze your infrastructure. All extraction and analysis are deterministic: AST parsing, schema introspection, rule-based analyzers, and graph correlation. LLMs are only consumers of the generated context through MCP.
Security
Read-only — never writes to AWS or your database, never executes DDL
Local-first — everything runs on your machine, nothing sent to external servers
No telemetry — zero data collection
Credentials — uses your existing AWS credential chain, never stored by infrawise
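The read-only claim holds only as far as the IAM policy attached to the profile allows, so it is worth comparing that policy with the minimum policy shown under AWS setup. The check below is an added example, not part of infrawise; the function name and the drifted sample policy are constructed, and the baseline holds only the two DynamoDB actions the page lists (actions for other enabled services are not given on the page and must be added by you).

```javascript
// Added example, not part of infrawise: report what an IAM policy allows
// beyond an explicit baseline of actions.

// Baseline copied from the minimum policy on this page (DynamoDB only).
const BASELINE = ['dynamodb:ListTables', 'dynamodb:DescribeTable'];

// IAM accepts a single value or an array for Statement and Action.
const asArray = (v) => (v === undefined ? [] : [].concat(v));

function actionsBeyondBaseline(policy, baseline = BASELINE) {
  // IAM action names are case-insensitive.
  const allowed = new Set(baseline.map((a) => a.toLowerCase()));
  const extras = [];
  asArray(policy.Statement).forEach((st, index) => {
    if (st.Effect !== 'Allow') return; // Deny statements only narrow access
    if (st.NotAction !== undefined) {
      // Allow + NotAction grants everything except the listed actions.
      extras.push({ statement: index, action: 'NotAction', reason: 'allow-by-exclusion' });
      return;
    }
    for (const action of asArray(st.Action)) {
      if (action.includes('*') || action.includes('?')) {
        extras.push({ statement: index, action, reason: 'wildcard' });
      } else if (!allowed.has(action.toLowerCase())) {
        extras.push({ statement: index, action, reason: 'not-in-baseline' });
      }
    }
  });
  return extras;
}

// The policy from the AWS setup section.
const PAGE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['dynamodb:ListTables', 'dynamodb:DescribeTable'], Resource: '*' },
  ],
};

// Constructed sample: the same policy after it has drifted.
const DRIFTED_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['dynamodb:listtables', 'dynamodb:DescribeTable', 'dynamodb:DeleteTable'], Resource: '*' },
    { Effect: 'Allow', Action: 's3:*', Resource: '*' },
  ],
};

console.log(actionsBeyondBaseline(PAGE_POLICY), actionsBeyondBaseline(DRIFTED_POLICY));
```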
🔒 Security & Project Naming Note
You might see this package flagged on certain supply-chain security scanners under "deceptive naming." This is a false positive triggered by automated tools because of the prefix "infra." This project is completely safe, independent, and unaffiliated with any commercial trademarks.
Architecture overview
Source layout
src/
  types.ts      Shared type definitions
  core/         Config (Zod + YAML), logger (Pino), local cache
  graph/        Graph engine — nodes, edges, builder
  adapters/
    aws/        DynamoDB, S3, Lambda, SQS/SNS/SSM/Secrets/EventBridge/RDS/APIGateway, CloudWatch
    db/         PostgreSQL, MySQL, MongoDB
    iac/        Terraform, CDK, CloudFormation (local file parsing)
  analyzers/    29 rule-based analyzers
  context/      Repository scanner (ts-morph AST)
  server/       Fastify MCP server (@modelcontextprotocol/sdk, Streamable HTTP)
  cli/          CLI commands (Commander.js)
Current limitations
Code-level correlation supports TypeScript and JavaScript only
Dynamically constructed queries may not always be resolved statically
Runtime tracing is not yet implemented
Large monorepos may require future incremental analysis optimization
Roadmap
Feature roadmap is tracked in the GitHub Project. Feature requests and upvotes welcome.
Demo
The demo/localstack/ directory runs infrawise against real AWS APIs emulated locally via LocalStack — an open-source tool that spins up a full AWS environment in Docker so you can test AWS integrations at zero cost, with no real AWS account needed. See demo/localstack/README.md for setup instructions.
Contributing
See CONTRIBUTING.md for a full walkthrough — including how to add a new service adapter, a new analyzer, and the PR checklist.
Releasing
pnpm release patch # 0.1.2 → 0.1.3 (bug fixes)
pnpm release minor # 0.1.2 → 0.2.0 (new features, backwards compatible)
pnpm release major # 0.1.2 → 1.0.0 (breaking changes)
pnpm release 1.5.0 # explicit version
Bumps package.json, commits, tags, pushes, and creates a draft GitHub release with notes from commit messages. Then publish the draft on GitHub to trigger npm publish.
License
MIT