hcp
Claude Code plugin for hcpctl — the CLI for Optum's HCP Platform Resource Manager (PRM). Provides safe read/write/inspect/apply workflows over hundreds of resource kinds spanning Azure, GCP, AWS, and on-prem infrastructure with mandatory dry-run safety on writes.
By Thomas Hudak
Plugin Structure
Installation
Install this plugin using the Claude Code CLI:
claude plugin install hcp@otc-awesome-llm
Verification
After installation, verify the plugin is loaded:
claude plugin list
Documentation
hcp
Claude Code plugin for hcpctl, the CLI for HCP's Platform Resource Manager (PRM), which manages hundreds of resource kinds across Azure, GCP, AWS, and on-prem infrastructure.
hcpctl is a kubectl-like CLI for Optum's Healthcare Cloud Platform (HCP). This HCP plugin teaches Claude how to use hcpctl for infrastructure discovery, resource management, and operational tasks.
Prerequisites
- hcpctl binary installed (v1.1.24+) — locate with which hcpctl (path varies by platform/install method)
- Authenticated to PRM via hcpctl login (Azure AD OAuth2)
Commands
| Command | Description |
|---|---|
| /hcp-explore | Explore resource kinds, search by name, view schemas |
| /hcp-search | List and filter resources by kind, namespace, labels, state |
| /hcp-inspect | Deep inspection — details, history, permissions, actions, cost |
| /hcp-apply | Create/update resources with mandatory dry-run safety |
| /hcp-context | Manage authentication and PRM context switching |
Resource Kind Categories
| Category | Examples | Count |
|---|---|---|
| API Gateway / Stargate | stargate.api.v1, hcp.workspace.v1 | ~21 |
| Kafka & Streaming | kafka-cluster-v1, topic-v1 | ~14 |
| HCC Data Platform | hcc-dataplatform-kafka-topic-v1 | ~14 |
| HCDP Identities | hcdp-identity-v2-kafka, hcdp-subscription-v2-snowflake | ~25 |
| Snowflake / SDRP | sdrp.compute.database.v1, sdrp.common.warehouse.v1 | ~34 |
| Kubernetes | kubernetes-namespace-v1, naas-v1 | ~15 |
| Elasticsearch | elasticsearch-cluster-v1, elasticsearch-platform-saas-deployment-v1 | ~10 |
| Cassandra / CosmosDB | cassandra-cluster-v1, cosmosdb-database-v1 | ~8 |
| Databases | db-mysql.v1, atlas-cluster.v1, gcp-cloudsql.v1 | ~12 |
| Compute / VMs | compute-vm.v1, azure-vm.v1, vdi.desktop-kind.v1 | ~11 |
| Cloud Accounts | cloud-account.v2, dce.v1, azure-rg-v1 | ~9 |
| Networking | net.vpc.v1, dns.record.v1, fw.traffic.v1 | ~12 |
| CAS Networking | cas.network.azu.vnet.v1, cas.managed-network.gcp.vpc.v2 | ~26 |
| CAS Ingress | cas.ingress.load-balancer.v1, cas.ingress.waf.v1 | ~8 |
| Security / Certs | certificate-v2, secret.v2, sso-azure.v1 | ~13 |
| HCP Auth / Policy | hcp.auth.functional.role.v1, hcp.auth.policy.bundle.v1 | ~10 |
| HCP Events | hcp.event.v1, hcp.event.subscription.v1 | ~14 |
| Observability | alert-definition-v1, prometheus-v1 | ~7 |
| Entity Builder | entity-builder-v3, ebaas-deploy-v1 | ~25 |
| Databricks (UDLP) | udlp.dbw.v1, udlp.dbw-cluster.v1 | ~12 |
| DevOps Tooling | ghec.repo.v2, tfe.workspace.v1 | ~7 |
| App Middleware | nginx.v1, azure.appservice.v1, jenkins-v1 | ~9 |
| Storage | object-storage.v1, nas-storage.v1 | ~4 |
| + 12 more categories | BDPaaS, CDC, TDSaaS, CAIP, FDS, PowerBI, etc. | ~60 |
Usage Examples
Explore available resource kinds
/hcp-explore kafka
List Kubernetes namespaces in a specific namespace
/hcp-search kubernetes-namespace-v1 -n my-team
Inspect a resource
/hcp-inspect abc-123-def --history
Create a resource with safety
/hcp-apply my-resource.yaml
This will automatically dry-run first, show what will change, and ask for confirmation.
Switch PRM context
/hcp-context switch prm-stage
Safety Model
All write operations (create, apply, patch, rm, action) enforce a dry-run-first workflow:
- Claude always runs --dry-run before any write
- Results are shown to the user for review
- Only after explicit confirmation is the real operation executed
- Dangerous operations (--hard-delete, --hard-update) require additional confirmation
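The dry-run-first gate described above, written out as an added shell example; it is not the plugin's or hcpctl's own code. It assumes --dry-run can be appended to a write command, and guarded_write, confirm, is_dangerous and HCP_BIN are hypothetical names.

```shell
# Added example: dry-run gate for write subcommands (not the plugin's own code).
# Assumption: --dry-run (flag name from the page) can be appended to a write
# command; the page does not document hcpctl's full argument syntax.
HCP_BIN="${HCP_BIN:-hcpctl}"   # hypothetical override, e.g. a stub for testing

# Succeeds when any argument is a flag the page lists as dangerous.
is_dangerous() {
  for _arg in "$@"; do
    case "$_arg" in --hard-delete|--hard-update) return 0 ;; esac
  done
  return 1
}

# confirm PROMPT EXPECTED: succeeds only if the next stdin line equals EXPECTED.
confirm() {
  printf '%s ' "$1" >&2
  IFS= read -r _reply || return 1
  [ "$_reply" = "$2" ]
}

# guarded_write SUBCOMMAND [ARGS...]
# Returns: 0 executed, 2 not a write verb, 3 dry run failed, 4 not confirmed.
guarded_write() {
  case "$1" in
    create|apply|patch|rm|action) ;;
    *) echo "not a write operation: $1" >&2; return 2 ;;
  esac
  echo "== dry run: $* ==" >&2
  # stdin is closed for the dry run so it cannot consume the confirmation.
  "$HCP_BIN" "$@" --dry-run </dev/null >&2 || {
    echo "dry run failed; nothing was executed" >&2
    return 3
  }
  confirm "Apply the change shown above? Type 'yes':" yes || return 4
  if is_dangerous "$@"; then
    # Second, distinct confirmation: retype the subcommand, not another 'yes'.
    confirm "Destructive flag present. Type '$1' to proceed:" "$1" || return 4
  fi
  "$HCP_BIN" "$@"
}
```

A failed dry run or any unmatched confirmation ends the function before the real command is reached, so the only path to a write passes through both the preview and the typed approval.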
Authentication
hcpctl uses Azure AD OAuth2 by default. Run hcpctl login to authenticate (opens browser). The plugin checks auth status before operations and guides re-authentication when tokens expire.
| Context | Environment |
|---|---|
| prm-prod | Production (prm.optum.com) |
| prm-stage | Staging (prm-stg.optum.com) |
| prm-dev | Development (prm-dev.optum.com) |

