@thotischner/observability-mcp 1.4.0 → 1.5.1

package/dist/sdk/manifest-schema.js

@@ -33,4 +33,15 @@ export const manifestSchema = z.object({
         serverVersion: z.string().optional(),
     })
         .optional(),
+    // Subresource-integrity-style digest of the plugin entry file
+    // ("sha256-<base64>"). When the server runs with VERIFY_PLUGINS=true
+    // this MUST be present and match the on-disk entry, and the manifest
+    // itself MUST carry a valid detached signature. Airgapped-friendly:
+    // verification is fully offline against a local trust-root key.
+    integrity: z
+        .string()
+        .regex(/^sha256-[A-Za-z0-9+/]+=*$/, {
+        message: 'integrity must be "sha256-<base64>"',
+    })
+        .optional(),
 });

package/dist/tools/context-seam.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tools/context-seam.test.js

@@ -0,0 +1,23 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { readFileSync, readdirSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+// Keystone guard: every tool handler must accept the RequestContext seam.
+// This prevents a new handler (or a refactor) from silently bypassing the
+// request-scoped context that access-control / scoping / audit attach to.
+const here = dirname(fileURLToPath(import.meta.url));
+describe("RequestContext seam", () => {
+    const handlerFiles = readdirSync(here).filter((f) => f.endsWith(".ts") && !f.endsWith(".test.ts"));
+    for (const file of handlerFiles) {
+        const src = readFileSync(join(here, file), "utf8");
+        const hasHandler = /export\s+(async\s+)?function\s+\w*Handler\s*\(/.test(src);
+        if (!hasHandler)
+            continue;
+        it(`${file}: handler accepts a RequestContext`, () => {
+            assert.match(src, /_ctx:\s*RequestContext/, `${file} exports a *Handler but does not thread RequestContext — ` +
+                `add the ctx seam (see context.ts)`);
+            assert.match(src, /from "\.\.\/context\.js"/, `${file} must import from ../context.js`);
+        });
+    }
+});

package/dist/tools/detect-anomalies.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const detectAnomaliesDefinition: {
     name: "detect_anomalies";
     description: string;
@@ -25,7 +26,7 @@ export declare function detectAnomaliesHandler(registry: ConnectorRegistry, args
     service?: string;
     duration?: string;
     sensitivity?: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/detect-anomalies.js

@@ -1,4 +1,6 @@
-import { detectRecentAnomaly } from "../analysis/anomaly.js";
+import { defaultContext } from "../context.js";
+import { detectAnomaly, classifyMetric } from "../analysis/anomaly.js";
+import { rankRootCause } from "../analysis/correlator.js";
 export const detectAnomaliesDefinition = {
     name: "detect_anomalies",
     description: "Scan for anomalies across all monitored services (or a specific service). Detects metric deviations using z-score analysis against recent baseline, checks log error spikes, and correlates signals across metrics and logs. Returns anomalies with severity ratings and cross-signal correlations.",
@@ -26,8 +28,12 @@ const SENSITIVITY_THRESHOLDS = {
     medium: 2.0,
     high: 1.5,
 };
-const KEY_METRICS = ["cpu", "error_rate", "latency_p99", "request_rate"];
-export async function detectAnomaliesHandler(registry, args) {
+const KEY_METRICS = ["cpu", "memory", "error_rate", "latency_p99", "request_rate"];
+// Patterns that signal a serious incident even at warn level and even when
+// the overall error ratio is low (e.g. a memory leak emits a handful of
+// "OutOfMemoryWarning" lines long before it turns into 5xx errors).
+const CRITICAL_LOG_PATTERN = /\b(out\s?of\s?memory|oom|outofmemory|heap (usage|exhaust)|memory leak|panic|fatal|deadlock|segfault|stack overflow|cannot allocate)\b/i;
+export async function detectAnomaliesHandler(registry, args, _ctx = defaultContext()) {
     const duration = args.duration || "10m";
     const threshold = SENSITIVITY_THRESHOLDS[args.sensitivity || "medium"] || 2.0;
     // Discover services to scan
@@ -56,18 +62,21 @@ export async function detectAnomaliesHandler(registry, args) {
             for (const metric of KEY_METRICS) {
                 try {
                     const result = await connector.queryMetrics({ service: serviceName, metric, duration });
-                    const values = result.values.map((v) => v.value);
-                    const anomaly = detectRecentAnomaly(values, 5, threshold);
+                    const points = result.values.map((v) => ({ timestamp: v.timestamp, value: v.value }));
+                    const anomaly = detectAnomaly(points, {
+                        threshold,
+                        metricKind: classifyMetric(metric),
+                    });
                     if (anomaly.isAnomaly) {
-                        const deviationPercent = anomaly.baselineAvg === 0
+                        const deviationPercent = anomaly.baselineValue === 0
                             ? 100
-                            : Math.round(((anomaly.recentAvg - anomaly.baselineAvg) / anomaly.baselineAvg) * 100);
+                            : Math.round(((anomaly.recentValue - anomaly.baselineValue) / anomaly.baselineValue) * 100);
                         allAnomalies.push({
                             metric,
-                            severity: Math.abs(anomaly.zScore) >= 3 ? "high" : Math.abs(anomaly.zScore) >= 2 ? "medium" : "low",
-                            description: `${metric} is ${anomaly.zScore.toFixed(1)}σ ${anomaly.zScore > 0 ? "above" : "below"} baseline (${anomaly.baselineAvg.toFixed(2)} → ${anomaly.recentAvg.toFixed(2)})`,
-                            currentValue: anomaly.recentAvg,
-                            baselineValue: anomaly.baselineAvg,
+                            severity: Math.abs(anomaly.score) >= 6 ? "high" : Math.abs(anomaly.score) >= 4 ? "medium" : "low",
+                            description: `${metric}: ${anomaly.reason}`,
+                            currentValue: anomaly.recentValue,
+                            baselineValue: anomaly.baselineValue,
                             deviationPercent,
                             source: connector.name,
                             service: serviceName,
@@ -85,6 +94,21 @@ export async function detectAnomaliesHandler(registry, args) {
                 continue;
             try {
                 const logs = await connector.queryLogs({ service: serviceName, duration, limit: 500 });
+                // Critical-pattern scan — independent of the error-ratio gate, so a
+                // warn-level OOM/leak signal is not silently dropped.
+                const criticalPattern = logs.summary.topPatterns.find((p) => CRITICAL_LOG_PATTERN.test(p));
+                if (criticalPattern) {
+                    allAnomalies.push({
+                        metric: "log_critical_pattern",
+                        severity: "high",
+                        description: `Critical log pattern detected: "${criticalPattern}"`,
+                        currentValue: logs.summary.errorCount + logs.summary.warnCount,
+                        baselineValue: 0,
+                        deviationPercent: 100,
+                        source: connector.name,
+                        service: serviceName,
+                    });
+                }
                 if (logs.summary.errorCount > 5) {
                     const errorRatio = logs.summary.total > 0
                         ? logs.summary.errorCount / logs.summary.total
@@ -123,10 +147,22 @@ export async function detectAnomaliesHandler(registry, args) {
             }
         }
     }
+    // Dependency-aware root-cause ranking. The service graph / change markers
+    // are empty here (no trace source wired yet); ranking then degrades to
+    // severity-weighted ordering and still names the most likely culprit
+    // instead of just listing "both signals bad".
+    const rootCause = allAnomalies.length > 0
+        ? rankRootCause(allAnomalies.map((a) => ({
+            service: a.service,
+            metric: a.metric,
+            severity: a.severity,
+        })))
+        : { ranked: [], summary: "" };
     const result = {
         scannedServices: serviceNames.length,
         anomalies: allAnomalies,
         correlations: allCorrelations,
+        rootCause,
         summary: allAnomalies.length === 0
             ? "All services healthy — no anomalies detected."
             : `${allAnomalies.length} anomal${allAnomalies.length === 1 ? "y" : "ies"} detected across ${[...new Set(allAnomalies.map((a) => a.service))].length} service(s).`,

package/dist/tools/get-service-health.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 import type { HealthThresholds } from "../types.js";
 export declare function setHealthThresholds(t: HealthThresholds): void;
 export declare const getServiceHealthDefinition: {
@@ -17,7 +18,7 @@ export declare const getServiceHealthDefinition: {
 };
 export declare function getServiceHealthHandler(registry: ConnectorRegistry, args: {
     service: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/get-service-health.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 import { calculateHealthScore } from "../analysis/health.js";
 import { detectRecentAnomaly } from "../analysis/anomaly.js";
 import { sanitizeForLog } from "../util/sanitize.js";
@@ -19,7 +20,7 @@ export const getServiceHealthDefinition = {
         required: ["service"],
     },
 };
-export async function getServiceHealthHandler(registry, args) {
+export async function getServiceHealthHandler(registry, args, _ctx = defaultContext()) {
     const metricsConnectors = registry.getBySignal("metrics");
     const logConnectors = registry.getBySignal("logs");
     // Gather metrics

package/dist/tools/handlers.test.js

@@ -3,6 +3,7 @@ import assert from "node:assert/strict";
 import { ConnectorRegistry } from "../connectors/registry.js";
 import { listSourcesHandler } from "./list-sources.js";
 import { listServicesHandler } from "./list-services.js";
+import { detectAnomaliesHandler } from "./detect-anomalies.js";
 // --- Mock Connector ---
 function createMockConnector(overrides) {
     return {
@@ -136,3 +137,75 @@ describe("listServicesHandler", () => {
         assert.equal(data.total, 0);
     });
 });
+describe("detectAnomaliesHandler — A5 memory/OOM coverage", () => {
+    const flatMemory = () => ({
+        source: "prom1", service: "payment-service", metric: "memory", unit: "bytes",
+        values: Array.from({ length: 40 }, (_, i) => ({
+            timestamp: new Date(Date.now() - (40 - i) * 9000).toISOString(),
+            value: 1.3e8 + (i % 3) * 1e6, // noisy, no trend → no metric anomaly
+        })),
+        summary: { current: 1.3e8, average: 1.3e8, min: 1.28e8, max: 1.33e8, trend: "stable" },
+    });
+    it("scans the memory metric (now in KEY_METRICS)", async () => {
+        const requested = [];
+        const reg = createRegistryWithMocks([
+            createMockConnector({
+                name: "prom1", type: "prometheus", signalType: "metrics",
+                listServices: async () => [{ name: "payment-service", source: "prom1", signalType: "metrics" }],
+                queryMetrics: async ({ metric }) => {
+                    requested.push(metric);
+                    return flatMemory();
+                },
+            }),
+        ]);
+        await detectAnomaliesHandler(reg, {});
+        assert.ok(requested.includes("memory"), `memory not scanned; got ${requested.join(",")}`);
+    });
+    it("flags a warn-level OOM log pattern below the error-rate gate", async () => {
+        const reg = createRegistryWithMocks([
+            createMockConnector({
+                name: "prom1", type: "prometheus", signalType: "metrics",
+                listServices: async () => [{ name: "payment-service", source: "prom1", signalType: "metrics" }],
+                queryMetrics: async () => flatMemory(),
+            }),
+            createMockConnector({
+                name: "loki1", type: "loki", signalType: "logs",
+                queryLogs: async () => ({
+                    source: "loki1", service: "payment-service", entries: [],
+                    // Only 4 warn-level lines: errorCount below the >5 gate, ratio tiny.
+                    summary: {
+                        total: 800, errorCount: 4, warnCount: 4,
+                        topPatterns: ["OutOfMemoryWarning: heap usage exceeding threshold (4x)"],
+                    },
+                }),
+            }),
+        ]);
+        const result = await detectAnomaliesHandler(reg, {});
+        const data = JSON.parse(result.content[0].text);
+        const crit = data.anomalies.find((a) => a.metric === "log_critical_pattern");
+        assert.ok(crit, "expected a log_critical_pattern anomaly for the OOM warning");
+        assert.equal(crit.service, "payment-service");
+        assert.equal(crit.severity, "high");
+        assert.equal(data.rootCause.ranked[0].service, "payment-service");
+        assert.notEqual(data.summary, "All services healthy — no anomalies detected.");
+    });
+    it("does not flag benign warn patterns", async () => {
+        const reg = createRegistryWithMocks([
+            createMockConnector({
+                name: "prom1", type: "prometheus", signalType: "metrics",
+                listServices: async () => [{ name: "order-service", source: "prom1", signalType: "metrics" }],
+                queryMetrics: async () => flatMemory(),
+            }),
+            createMockConnector({
+                name: "loki1", type: "loki", signalType: "logs",
+                queryLogs: async () => ({
+                    source: "loki1", service: "order-service", entries: [],
+                    summary: { total: 500, errorCount: 1, warnCount: 2, topPatterns: ["cache miss for key user:42"] },
+                }),
+            }),
+        ]);
+        const result = await detectAnomaliesHandler(reg, {});
+        const data = JSON.parse(result.content[0].text);
+        assert.equal(data.anomalies.length, 0);
+    });
+});

package/dist/tools/list-services.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const listServicesDefinition: {
     name: "list_services";
     description: string;
@@ -14,7 +15,7 @@ export declare const listServicesDefinition: {
 };
 export declare function listServicesHandler(registry: ConnectorRegistry, args: {
     filter?: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/list-services.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 export const listServicesDefinition = {
     name: "list_services",
     description: "List all monitored services discovered across all connected backends. Returns service names, their data sources, and signal types (metrics/logs).",
@@ -11,7 +12,7 @@ export const listServicesDefinition = {
         },
     },
 };
-export async function listServicesHandler(registry, args) {
+export async function listServicesHandler(registry, args, _ctx = defaultContext()) {
     const connectors = registry.getAll();
     const allServices = [];
     for (const connector of connectors) {

package/dist/tools/list-sources.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const listSourcesDefinition: {
     name: "list_sources";
     description: string;
@@ -7,7 +8,7 @@ export declare const listSourcesDefinition: {
         properties: {};
     };
 };
-export declare function listSourcesHandler(registry: ConnectorRegistry): Promise<{
+export declare function listSourcesHandler(registry: ConnectorRegistry, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/list-sources.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 export const listSourcesDefinition = {
     name: "list_sources",
     description: "List all configured observability backends and their connection status. Use this to discover what data sources are available.",
@@ -6,7 +7,7 @@ export const listSourcesDefinition = {
         properties: {},
     },
 };
-export async function listSourcesHandler(registry) {
+export async function listSourcesHandler(registry, _ctx = defaultContext()) {
     const healthResults = await registry.healthCheckAll();
     const connectors = registry.getAll();
     const sources = connectors.map((c) => ({

package/dist/tools/query-logs.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const queryLogsDefinition: {
     name: "query_logs";
     description: string;
@@ -35,7 +36,7 @@ export declare function queryLogsHandler(registry: ConnectorRegistry, args: {
     duration?: string;
     level?: string;
     limit?: number;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/query-logs.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 import { validateDuration, validateServiceName, errorResponse } from "./validation.js";
 export const queryLogsDefinition = {
     name: "query_logs",
@@ -29,7 +30,7 @@ export const queryLogsDefinition = {
         required: ["service"],
     },
 };
-export async function queryLogsHandler(registry, args) {
+export async function queryLogsHandler(registry, args, _ctx = defaultContext()) {
     const svcErr = validateServiceName(args.service);
     if (svcErr)
         return errorResponse(svcErr);

package/dist/tools/query-metrics.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const queryMetricsDefinition: {
     name: "query_metrics";
     description: string;
@@ -35,7 +36,7 @@ export declare function queryMetricsHandler(registry: ConnectorRegistry, args: {
     duration?: string;
     source?: string;
     groupBy?: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/query-metrics.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 import { validateDuration, validateMetricName, validateServiceName, errorResponse } from "./validation.js";
 export const queryMetricsDefinition = {
     name: "query_metrics",
@@ -29,7 +30,14 @@ export const queryMetricsDefinition = {
         required: ["service", "metric"],
     },
 };
-export async function queryMetricsHandler(registry, args) {
+export async function queryMetricsHandler(registry, args, _ctx = defaultContext()) {
+    // Coarse single-tenant source scoping: if the principal is restricted to a
+    // source allow-list, deny an explicit out-of-scope source.
+    if (_ctx.allowedSources &&
+        args.source &&
+        !_ctx.allowedSources.includes(args.source)) {
+        return errorResponse(`forbidden: source "${args.source}" is not in your allowed sources`);
+    }
     const svcErr = validateServiceName(args.service);
     if (svcErr)
         return errorResponse(svcErr);

package/dist/ui/index.html

@@ -122,6 +122,7 @@
     .badge::before { content: ''; width: 6px; height: 6px; border-radius: 50%; background: currentColor; box-shadow: 0 0 6px currentColor; }
     .badge-ok  { background: var(--success-soft); color: var(--success); border: 1px solid rgba(74,222,128,0.25); }
     .badge-err { background: var(--danger-soft);  color: var(--danger);  border: 1px solid rgba(239,91,110,0.30); }
+    .hidden { display: none !important; }
 
     .nav { display: flex; gap: 2px; margin-left: var(--sp-6); }
     .nav-btn {
@@ -490,6 +491,7 @@
       <button class="nav-btn active" data-page="dashboard" onclick="showPage('dashboard')">Dashboard</button>
       <button class="nav-btn" data-page="sources" onclick="showPage('sources')">Sources</button>
       <button class="nav-btn" data-page="services" onclick="showPage('services')">Services</button>
+      <button class="nav-btn" data-page="connectors" onclick="showPage('connectors')">Connectors</button>
       <button class="nav-btn" data-page="health" onclick="showPage('health')">Health</button>
       <button class="nav-btn" data-page="settings" onclick="showPage('settings')">Settings</button>
     </div>
@@ -549,6 +551,40 @@
       <div class="card"><div class="card-header"><h2>Discovered Services</h2></div><div id="services-list"><div class="empty">Loading...</div></div></div>
     </div>
 
+    <!-- ===== Connectors ===== -->
+    <div class="page" id="page-connectors">
+      <div class="card" style="padding:0;">
+        <div class="tabs">
+          <button class="tab-btn active" onclick="showTab('installed')">Installed</button>
+          <button class="tab-btn" onclick="showTab('hub')">Connector Hub</button>
+          <button class="tab-btn" onclick="showTab('upload')">Upload bundle</button>
+        </div>
+
+        <!-- Installed Tab -->
+        <div class="tab-content active" id="tab-installed" style="padding:20px;">
+          <div class="card-header" style="margin-bottom:12px"><h2>Installed connectors</h2><button class="btn btn-ghost btn-sm" onclick="loadConnectors()">Refresh</button></div>
+          <div id="conn-installed"><div class="empty">Loading...</div></div>
+        </div>
+
+        <!-- Connector Hub Tab -->
+        <div class="tab-content" id="tab-hub" style="padding:20px;">
+          <div class="card-header" style="margin-bottom:12px"><h2>Available from the Connector Hub</h2>
+            <a class="btn btn-ghost btn-sm" href="https://thotischner.github.io/observability-mcp/hub/" target="_blank" rel="noopener">Open Hub ↗</a></div>
+          <div id="conn-hub"><div class="empty">Loading...</div></div>
+        </div>
+
+        <!-- Upload bundle Tab -->
+        <div class="tab-content" id="tab-upload" style="padding:20px;">
+          <div class="card-header" style="margin-bottom:12px"><h2>Upload a connector bundle</h2></div>
+          <p class="empty" style="margin:0 0 12px">Install a signed connector <code>.tgz</code> directly — handy for air-gapped environments. The bundle is always verified against the configured trust root before it is loaded.</p>
+          <div style="display:flex;gap:8px;align-items:center;flex-wrap:wrap">
+            <input type="file" id="conn-upload-file" accept=".tgz,.tar.gz,application/octet-stream">
+            <button class="btn btn-primary btn-sm" onclick="uploadConnector(this)">Upload &amp; install</button>
+          </div>
+        </div>
+      </div>
+    </div>
+
     <!-- ===== Health ===== -->
     <div class="page" id="page-health">
       <div id="health-cards" style="display:grid; grid-template-columns: repeat(auto-fill, minmax(340px, 1fr)); gap: 16px;">
@@ -744,12 +780,88 @@ function showPage(name) {
   document.querySelector(`.nav-btn[data-page="${name}"]`).classList.add('active');
   if(name==='settings') loadSettingsData();
   if(name==='health') loadHealthData();
+  if(name==='connectors') loadConnectors();
+}
+
+function escHtml(s){return String(s==null?'':s).replace(/[&<>"]/g,c=>({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;'}[c]));}
+
+async function loadConnectors(){
+  const inst=document.getElementById('conn-installed');
+  const hub=document.getElementById('conn-hub');
+  try {
+    const d=await(await fetch('/api/connectors')).json();
+    const cs=(d.connectors||[]);
+    inst.innerHTML = cs.length ? cs.map(c=>{
+      const caps=Object.entries(c.capabilities||{}).filter(([,v])=>v).map(([k])=>k).join(', ')||'—';
+      return `<div class="card" style="margin:0 0 10px">
+        <div class="card-header"><h2 style="font-size:15px">${escHtml(c.displayName)}
+          <span class="badge">${escHtml(c.source)}</span>
+          ${c.version?`<span class="badge">v${escHtml(c.version)}</span>`:''}</h2></div>
+        <div style="color:var(--text-muted);font-size:13px">${escHtml(c.description)||'<em>no description</em>'}</div>
+        <div style="font-size:12px;color:var(--text-muted);margin-top:6px">type <code>${escHtml(c.name)}</code> · signals ${(c.signalTypes||[]).map(escHtml).join(', ')||'—'} · ${escHtml(caps)}</div>
+      </div>`;
+    }).join('') : '<div class="empty">No connectors loaded.</div>';
+  } catch(e){ inst.innerHTML='<div class="empty">Failed to load connectors.</div>'; }
+
+  try {
+    const d=await(await fetch('/api/hub/catalog')).json();
+    if(d.error){ hub.innerHTML=`<div class="empty">Hub catalog unreachable (${escHtml(d.url)}).<br>Set <code>HUB_CATALOG_URL</code> for a mirror. ${escHtml(d.error)}</div>`; return; }
+    const cs=(d.connectors||[]);
+    hub.innerHTML = cs.length ? cs.map(c=>{
+      const v=(c.versions&&c.versions[0])||{};
+      const ver=c.latest||v.version||'';
+      const status = c.installed
+        ? `<span class="badge badge-ok">installed${c.installedVersion?` v${escHtml(c.installedVersion)}`:''}</span>`
+        : (c.builtin?'<span class="badge">builtin</span>':'<span class="badge">available</span>');
+      const cmd = c.builtin
+        ? `# ${escHtml(c.displayName)} ships in the server image — no install needed.`
+        : `curl -fsSL -o plugin-signing.pub.pem https://raw.githubusercontent.com/ThoTischner/observability-mcp/main/docs/plugin-signing.pub.pem\nomcp plugin install ${escHtml(c.name)}@${escHtml(ver)} --trust-root plugin-signing.pub.pem`;
+      const id='ci-'+c.name;
+      return `<div class="card" style="margin:0 0 10px">
+        <div class="card-header"><h2 style="font-size:15px">${escHtml(c.displayName)}
+          <span class="badge">${escHtml(c.tier)}</span> ${status}</h2>
+          ${c.installed||c.builtin?'':`<span style="display:flex;gap:6px"><button class="btn btn-primary btn-sm" onclick="installConnector('${escHtml(c.name)}',this)">Install</button><button class="btn btn-ghost btn-sm" onclick="document.getElementById('${id}').classList.toggle('hidden')">CLI…</button></span>`}</div>
+        <div style="color:var(--text-muted);font-size:13px">${escHtml(c.description)}</div>
+        <div style="font-size:12px;color:var(--text-muted);margin-top:6px">type <code>${escHtml(c.name)}</code> · signals ${(c.signalTypes||[]).map(escHtml).join(', ')||'—'} · latest <code>${escHtml(ver)||'—'}</code></div>
+        <pre id="${id}" class="hidden" style="margin-top:8px;background:var(--surface-2);padding:10px;border-radius:6px;font-size:12px;overflow:auto">${escHtml(cmd)}</pre>
+      </div>`;
+    }).join('') : '<div class="empty">Catalog empty.</div>';
+  } catch(e){ hub.innerHTML='<div class="empty">Failed to reach the hub catalog.</div>'; }
+}
+
+async function installConnector(name, btn){
+  if(btn){ btn.disabled=true; btn.textContent='Installing…'; }
+  try {
+    const r=await fetch('/api/connectors/install',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({name})});
+    const d=await r.json().catch(()=>({}));
+    if(r.ok){ toast(`Installed ${name}${d.version?(' v'+d.version):''}`); loadConnectors(); loadTypes(); }
+    else if(r.status===403){ toast('UI install disabled — use the CLI tab, or set ENABLE_UI_INSTALL=true + PLUGIN_TRUST_ROOT.'); if(btn){btn.disabled=false;btn.textContent='Install';} }
+    else { toast('Install failed: '+(d.error||r.status)); if(btn){btn.disabled=false;btn.textContent='Install';} }
+  } catch(e){ toast('Install error: '+e.message); if(btn){btn.disabled=false;btn.textContent='Install';} }
+}
+async function uploadConnector(btn){
+  const inp=document.getElementById('conn-upload-file');
+  const f=inp&&inp.files&&inp.files[0];
+  if(!f){ toast('Choose a connector .tgz first'); return; }
+  if(btn){ btn.disabled=true; btn.textContent='Uploading…'; }
+  try {
+    const r=await fetch('/api/connectors/upload',{method:'POST',headers:{'Content-Type':'application/octet-stream'},body:f});
+    const d=await r.json().catch(()=>({}));
+    if(r.ok){ toast(`Installed ${d.name||'connector'}${d.version?(' v'+d.version):''}`); inp.value=''; loadConnectors(); loadTypes(); }
+    else if(r.status===403){ toast('UI install disabled — set ENABLE_UI_INSTALL=true + PLUGIN_TRUST_ROOT.'); }
+    else { toast('Upload failed: '+(d.error||r.status)); }
+  } catch(e){ toast('Upload error: '+e.message); }
+  finally { if(btn){btn.disabled=false;btn.textContent='Upload & install';} }
 }
 function showTab(name) {
-  document.querySelectorAll('.tab-content').forEach(t=>t.classList.remove('active'));
-  document.querySelectorAll('.tab-btn').forEach(b=>b.classList.remove('active'));
-  document.getElementById('tab-'+name).classList.add('active');
-  event.target.classList.add('active');
+  // Scope to the tab group's card so independent tab sets (Settings,
+  // Connectors) don't reset each other.
+  const scope = (event && event.target.closest('.card')) || document;
+  scope.querySelectorAll('.tab-content').forEach(t=>t.classList.remove('active'));
+  scope.querySelectorAll('.tab-btn').forEach(b=>b.classList.remove('active'));
+  const el = document.getElementById('tab-'+name);
+  if (el) el.classList.add('active');
+  if (event && event.target) event.target.classList.add('active');
   if(name==='metrics') populateMetricsSourceSelect();
 }
 function closeModal(id) { document.getElementById(id).classList.remove('open'); }
@@ -1124,6 +1236,9 @@ async function loadInfo(){
   }catch{/* server too old or /api/info disabled */}
 }
 
+// Show the endpoint the user is actually reaching the server through
+// (localhost, a port-forward, or an ingress) — not a hardcoded host.
+document.getElementById('mcp-url').textContent = window.location.origin + '/mcp';
 (async()=>{await loadTypes();await refresh();await loadInfo();setInterval(refresh,15000);})();
 </script>
 

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "@thotischner/observability-mcp",
-  "version": "1.4.0",
+  "version": "1.5.1",
   "description": "Unified observability gateway for AI agents — one MCP server for Prometheus, Loki, and any backend",
   "type": "module",
-  "license": "MIT",
+  "license": "Apache-2.0",
   "mcpName": "io.github.ThoTischner/observability-mcp",
   "repository": {
     "type": "git",
     "url": "https://github.com/ThoTischner/observability-mcp"
   },
+  "homepage": "https://github.com/ThoTischner/observability-mcp#readme",
+  "bugs": {
+    "url": "https://github.com/ThoTischner/observability-mcp/issues"
+  },
   "keywords": [
     "mcp",
     "observability",
@@ -18,7 +22,15 @@
     "anomaly-detection"
   ],
   "bin": {
-    "observability-mcp": "./dist/index.js"
+    "observability-mcp": "./dist/index.js",
+    "omcp": "./dist/cli/index.js"
+  },
+  "exports": {
+    ".": "./dist/index.js",
+    "./analysis": {
+      "types": "./dist/analysis/index.d.ts",
+      "default": "./dist/analysis/index.js"
+    }
   },
   "files": [
     "dist",
@@ -26,12 +38,13 @@
   ],
   "scripts": {
     "dev": "tsx watch src/index.ts",
-    "build": "tsc && cp -r src/ui dist/ui",
+    "build": "tsc && rm -rf dist/ui && cp -r src/ui dist/ui",
     "start": "node dist/index.js"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0",
     "express": "^5.2.1",
+    "express-rate-limit": "^7.5.0",
     "js-yaml": "^4.1.0",
     "prom-client": "^15.1.0",
     "zod": "^4.4.3"
@@ -41,7 +54,7 @@
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.7.0",
     "openapi-types": "^12.1.3",
-    "tsx": "^4.19.0",
+    "tsx": "^4.22.0",
     "typescript": "^6.0.3"
   },
   "overrides": {