@thotischner/observability-mcp 1.4.1 → 1.5.1

package/dist/tools/detect-anomalies.js

@@ -1,4 +1,6 @@
-import { detectRecentAnomaly } from "../analysis/anomaly.js";
+import { defaultContext } from "../context.js";
+import { detectAnomaly, classifyMetric } from "../analysis/anomaly.js";
+import { rankRootCause } from "../analysis/correlator.js";
 export const detectAnomaliesDefinition = {
     name: "detect_anomalies",
     description: "Scan for anomalies across all monitored services (or a specific service). Detects metric deviations using z-score analysis against recent baseline, checks log error spikes, and correlates signals across metrics and logs. Returns anomalies with severity ratings and cross-signal correlations.",
@@ -26,8 +28,12 @@ const SENSITIVITY_THRESHOLDS = {
     medium: 2.0,
     high: 1.5,
 };
-const KEY_METRICS = ["cpu", "error_rate", "latency_p99", "request_rate"];
-export async function detectAnomaliesHandler(registry, args) {
+const KEY_METRICS = ["cpu", "memory", "error_rate", "latency_p99", "request_rate"];
+// Patterns that signal a serious incident even at warn level and even when
+// the overall error ratio is low (e.g. a memory leak emits a handful of
+// "OutOfMemoryWarning" lines long before it turns into 5xx errors).
+const CRITICAL_LOG_PATTERN = /\b(out\s?of\s?memory|oom|outofmemory|heap (usage|exhaust)|memory leak|panic|fatal|deadlock|segfault|stack overflow|cannot allocate)\b/i;
+export async function detectAnomaliesHandler(registry, args, _ctx = defaultContext()) {
     const duration = args.duration || "10m";
     const threshold = SENSITIVITY_THRESHOLDS[args.sensitivity || "medium"] || 2.0;
     // Discover services to scan
@@ -56,18 +62,21 @@ export async function detectAnomaliesHandler(registry, args) {
             for (const metric of KEY_METRICS) {
                 try {
                     const result = await connector.queryMetrics({ service: serviceName, metric, duration });
-                    const values = result.values.map((v) => v.value);
-                    const anomaly = detectRecentAnomaly(values, 5, threshold);
+                    const points = result.values.map((v) => ({ timestamp: v.timestamp, value: v.value }));
+                    const anomaly = detectAnomaly(points, {
+                        threshold,
+                        metricKind: classifyMetric(metric),
+                    });
                     if (anomaly.isAnomaly) {
-                        const deviationPercent = anomaly.baselineAvg === 0
+                        const deviationPercent = anomaly.baselineValue === 0
                             ? 100
-                            : Math.round(((anomaly.recentAvg - anomaly.baselineAvg) / anomaly.baselineAvg) * 100);
+                            : Math.round(((anomaly.recentValue - anomaly.baselineValue) / anomaly.baselineValue) * 100);
                         allAnomalies.push({
                             metric,
-                            severity: Math.abs(anomaly.zScore) >= 3 ? "high" : Math.abs(anomaly.zScore) >= 2 ? "medium" : "low",
-                            description: `${metric} is ${anomaly.zScore.toFixed(1)}σ ${anomaly.zScore > 0 ? "above" : "below"} baseline (${anomaly.baselineAvg.toFixed(2)} → ${anomaly.recentAvg.toFixed(2)})`,
-                            currentValue: anomaly.recentAvg,
-                            baselineValue: anomaly.baselineAvg,
+                            severity: Math.abs(anomaly.score) >= 6 ? "high" : Math.abs(anomaly.score) >= 4 ? "medium" : "low",
+                            description: `${metric}: ${anomaly.reason}`,
+                            currentValue: anomaly.recentValue,
+                            baselineValue: anomaly.baselineValue,
                             deviationPercent,
                             source: connector.name,
                             service: serviceName,
@@ -85,6 +94,21 @@ export async function detectAnomaliesHandler(registry, args) {
                 continue;
             try {
                 const logs = await connector.queryLogs({ service: serviceName, duration, limit: 500 });
+                // Critical-pattern scan — independent of the error-ratio gate, so a
+                // warn-level OOM/leak signal is not silently dropped.
+                const criticalPattern = logs.summary.topPatterns.find((p) => CRITICAL_LOG_PATTERN.test(p));
+                if (criticalPattern) {
+                    allAnomalies.push({
+                        metric: "log_critical_pattern",
+                        severity: "high",
+                        description: `Critical log pattern detected: "${criticalPattern}"`,
+                        currentValue: logs.summary.errorCount + logs.summary.warnCount,
+                        baselineValue: 0,
+                        deviationPercent: 100,
+                        source: connector.name,
+                        service: serviceName,
+                    });
+                }
                 if (logs.summary.errorCount > 5) {
                     const errorRatio = logs.summary.total > 0
                         ? logs.summary.errorCount / logs.summary.total
@@ -123,10 +147,22 @@ export async function detectAnomaliesHandler(registry, args) {
             }
         }
     }
+    // Dependency-aware root-cause ranking. The service graph / change markers
+    // are empty here (no trace source wired yet); ranking then degrades to
+    // severity-weighted ordering and still names the most likely culprit
+    // instead of just listing "both signals bad".
+    const rootCause = allAnomalies.length > 0
+        ? rankRootCause(allAnomalies.map((a) => ({
+            service: a.service,
+            metric: a.metric,
+            severity: a.severity,
+        })))
+        : { ranked: [], summary: "" };
     const result = {
         scannedServices: serviceNames.length,
         anomalies: allAnomalies,
         correlations: allCorrelations,
+        rootCause,
         summary: allAnomalies.length === 0
             ? "All services healthy — no anomalies detected."
             : `${allAnomalies.length} anomal${allAnomalies.length === 1 ? "y" : "ies"} detected across ${[...new Set(allAnomalies.map((a) => a.service))].length} service(s).`,

package/dist/tools/get-service-health.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 import type { HealthThresholds } from "../types.js";
 export declare function setHealthThresholds(t: HealthThresholds): void;
 export declare const getServiceHealthDefinition: {
@@ -17,7 +18,7 @@ export declare const getServiceHealthDefinition: {
 };
 export declare function getServiceHealthHandler(registry: ConnectorRegistry, args: {
     service: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/get-service-health.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 import { calculateHealthScore } from "../analysis/health.js";
 import { detectRecentAnomaly } from "../analysis/anomaly.js";
 import { sanitizeForLog } from "../util/sanitize.js";
@@ -19,7 +20,7 @@ export const getServiceHealthDefinition = {
         required: ["service"],
     },
 };
-export async function getServiceHealthHandler(registry, args) {
+export async function getServiceHealthHandler(registry, args, _ctx = defaultContext()) {
     const metricsConnectors = registry.getBySignal("metrics");
     const logConnectors = registry.getBySignal("logs");
     // Gather metrics

package/dist/tools/handlers.test.js

@@ -3,6 +3,7 @@ import assert from "node:assert/strict";
 import { ConnectorRegistry } from "../connectors/registry.js";
 import { listSourcesHandler } from "./list-sources.js";
 import { listServicesHandler } from "./list-services.js";
+import { detectAnomaliesHandler } from "./detect-anomalies.js";
 // --- Mock Connector ---
 function createMockConnector(overrides) {
     return {
@@ -136,3 +137,75 @@ describe("listServicesHandler", () => {
         assert.equal(data.total, 0);
     });
 });
+describe("detectAnomaliesHandler — A5 memory/OOM coverage", () => {
+    const flatMemory = () => ({
+        source: "prom1", service: "payment-service", metric: "memory", unit: "bytes",
+        values: Array.from({ length: 40 }, (_, i) => ({
+            timestamp: new Date(Date.now() - (40 - i) * 9000).toISOString(),
+            value: 1.3e8 + (i % 3) * 1e6, // noisy, no trend → no metric anomaly
+        })),
+        summary: { current: 1.3e8, average: 1.3e8, min: 1.28e8, max: 1.33e8, trend: "stable" },
+    });
+    it("scans the memory metric (now in KEY_METRICS)", async () => {
+        const requested = [];
+        const reg = createRegistryWithMocks([
+            createMockConnector({
+                name: "prom1", type: "prometheus", signalType: "metrics",
+                listServices: async () => [{ name: "payment-service", source: "prom1", signalType: "metrics" }],
+                queryMetrics: async ({ metric }) => {
+                    requested.push(metric);
+                    return flatMemory();
+                },
+            }),
+        ]);
+        await detectAnomaliesHandler(reg, {});
+        assert.ok(requested.includes("memory"), `memory not scanned; got ${requested.join(",")}`);
+    });
+    it("flags a warn-level OOM log pattern below the error-rate gate", async () => {
+        const reg = createRegistryWithMocks([
+            createMockConnector({
+                name: "prom1", type: "prometheus", signalType: "metrics",
+                listServices: async () => [{ name: "payment-service", source: "prom1", signalType: "metrics" }],
+                queryMetrics: async () => flatMemory(),
+            }),
+            createMockConnector({
+                name: "loki1", type: "loki", signalType: "logs",
+                queryLogs: async () => ({
+                    source: "loki1", service: "payment-service", entries: [],
+                    // Only 4 warn-level lines: errorCount below the >5 gate, ratio tiny.
+                    summary: {
+                        total: 800, errorCount: 4, warnCount: 4,
+                        topPatterns: ["OutOfMemoryWarning: heap usage exceeding threshold (4x)"],
+                    },
+                }),
+            }),
+        ]);
+        const result = await detectAnomaliesHandler(reg, {});
+        const data = JSON.parse(result.content[0].text);
+        const crit = data.anomalies.find((a) => a.metric === "log_critical_pattern");
+        assert.ok(crit, "expected a log_critical_pattern anomaly for the OOM warning");
+        assert.equal(crit.service, "payment-service");
+        assert.equal(crit.severity, "high");
+        assert.equal(data.rootCause.ranked[0].service, "payment-service");
+        assert.notEqual(data.summary, "All services healthy — no anomalies detected.");
+    });
+    it("does not flag benign warn patterns", async () => {
+        const reg = createRegistryWithMocks([
+            createMockConnector({
+                name: "prom1", type: "prometheus", signalType: "metrics",
+                listServices: async () => [{ name: "order-service", source: "prom1", signalType: "metrics" }],
+                queryMetrics: async () => flatMemory(),
+            }),
+            createMockConnector({
+                name: "loki1", type: "loki", signalType: "logs",
+                queryLogs: async () => ({
+                    source: "loki1", service: "order-service", entries: [],
+                    summary: { total: 500, errorCount: 1, warnCount: 2, topPatterns: ["cache miss for key user:42"] },
+                }),
+            }),
+        ]);
+        const result = await detectAnomaliesHandler(reg, {});
+        const data = JSON.parse(result.content[0].text);
+        assert.equal(data.anomalies.length, 0);
+    });
+});

package/dist/tools/list-services.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const listServicesDefinition: {
     name: "list_services";
     description: string;
@@ -14,7 +15,7 @@ export declare const listServicesDefinition: {
 };
 export declare function listServicesHandler(registry: ConnectorRegistry, args: {
     filter?: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/list-services.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 export const listServicesDefinition = {
     name: "list_services",
     description: "List all monitored services discovered across all connected backends. Returns service names, their data sources, and signal types (metrics/logs).",
@@ -11,7 +12,7 @@ export const listServicesDefinition = {
         },
     },
 };
-export async function listServicesHandler(registry, args) {
+export async function listServicesHandler(registry, args, _ctx = defaultContext()) {
     const connectors = registry.getAll();
     const allServices = [];
     for (const connector of connectors) {

package/dist/tools/list-sources.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const listSourcesDefinition: {
     name: "list_sources";
     description: string;
@@ -7,7 +8,7 @@ export declare const listSourcesDefinition: {
         properties: {};
     };
 };
-export declare function listSourcesHandler(registry: ConnectorRegistry): Promise<{
+export declare function listSourcesHandler(registry: ConnectorRegistry, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/list-sources.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 export const listSourcesDefinition = {
     name: "list_sources",
     description: "List all configured observability backends and their connection status. Use this to discover what data sources are available.",
@@ -6,7 +7,7 @@ export const listSourcesDefinition = {
         properties: {},
     },
 };
-export async function listSourcesHandler(registry) {
+export async function listSourcesHandler(registry, _ctx = defaultContext()) {
     const healthResults = await registry.healthCheckAll();
     const connectors = registry.getAll();
     const sources = connectors.map((c) => ({

package/dist/tools/query-logs.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const queryLogsDefinition: {
     name: "query_logs";
     description: string;
@@ -35,7 +36,7 @@ export declare function queryLogsHandler(registry: ConnectorRegistry, args: {
     duration?: string;
     level?: string;
     limit?: number;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/query-logs.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 import { validateDuration, validateServiceName, errorResponse } from "./validation.js";
 export const queryLogsDefinition = {
     name: "query_logs",
@@ -29,7 +30,7 @@ export const queryLogsDefinition = {
         required: ["service"],
     },
 };
-export async function queryLogsHandler(registry, args) {
+export async function queryLogsHandler(registry, args, _ctx = defaultContext()) {
     const svcErr = validateServiceName(args.service);
     if (svcErr)
         return errorResponse(svcErr);

package/dist/tools/query-metrics.d.ts

@@ -1,4 +1,5 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
 export declare const queryMetricsDefinition: {
     name: "query_metrics";
     description: string;
@@ -35,7 +36,7 @@ export declare function queryMetricsHandler(registry: ConnectorRegistry, args: {
     duration?: string;
     source?: string;
     groupBy?: string;
-}): Promise<{
+}, _ctx?: RequestContext): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/query-metrics.js

@@ -1,3 +1,4 @@
+import { defaultContext } from "../context.js";
 import { validateDuration, validateMetricName, validateServiceName, errorResponse } from "./validation.js";
 export const queryMetricsDefinition = {
     name: "query_metrics",
@@ -29,7 +30,14 @@ export const queryMetricsDefinition = {
         required: ["service", "metric"],
     },
 };
-export async function queryMetricsHandler(registry, args) {
+export async function queryMetricsHandler(registry, args, _ctx = defaultContext()) {
+    // Coarse single-tenant source scoping: if the principal is restricted to a
+    // source allow-list, deny an explicit out-of-scope source.
+    if (_ctx.allowedSources &&
+        args.source &&
+        !_ctx.allowedSources.includes(args.source)) {
+        return errorResponse(`forbidden: source "${args.source}" is not in your allowed sources`);
+    }
     const svcErr = validateServiceName(args.service);
     if (svcErr)
         return errorResponse(svcErr);

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@thotischner/observability-mcp",
-  "version": "1.4.1",
+  "version": "1.5.1",
   "description": "Unified observability gateway for AI agents — one MCP server for Prometheus, Loki, and any backend",
   "type": "module",
-  "license": "MIT",
+  "license": "Apache-2.0",
   "mcpName": "io.github.ThoTischner/observability-mcp",
   "repository": {
     "type": "git",
@@ -25,6 +25,13 @@
     "observability-mcp": "./dist/index.js",
     "omcp": "./dist/cli/index.js"
   },
+  "exports": {
+    ".": "./dist/index.js",
+    "./analysis": {
+      "types": "./dist/analysis/index.d.ts",
+      "default": "./dist/analysis/index.js"
+    }
+  },
   "files": [
     "dist",
     "config"
@@ -37,6 +44,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0",
     "express": "^5.2.1",
+    "express-rate-limit": "^7.5.0",
     "js-yaml": "^4.1.0",
     "prom-client": "^15.1.0",
     "zod": "^4.4.3"