@thotischner/observability-mcp 1.8.1 → 3.0.0

package/dist/openapi.js

@@ -23,6 +23,10 @@ const SOURCE_SCHEMA = {
         },
         tls: { type: "object", additionalProperties: true },
         signalType: { type: "string", enum: ["metrics", "logs", "traces"] },
+        tenant: {
+            type: "string",
+            description: "Tenant this source belongs to. Omitted = global (visible to every tenant). Tagged sources are visible only inside their named tenant; cross-tenant probes return 404 with no existence leak.",
+        },
     },
     additionalProperties: true,
 };
@@ -60,21 +64,27 @@ export function buildOpenApiSpec(version) {
             "/api/sources": {
                 get: {
                     tags: ["sources"],
-                    summary: "List configured sources with live health.",
+                    summary: "List configured sources with live health (tenant-scoped).",
+                    description: "Non-admin callers see only their own tenant's sources + globals (untagged). Admins (users:delete) see every source; pass ?tenant=X for an admin drill-down to that tenant + globals. Anonymous mode bypasses scoping (single-tenant default).",
+                    parameters: [
+                        { name: "tenant", in: "query", schema: { type: "string" }, description: "Admin-only tenant drill-down (silently ignored for non-admins, who are scoped to their own tenant)." },
+                    ],
                     responses: {
                         "200": {
-                            description: "Sources with status, latency, signal type.",
+                            description: "Sources with status, latency, signal type. The `tenant` field is present when the source is tagged.",
                             content: { "application/json": { schema: { type: "array", items: SOURCE_SCHEMA } } },
                         },
                     },
                 },
                 post: {
                     tags: ["sources"],
-                    summary: "Add a new source.",
+                    summary: "Add a new source (tenant-aware).",
+                    description: "Body may include `tenant` to tag the source. Non-admins may only create within their own tenant; setting body.tenant to another value returns 403. Admins may leave tenant unset (global) or set any value.",
                     requestBody: { required: true, content: { "application/json": { schema: SOURCE_SCHEMA } } },
                     responses: {
                         "201": { description: "Source created." },
                         "400": { description: "Validation error." },
+                        "403": { description: "Non-admin attempting to create in another tenant." },
                         "409": { description: "Source with that name already exists." },
                     },
                 },
@@ -107,14 +117,23 @@ export function buildOpenApiSpec(version) {
                 parameters: [{ name: "name", in: "path", required: true, schema: { type: "string" } }],
                 put: {
                     tags: ["sources"],
-                    summary: "Replace an existing source.",
+                    summary: "Replace an existing source (tenant-aware).",
+                    description: "Non-admin probes of a cross-tenant source return 404 (no existence leak — same posture as /api/products). Non-admins attempting to reassign body.tenant return 403. Admins may move sources between tenants.",
                     requestBody: { required: true, content: { "application/json": { schema: SOURCE_SCHEMA } } },
-                    responses: { "200": { description: "Updated." }, "404": { description: "Not found." } },
+                    responses: {
+                        "200": { description: "Updated." },
+                        "403": { description: "Non-admin attempting tenant reassignment." },
+                        "404": { description: "Not found (or hidden by tenant scope)." },
+                    },
                 },
                 delete: {
                     tags: ["sources"],
                     summary: "Remove a source.",
-                    responses: { "204": { description: "Removed." }, "404": { description: "Not found." } },
+                    description: "Cross-tenant deletes return 404 (no existence leak).",
+                    responses: {
+                        "204": { description: "Removed." },
+                        "404": { description: "Not found (or hidden by tenant scope)." },
+                    },
                 },
             },
             "/api/source-types": {
@@ -129,6 +148,35 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/tools/registry": {
+                get: {
+                    tags: ["products"],
+                    summary: "MCP tool catalogue — name + category + one-line summary, used by the Products picker.",
+                    description: "Static metadata derived from REGISTERED_TOOLS. The Products modal pulls this to populate a multi-select picker grouped by category (discovery / query / diagnose / topology); the server-side typo guard (PR #343) stays as defence-in-depth.",
+                    responses: {
+                        "200": {
+                            description: "Tool registry.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        properties: {
+                                            tools: {
+                                                type: "array",
+                                                items: {
+                                                    type: "object",
+                                                    required: ["name", "category", "summary"],
+                                                    properties: {
+                                                        name: { type: "string" },
+                                                        category: { type: "string", enum: ["discovery", "query", "diagnose", "topology"] },
+                                                        summary: { type: "string" },
+                                                    },
+                                                },
+                                            },
+                                        },
+                                    } } },
+                        },
+                    },
+                },
+            },
             "/api/services": {
                 get: {
                     tags: ["services"],
@@ -478,11 +526,12 @@ export function buildOpenApiSpec(version) {
             "/api/policy": {
                 get: {
                     tags: ["auth"],
-                    summary: "Read-only view of the active RBAC policy (admin-only). Dry-run probe with ?resource=&action=&roles=.",
+                    summary: "Read-only view of the active RBAC policy (admin-only). Dry-run probe with ?resource=&action=&roles=[&tenant=].",
                     parameters: [
                         { name: "roles", in: "query", required: false, schema: { type: "string" }, description: "Comma-separated role names to probe. Defaults to none (treated as anonymous → always denied)." },
                         { name: "resource", in: "query", required: false, schema: { type: "string" }, description: "Resource to probe. Pair with `action` to enter dry-run mode." },
                         { name: "action", in: "query", required: false, schema: { type: "string" }, description: "Action to probe. Pair with `resource` to enter dry-run mode." },
+                        { name: "tenant", in: "query", required: false, schema: { type: "string" }, description: "Tenant to probe under (dry-run only). Defaults to the caller's session tenant; admins may override to probe verdicts for any tenant — exactly how to debug tenant-conditional Rego rules under the OPA engine." },
                     ],
                     responses: {
                         "200": {
@@ -493,6 +542,7 @@ export function buildOpenApiSpec(version) {
                                         type: "object",
                                         properties: {
                                             engine: { type: "string", description: "Identifier of the active engine: 'builtin', 'file:<path>', 'opa:<url>'." },
+                                            tenantAware: { type: "boolean", description: "True when the active engine honours session.tenant on .evaluate() — i.e. OPA. Built-in / file-loaded engines ignore tenant ctx (false)." },
                                             policy: { type: "object", additionalProperties: true },
                                             roles: { type: "array", items: { type: "string" } },
                                             note: { type: "string" },
@@ -502,6 +552,7 @@ export function buildOpenApiSpec(version) {
                                                     roles: { type: "array", items: { type: "string" } },
                                                     resource: { type: "string" },
                                                     action: { type: "string" },
+                                                    tenant: { type: "string", description: "Tenant the probe ran under (echoed from ?tenant= or the caller's session)." },
                                                     allowed: { type: "boolean" },
                                                     reason: { type: "string" },
                                                 },
@@ -515,6 +566,97 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/policy/roles/{name}": {
+                put: {
+                    tags: ["auth"],
+                    summary: "Upsert a role in the file-backed RBAC policy (admin-only, file engine only).",
+                    description: "Writes through OMCP_RBAC_POLICY_FILE atomically. 409 if the active engine isn't `file:…` or the env var is unset. Permissions are validated against VALID_RESOURCES + VALID_ACTIONS; unknown values return 422 with code OMCP_POLICY_UNKNOWN_RESOURCE / OMCP_POLICY_UNKNOWN_ACTION. On success the in-memory PolicyEngine is hot-swapped — existing gates pick up the new policy without a server restart.",
+                    parameters: [
+                        { name: "name", in: "path", required: true, schema: { type: "string" } },
+                    ],
+                    requestBody: {
+                        required: true,
+                        content: { "application/json": { schema: {
+                                    type: "object",
+                                    required: ["permissions"],
+                                    properties: { permissions: { type: "array", items: { type: "object", properties: {
+                                                    resource: { type: "string" },
+                                                    action: { type: "string" },
+                                                } } } },
+                                } } },
+                    },
+                    responses: {
+                        "200": { description: "Role saved + hot-swapped." },
+                        "400": { description: "Body shape invalid OR role name pattern rejected." },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                        "409": { description: "Active engine isn't `file:…`, or OMCP_RBAC_POLICY_FILE unset (codes: OMCP_POLICY_ENGINE_NOT_FILE / OMCP_POLICY_FILE_NOT_SET)." },
+                        "422": { description: "Unknown resource or action (codes: OMCP_POLICY_UNKNOWN_RESOURCE / OMCP_POLICY_UNKNOWN_ACTION)." },
+                    },
+                },
+            },
+            "/api/users/{username}/roles": {
+                put: {
+                    tags: ["auth"],
+                    summary: "Update a local user's role assignments (admin-only, file-backed).",
+                    description: "Writes through OMCP_USERS_FILE. Roles are validated against the active policy engine's role catalogue; unknown role names return 422 with OMCP_USER_UNKNOWN_ROLE. The in-memory user store is refreshed atomically after the file write so the next login picks up the new roles without a server restart.",
+                    parameters: [
+                        { name: "username", in: "path", required: true, schema: { type: "string" } },
+                    ],
+                    requestBody: {
+                        required: true,
+                        content: { "application/json": { schema: {
+                                    type: "object",
+                                    required: ["roles"],
+                                    properties: { roles: { type: "array", items: { type: "string" } } },
+                                } } },
+                    },
+                    responses: {
+                        "200": { description: "Roles updated." },
+                        "400": { description: "Body must be { roles: string[] }." },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                        "404": { description: "User not found OR users file unreadable." },
+                        "409": { description: "OMCP_USERS_FILE is not configured — basic-mode user roles can't be edited via the API." },
+                        "422": { description: "tools[] references unknown role names. Body includes `unknown` + `available`; error code OMCP_USER_UNKNOWN_ROLE." },
+                    },
+                },
+            },
+            "/api/subjects": {
+                get: {
+                    tags: ["auth"],
+                    summary: "Aggregated subjects view — local users + API-key names + OIDC group mappings (admin-only).",
+                    description: "Read-only catalogue of the principals an OMCP deployment knows about. Three independent sources: OMCP_USERS_FILE (users), OMCP_API_KEYS (apiKeys), OMCP_OIDC_ROLE_MAP (oidcGroups). Tokens + password hashes are never returned — only metadata.",
+                    responses: {
+                        "200": {
+                            description: "Subjects payload.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        properties: {
+                                            users: { type: "array", items: { type: "object", properties: {
+                                                        username: { type: "string" }, name: { type: "string" },
+                                                        roles: { type: "array", items: { type: "string" } },
+                                                        tenant: { type: "string" },
+                                                    } } },
+                                            apiKeys: { type: "array", items: { type: "object", properties: {
+                                                        name: { type: "string" }, tenant: { type: "string" },
+                                                        productId: { type: "string" },
+                                                        bypassRedaction: { type: "boolean" },
+                                                        allowedSources: { type: "array", items: { type: "string" } },
+                                                    } } },
+                                            oidcGroups: { type: "array", items: { type: "object", properties: {
+                                                        claim: { type: "string" }, role: { type: "string" },
+                                                    } } },
+                                            sources: { type: "object", properties: {
+                                                    users: { type: ["string", "null"] },
+                                                    apiKeys: { type: ["string", "null"] },
+                                                    oidcGroups: { type: ["string", "null"] },
+                                                } },
+                                        },
+                                    } } },
+                        },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                    },
+                },
+            },
             "/api/products": {
                 get: {
                     tags: ["products"],
@@ -542,6 +684,25 @@ export function buildOpenApiSpec(version) {
                         "403": { description: "Missing products:read permission." },
                     },
                 },
+                post: {
+                    tags: ["products"],
+                    summary: "Create a new product (strict create — 409 on conflict; PUT for upsert).",
+                    description: "Strict create-only variant of PUT. Same tenancy + typo-guard posture. Returns 409 when a product with body.id already exists. Body must include id + name; tools[] entries must reference registered MCP tool names (typo → 422).",
+                    requestBody: {
+                        required: true,
+                        content: { "application/json": { schema: { type: "object", additionalProperties: true } } },
+                    },
+                    responses: {
+                        "201": { description: "Created.", content: { "application/json": { schema: { type: "object", properties: {
+                                            product: { type: "object", additionalProperties: true },
+                                            persisted: { type: "boolean" },
+                                        } } } } },
+                        "400": { description: "Body invalid (missing id / shape rejected by validateProduct)." },
+                        "403": { description: "Missing products:write permission, or non-admin attempting to create in another tenant." },
+                        "409": { description: "Product with that id already exists — use PUT to update." },
+                        "422": { description: "tools[] references unknown tool names. Body includes `unknown` + `available`; error code OMCP_PRODUCT_UNKNOWN_TOOL." },
+                    },
+                },
             },
             "/api/products/{id}": {
                 get: {
@@ -577,6 +738,7 @@ export function buildOpenApiSpec(version) {
                         "400": { description: "Body shape invalid (validateProduct rejected — typo, unknown key, wrong type, ...)." },
                         "403": { description: "Missing products:write permission, or non-admin attempting to write into another tenant." },
                         "404": { description: "Existing product belongs to a different tenant (non-admin)." },
+                        "422": { description: "tools[] references unknown tool names. Body includes `unknown` + `available`; error code OMCP_PRODUCT_UNKNOWN_TOOL." },
                     },
                 },
                 delete: {
@@ -592,6 +754,52 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/products/{id}/preview": {
+                get: {
+                    tags: ["products"],
+                    summary: "Agent preview — the filtered tools/list a credential bound to this product would receive.",
+                    description: "Same tenancy + staging filter as GET /api/products/{id}. Returns the product's branding/identity metadata + the registered MCP tools after applying its tools allow-list. The UI uses this for the per-card 'Preview as agent' affordance.",
+                    parameters: [
+                        { name: "id", in: "path", required: true, schema: { type: "string" } },
+                    ],
+                    responses: {
+                        "200": {
+                            description: "Preview payload.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        required: ["product", "unrestricted", "tools"],
+                                        properties: {
+                                            product: {
+                                                type: "object",
+                                                properties: {
+                                                    id: { type: "string" },
+                                                    name: { type: "string" },
+                                                    version: { type: "string" },
+                                                    branding: { type: "object", additionalProperties: true },
+                                                    tenant: { type: "string" },
+                                                    status: { type: "string" },
+                                                },
+                                            },
+                                            unrestricted: { type: "boolean", description: "True when the product has no tools allow-list — the bound agent sees every registered tool." },
+                                            tools: {
+                                                type: "array",
+                                                items: {
+                                                    type: "object",
+                                                    properties: {
+                                                        name: { type: "string" },
+                                                        category: { type: "string", enum: ["discovery", "query", "diagnose", "topology"] },
+                                                        summary: { type: "string" },
+                                                    },
+                                                },
+                                            },
+                                        },
+                                    } } },
+                        },
+                        "404": { description: "Not found (or hidden by tenant / staging scope)." },
+                        "403": { description: "Missing products:read permission." },
+                    },
+                },
+            },
             "/api/catalog": {
                 get: {
                     tags: ["catalog"],

package/dist/openapi.test.js

@@ -13,6 +13,7 @@ test("openapi — every user-visible /api path is documented", () => {
         "/api/sources/{name}",
         "/api/sources/{name}/metrics",
         "/api/source-types",
+        "/api/tools/registry",
         "/api/settings",
         "/api/health-thresholds",
         "/api/me",
@@ -24,9 +25,13 @@ test("openapi — every user-visible /api path is documented", () => {
         "/api/audit",
         "/api/usage",
         "/api/policy",
+        "/api/subjects",
+        "/api/users/{username}/roles",
+        "/api/policy/roles/{name}",
         "/api/catalog",
         "/api/products",
         "/api/products/{id}",
+        "/api/products/{id}/preview",
         "/api/info",
         "/api/openapi.json",
     ];
@@ -62,3 +67,32 @@ test("openapi — info.version is the version string the caller passed in", () =
     const spec = buildOpenApiSpec("9.9.9-test");
     assert.equal(spec.info?.version, "9.9.9-test");
 });
+test("openapi — SOURCE_SCHEMA exposes the tenant field (tenant-aware sources contract)", () => {
+    // Source entries gained a `tenant` field when per-tenant connector
+    // scoping shipped. The spec is the contract operators write
+    // generated clients against — drift = broken downstream clients.
+    const spec = buildOpenApiSpec("test-1.0.0");
+    // SOURCE_SCHEMA is inlined into both `items` of GET /api/sources and
+    // the requestBody of POST/PUT — pick the GET response, the canonical
+    // read path.
+    const sources = spec.paths?.["/api/sources"]?.get;
+    const items = sources.responses["200"].content["application/json"].schema.items;
+    assert.ok(items.properties.tenant, "SOURCE_SCHEMA must document `tenant` (added when per-tenant scoping shipped)");
+});
+test("openapi — /api/sources GET documents the admin `?tenant=` drill-down query param", () => {
+    const spec = buildOpenApiSpec("test-1.0.0");
+    const get = spec.paths?.["/api/sources"]?.get;
+    const params = get.parameters || [];
+    const tenantParam = params.find((p) => p.name === "tenant" && p.in === "query");
+    assert.ok(tenantParam, "GET /api/sources must document the admin `?tenant=` drill-down param");
+});
+test("openapi — /api/policy GET documents the `?tenant=` probe param + `tenantAware` snapshot field", () => {
+    const spec = buildOpenApiSpec("test-1.0.0");
+    const get = spec.paths?.["/api/policy"]?.get;
+    const params = get.parameters || [];
+    assert.ok(params.some((p) => p.name === "tenant" && p.in === "query"), "GET /api/policy must document the `?tenant=` probe param");
+    const schema = get.responses["200"].content["application/json"].schema;
+    assert.ok(schema.properties.tenantAware, "snapshot must document the `tenantAware` field");
+    const dryRun = schema.properties.dryRun;
+    assert.ok(dryRun?.properties?.tenant, "dryRun must echo the `tenant` field so operators see which tenant the verdict ran under");
+});

package/dist/postmortem/synthesizer.d.ts

@@ -0,0 +1,83 @@
+export interface AnomalySample {
+    ts: string;
+    service: string;
+    score: number;
+    method: string;
+    severity: string;
+    signal?: string;
+}
+export interface BlastRadiusNode {
+    id: string;
+    kind: string;
+    name: string;
+    /** Whether this node is the suspected root cause (the input service). */
+    root?: boolean;
+}
+export interface TraceSummary {
+    traceId: string;
+    rootName: string;
+    rootService: string;
+    durationMs: number;
+    hasError: boolean;
+}
+export interface PostmortemInput {
+    /** Suspected root-cause service (the operator's first guess). */
+    service: string;
+    /** Rolling window the incident took place in, e.g. "2h", "6h". */
+    window: string;
+    /** Tenant the incident occurred in. */
+    tenant: string;
+    /** RFC-3339 start + end of the incident window for human display. */
+    fromIso: string;
+    toIso: string;
+    /** Live anomaly samples within the window. */
+    anomalies: AnomalySample[];
+    /** Blast-radius graph at peak. */
+    blastRadius: {
+        nodes: BlastRadiusNode[];
+        edges: Array<{
+            from: string;
+            to: string;
+            relation: string;
+        }>;
+    };
+    /** Trace summaries (top by duration). */
+    traces: TraceSummary[];
+    /** Optional log-error summary lines, e.g. ["payment-service: 412 5xx in window"]. */
+    logHighlights?: string[];
+}
+export interface PostmortemReport {
+    service: string;
+    window: string;
+    fromIso: string;
+    toIso: string;
+    /** Compact synopsis the UI puts at the top of the report. */
+    synopsis: string;
+    /** Markdown body of the full report. */
+    markdown: string;
+    /** Structured form for callers that want to render their own UI. */
+    sections: {
+        timeline: Array<{
+            ts: string;
+            service: string;
+            score: number;
+            severity: string;
+            method: string;
+        }>;
+        blastRadius: {
+            nodes: BlastRadiusNode[];
+            edgeCount: number;
+        };
+        topTraces: TraceSummary[];
+        contributingSignals: Array<{
+            signal: string;
+            count: number;
+            meanScore: number;
+        }>;
+        followUps: string[];
+        logHighlights: string[];
+    };
+}
+/** Synthesise one report from already-fetched primitives. Pure
+ *  compute — no I/O. */
+export declare function synthesizePostmortem(input: PostmortemInput): PostmortemReport;

package/dist/postmortem/synthesizer.js

@@ -0,0 +1,205 @@
+// Auto-post-mortem synthesizer — Phase F19.
+//
+// Stitches together the existing observability primitives — anomaly
+// history (F15), blast-radius (F13/topology), trace summaries (F13),
+// log-derived error patterns (existing query_logs) — into a single
+// markdown report a human (or LLM) can read in one shot.
+//
+// The synthesizer is pure-ish: it accepts the upstream queries as
+// injected functions so the tool layer can compose them without the
+// synthesizer depending on the entire ConnectorRegistry API. Tests
+// inject fake data and don't need a live demo stack.
+/** Synthesise one report from already-fetched primitives. Pure
+ *  compute — no I/O. */
+export function synthesizePostmortem(input) {
+    const timeline = [...input.anomalies]
+        .sort((a, b) => a.ts.localeCompare(b.ts))
+        .map((a) => ({ ts: a.ts, service: a.service, score: a.score, severity: a.severity, method: a.method }));
+    const contributingSignals = aggregateBySignal(input.anomalies);
+    const peakScore = input.anomalies.reduce((m, a) => Math.max(m, a.score), 0);
+    const errorTraces = input.traces.filter((t) => t.hasError).length;
+    const peakNode = input.blastRadius.nodes.find((n) => n.root) ?? input.blastRadius.nodes[0];
+    const blastSize = input.blastRadius.nodes.length;
+    const followUps = inferFollowUps(input, { peakScore, errorTraces, blastSize });
+    const synopsis = synopsisFor(input, peakScore, errorTraces, blastSize);
+    const markdown = renderMarkdown({
+        input,
+        timeline,
+        contributingSignals,
+        peakNode,
+        peakScore,
+        errorTraces,
+        blastSize,
+        followUps,
+        synopsis,
+    });
+    return {
+        service: input.service,
+        window: input.window,
+        fromIso: input.fromIso,
+        toIso: input.toIso,
+        synopsis,
+        markdown,
+        sections: {
+            timeline,
+            blastRadius: { nodes: input.blastRadius.nodes, edgeCount: input.blastRadius.edges.length },
+            topTraces: input.traces.slice(0, 10),
+            contributingSignals,
+            followUps,
+            logHighlights: input.logHighlights ?? [],
+        },
+    };
+}
+function aggregateBySignal(anomalies) {
+    const groups = new Map();
+    for (const a of anomalies) {
+        const sig = a.signal ?? a.method;
+        const prev = groups.get(sig);
+        if (prev)
+            prev.push(a.score);
+        else
+            groups.set(sig, [a.score]);
+    }
+    return [...groups.entries()]
+        .map(([signal, scores]) => ({
+        signal,
+        count: scores.length,
+        meanScore: Math.round((scores.reduce((s, x) => s + x, 0) / scores.length) * 100) / 100,
+    }))
+        .sort((a, b) => b.meanScore - a.meanScore);
+}
+function inferFollowUps(input, ctx) {
+    const out = [];
+    if (input.anomalies.length === 0) {
+        out.push("No anomaly history found for this service in the window — confirm OMCP_ANOMALY_HISTORY_REMOTE_WRITE is wired and Prometheus is scraping the same TSDB.");
+        return out;
+    }
+    if (ctx.peakScore >= 0.9) {
+        out.push(`Peak anomaly score ${ctx.peakScore} is critical — review the detector's threshold for service '${input.service}' and consider whether the chosen method (${dominantMethod(input.anomalies)}) suits this signal's distribution.`);
+    }
+    if (ctx.errorTraces > 0) {
+        out.push(`${ctx.errorTraces} trace(s) carried error spans during the window — drill into the slowest via \`query_traces(service="${input.service}", errorsOnly=true)\`.`);
+    }
+    if (ctx.blastSize > 5) {
+        out.push(`Blast radius spans ${ctx.blastSize} nodes — verify that the dependency edges are still accurate (a stale topology snapshot can blow up the radius and miss the real cause).`);
+    }
+    if ((input.logHighlights ?? []).length > 0) {
+        out.push("Log highlights above point at concrete error patterns — promote the recurring ones to an alert or SLO so the next regression catches itself.");
+    }
+    if (out.length === 0) {
+        out.push("All signals look stable for this window — consider closing the incident as a transient anomaly or expanding the time window.");
+    }
+    return out;
+}
+function dominantMethod(anomalies) {
+    const c = new Map();
+    for (const a of anomalies)
+        c.set(a.method, (c.get(a.method) ?? 0) + 1);
+    return [...c.entries()].sort((a, b) => b[1] - a[1])[0]?.[0] ?? "unknown";
+}
+function synopsisFor(input, peakScore, errorTraces, blastSize) {
+    const anomalyCount = input.anomalies.length;
+    if (anomalyCount === 0) {
+        return `No anomalies recorded for service '${input.service}' between ${input.fromIso} and ${input.toIso}. Either the window was clean, or the history sink wasn't writing at the time.`;
+    }
+    return [
+        `Service '${input.service}' produced ${anomalyCount} anomaly sample(s) between ${input.fromIso} and ${input.toIso}, peaking at ${peakScore}.`,
+        `Blast radius at peak covered ${blastSize} node(s); ${errorTraces} trace(s) carried error spans.`,
+    ].join(" ");
+}
+function renderMarkdown(ctx) {
+    const { input, timeline, contributingSignals, peakNode, peakScore, errorTraces, followUps, synopsis } = ctx;
+    const lines = [];
+    lines.push(`# Post-mortem — ${input.service}`);
+    lines.push("");
+    lines.push(`> **Window:** \`${input.fromIso}\` → \`${input.toIso}\` (\`${input.window}\`)  `);
+    lines.push(`> **Tenant:** \`${input.tenant}\`  `);
+    lines.push(`> **Generated by:** observability-mcp \`generate_postmortem\``);
+    lines.push("");
+    lines.push("## Synopsis");
+    lines.push("");
+    lines.push(synopsis);
+    lines.push("");
+    lines.push("## Anomaly timeline");
+    lines.push("");
+    if (timeline.length === 0) {
+        lines.push("_No anomaly samples in this window._");
+    }
+    else {
+        lines.push("| ts | service | score | severity | method |");
+        lines.push("|---|---|---|---|---|");
+        for (const t of timeline.slice(0, 20)) {
+            lines.push(`| \`${t.ts}\` | \`${t.service}\` | ${t.score} | ${t.severity} | ${t.method} |`);
+        }
+        if (timeline.length > 20)
+            lines.push(`| … | _${timeline.length - 20} more rows_ |  |  |  |`);
+    }
+    lines.push("");
+    lines.push("## Blast radius at peak");
+    lines.push("");
+    if (peakNode) {
+        lines.push(`Root node: **\`${peakNode.name}\`** (\`${peakNode.kind}\`).`);
+    }
+    else {
+        lines.push("_Topology snapshot empty._");
+    }
+    lines.push("");
+    if (input.blastRadius.nodes.length > 0) {
+        lines.push("| node | kind |");
+        lines.push("|---|---|");
+        for (const n of input.blastRadius.nodes.slice(0, 30)) {
+            lines.push(`| \`${n.name}\`${n.root ? " *(root)*" : ""} | \`${n.kind}\` |`);
+        }
+    }
+    lines.push("");
+    lines.push(`Edges in radius: **${input.blastRadius.edges.length}**.`);
+    lines.push("");
+    lines.push("## Contributing signals (ranked)");
+    lines.push("");
+    if (contributingSignals.length === 0) {
+        lines.push("_No anomaly samples to rank._");
+    }
+    else {
+        lines.push("| signal | samples | mean score |");
+        lines.push("|---|---|---|");
+        for (const s of contributingSignals.slice(0, 10)) {
+            lines.push(`| \`${s.signal}\` | ${s.count} | ${s.meanScore} |`);
+        }
+    }
+    lines.push("");
+    lines.push("## Related traces");
+    lines.push("");
+    if (input.traces.length === 0) {
+        lines.push("_No traces returned for the window. Configure a Tempo / Jaeger source if traces are expected._");
+    }
+    else {
+        lines.push("| trace | service | duration ms | error |");
+        lines.push("|---|---|---|---|");
+        for (const t of input.traces.slice(0, 10)) {
+            lines.push(`| \`${t.traceId}\` | \`${t.rootService}\` | ${t.durationMs} | ${t.hasError ? "yes" : "no"} |`);
+        }
+        if (errorTraces > 0)
+            lines.push(`\n_${errorTraces} of the returned traces carried error spans._`);
+    }
+    lines.push("");
+    if ((input.logHighlights ?? []).length > 0) {
+        lines.push("## Log highlights");
+        lines.push("");
+        for (const l of input.logHighlights)
+            lines.push(`- ${l}`);
+        lines.push("");
+    }
+    lines.push("## Suggested follow-ups");
+    lines.push("");
+    for (const f of followUps)
+        lines.push(`- ${f}`);
+    lines.push("");
+    lines.push("---");
+    lines.push("");
+    lines.push(`*Generated by observability-mcp \`generate_postmortem\` — see \`docs/postmortems.md\` for the prompt sources.*`);
+    lines.push("");
+    // Bound the chunk to keep memory predictable; the rendered report
+    // is normally a few KB but a pathological 10k-sample timeline
+    // could approach MB without the slice() caps above.
+    return lines.join("\n");
+}