@thotischner/observability-mcp 1.8.1 → 3.0.1

package/dist/sdk/hooks.js

@@ -0,0 +1,72 @@
+// Plugin lifecycle hooks — interpose on every tool / resource /
+// prompt invocation the gateway dispatches. Plugins declare hooks in
+// their manifest; the HookRegistry resolves them on load and the
+// dispatcher fires them around each call.
+//
+// Hooks land here as part of Phase F7 so Phase F9 (virtual servers)
+// and Phase F10 (federation) can interpose without duplicating
+// dispatch logic.
+/** Mutable, in-process registry. Plugin loaders push entries here;
+ *  the dispatcher reads `fire()` per call.
+ *
+ *  Hot-swap-safe: a re-registration with the same (pluginName, kind)
+ *  replaces the prior entry — used by /api/connectors/install for
+ *  zero-downtime hook updates. */
+export class HookRegistry {
+    entries = [];
+    /** Register or replace a hook entry. Returns the resolved registration. */
+    register(entry) {
+        this.entries = this.entries.filter((e) => !(e.pluginName === entry.pluginName && e.kind === entry.kind));
+        this.entries.push({
+            ...entry,
+            priority: entry.priority ?? 100,
+            mode: entry.mode ?? "enforce",
+        });
+        return entry;
+    }
+    /** Remove all entries owned by a plugin (e.g. on uninstall). */
+    unregisterPlugin(pluginName) {
+        const before = this.entries.length;
+        this.entries = this.entries.filter((e) => e.pluginName !== pluginName);
+        return before - this.entries.length;
+    }
+    /** All entries for a hook kind in priority order. */
+    list(kind) {
+        return this.entries
+            .filter((e) => e.kind === kind && e.mode !== "disabled")
+            .sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));
+    }
+    /** Snapshot of every registration regardless of kind (for diagnostics). */
+    all() {
+        return [...this.entries];
+    }
+    /** Fire every hook of the given kind in priority order. Each hook
+     *  receives the (possibly mutated) payload from the previous one.
+     *  Short-circuits on first `allow:false`. */
+    async fire(kind, ctx, initialPayload, logger = (l, m) => console[l === "warn" ? "warn" : "log"](m)) {
+        let payload = initialPayload;
+        for (const entry of this.list(kind)) {
+            try {
+                const r = await entry.handler({ ...ctx, kind }, payload);
+                if (!r.allow) {
+                    return r;
+                }
+                if (r.payload)
+                    payload = r.payload;
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                if (entry.mode === "permissive") {
+                    logger("warn", `hook ${entry.pluginName}/${kind} threw (permissive): ${msg}`);
+                    continue;
+                }
+                // enforce: block the call.
+                return {
+                    allow: false,
+                    reason: `hook ${entry.pluginName}/${kind} failed: ${msg}`,
+                };
+            }
+        }
+        return { allow: true, payload };
+    }
+}

package/dist/sdk/hooks.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sdk/hooks.test.js

@@ -0,0 +1,159 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { HookRegistry } from "./hooks.js";
+function ctx(target = "list_services") {
+    return {
+        principal: "alice",
+        tenant: "default",
+        kind: "tool_pre_invoke",
+        target,
+    };
+}
+test("HookRegistry.register: adds an entry with defaults applied", () => {
+    const r = new HookRegistry();
+    r.register({
+        pluginName: "p1",
+        kind: "tool_pre_invoke",
+        handler: () => ({ allow: true }),
+    });
+    const list = r.list("tool_pre_invoke");
+    assert.equal(list.length, 1);
+    assert.equal(list[0]?.priority, 100);
+    assert.equal(list[0]?.mode, "enforce");
+});
+test("HookRegistry.register: re-registering same (plugin,kind) replaces prior entry", () => {
+    const r = new HookRegistry();
+    r.register({ pluginName: "p", kind: "tool_pre_invoke", priority: 10, handler: () => ({ allow: true }) });
+    r.register({ pluginName: "p", kind: "tool_pre_invoke", priority: 20, handler: () => ({ allow: true }) });
+    const list = r.list("tool_pre_invoke");
+    assert.equal(list.length, 1);
+    assert.equal(list[0]?.priority, 20);
+});
+test("HookRegistry.list: orders by priority (lower runs first)", () => {
+    const r = new HookRegistry();
+    r.register({ pluginName: "a", kind: "tool_pre_invoke", priority: 50, handler: () => ({ allow: true }) });
+    r.register({ pluginName: "b", kind: "tool_pre_invoke", priority: 10, handler: () => ({ allow: true }) });
+    r.register({ pluginName: "c", kind: "tool_pre_invoke", priority: 99, handler: () => ({ allow: true }) });
+    const names = r.list("tool_pre_invoke").map((e) => e.pluginName);
+    assert.deepEqual(names, ["b", "a", "c"]);
+});
+test("HookRegistry.list: disabled hooks are filtered out", () => {
+    const r = new HookRegistry();
+    r.register({ pluginName: "a", kind: "tool_pre_invoke", handler: () => ({ allow: true }) });
+    r.register({ pluginName: "b", kind: "tool_pre_invoke", mode: "disabled", handler: () => ({ allow: true }) });
+    const names = r.list("tool_pre_invoke").map((e) => e.pluginName);
+    assert.deepEqual(names, ["a"]);
+});
+test("HookRegistry.unregisterPlugin: drops every entry for a plugin", () => {
+    const r = new HookRegistry();
+    r.register({ pluginName: "p", kind: "tool_pre_invoke", handler: () => ({ allow: true }) });
+    r.register({ pluginName: "p", kind: "tool_post_invoke", handler: () => ({ allow: true }) });
+    r.register({ pluginName: "q", kind: "tool_pre_invoke", handler: () => ({ allow: true }) });
+    const dropped = r.unregisterPlugin("p");
+    assert.equal(dropped, 2);
+    assert.equal(r.all().length, 1);
+    assert.equal(r.all()[0]?.pluginName, "q");
+});
+test("HookRegistry.fire: chains payload mutations and returns the final", async () => {
+    const r = new HookRegistry();
+    r.register({
+        pluginName: "a",
+        kind: "tool_pre_invoke",
+        priority: 10,
+        handler: (_c, p) => ({ allow: true, payload: { ...p, a: 1 } }),
+    });
+    r.register({
+        pluginName: "b",
+        kind: "tool_pre_invoke",
+        priority: 20,
+        handler: (_c, p) => ({ allow: true, payload: { ...p, b: 2 } }),
+    });
+    const result = await r.fire("tool_pre_invoke", ctx(), { initial: true });
+    assert.equal(result.allow, true);
+    assert.deepEqual(result.payload, { initial: true, a: 1, b: 2 });
+});
+test("HookRegistry.fire: first allow:false short-circuits subsequent hooks", async () => {
+    const r = new HookRegistry();
+    let sawSecond = false;
+    r.register({
+        pluginName: "a",
+        kind: "tool_pre_invoke",
+        priority: 10,
+        handler: () => ({ allow: false, reason: "denied by policy" }),
+    });
+    r.register({
+        pluginName: "b",
+        kind: "tool_pre_invoke",
+        priority: 20,
+        handler: () => {
+            sawSecond = true;
+            return { allow: true };
+        },
+    });
+    const result = await r.fire("tool_pre_invoke", ctx(), {});
+    assert.equal(result.allow, false);
+    assert.equal(result.reason, "denied by policy");
+    assert.equal(sawSecond, false);
+});
+test("HookRegistry.fire: enforce-mode throw blocks the chain", async () => {
+    const r = new HookRegistry();
+    let sawSecond = false;
+    r.register({
+        pluginName: "a",
+        kind: "tool_pre_invoke",
+        handler: () => {
+            throw new Error("boom");
+        },
+    });
+    r.register({
+        pluginName: "b",
+        kind: "tool_pre_invoke",
+        priority: 200,
+        handler: () => {
+            sawSecond = true;
+            return { allow: true };
+        },
+    });
+    const result = await r.fire("tool_pre_invoke", ctx(), {});
+    assert.equal(result.allow, false);
+    assert.match(result.reason ?? "", /boom/);
+    assert.equal(sawSecond, false);
+});
+test("HookRegistry.fire: permissive-mode throw is logged + chain continues with prior payload", async () => {
+    const r = new HookRegistry();
+    r.register({
+        pluginName: "a",
+        kind: "tool_pre_invoke",
+        priority: 10,
+        handler: (_c, p) => ({ allow: true, payload: { ...p, a: 1 } }),
+    });
+    r.register({
+        pluginName: "b",
+        kind: "tool_pre_invoke",
+        priority: 20,
+        mode: "permissive",
+        handler: () => {
+            throw new Error("intermittent failure");
+        },
+    });
+    r.register({
+        pluginName: "c",
+        kind: "tool_pre_invoke",
+        priority: 30,
+        handler: (_c, p) => ({ allow: true, payload: { ...p, c: 3 } }),
+    });
+    const logs = [];
+    const result = await r.fire("tool_pre_invoke", ctx(), {}, (lvl, m) => {
+        if (lvl === "warn")
+            logs.push(m);
+    });
+    assert.equal(result.allow, true);
+    assert.deepEqual(result.payload, { a: 1, c: 3 });
+    assert.equal(logs.length, 1);
+    assert.match(logs[0] ?? "", /b\/tool_pre_invoke/);
+});
+test("HookRegistry.fire: no hooks => allow with the initial payload", async () => {
+    const r = new HookRegistry();
+    const result = await r.fire("tool_pre_invoke", ctx(), { x: 1 });
+    assert.deepEqual(result, { allow: true, payload: { x: 1 } });
+});

package/dist/sdk/index.d.ts

@@ -1,6 +1,8 @@
 export type { ObservabilityConnector } from "../connectors/interface.js";
 export { manifestSchema } from "./manifest-schema.js";
 export type { ValidatedConnectorManifest } from "./manifest-schema.js";
+export { HookRegistry } from "./hooks.js";
+export type { HookKind, HookContext, HookPayload, HookResult, HookRegistration, } from "./hooks.js";
 export type { SignalType, SourceConfig, SourceAuth, SourceTls, ConnectorHealth, ServiceInfo, MetricInfo, MetricQuery, MetricResult, MetricSummary, DataPoint, LogQuery, LogResult, LogEntry, LogSummary, MetricDefinition, Resource, Edge, TopologySnapshot, TopologyChangeEvent, TopologyChangeListener, } from "../types.js";
 /**
  * Manifest shape declared in a plugin's `manifest.json`. The server
@@ -40,6 +42,19 @@ export interface ConnectorManifest {
      * server runs with VERIFY_PLUGINS=true. See docs/plugin-architecture.md.
      */
     integrity?: string;
+    /**
+     * Lifecycle hooks the plugin wants auto-registered on load. Each
+     * entry points to a module path INSIDE the plugin's bundled files;
+     * the loader imports its default export and registers it on the
+     * gateway's HookRegistry. Mirrors the Zod manifestSchema in
+     * mcp-server/src/sdk/manifest-schema.ts. See Q10 / phase-q-sprint.md.
+     */
+    hooks?: Array<{
+        kind: "tool_pre_invoke" | "tool_post_invoke" | "resource_pre_fetch" | "resource_post_fetch" | "prompt_pre_fetch" | "prompt_post_fetch";
+        module: string;
+        priority?: number;
+        mode?: "enforce" | "permissive" | "disabled";
+    }>;
 }
 /**
  * The default export shape a connector plugin module must provide.

package/dist/sdk/index.js

@@ -11,3 +11,4 @@
 // against that package and an `observabilityMcp.compat.serverVersion`
 // constraint in their package.json (see docs/plugin-architecture.md).
 export { manifestSchema } from "./manifest-schema.js";
+export { HookRegistry } from "./hooks.js";

package/dist/sdk/manifest-schema.d.ts

@@ -25,5 +25,22 @@ export declare const manifestSchema: z.ZodObject<{
         serverVersion: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>>;
     integrity: z.ZodOptional<z.ZodString>;
+    hooks: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        kind: z.ZodEnum<{
+            tool_pre_invoke: "tool_pre_invoke";
+            tool_post_invoke: "tool_post_invoke";
+            resource_pre_fetch: "resource_pre_fetch";
+            resource_post_fetch: "resource_post_fetch";
+            prompt_pre_fetch: "prompt_pre_fetch";
+            prompt_post_fetch: "prompt_post_fetch";
+        }>;
+        module: z.ZodString;
+        priority: z.ZodOptional<z.ZodNumber>;
+        mode: z.ZodOptional<z.ZodEnum<{
+            enforce: "enforce";
+            permissive: "permissive";
+            disabled: "disabled";
+        }>>;
+    }, z.core.$strip>>>;
 }, z.core.$strip>;
 export type ValidatedConnectorManifest = z.infer<typeof manifestSchema>;

package/dist/sdk/manifest-schema.js

@@ -44,4 +44,25 @@ export const manifestSchema = z.object({
         message: 'integrity must be "sha256-<base64>"',
     })
         .optional(),
+    // Lifecycle hooks the plugin wants to fire at. Each entry points to
+    // a module path INSIDE the plugin's bundled files. The loader
+    // resolves the module relative to the plugin root, imports its
+    // default export as the handler, and registers it on the gateway's
+    // HookRegistry. Hot-reloadable: install/upgrade of a plugin
+    // re-registers its hooks without restart.
+    hooks: z
+        .array(z.object({
+        kind: z.enum([
+            "tool_pre_invoke",
+            "tool_post_invoke",
+            "resource_pre_fetch",
+            "resource_post_fetch",
+            "prompt_pre_fetch",
+            "prompt_post_fetch",
+        ]),
+        module: z.string().min(1),
+        priority: z.number().int().optional(),
+        mode: z.enum(["enforce", "permissive", "disabled"]).optional(),
+    }))
+        .optional(),
 });

package/dist/tools/context-seam.test.js

@@ -15,7 +15,12 @@ describe("RequestContext seam", () => {
         if (!hasHandler)
             continue;
         it(`${file}: handler accepts a RequestContext`, () => {
-            assert.match(src, /_ctx:\s*RequestContext/, `${file} exports a *Handler but does not thread RequestContext — ` +
+            // Accept both the read-and-use form (`ctx: RequestContext`) and
+            // the historic placeholder form (`_ctx: RequestContext`) — the
+            // seam is the same; the underscore was only there to silence
+            // unused-param lints. Handlers that actually consume the ctx
+            // (tenant-aware tools, post-E7) drop it.
+            assert.match(src, /\b_?ctx:\s*RequestContext/, `${file} exports a *Handler but does not thread RequestContext — ` +
                 `add the ctx seam (see context.ts)`);
             assert.match(src, /from "\.\.\/context\.js"/, `${file} must import from ../context.js`);
         });

package/dist/tools/detect-anomalies.d.ts

@@ -22,11 +22,22 @@ export declare const detectAnomaliesDefinition: {
         };
     };
 };
+export interface AnomalyHistorySink {
+    record(entry: {
+        ts: string;
+        service: string;
+        tenant: string;
+        score: number;
+        method: string;
+        severity: string;
+        signal?: string;
+    }): Promise<void> | void;
+}
 export declare function detectAnomaliesHandler(registry: ConnectorRegistry, args: {
     service?: string;
     duration?: string;
     sensitivity?: string;
-}, _ctx?: RequestContext): Promise<{
+}, ctx?: RequestContext, history?: AnomalyHistorySink): Promise<{
     content: {
         type: "text";
         text: string;

package/dist/tools/detect-anomalies.js

@@ -33,12 +33,13 @@ const KEY_METRICS = ["cpu", "memory", "error_rate", "latency_p99", "request_rate
 // the overall error ratio is low (e.g. a memory leak emits a handful of
 // "OutOfMemoryWarning" lines long before it turns into 5xx errors).
 const CRITICAL_LOG_PATTERN = /\b(out\s?of\s?memory|oom|outofmemory|heap (usage|exhaust)|memory leak|panic|fatal|deadlock|segfault|stack overflow|cannot allocate)\b/i;
-export async function detectAnomaliesHandler(registry, args, _ctx = defaultContext()) {
+export async function detectAnomaliesHandler(registry, args, ctx = defaultContext(), history) {
     const duration = args.duration || "10m";
     const threshold = SENSITIVITY_THRESHOLDS[args.sensitivity || "medium"] || 2.0;
-    // Discover services to scan
-    const metricsConnectors = registry.getBySignal("metrics");
-    const logConnectors = registry.getBySignal("logs");
+    // Discover services to scan — tenant-scoped.
+    const tenantConnectors = registry.getByTenant(ctx.tenant);
+    const metricsConnectors = tenantConnectors.filter((c) => c.signalType === "metrics");
+    const logConnectors = tenantConnectors.filter((c) => c.signalType === "logs");
     let serviceNames = [];
     if (args.service) {
         serviceNames = [args.service];
@@ -71,9 +72,10 @@ export async function detectAnomaliesHandler(registry, args, _ctx = defaultConte
                         const deviationPercent = anomaly.baselineValue === 0
                             ? 100
                             : Math.round(((anomaly.recentValue - anomaly.baselineValue) / anomaly.baselineValue) * 100);
+                        const severityLabel = Math.abs(anomaly.score) >= 6 ? "high" : Math.abs(anomaly.score) >= 4 ? "medium" : "low";
                         allAnomalies.push({
                             metric,
-                            severity: Math.abs(anomaly.score) >= 6 ? "high" : Math.abs(anomaly.score) >= 4 ? "medium" : "low",
+                            severity: severityLabel,
                             description: `${metric}: ${anomaly.reason}`,
                             currentValue: anomaly.recentValue,
                             baselineValue: anomaly.baselineValue,
@@ -81,6 +83,25 @@ export async function detectAnomaliesHandler(registry, args, _ctx = defaultConte
                             source: connector.name,
                             service: serviceName,
                         });
+                        // Phase P1: mirror the score to the TSDB sink (no-op if no
+                        // sink wired). Best-effort — a slow / down sink must never
+                        // block the detector loop, which is why we don't await.
+                        if (history) {
+                            try {
+                                void history.record({
+                                    ts: new Date().toISOString(),
+                                    service: serviceName,
+                                    tenant: ctx.tenant || "default",
+                                    score: Math.abs(anomaly.score),
+                                    method: anomaly.method === "seasonal" ? "seasonality"
+                                        : anomaly.method === "robust-z" ? "mad"
+                                            : anomaly.method,
+                                    severity: severityLabel === "high" ? "critical" : severityLabel === "medium" ? "warn" : "info",
+                                    signal: metric,
+                                });
+                            }
+                            catch { /* swallow — best-effort */ }
+                        }
                     }
                 }
                 catch {

package/dist/tools/generate-postmortem.d.ts

@@ -0,0 +1,35 @@
+import type { ConnectorRegistry } from "../connectors/registry.js";
+import { type RequestContext } from "../context.js";
+export declare const generatePostmortemDefinition: {
+    name: "generate_postmortem";
+    description: string;
+    inputSchema: {
+        type: "object";
+        properties: {
+            service: {
+                type: string;
+                description: string;
+            };
+            duration: {
+                type: string;
+                description: string;
+            };
+            format: {
+                type: string;
+                description: string;
+            };
+        };
+        required: string[];
+    };
+};
+export declare function generatePostmortemHandler(registry: ConnectorRegistry, args: {
+    service: string;
+    duration?: string;
+    format?: string;
+}, ctx?: RequestContext): Promise<{
+    content: {
+        type: "text";
+        text: string;
+    }[];
+    isError: boolean;
+}>;

package/dist/tools/generate-postmortem.js

@@ -0,0 +1,191 @@
+// generate_postmortem — Phase F19a.
+//
+// Stitches together anomaly history (F15), trace summaries (F13),
+// and the topology blast-radius (existing get_blast_radius
+// machinery) into a single markdown post-mortem report.
+//
+// The synthesizer is pure compute (see ./../postmortem/synthesizer);
+// this handler is just the orchestration: pull each upstream
+// primitive in parallel, hand the result to the synthesizer.
+import { defaultContext } from "../context.js";
+import { validateDuration, validateServiceName, errorResponse } from "./validation.js";
+import { synthesizePostmortem, } from "../postmortem/synthesizer.js";
+export const generatePostmortemDefinition = {
+    name: "generate_postmortem",
+    description: [
+        "Stitch the gateway's primitives (anomaly history, blast-radius, traces, log highlights) into a single markdown post-mortem report for one service over a given window.",
+        "When to use: after an incident, when the operator or LLM wants 'one document the on-call can read in 60 seconds' instead of poking the individual tools.",
+        "Prerequisites: anomaly history requires OMCP_ANOMALY_HISTORY_REMOTE_WRITE configured AND a Prometheus source pointed at the same TSDB (see docs/anomaly-history.md). Traces require a Tempo / Jaeger source. Blast-radius requires a topology provider.",
+        "Behavior: read-only. Returns BOTH a structured JSON shape AND a markdown body suitable to paste straight into a ticket. Output is capped (timeline truncated to 20 rows in the markdown, 30 nodes in the blast radius table, 10 traces) — the structured shape carries the full data.",
+        "Related: `get_anomaly_history` for the raw scores; `query_traces` for individual traces; `get_blast_radius` for the topology.",
+    ].join(" "),
+    inputSchema: {
+        type: "object",
+        properties: {
+            service: { type: "string", description: "Suspected root-cause service (the operator's first guess)." },
+            duration: { type: "string", description: "Rolling window the incident took place in, e.g. '1h', '6h'. Default '1h'." },
+            format: { type: "string", description: "Output format: 'markdown' (default) or 'json'." },
+        },
+        required: ["service"],
+    },
+};
+export async function generatePostmortemHandler(registry, args, ctx = defaultContext()) {
+    const svcErr = validateServiceName(args.service);
+    if (svcErr)
+        return errorResponse(svcErr);
+    const duration = args.duration || "1h";
+    const durationErr = validateDuration(duration);
+    if (durationErr)
+        return errorResponse(durationErr);
+    const now = new Date();
+    const fromIso = new Date(now.getTime() - parseDurationMs(duration)).toISOString();
+    const toIso = now.toISOString();
+    // Parallel-fetch every upstream primitive. Each fetch swallows
+    // its own errors and returns an empty result — the post-mortem
+    // must always synthesise SOMETHING (even "no signal found").
+    const [anomalies, traces, blastRadius, logHighlights] = await Promise.all([
+        fetchAnomalies(registry, args.service, duration, ctx),
+        fetchTraces(registry, args.service, duration, ctx),
+        fetchBlastRadius(registry, args.service, ctx),
+        fetchLogHighlights(registry, args.service, duration, ctx),
+    ]);
+    const report = synthesizePostmortem({
+        service: args.service,
+        window: duration,
+        tenant: ctx.tenant || "default",
+        fromIso,
+        toIso,
+        anomalies,
+        blastRadius,
+        traces,
+        logHighlights,
+    });
+    if ((args.format || "markdown").toLowerCase() === "json") {
+        return {
+            content: [{ type: "text", text: JSON.stringify(report) }],
+            isError: false,
+        };
+    }
+    // Default: return the markdown body. The structured sections live
+    // in JSON if the caller asked for them.
+    return {
+        content: [{ type: "text", text: report.markdown }],
+        isError: false,
+    };
+}
+function parseDurationMs(d) {
+    const m = d.match(/^(\d+)([smhd])$/);
+    if (!m)
+        return 60 * 60 * 1000;
+    const n = parseInt(m[1], 10);
+    const unit = m[2];
+    return unit === "s" ? n * 1000
+        : unit === "m" ? n * 60_000
+            : unit === "h" ? n * 3_600_000
+                : n * 86_400_000;
+}
+async function fetchAnomalies(registry, service, duration, ctx) {
+    const metric = `omcp_anomaly_score{service="${escLabel(service)}"}`;
+    for (const c of registry.getByTenant(ctx.tenant).filter((x) => typeof x.queryMetrics === "function")) {
+        try {
+            const r = await c.queryMetrics({ service, metric, duration });
+            if (r && r.values && r.values.length > 0) {
+                return r.values.map((v) => ({
+                    ts: typeof v.timestamp === "number" ? new Date(v.timestamp).toISOString() : String(v.timestamp),
+                    service,
+                    score: typeof v.value === "number" ? v.value : Number(v.value) || 0,
+                    method: "mad",
+                    severity: "warn",
+                }));
+            }
+        }
+        catch {
+            /* fall through to next source */
+        }
+    }
+    return [];
+}
+async function fetchTraces(registry, service, duration, ctx) {
+    for (const c of registry.getByTenant(ctx.tenant).filter((x) => typeof x.queryTraces === "function")) {
+        try {
+            const r = await c.queryTraces({ service, duration, limit: 10 });
+            if (r && r.traces && r.traces.length > 0) {
+                return r.traces.map((t) => ({
+                    traceId: t.traceId,
+                    rootName: t.rootName,
+                    rootService: t.rootService,
+                    durationMs: t.durationMs,
+                    hasError: t.hasError,
+                }));
+            }
+        }
+        catch {
+            /* fall through */
+        }
+    }
+    return [];
+}
+async function fetchBlastRadius(registry, service, ctx) {
+    // We don't have a direct "give me blast radius for service X" helper at
+    // this layer — the existing get_blast_radius is a tool that takes a
+    // resource id. For the post-mortem we settle for the full topology
+    // snapshot of the caller's tenant and let the synthesizer mark the
+    // suspect-named node as root. Future F19b can plumb the real walker.
+    for (const c of registry.getByTenant(ctx.tenant)) {
+        if (typeof c.getTopologySnapshot !== "function")
+            continue;
+        try {
+            const snap = await c.getTopologySnapshot();
+            if (!snap?.resources?.length)
+                continue;
+            // Pick nodes whose name matches the suspected service (case-
+            // insensitive substring is conservative-enough for the
+            // synopsis; the real walker can be precise later).
+            const needle = service.toLowerCase();
+            const matching = snap.resources.filter((r) => r.name?.toLowerCase().includes(needle) ||
+                (r.labels && Object.values(r.labels).some((v) => String(v).toLowerCase() === needle)));
+            if (matching.length === 0)
+                continue;
+            const matchedIds = new Set(matching.map((r) => r.id));
+            const connected = snap.edges.filter((e) => matchedIds.has(e.from) || matchedIds.has(e.to));
+            const neighborIds = new Set([
+                ...matching.map((r) => r.id),
+                ...connected.map((e) => e.from),
+                ...connected.map((e) => e.to),
+            ]);
+            const nodes = snap.resources
+                .filter((r) => neighborIds.has(r.id))
+                .map((r) => ({
+                id: r.id,
+                kind: r.kind,
+                name: r.name,
+                root: matchedIds.has(r.id),
+            }));
+            return {
+                nodes,
+                edges: connected.map((e) => ({ from: e.from, to: e.to, relation: e.relation })),
+            };
+        }
+        catch {
+            /* fall through */
+        }
+    }
+    return { nodes: [], edges: [] };
+}
+async function fetchLogHighlights(registry, service, duration, ctx) {
+    for (const c of registry.getByTenant(ctx.tenant).filter((x) => typeof x.queryLogs === "function")) {
+        try {
+            const r = await c.queryLogs({ service, duration, limit: 5 });
+            if (r?.summary?.errorCount && r.summary.errorCount > 0) {
+                return [`${service}: ${r.summary.errorCount} error log line(s) in window (source: ${r.source}).`];
+            }
+        }
+        catch {
+            /* skip */
+        }
+    }
+    return [];
+}
+function escLabel(v) {
+    return v.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}