@thotischner/observability-mcp 3.0.1 → 3.1.1

package/dist/auth/revocation.test.js

@@ -0,0 +1,136 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { RevocationStore } from "./revocation.js";
+function tmpFile(name = "revocations.jsonl") {
+    const dir = mkdtempSync(join(tmpdir(), "omcp-revoke-"));
+    return join(dir, name);
+}
+test("memory store revokes a single session by sid", async () => {
+    const store = await RevocationStore.create();
+    assert.equal(store.persistent, false);
+    assert.equal(store.isRevoked({ sub: "alice", iat: 1000, sid: "s1" }), false);
+    await store.revokeSession("s1");
+    assert.equal(store.isRevoked({ sub: "alice", iat: 1000, sid: "s1" }), true);
+    // A different session of the same subject is untouched.
+    assert.equal(store.isRevoked({ sub: "alice", iat: 1000, sid: "s2" }), false);
+});
+test("session without a sid is never caught by a session-kind revocation", async () => {
+    const store = await RevocationStore.create();
+    await store.revokeSession("s1");
+    assert.equal(store.isRevoked({ sub: "alice", iat: 1000 }), false);
+});
+test("subject revocation catches sessions issued at or before the cutoff", async () => {
+    let clock = 5000;
+    const store = await RevocationStore.create({ now: () => clock });
+    await store.revokeSubject("bob");
+    // Issued before the cutoff → revoked.
+    assert.equal(store.isRevoked({ sub: "bob", iat: 4999, sid: "old" }), true);
+    // Issued in the same second → revoked (intent: kill what exists now).
+    assert.equal(store.isRevoked({ sub: "bob", iat: 5000, sid: "same" }), true);
+    // Issued after the cutoff (fresh login) → valid again.
+    assert.equal(store.isRevoked({ sub: "bob", iat: 5001, sid: "new" }), false);
+    // A different subject is unaffected.
+    assert.equal(store.isRevoked({ sub: "carol", iat: 1, sid: "x" }), false);
+});
+test("re-revoking a subject only widens the cutoff window", async () => {
+    let clock = 100;
+    const store = await RevocationStore.create({ now: () => clock });
+    await store.revokeSubject("dave"); // cutoff 100
+    clock = 200;
+    await store.revokeSubject("dave"); // cutoff 200
+    assert.equal(store.isRevoked({ sub: "dave", iat: 150, sid: "mid" }), true);
+    assert.equal(store.isRevoked({ sub: "dave", iat: 201, sid: "after" }), false);
+});
+test("entries persist to disk and reload into a fresh store", async () => {
+    const path = tmpFile();
+    const store = await RevocationStore.create({ path, now: () => 7000 });
+    await store.revokeSession("sid-a", { reason: "stolen laptop", by: "admin" });
+    await store.revokeSubject("eve", { reason: "offboarded" });
+    assert.equal(store.size, 2);
+    const reloaded = await RevocationStore.create({ path });
+    assert.equal(reloaded.size, 2);
+    assert.equal(reloaded.isRevoked({ sub: "x", iat: 1, sid: "sid-a" }), true);
+    assert.equal(reloaded.isRevoked({ sub: "eve", iat: 6999, sid: "z" }), true);
+    assert.equal(reloaded.isRevoked({ sub: "eve", iat: 7001, sid: "z" }), false);
+});
+test("persisted file is JSONL and carries the metadata", async () => {
+    const path = tmpFile();
+    const store = await RevocationStore.create({ path, now: () => 42 });
+    await store.revokeSession("sid-meta", { reason: "test", by: "root" });
+    const lines = readFileSync(path, "utf8").trim().split("\n");
+    assert.equal(lines.length, 1);
+    const entry = JSON.parse(lines[0]);
+    assert.deepEqual(entry, {
+        kind: "session",
+        value: "sid-meta",
+        revokedAt: 42,
+        reason: "test",
+        by: "root",
+    });
+});
+test("malformed and partial lines are skipped on load", async () => {
+    const path = tmpFile();
+    writeFileSync(path, [
+        JSON.stringify({ kind: "session", value: "good", revokedAt: 1 }),
+        "not json at all",
+        JSON.stringify({ kind: "bogus", value: "x", revokedAt: 1 }), // bad kind
+        JSON.stringify({ kind: "subject", value: "", revokedAt: 1 }), // empty value
+        JSON.stringify({ kind: "subject", value: "u", revokedAt: "nope" }), // bad ts
+        "", // blank
+        JSON.stringify({ kind: "subject", value: "frank", revokedAt: 500 }),
+    ].join("\n"));
+    const store = await RevocationStore.create({ path });
+    // Only the two well-formed entries survived.
+    assert.equal(store.size, 2);
+    assert.equal(store.isRevoked({ sub: "x", iat: 1, sid: "good" }), true);
+    assert.equal(store.isRevoked({ sub: "frank", iat: 400, sid: "y" }), true);
+});
+test("missing file is treated as an empty blocklist", async () => {
+    const path = join(mkdtempSync(join(tmpdir(), "omcp-revoke-")), "does-not-exist.jsonl");
+    const store = await RevocationStore.create({ path });
+    assert.equal(store.size, 0);
+    assert.equal(store.isRevoked({ sub: "a", iat: 1, sid: "s" }), false);
+    // First write creates the file.
+    await store.revokeSession("s");
+    assert.equal(readFileSync(path, "utf8").trim().split("\n").length, 1);
+});
+test("file under a non-existent directory is created on first write", async () => {
+    const dir = mkdtempSync(join(tmpdir(), "omcp-revoke-"));
+    const path = join(dir, "nested", "deep", "revocations.jsonl");
+    const store = await RevocationStore.create({ path });
+    await store.revokeSession("s");
+    assert.equal(readFileSync(path, "utf8").trim().split("\n").length, 1);
+});
+test("list() returns a defensive copy in file order", async () => {
+    const store = await RevocationStore.create({ now: () => 9 });
+    await store.revokeSession("a");
+    await store.revokeSubject("b");
+    const list = store.list();
+    assert.equal(list.length, 2);
+    assert.equal(list[0].kind, "session");
+    assert.equal(list[1].kind, "subject");
+    // Mutating the returned array/objects must not corrupt the store.
+    list[0].value = "tampered";
+    list.push({ kind: "session", value: "ghost", revokedAt: 0 });
+    assert.equal(store.list().length, 2);
+    assert.equal(store.list()[0].value, "a");
+});
+test("concurrent revokes all land on disk without interleaving", async () => {
+    const path = tmpFile();
+    const store = await RevocationStore.create({ path, now: () => 1 });
+    await Promise.all(Array.from({ length: 20 }, (_, i) => store.revokeSession(`s${i}`)));
+    const lines = readFileSync(path, "utf8").trim().split("\n");
+    assert.equal(lines.length, 20);
+    // Every line is independently parseable (no torn writes).
+    for (const line of lines) {
+        assert.doesNotThrow(() => JSON.parse(line));
+    }
+});
+test("reason/by are omitted from the entry when not supplied", async () => {
+    const store = await RevocationStore.create({ now: () => 3 });
+    const entry = await store.revokeSession("s");
+    assert.deepEqual(entry, { kind: "session", value: "s", revokedAt: 3 });
+});

package/dist/auth/session.d.ts

@@ -25,6 +25,13 @@ export interface SessionPayload {
     tenant?: string;
     /** Optional list of role identifiers — used by later phases for RBAC. */
     roles?: string[];
+    /** Per-session random identifier. Minted at issue time. Lets the
+     *  revocation blocklist (see ./revocation.ts) drop a single session
+     *  without rotating the signing secret. Optional for backward compat:
+     *  cookies issued before this field existed still verify and simply
+     *  can't be revoked individually (a subject-wide revocation still
+     *  catches them via `iat`). */
+    sid?: string;
     /** Issued-at, seconds since epoch. */
     iat: number;
     /** Hard expiry, seconds since epoch. */

package/dist/auth/session.js

@@ -37,6 +37,10 @@ export function issueSession(identity, cfg, now = Math.floor(Date.now() / 1000))
         email: identity.email,
         tenant: identity.tenant,
         roles: identity.roles,
+        // 16 random bytes ≈ 128 bits — collision-free across any realistic
+        // session population, and enough entropy that a sid can't be guessed
+        // to forge a revocation target for another user's session.
+        sid: randomBytes(16).toString("base64url"),
         iat: now,
         exp: now + ttl,
     };
@@ -93,6 +97,8 @@ function isSessionPayload(v) {
         return false;
     if (o.roles !== undefined && !(Array.isArray(o.roles) && o.roles.every((r) => typeof r === "string")))
         return false;
+    if (o.sid !== undefined && typeof o.sid !== "string")
+        return false;
     if (o.email !== undefined && typeof o.email !== "string")
         return false;
     if (o.tenant !== undefined && typeof o.tenant !== "string")

package/dist/auth/session.test.js

@@ -1,5 +1,6 @@
 import { test } from "node:test";
 import assert from "node:assert/strict";
+import { createHmac } from "node:crypto";
 import { issueSession, verifySession, setCookieHeader, clearCookieHeader, readCookie, generateSecret, DEFAULT_COOKIE_NAME, } from "./session.js";
 const secret = "a".repeat(48);
 test("issueSession + verifySession — round-trips identity", () => {
@@ -12,6 +13,26 @@ test("issueSession + verifySession — round-trips identity", () => {
     assert.equal(verified.sub, "alice");
     assert.deepEqual(verified.roles, ["operator"]);
 });
+test("issueSession mints a unique sid that round-trips through verify", () => {
+    const now = 1_700_000_000;
+    const a = issueSession({ sub: "alice", name: "Alice" }, { secret }, now);
+    const b = issueSession({ sub: "alice", name: "Alice" }, { secret }, now);
+    assert.ok(a.payload.sid, "expected a sid");
+    assert.notEqual(a.payload.sid, b.payload.sid, "each session gets its own sid");
+    const verified = verifySession(a.cookie, { secret }, now + 1);
+    assert.ok(verified);
+    assert.equal(verified.sid, a.payload.sid);
+});
+test("verifySession — a legacy cookie without a sid still verifies", () => {
+    const now = 1_700_000_000;
+    // Hand-craft a payload lacking sid (pre-Q17 shape) and sign it.
+    const payload = { sub: "alice", name: "Alice", iat: now, exp: now + 3600 };
+    const payloadStr = Buffer.from(JSON.stringify(payload)).toString("base64url");
+    const sig = createHmac("sha256", secret).update(payloadStr).digest("base64url");
+    const verified = verifySession(`${payloadStr}.${sig}`, { secret }, now + 1);
+    assert.ok(verified, "legacy cookie should still verify");
+    assert.equal(verified.sid, undefined);
+});
 test("issueSession + verifySession — round-trips email when present", () => {
     const now = 1_700_000_000;
     const { cookie } = issueSession({ sub: "alice", name: "Alice", email: "alice@example.test", roles: ["operator"] }, { secret }, now);

package/dist/conformance/mcp-2025-11-25.test.js

@@ -113,6 +113,20 @@ test("MCP 2025-11-25: tools/list returns a Tool[] each with name + inputSchema",
         assert.ok(t.inputSchema && typeof t.inputSchema === "object", `tool ${t.name} missing inputSchema`);
     }
 });
+test("MCP 2025-11-25: query_logs advertises labels + aggregate params (issue #415)", opts, async () => {
+    // Regression guard for the v3.1.0 ship gap: the labels/aggregate handler
+    // code existed but the inline MCP schema in createMcpServer never declared
+    // them, so a live tools/list omitted them and the SDK stripped them from
+    // calls — a silent no-op. Assert the live server advertises both.
+    const session = await newSession();
+    const { response } = await jsonRpc("tools/list", {}, { id: 2, session });
+    const r = response.result;
+    const queryLogs = r.tools?.find((t) => t.name === "query_logs");
+    assert.ok(queryLogs, "query_logs tool must be advertised");
+    const props = queryLogs.inputSchema?.properties ?? {};
+    assert.ok("labels" in props, "query_logs must advertise a `labels` param (issue #415 #1)");
+    assert.ok("aggregate" in props, "query_logs must advertise an `aggregate` param (issue #415 #2)");
+});
 test("MCP 2025-11-25: tools/call dispatches and returns CallToolResult", opts, async () => {
     const session = await newSession();
     const { response } = await jsonRpc("tools/call", { name: "list_sources", arguments: {} }, { id: 3, session });

package/dist/connectors/interface.d.ts

@@ -1,4 +1,4 @@
-import type { SignalType, ConnectorHealth, ServiceInfo, MetricInfo, MetricQuery, MetricResult, LogQuery, LogResult, TraceQuery, TraceResult, SourceConfig, MetricDefinition, Resource, Edge, TopologySnapshot, TopologyChangeListener } from "../types.js";
+import type { SignalType, ConnectorHealth, ServiceInfo, MetricInfo, MetricQuery, MetricResult, LogQuery, LogResult, LogAggregateQuery, LogAggregateResult, TraceQuery, TraceResult, SourceConfig, MetricDefinition, Resource, Edge, TopologySnapshot, TopologyChangeListener } from "../types.js";
 export interface ObservabilityConnector {
     readonly name: string;
     readonly type: string;
@@ -14,6 +14,10 @@ export interface ObservabilityConnector {
     listAvailableMetrics?(service: string): Promise<MetricInfo[]>;
     queryMetrics?(params: MetricQuery): Promise<MetricResult>;
     queryLogs?(params: LogQuery): Promise<LogResult>;
+    /** Optional server-side log aggregation (count/sum/topk). Backends that
+     *  can push aggregation down (Loki → LogQL metric queries) implement it;
+     *  the query_logs tool routes here when an `aggregate` arg is present. */
+    queryLogAggregate?(params: LogAggregateQuery): Promise<LogAggregateResult>;
     /** Optional traces capability — Tempo / Jaeger / OTLP backends
      *  implement this. The MCP `query_traces` tool fans out to every
      *  connector that has it. */

package/dist/connectors/loki.d.ts

@@ -1,5 +1,48 @@
 import type { ObservabilityConnector } from "./interface.js";
-import type { SourceConfig, ConnectorHealth, ServiceInfo, MetricDefinition, LogQuery, LogResult, SignalType } from "../types.js";
+import type { SourceConfig, ConnectorHealth, ServiceInfo, MetricDefinition, LogQuery, LogResult, LogAggregateQuery, LogAggregateResult, SignalType } from "../types.js";
+/** Escape a value for a double-quoted LogQL string literal. Backslash and
+ *  quote first (breakout chars), then control chars — a raw newline/tab in
+ *  a Go-style `"..."` literal is a parse error, so emit the escape sequence. */
+export declare function escapeLogQLValue(value: string): string;
+/**
+ * Compile a `labels` equality map into LogQL label-filter expressions that
+ * run AFTER `| json`, e.g. `{...} | json | method="GET" | status="200"`.
+ * Placed after the json parse so fields the pipeline extracts (not just
+ * stream labels) are filterable. Keys are sorted for deterministic output.
+ * Reusable, side-effect-free unit — also the basis for the Q-LOG2
+ * aggregation path and a future named-LogQL catalog. Callers validate the
+ * map (see validateLogLabels); this only escapes values.
+ */
+export declare function logqlLabelFilters(labels: Record<string, string> | undefined): string;
+/**
+ * Derive a log level from an HTTP status code when the line carries no
+ * explicit level: 5xx → error, 4xx → warn. Returns undefined otherwise so
+ * the caller keeps its existing fallback chain.
+ */
+export declare function levelFromStatus(status: unknown): "error" | "warn" | undefined;
+/** Parse a `<n><m|h|d>` duration into seconds. Returns null when malformed. */
+export declare function parseDurationSeconds(duration: string): number | null;
+/** Pick a bucket size (seconds) that yields ~60 points across the window,
+ *  floored at 60s, so a count_over_time range query isn't absurdly dense. */
+export declare function defaultBucketSeconds(durationSeconds: number): number;
+export interface AggregateLogQL {
+    logql: string;
+    /** instant (vector) for sum/topk; range (matrix) for count_over_time. */
+    mode: "instant" | "range";
+    /** Step for the range query, e.g. "300s". Only set when mode === "range". */
+    step?: string;
+}
+/**
+ * Wrap a stream+pipeline expression (`{sel} | json | …`) in a LogQL metric
+ * aggregation. Pure + side-effect-free so it's unit-testable without a
+ * backend. `by` labels are assumed pre-validated (label-name shape).
+ */
+export declare function buildAggregateLogQL(streamPipeline: string, agg: {
+    op: "count_over_time" | "sum" | "topk";
+    by?: string[];
+    k?: number;
+    step?: string;
+}, duration: string): AggregateLogQL;
 export declare class LokiConnector implements ObservabilityConnector {
     readonly type = "loki";
     readonly signalType: SignalType;
@@ -17,6 +60,7 @@ export declare class LokiConnector implements ObservabilityConnector {
     disconnect(): Promise<void>;
     listServices(): Promise<ServiceInfo[]>;
     queryLogs(params: LogQuery): Promise<LogResult>;
+    queryLogAggregate(params: LogAggregateQuery): Promise<LogAggregateResult>;
     private getLabelValues;
     private resolveServiceSelector;
     private parseLine;

package/dist/connectors/loki.js

@@ -1,6 +1,84 @@
 import { buildTlsAgent } from "./tls.js";
 const DEFAULT_SERVICE_LABELS = ["service_name", "service", "job", "app", "container"];
 const LABEL_CACHE_TTL_MS = 60_000;
+/** Escape a value for a double-quoted LogQL string literal. Backslash and
+ *  quote first (breakout chars), then control chars — a raw newline/tab in
+ *  a Go-style `"..."` literal is a parse error, so emit the escape sequence. */
+export function escapeLogQLValue(value) {
+    return value
+        .replace(/\\/g, "\\\\")
+        .replace(/"/g, '\\"')
+        .replace(/\n/g, "\\n")
+        .replace(/\r/g, "\\r")
+        .replace(/\t/g, "\\t");
+}
+/**
+ * Compile a `labels` equality map into LogQL label-filter expressions that
+ * run AFTER `| json`, e.g. `{...} | json | method="GET" | status="200"`.
+ * Placed after the json parse so fields the pipeline extracts (not just
+ * stream labels) are filterable. Keys are sorted for deterministic output.
+ * Reusable, side-effect-free unit — also the basis for the Q-LOG2
+ * aggregation path and a future named-LogQL catalog. Callers validate the
+ * map (see validateLogLabels); this only escapes values.
+ */
+export function logqlLabelFilters(labels) {
+    if (!labels)
+        return "";
+    return Object.keys(labels)
+        .sort()
+        .map((k) => ` | ${k}="${escapeLogQLValue(labels[k])}"`)
+        .join("");
+}
+/**
+ * Derive a log level from an HTTP status code when the line carries no
+ * explicit level: 5xx → error, 4xx → warn. Returns undefined otherwise so
+ * the caller keeps its existing fallback chain.
+ */
+export function levelFromStatus(status) {
+    const n = typeof status === "number" ? status : parseInt(String(status ?? ""), 10);
+    if (!Number.isFinite(n))
+        return undefined;
+    if (n >= 500 && n <= 599)
+        return "error";
+    if (n >= 400 && n <= 499)
+        return "warn";
+    return undefined;
+}
+/** Parse a `<n><m|h|d>` duration into seconds. Returns null when malformed. */
+export function parseDurationSeconds(duration) {
+    const m = /^(\d+)([mhd])$/.exec(duration);
+    if (!m)
+        return null;
+    const v = parseInt(m[1], 10);
+    return m[2] === "m" ? v * 60 : m[2] === "h" ? v * 3600 : v * 86400;
+}
+/** Pick a bucket size (seconds) that yields ~60 points across the window,
+ *  floored at 60s, so a count_over_time range query isn't absurdly dense. */
+export function defaultBucketSeconds(durationSeconds) {
+    return Math.max(60, Math.floor(durationSeconds / 60));
+}
+/**
+ * Wrap a stream+pipeline expression (`{sel} | json | …`) in a LogQL metric
+ * aggregation. Pure + side-effect-free so it's unit-testable without a
+ * backend. `by` labels are assumed pre-validated (label-name shape).
+ */
+export function buildAggregateLogQL(streamPipeline, agg, duration) {
+    const durSec = parseDurationSeconds(duration) ?? 3600;
+    const byClause = agg.by && agg.by.length ? ` by (${agg.by.join(", ")})` : "";
+    if (agg.op === "count_over_time") {
+        const stepSec = (agg.step && parseDurationSeconds(agg.step)) || defaultBucketSeconds(durSec);
+        const inner = `count_over_time(${streamPipeline} [${stepSec}s])`;
+        const logql = byClause ? `sum${byClause} (${inner})` : inner;
+        return { logql, mode: "range", step: `${stepSec}s` };
+    }
+    // sum / topk: count over the whole window, then aggregate → instant vector.
+    const totals = `sum${byClause} (count_over_time(${streamPipeline} [${durSec}s]))`;
+    if (agg.op === "topk") {
+        const k = agg.k && agg.k > 0 ? Math.floor(agg.k) : 10;
+        return { logql: `topk(${k}, ${totals})`, mode: "instant" };
+    }
+    return { logql: totals, mode: "instant" };
+}
 export class LokiConnector {
     type = "loki";
     signalType = "logs";
@@ -94,14 +172,13 @@ export class LokiConnector {
         // matches the real stream.
         const { label: matchedLabel, value: rawValue } = await this.resolveServiceSelector(params.service);
         const service = this.escapeLogQLValue(rawValue);
-        let logql = `{${matchedLabel}="${service}"}`;
+        let logql = `{${matchedLabel}="${service}"} | json`;
         if (params.level) {
-            const level = this.escapeLogQLValue(params.level);
-            logql += ` | json | level="${level}"`;
-        }
-        else {
-            logql += ` | json`;
+            logql += ` | level="${this.escapeLogQLValue(params.level)}"`;
         }
+        // Structured equality filters (method/status/url/environment/…) — run
+        // after `| json` so backend-extracted fields are selectable.
+        logql += logqlLabelFilters(params.labels);
         if (params.query) {
             const query = this.escapeLogQLRegex(params.query);
             logql += ` |~ \`${query}\``;
@@ -114,9 +191,16 @@ export class LokiConnector {
             const labels = stream.stream;
             for (const [ts, line] of stream.values) {
                 const parsed = this.parseLine(line);
+                // Prefer an explicit level; otherwise derive one from an HTTP
+                // status field (5xx→error, 4xx→warn) so structured access logs
+                // that carry `status` but no `level` are still filterable/triaged.
+                const level = parsed.level ||
+                    labels.level ||
+                    levelFromStatus(parsed.status ?? labels.status) ||
+                    "unknown";
                 entries.push({
                     timestamp: new Date(parseInt(ts) / 1_000_000).toISOString(),
-                    level: parsed.level || labels.level || "unknown",
+                    level,
                     message: parsed.msg || line,
                     labels,
                 });
@@ -140,6 +224,54 @@ export class LokiConnector {
             },
         };
     }
+    async queryLogAggregate(params) {
+        const { start, end } = this.parseTimeRange(params.duration);
+        const { label: matchedLabel, value: rawValue } = await this.resolveServiceSelector(params.service);
+        const service = this.escapeLogQLValue(rawValue);
+        // Same stream + pipeline prefix as queryLogs (reuses the Q-LOG1 unit),
+        // minus the level filter (aggregation groups, it doesn't level-filter).
+        let pipeline = `{${matchedLabel}="${service}"} | json`;
+        pipeline += logqlLabelFilters(params.labels);
+        if (params.query) {
+            pipeline += ` |~ \`${this.escapeLogQLRegex(params.query)}\``;
+        }
+        const { logql, mode, step } = buildAggregateLogQL(pipeline, { op: params.op, by: params.by, k: params.k, step: params.step }, params.duration);
+        const by = params.by ?? [];
+        const series = [];
+        if (mode === "instant") {
+            const url = `/loki/api/v1/query?query=${encodeURIComponent(logql)}&time=${end}000000000`;
+            const data = await this.apiGet(url);
+            for (const r of data?.data?.result || []) {
+                const v = Array.isArray(r.value) ? Number(r.value[1]) : NaN;
+                series.push({ labels: r.metric || {}, value: Number.isFinite(v) ? v : 0 });
+            }
+            // topk is already ordered by Loki; sort sum desc for a stable, useful view.
+            series.sort((a, b) => (b.value ?? 0) - (a.value ?? 0));
+        }
+        else {
+            // `step` from the builder is `<n>s`; the query_range step param wants seconds.
+            const stepSec = step ? parseInt(step, 10) || 60 : 60;
+            const url = `/loki/api/v1/query_range?query=${encodeURIComponent(logql)}` +
+                `&start=${start}000000000&end=${end}000000000&step=${stepSec}`;
+            const data = await this.apiGet(url);
+            for (const r of data?.data?.result || []) {
+                const points = (r.values || []).map(([ts, val]) => ({
+                    t: Math.round(Number(ts) * 1000),
+                    value: Number(val),
+                }));
+                series.push({ labels: r.metric || {}, points });
+            }
+        }
+        return {
+            source: this.name,
+            op: params.op,
+            by,
+            step: mode === "range" ? step : undefined,
+            mode,
+            series,
+            note: "Aggregate mode: `limit` does not apply (results are grouped counts, not raw rows).",
+        };
+    }
     // --- Private helpers ---
     async getLabelValues(label) {
         const cached = this.labelValuesCache.get(label);
@@ -204,7 +336,8 @@ export class LokiConnector {
         return { start: now - seconds, end: now };
     }
     escapeLogQLValue(value) {
-        return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+        // Delegate to the canonical module-level escaper (single source of truth).
+        return escapeLogQLValue(value);
     }
     escapeLogQLRegex(value) {
         // Escape backslash first (so we don't double-escape sequences we add),