@thotischner/observability-mcp 3.1.1 → 3.2.0

package/dist/tools/validation.js

@@ -73,6 +73,33 @@ export function validateLogLabels(labels) {
     }
     return null;
 }
+/**
+ * Validate a structured `labels` filter map for query_metrics. The rules are
+ * identical to the log-label validator (valid Prometheus label names, bounded
+ * map size + value length, fail-closed) — metric labels compile to PromQL
+ * label-equality matchers and the values are escaped for PromQL at injection
+ * time, exactly as the log path escapes for LogQL.
+ */
+export const validateMetricLabels = validateLogLabels;
+/**
+ * Validate a raw PromQL/LogQL passthrough string. The capability gate (is raw
+ * query allowed at all) lives at the handler; this only bounds the shape:
+ * non-empty string, length-capped so a crafted query can't build a
+ * pathological request. The query is sent verbatim to the backend (that is the
+ * point of a passthrough), so there is no syntax check — an invalid query just
+ * yields the backend's own parse error.
+ */
+export function validateRawQuery(raw) {
+    if (raw === undefined)
+        return null;
+    if (typeof raw !== "string")
+        return "raw_query must be a string.";
+    if (raw.trim().length === 0)
+        return "raw_query must not be empty.";
+    if (raw.length > 8192)
+        return "raw_query too long (max 8192 chars).";
+    return null;
+}
 const AGGREGATE_OPS = new Set(["count_over_time", "sum", "topk"]);
 /**
  * Validate the query_logs `aggregate` spec. Fail-closed, like the labels

package/dist/tools/validation.test.js

@@ -1,6 +1,6 @@
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
-import { validateDuration, validateServiceName, sanitizeLabelValue, validateLogLabels, validateLogAggregate, errorResponse } from "./validation.js";
+import { validateDuration, validateServiceName, sanitizeLabelValue, validateLogLabels, validateLogAggregate, validateMetricLabels, validateRawQuery, errorResponse } from "./validation.js";
 describe("validateLogAggregate (Q-LOG2)", () => {
     it("accepts undefined and valid specs", () => {
         assert.equal(validateLogAggregate(undefined), null);
@@ -54,6 +54,29 @@ describe("validateLogLabels (Q-LOG1)", () => {
         assert.ok(validateLogLabels(many));
     });
 });
+describe("validateRawQuery (R4, issue #415 #3)", () => {
+    it("accepts undefined (not requested) and a normal query", () => {
+        assert.equal(validateRawQuery(undefined), null);
+        assert.equal(validateRawQuery('sum(rate(http_requests_total[5m]))'), null);
+    });
+    it("rejects non-strings, empty/whitespace, and over-long", () => {
+        assert.ok(validateRawQuery(42));
+        assert.ok(validateRawQuery(""));
+        assert.ok(validateRawQuery("   "));
+        assert.ok(validateRawQuery("x".repeat(8193)));
+    });
+});
+describe("validateMetricLabels (R3, issue #415 #4)", () => {
+    it("accepts undefined and a valid map (same rules as log labels)", () => {
+        assert.equal(validateMetricLabels(undefined), null);
+        assert.equal(validateMetricLabels({ status: "500", route: "/checkout" }), null);
+    });
+    it("rejects invalid label names and bad values, fail-closed", () => {
+        assert.ok(validateMetricLabels({ "a-b": "x" }));
+        assert.ok(validateMetricLabels({ status: 500 }));
+        assert.ok(validateMetricLabels("nope"));
+    });
+});
 describe("validateDuration", () => {
     it("accepts valid durations", () => {
         assert.equal(validateDuration("5m"), null);

package/dist/types.d.ts

@@ -102,6 +102,11 @@ export interface MetricQuery {
     duration: string;
     step?: string;
     groupBy?: string;
+    labels?: Record<string, string>;
+    /** Raw PromQL, run verbatim over query_range — bypasses the curated metric
+     *  catalog/selector. When set, `metric`/`groupBy`/`labels`/`service` are
+     *  ignored. Gated by the OMCP_RAW_QUERY capability at the tool layer. */
+    rawQuery?: string;
 }
 export interface LogQuery {
     service: string;
@@ -115,6 +120,11 @@ export interface LogQuery {
      *  environment, …) become first-class selectors instead of brittle
      *  free-text regex. */
     labels?: Record<string, string>;
+    /** Raw LogQL log-selector query, run verbatim — bypasses the curated
+     *  stream-selector/pipeline construction. When set, `service`/`labels`/
+     *  `level`/`query` are ignored. Gated by the OMCP_RAW_QUERY capability at
+     *  the tool layer. For metric LogQL (count_over_time/…) use `aggregate`. */
+    rawQuery?: string;
 }
 /** Server-side log aggregation (Q-LOG2). Pushes count/group/topk down to
  *  the backend's metric-query path so an agent gets a *number*, not a

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thotischner/observability-mcp",
-  "version": "3.1.1",
+  "version": "3.2.0",
   "description": "Unified observability gateway for AI agents — one MCP server for Prometheus, Loki, and any backend",
   "type": "module",
   "license": "Apache-2.0",