@thotischner/observability-mcp 3.4.0 → 3.6.0

package/dist/index.js

@@ -25,6 +25,7 @@ import { resolveSessionStore } from "./transport/sessionStore.js";
 import { generateNonce, enforcedCsp, reportOnlyCsp, reportingEndpointsHeader, reportToHeader, summariseViolation, cspStrictReportFromEnv, CSP_NONCE_PLACEHOLDER, } from "./security/csp.js";
 import { createScimStore } from "./scim/store.js";
 import { registerScimRoutes } from "./scim/routes.js";
+import { projectProvisioning } from "./scim/provisioning-view.js";
 import { BuiltinPolicyEngine } from "./auth/policy/engine.js";
 import { loadPolicyFromFile, writePolicyFile, PolicyLoadError, VALID_RESOURCES, VALID_ACTIONS } from "./auth/policy/loader.js";
 import { OpaPolicyEngine } from "./auth/policy/opa.js";
@@ -1692,6 +1693,14 @@ async function main() {
         }
         res.json(result);
     });
+    // --- /api/provisioning — read-only view of SCIM-provisioned identities --
+    // Set below when SCIM is enabled (OMCP_SCIM_TOKEN). Lets the dashboard show
+    // the IdP-pushed Users/Groups without exposing the token-gated /scim/v2 API
+    // to a browser session. Read-only; never returns secrets.
+    let provisioningStore = null;
+    app.get("/api/provisioning", need("users", "delete"), (_req, res) => {
+        res.json(projectProvisioning(provisioningStore));
+    });
     // --- /api/subjects — aggregated principals catalogue ------------------
     // The third k8s-shaped RBAC view: who the deployment knows about.
     // Three independent sources, returned in three independent arrays so
@@ -2285,6 +2294,8 @@ async function main() {
                 redis: scimRedis,
                 redisKey: process.env.OMCP_SCIM_REDIS_KEY?.trim(),
             });
+            // Expose the same store (read-only) to the dashboard's /api/provisioning.
+            provisioningStore = scimStore;
             registerScimRoutes(app, {
                 store: scimStore,
                 bearerToken: scimToken,

package/dist/openapi.js

@@ -659,6 +659,36 @@ export function buildOpenApiSpec(version) {
                     },
                 },
             },
+            "/api/provisioning": {
+                get: {
+                    tags: ["auth"],
+                    summary: "Read-only view of SCIM-provisioned Users/Groups (admin-only).",
+                    description: "Mirrors the directory an identity provider has pushed via SCIM 2.0 (/scim/v2). Read-only and secret-free — never returns the SCIM bearer token. When SCIM is not enabled (no OMCP_SCIM_TOKEN), returns configured:false with an explanatory note rather than a 404.",
+                    responses: {
+                        "200": {
+                            description: "Provisioning payload.",
+                            content: { "application/json": { schema: {
+                                        type: "object",
+                                        properties: {
+                                            configured: { type: "boolean" },
+                                            users: { type: "array", items: { type: "object", properties: {
+                                                        userName: { type: "string" }, displayName: { type: "string" },
+                                                        active: { type: "boolean" },
+                                                        groups: { type: "array", items: { type: "string" } },
+                                                        externalId: { type: "string" },
+                                                    } } },
+                                            groups: { type: "array", items: { type: "object", properties: {
+                                                        displayName: { type: "string" }, members: { type: "integer" },
+                                                        externalId: { type: "string" },
+                                                    } } },
+                                            note: { type: "string" },
+                                        },
+                                    } } },
+                        },
+                        "403": { description: "Missing users:delete permission (admin-only)." },
+                    },
+                },
+            },
             "/api/subjects": {
                 get: {
                     tags: ["auth"],

package/dist/postmortem/synthesizer.d.ts

@@ -45,6 +45,13 @@ export interface PostmortemInput {
     traces: TraceSummary[];
     /** Optional log-error summary lines, e.g. ["payment-service: 412 5xx in window"]. */
     logHighlights?: string[];
+    /** Optional custom report template (issue: v3.3 candidate). When set, the
+     *  markdown body is rendered by interpolating `{{placeholder}}` tokens
+     *  instead of the built-in layout. Unset → the default report (unchanged).
+     *  Available tokens: service, window, from, to, tenant, synopsis, timeline,
+     *  blastRadius, signals, traces, logHighlights, followUps. An unknown token
+     *  is left verbatim so a typo is visible rather than silently dropped. */
+    template?: string;
 }
 export interface PostmortemReport {
     service: string;
@@ -81,3 +88,20 @@ export interface PostmortemReport {
 /** Synthesise one report from already-fetched primitives. Pure
  *  compute — no I/O. */
 export declare function synthesizePostmortem(input: PostmortemInput): PostmortemReport;
+type RenderCtx = {
+    input: PostmortemInput;
+    timeline: PostmortemReport["sections"]["timeline"];
+    contributingSignals: PostmortemReport["sections"]["contributingSignals"];
+    peakNode: BlastRadiusNode | undefined;
+    peakScore: number;
+    errorTraces: number;
+    blastSize: number;
+    followUps: string[];
+    synopsis: string;
+};
+/** Build the `{{token}}` → markdown-block map for a custom template. */
+export declare function buildTemplateVars(ctx: RenderCtx): Record<string, string>;
+/** Interpolate `{{token}}` placeholders. An unknown token is left verbatim so
+ *  a typo is visible in the output rather than silently producing a blank. */
+export declare function renderTemplate(template: string, vars: Record<string, string>): string;
+export {};

package/dist/postmortem/synthesizer.js

@@ -22,7 +22,7 @@ export function synthesizePostmortem(input) {
     const blastSize = input.blastRadius.nodes.length;
     const followUps = inferFollowUps(input, { peakScore, errorTraces, blastSize });
     const synopsis = synopsisFor(input, peakScore, errorTraces, blastSize);
-    const markdown = renderMarkdown({
+    const renderCtx = {
         input,
         timeline,
         contributingSignals,
@@ -32,7 +32,12 @@ export function synthesizePostmortem(input) {
         blastSize,
         followUps,
         synopsis,
-    });
+    };
+    // Default layout unless the operator supplied a custom template — the
+    // default path is byte-for-byte unchanged.
+    const markdown = input.template
+        ? renderTemplate(input.template, buildTemplateVars(renderCtx))
+        : renderMarkdown(renderCtx);
     return {
         service: input.service,
         window: input.window,
@@ -203,3 +208,51 @@ function renderMarkdown(ctx) {
     // could approach MB without the slice() caps above.
     return lines.join("\n");
 }
+/** Build the `{{token}}` → markdown-block map for a custom template. */
+export function buildTemplateVars(ctx) {
+    const { input, timeline, contributingSignals, peakNode, errorTraces, followUps, synopsis } = ctx;
+    const timelineBlock = timeline.length === 0
+        ? "_No anomaly samples in this window._"
+        : ["| ts | service | score | severity | method |", "|---|---|---|---|---|",
+            ...timeline.slice(0, 20).map((t) => `| \`${t.ts}\` | \`${t.service}\` | ${t.score} | ${t.severity} | ${t.method} |`),
+            ...(timeline.length > 20 ? [`| … | _${timeline.length - 20} more rows_ |  |  |  |`] : [])].join("\n");
+    const brLines = [];
+    brLines.push(peakNode ? `Root node: **\`${peakNode.name}\`** (\`${peakNode.kind}\`).` : "_Topology snapshot empty._");
+    if (input.blastRadius.nodes.length > 0) {
+        brLines.push("", "| node | kind |", "|---|---|", ...input.blastRadius.nodes.slice(0, 30).map((n) => `| \`${n.name}\`${n.root ? " *(root)*" : ""} | \`${n.kind}\` |`));
+    }
+    brLines.push("", `Edges in radius: **${input.blastRadius.edges.length}**.`);
+    const blastRadiusBlock = brLines.join("\n");
+    const signalsBlock = contributingSignals.length === 0
+        ? "_No anomaly samples to rank._"
+        : ["| signal | samples | mean score |", "|---|---|---|",
+            ...contributingSignals.slice(0, 10).map((s) => `| \`${s.signal}\` | ${s.count} | ${s.meanScore} |`)].join("\n");
+    const tracesBlock = input.traces.length === 0
+        ? "_No traces returned for the window. Configure a Tempo / Jaeger source if traces are expected._"
+        : ["| trace | service | duration ms | error |", "|---|---|---|---|",
+            ...input.traces.slice(0, 10).map((t) => `| \`${t.traceId}\` | \`${t.rootService}\` | ${t.durationMs} | ${t.hasError ? "yes" : "no"} |`),
+            ...(errorTraces > 0 ? [`\n_${errorTraces} of the returned traces carried error spans._`] : [])].join("\n");
+    const logHighlightsBlock = (input.logHighlights ?? []).length === 0
+        ? "_No log highlights._"
+        : input.logHighlights.map((l) => `- ${l}`).join("\n");
+    const followUpsBlock = followUps.map((f) => `- ${f}`).join("\n");
+    return {
+        service: input.service,
+        window: input.window,
+        from: input.fromIso,
+        to: input.toIso,
+        tenant: input.tenant,
+        synopsis,
+        timeline: timelineBlock,
+        blastRadius: blastRadiusBlock,
+        signals: signalsBlock,
+        traces: tracesBlock,
+        logHighlights: logHighlightsBlock,
+        followUps: followUpsBlock,
+    };
+}
+/** Interpolate `{{token}}` placeholders. An unknown token is left verbatim so
+ *  a typo is visible in the output rather than silently producing a blank. */
+export function renderTemplate(template, vars) {
+    return template.replace(/\{\{\s*([a-zA-Z][\w]*)\s*\}\}/g, (whole, key) => Object.prototype.hasOwnProperty.call(vars, key) ? vars[key] : whole);
+}

package/dist/postmortem/synthesizer.test.js

@@ -139,3 +139,30 @@ test("synthesizePostmortem: report carries the input window + iso bounds back in
     assert.equal(r.fromIso, "2026-06-06T00:00:00.000Z");
     assert.equal(r.toIso, "2026-06-06T01:00:00.000Z");
 });
+test("custom template: tokens are interpolated; default path unchanged when no template", () => {
+    const data = input({
+        anomalies: [anomaly("2026-06-06T00:10:00Z", 0.7, "mad", "warn", "cpu")],
+        blastRadius: { nodes: [{ id: "n1", kind: "pod", name: "payment-1", root: true }], edges: [] },
+        logHighlights: ["payment: 5xx spike"],
+    });
+    // Default (no template) still produces the built-in report.
+    const def = synthesizePostmortem(data);
+    assert.match(def.markdown, /^# Post-mortem — payment/);
+    // Custom template interpolates the known tokens.
+    const tpl = "INCIDENT {{service}} ({{window}})\n\n{{synopsis}}\n\nTIMELINE:\n{{timeline}}\n\nFOLLOWUPS:\n{{followUps}}\n\nLOGS:\n{{logHighlights}}";
+    const out = synthesizePostmortem({ ...data, template: tpl }).markdown;
+    assert.match(out, /^INCIDENT payment \(1h\)/);
+    assert.ok(!out.includes("# Post-mortem"), "custom template replaces the default layout");
+    assert.match(out, /TIMELINE:\n\| ts \| service \| score/);
+    assert.match(out, /LOGS:\n- payment: 5xx spike/);
+    assert.ok(out.includes(def.synopsis), "synopsis token expands to the computed synopsis");
+});
+test("custom template: unknown token is left verbatim (visible typo, not silent blank)", () => {
+    const out = synthesizePostmortem({ ...input(), template: "{{service}} / {{nope}}" }).markdown;
+    assert.equal(out, "payment / {{nope}}");
+});
+test("custom template: empty sections render their placeholder text, not a crash", () => {
+    const out = synthesizePostmortem({ ...input(), template: "T:{{timeline}} L:{{logHighlights}}" }).markdown;
+    assert.match(out, /T:_No anomaly samples in this window\._/);
+    assert.match(out, /L:_No log highlights\._/);
+});

package/dist/scim/provisioning-view.d.ts

@@ -0,0 +1,23 @@
+import type { IScimStore } from "./store.js";
+export interface ProvisioningUserView {
+    userName: string;
+    displayName: string;
+    active: boolean;
+    groups: string[];
+    externalId?: string;
+}
+export interface ProvisioningGroupView {
+    displayName: string;
+    members: number;
+    externalId?: string;
+}
+export interface ProvisioningView {
+    configured: boolean;
+    users: ProvisioningUserView[];
+    groups: ProvisioningGroupView[];
+    note?: string;
+}
+/** Project the SCIM store into the compact, secret-free shape the UI renders.
+ *  A null store (SCIM not enabled) yields configured:false + an explanatory
+ *  note, NOT an error — the dashboard shows "how to enable" instead of a 404. */
+export declare function projectProvisioning(store: IScimStore | null): ProvisioningView;

package/dist/scim/provisioning-view.js

@@ -0,0 +1,27 @@
+// Read-only projection of the SCIM store for the dashboard's Provisioning
+// sub-tab (/api/provisioning). Pure + secret-free: only the fields the UI
+// table renders, never the SCIM bearer token or anything sensitive. Kept
+// separate from the route handler so it's unit-testable without booting the app.
+const NOT_CONFIGURED_NOTE = "SCIM provisioning is not enabled. Set OMCP_SCIM_TOKEN (and OMCP_SCIM_BACKEND/store) " +
+    "to let an identity provider push Users/Groups — this view then mirrors that directory.";
+/** Project the SCIM store into the compact, secret-free shape the UI renders.
+ *  A null store (SCIM not enabled) yields configured:false + an explanatory
+ *  note, NOT an error — the dashboard shows "how to enable" instead of a 404. */
+export function projectProvisioning(store) {
+    if (!store) {
+        return { configured: false, users: [], groups: [], note: NOT_CONFIGURED_NOTE };
+    }
+    const users = store.listUsers().map((u) => ({
+        userName: u.userName,
+        displayName: u.displayName || u.name?.formatted || "",
+        active: u.active !== false,
+        groups: (u.groups || []).map((g) => g.display || g.value),
+        externalId: u.externalId,
+    }));
+    const groups = store.listGroups().map((g) => ({
+        displayName: g.displayName,
+        members: (g.members || []).length,
+        externalId: g.externalId,
+    }));
+    return { configured: true, users, groups };
+}

package/dist/scim/provisioning-view.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scim/provisioning-view.test.js

@@ -0,0 +1,51 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { projectProvisioning } from "./provisioning-view.js";
+const meta = { resourceType: "User", created: "", lastModified: "", location: "" };
+function storeWith(users, groups) {
+    // Only listUsers/listGroups are exercised by the projection.
+    return { listUsers: () => users, listGroups: () => groups };
+}
+describe("projectProvisioning", () => {
+    it("returns configured:false + a note when the store is null (SCIM not enabled)", () => {
+        const v = projectProvisioning(null);
+        assert.equal(v.configured, false);
+        assert.deepEqual(v.users, []);
+        assert.deepEqual(v.groups, []);
+        assert.match(v.note ?? "", /OMCP_SCIM_TOKEN/);
+    });
+    it("projects users to a compact, secret-free shape", () => {
+        const store = storeWith([{
+                schemas: [], id: "u1", userName: "alice@x.com", active: true,
+                displayName: "Alice", groups: [{ value: "g1", display: "Admins" }],
+                externalId: "ext-1", meta: { ...meta },
+            }], []);
+        const v = projectProvisioning(store);
+        assert.equal(v.configured, true);
+        assert.deepEqual(v.users, [{
+                userName: "alice@x.com", displayName: "Alice", active: true,
+                groups: ["Admins"], externalId: "ext-1",
+            }]);
+        // No secret/raw fields leaked.
+        assert.ok(!("schemas" in v.users[0]) && !("meta" in v.users[0]));
+    });
+    it("active defaults to true when unset; displayName falls back to name.formatted", () => {
+        const store = storeWith([{ schemas: [], id: "u2", userName: "bob", name: { formatted: "Bob B" }, meta: { ...meta } }], []);
+        const v = projectProvisioning(store);
+        assert.equal(v.users[0].active, true);
+        assert.equal(v.users[0].displayName, "Bob B");
+        assert.deepEqual(v.users[0].groups, []);
+    });
+    it("active:false is preserved", () => {
+        const store = storeWith([{ schemas: [], id: "u3", userName: "carol", active: false, meta: { ...meta } }], []);
+        assert.equal(projectProvisioning(store).users[0].active, false);
+    });
+    it("projects groups with a member count, not the member list", () => {
+        const store = storeWith([], [{
+                schemas: [], id: "g1", displayName: "Admins",
+                members: [{ value: "u1" }, { value: "u2" }], externalId: "grp-1", meta: { ...meta },
+            }]);
+        const v = projectProvisioning(store);
+        assert.deepEqual(v.groups, [{ displayName: "Admins", members: 2, externalId: "grp-1" }]);
+    });
+});

package/dist/scim/query.d.ts

@@ -0,0 +1,32 @@
+export interface ScimFilter {
+    attr: string;
+    op: "eq";
+    /** Comparison value: a string, or a boolean for `active eq true`. */
+    value: string | boolean;
+}
+/** Parse a SCIM `filter` expression. Returns null for an empty/absent filter,
+ *  or throws {unsupported:true} for a syntactically-valid filter we don't
+ *  implement (a non-eq operator) so the caller can answer 400, not 200. */
+export declare function parseScimFilter(raw: string | undefined): ScimFilter | null;
+export interface ScimListResult<T> {
+    resources: T[];
+    totalResults: number;
+    startIndex: number;
+    itemsPerPage: number;
+}
+/**
+ * Apply a SCIM `eq` filter + startIndex/count pagination to a resource list.
+ * `filter`/`startIndex`/`count` are the raw query-string values.
+ *
+ * - filter: only `eq` (string, case-insensitive; or boolean for `active`).
+ * - startIndex: 1-based (SCIM); clamped to >= 1; default 1.
+ * - count: page size; clamped to [0, 1000]; absent → all remaining.
+ *
+ * Throws a {scimUnsupported:true} error for a non-eq filter so the route can
+ * return 400 rather than a misleading full list.
+ */
+export declare function applyScimList<T extends Record<string, unknown>>(all: T[], q: {
+    filter?: string;
+    startIndex?: string;
+    count?: string;
+}): ScimListResult<T>;

package/dist/scim/query.js

@@ -0,0 +1,73 @@
+// SCIM 2.0 list query: filter + pagination (RFC 7644 §3.4.2).
+//
+// Identity providers (Entra, Okta) reconcile by issuing
+//   GET /Users?filter=userName eq "alice@example.com"
+// and page large directories with startIndex/count. Without filter support a
+// provider has to pull the whole list and match client-side — slow and, for
+// Okta, a hard requirement. We support the `eq` operator on top-level string
+// attributes (userName, displayName, externalId, id) plus `active eq true`,
+// which covers what Entra/Okta actually send. Other operators are reported as
+// unsupported (400) rather than silently returning everything — silence here
+// would make a provider think "no match" when it means "not implemented".
+/** Parse a SCIM `filter` expression. Returns null for an empty/absent filter,
+ *  or throws {unsupported:true} for a syntactically-valid filter we don't
+ *  implement (a non-eq operator) so the caller can answer 400, not 200. */
+export function parseScimFilter(raw) {
+    if (!raw || !raw.trim())
+        return null;
+    const s = raw.trim();
+    // <attr> eq "value"   |   <attr> eq true|false
+    const m = /^([A-Za-z][\w.]*)\s+(eq)\s+(?:"([^"]*)"|(true|false))$/i.exec(s);
+    if (!m) {
+        // Either an unsupported operator (co, sw, gt, …) or malformed. Signal
+        // unsupported so the route returns 400 instead of an all-rows 200.
+        const err = new Error(`Unsupported or malformed SCIM filter: ${raw}`);
+        err.scimUnsupported = true;
+        throw err;
+    }
+    const attr = m[1];
+    const value = m[3] !== undefined ? m[3] : m[4].toLowerCase() === "true";
+    return { attr, op: "eq", value };
+}
+/** Read a top-level attribute off a SCIM resource for `eq` comparison.
+ *  Only flat attributes are supported (userName/displayName/externalId/id/
+ *  active) — nested paths (name.familyName) aren't part of the eq surface. */
+function attrValue(resource, attr) {
+    // Case-insensitive attribute match per the SCIM spec (attribute names are
+    // case-insensitive); providers send `userName`, some send `username`.
+    const key = Object.keys(resource).find((k) => k.toLowerCase() === attr.toLowerCase());
+    return key ? resource[key] : undefined;
+}
+/**
+ * Apply a SCIM `eq` filter + startIndex/count pagination to a resource list.
+ * `filter`/`startIndex`/`count` are the raw query-string values.
+ *
+ * - filter: only `eq` (string, case-insensitive; or boolean for `active`).
+ * - startIndex: 1-based (SCIM); clamped to >= 1; default 1.
+ * - count: page size; clamped to [0, 1000]; absent → all remaining.
+ *
+ * Throws a {scimUnsupported:true} error for a non-eq filter so the route can
+ * return 400 rather than a misleading full list.
+ */
+export function applyScimList(all, q) {
+    const filter = parseScimFilter(q.filter);
+    let filtered = all;
+    if (filter) {
+        filtered = all.filter((r) => {
+            const v = attrValue(r, filter.attr);
+            if (typeof filter.value === "boolean")
+                return Boolean(v) === filter.value;
+            // String eq is case-insensitive per the SCIM spec for these attrs.
+            return v !== undefined && String(v).toLowerCase() === filter.value.toLowerCase();
+        });
+    }
+    const total = filtered.length;
+    const startIndex = Math.max(1, Number.parseInt(q.startIndex ?? "1", 10) || 1);
+    const from = startIndex - 1;
+    const rawCount = q.count === undefined ? undefined : Number.parseInt(q.count, 10);
+    const count = rawCount === undefined || Number.isNaN(rawCount)
+        ? undefined
+        : Math.min(1000, Math.max(0, rawCount));
+    const page = count === undefined ? filtered.slice(from) : filtered.slice(from, from + count);
+    return { resources: page, totalResults: total, startIndex, itemsPerPage: page.length };
+}

package/dist/scim/query.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scim/query.test.js

@@ -0,0 +1,71 @@
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { parseScimFilter, applyScimList } from "./query.js";
+describe("parseScimFilter", () => {
+    it("returns null for absent/empty filter", () => {
+        assert.equal(parseScimFilter(undefined), null);
+        assert.equal(parseScimFilter("   "), null);
+    });
+    it("parses string eq (case-insensitive op)", () => {
+        assert.deepEqual(parseScimFilter('userName eq "alice@x.com"'), { attr: "userName", op: "eq", value: "alice@x.com" });
+        assert.deepEqual(parseScimFilter('displayName EQ "Admins"'), { attr: "displayName", op: "eq", value: "Admins" });
+    });
+    it("parses boolean eq for active", () => {
+        assert.deepEqual(parseScimFilter("active eq true"), { attr: "active", op: "eq", value: true });
+        assert.deepEqual(parseScimFilter("active eq false"), { attr: "active", op: "eq", value: false });
+    });
+    it("throws scimUnsupported for non-eq operators / malformed", () => {
+        for (const f of ['userName co "a"', 'userName sw "a"', 'userName pr', 'garbage']) {
+            assert.throws(() => parseScimFilter(f), (e) => e.scimUnsupported === true, `expected unsupported for: ${f}`);
+        }
+    });
+});
+describe("applyScimList", () => {
+    const users = [
+        { id: "1", userName: "alice@x.com", active: true },
+        { id: "2", userName: "bob@x.com", active: false },
+        { id: "3", userName: "carol@x.com", active: true },
+    ];
+    it("no filter, no pagination → all rows, correct envelope", () => {
+        const r = applyScimList(users, {});
+        assert.equal(r.totalResults, 3);
+        assert.equal(r.startIndex, 1);
+        assert.equal(r.itemsPerPage, 3);
+        assert.equal(r.resources.length, 3);
+    });
+    it("eq filter matches case-insensitively on the value", () => {
+        const r = applyScimList(users, { filter: 'userName eq "ALICE@X.COM"' });
+        assert.equal(r.totalResults, 1);
+        assert.equal(r.resources[0].id, "1");
+    });
+    it("eq filter with no match → empty, totalResults 0 (not all rows)", () => {
+        const r = applyScimList(users, { filter: 'userName eq "nobody@x.com"' });
+        assert.equal(r.totalResults, 0);
+        assert.equal(r.resources.length, 0);
+    });
+    it("boolean eq filters on active", () => {
+        assert.equal(applyScimList(users, { filter: "active eq true" }).totalResults, 2);
+        assert.equal(applyScimList(users, { filter: "active eq false" }).totalResults, 1);
+    });
+    it("pagination: startIndex + count slice; totalResults is the pre-page count", () => {
+        const r = applyScimList(users, { startIndex: "2", count: "1" });
+        assert.equal(r.totalResults, 3);
+        assert.equal(r.startIndex, 2);
+        assert.equal(r.itemsPerPage, 1);
+        assert.equal(r.resources[0].id, "2");
+    });
+    it("count=0 returns an empty page but the real totalResults", () => {
+        const r = applyScimList(users, { count: "0" });
+        assert.equal(r.totalResults, 3);
+        assert.equal(r.resources.length, 0);
+    });
+    it("filter + pagination compose", () => {
+        const r = applyScimList(users, { filter: "active eq true", startIndex: "2", count: "5" });
+        assert.equal(r.totalResults, 2); // alice + carol
+        assert.equal(r.resources.length, 1); // from index 2 of the 2 matches
+        assert.equal(r.resources[0].id, "3");
+    });
+    it("propagates the unsupported-filter error for the route to 400", () => {
+        assert.throws(() => applyScimList(users, { filter: 'userName co "x"' }), (e) => e.scimUnsupported === true);
+    });
+});

package/dist/scim/routes.js

@@ -4,7 +4,7 @@
 //   GET    /scim/v2/ServiceProviderConfig
 //   GET    /scim/v2/ResourceTypes
 //   GET    /scim/v2/Schemas
-//   GET    /scim/v2/Users        list (no filter support yet)
+//   GET    /scim/v2/Users        list (filter: <attr> eq "x"; startIndex/count)
 //   GET    /scim/v2/Users/:id
 //   POST   /scim/v2/Users
 //   PATCH  /scim/v2/Users/:id    minimal: replace top-level attrs
@@ -20,6 +20,7 @@
 import { timingSafeEqual } from "node:crypto";
 import { SCIM_SCHEMA_LIST_RESPONSE, SCIM_SCHEMA_USER, SCIM_SCHEMA_GROUP, scimError, } from "./types.js";
 import { ScimNotFoundError, ScimValidationError } from "./store.js";
+import { applyScimList } from "./query.js";
 const constantTimeBearerMatch = (raw, expected) => {
     if (!raw)
         return false;
@@ -57,7 +58,7 @@ export function registerScimRoutes(app, deps) {
             documentationUri: "https://thotischner.github.io/observability-mcp/scim-provisioning/",
             patch: { supported: true },
             bulk: { supported: false, maxOperations: 0, maxPayloadSize: 0 },
-            filter: { supported: false, maxResults: 200 },
+            filter: { supported: true, maxResults: 200 },
             changePassword: { supported: false },
             sort: { supported: false },
             etag: { supported: false },
@@ -108,14 +109,25 @@ export function registerScimRoutes(app, deps) {
         });
     });
     // ---- Users ----
-    app.get("/scim/v2/Users", (_req, res) => {
+    app.get("/scim/v2/Users", (req, res) => {
         const users = store.listUsers().map((u) => withGroups(u, store));
+        let page;
+        try {
+            page = applyScimList(users, req.query);
+        }
+        catch (e) {
+            if (e.scimUnsupported) {
+                res.status(400).json(scimError(400, e.message));
+                return;
+            }
+            throw e;
+        }
         res.json({
             schemas: [SCIM_SCHEMA_LIST_RESPONSE],
-            totalResults: users.length,
-            itemsPerPage: users.length,
-            startIndex: 1,
-            Resources: users,
+            totalResults: page.totalResults,
+            itemsPerPage: page.itemsPerPage,
+            startIndex: page.startIndex,
+            Resources: page.resources,
         });
     });
     app.get("/scim/v2/Users/:id", (req, res) => {
@@ -157,14 +169,25 @@ export function registerScimRoutes(app, deps) {
         res.status(204).end();
     });
     // ---- Groups ----
-    app.get("/scim/v2/Groups", (_req, res) => {
+    app.get("/scim/v2/Groups", (req, res) => {
         const groups = store.listGroups();
+        let page;
+        try {
+            page = applyScimList(groups, req.query);
+        }
+        catch (e) {
+            if (e.scimUnsupported) {
+                res.status(400).json(scimError(400, e.message));
+                return;
+            }
+            throw e;
+        }
         res.json({
             schemas: [SCIM_SCHEMA_LIST_RESPONSE],
-            totalResults: groups.length,
-            itemsPerPage: groups.length,
-            startIndex: 1,
-            Resources: groups,
+            totalResults: page.totalResults,
+            itemsPerPage: page.itemsPerPage,
+            startIndex: page.startIndex,
+            Resources: page.resources,
         });
     });
     app.get("/scim/v2/Groups/:id", (req, res) => {

package/dist/tools/generate-postmortem.d.ts

@@ -1,5 +1,7 @@
 import type { ConnectorRegistry } from "../connectors/registry.js";
 import { type RequestContext } from "../context.js";
+/** Test seam: reset the cached template (so tests can vary the env). */
+export declare function _resetPostmortemTemplateCache(): void;
 export declare const generatePostmortemDefinition: {
     name: "generate_postmortem";
     description: string;

package/dist/tools/generate-postmortem.js

@@ -7,9 +7,37 @@
 // The synthesizer is pure compute (see ./../postmortem/synthesizer);
 // this handler is just the orchestration: pull each upstream
 // primitive in parallel, hand the result to the synthesizer.
+import { readFileSync } from "node:fs";
 import { defaultContext } from "../context.js";
 import { validateDuration, validateServiceName, errorResponse } from "./validation.js";
 import { synthesizePostmortem, } from "../postmortem/synthesizer.js";
+// Optional operator-supplied report template (v3.3 candidate). Set
+// OMCP_POSTMORTEM_TEMPLATE to a file of `{{token}}` placeholders to override
+// the built-in layout; unset → the default report. Read once and cached; a
+// read error falls back to the default (logged once) rather than failing the
+// tool — a broken template must not break incident reporting.
+let _templateCache;
+function loadPostmortemTemplate(env = process.env) {
+    if (_templateCache !== undefined)
+        return _templateCache ?? undefined;
+    const path = env.OMCP_POSTMORTEM_TEMPLATE?.trim();
+    if (!path) {
+        _templateCache = null;
+        return undefined;
+    }
+    try {
+        _templateCache = readFileSync(path, "utf8");
+    }
+    catch (err) {
+        console.error("OMCP_POSTMORTEM_TEMPLATE unreadable, using the built-in layout:", err instanceof Error ? err.message : err);
+        _templateCache = null;
+    }
+    return _templateCache ?? undefined;
+}
+/** Test seam: reset the cached template (so tests can vary the env). */
+export function _resetPostmortemTemplateCache() {
+    _templateCache = undefined;
+}
 export const generatePostmortemDefinition = {
     name: "generate_postmortem",
     description: [
@@ -59,6 +87,7 @@ export async function generatePostmortemHandler(registry, args, ctx = defaultCon
         blastRadius,
         traces,
         logHighlights,
+        template: loadPostmortemTemplate(),
     });
     // Which primitives actually carried data. A post-mortem synthesised from
     // ZERO signal still renders a full, authoritative-looking document — an

package/dist/tools/generate-postmortem.test.js

@@ -1,7 +1,10 @@
 import { describe, it } from "node:test";
 import assert from "node:assert/strict";
+import { writeFileSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 import { ConnectorRegistry } from "../connectors/registry.js";
-import { generatePostmortemHandler } from "./generate-postmortem.js";
+import { generatePostmortemHandler, _resetPostmortemTemplateCache } from "./generate-postmortem.js";
 // R5 — a post-mortem built from ZERO signal (no anomaly/traces/topology/log
 // backend) must label itself, not render as an authoritative finding.
 describe("generatePostmortemHandler — no-signal honesty (R5)", () => {
@@ -20,3 +23,50 @@ describe("generatePostmortemHandler — no-signal honesty (R5)", () => {
         assert.deepEqual(report.coverage, { anomalies: false, traces: false, topology: false, logs: false });
     });
 });
+describe("generatePostmortemHandler — custom template via OMCP_POSTMORTEM_TEMPLATE (C3)", () => {
+    it("renders the operator's template when the env file is set; falls back when unset", async () => {
+        const dir = mkdtempSync(join(tmpdir(), "pm-tpl-"));
+        const file = join(dir, "tpl.md");
+        writeFileSync(file, "## Incident: {{service}} over {{window}}\n\n{{synopsis}}");
+        const prev = process.env.OMCP_POSTMORTEM_TEMPLATE;
+        try {
+            process.env.OMCP_POSTMORTEM_TEMPLATE = file;
+            _resetPostmortemTemplateCache();
+            const reg = new ConnectorRegistry();
+            const md = (await generatePostmortemHandler(reg, { service: "payment", duration: "2h" })).content[0].text;
+            // The custom template body is used (the no-signal honesty banner may
+            // still prepend it — that's deliberate and template-independent).
+            assert.match(md, /## Incident: payment over 2h/);
+            assert.ok(!md.includes("# Post-mortem —"), "custom template replaces the default layout");
+            // Unset → back to the built-in layout.
+            delete process.env.OMCP_POSTMORTEM_TEMPLATE;
+            _resetPostmortemTemplateCache();
+            const md2 = (await generatePostmortemHandler(reg, { service: "payment", duration: "2h" })).content[0].text;
+            assert.match(md2, /# Post-mortem — payment/);
+        }
+        finally {
+            if (prev === undefined)
+                delete process.env.OMCP_POSTMORTEM_TEMPLATE;
+            else
+                process.env.OMCP_POSTMORTEM_TEMPLATE = prev;
+            _resetPostmortemTemplateCache();
+            rmSync(dir, { recursive: true, force: true });
+        }
+    });
+    it("an unreadable template path falls back to the default layout, doesn't throw", async () => {
+        const prev = process.env.OMCP_POSTMORTEM_TEMPLATE;
+        try {
+            process.env.OMCP_POSTMORTEM_TEMPLATE = "/nonexistent/nope.md";
+            _resetPostmortemTemplateCache();
+            const md = (await generatePostmortemHandler(new ConnectorRegistry(), { service: "x", duration: "1h" })).content[0].text;
+            assert.match(md, /# Post-mortem — x/);
+        }
+        finally {
+            if (prev === undefined)
+                delete process.env.OMCP_POSTMORTEM_TEMPLATE;
+            else
+                process.env.OMCP_POSTMORTEM_TEMPLATE = prev;
+            _resetPostmortemTemplateCache();
+        }
+    });
+});

package/dist/ui/index.html

@@ -2226,6 +2226,7 @@ curl -X PUT http://localhost:3000/api/enterprise/catalog \
         <button class="pol-subtab" role="tab" aria-controls="pol-pane-roles" data-pol-tab="roles" onclick="polSetTab('roles')">Roles</button>
         <button class="pol-subtab" role="tab" aria-controls="pol-pane-bindings" data-pol-tab="bindings" onclick="polSetTab('bindings')">Bindings</button>
         <button class="pol-subtab" role="tab" aria-controls="pol-pane-subjects" data-pol-tab="subjects" onclick="polSetTab('subjects')">Subjects</button>
+        <button class="pol-subtab" role="tab" aria-controls="pol-pane-provisioning" data-pol-tab="provisioning" onclick="polSetTab('provisioning')">Provisioning</button>
         <button class="pol-subtab" role="tab" aria-controls="pol-pane-batch" data-pol-tab="batch" onclick="polSetTab('batch')">Batch evaluate</button>
       </nav>
 
@@ -2326,6 +2327,21 @@ curl -X PUT http://localhost:3000/api/enterprise/catalog \
         <div id="pol-subjects-body" class="content"><div class="empty">Loading…</div></div>
       </div>
 
+      <!-- Provisioning sub-tab (C2b) — read-only view of the SCIM-provisioned
+           Users/Groups an identity provider has pushed via /scim/v2. -->
+      <div class="card pol-pane" id="pol-pane-provisioning" role="tabpanel" hidden>
+        <div class="card-header"><h2>Provisioning
+          <button class="info" aria-label="About provisioning"
+            data-title="SCIM provisioning"
+            data-info="Read-only view of the Users and Groups an identity provider (Entra, Okta) has pushed via SCIM 2.0 at /scim/v2. Enable by setting OMCP_SCIM_TOKEN. This dashboard never exposes the SCIM bearer token; the IdP reconciles directly against the /scim/v2 endpoints."
+            onclick="infoPop(this)">?</button>
+          <span style="flex:1"></span>
+          <input id="pol-provisioning-filter" type="search" class="input" placeholder="Filter…"
+            style="max-width:220px" oninput="polRenderProvisioning()" aria-label="Filter provisioned identities">
+        </div>
+        <div id="pol-provisioning-body" class="content"><div class="empty">Loading…</div></div>
+      </div>
+
       <!-- Batch evaluate sub-tab (P4) — wraps POST /api/policy/dry-run-batch
            into a UI: subjects × resources × actions multi-select,
            one click renders a green/red heat-map matrix the user
@@ -3148,10 +3164,76 @@ function polSetTab(name) {
   // Lazy-load Subjects on first visit — it has its own endpoint
   // so deferring the fetch keeps the page-enter cost low.
   if (name === 'subjects') polLoadSubjects();
+  if (name === 'provisioning') polLoadProvisioning();
   if (name === 'bindings') polLoadBindings();
   if (name === 'batch') polBatchInit();
 }
 
+// --- Provisioning sub-tab (C2b) — read-only SCIM Users/Groups view ---
+let POL_PROVISIONING = null;
+async function polLoadProvisioning() {
+  const body = document.getElementById('pol-provisioning-body');
+  if (!body) return;
+  if (POL_PROVISIONING) { polRenderProvisioning(); return; }
+  try {
+    const r = await fetch('/api/provisioning');
+    if (!r.ok) {
+      body.innerHTML = '<div class="empty">Provisioning view requires the <code>users:delete</code> permission (admin role).</div>';
+      return;
+    }
+    POL_PROVISIONING = await r.json();
+    polRenderProvisioning();
+  } catch (e) {
+    body.innerHTML = '<div class="empty">Provisioning unavailable: ' + escHtml(String(e && e.message || e)) + '</div>';
+  }
+}
+function polRenderProvisioning() {
+  const body = document.getElementById('pol-provisioning-body');
+  const j = POL_PROVISIONING;
+  if (!body || !j) return;
+  if (!j.configured) {
+    body.innerHTML = '<div class="pol-subjects-empty" style="padding:var(--sp-4)">'
+      + escHtml(j.note || 'SCIM provisioning is not enabled.') + '</div>';
+    return;
+  }
+  const q = (document.getElementById('pol-provisioning-filter')?.value || '').toLowerCase();
+  const match = (s) => !q || String(s).toLowerCase().includes(q);
+  const users = (j.users || []).filter((u) => match(u.userName) || match(u.displayName) || (u.groups || []).some(match));
+  const groups = (j.groups || []).filter((g) => match(g.displayName));
+
+  const usersHtml = users.map((u) => `
+    <tr>
+      <td><code>${escHtml(u.userName)}</code></td>
+      <td>${escHtml(u.displayName || '') || '<span class="t-sm" style="opacity:.5">—</span>'}</td>
+      <td>${u.active ? '<span class="pill">active</span>' : '<span class="pill" style="background:var(--warning-soft);color:var(--warning)">inactive</span>'}</td>
+      <td>${(u.groups || []).map((g) => `<span class="pill">${escHtml(g)}</span>`).join(' ') || '<span class="t-sm" style="opacity:.5">—</span>'}</td>
+    </tr>`).join('');
+  const groupsHtml = groups.map((g) => `
+    <tr>
+      <td><code>${escHtml(g.displayName)}</code></td>
+      <td>${g.members}</td>
+    </tr>`).join('');
+
+  const usersTbl = usersHtml
+    ? `<table class="data-table" style="width:100%"><thead><tr><th>Username</th><th>Display name</th><th>Status</th><th>Groups</th></tr></thead><tbody>${usersHtml}</tbody></table>`
+    : `<div class="pol-subjects-empty">${q ? 'No users match the filter.' : 'No provisioned users yet — the identity provider has not pushed any.'}</div>`;
+  const groupsTbl = groupsHtml
+    ? `<table class="data-table" style="width:100%"><thead><tr><th>Group</th><th>Members</th></tr></thead><tbody>${groupsHtml}</tbody></table>`
+    : `<div class="pol-subjects-empty">${q ? 'No groups match the filter.' : 'No provisioned groups yet.'}</div>`;
+
+  body.innerHTML = `
+    <div class="pol-subjects-section">
+      <h3>Users <span class="pol-subjects-count">${(j.users || []).length}</span>
+        <span class="pol-subjects-source">via SCIM /scim/v2/Users</span></h3>
+      ${usersTbl}
+    </div>
+    <div class="pol-subjects-section">
+      <h3>Groups <span class="pol-subjects-count">${(j.groups || []).length}</span>
+        <span class="pol-subjects-source">via SCIM /scim/v2/Groups</span></h3>
+      ${groupsTbl}
+    </div>`;
+}
+
 // --- Batch evaluate sub-tab (P4) ---
 //
 // One round-trip to POST /api/policy/dry-run-batch with the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thotischner/observability-mcp",
-  "version": "3.4.0",
+  "version": "3.6.0",
   "description": "Unified observability gateway for AI agents — one MCP server for Prometheus, Loki, and any backend",
   "type": "module",
   "license": "Apache-2.0",