vmware-log-insight 1.6.1__tar.gz

vmware_log_insight-1.6.1/.gitignore

@@ -0,0 +1,23 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+dist/
+build/
+.eggs/
+*.egg
+.venv/
+venv/
+.env
+*.log
+.pytest_cache/
+.ruff_cache/
+htmlcov/
+.coverage
+config.yaml
+.agents/
+.claude/
+.trae/
+skills-lock.json
+tests/fixtures/token_corpus/
+.DS_Store

vmware_log_insight-1.6.1/Dockerfile

@@ -0,0 +1,14 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN pip install --no-cache-dir uv
+
+COPY pyproject.toml .
+COPY README.md .
+COPY vmware_log_insight/ vmware_log_insight/
+COPY mcp_server/ mcp_server/
+
+RUN uv pip install --system .
+
+CMD ["vmware-log-insight", "mcp"]

vmware_log_insight-1.6.1/PKG-INFO

@@ -0,0 +1,88 @@
+Metadata-Version: 2.4
+Name: vmware-log-insight
+Version: 1.6.1
+Summary: VMware Aria Operations for Logs (vRealize Log Insight) read-only log search, aggregation, and alert queries — MCP + CLI
+Author-email: Wei Zhou <wei-wz.zhou@broadcom.com>
+License-Expression: MIT
+Keywords: ai-ops,aria,log-insight,logs,mcp,siem,vmware,vrealize
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: System :: Logging
+Classifier: Topic :: System :: Monitoring
+Requires-Python: >=3.10
+Requires-Dist: httpx<1.0,>=0.27
+Requires-Dist: mcp[cli]<2.0,>=1.10
+Requires-Dist: python-dotenv<2.0,>=1.0
+Requires-Dist: pyyaml<7.0,>=6.0
+Requires-Dist: rich<15.0,>=13.0
+Requires-Dist: typer<1.0,>=0.12
+Requires-Dist: vmware-policy<2.0,>=1.0.0
+Description-Content-Type: text/markdown
+
+<!-- mcp-name: io.github.zw008/vmware-log-insight -->
+
+# VMware Log Insight
+
+> **Disclaimer**: Community-maintained open-source project, **not affiliated with,
+> endorsed by, or sponsored by VMware, Inc. or Broadcom Inc.** "VMware", "vSphere",
+> and "Aria" are trademarks of Broadcom. Source is publicly auditable under the MIT license.
+
+Read-only log search and aggregation for **VMware Aria Operations for Logs**
+(formerly vRealize Log Insight) — the appliance that collects syslog from ESXi
+hosts, vCenter, and VMs. The centralized-log data source for the VMware skill
+family. **Strictly non-destructive**: it queries, it never writes.
+
+## Companion Skills
+
+| Need | Skill |
+|---|---|
+| Raw centralized logs + spikes | **vmware-log-insight** (this) |
+| vCenter events & alarms | [vmware-monitor](https://github.com/zw008/VMware-Monitor) |
+| Metrics, anomalies, capacity | [vmware-aria](https://github.com/zw008/VMware-Aria) |
+| Incident correlation / root cause | [vmware-debug](https://github.com/zw008/VMware-Debug) — feed it `log_search` output |
+| VM lifecycle / operations | [vmware-aiops](https://github.com/zw008/VMware-AIops) |
+
+## Install
+
+```bash
+uv tool install vmware-log-insight
+mkdir -p ~/.vmware-log-insight
+cp config.example.yaml ~/.vmware-log-insight/config.yaml   # edit host/username/provider
+echo 'VMWARE_LOG_INSIGHT_PROD_PASSWORD=...' > ~/.vmware-log-insight/.env
+chmod 600 ~/.vmware-log-insight/.env
+vmware-log-insight doctor
+```
+
+## MCP Tools (7 — all read-only)
+
+| Tool | What |
+|---|---|
+| `log_search` | Search events by time window + text + filters |
+| `log_aggregate` | Count/aggregate over time bins, with z-score spike detection |
+| `log_fields` | List extracted fields usable in filters |
+| `log_version` | Appliance version/build |
+| `alert_list` / `alert_get` / `alert_history` | Query defined alerts and their trigger history |
+
+## Workflows
+
+- **Find errors fast** — `vmware-log-insight search -q error -l 1h`.
+- **Where did logs burst?** — `vmware-log-insight aggregate -q error -l 6h --bin-ms 300000`, read `spikes[]`, then `search` the spike window.
+- **Root cause** — pass `log_search` results (plus vCenter events from vmware-monitor and metrics from vmware-aria) to **vmware-debug** `incident_timeline`.
+
+## Troubleshooting
+
+- `401 on /sessions` → check username/password/`provider` and the `VMWARE_LOG_INSIGHT_<TARGET>_PASSWORD` env var.
+- `503 everywhere` → appliance starting up; `doctor` reports it as a status, not a crash.
+- Empty results → widen `--last`; default API port is **9543** (set `port` if different).
+
+## Security
+
+Read-only by construction. Credentials in `~/.vmware-log-insight/.env` (`chmod 600`);
+plaintext passwords auto-obfuscated to grep-safe `b64:` (obfuscation, not
+encryption — inject from a secret manager for real secrecy). TLS on by default.
+See [SECURITY.md](SECURITY.md).
+
+## License
+
+MIT.

vmware_log_insight-1.6.1/README-CN.md

@@ -0,0 +1,51 @@
+<!-- mcp-name: io.github.zw008/vmware-log-insight -->
+
+# VMware Log Insight（中文）
+
+> **声明**：本项目为社区维护的开源项目，**与 VMware, Inc. 或 Broadcom Inc. 无任何隶属、
+> 背书或赞助关系。** "VMware"、"vSphere"、"Aria" 为 Broadcom 商标。源码以 MIT 许可证公开可审计。
+
+面向 **VMware Aria Operations for Logs**（原 vRealize Log Insight，集中收集 ESXi / vCenter /
+VM syslog 的日志平台）的**只读**日志检索与聚合。VMware skill 家族的集中日志数据源。
+**严格无破坏性**：只查询，从不写入。
+
+## 配套 Skill
+
+| 需求 | Skill |
+|---|---|
+| 原始集中日志 + 突刺 | **vmware-log-insight**（本项目） |
+| vCenter 事件与告警 | vmware-monitor |
+| 指标 / 异常 / 容量 | vmware-aria |
+| 故障关联 / 根因 | vmware-debug（把 `log_search` 结果喂给它） |
+
+## 安装
+
+```bash
+uv tool install vmware-log-insight
+mkdir -p ~/.vmware-log-insight
+cp config.example.yaml ~/.vmware-log-insight/config.yaml   # 填写 host/username/provider
+echo 'VMWARE_LOG_INSIGHT_PROD_PASSWORD=...' > ~/.vmware-log-insight/.env
+chmod 600 ~/.vmware-log-insight/.env
+vmware-log-insight doctor
+```
+
+## MCP 工具（7 个，全只读）
+
+`log_search`（按时间窗 + 文本 + 字段过滤检索）、`log_aggregate`（按时间桶聚合 + z-score
+突刺检测）、`log_fields`、`log_version`、`alert_list` / `alert_get` / `alert_history`。
+
+## 常用工作流
+
+- **快速找错**：`vmware-log-insight search -q error -l 1h`
+- **日志何时突增**：`vmware-log-insight aggregate -q error -l 6h --bin-ms 300000`，看 `spikes[]`，再 `search` 突刺时间窗
+- **根因定位**：把 `log_search` 结果（连同 vmware-monitor 的 vCenter 事件、vmware-aria 的指标）交给 **vmware-debug** 的 `incident_timeline`
+
+## 安全
+
+结构上只读。凭据存于 `~/.vmware-log-insight/.env`（`chmod 600`）；明文密码首次加载自动
+转为 grep 不可见的 `b64:` 形式（**是混淆不是加密**——真合规请从 secret manager 注入）。
+默认开启 TLS 校验。详见 [SECURITY.md](SECURITY.md)。
+
+## 许可证
+
+MIT。

vmware_log_insight-1.6.1/README.md

@@ -0,0 +1,66 @@
+<!-- mcp-name: io.github.zw008/vmware-log-insight -->
+
+# VMware Log Insight
+
+> **Disclaimer**: Community-maintained open-source project, **not affiliated with,
+> endorsed by, or sponsored by VMware, Inc. or Broadcom Inc.** "VMware", "vSphere",
+> and "Aria" are trademarks of Broadcom. Source is publicly auditable under the MIT license.
+
+Read-only log search and aggregation for **VMware Aria Operations for Logs**
+(formerly vRealize Log Insight) — the appliance that collects syslog from ESXi
+hosts, vCenter, and VMs. The centralized-log data source for the VMware skill
+family. **Strictly non-destructive**: it queries, it never writes.
+
+## Companion Skills
+
+| Need | Skill |
+|---|---|
+| Raw centralized logs + spikes | **vmware-log-insight** (this) |
+| vCenter events & alarms | [vmware-monitor](https://github.com/zw008/VMware-Monitor) |
+| Metrics, anomalies, capacity | [vmware-aria](https://github.com/zw008/VMware-Aria) |
+| Incident correlation / root cause | [vmware-debug](https://github.com/zw008/VMware-Debug) — feed it `log_search` output |
+| VM lifecycle / operations | [vmware-aiops](https://github.com/zw008/VMware-AIops) |
+
+## Install
+
+```bash
+uv tool install vmware-log-insight
+mkdir -p ~/.vmware-log-insight
+cp config.example.yaml ~/.vmware-log-insight/config.yaml   # edit host/username/provider
+echo 'VMWARE_LOG_INSIGHT_PROD_PASSWORD=...' > ~/.vmware-log-insight/.env
+chmod 600 ~/.vmware-log-insight/.env
+vmware-log-insight doctor
+```
+
+## MCP Tools (7 — all read-only)
+
+| Tool | What |
+|---|---|
+| `log_search` | Search events by time window + text + filters |
+| `log_aggregate` | Count/aggregate over time bins, with z-score spike detection |
+| `log_fields` | List extracted fields usable in filters |
+| `log_version` | Appliance version/build |
+| `alert_list` / `alert_get` / `alert_history` | Query defined alerts and their trigger history |
+
+## Workflows
+
+- **Find errors fast** — `vmware-log-insight search -q error -l 1h`.
+- **Where did logs burst?** — `vmware-log-insight aggregate -q error -l 6h --bin-ms 300000`, read `spikes[]`, then `search` the spike window.
+- **Root cause** — pass `log_search` results (plus vCenter events from vmware-monitor and metrics from vmware-aria) to **vmware-debug** `incident_timeline`.
+
+## Troubleshooting
+
+- `401 on /sessions` → check username/password/`provider` and the `VMWARE_LOG_INSIGHT_<TARGET>_PASSWORD` env var.
+- `503 everywhere` → appliance starting up; `doctor` reports it as a status, not a crash.
+- Empty results → widen `--last`; default API port is **9543** (set `port` if different).
+
+## Security
+
+Read-only by construction. Credentials in `~/.vmware-log-insight/.env` (`chmod 600`);
+plaintext passwords auto-obfuscated to grep-safe `b64:` (obfuscation, not
+encryption — inject from a secret manager for real secrecy). TLS on by default.
+See [SECURITY.md](SECURITY.md).
+
+## License
+
+MIT.

vmware_log_insight-1.6.1/RELEASE_NOTES.md

@@ -0,0 +1,31 @@
+## v1.6.1 (2026-06-24) — initial release
+
+First release of **vmware-log-insight**: read-only log search and aggregation for
+VMware Aria Operations for Logs (vRealize Log Insight). The centralized-log data
+source for the VMware skill family.
+
+### Added
+- **7 read-only MCP tools**: `log_search` (time-window + text + filter event
+  search), `log_aggregate` (COUNT/UCOUNT/AVG/… time series with z-score spike
+  detection), `log_fields`, `log_version`, `alert_list`, `alert_get`,
+  `alert_history`.
+- **Typer CLI** mirroring the tools: `search`, `aggregate`, `fields`,
+  `alert list/get/history`, `doctor`, `mcp`, `version`.
+- **Session auth** (`POST /api/v2/sessions`, Bearer token, TTL refresh) with
+  **centralized HTTP error translation** to teaching `LogInsightApiError`
+  (status + path + fix hint); transient 502/503/504 + transport errors retry once,
+  401 re-auths once, 4xx are not retried (CLAUDE.md 错误恢复三层 / 踩坑 #37).
+- **Path-encoded constraint builder** with human duration shorthand ("1h", "30m",
+  "7d") and URL-escaped values; never issues an unbounded query (defaults to last hour).
+- **`.env` password obfuscation** built in from day one: plaintext `*_PASSWORD`
+  auto-rewritten to grep-safe `b64:` via python-dotenv's own parser (obfuscation,
+  not encryption; secret-manager injection documented). CLAUDE.md 踩坑 #38.
+- **Spec-conformance test** (踩坑 #36): AST-scans every HTTP call against the
+  official API index in `tests/eval/spec/` so a hallucinated endpoint fails CI.
+- Regression evals: MCP tool exposure (踩坑 #34), read-only invariant, b64 parity.
+
+### Notes
+- Strictly **read-only** — no ingest/write tools.
+- Exact v2 response schemas are parsed defensively across documented wire variants;
+  confirmation against a live appliance's `/rest-api` reference is tracked in BACKLOG
+  (same real-hardware-verification status as VKS `/wcp/login`).

vmware_log_insight-1.6.1/SECURITY.md

@@ -0,0 +1,55 @@
+# Security Policy
+
+## Disclaimer
+
+This is a community-maintained open-source project and is **not affiliated with,
+endorsed by, or sponsored by VMware, Inc. or Broadcom Inc.** "VMware", "vSphere",
+and "Aria" are trademarks of Broadcom. Source code is publicly auditable at
+[github.com/zw008/VMware-Log-Insight](https://github.com/zw008/VMware-Log-Insight)
+under the MIT license.
+
+## Reporting Vulnerabilities
+
+Report security issues via a GitHub private security advisory on the repository,
+or by email to the maintainer. Please do not open public issues for security bugs.
+
+## Security Design
+
+### Read-only by construction
+This skill exposes **no write tools**. It only queries the Log Insight appliance
+(events, aggregations, fields, alerts); it cannot ingest, edit, or delete logs or
+alerts. There is no destructive surface to gate.
+
+### Credential management
+- Passwords are loaded from `~/.vmware-log-insight/.env` (`chmod 600`), never from
+  `config.yaml` and never via MCP messages.
+- Per-target convention: `VMWARE_LOG_INSIGHT_<TARGET>_PASSWORD`.
+- **At-rest obfuscation**: plaintext `*_PASSWORD` values in `.env` are auto-rewritten
+  to a grep-safe `b64:` form on first load (via python-dotenv's own parser, so the
+  stored value never drifts). This is **obfuscation, not encryption** — for real
+  secrecy, inject from a secret manager (Vault/CyberArk/AWS Secrets Manager/K8s
+  Secret) into the env var at process start instead of storing `.env`.
+
+### SSL/TLS verification
+On by default (`verify_ssl: true`). Disable only for self-signed lab appliances.
+
+### Transitive dependencies
+Depends on `vmware-policy` (shared audit + `@vmware_tool` decorator + `sanitize`).
+Read-tool calls are recorded to the shared audit DB (`~/.vmware/audit.db`).
+
+### Prompt-injection protection
+All text returned from the appliance passes through `sanitize()` (truncation +
+C0/C1 control-character stripping) before reaching the agent.
+
+## Static Analysis
+
+```bash
+uvx bandit -r vmware_log_insight/ mcp_server/
+```
+
+Release bar: 0 Medium-or-higher severity findings.
+
+## Supported Versions
+
+The latest released version receives security fixes. Versions are kept aligned
+across the VMware skill family.

vmware_log_insight-1.6.1/config.example.yaml

@@ -0,0 +1,25 @@
+# VMware Log Insight (Aria Operations for Logs) Configuration
+# Copy to ~/.vmware-log-insight/config.yaml and edit
+
+targets:
+  prod:
+    host: loginsight.example.com
+    username: admin
+    port: 9543            # public API port (default 9543)
+    verify_ssl: true
+    provider: Local       # Local | ActiveDirectory | <vIDM provider name>
+  lab:
+    host: 10.0.0.50
+    username: admin
+    port: 9543
+    verify_ssl: false
+    provider: Local
+
+default_target: prod
+
+# Passwords are loaded from environment variables (never stored here):
+#   VMWARE_LOG_INSIGHT_PROD_PASSWORD=xxx
+#   VMWARE_LOG_INSIGHT_LAB_PASSWORD=xxx
+# Or from ~/.vmware-log-insight/.env (chmod 600). Plaintext passwords there are
+# auto-rewritten to a grep-safe b64: form on first load (obfuscation, NOT
+# encryption). For real at-rest secrecy, inject from a secret manager instead.

vmware_log_insight-1.6.1/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  vmware-log-insight-mcp:
+    build: .
+    volumes:
+      - ~/.vmware-log-insight:/root/.vmware-log-insight:ro
+    environment:
+      - VMWARE_LOG_INSIGHT_CONFIG=/root/.vmware-log-insight/config.yaml
+    stdin_open: true

vmware_log_insight-1.6.1/examples/mcp-configs/claude-code.json

@@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "vmware-log-insight": {
+      "command": "uvx",
+      "args": ["--from", "vmware-log-insight", "vmware-log-insight-mcp"],
+      "env": {
+        "VMWARE_LOG_INSIGHT_CONFIG": "~/.vmware-log-insight/config.yaml"
+      }
+    }
+  }
+}

vmware_log_insight-1.6.1/mcp_server/__init__.py

@@ -0,0 +1 @@
+"""stdio MCP server package for vmware-log-insight."""

vmware_log_insight-1.6.1/mcp_server/_shared.py

@@ -0,0 +1,61 @@
+"""Shared MCP plumbing for the vmware-log-insight tool modules.
+
+Tool functions live in ``mcp_server/tools/*.py`` and register onto the single
+``mcp`` instance defined here. This module imports nothing from the tool
+packages (tools import *from* ``_shared``, never the reverse) to avoid a circular
+import. ``mcp_server/server.py`` re-exports these so the historical import paths
+keep resolving.
+"""
+
+import logging
+import os
+from pathlib import Path
+from typing import Any, Optional
+
+from mcp.server.fastmcp import FastMCP
+from vmware_policy import sanitize
+
+from vmware_log_insight.config import load_config
+from vmware_log_insight.connection import ConnectionManager, LogInsightApiError
+
+logger = logging.getLogger("mcp_server")
+
+
+def _safe_error(exc: Exception, tool: str) -> str:
+    """Return an agent-safe error string; log full detail server-side only.
+
+    LogInsightApiError (the connection layer's teaching errors) and intentional
+    validation errors pass through; anything else is masked so raw response
+    bodies / host:port pairs never reach the agent.
+    """
+    logger.error("Tool %s failed", tool, exc_info=True)
+    if isinstance(
+        exc,
+        (LogInsightApiError, ValueError, FileNotFoundError, KeyError, PermissionError, ConnectionError),
+    ):
+        return sanitize(str(exc), 300)
+    return f"{type(exc).__name__}: operation failed."
+
+
+mcp = FastMCP(
+    "vmware-log-insight",
+    instructions=(
+        "VMware Aria Operations for Logs (vRealize Log Insight): read-only log "
+        "search, aggregation/spike detection, field discovery, and alert queries. "
+        "Feed results to vmware-debug's incident_timeline to correlate with events "
+        "from other sources. For vCenter events/alarms use vmware-monitor; for "
+        "metrics/anomalies use vmware-aria."
+    ),
+)
+
+_conn_mgr: Optional[ConnectionManager] = None
+
+
+def _get_connection(target: Optional[str] = None) -> Any:
+    """Return a LogInsightClient, lazily initialising the connection manager."""
+    global _conn_mgr  # noqa: PLW0603
+    if _conn_mgr is None:
+        config_path_str = os.environ.get("VMWARE_LOG_INSIGHT_CONFIG")
+        config_path = Path(config_path_str) if config_path_str else None
+        _conn_mgr = ConnectionManager(load_config(config_path))
+    return _conn_mgr.connect(target)

vmware_log_insight-1.6.1/mcp_server/server.py

@@ -0,0 +1,86 @@
+"""MCP server for VMware Log Insight (Aria Operations for Logs) — read-only.
+
+Thin entrypoint: importing the tool modules runs their ``@mcp.tool`` decorators
+(registering the 7 read tools on the shared ``mcp`` instance), re-exports the
+shared plumbing and every tool function so ``from mcp_server.server import mcp,
+<fn>`` keeps resolving (踩坑 #17), and exposes ``main()``.
+
+Tool categories
+---------------
+* **Logs** (4, read-only): log_search, log_aggregate, log_fields, log_version
+  — ``mcp_server/tools/logs.py``
+* **Alerts** (3, read-only): alert_list, alert_get, alert_history
+  — ``mcp_server/tools/alerts.py``
+
+Security: stdio transport (local only, no listener); credentials come from
+env/.env, never MCP messages; all API text passes through sanitize().
+For vCenter events/alarms use vmware-monitor; for metrics use vmware-aria.
+"""
+
+import logging
+import sys
+
+# Shared plumbing — re-exported so `from mcp_server.server import _safe_error,
+# mcp, _get_connection` (and monkeypatch targets) keep resolving.
+from mcp_server._shared import (  # noqa: F401
+    _get_connection,
+    _safe_error,
+    logger,
+    mcp,
+)
+
+# Importing the tool modules runs their @mcp.tool decorators (registration).
+from mcp_server.tools import (  # noqa: F401
+    alerts,
+    logs,
+)
+
+# Re-export every tool function so `mcp_server.server.<tool>` resolves (tests
+# call e.g. `server.log_search(...)` and patch `server._get_connection`).
+from mcp_server.tools.alerts import (  # noqa: F401
+    alert_get,
+    alert_history,
+    alert_list,
+)
+from mcp_server.tools.logs import (  # noqa: F401
+    log_aggregate,
+    log_fields,
+    log_search,
+    log_version,
+)
+
+__all__ = [
+    "mcp",
+    "main",
+    "_safe_error",
+    "_get_connection",
+    "log_search",
+    "log_aggregate",
+    "log_fields",
+    "log_version",
+    "alert_list",
+    "alert_get",
+    "alert_history",
+]
+
+
+def main() -> None:
+    """Start the MCP server using stdio transport.
+
+    Guards Python < 3.11: FastMCP schema reflection over tool signatures is
+    unreliable on 3.10 with older mcp/pydantic (踩坑 #33).
+    """
+    if sys.version_info < (3, 11):
+        sys.exit(
+            "vmware-log-insight MCP server requires Python >= 3.11. Reinstall: "
+            "uv tool install --python 3.11 --force vmware-log-insight"
+        )
+    logging.basicConfig(
+        level=logging.WARNING,
+        format="%(asctime)s %(name)s %(levelname)s %(message)s",
+    )
+    mcp.run()
+
+
+if __name__ == "__main__":
+    main()

vmware_log_insight-1.6.1/mcp_server/tools/__init__.py

@@ -0,0 +1 @@
+"""MCP tool modules for vmware-log-insight (all read-only)."""

vmware_log_insight-1.6.1/mcp_server/tools/alerts.py

@@ -0,0 +1,62 @@
+"""ALERT tools (3, read-only): alert_list, alert_get, alert_history."""
+
+from typing import Optional
+
+from vmware_policy import vmware_tool
+
+from mcp_server._shared import mcp
+
+_READ = {"readOnlyHint": True, "destructiveHint": False, "idempotentHint": True, "openWorldHint": True}
+
+
+@mcp.tool(annotations=_READ)
+@vmware_tool(risk_level="low")
+def alert_list(
+    name_filter: Optional[str] = None, limit: int = 50, target: Optional[str] = None
+) -> list[dict]:
+    """[READ] List defined Log Insight alerts.
+
+    name_filter = optional case-insensitive substring on alert name. limit = max
+    results (default 50). target = target name from config. Returns [{id, name,
+    enabled, info}]; pass an id to alert_get. Read-only — this skill never
+    creates/edits/deletes alerts."""
+    from mcp_server import server
+
+    try:
+        from vmware_log_insight.ops.alerts import list_alerts
+
+        return list_alerts(server._get_connection(target), name_filter=name_filter, limit=limit)
+    except Exception as e:
+        return [{"error": server._safe_error(e, "alert_list"), "hint": "Run 'vmware-log-insight doctor'."}]
+
+
+@mcp.tool(annotations=_READ)
+@vmware_tool(risk_level="low")
+def alert_get(alert_id: str, target: Optional[str] = None) -> dict:
+    """[READ] Get full details for one alert by id (from alert_list). target =
+    target name from config. Returns the alert's sanitized detail. Read-only."""
+    from mcp_server import server
+
+    try:
+        from vmware_log_insight.ops.alerts import get_alert
+
+        return get_alert(server._get_connection(target), alert_id)
+    except Exception as e:
+        return {"error": server._safe_error(e, "alert_get"), "hint": "Run 'vmware-log-insight doctor'."}
+
+
+@mcp.tool(annotations=_READ)
+@vmware_tool(risk_level="low")
+def alert_history(alert_id: str, limit: int = 50, target: Optional[str] = None) -> list[dict]:
+    """[READ] List recent trigger-history records for an alert.
+
+    alert_id = the alert id (from alert_list). limit = max records (default 50).
+    target = target name from config. Returns [{timestamp_ms, info}]. Read-only."""
+    from mcp_server import server
+
+    try:
+        from vmware_log_insight.ops.alerts import get_alert_history
+
+        return get_alert_history(server._get_connection(target), alert_id, limit=limit)
+    except Exception as e:
+        return [{"error": server._safe_error(e, "alert_history"), "hint": "Run 'vmware-log-insight doctor'."}]