fix(tools): replace promql.exec with metrics-data.read

Author: tembleking

README.md

@@ -110,82 +110,82 @@ The server dynamically filters the available tools based on the permissions asso
 
 - **`kubernetes_list_clusters`**
   - **Description**: Lists the cluster information for all clusters or just the cluster specified.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "List all kubernetes clusters" or "Show me info for cluster 'production-gke'"
 
 - **`kubernetes_list_nodes`**
   - **Description**: Lists the node information for all nodes, all nodes from a cluster or just the node specified.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "List all kubernetes nodes in the cluster 'production-gke'" or "Show me info for node 'node-123'"
 
 - **`kubernetes_list_workloads`**
   - **Description**: Lists all the workloads that are in a particular state, desired, ready, running or unavailable. The LLM can filter by cluster, namespace, workload name or type.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "List all desired workloads in the cluster 'production-gke' and namespace 'default'"
 
 - **`kubernetes_list_pod_containers`**
   - **Description**: Retrieves information from a particular pod and container.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show me info for pod 'my-pod' in cluster 'production-gke'"
 
 - **`kubernetes_list_cronjobs`**
   - **Description**: Retrieves information from the cronjobs in the cluster.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "List all cronjobs in cluster 'prod' and namespace 'default'"
 
 - **`troubleshoot_kubernetes_list_top_unavailable_pods`**
   - **Description**: Shows the top N pods with the highest number of unavailable or unready replicas in a Kubernetes cluster, ordered from highest to lowest.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 20 unavailable pods in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_restarted_pods`**
   - **Description**: Lists the pods with the highest number of container restarts in the specified scope (cluster, namespace, workload, or individual pod). By default, it returns the top 10.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 pods with the most container restarts in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods`**
   - **Description**: Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval, allowing filtering by cluster, namespace, workload type, and workload name.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 20 pods with the most HTTP errors in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_network_errors_in_pods`**
   - **Description**: Shows the top network errors by pod over a given interval, aggregated by cluster, namespace, workload type, and workload name. The result is an average rate of network errors per second.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 pods with the most network errors in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_count_pods_per_cluster`**
   - **Description**: List the count of running Kubernetes Pods grouped by cluster and namespace.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "List the count of running Kubernetes Pods in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota`**
   - **Description**: List Kubernetes pods with CPU usage below 25% of the quota limit.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 underutilized pods by CPU quota in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota`**
   - **Description**: List Kubernetes pods with memory usage below 25% of the limit.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 underutilized pods by memory quota in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_cpu_consumed_by_workload`**
   - **Description**: Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores).
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 workloads consuming the most CPU in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_cpu_consumed_by_container`**
   - **Description**: Identifies the Kubernetes containers consuming the most CPU (in cores).
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 containers consuming the most CPU in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_memory_consumed_by_workload`**
   - **Description**: Lists memory-intensive workloads (all containers).
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 workloads consuming the most memory in cluster 'production'"
 
 - **`troubleshoot_kubernetes_list_top_memory_consumed_by_container`**
   - **Description**: Lists memory-intensive containers.
-  - **Required Permission**: `promql.exec`
+  - **Required Permission**: `metrics-data.read`
   - **Sample Prompt**: "Show the top 10 containers consuming the most memory in cluster 'production'"
 
    ## Requirements

internal/infra/mcp/tools/README.md

@@ -9,22 +9,22 @@ The handler filters tools dynamically based on the Sysdig user's permissions. Ea
 | `get_event_process_tree` | `tool_get_event_process_tree.go` | Retrieve the process tree for an event when available. | `policy-events.read` | “Show the process tree behind event `abc123`.” |
 | `run_sysql` | `tool_run_sysql.go` | Execute caller-supplied Sysdig SysQL queries safely. | `sage.exec`, `risks.read` | “Run the following SysQL…”. |
 | `generate_sysql` | `tool_generate_sysql.go` | Convert natural language to SysQL via Sysdig Sage. | `sage.exec` (does not work with Service Accounts) | “Create a SysQL to list S3 buckets.” |
-| `kubernetes_list_clusters` | `tool_kubernetes_list_clusters.go` | Lists Kubernetes cluster information. | `promql.exec` | "List all Kubernetes clusters" |
-| `kubernetes_list_nodes` | `tool_kubernetes_list_nodes.go` | Lists Kubernetes node information. | `promql.exec` | "List all Kubernetes nodes in the cluster 'production-gke'" |
-| `kubernetes_list_workloads` | `tool_kubernetes_list_workloads.go` | Lists Kubernetes workload information. | `promql.exec` | "List all desired workloads in the cluster 'production-gke' and namespace 'default'" |
-| `kubernetes_list_pod_containers` | `tool_kubernetes_list_pod_containers.go` | Retrieves information from a particular pod and container. | `promql.exec` | "Show me info for pod 'my-pod' in cluster 'production-gke'" |
-| `kubernetes_list_cronjobs` | `tool_kubernetes_list_cronjobs.go` | Retrieves information from the cronjobs in the cluster. | `promql.exec` | "List all cronjobs in cluster 'prod' and namespace 'default'" |
-| `troubleshoot_kubernetes_list_top_unavailable_pods` | `tool_troubleshoot_kubernetes_list_top_unavailable_pods.go` | Shows the top N pods with the highest number of unavailable or unready replicas. | `promql.exec` | "Show the top 20 unavailable pods in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_restarted_pods` | `tool_troubleshoot_kubernetes_list_top_restarted_pods.go` | Lists the pods with the highest number of container restarts. | `promql.exec` | "Show the top 10 pods with the most container restarts in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go` | Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval. | `promql.exec` | "Show the top 20 pods with the most HTTP errors in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_network_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go` | Shows the top network errors by pod over a given interval. | `promql.exec` | "Show the top 10 pods with the most network errors in cluster 'production'" |
-| `troubleshoot_kubernetes_list_count_pods_per_cluster` | `tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go` | List the count of running Kubernetes Pods grouped by cluster and namespace. | `promql.exec` | "List the count of running Kubernetes Pods in cluster 'production'" |
-| `troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. | `promql.exec` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" |
-| `troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `promql.exec` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_cpu_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go` | Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores). | `promql.exec` | "Show the top 10 workloads consuming the most CPU in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_cpu_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go` | Identifies the Kubernetes containers consuming the most CPU (in cores). | `promql.exec` | "Show the top 10 containers consuming the most CPU in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_memory_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go` | Lists memory-intensive workloads (all containers). | `promql.exec` | "Show the top 10 workloads consuming the most memory in cluster 'production'" |
-| `troubleshoot_kubernetes_list_top_memory_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go` | Lists memory-intensive containers. | `promql.exec` | "Show the top 10 containers consuming the most memory in cluster 'production'" |
+| `kubernetes_list_clusters` | `tool_kubernetes_list_clusters.go` | Lists Kubernetes cluster information. | `metrics-data.read` | "List all Kubernetes clusters" |
+| `kubernetes_list_nodes` | `tool_kubernetes_list_nodes.go` | Lists Kubernetes node information. | `metrics-data.read` | "List all Kubernetes nodes in the cluster 'production-gke'" |
+| `kubernetes_list_workloads` | `tool_kubernetes_list_workloads.go` | Lists Kubernetes workload information. | `metrics-data.read` | "List all desired workloads in the cluster 'production-gke' and namespace 'default'" |
+| `kubernetes_list_pod_containers` | `tool_kubernetes_list_pod_containers.go` | Retrieves information from a particular pod and container. | `metrics-data.read` | "Show me info for pod 'my-pod' in cluster 'production-gke'" |
+| `kubernetes_list_cronjobs` | `tool_kubernetes_list_cronjobs.go` | Retrieves information from the cronjobs in the cluster. | `metrics-data.read` | "List all cronjobs in cluster 'prod' and namespace 'default'" |
+| `troubleshoot_kubernetes_list_top_unavailable_pods` | `tool_troubleshoot_kubernetes_list_top_unavailable_pods.go` | Shows the top N pods with the highest number of unavailable or unready replicas. | `metrics-data.read` | "Show the top 20 unavailable pods in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_restarted_pods` | `tool_troubleshoot_kubernetes_list_top_restarted_pods.go` | Lists the pods with the highest number of container restarts. | `metrics-data.read` | "Show the top 10 pods with the most container restarts in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go` | Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval. | `metrics-data.read` | "Show the top 20 pods with the most HTTP errors in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_network_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go` | Shows the top network errors by pod over a given interval. | `metrics-data.read` | "Show the top 10 pods with the most network errors in cluster 'production'" |
+| `troubleshoot_kubernetes_list_count_pods_per_cluster` | `tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go` | List the count of running Kubernetes Pods grouped by cluster and namespace. | `metrics-data.read` | "List the count of running Kubernetes Pods in cluster 'production'" |
+| `troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. | `metrics-data.read` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" |
+| `troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota` | `tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `metrics-data.read` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_cpu_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go` | Identifies the Kubernetes workloads (all containers) consuming the most CPU (in cores). | `metrics-data.read` | "Show the top 10 workloads consuming the most CPU in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_cpu_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go` | Identifies the Kubernetes containers consuming the most CPU (in cores). | `metrics-data.read` | "Show the top 10 containers consuming the most CPU in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_memory_consumed_by_workload` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go` | Lists memory-intensive workloads (all containers). | `metrics-data.read` | "Show the top 10 workloads consuming the most memory in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_memory_consumed_by_container` | `tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go` | Lists memory-intensive containers. | `metrics-data.read` | "Show the top 10 containers consuming the most memory in cluster 'production'" |
 
 # Adding a New Tool
 

internal/infra/mcp/tools/tool_kubernetes_list_clusters.go

@@ -32,7 +32,7 @@ func (t *KubernetesListClusters) RegisterInServer(s *server.MCPServer) {
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_kubernetes_list_cronjobs.go

@@ -35,7 +35,7 @@ func (t *KubernetesListCronjobs) RegisterInServer(s *server.MCPServer) {
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_kubernetes_list_nodes.go

@@ -34,7 +34,7 @@ func (t *KubernetesListNodes) RegisterInServer(s *server.MCPServer) {
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_kubernetes_list_pod_containers.go

@@ -40,7 +40,7 @@ func (t *KubernetesListPodContainers) RegisterInServer(s *server.MCPServer) {
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_kubernetes_list_workloads.go

@@ -44,7 +44,7 @@ func (t *KubernetesListWorkloads) RegisterInServer(s *server.MCPServer) {
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go

@@ -34,7 +34,7 @@ func (t *TroubleshootKubernetesListCountPodsPerCluster) RegisterInServer(s *serv
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go

@@ -38,7 +38,7 @@ func (t *TroubleshootKubernetesListTop400500HttpErrorsInPods) RegisterInServer(s
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go

@@ -36,7 +36,7 @@ func (t *TroubleshootKubernetesListTopCPUConsumedByContainer) RegisterInServer(s
 		mcp.WithOutputSchema[map[string]any](),
 		mcp.WithReadOnlyHintAnnotation(true),
 		mcp.WithDestructiveHintAnnotation(false),
-		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+		WithRequiredPermissions("metrics-data.read"),
 	)
 	s.AddTool(tool, t.handle)
 }