refactor!: remove Sysdig Secure tools, redirect to @sysdig/secure-mcp-server

BREAKING CHANGE: list_runtime_events, get_event_info and get_event_process_tree
have been removed from this server. Use the dedicated @sysdig/secure-mcp-server
npm package for Sysdig Secure workflows. SysQL tools (generate_sysql, run_sysql)
remain because they target both Monitor and Secure datasets.

Author: alecron

AGENTS.md

@@ -4,13 +4,13 @@ This document is a comprehensive guide for an AI agent tasked with developing an
 
 ## 1. Project Overview
 
-**Sysdig MCP Server** is a Go-based Model Context Protocol (MCP) server that exposes Sysdig Secure platform capabilities to LLMs. It provides tools for querying runtime security events, Kubernetes metrics, and executing SysQL queries through multiple transport protocols (stdio, streamable-http, SSE).
+**Sysdig MCP Server** is a Go-based Model Context Protocol (MCP) server that exposes Sysdig Monitor platform capabilities to LLMs. It provides tools for querying Kubernetes metrics and executing SysQL queries through multiple transport protocols (stdio, streamable-http, SSE). Sysdig Secure-specific tools live in the separate [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server) package.
 
 ### 1.1. Quick Facts
 
 | Topic | Details |
 | --- | --- |
-| **Purpose** | Expose vetted Sysdig Secure workflows to LLMs through MCP tools. |
+| **Purpose** | Expose vetted Sysdig Monitor workflows (plus shared SysQL tooling) to LLMs through MCP tools. |
 | **Tech Stack** | Go 1.25+, `mcp-go`, Cobra CLI, Ginkgo/Gomega, `golangci-lint`, Nix. |
 | **Entry Point** | `cmd/server/main.go` (Cobra CLI that wires config, Sysdig client, etc.). |
 | **Dev Shell** | `nix develop` provides a consistent development environment. |
@@ -32,10 +32,10 @@ direnv allow
 
 ### 2.2. Required Environment Variables
 
-The server requires API credentials to connect to Sysdig Secure.
+The server requires API credentials to connect to the Sysdig platform.
 
-- `SYSDIG_MCP_API_HOST`: Sysdig Secure instance URL (e.g., `https://us2.app.sysdig.com`).
-- `SYSDIG_MCP_API_TOKEN`: Sysdig Secure API token.
+- `SYSDIG_MCP_API_HOST`: Sysdig instance URL (e.g., `https://us2.app.sysdig.com`).
+- `SYSDIG_MCP_API_TOKEN`: Sysdig API token.
 
 For a full list of optional variables (e.g., for transport configuration), see the project's `README.md`.
 
@@ -133,16 +133,6 @@ fix: correct API endpoint URL
 chore: update dependencies
 ```
 
-### 4.5. Known Flaky Integration Tests
-
-The process tree integration tests in `internal/infra/sysdig/client_process_tree_integration_test.go` use a **hardcoded event ID** that points to a real Sysdig event. Since Sysdig events have a retention period, this event will eventually be deleted and the tests will fail with a `not found` error.
-
-**How to fix it:**
-
-1. Use the `list_runtime_events` MCP tool (or the Sysdig API) to find a recent runtime event that originates from a **syscall/workload source** (not cloud/cloudtrail), as only these have process trees. Filter for `category = "runtime"` and `source = "syscall"`.
-2. Verify the event has a process tree by calling `get_event_process_tree` with the event ID.
-3. Update the `eventID` variable in the test's `BeforeEach` block with the new event ID.
-
 ## 5. Guides & Reference
 
 *   **Tools & New Tool Creation:** See `internal/infra/mcp/tools/README.md`

README.md

@@ -2,6 +2,13 @@
 
 [![App Test](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/publish.yaml/badge.svg?branch=main)](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/publish.yaml)
 
+> [!IMPORTANT]
+> **Breaking change — this MCP server now focuses on Sysdig Monitor.**
+>
+> Starting with the next major release, the dedicated Sysdig Secure tools (`list_runtime_events`, `get_event_info`, `get_event_process_tree`) have been removed from this server. For Sysdig Secure use cases, install the new **[@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server)** package, which provides comprehensive coverage of Sysdig Secure capabilities.
+>
+> The SysQL tools (`generate_sysql`, `run_sysql`) remain available here because they can be used against both Monitor and Secure datasets.
+
 ---
 
 ## Table of contents
@@ -28,14 +35,16 @@
 
 ## Description
 
-This is an implementation of an [MCP (Model Context Protocol) Server](https://modelcontextprotocol.io/quickstart/server) to allow different LLMs to query information from the Sysdig platform (Monitor and Secure). New tools and functionalities will be added over time following semantic versioning. The goal is to provide a simple and easy-to-use interface for querying information from the Sysdig platform using LLMs.
+This is an implementation of an [MCP (Model Context Protocol) Server](https://modelcontextprotocol.io/quickstart/server) that exposes Sysdig Monitor capabilities to LLMs, plus the cross-cutting SysQL tooling. New tools and functionalities will be added over time following semantic versioning. The goal is to provide a simple and easy-to-use interface for querying information from the Sysdig platform using LLMs.
+
+For Sysdig Secure-specific workflows, use the dedicated [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server).
 
 ## Quickstart Guide
 
 Get up and running with the Sysdig MCP Server quickly using our pre-built Docker image.
 
 1. **Get your API Token**:
-    Go to your Sysdig instance and navigate to **Settings > Sysdig Secure API** (or **Sysdig Monitor API**). Either a Sysdig Secure or Sysdig Monitor API token works. This token is required to authenticate requests to the Sysdig Platform (See the [Configuration](#configuration) section for more details).
+    Go to your Sysdig instance and navigate to **Settings > Sysdig Monitor API**. This token is required to authenticate requests to the Sysdig Platform (See the [Configuration](#configuration) section for more details).
 
 2. **Configure your MCP client**:
 
@@ -133,28 +142,6 @@ The server dynamically filters the available tools based on the permissions asso
 
 > **Note:** When a time window is provided, the underlying PromQL is wrapped in the aggregation appropriate for each tool (`avg_over_time`, `max_over_time`, `min_over_time`, `increase`, etc.) and evaluated at `end`. See [`internal/infra/mcp/tools/README.md`](./internal/infra/mcp/tools/README.md) for the per-tool aggregation table.
 
-### Sysdig Secure
-
-- **`list_runtime_events`**
-  - **Description**: List runtime security events from the last given hours, optionally filtered by severity level.
-  - **Required Permission**: `policy-events.read`
-  - **Sample Prompt**: "Show me high severity events from the last 2 hours in cluster1"
-
-- **`get_event_info`**
-  - **Description**: Retrieve detailed information for a specific security event by its ID.
-  - **Required Permission**: `policy-events.read`
-  - **Sample Prompt**: "Get full details for event ID 123abc"
-
-- **`get_event_process_tree`**
-  - **Description**: Retrieve the process tree for a specific event (if available).
-  - **Required Permission**: `policy-events.read`
-  - **Sample Prompt**: "Get the process tree for event ID abc123"
-
-- **`run_sysql`**
-  - **Description**: Execute a pre-written SysQL query directly (use only when user provides explicit query).
-  - **Required Permission**: `sage.exec`, `risks.read`
-  - **Sample Prompt**: "Run this query: MATCH CloudResource WHERE type = 'aws_s3_bucket' LIMIT 10"
-
 ### Sysdig Monitor & Sysdig Secure
 
 - **`generate_sysql`**
@@ -163,6 +150,11 @@ The server dynamically filters the available tools based on the permissions asso
   - **Sample Prompt**: "List top 10 pods by memory usage in the last hour"
   - **Note**: The `generate_sysql` tool currently does not work with Service Account tokens and will return a 500 error. For this tool, use an API token assigned to a regular user account.
 
+- **`run_sysql`**
+  - **Description**: Execute a pre-written SysQL query directly (use only when user provides explicit query).
+  - **Required Permission**: `sage.exec`, `risks.read`
+  - **Sample Prompt**: "Run this query: MATCH CloudResource WHERE type = 'aws_s3_bucket' LIMIT 10"
+
 ## Requirements
 - [Go](https://go.dev/doc/install) 1.26 or higher (if running without Docker).
 
@@ -224,7 +216,6 @@ To use the MCP server tools, your API token needs specific permissions in Sysdig
 | Permission           | Sysdig UI Permission Name                   |
 |----------------------|---------------------------------------------|
 | `metrics-data.read`  | Data Access Settings: "Metrics Data" (Read) |
-| `policy-events.read` | Threats: "Policy Events" (Read)             |
 | `risks.read`         | Risks: "Access to risk feature" (Read)      |
 | `sage.exec`          | SysQL: "AI Query Generation" (Exec)         |
 

cmd/server/main.go

@@ -113,9 +113,6 @@ func setupHandler(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *mcp
 	systemClock := clock.NewSystemClock()
 	handler := mcp.NewHandler(Version, sysdigClient)
 	handler.RegisterTools(
-		tools.NewToolListRuntimeEvents(sysdigClient, systemClock),
-		tools.NewToolGetEventInfo(sysdigClient),
-		tools.NewToolGetEventProcessTree(sysdigClient),
 		tools.NewToolRunSysql(sysdigClient),
 		tools.NewToolGenerateSysql(sysdigClient),
 

internal/infra/mcp/tools/README.md

@@ -23,20 +23,14 @@ The handler filters tools dynamically based on the Sysdig user's permissions. Ea
 | `k8s_list_underutilized_pods_cpu_quota` | `tool_k8s_list_underutilized_pods_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. | `metrics-data.read` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" |
 | `k8s_list_underutilized_pods_memory_quota` | `tool_k8s_list_underutilized_pods_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `metrics-data.read` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" |
 
-### Sysdig Secure
-
-| Tool | File | Capability | Required Permissions | Useful Prompts |
-|---|---|---|---|---|
-| `list_runtime_events` | `tool_list_runtime_events.go` | Query runtime events with filters, cursor, scope. | `policy-events.read` | "Show high severity runtime events from last 2h." |
-| `get_event_info` | `tool_get_event_info.go` | Pull full payload for a single policy event. | `policy-events.read` | "Fetch event `abc123` details." |
-| `get_event_process_tree` | `tool_get_event_process_tree.go` | Retrieve the process tree for an event when available. | `policy-events.read` | "Show the process tree behind event `abc123`." |
-| `run_sysql` | `tool_run_sysql.go` | Execute caller-supplied Sysdig SysQL queries safely. | `sage.exec`, `risks.read` | "Run the following SysQL…". |
-
 ### Sysdig Monitor & Sysdig Secure
 
 | Tool | File | Capability | Required Permissions | Useful Prompts |
 |---|---|---|---|---|
 | `generate_sysql` | `tool_generate_sysql.go` | Convert natural language to SysQL via Sysdig Sage. | `sage.exec` (does not work with Service Accounts) | "Create a SysQL to list S3 buckets." |
+| `run_sysql` | `tool_run_sysql.go` | Execute caller-supplied Sysdig SysQL queries safely. | `sage.exec`, `risks.read` | "Run the following SysQL…". |
+
+> Dedicated Sysdig Secure tools (runtime events, event details, process trees) live in the separate [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server) package.
 
 ## Historical range (start / end)