feat: add start/end parameters for historical queries on k8s_list_* tools

Author: dangaiden

README.md

@@ -180,6 +180,20 @@ You can also set the following variables to override the default configuration:
 - `SYSDIG_MCP_LISTENING_PORT`: The port for the server when it is deployed using remote protocols (`streamable-http`, `sse`). Defaults to: `8080`
 - `SYSDIG_MCP_LISTENING_HOST`: The host for the server when it is deployed using remote protocols (`streamable-http`, `sse`). Defaults to all interfaces (`:port`). Set to `127.0.0.1` for local-only access.
 - `SYSDIG_MCP_STATELESS`: Enable stateless mode for `streamable-http` transport, where each request is self-contained with no session tracking (useful for AWS Bedrock AgentCore). Defaults to: `false`.
+- `SYSDIG_MCP_MAX_INTERVAL`: Maximum historical window accepted by the `k8s_list_*` Monitor tools when `start`/`end` are supplied. Go duration string (e.g. `24h`, `168h`). Defaults to: `168h` (7 days).
+
+### Historical range on Monitor tools
+
+All Sysdig Monitor `k8s_list_*` tools accept optional `start` / `end` RFC3339 parameters
+(e.g. `2026-04-16T00:00:00Z`). When omitted, tools return the current snapshot (unchanged
+behaviour). When provided, the underlying PromQL is wrapped in the aggregation appropriate
+for each tool (`avg_over_time`, `max_over_time`, `min_over_time`, `increase`, etc.) and
+evaluated at `end`. The window cannot exceed `SYSDIG_MCP_MAX_INTERVAL`. See
+[`internal/infra/mcp/tools/README.md`](./internal/infra/mcp/tools/README.md) for the
+per-tool aggregation table.
+
+The legacy `interval` parameter on `k8s_list_top_http_errors_in_pods` and
+`k8s_list_top_network_errors_in_pods` is deprecated; prefer `start`/`end`.
 
 You can find your API token in the Sysdig UI under **Settings > Sysdig Secure API** (or **Sysdig Monitor API**). Make sure to copy the token as it will not be shown again.
 

cmd/server/main.go

@@ -119,22 +119,22 @@ func setupHandler(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *mcp
 		tools.NewToolRunSysql(sysdigClient),
 		tools.NewToolGenerateSysql(sysdigClient),
 
-		tools.NewK8sListClusters(sysdigClient),
-		tools.NewK8sListNodes(sysdigClient),
-		tools.NewK8sListCronjobs(sysdigClient),
-		tools.NewK8sListWorkloads(sysdigClient),
-		tools.NewK8sListPodContainers(sysdigClient),
-		tools.NewK8sListTopUnavailablePods(sysdigClient),
-		tools.NewK8sListTopRestartedPods(sysdigClient),
-		tools.NewK8sListTopHttpErrorsInPods(sysdigClient),
-		tools.NewK8sListTopNetworkErrorsInPods(sysdigClient),
-		tools.NewK8sListCountPodsPerCluster(sysdigClient),
-		tools.NewK8sListUnderutilizedPodsCPUQuota(sysdigClient),
-		tools.NewK8sListTopCPUConsumedWorkload(sysdigClient),
-		tools.NewK8sListTopCPUConsumedContainer(sysdigClient),
-		tools.NewK8sListUnderutilizedPodsMemoryQuota(sysdigClient),
-		tools.NewK8sListTopMemoryConsumedWorkload(sysdigClient),
-		tools.NewK8sListTopMemoryConsumedContainer(sysdigClient),
+		tools.NewK8sListClusters(sysdigClient, systemClock),
+		tools.NewK8sListNodes(sysdigClient, systemClock),
+		tools.NewK8sListCronjobs(sysdigClient, systemClock),
+		tools.NewK8sListWorkloads(sysdigClient, systemClock),
+		tools.NewK8sListPodContainers(sysdigClient, systemClock),
+		tools.NewK8sListTopUnavailablePods(sysdigClient, systemClock),
+		tools.NewK8sListTopRestartedPods(sysdigClient, systemClock),
+		tools.NewK8sListTopHttpErrorsInPods(sysdigClient, systemClock),
+		tools.NewK8sListTopNetworkErrorsInPods(sysdigClient, systemClock),
+		tools.NewK8sListCountPodsPerCluster(sysdigClient, systemClock),
+		tools.NewK8sListUnderutilizedPodsCPUQuota(sysdigClient, systemClock),
+		tools.NewK8sListTopCPUConsumedWorkload(sysdigClient, systemClock),
+		tools.NewK8sListTopCPUConsumedContainer(sysdigClient, systemClock),
+		tools.NewK8sListUnderutilizedPodsMemoryQuota(sysdigClient, systemClock),
+		tools.NewK8sListTopMemoryConsumedWorkload(sysdigClient, systemClock),
+		tools.NewK8sListTopMemoryConsumedContainer(sysdigClient, systemClock),
 	)
 	return handler
 }

internal/infra/mcp/tools/README.md

@@ -38,6 +38,41 @@ The handler filters tools dynamically based on the Sysdig user's permissions. Ea
 |---|---|---|---|---|
 | `generate_sysql` | `tool_generate_sysql.go` | Convert natural language to SysQL via Sysdig Sage. | `sage.exec` (does not work with Service Accounts) | "Create a SysQL to list S3 buckets." |
 
+## Historical range (start / end)
+
+All Sysdig Monitor `k8s_list_*` tools accept two optional parameters:
+
+- `start` — RFC3339 timestamp, e.g. `2026-04-16T00:00:00Z`
+- `end` — RFC3339 timestamp, e.g. `2026-04-16T01:00:00Z`
+
+When omitted, tools return an instant snapshot (current behaviour). When provided,
+the underlying PromQL is wrapped in the aggregation appropriate for each tool and
+evaluated at `end`:
+
+| Tool group | Wrapping applied when windowed |
+|---|---|
+| CPU / memory usage, underutilized quota, pod count | `avg_over_time(metric[Ns])` |
+| Top restarted pods | `increase(kube_pod_container_status_restarts_total[Ns])` |
+| Top unavailable pods | `min_over_time(kube_workload_status_unavailable[Ns]) >= 1` (Sysdig-canonical pattern — requires continuous unavailability for the entire window) |
+| HTTP / network errors | `sum_over_time(metric[Ns]) / N` (rate per second) |
+| Inventory tools (clusters, nodes, workloads, pod_containers, cronjobs) | `max_over_time(metric[Ns]) > 0` (workloads with status=ready/desired/running drop the `> 0` guard) |
+
+Validation rules (helper: `time_window.go`):
+
+- `end` without `start` → error.
+- `start` without `end` → `end` defaults to now.
+- `end <= start` → error.
+- `end > now + 60s` → error (60 s grace for client clock skew).
+- `end - start > SYSDIG_MCP_MAX_INTERVAL` (default **168 h / 7 d**) → error.
+
+Windowed queries carry a 60 s client-side PromQL `Timeout` to fail fast before the
+Sysdig edge proxy's own 80–90 s cut-off.
+
+The `interval` parameter on `k8s_list_top_http_errors_in_pods` and
+`k8s_list_top_network_errors_in_pods` is deprecated; `start`/`end` take precedence
+when both are present. An explicit `interval` emits a deprecation warning to the
+server log.
+
 # Adding a New Tool
 
 1.  **See other tools:** Check how other tools are implemented so you can have the context on how they should look like.

internal/infra/mcp/tools/test_helpers_test.go

@@ -0,0 +1,32 @@
+package tools_test
+
+import (
+	"time"
+
+	. "github.com/onsi/gomega"
+
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
+)
+
+// newWindowedQueryParams constructs the GetQueryV1Params value that a windowed tool
+// invocation is expected to produce: Query string, Time = end.Unix() via FromQueryTime1,
+// and a 60s Timeout. Panics via Gomega if building the QueryTime fails — this only runs
+// in tests so the panic is the shortest useful path.
+func newWindowedQueryParams(query string, end time.Time) sysdig.GetQueryV1Params {
+	var qt sysdig.Time
+	Expect(qt.FromQueryTime1(end.Unix())).To(Succeed())
+	timeout := sysdig.Timeout("60s")
+	return sysdig.GetQueryV1Params{
+		Query:   query,
+		Time:    &qt,
+		Timeout: &timeout,
+	}
+}
+
+// mergeLimit attaches a Limit field to an existing GetQueryV1Params value.
+// Used by tools that set params.Limit (memory_*, count_pods, underutilized_*).
+func mergeLimit(p sysdig.GetQueryV1Params, limit int) sysdig.GetQueryV1Params {
+	lq := sysdig.LimitQuery(limit)
+	p.Limit = &lq
+	return p
+}

internal/infra/mcp/tools/time_window.go

@@ -0,0 +1,131 @@
+package tools
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/clock"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
+)
+
+const (
+	maxIntervalEnvVar     = "SYSDIG_MCP_MAX_INTERVAL"
+	defaultMaxInterval    = 168 * time.Hour // 7 days
+	futureClockSkewGrace  = 60 * time.Second
+	windowedQueryTimeout  = "60s"
+	timeParamStart        = "start"
+	timeParamEnd          = "end"
+	startParamDescription = "Start of the query window as an RFC3339 timestamp (e.g. 2026-04-01T00:00:00Z). When omitted, the tool returns an instant snapshot (current behavior). When provided without end, end defaults to now."
+	endParamDescription   = "End of the query window as an RFC3339 timestamp (e.g. 2026-04-01T01:00:00Z). Requires start. Must not be more than 60s in the future."
+)
+
+// TimeWindow is a resolved, validated [Start, End] pair for a historical PromQL query.
+// A zero-value TimeWindow means no window was requested — the caller should emit its
+// existing instant query and leave GetQueryV1Params.Time nil.
+type TimeWindow struct {
+	Start time.Time
+	End   time.Time
+}
+
+// IsZero reports whether no time window was requested.
+func (w TimeWindow) IsZero() bool {
+	return w.Start.IsZero() && w.End.IsZero()
+}
+
+// RangeSelector returns the PromQL range-selector literal for this window, e.g. "[3600s]".
+// The duration is rounded down to whole seconds so the selector is stable and debuggable.
+func (w TimeWindow) RangeSelector() string {
+	return fmt.Sprintf("[%ds]", int64(w.End.Sub(w.Start).Seconds()))
+}
+
+// EvalTime returns a *sysdig.Time suitable for GetQueryV1Params.Time. The value is
+// the End instant as unix seconds — the native format accepted by Sysdig's internal
+// PromQL stack (confirmed against backend PrometheusFacadeController.java:113).
+func (w TimeWindow) EvalTime() (*sysdig.Time, error) {
+	if w.IsZero() {
+		return nil, nil
+	}
+	var qt sysdig.Time
+	if err := qt.FromQueryTime1(w.End.Unix()); err != nil {
+		return nil, fmt.Errorf("building eval time: %w", err)
+	}
+	return &qt, nil
+}
+
+// WithTimeWindowParams returns a ToolOption that declares the shared "start" and "end"
+// RFC3339 parameters on a tool.
+func WithTimeWindowParams() mcp.ToolOption {
+	return func(t *mcp.Tool) {
+		mcp.WithString(timeParamStart, mcp.Description(startParamDescription))(t)
+		mcp.WithString(timeParamEnd, mcp.Description(endParamDescription))(t)
+	}
+}
+
+// ParseTimeWindow reads "start" and "end" from the request, validates them, and returns
+// the resolved TimeWindow.
+//
+//   - Both absent:                  returns zero-value TimeWindow, nil error.
+//   - end without start:            error ("end requires start").
+//   - start without end:            end = clk.Now().
+//   - invalid RFC3339:              error naming the bad field.
+//   - end <= start:                 error.
+//   - end > clk.Now() + 60s:        error (generous grace for client clock skew).
+//   - end - start > maxInterval():  error referencing SYSDIG_MCP_MAX_INTERVAL.
+func ParseTimeWindow(request mcp.CallToolRequest, clk clock.Clock) (TimeWindow, error) {
+	startStr := mcp.ParseString(request, timeParamStart, "")
+	endStr := mcp.ParseString(request, timeParamEnd, "")
+
+	if startStr == "" && endStr == "" {
+		return TimeWindow{}, nil
+	}
+
+	if startStr == "" && endStr != "" {
+		return TimeWindow{}, fmt.Errorf("end requires start")
+	}
+
+	start, err := time.Parse(time.RFC3339, startStr)
+	if err != nil {
+		return TimeWindow{}, fmt.Errorf("invalid start timestamp %q: must be RFC3339 (e.g. 2026-04-01T00:00:00Z)", startStr)
+	}
+
+	now := clk.Now()
+
+	var end time.Time
+	if endStr == "" {
+		end = now
+	} else {
+		end, err = time.Parse(time.RFC3339, endStr)
+		if err != nil {
+			return TimeWindow{}, fmt.Errorf("invalid end timestamp %q: must be RFC3339 (e.g. 2026-04-01T01:00:00Z)", endStr)
+		}
+	}
+
+	if !end.After(start) {
+		return TimeWindow{}, fmt.Errorf("end (%s) must be after start (%s)", end.Format(time.RFC3339), start.Format(time.RFC3339))
+	}
+
+	if end.After(now.Add(futureClockSkewGrace)) {
+		return TimeWindow{}, fmt.Errorf("end (%s) must not be more than %s in the future (server time: %s)", end.Format(time.RFC3339), futureClockSkewGrace, now.Format(time.RFC3339))
+	}
+
+	window := end.Sub(start)
+	if max := maxInterval(); window > max {
+		return TimeWindow{}, fmt.Errorf("requested window (%s) exceeds maximum allowed (%s); set %s to raise the cap", window, max, maxIntervalEnvVar)
+	}
+
+	return TimeWindow{Start: start, End: end}, nil
+}
+
+// maxInterval returns the configured maximum window duration. The SYSDIG_MCP_MAX_INTERVAL
+// env var is read on every call (not cached) so tests can override it via t.Setenv without
+// bumping into sync.Once-style staleness.
+func maxInterval() time.Duration {
+	if v := os.Getenv(maxIntervalEnvVar); v != "" {
+		if d, err := time.ParseDuration(v); err == nil && d > 0 {
+			return d
+		}
+	}
+	return defaultMaxInterval
+}