Merged
4 changes: 2 additions & 2 deletions AGENTS.md
Expand Up @@ -4,13 +4,13 @@ This document is a comprehensive guide for an AI agent tasked with developing an

## 1. Project Overview

**Sysdig MCP Server** is a Go-based Model Context Protocol (MCP) server that exposes Sysdig Monitor platform capabilities to LLMs. It provides tools for querying Kubernetes metrics and executing SysQL queries through multiple transport protocols (stdio, streamable-http, SSE). Sysdig Secure-specific tools live in the separate [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server) package.
**Sysdig MCP Server** is a Go-based Model Context Protocol (MCP) server that exposes Sysdig Monitor platform capabilities to LLMs. It provides tools for querying Kubernetes metrics through multiple transport protocols (stdio, streamable-http, SSE). Sysdig Secure-specific tools live in the separate [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server) package.

### 1.1. Quick Facts

| Topic | Details |
| --- | --- |
| **Purpose** | Expose vetted Sysdig Monitor workflows (plus shared SysQL tooling) to LLMs through MCP tools. |
| **Purpose** | Expose vetted Sysdig Monitor workflows to LLMs through MCP tools. |
| **Tech Stack** | Go 1.26+, `mcp-go`, Cobra CLI, Ginkgo/Gomega, `golangci-lint`, Nix. |
| **Entry Point** | `cmd/server/main.go` (Cobra CLI that wires config, Sysdig client, etc.). |
| **Dev Shell** | `nix develop` provides a consistent development environment. |
24 changes: 2 additions & 22 deletions README.md
Expand Up @@ -6,8 +6,6 @@
> **Breaking change — this MCP server now focuses on Sysdig Monitor.**
>
> Starting with the next major release, the dedicated Sysdig Secure tools (`list_runtime_events`, `get_event_info`, `get_event_process_tree`) have been removed from this server. For Sysdig Secure use cases, install the new **[@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server)** package, which provides comprehensive coverage of Sysdig Secure capabilities.
>
> The SysQL tools (`generate_sysql`, `run_sysql`) remain available here because they can be used against both Monitor and Secure datasets.

---

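Review bot: The breaking-change callout at the top of this hunk is now incomplete: with the paragraph about `generate_sysql` and `run_sysql` gone, the remaining text still names only `list_runtime_events`, `get_event_info` and `get_event_process_tree` as removed, so a client that calls the SysQL tools gets no warning here. Add the two SysQL tool names to the removed list and say whether @sysdig/secure-mcp-server is also their replacement.
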
Expand Down Expand Up @@ -35,7 +33,7 @@

## Description

This is an implementation of an [MCP (Model Context Protocol) Server](https://modelcontextprotocol.io/quickstart/server) that exposes Sysdig Monitor capabilities to LLMs, plus the cross-cutting SysQL tooling. New tools and functionalities will be added over time following semantic versioning. The goal is to provide a simple and easy-to-use interface for querying information from the Sysdig platform using LLMs.
This is an implementation of an [MCP (Model Context Protocol) Server](https://modelcontextprotocol.io/quickstart/server) that exposes Sysdig Monitor capabilities to LLMs. New tools and functionalities will be added over time following semantic versioning. The goal is to provide a simple and easy-to-use interface for querying information from the Sysdig platform using LLMs.

For Sysdig Secure-specific workflows, use the dedicated [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server).

Expand All @@ -44,7 +42,7 @@ For Sysdig Secure-specific workflows, use the dedicated [@sysdig/secure-mcp-serv
Get up and running with the Sysdig MCP Server quickly using our pre-built Docker image.

1. **Get your API Token**:
Go to your Sysdig instance and navigate to **Settings > Sysdig Monitor API** (or **Sysdig Secure API** — either works, since SysQL tools accept both). This token is required to authenticate requests to the Sysdig Platform (See the [Configuration](#configuration) section for more details).
Go to your Sysdig instance and navigate to **Settings > Sysdig Monitor API**. This token is required to authenticate requests to the Sysdig Platform (See the [Configuration](#configuration) section for more details).

2. **Configure your MCP client**:

Expand Down Expand Up @@ -142,19 +140,6 @@ The server dynamically filters the available tools based on the permissions asso

> **Note:** When a time window is provided, the underlying PromQL is wrapped in the aggregation appropriate for each tool (`avg_over_time`, `max_over_time`, `min_over_time`, `increase`, etc.) and evaluated at `end`. See [`internal/infra/mcp/tools/README.md`](./internal/infra/mcp/tools/README.md) for the per-tool aggregation table.

### Sysdig Monitor & Sysdig Secure

- **`generate_sysql`**
- **Description**: Generates a SysQL query from a natural language question.
- **Required Permission**: `sage.exec`
- **Sample Prompt**: "List top 10 pods by memory usage in the last hour"
- **Note**: The `generate_sysql` tool currently does not work with Service Account tokens and will return a 500 error. For this tool, use an API token assigned to a regular user account.

- **`run_sysql`**
- **Description**: Execute a pre-written SysQL query directly (use only when user provides explicit query).
- **Required Permission**: `sage.exec`, `risks.read`
- **Sample Prompt**: "Run this query: MATCH CloudResource WHERE type = 'aws_s3_bucket' LIMIT 10"

## Requirements
- [Go](https://go.dev/doc/install) 1.26 or higher (if running without Docker).

Expand Down Expand Up @@ -216,8 +201,6 @@ To use the MCP server tools, your API token needs specific permissions on the Sy
| Permission | Sysdig UI Permission Name |
|----------------------|---------------------------------------------|
| `metrics-data.read` | Data Access Settings: "Metrics Data" (Read) |
| `risks.read` | Risks: "Access to risk feature" (Read) |
| `sage.exec` | SysQL: "AI Query Generation" (Exec) |

**Additional Permissions:**

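Review bot: Dropping the `risks.read` and `sage.exec` rows from the permissions table leaves existing deployments with tokens and roles that still carry both permissions, and nothing in this hunk tells operators to remove them. Add a short upgrade note next to the table saying that, of the three permissions previously listed, only `metrics-data.read` is still required, so roles created for earlier versions can be trimmed to least privilege.
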
Expand All @@ -234,9 +217,6 @@ To use the MCP server tools, your API token needs specific permissions on the Sy

For detailed instructions, see the official [Sysdig Roles Administration documentation](https://docs.sysdig.com/en/administration/roles-administration/).

>[!IMPORTANT]
> **Service Account Limitation:** The `generate_sysql` tool currently does not work with Service Account tokens and will return a 500 error. For this tool, use an API token assigned to a regular user account.


## Server Setup

3 changes: 0 additions & 3 deletions cmd/server/main.go
Expand Up @@ -113,9 +113,6 @@ func setupHandler(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *mcp
systemClock := clock.NewSystemClock()
handler := mcp.NewHandler(Version, sysdigClient)
handler.RegisterTools(
tools.NewToolRunSysql(sysdigClient),
tools.NewToolGenerateSysql(sysdigClient),

tools.NewK8sListClusters(sysdigClient, systemClock),
tools.NewK8sListNodes(sysdigClient, systemClock),
tools.NewK8sListCronjobs(sysdigClient, systemClock),
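
Review bot: `handler.RegisterTools(` no longer receives `tools.NewToolRunSysql(sysdigClient)` or `tools.NewToolGenerateSysql(sysdigClient)`, but the only tool source file shown as deleted in this part of the diff is `tool_generate_sysql.go`. Confirm that `tool_run_sysql.go`, its constructor and its tests are removed in the same change; otherwise the query-execution code stays in the tree with no caller. A test asserting that the registered tool list contains neither `run_sysql` nor `generate_sysql` would keep them from being re-registered by accident.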
4 changes: 2 additions & 2 deletions docker-base-aarch64.nix
@@ -1,7 +1,7 @@
{
imageName = "quay.io/sysdig/sysdig-mini-ubi9";
imageDigest = "sha256:4c41436ce108c1576399e4c624f72238c3a9577b570a97115d941c907bf40909";
hash = "sha256-eLn7KUR4QqmHr5eVIdRy9uR0J1ooCPfUHxTLDMOlV0w=";
imageDigest = "sha256:51a8e50674f95e4e3089e1b44ad3ee61f7b1979e5f9edac8de726c2acd997349";
hash = "sha256-jTmkEwnYSNBMIOr8aBLCGzC+bh+Xjm3to51mqkl3Hyc=";
finalImageName = "quay.io/sysdig/sysdig-mini-ubi9";
finalImageTag = "1";
}
4 changes: 2 additions & 2 deletions docker-base-amd64.nix
@@ -1,7 +1,7 @@
{
imageName = "quay.io/sysdig/sysdig-mini-ubi9";
imageDigest = "sha256:4c41436ce108c1576399e4c624f72238c3a9577b570a97115d941c907bf40909";
hash = "sha256-XLdqxTuzuRc6ariE/Q3ME/pC/PvT/sQtXmXWhWoLT44=";
imageDigest = "sha256:51a8e50674f95e4e3089e1b44ad3ee61f7b1979e5f9edac8de726c2acd997349";
hash = "sha256-6X3VUknvtn8AiNbZHLAmFLoidqqSgnwrPl684za+U0U=";
finalImageName = "quay.io/sysdig/sysdig-mini-ubi9";
finalImageTag = "1";
}
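
Review bot: The base image bump (`imageDigest` and `hash`, here and in `docker-base-aarch64.nix`) is unrelated to the SysQL tool removal that the rest of this diff carries out, and it arrives with no record of how the new digest was obtained. Both files pin the same `imageDigest` with different `hash` values, which fits a multi-arch index digest, but please state that in the description along with the source of the digest, or move the bump to its own change so the base image update can be reviewed and reverted independently.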
3 changes: 0 additions & 3 deletions docs/TROUBLESHOOTING.md
Expand Up @@ -12,8 +12,5 @@
**Problem**: Tests failing with "command not found"
- **Solution**: Enter Nix shell with `nix develop` or `direnv allow`. All dev tools are provided by the flake.

**Problem**: `generate_sysql` returning 500 error
- **Solution**: This tool requires a regular user API token, not a Service Account token. Switch to a user-based token.

**Problem**: Pre-commit hooks not running
- **Solution**: Run `pre-commit install` to install git hooks, then `pre-commit run -a` to test all files.
12 changes: 6 additions & 6 deletions flake.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 5 additions & 5 deletions go.mod
Expand Up @@ -3,10 +3,10 @@ module github.com/sysdiglabs/sysdig-mcp-server
go 1.26

require (
github.com/mark3labs/mcp-go v0.54.1
github.com/mark3labs/mcp-go v0.55.0
github.com/oapi-codegen/runtime v1.4.1
github.com/onsi/ginkgo/v2 v2.29.0
github.com/onsi/gomega v1.41.0
github.com/onsi/ginkgo/v2 v2.31.0
github.com/onsi/gomega v1.42.0
github.com/spf13/cobra v1.10.2
go.uber.org/mock v0.6.0
gopkg.in/yaml.v2 v2.4.0
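
Review bot: The `require` block bumps `github.com/mark3labs/mcp-go` from v0.54.1 to v0.55.0 together with `ginkgo/v2` and `gomega`, none of which the tool removal needs. mcp-go is a pre-1.0 module and sits on the server's request path, so a minor bump can change behaviour; either split the dependency updates into their own change or list them in the description with a note that the upstream release notes were checked.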
Expand All @@ -28,9 +28,9 @@ require (
github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/mod v0.37.0 // indirect
golang.org/x/net v0.55.0 // indirect
golang.org/x/net v0.56.0 // indirect
golang.org/x/sync v0.21.0 // indirect
golang.org/x/sys v0.46.0 // indirect
golang.org/x/text v0.38.0 // indirect
golang.org/x/tools v0.45.0 // indirect
golang.org/x/tools v0.46.0 // indirect
)
20 changes: 10 additions & 10 deletions go.sum
Expand Up @@ -41,8 +41,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mark3labs/mcp-go v0.54.1 h1:Ap/ptEB9FtWzFKM8NDsTA7QDxerQOC06eZigrTldVj0=
github.com/mark3labs/mcp-go v0.54.1/go.mod h1:+8WclSK1ZUweCP3hvktSji8n8ABG/95QaEkeVE/Uwas=
github.com/mark3labs/mcp-go v0.55.0 h1:lJfz2aoctiwK+sI991+uIYwmKNIBciI+O7zsyDsa4U8=
github.com/mark3labs/mcp-go v0.55.0/go.mod h1:+8WclSK1ZUweCP3hvktSji8n8ABG/95QaEkeVE/Uwas=
github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=
github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=
github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
Expand All @@ -51,10 +51,10 @@ github.com/oapi-codegen/nullable v1.1.0 h1:eAh8JVc5430VtYVnq00Hrbpag9PFRGWLjxR1/
github.com/oapi-codegen/nullable v1.1.0/go.mod h1:KUZ3vUzkmEKY90ksAmit2+5juDIhIZhfDl+0PwOQlFY=
github.com/oapi-codegen/runtime v1.4.1 h1:9nwLoI+KrWxzbBcp0jO/R8uXqbik/HUyCvPeU68Y/qo=
github.com/oapi-codegen/runtime v1.4.1/go.mod h1:GwV7hC2hviaMzj+ITfHVRESK5J2W/GefVwIND/bMGvU=
github.com/onsi/ginkgo/v2 v2.29.0 h1:rfh+ZFjgJhYWRoIqVf3Uwx/W20yLrcrE2h2GmYVRaag=
github.com/onsi/ginkgo/v2 v2.29.0/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44=
github.com/onsi/gomega v1.41.0 h1:OwKp4pXNgVxf6sCplzYo794OFNuoL2q2SBMU5NSWOjA=
github.com/onsi/gomega v1.41.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A=
github.com/onsi/ginkgo/v2 v2.31.0 h1:GtuJos5DFUV9EerYJo8RhYxosYNGvOdDE5haKq6Grfs=
github.com/onsi/ginkgo/v2 v2.31.0/go.mod h1:+aXOY+vzZ5mu2iI2HpTZUPmM//oQfsNFX6gU9kNcA44=
github.com/onsi/gomega v1.42.0 h1:CJby8u36xb7v34W78F8WKvqTQP7PCMIPB78IVDB73l4=
github.com/onsi/gomega v1.42.0/go.mod h1:M/Uqpu/8qTjtzCLUA2zJHX9Iilrau25x1PdoSRbWh5A=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
Expand Down Expand Up @@ -90,16 +90,16 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
7 changes: 0 additions & 7 deletions internal/infra/mcp/tools/README.md
Expand Up @@ -23,13 +23,6 @@ The handler filters tools dynamically based on the Sysdig user's permissions. Ea
| `k8s_list_underutilized_pods_cpu_quota` | `tool_k8s_list_underutilized_pods_cpu_quota.go` | List Kubernetes pods with CPU usage below 25% of the quota limit. | `metrics-data.read` | "Show the top 10 underutilized pods by CPU quota in cluster 'production'" |
| `k8s_list_underutilized_pods_memory_quota` | `tool_k8s_list_underutilized_pods_memory_quota.go` | List Kubernetes pods with memory usage below 25% of the limit. | `metrics-data.read` | "Show the top 10 underutilized pods by memory quota in cluster 'production'" |

### Sysdig Monitor & Sysdig Secure

| Tool | File | Capability | Required Permissions | Useful Prompts |
|---|---|---|---|---|
| `generate_sysql` | `tool_generate_sysql.go` | Convert natural language to SysQL via Sysdig Sage. | `sage.exec` (does not work with Service Accounts) | "Create a SysQL to list S3 buckets." |
| `run_sysql` | `tool_run_sysql.go` | Execute caller-supplied Sysdig SysQL queries safely. | `sage.exec`, `risks.read` | "Run the following SysQL…". |

> Dedicated Sysdig Secure tools (runtime events, event details, process trees) live in the separate [@sysdig/secure-mcp-server](https://www.npmjs.com/package/@sysdig/secure-mcp-server) package.

## Historical range (start / end)
63 changes: 0 additions & 63 deletions internal/infra/mcp/tools/tool_generate_sysql.go

This file was deleted.
