feat: add readonly hint annotations

.mcp.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "sysdig": {
+      "type": "stdio",
+      "command": "go",
+      "args": [
+        "run",
+        "./cmd/server/"
+      ]
+    }
+  }
+}

CLAUDE.md

@@ -0,0 +1 @@
+@AGENTS.md

flake.nix

@@ -32,7 +32,7 @@
             mkShell {
               packages = [
                 ginkgo
-                go_1_25
+                go
                 gofumpt
                 golangci-lint
                 just

internal/infra/mcp/tools/tool_generate_sysql.go

@@ -53,6 +53,8 @@ func (h *ToolGenerateSysql) RegisterInServer(s *server.MCPServer) {
 			),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions("sage.exec"),
 	)
 	s.AddTool(tool, h.handle)

internal/infra/mcp/tools/tool_get_event_info.go

@@ -43,6 +43,8 @@ func (h *ToolGetEventInfo) RegisterInServer(s *server.MCPServer) {
 			mcp.Required(),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions("policy-events.read"),
 	)
 

internal/infra/mcp/tools/tool_get_event_process_tree.go

@@ -61,6 +61,8 @@ func (h *ToolGetEventProcessTree) RegisterInServer(s *server.MCPServer) {
 			mcp.Required(),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions("policy-events.read"),
 	)
 

internal/infra/mcp/tools/tool_kubernetes_list_clusters.go

@@ -30,6 +30,8 @@ func (t *KubernetesListClusters) RegisterInServer(s *server.MCPServer) {
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_kubernetes_list_cronjobs.go

@@ -33,6 +33,8 @@ func (t *KubernetesListCronjobs) RegisterInServer(s *server.MCPServer) {
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_kubernetes_list_nodes.go

@@ -32,6 +32,8 @@ func (t *KubernetesListNodes) RegisterInServer(s *server.MCPServer) {
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_kubernetes_list_pod_containers.go

@@ -38,6 +38,8 @@ func (t *KubernetesListPodContainers) RegisterInServer(s *server.MCPServer) {
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_kubernetes_list_workloads.go

@@ -42,6 +42,8 @@ func (t *KubernetesListWorkloads) RegisterInServer(s *server.MCPServer) {
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_list_runtime_events.go

@@ -99,6 +99,8 @@ You can specify the severity of the events based on the following cases:
 			),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions("policy-events.read"),
 	)
 

internal/infra/mcp/tools/tool_run_sysql.go

@@ -60,6 +60,8 @@ func (h *ToolRunSysql) RegisterInServer(s *server.MCPServer) {
 			),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions("sage.exec", "risks.read"),
 	)
 	s.AddTool(tool, h.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_count_pods_per_cluster.go

@@ -32,6 +32,8 @@ func (t *TroubleshootKubernetesListCountPodsPerCluster) RegisterInServer(s *serv
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go

@@ -36,6 +36,8 @@ func (t *TroubleshootKubernetesListTop400500HttpErrorsInPods) RegisterInServer(s
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_container.go

@@ -34,6 +34,8 @@ func (t *TroubleshootKubernetesListTopCPUConsumedByContainer) RegisterInServer(s
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_cpu_consumed_by_workload.go

@@ -34,6 +34,8 @@ func (t *TroubleshootKubernetesListTopCPUConsumedByWorkload) RegisterInServer(s
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_container.go

@@ -34,6 +34,8 @@ func (t *TroubleshootKubernetesListTopMemoryConsumedByContainer) RegisterInServe
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_memory_consumed_by_workload.go

@@ -34,6 +34,8 @@ func (t *TroubleshootKubernetesListTopMemoryConsumedByWorkload) RegisterInServer
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_network_errors_in_pods.go

@@ -36,6 +36,8 @@ func (t *TroubleshootKubernetesListTopNetworkErrorsInPods) RegisterInServer(s *s
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_restarted_pods.go

@@ -35,6 +35,8 @@ func (t *TroubleshootKubernetesListTopRestartedPods) RegisterInServer(s *server.
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_unavailable_pods.go

@@ -34,6 +34,8 @@ func (t *TroubleshootKubernetesListTopUnavailablePods) RegisterInServer(s *serve
 			mcp.DefaultNumber(20),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_cpu_quota.go

@@ -32,6 +32,8 @@ func (t *TroubleshootKubernetesListUnderutilizedPodsByCPUQuota) RegisterInServer
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_underutilized_pods_by_memory_quota.go

@@ -32,6 +32,8 @@ func (t *TroubleshootKubernetesListUnderutilizedPodsByMemoryQuota) RegisterInSer
 			mcp.DefaultNumber(10),
 		),
 		mcp.WithOutputSchema[map[string]any](),
+		mcp.WithReadOnlyHintAnnotation(true),
+		mcp.WithDestructiveHintAnnotation(false),
 		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
 	)
 	s.AddTool(tool, t.handle)

justfile

@@ -30,6 +30,8 @@ bump:
 	nix develop --command go get -u -t -v ./...
 	nix develop --command go mod tidy
 	nix develop --command just rehash-package-nix
+	nix develop --command pre-commit autoupdate
+
 
 rehash-package-nix:
 	sd 'vendorHash = ".*";' 'vendorHash = "";' package.nix; h="$((nix build -L --no-link .#default || true) 2>&1 | sed -nE 's/.*got:[[:space:]]+([^ ]+).*/\1/p' | tail -1)"; [ -n "$h" ] && sd 'vendorHash = ".*";' "vendorHash = \"$h\";" package.nix && echo "vendorHash -> $h"