notque · notque · May 7, 2026 · May 7, 2026
@@ -17,3 +17,6 @@ __pycache__/
 # Build
 dist/
 build/
+
+# Local Claude settings
+.claude/settings.local.json
@@ -36,7 +36,7 @@ Copy skills to your agent's skills location:
 └─────────────────────────────────────────────────────────────────┘
 ```
 
-**MCP Server** ([openstack-mcp-server](https://github.com/notque/openstack-mcp-server)) = runtime providing typed tools (28+ API operations)
+**MCP Server** ([openstack-mcp-server](https://github.com/notque/openstack-mcp-server)) = runtime providing typed tools (55 API operations)
 **Agent Toolkit** (this repo) = intelligence layer teaching agents *when* and *how* to use those tools
 
 ## What's Included

@@ -6,7 +6,7 @@
 
 ## Context
 
-We have a working [openstack-mcp-server](https://github.com/notque/openstack-mcp-server) that provides 28+ MCP tools across 8 SAP Converged Cloud services:
+We have a working [openstack-mcp-server](https://github.com/notque/openstack-mcp-server) that provides 55 MCP tools across 8 SAP Converged Cloud services:
 
 | Service | Project | Tools |
 |---------|---------|-------|

@@ -2,7 +2,7 @@
 
 ## Goal
 
-Build a complete agent toolkit for SAP Converged Cloud that teaches AI agents how to effectively use the openstack-mcp-server's 28+ tools across 9 services, following the AWS agent-toolkit-for-aws plugin pattern.
+Build a complete agent toolkit for SAP Converged Cloud that teaches AI agents how to effectively use the openstack-mcp-server's 55 tools across 9 services, following the AWS agent-toolkit-for-aws plugin pattern.
 
 ## Phases
 

@@ -26,7 +26,7 @@ Format: `<geo>-<country>-<number>`
 | `na-us-3` | US Central | North America |
 | `ap-jp-1` | Japan | Asia-Pacific |
 | `ap-au-1` | Australia | Asia-Pacific |
-| `qa-de-1` | Germany | QA/staging environment |
+| ... | Various | Non-production regions also exist |
 
 ## Domain → Project Hierarchy
 

@@ -59,4 +59,4 @@ Each SAP CC region is an independent OpenStack deployment:
 - Separate Keystone (identity)
 - Separate service catalog
 - Separate credentials required
-- Region naming: `<geo>-<country>-<number>` (e.g., `eu-de-1`, `qa-de-1`, `na-us-1`)
+- Region naming: `<geo>-<country>-<number>` (e.g., `eu-de-1`, `na-us-1`)
@@ -112,7 +112,7 @@ Output the configuration block for Claude Code settings (`~/.claude/settings.jso
     "sapcc": {
       "command": "openstack-mcp-server",
       "env": {
-        "OS_AUTH_URL": "https://identity-3.{region}.cloud.sap/v3",
+        "OS_AUTH_URL": "https://identity-3.{region}.cloud.example.com/v3",
         "OS_APPLICATION_CREDENTIAL_ID": "{id}",
         "OS_APPCRED_SECRET_CMD": "security find-generic-password -a mcp-server-{project}-{region} -s openstack-appcred -w",
         "OS_REGION_NAME": "{region}"

@@ -33,7 +33,7 @@ initiator (who) → action (what) → target (to what) → outcome (result)
 
 | Field | Description | Example |
 |-------|-------------|---------|
-| `initiator.name` | Username who performed the action | `I810033` |
+| `initiator.name` | Username who performed the action | `D012345` |
 | `action` | The operation performed | `update` |
 | `target.type_uri` | Resource type in slash format | `compute/server` |
 | `target.id` | UUID of the affected resource | `abc-123-def` |
@@ -91,7 +91,7 @@ Events appear seconds to minutes after the action occurs. If you just performed
 
 ### 9. initiator_name is the username, not UUID
 
-Filter by human-readable username (e.g., `I810033`, `technical_user_xyz`), not the user's Keystone UUID. This is the name that appears in Keystone token info.
+Filter by human-readable username (e.g., `D012345`, `technical_user_xyz`), not the user's Keystone UUID. This is the name that appears in Keystone token info.
 
 ### 10. Full event detail includes request/response attachments
 

@@ -13,7 +13,7 @@ CADF (Cloud Auditing Data Federation) is the DMTF standard used by Hermes to str
   "outcome": "success",
   "initiator": {
     "id": "user-uuid",
-    "name": "I810033",
+    "name": "D012345",
     "typeURI": "service/security/account/user",
     "domain_id": "domain-uuid",
     "project_id": "project-uuid"

@@ -86,7 +86,7 @@ For deeper explanation, see `references/domain-project-model.md`.
 1. keystone_list_application_credentials
    → Check if one already exists with intended name
 2. keystone_create_application_credential
-   name: "mcp-server-<project>-<region>"  (e.g., mcp-server-cc-demo-qa-de-1)
+   name: "mcp-server-<project>-<region>"  (e.g., mcp-server-cc-demo-eu-de-2)
    description: "MCP server credential for <project> in <region>"
    expires_at: "2027-05-06T00:00:00Z"  (recommend 1 year dev, 90 days prod)
 3. IMMEDIATELY store the secret in keychain:

@@ -32,7 +32,7 @@ An independent OpenStack deployment. Each region has:
 - Its own set of credentials
 - No resource sharing across regions
 
-Region naming: `<geo>-<country>-<number>` (e.g., `eu-de-1`, `qa-de-1`, `na-us-1`, `ap-jp-1`)
+Region naming: `<geo>-<country>-<number>` (e.g., `eu-de-1`, `na-us-1`, `ap-jp-1`)
 
 ### Domain
 

@@ -21,24 +21,25 @@ Maia is SAP CC's multi-tenant Prometheus-as-a-Service. Same PromQL query languag
 | `maia_metric_names` | List all available metric names for current project | (none) |
 | `maia_label_values` | Get values for a specific label | `label` (e.g., `__name__`, `instance`, `job`) |
 | `maia_query` | Execute instant PromQL query | `query` (optional: `time`) |
+| `maia_query_range` | Execute range PromQL query over time window | `query`, `start`, `end`, `step` |
 
 ## Maia vs Regular Prometheus
 
 - **Same PromQL** — all standard functions and operators work (rate, avg, sum, topk, etc.)
 - **Tenant-isolated** — you only see metrics from your authenticated project
 - **Available metrics vary** — depends on what's instrumented in your project (not all projects have the same metrics)
 - **Read-only** — no recording rules, no alert configuration, no write path via MCP
-- **Instant queries only** — maia_query executes point-in-time queries, not range queries
+- **Instant and range queries** — maia_query executes point-in-time queries; maia_query_range returns time series over a window
 
 ## Gotchas
 
 ### 1. Results are scoped to current project — you CANNOT query other projects' metrics
 
 Maia enforces tenant isolation via the OpenStack token. There is no way to query cross-project metrics. If you need fleet-wide data, check Limes for capacity or use cluster-level monitoring.
 
-### 2. maia_query is INSTANT query only
+### 2. maia_query is INSTANT — use maia_query_range for time series
 
-No range queries (`query_range`) via this tool. You get a single point in time. Use the `time` parameter to query a historical point, but you cannot get a time series of values in one call. For "show me the last hour" requests — you can only sample individual points.
+`maia_query` returns a single point in time. Use the `time` parameter to query a historical point. For time series data ("show me the last hour"), use `maia_query_range` with `start`, `end`, and `step` parameters instead.
 
 ### 3. Always start with maia_metric_names
 

@@ -5,7 +5,7 @@
 ### Push Flow
 
 ```
-docker push registry.region.cloud.sap/account/repo:tag
+docker push registry.<region>.cloud.example.com/account/repo:tag
   1. Client authenticates via OpenStack token
   2. Layers uploaded to account's backing storage (Swift/S3)
   3. Manifest created linking layers together
@@ -17,7 +17,7 @@ docker push registry.region.cloud.sap/account/repo:tag
 ### Pull Flow
 
 ```
-docker pull registry.region.cloud.sap/account/repo:tag
+docker pull registry.<region>.cloud.example.com/account/repo:tag
   1. Client authenticates via OpenStack token
   2. Tag resolved to manifest digest
   3. Manifest fetched → layer list retrieved
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,3 +17,6 @@ __pycache__/ @@
     # Build
     dist/
     build/
+    # Local Claude settings
+    .claude/settings.local.json