RootCause 🧭
AI-native SRE for Kubernetes incidents.
RootCause is a local-first MCP server that turns natural-language requests into evidence-backed incident analysis, Kubernetes diagnostics, and safer operations.
Built in Go as a single binary, RootCause is optimized for low-friction local workflows using your existing kubeconfig identity.
🚀 Quick Start | 🌐 Client Setup | 🛠️ Tools | 🧩 Skills | 🔒 Safety | ⚙️ Config | 🏗️ Architecture | 🤝 Contributing
Why RootCause 💡
RootCause is built for SRE/operator workflows where speed matters, but unsafe automation is unacceptable.
- 🚀 Stop context-switching: investigate incidents, rollout risk, Helm/Terraform/AWS signals, and remediation from one MCP server.
- 🧠 AI-powered diagnostics: evidence-first analysis with RCA, timelines, and action-oriented next checks.
- 💸 Built-in cost optimization: combine resource usage, workload best-practice checks, Terraform plan analysis, and cloud context for optimization decisions.
- 🔒 Enterprise-ready guardrails: role/namespace policy enforcement, redaction, read-only mode, destructive tool controls, and mutation preflight.
- ⚡ Zero learning curve: ask natural-language operational questions and use provided prompt templates for common SRE flows.
- 🌐 Universal compatibility: works with MCP-compatible clients across Claude, Cursor, Copilot, Codex, and more.
- 🏭 Production-grade workflow: single Go binary, kubeconfig-native auth, deterministic structured outputs, and broad test coverage.
Why teams choose it
| Need | RootCause answer |
|---|---|
| "What changed and why did this break?" | rootcause.incident_bundle, rootcause.change_timeline, rootcause.rca_generate |
| "Is it safe to restart or roll out now?" | k8s.restart_safety_check, k8s.best_practice, k8s.safe_mutation_preflight |
| "Is my platform ecosystem healthy?" | k8s.*_detect + k8s.diagnose_* for ArgoCD/Flux/cert-manager/Kyverno/Gatekeeper/Cilium |
| "Can I standardize SRE responses?" | Prompt templates + structured output from shared render/evidence pipeline |
What Can You Do?
Ask your AI assistant in natural language:
- "Why did this deployment fail after rollout?"
- "Is this workload safe to restart right now?"
- "Why are ArgoCD apps out of sync?"
- "Is Flux healthy in this cluster?"
- "Why are certs failing to renew?"
- "Before patch/apply, is this mutation safe?"
RootCause keeps its depth-first model: evidence-first diagnosis, root-cause analysis, and remediation flow instead of raw tool sprawl.
Power users can map these prompts to concrete tools in this README (Complete Feature Set, Toolchains, and Tools sections).
Use Cases
Incident response
- Build end-to-end incident evidence with
rootcause.incident_bundle - Generate probable causes with
rootcause.rca_generate - Export timeline and postmortem artifacts for follow-up
Safe operations before mutation
- Evaluate rollout/restart risk with
k8s.restart_safety_checkandk8s.best_practice - Run
k8s.safe_mutation_preflightbefore apply/patch/delete/scale operations
Ecosystem-specific health checks
- ArgoCD: detect installation and diagnose sync/health drift
- Flux: detect controllers and diagnose reconciliation failures
- cert-manager / Kyverno / Gatekeeper / Cilium: detect footprint and diagnose control-plane or policy issues
Feature Highlights
| Area | RootCause Capability |
|---|---|
| Incident analysis | rootcause.incident_bundle, rootcause.rca_generate, rootcause.change_timeline, rootcause.postmortem_export, rootcause.capabilities |
| Kubernetes resilience | k8s.restart_safety_check, k8s.best_practice, k8s.safe_mutation_preflight |
| Ecosystem diagnostics | ArgoCD/Flux/cert-manager/Kyverno/Gatekeeper/Cilium via *_detect and diagnose_* tools |
| Deployment safety | Automatic preflight before k8s mutating operations |
| Helm operations | Chart search/list/get, release diff, rollback advisor, template apply/uninstall flows |
| Terraform analysis | Module/provider search + terraform.debug_plan for impact/risk analysis |
| Service mesh & scaling | Linkerd/Istio/Karpenter diagnostics with shared evidence model |
Complete Feature Set
| Category | Representative capabilities |
|---|---|
Kubernetes core (k8s.*) | CRUD, logs/events, graph-based debug flows, restart safety, best-practice scoring, mutation preflight |
| Ecosystem diagnostics | ArgoCD, Flux, cert-manager, Kyverno, Gatekeeper, Cilium via *_detect and diagnose_* |
Incident intelligence (rootcause.*) | Incident bundle orchestration, timeline export, RCA generation, remediation playbook, postmortem export |
Helm operations (helm.*) | Chart registry search/list/get, release status/diff, rollback advisor, install/upgrade/uninstall, template apply/uninstall |
Terraform analysis (terraform.*) | Modules/providers/resources/data source discovery + plan debugging |
Service mesh (istio.*, linkerd.*) | Proxy/config/status diagnostics, policy/routing visibility, mesh resource health |
Cluster autoscaling (karpenter.*) | Provisioning, nodepool/nodeclass, interruption and scheduling diagnostics |
Cloud context (aws.*) | IAM, VPC, EC2, EKS, ECR, STS, KMS diagnostics for cross-layer incident analysis |
| Safety and controls | Read-only mode, destructive gating, explicit confirmation, auto preflight checks before mutating K8s operations |
Agent Skills
Extend your AI coding agent with Kubernetes and RootCause expertise using the built-in skills library in skills/.
Skills metadata is schema-versioned and embedded in the CLI from internal/skills/catalog/manifest.json.
Quick Install
# Copy all skills to Claude
cp -r skills/claude/* ~/.claude/skills/
# Or install a specific skill
cp -r skills/claude/k8s-helm ~/.claude/skills/
Sync Skills into Project Agent Directories
# List supported agent targets
rootcause sync-skills --list-agents
# Sync skills for one agent into project-local defaults
rootcause sync-skills --agent claude --project-dir .
# Example: GitHub Copilot project files
rootcause sync-skills --agent copilot --project-dir .
# UX helpers
rootcause sync-skills --all-agents --dry-run
rootcause sync-skills --agent claude --skill k8s-incident --skill rootcause-rca
rootcause sync-skills --list-skills
Agent directory defaults used by sync-skills:
| Agent | Format | Project Directory |
|---|---|---|
| Claude Code | SKILL.md | .claude/skills/ |
| Cursor | .mdc | .cursor/skills/ |
| Codex | SKILL.md | .codex/skills/ |
| Gemini CLI | SKILL.md | .gemini/skills/ |
| OpenCode | SKILL.md | .opencode/skills/ |
| GitHub Copilot | Markdown | .github/skills/ |
| Windsurf | Markdown | .windsurf/skills/ |
| Devin | Markdown | .devin/skills/ |
| Aider | SKILL.md | .aider/skills/ |
| Sourcegraph Cody | SKILL.md | .cody/skills/ |
| Amazon Q | SKILL.md | .amazonq/skills/ |
Available Skills (21)
20 skills are currently included.
| Category | Skills |
|---|---|
| Incident Response | k8s-incident, rootcause-rca |
| Core and Operations | k8s-core, k8s-operations |
| Diagnostics and Debugging | k8s-diagnostics, k8s-troubleshoot |
| Deployment and Delivery | k8s-deploy, k8s-helm, k8s-rollouts |
| GitOps | k8s-gitops |
| Networking and Mesh | k8s-networking, k8s-service-mesh, k8s-cilium |
| Security and Policy | k8s-security, k8s-policy, k8s-gatekeeper, k8s-certs |
| Cost and Scaling | k8s-cost, k8s-autoscaling |
| Storage | k8s-storage |
| Browser Automation | k8s-browser |
Supported agents include Claude, Cursor, Codex, Gemini CLI, GitHub Copilot, Goose, Windsurf, Roo, Amp, and more.
Skills include consistent triggers, workflow steps, tool references, troubleshooting notes, and output contracts.
See skills/README.md for full documentation and skills/CATALOG.md for auto-generated catalog output.
MCP Resources
Access Kubernetes data as browsable resources:
| Resource URI | Description |
|---|---|
kubeconfig://contexts | List all available kubeconfig contexts |
kubeconfig://current-context | Get current active context |
namespace://current | Get current namespace |
namespace://list | List all namespaces |
cluster://info | Get cluster connection info |
cluster://nodes | Get detailed node information |
cluster://version | Get Kubernetes version |
cluster://api-resources | List available API resources |
manifest://deployments/{namespace}/{name} | Get deployment YAML |
manifest://services/{namespace}/{name} | Get service YAML |
manifest://pods/{namespace}/{name} | Get pod YAML |
manifest://configmaps/{namespace}/{name} | Get ConfigMap YAML |
manifest://secrets/{namespace}/{name} | Get secret YAML (data masked) |
manifest://ingresses/{namespace}/{name} | Get ingress YAML |
MCP Prompts
Pre-built workflow prompts for Kubernetes and platform operations:
| Prompt | Description |
|---|---|
troubleshoot_workload | Comprehensive troubleshooting guide for pods/deployments |
deploy_application | Step-by-step deployment workflow |
security_audit | Security scanning and RBAC analysis workflow |
cost_optimization | Resource optimization and cost analysis workflow |
disaster_recovery | Backup and recovery planning workflow |
debug_networking | Network debugging for services and connectivity |
scale_application | Scaling guide with HPA/VPA best practices |
upgrade_cluster | Kubernetes cluster upgrade planning |
sre_incident_commander | Severity-based SRE incident coordination workflow |
istio_mesh_diagnose | Diagnose Istio control-plane and traffic policy issues |
linkerd_mesh_diagnose | Diagnose Linkerd control-plane, proxy, and policy health |
helm_release_recovery | Recover failed Helm install/upgrade with rollback strategy |
terraform_drift_triage | Investigate Terraform drift and plan safety |
aws_eks_operational_check | EKS health, nodegroup, and IAM integration diagnostics |
karpenter_capacity_debug | Debug Karpenter provisioning and scheduling issues |
Custom prompt overrides are also supported. Resolution order:
MCP_PROMPTS_FILEROOTCAUSE_PROMPTS_FILE[prompts].fileinconfig.toml- Default files:
~/.rootcause/prompts.toml,~/.config/rootcause/prompts.toml,./rootcause-prompts.toml
Example custom prompt file:
[[prompt]]
name = "security_audit"
title = "Custom Security Audit"
description = "Org-specific security policy checks"
template = "Run custom security audit for {{namespace|all namespaces}} with CIS and policy controls"
[[prompt.arguments]]
name = "namespace"
description = "Target namespace"
required = false
Custom prompts override built-ins with the same name.
Key Capabilities
- 🤖 Powerful tool catalog - Kubernetes, ecosystem diagnostics, incident workflows, Helm, Terraform, service mesh, and AWS context.
- 🎯 Prompt-driven workflows - Repeatable runbook templates for incident and reliability analysis.
- 📊 MCP Resources support - Readable resource URIs for kubeconfig, namespace, cluster, and manifest access.
- 🔐 Security first - Non-destructive modes, policy enforcement, secret masking, and mutation preflight checks.
- 🏥 Advanced diagnostics - Root-cause oriented outputs with evidence and recommended next actions.
- 🎡 Strong Helm + Terraform coverage - Chart lifecycle and plan/debug analysis in one server.
- 🔧 CLI-first operations - Single binary, local kubeconfig usage, and toolset-level controls.
Getting Started
1) Run RootCause
go run . --config config.toml
2) Connect your MCP client
Use stdio transport and point your MCP client to the rootcause command.
3) Try high-signal prompts
- "Generate an incident bundle for namespace payments and summarize the likely root cause."
- "Run best-practice checks for deployment payment-api and list critical findings."
- "Run safe mutation preflight for this apply operation before execution."
Quick Start 🚀
- Run the server:
go run . --config config.example.toml
- Use your existing kubeconfig (default) or point to one:
- Uses
KUBECONFIGif set, otherwise~/.kube/config. - Override with
--kubeconfigand--context.
- Connect your MCP client using stdio.
RootCause is built for local development. No API keys are required in this version.
Safe-by-default workflow: diagnose read-only first, then run mutation preflight before any write operation.
Installation
Homebrew:
brew install yindia/homebrew-yindia/rootcause
Curl install:
curl -fsSL https://raw.githubusercontent.com/yindia/rootcause/refs/heads/main/install.sh | sh
Go install:
go install .
Or build a local binary:
go build -o rootcause .
Supported OS: macOS, Linux, and Windows.
Windows build example:
go build -o rootcause.exe .
Docker
# Build local image
docker build -t rootcause:local .
# Run stdio mode (default)
docker run --rm -it rootcause:local
# Run HTTP transport
docker run --rm -p 8000:8000 rootcause:local --transport http --host 0.0.0.0 --port 8000 --path /mcp
CI image publishing is configured via GitHub Actions in .github/workflows/docker.yml and pushes to GHCR (ghcr.io/<owner>/rootcause) on main and release tags.
Usage
Run with a config file:
rootcause --config config.toml
Enable a subset of toolchains:
rootcause --toolsets k8s,istio
Enable read-only mode:
rootcause --read-only
Sync skills into agent-specific project directories:
rootcause sync-skills --agent claude --project-dir .
MCP Client Setup 🌐
All MCP clients use the same core values:
command:rootcauseargs: usually--config /path/to/config.tomlenv: optionalKUBECONFIG
Universal template
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
All Supported AI Assistants
Claude Desktop
File: ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
Claude Code
File: ~/.config/claude-code/mcp.json
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
Cursor
File: ~/.cursor/mcp.json
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
GitHub Copilot (VS Code)
File: VS Code settings.json (MCP-enabled builds)
{
"mcp.servers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
OpenAI Codex / Codex CLI
Format can vary by release. Equivalent TOML entry:
[mcp.servers.rootcause]
command = "rootcause"
args = ["--config", "/Users/you/.config/rootcause/config.toml"]
env = { KUBECONFIG = "/Users/you/.kube/config" }
Goose
File: ~/.config/goose/config.yaml
extensions:
rootcause:
command: rootcause
args:
- --config
- /Users/you/.config/rootcause/config.toml
Gemini CLI
File: ~/.gemini/settings.json
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
Roo Code / Kilo Code
File: ~/.config/roo-code/mcp.json or ~/.config/kilo-code/mcp.json
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
Windsurf
File: ~/.config/windsurf/mcp.json
{
"mcpServers": {
"rootcause": {
"command": "rootcause",
"args": ["--config", "/Users/you/.config/rootcause/config.toml"],
"env": { "KUBECONFIG": "/Users/you/.kube/config" }
}
}
}
Other MCP-compatible clients
Use the universal template and map keys to the client's schema.
MCP Client Compatibility
Works seamlessly with MCP-compatible AI assistants:
| Client | Status | Client | Status |
|---|---|---|---|
| Claude Desktop | ✅ Native | Claude Code | ✅ Native |
| Cursor | ✅ Native | Windsurf | ✅ Native |
| GitHub Copilot | ✅ Native | OpenAI Codex | ✅ Native |
| Gemini CLI | ✅ Native | Goose | ✅ Native |
| Roo Code | ✅ Native | Kilo Code | ✅ Native |
| Amp | ✅ Compatible | Trae | ✅ Compatible |
| OpenCode | ✅ Compatible | Kiro CLI | ✅ Compatible |
| Antigravity | ✅ Compatible | Clawdbot | ✅ Compatible |
| Droid (Factory) | ✅ Compatible | Any MCP Client | ✅ Compatible |
Validate setup (all providers)
- Restart your client after editing MCP config.
- Ask: "List RootCause tools".
- Ask: "Run
k8s.argocd_detect". - If tools are missing, verify
rootcausepath,--toolsets, andKUBECONFIG.
Suggested first prompts (RootCause context)
- "Run incident bundle for namespace payments and summarize root cause."
- "Check deployment payment-api restart safety before rollout."
- "Diagnose ArgoCD health in namespace argocd."
- "Preflight this patch operation before mutation."
MCP Client Example (stdio)
rootcause --config config.toml
Point your MCP client to run the command above and use stdio transport.
Example Operator Flows 🧪
Incident RCA flow
- "Create incident bundle for namespace payments"
- "Generate RCA from latest incident bundle"
- "Export postmortem draft"
Tools behind this flow:
rootcause.incident_bundlerootcause.rca_generaterootcause.postmortem_export
Safe rollout flow
- "Run restart safety check for deployment payment-api"
- "Run best-practice check for payment-api"
- "Run mutation preflight for rollout restart"
Tools behind this flow:
k8s.restart_safety_checkk8s.best_practicek8s.safe_mutation_preflight
Ecosystem diagnosis flow
- "Detect Flux in this cluster"
- "Diagnose Flux reconciliation health in namespace flux-system"
- "Summarize top issues and next actions"
Tools behind this flow:
k8s.flux_detectk8s.diagnose_flux
Toolchains
Enabled by default:
| Toolchain | Primary Purpose | Typical Requirement |
|---|---|---|
k8s | Core Kubernetes operations and diagnostics | Kubernetes API access |
linkerd | Linkerd health and policy diagnostics | Linkerd control plane |
karpenter | Node provisioning and scaling diagnostics | Karpenter controller |
istio | Service mesh configuration and proxy diagnostics | Istio control plane |
helm | Chart registry/release workflows and diffing | Helm 3 and cluster access |
aws | EKS/EC2/VPC/IAM/ECR/KMS/STS diagnostics | AWS credentials |
terraform | Registry and plan impact analysis | Terraform workflows |
rootcause | Incident bundles, RCA, timeline, postmortem export | Kubernetes access |
browser (optional) | Browser automation via agent-browser | MCP_BROWSER_ENABLED=true + agent-browser install |
Optional toolchains return "not detected" when the control plane is absent. Additional toolchains can be registered via the plugin SDK; see PLUGINS.md.
Enable only what you need:
rootcause --toolsets k8s,helm,rootcause
Optional: Browser Automation (26 Tools)
Automate web-based Kubernetes operations with agent-browser integration.
Quick setup:
# Install agent-browser
npm install -g agent-browser
agent-browser install
# Enable browser tools
export MCP_BROWSER_ENABLED=true
rootcause
What you can do:
- 🌐 Test deployed apps via Ingress URLs
- 📸 Screenshot Grafana, ArgoCD, or any K8s dashboard
- ☁️ Automate cloud console operations (EKS, GKE, AKS)
- 🏥 Health check web applications
- 📄 Export monitoring dashboards as PDF
- 🔐 Test authentication flows with persistent sessions
26 available tools: browser_open, browser_screenshot, browser_click, browser_fill, browser_test_ingress, browser_screenshot_grafana, browser_health_check, and 19 more.
Full list: browser_open, browser_screenshot, browser_click, browser_fill, browser_test_ingress, browser_screenshot_grafana, browser_health_check, browser_snapshot, browser_get_text, browser_get_html, browser_evaluate, browser_pdf, browser_wait_for, browser_wait_for_url, browser_press, browser_select, browser_check, browser_uncheck, browser_hover, browser_type, browser_upload, browser_drag, browser_new_tab, browser_switch_tab, browser_close_tab, browser_close.
Advanced features:
- Cloud providers: Browserbase, Browser Use
- Persistent browser profiles
- Remote CDP connections
- Session management
Tools
Prompt templates for common debugging flows are in prompts/prompt.md.
Core Kubernetes (k8s.* + kubectl-style aliases)
- CRUD + discovery:
k8s.get,k8s.list,k8s.describe,k8s.create,k8s.apply,k8s.patch,k8s.delete,k8s.api_resources,k8s.crds - Ops + observability:
k8s.logs,k8s.events,k8s.context,k8s.explain_resource,k8s.ping,k8s.events_timeline - Workload operations and safety:
k8s.scale,k8s.rollout,k8s.restart_safety_check,k8s.best_practice,k8s.safe_mutation_preflight - Ecosystem detection:
k8s.argocd_detect,k8s.flux_detect,k8s.cert_manager_detect,k8s.kyverno_detect,k8s.gatekeeper_detect,k8s.cilium_detect - Ecosystem diagnostics:
k8s.diagnose_argocd,k8s.diagnose_flux,k8s.diagnose_cert_manager,k8s.diagnose_kyverno,k8s.diagnose_gatekeeper,k8s.diagnose_cilium - Debugging:
k8s.overview,k8s.crashloop_debug,k8s.scheduling_debug,k8s.hpa_debug,k8s.vpa_debug,k8s.storage_debug,k8s.config_debug,k8s.permission_debug,k8s.network_debug,k8s.private_link_debug,k8s.debug_flow - Maintenance + topology:
k8s.cleanup_pods,k8s.node_management,k8s.graph,k8s.resource_usage
Linkerd (linkerd.*)
linkerd.health,linkerd.proxy_status,linkerd.identity_issues,linkerd.policy_debug,linkerd.cr_status,linkerd.virtualservice_status,linkerd.destinationrule_status,linkerd.gateway_status,linkerd.httproute_status
Istio (istio.*)
istio.health,istio.proxy_status,istio.config_summary,istio.service_mesh_hosts,istio.discover_namespaces,istio.pods_by_service,istio.external_dependency_checkistio.proxy_clusters,istio.proxy_listeners,istio.proxy_routes,istio.proxy_endpoints,istio.proxy_bootstrap,istio.proxy_config_dumpistio.cr_status,istio.virtualservice_status,istio.destinationrule_status,istio.gateway_status,istio.httproute_status
Karpenter (karpenter.*)
karpenter.status,karpenter.node_provisioning_debug,karpenter.nodepool_debug,karpenter.nodeclass_debug,karpenter.interruption_debug
Helm (helm.*)
- Repo/registry:
helm.repo_add,helm.repo_list,helm.repo_update,helm.list_charts,helm.get_chart,helm.search_charts - Release operations:
helm.list,helm.status,helm.diff_release,helm.rollback_advisor,helm.install,helm.upgrade,helm.uninstall,helm.template_apply,helm.template_uninstall
AWS IAM (aws.iam.*)
aws.iam.list_roles,aws.iam.get_role,aws.iam.get_instance_profile,aws.iam.update_role,aws.iam.delete_roleaws.iam.list_policies,aws.iam.get_policy,aws.iam.update_policy,aws.iam.delete_policy
AWS VPC (aws.vpc.*)
aws.vpc.list_vpcs,aws.vpc.get_vpc,aws.vpc.list_subnets,aws.vpc.get_subnet,aws.vpc.list_route_tables,aws.vpc.get_route_tableaws.vpc.list_nat_gateways,aws.vpc.get_nat_gateway,aws.vpc.list_security_groups,aws.vpc.get_security_groupaws.vpc.list_network_acls,aws.vpc.get_network_acl,aws.vpc.list_internet_gateways,aws.vpc.get_internet_gatewayaws.vpc.list_vpc_endpoints,aws.vpc.get_vpc_endpoint,aws.vpc.list_network_interfaces,aws.vpc.get_network_interfaceaws.vpc.list_resolver_endpoints,aws.vpc.get_resolver_endpoint,aws.vpc.list_resolver_rules,aws.vpc.get_resolver_rule
AWS EC2 (aws.ec2.*)
aws.ec2.list_instances,aws.ec2.get_instance,aws.ec2.list_auto_scaling_groups,aws.ec2.get_auto_scaling_group,aws.ec2.list_load_balancers,aws.ec2.get_load_balanceraws.ec2.list_target_groups,aws.ec2.get_target_group,aws.ec2.list_listeners,aws.ec2.get_listener,aws.ec2.get_target_healthaws.ec2.list_listener_rules,aws.ec2.get_listener_rule,aws.ec2.list_auto_scaling_policies,aws.ec2.get_auto_scaling_policy,aws.ec2.list_scaling_activities,aws.ec2.get_scaling_activityaws.ec2.list_launch_templates,aws.ec2.get_launch_template,aws.ec2.list_launch_configurations,aws.ec2.get_launch_configurationaws.ec2.get_instance_iam,aws.ec2.get_security_group_rules,aws.ec2.list_spot_instance_requests,aws.ec2.get_spot_instance_requestaws.ec2.list_capacity_reservations,aws.ec2.get_capacity_reservation,aws.ec2.list_volumes,aws.ec2.get_volume,aws.ec2.list_snapshots,aws.ec2.get_snapshot,aws.ec2.list_volume_attachmentsaws.ec2.list_placement_groups,aws.ec2.get_placement_group,aws.ec2.list_instance_status,aws.ec2.get_instance_status
AWS EKS (aws.eks.*)
aws.eks.list_clusters,aws.eks.get_cluster,aws.eks.list_nodegroups,aws.eks.get_nodegroup,aws.eks.list_addons,aws.eks.get_addonaws.eks.list_fargate_profiles,aws.eks.get_fargate_profile,aws.eks.list_identity_provider_configs,aws.eks.get_identity_provider_configaws.eks.list_updates,aws.eks.get_update,aws.eks.list_nodes,aws.eks.debug
AWS ECR (aws.ecr.*)
aws.ecr.list_repositories,aws.ecr.describe_repository,aws.ecr.list_images,aws.ecr.describe_images,aws.ecr.describe_registry,aws.ecr.get_authorization_token
AWS STS (aws.sts.*)
aws.sts.get_caller_identity,aws.sts.assume_role
AWS KMS (aws.kms.*)
aws.kms.list_keys,aws.kms.list_aliases,aws.kms.describe_key,aws.kms.get_key_policy
Terraform (terraform.*)
terraform.debug_planterraform.list_modules,terraform.get_module,terraform.list_module_versions,terraform.search_modulesterraform.list_providers,terraform.get_provider,terraform.list_provider_versions,terraform.get_provider_package,terraform.search_providersterraform.list_resources,terraform.get_resource,terraform.search_resourcesterraform.list_data_sources,terraform.get_data_source,terraform.search_data_sources
RootCause (rootcause.*)
rootcause.incident_bundle,rootcause.change_timeline,rootcause.rca_generate,rootcause.remediation_playbook,rootcause.postmortem_export,rootcause.capabilities
Browser (browser_*, optional)
browser_open,browser_screenshot,browser_click,browser_fill,browser_test_ingress,browser_screenshot_grafana,browser_health_checkbrowser_snapshot,browser_get_text,browser_get_html,browser_evaluate,browser_pdf,browser_wait_for,browser_wait_for_urlbrowser_press,browser_select,browser_check,browser_uncheck,browser_hover,browser_type,browser_upload,browser_dragbrowser_new_tab,browser_switch_tab,browser_close_tab,browser_close
Kubectl-style aliases
kubectl_get,kubectl_list,kubectl_describe,kubectl_create,kubectl_apply,kubectl_delete,kubectl_logs,kubectl_patch,kubectl_scale,kubectl_rollout,kubectl_context,kubectl_generic,kubectl_top,explain_resource,list_api_resources,ping
Safety Modes
--read-only: removes apply/patch/delete/exec tools from discovery.--disable-destructive: removes delete and risky write tools unless allowlisted (create/scale/rollout remain available).- Mutating tools are documented in this README under
Complete Feature SetandSafety Modes.
Default safety policy:
- If a user does not explicitly request a mutating action, treat the request as read-only diagnostics.
- Do not run mutating tools implicitly during analysis.
- For investigation-first workflows, prefer running RootCause in
--read-onlymode. - K8s mutating tools
create/apply/patch/delete/scale/rollout/cleanup_pods/node_managementrun an automatick8s.safe_mutation_preflightcheck before execution.
Safety workflow recommendation:
- Run read-only diagnosis (
k8s.*_debug,k8s.*_detect,k8s.diagnose_*,rootcause.incident_bundle) - Run
k8s.safe_mutation_preflightfor intended mutation - Execute mutation only after preflight passes and
confirm=true
Config and Flags
rootcause --config config.example.toml --toolsets k8s,linkerd,istio,karpenter,helm,aws
Flags
--kubeconfig--context--toolsets(comma-separated)--config--read-only--disable-destructive--transport(stdio|http|sse)--host(for HTTP/SSE)--port(for HTTP/SSE)--path(for HTTP/SSE)--log-level
If --config is not set, RootCause will use the ROOTCAUSE_CONFIG environment variable when present.
AWS Credentials
The AWS IAM tools use the standard AWS credential chain and region resolution. Set AWS_REGION or AWS_DEFAULT_REGION (defaults to us-east-1), optionally select a profile with AWS_PROFILE or AWS_DEFAULT_PROFILE, and use any of the normal credential sources (env vars, shared config/credentials files, SSO, or instance metadata).
Kubeconfig Resolution
If --kubeconfig is not set, RootCause follows standard Kubernetes loading rules: it uses KUBECONFIG when present, otherwise defaults to ~/.kube/config.
Authentication and authorization use your kubeconfig identity only in this version.
Troubleshooting
kubeconfig not found
- Verify
KUBECONFIGor~/.kube/config - Override explicitly with
--kubeconfig /path/to/config
tools not visible in MCP client
- Confirm server is running and client points to
rootcause - Check selected toolsets with
--toolsets - If using
--read-only, mutating tools will be hidden by design
ecosystem tools return not detected
- This usually means the ecosystem control plane is not installed in the cluster
- Run
k8s.<ecosystem>_detectfirst, thenk8s.diagnose_<ecosystem>
mutation blocked by preflight
- Run
k8s.safe_mutation_preflightexplicitly and inspect failed checks - Fix policy/namespace/resource issues, then retry with
confirm=true
Architecture at a Glance
AI Client
-> MCP stdio server
-> Tool registry (k8s/linkerd/istio/karpenter/helm/aws/terraform/rootcause)
-> Shared internals (kube clients, evidence, policy, rendering, redaction)
-> Target APIs (Kubernetes + cloud providers)
Why this matters:
- consistent evidence format across toolsets
- reusable diagnostics instead of duplicated logic
- safer operations through centralized policy and preflight checks
Architecture Overview
RootCause is organized around shared Kubernetes plumbing and toolsets that reuse it.
- Shared clients (typed, dynamic, discovery, RESTMapper) are created once in
internal/kubeand injected into all toolsets. - Common safeguards live in
internal/policy(namespace vs cluster enforcement and tool allowlists) andinternal/redact(token/secret redaction). internal/evidencegathers events, owner chains, endpoints, and pod status summaries used by all toolsets.internal/renderenforces a consistent analysis output format (root causes, evidence, next checks, resources examined) and provides the shared describe helper.- Toolsets live under
toolsets/and register namespaced tools (k8s.*,linkerd.*,karpenter.*,istio.*,helm.*,aws.iam.*,aws.vpc.*) through a shared MCP registry.
The MCP server runs over stdio using the MCP Go SDK and is designed for local kubeconfig usage. Optional in-cluster deployment is intentionally out of scope for Phase 1.
Config Reload
Send SIGHUP to reload config and rebuild the tool registry. On Windows, SIGHUP is not supported; restart the process to reload config.
MCP Transport
RootCause supports MCP over stdio (default), http (streamable HTTP), and sse.
Examples:
# stdio
rootcause --config config.toml --transport stdio
# HTTP (streamable)
rootcause --config config.toml --transport http --host 127.0.0.1 --port 8000 --path /mcp
# SSE
rootcause --config config.toml --transport sse --host 127.0.0.1 --port 8000 --path /mcp
Design focus today:
- best-in-class local reliability for AI-assisted SRE workflows
- deterministic, auditable outputs for incident review
- safe mutation gates instead of broad write-by-default behavior
Future Cloud Readiness
AWS IAM support is now available. The toolset system is designed to add deeper cloud integrations (EKS/EC2/VPC/GCP/Azure) without changing the core MCP or shared Kubernetes libraries.
Contributing Guide 🤝
We welcome code, docs, tests, and operational feedback.
Ways to contribute
- 🐛 Report bugs with reproducible steps and expected behavior
- 💡 Propose features with concrete operator scenarios
- 🧪 Improve tests for safety, policy, and ecosystem diagnostics
- 🧩 Add or improve toolsets via shared SDK and internal libraries
Contributor workflow
- Fork and create a feature branch
- Implement focused changes with tests
- Run local verification:
go test ./...
- Update docs (
README.md,prompts/prompt.md) if behavior changed - Open PR with problem statement, approach, and verification notes
Development references
- Contribution rules:
CONTRIBUTING.md - Plugin SDK and external toolsets:
PLUGINS.md - Config example:
config.toml - MCP eval harness:
eval/README.md
PR quality checklist
- Behavior matches user/operator expectations
- Safety model preserved (
read-only, destructive gating, preflight) - Tests added/updated for new behavior
- Tool/docs consistency checked (
README.md)