Thin client for Opsphere — all MCP tools run on the remote gateway (mcp-cursor.opsphere.io). Query logs, diagnose incidents, and manage Datadog, Vercel, GitHub, AWS, and more from Cursor. OAuth2 + PKCE; no backend code in the bundle.
# Opsphere — DevOps Operational Intelligence
Opsphere connects your DevOps tools to Cursor. Query logs, check deploys, search issues, diagnose incidents, and manage integrations — all from the chat, without leaving the IDE.
The backend is a remote MCP server. All tool calls go to the Opsphere gateway. No tool logic runs locally.
---
## Available Tool Categories
These tools are available once authenticated and integrations are configured:
| Category | Provider | Tools |
|----------|----------|-------|
| Monitoring | Datadog | `dd_logs_search`, `dd_errors_by_service`, `dd_errors_recent`, `dd_synthetics_summary` |
| Deployments | Vercel | `vercel_deploys_latest`, `vercel_project_status` |
| Source Control | GitHub Enterprise | `ghe_repo_summary`, `ghe_actions_latest` |
| Source Control | Bitbucket | `bb_pipelines_latest`, `bb_pipeline_diagnose` |
| CDN / DNS | Cloudflare | `cf_quick_status`, `cf_dns_records` |
| Issue Tracking | Jira | `jira_issue_get`, `jira_issues_search` |
| Error Tracking | Sentry | `sentry_issues_list`, `sentry_issues_search` |
| Cloud | AWS | `aws_sts_whoami`, `aws_cli_query` |
| Network (built-in) | — | `dns_lookup`, `http_check`, `cert_status` |
| Integration Mgmt | — | `ops_configure_integration`, `ops_list_integrations`, `ops_test_integration`, `ops_remove_integration` |
| Plan & Usage | — | `ops_my_usage` |
| Work context | — | `ops_set_work_context`, `ops_get_work_context` |
| Operational memory | — | `memory_search`, `memory_store`, `memory_session_touch`, `memory_invalidate` |
**Network tools (`dns_lookup`, `http_check`, `cert_status`) work immediately after login — no integration setup needed.**
**Memory tools** appear only when the `memory` module is enabled for your tenant (`tenant_tools`, profile `cursor`). They store **distilled** notes from past sessions — not live ops truth. Always verify current state with Datadog, K8s, Vercel, or other live tools after reading memory.
**Work context** is injected automatically when MCP connects (default cloud account + index of others). After signup, if `ops_my_usage` shows work context as not configured, run the `set-work-context` skill. For full text of a non-default account, use `ops_get_work_context` or resource `opsphere://tenant/account-context`.
---
## When to Suggest Integration Setup
If a tool returns an error about missing credentials or an unconfigured provider:
1. Identify the provider from the tool name prefix:
- `dd_` → Datadog
- `vercel_` → Vercel
- `ghe_` → GitHub
- `bb_` → Bitbucket
- `cf_` → Cloudflare
- `jira_` → Jira
- `sentry_` → Sentry
- `aws_` → AWS
2. Suggest: "It looks like [Provider] is not configured yet. Say **'Configure my [Provider]'** and I will walk you through it."
3. Use the `configure-integration` skill for the full setup flow.
---
## Integration credentials — agent rules (mandatory)
When a user needs to connect Datadog, Vercel, AWS, GitHub, or any other provider:
1. **Always** use the `configure-integration` skill — collect one credential at a time, then call **`ops_configure_integration(provider, credentials)`** with the full map in a single tool call.
2. **Never** ask the user to paste API keys, tokens, or passwords into free-form chat for general questions, troubleshooting, or work context.
3. **Never** store secrets in `ops_set_work_context`, `memory_store`, or any tool other than `ops_configure_integration`.
4. **Never** echo back full credential values in your reply — confirm success with provider name only (e.g. "Datadog connected").
5. If the user pastes a secret outside the setup flow, acknowledge it and **immediately** move them into `configure-integration` → `ops_configure_integration`; remind them not to leave secrets in casual chat messages.
Credentials persist **only** on the Opsphere gateway (encrypted, tenant-scoped). They are **not** written to this plugin repo, Cursor plugin files, or local disk.
---
## When to Suggest Signup / Re-login
If the MCP connection fails with **401 Unauthorized** or tools are not visible:
- The user likely has not set up an account yet, or their token has expired (tokens last 24 hours).
- Suggest: "It looks like you need to authenticate. Say **'Set up my Opsphere account'**, run **`/opsphere-setup`**, or **`/opsphere-welcome`** for a quick start."
For brand-new installs (no Connect yet), you may suggest **`/opsphere-welcome`** before full setup — it lists example prompts without running any shell scripts.
---
## Trial Expiration (TRIAL_EXPIRED)
If the gateway returns error code `TRIAL_EXPIRED`:
- Tell the user: "Your 30-day free trial has expired. Visit **https://opsphere.io/pricing** to continue using Opsphere."
- Do not retry the request.
- Do not suggest re-login — re-authentication will not fix an expired trial.
---
## Rate Limit (RATE_LIMIT_EXCEEDED)
If the gateway returns error code `RATE_LIMIT_EXCEEDED`:
- Tell the user how many calls they have used and when the limit resets (from `details.resetsAt` in the error body).
- Suggest: "You can check your full plan status with `ops_my_usage`."
- Do not retry the request automatically.
---
## Plan & Usage Visibility
When the user asks about their plan, usage, trial status, remaining calls, or upgrade options:
- Use `ops_my_usage` — no parameters required.
- It returns: plan name, trial end date, days remaining, daily usage (used / limit / resets at), configured integrations count, and upgrade link.
---
## Example Prompts
Users might say things like:
- "Check my latest Vercel deploys"
- "Search Datadog logs for errors in the last hour"
- "What's failing in Sentry right now?"
- "Is example.com up?" — triggers `dns_lookup` + `http_check` + `cert_status`
- "Check the SSL cert for api.mycompany.com"
- "Configure my Datadog" — triggers the `configure-integration` skill
- "Tell Opsphere what I usually work with" — triggers the `set-work-context` skill
- "Show PR #42 status in Bitbucket"
- "Find Jira issues assigned to me"
- "What GitHub Actions ran today on the main branch?"
- "Show my usage" — triggers `ops_my_usage`
- "Which integrations do I have configured?" — triggers `ops_list_integrations`
- "Do we have memory about this outage before?" — `memory_search` with `scopes: ["incident"]` (and `repo` if known)
- "Save this investigation summary for next time" — `memory_store` (`scope`: `user` or `session` for general notes; `incident` / `decision` for structured post-mortems)
### Memory quick selection
| Need | Tool |
|------|------|
| Recall prior work / outage precedent | `memory_search` |
| Save finding after investigation | `memory_store` |
| Optional session heartbeat | `memory_session_touch` |
| Remove stale memory | `memory_invalidate` |
### When to use memory (agent behavior)
1. **Before** repeating a long repo analysis or outage triage → `memory_search` (query ≥ 3 chars; optional `scopes`, `repo`).
2. **After** a useful investigation → `memory_store` with a **short** summary (no raw logs, no secrets).
3. **When outdated** → `memory_invalidate` with `status: stale` (owner or admin).
4. **Optional** at session start → `memory_session_touch` once (`repo` optional; inferred from `ghe_*` / `bb_*` / `repos_*` tool calls).
Default scopes for partners: **session** + **user**. Use `scope=repository` only with explicit `repo` `org/name`. Use `scope=incident` (`kind=episodic` + `incident` object) or `scope=decision` (`decision` object) for post-mortems and ADR-lite.
Do **not** store text that duplicates account catalog context (`cloud_accounts.system_prompt_context`). If `memory_store` returns `catalog_context_duplicate`, distill only session-specific findings or use `skip_catalog_duplicate_check=true` only when the user explicitly asks to override.
If `memory_*` tools are missing from `tools/list`, the tenant does not have memory enabled — do not invent the tools; tell the user to contact Opsphere support or check signup plan.
---
## Important Constraints
- Never invent tool names. Only call tools that exist in the list above.
- Never ask the user to edit `mcp.json` or configure the MCP transport manually — the plugin handles this.
- **Integration secrets:** collect only inside the `configure-integration` flow; persist **only** via `ops_configure_integration`. Never in free-form chat, work context, or memory. Never stored locally or in this repo.
- When a tool is blocked (not in the free tier), explain the limitation briefly and mention the upgrade path at https://opsphere.io/pricing.