insights-mcp

# Red Hat Lightspeed MCP
_(formerly known as Insights MCP)_

Red Hat Lightspeed Model Context Protocol ([MCP](https://modelcontextprotocol.io)) server is a lightweight, self-hosted solution that connects LLM-based agents - such as Claude Desktop and other MCP-compatible tools - to Red Hat Lightspeed services.

## Features
 * Supports read-only operations: The server runs in read-only mode by default. Use `--all-tools` to enable write tools (e.g. create blueprints, run composes). RBAC permissions can also restrict access.
 * Provides natural language prompts: provides an ability to use natural language for querying Red Hat Lightspeed services

## Supported Lightspeed Services
 * [advisor](https://docs.redhat.com/en/documentation/red_hat_insights/1-latest/html/assessing_rhel_configuration_issues_using_the_red_hat_insights_advisor_service/index)
 * [hosted image builder](https://osbuild.org/docs/hosted/architecture/)
 * [inventory](https://docs.redhat.com/en/documentation/red_hat_insights/1-latest/html/viewing_and_managing_system_inventory/index)
 * [planning](https://docs.redhat.com/en/documentation/red_hat_lightspeed/1-latest/html/dynamically_creating_a_digital_roadmap_to_manage_rhel_systems/index)
 * [remediations](https://docs.redhat.com/en/documentation/red_hat_insights/1-latest/html/red_hat_insights_remediations_guide/index)
 * [vulnerability](https://docs.redhat.com/en/documentation/red_hat_insights/1-latest/html/assessing_and_monitoring_security_vulnerabilities_on_rhel_systems/index)

## Setup and usage

### Authentication

**Note**: Authentication is only required for accessing Red Hat Lightspeed APIs. The MCP server itself does not require authentication.

There are two ways to authenticate:

1. **Service Account** (client_id + client_secret) — create a service account and provide the credentials via environment variables or HTTP headers.
2. **JWT Bearer Token** — provide a pre-existing JWT token via the `Authorization: Bearer <token>` HTTP header (SSE/HTTP transports only).

#### Service Account Setup

1. Go to https://console.redhat.com → Click Settings (⚙️ Gear Icon) →  "Service Accounts"
2. Create a service account and remember `Client ID` and `Client secret` for later.<br>
   See below in the integration instructions, there they are respectively referred to as
   `LIGHTSPEED_CLIENT_ID` and `LIGHTSPEED_CLIENT_SECRET`.

#### Required Permissions by Toolset

Different toolsets require specific roles for your service account:

- **Advisor tools**: `RHEL Advisor viewer`
- **Inventory tools**: `Inventory Hosts viewer`
- **Vulnerability tools**: `Vulnerability viewer`, `Inventory Hosts viewer`
- **Remediation tools**: `Remediations user`

#### Granting Permissions to Service Accounts

By default, service accounts have no access. An organization administrator must assign permissions. The MCP server will only be able to perform tasks that it has permission to perform. For example, if the user wants to allow read-only operations and deny write operations, this can be accomplished via the permissions system.

For detailed step-by-step instructions, see this video tutorial: [Service Account Permissions Setup](https://www.youtube.com/watch?v=UvNcmJsbg1w)

1. **Log in as Organization Administrator** with User Access administrator role
2. **Navigate to User Access Settings**: Click Settings (⚙️ Gear Icon) → "User Access" → "Groups"
3. **Assign permissions** (choose one option):

   **Option A - Create New Group:**
   - Create new group (e.g., `mcp-service-accounts`)
   - Add required roles (e.g., RHEL Advisor viewer, Inventory Hosts viewer, etc.)
   - Add your service account to this group

   **Option B - Use Existing Group:**
   - Open existing group with necessary roles
   - Go to "Service accounts" tab
   - Add your service account to the group

Your service account will inherit all roles from the assigned group.

#### ⚠️ Security Remarks ⚠️

If you start this MCP server locally (with `podman` or `docker`) make sure the container is not exposed to the internet. In this scenario it's probably fine to use `LIGHTSPEED_CLIENT_ID` and `LIGHTSPEED_CLIENT_SECRET` although your MCP Client (e.g. VSCode, Cursor, etc.) can get your `LIGHTSPEED_CLIENT_ID` and `LIGHTSPEED_CLIENT_SECRET`.

For a deployment where you connect to this MCP server from a different machine, you should consider that `LIGHTSPEED_CLIENT_ID` and `LIGHTSPEED_CLIENT_SECRET` (or your JWT Bearer token) are transferred to the MCP server and you are trusting the remote MCP server not to leak them.

In both cases if you are in doubt, please disable/remove the `LIGHTSPEED_CLIENT_ID` and `LIGHTSPEED_CLIENT_SECRET` from your account after you are done using the MCP server.

#### Security & Incident Response (Emergency Revocation)

To ensure safe AI operations and compliance with security standards, operators must be able to rapidly sever the connected LLM's access to Red Hat Lightspeed in the event of abnormal AI behavior, unexpected data exposure, or suspected token compromise.

**Emergency "Kill Switch" Procedure:**

If you need to immediately revoke AI access to the toolsets, execute the following steps:
1. **Terminate the Server:** Stop the MCP container or local process immediately (e.g., run `podman ps` to find the container, then `podman stop <container_id>`).
2. **Revoke Credentials:** Invalidate the Red Hat Client ID used by the MCP server to authenticate with Red Hat services. Go to the "[Service Accounts](https://console.redhat.com/iam/service-accounts)" page and `Delete` or `Reset` the credentials.

Additionally you can remove the MCP server entry (e.g., `lightspeed-mcp` in your client's `mcp.json`) from your local LLM client's configuration to prevent the client from attempting to restart or reconnect to the server.

If credential compromise or data exposure is suspected, assess breach notification obligations under applicable law (e.g., GDPR). For logging, debug mode, and compliance details, see [HACKING.md - Logging and Compliance](HACKING.md#logging-and-compliance).

## Technical Info
### Toolsets

See [toolsets.md](toolsets.md) for the toolsets available in the MCP server.

## Integrations

### Prerequisites

Make sure you have `podman` installed.<br>
(Docker is fine too but the commands below have to be adapted accordingly)

You can install it with `sudo dnf install podman` on Fedora/RHEL/CentOS,
or on macOS use either [Podman Desktop](https://podman-desktop.io/) or `brew install podman`.

⚠️ **Note** if you use Podman on macOS, you sometimes need to set the path to `podman` explicitly.
E.g. replace `podman` with the full path. Should be something like

 * `/usr/local/bin/podman`
 * `/opt/homebrew/bin/podman`
 * …

You can find the path by running `which podman` in your terminal.

### VSCode

First check the [prerequisites](#prerequisites) section.

#### Option 1: One-click installation (easiest)

[![Install with Podman in VS Code](https://img.shields.io/badge/VS_Code-Install_Red_Hat_Lightspeed_MCP-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=red-hat-lightspeed-mcp&config=%7B%22type%22%3A%20%22stdio%22%2C%20%22command%22%3A%20%22podman%22%2C%20%22args%22%3A%20%5B%22run%22%2C%20%22--env%22%2C%20%22LIGHTSPEED_CLIENT_ID%22%2C%20%22--env%22%2C%20%22LIGHTSPEED_CLIENT_SECRET%22%2C%20%22--interactive%22%2C%20%22--rm%22%2C%20%22quay.io%2Fredhat-services-prod%2Finsights-management-tenant%2Finsights-mcp%2Fred-hat-lightspeed-mcp%3Alatest%22%5D%2C%20%22env%22%3A%20%7B%22LIGHTSPEED_CLIENT_ID%22%3A%20%22%24%7Binput%3Alightspeed_client_id%7D%22%2C%20%22LIGHTSPEED_CLIENT_SECRET%22%3A%20%22%24%7Binput%3Alightspeed_client_secret%7D%22%7D%7D&inputs=%5B%7B%22id%22%3A%20%22lightspeed_client_id%22%2C%20%22type%22%3A%20%22promptString%22%2C%20%22description%22%3A%20%22Enter%20the%20Red%20Hat%20Lightspeed%20Client%20ID%22%2C%20%22default%22%3A%20%22%22%2C%20%22password%22%3A%20true%7D%2C%20%7B%22id%22%3A%20%22lightspeed_client_secret%22%2C%20%22type%22%3A%20%22promptString%22%2C%20%22description%22%3A%20%22Enter%20the%20Red%20Hat%20Lightspeed%20Client%20Secret%22%2C%20%22default%22%3A%20%22%22%2C%20%22password%22%3A%20true%7D%5D)<br>
(Note: this uses the `quay.io` container image)

#### Option 2: Manual STDIO installation

For the usage in your project, create a file called `.vscode/mcp.json` with
the following content.

```
{
    "inputs": [
        {
            "id": "lightspeed_client_id",
            "type": "promptString",
            "description": "Enter the Red Hat Lightspeed Client ID",
            "default": "",
            "password": true
        },
        {
            "id": "lightspeed_client_secret",
            "type": "promptString",
            "description": "Enter the Red Hat Lightspeed Client Secret",
            "default": "",
            "password": true
        }
    ],
    "servers": {
        "lightspeed-mcp": {
            "type": "stdio",
            "command": "podman",
            "args": [
                "run",
                "--env",
                "LIGHTSPEED_CLIENT_ID",
                "--env",
                "LIGHTSPEED_CLIENT_SECRET",
                "--interactive",
                "--rm",
                "ghcr.io/redhatinsights/red-hat-lightspeed-mcp:latest"
            ],
            "env": {
                "LIGHTSPEED_CLIENT_ID": "${input:lightspeed_client_id}",
                "LIGHTSPEED_CLIENT_SECRET": "${input:lightspeed_client_secret}"
            }
        }
    }
}
```

### Cursor

First check the [prerequisites](#prerequisites) section.

#### Option 1: One-click installation (easiest)

⚠️ Use **`Ctrl`/`Cmd`-click** to open in a **new tab**.<br>
Otherwise the tab will close after installation and you won't see the documentation anymore.<br>
[![Install with Podman in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/en/install-mcp?name=red-hat-lightspeed-mcp&config=eyJ0eXBlIjoic3RkaW8iLCJjb21tYW5kIjoicG9kbWFuIHJ