feat: add ECS MCP server

[taylor-swanson]

• Add Go code to repo under go-ecs
• Add new ECS MCP server

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[github-actions]

ECS PR Triage (automated)

PR Triage Report

PR: #2623 — feat: add ECS MCP server
Classification: Needs Discussion
Change type: Tooling
Scope: Substantial

Summary

This PR introduces a new Go-based MCP (Model Context Protocol) server under go-ecs/ that loads all tagged ECS releases into a SQLite database and exposes tools for searching, matching, and querying ECS fields. It also adds a Makefile target (ecs-mcp) for building the server. The change is purely additive tooling — no schema files, generated artifacts, or RFC documents are touched. However, the scope is substantial (1,937 additions, 20 files, an entirely new Go module and application) and introduces a novel capability to the repository, which warrants maintainer discussion on whether this belongs in the main ECS repo and whether the design/architecture is appropriate.

Files changed

• Schemas: none
• Generated: none
• Tooling/scripts/tests: Makefile (new ecs-mcp target), go-ecs/cmd/ecs-mcp/main.go, go-ecs/internal/field/field.go, go-ecs/internal/field/fieldset.go, go-ecs/internal/field/parse.go, go-ecs/internal/field/schema.go, go-ecs/internal/git/repo.go, go-ecs/internal/mcp/mcp.go, go-ecs/internal/mcp/ecs_guide.md, go-ecs/internal/store/db.go, go-ecs/internal/store/models.go, go-ecs/internal/store/queries.go, go-ecs/internal/store/queries.sql.go, go-ecs/internal/store/sql/queries.sql, go-ecs/internal/store/sql/schema.sql, go-ecs/internal/store/sql/sqlc.yml, go-ecs/internal/store/store.go, go-ecs/go.mod, go-ecs/go.sum
• Docs (hand-authored): go-ecs/docs/ecs-mcp.md
• CI / GitHub: none
• RFCs: none

Routing decision

This PR is classified as Needs Discussion rather than a straightforward Direct PR for the following reasons:

1. Novel capability / architectural decision (classification-rules §3): While this is tooling (not a schema change), it introduces an entirely new Go module (go-ecs/) and a new application paradigm (MCP server) to the ECS repository. This is not a minor tweak to existing scripts/ tooling — it establishes a new subdirectory, language ecosystem (Go), and dependency tree (29 direct/indirect Go dependencies including SQLite, MCP SDK, semver, gorilla/handlers, etc.).

2. Scope is substantial: 1,937 lines added across 20 new files. The PR introduces a full application with HTTP/stdio transport, TLS support, SQLite database layer with FTS5 full-text search, git repository interaction, YAML parsing, and MCP tool/prompt registration.

3. Repository ownership and maintenance implications: Adding a Go module to a repository that has historically been Python-based tooling (scripts/) raises questions about build requirements, CI integration, testing strategy, and long-term maintenance burden. Maintainers should weigh in on whether this belongs in the main ECS repo vs. a separate repository.

4. No RFC triggers (§1) apply — there are no schema changes, no breaking changes, no new field sets, and no changes to ECS field definitions. This is purely additive tooling.

5. Not a simple Direct PR (§2) — while tooling-only changes are normally Direct PR candidates, the classification-rules §2 caveat applies: "If a 'small' addition introduces new semantics (new tool protocol, new entity type), escalate." An MCP server is a new tool protocol for the repository.

Risk notes

• Breaking / deprecation: No. Purely additive; no existing files are modified except Makefile (appended target).
• OTel / semconv: N/A. No schema fields involved.
• Scope / reuse: Introduces a new go-ecs/ top-level directory with its own Go module. No impact on existing schema, generated artifacts, or Python tooling. The MCP server reads from the git repo's tagged releases and generated/ecs/ecs_nested.yml artifacts — it is a consumer of existing schema data, not a producer.

Completeness checklist

• PR description (all sections): Missing. The PR body contains only two bullet points ("Add Go code to repo under go-ecs" and "Add new ECS MCP server"). None of the 7 template sections (What does this PR do?, Which ECS fields are affected?, Why is this change necessary?, Documentation?, Built ECS?, Validation tests?, Anything else?) are filled in.
• CHANGELOG.next.md: Missing. Since this PR adds new tooling (a new Go application + Makefile target), an entry is expected under "Tooling and Artifact Changes > Added" with #2623.
• make + committed generated outputs: N/A — no schema changes, so no generated artifact updates required.
• OTel otel: on new/changed semconv-related fields: N/A — no schema fields changed.
• Tests / make check: No test files are included in the PR. There are no Go test files (*_test.go) for any of the new packages (field, git, mcp, store). The PR does not indicate whether make test or make check was run.
• CLA (contributor): Cannot be verified from the diff; contributor should ensure CLA is signed.

Recommended next actions

1. Contributor: Fill in all 7 sections of the PR description template per .github/PULL_REQUEST_TEMPLATE.md. In particular, explain the motivation, intended users, and why this tool should live in the ECS repo rather than a separate repository.
2. Contributor: Add a CHANGELOG.next.md entry under "Tooling and Artifact Changes > Added" with #2623 (e.g. * Add ECS MCP server for LLM-powered tools to explore ECS schema. #2623).
3. Contributor: Add Go unit tests for the new packages (field, git, mcp, store). At minimum, the YAML parsing logic in field/parse.go and the query logic in store/queries.go should have test coverage.
4. Maintainers: Discuss and decide whether a Go module and MCP server belong in the main ECS repository, or if this should be a separate repo (e.g. elastic/ecs-mcp). Consider the CI, build, and maintenance implications of adding Go to a primarily Python-based tooling repo.
5. Maintainers: If the tool is accepted into the repo, consider whether CI workflows need updating to build/test the Go code (currently no .github/workflows/ changes are included).
6. Contributor: Consider whether the go-ecs/ directory name is appropriate — it suggests a broader Go SDK for ECS, but currently only contains the MCP server. Clarify the intended scope of this directory.

---

Posted by PR Triage workflow

[qcorporation]

@taylor-swanson should you be feeding in the sanitized result back into the splitCamelCase

Similarly for the line below implicitOR(sanitized)

[taylor-swanson]

Good catch, I'll fix that.

[qcorporation]

should it be

if err = rows.Err(); err != nil {
    return nil, err
}

?

[qcorporation]

Two fundamental questions:

• should we have any CI tests for future contributions?

• ecs predominately is generally written in python - this is a new toolchain. I know this is a bit late but do we want to introduce this toolchain into the ecs repo?

• Should we be adding changelog

[taylor-swanson]

• should we have any CI tests for future contributions?

Yeah this was an oversight on my part... can certainly add tests and getting that running in CI is trivial.

• Should we be adding changelog

I suppose this is tooling, but it's not used in the process of ECS itself... so it sits somewhere else I feel. More on this below.

• ecs predominately is generally written in python - this is a new toolchain. I know this is a bit late but do we want to introduce this toolchain into the ecs repo?

This isn't related to the tools in scripts/, as those are specifically for building ECS. I'm not opposed to having a separate repo, as I get that we don't want to mix usages here (and I suppose toolchains, although I would argue that Go is probably one of the most lightweight toolchains out there).

Would something like an ecs-tools or go-ecs repo make more sense? I have other things I want to add that are already written in Go.

[taylor-swanson]

go-ecs is already taken, so ecs-tools it is. I'll move the go code over to a new public elastic repo called elastic/ecs-tools and close this PR. I'll apply the fixes for the above issues and add some tests where appropriate.

I think having it separate is a better idea anyway, since while the tool itself consumes ECS, it is not ECS nor does it build ECS (if that makes sense).

[taylor-swanson]

New PR here in the elastic/ecs-tools repo: elastic/ecs-tools#1