A

Environment Variables Reference

Complete configuration reference for all deployment modes

A.1 Core Settings

Variable	Default	Description
`API_KEY`	—	Primary API authentication key. If absent, community plan is assumed and authentication is skipped.
`MESHOPTIXIQ_LICENSE_KEY`	—	License key for starter/pro/enterprise plans. Validated against the license server at startup.
`MESHOPTIXIQ_DEMO_MODE`	`false`	Set to `true` to run with in-memory fixtures and bypass license/API key checks.
`GRAPH_BACKEND`	`neo4j`	Graph provider: `neo4j`, `postgres`, or `inmemory`.
`LOG_LEVEL`	`INFO`	Python logging level: `DEBUG`, `INFO`, `WARNING`, `ERROR`.
`HOST`	`0.0.0.0`	Interface the uvicorn server binds to.
`PORT`	`8000`	Port the uvicorn server listens on.
`CORS_ORIGINS`	`*`	Comma-separated list of allowed CORS origins. Defaults to wildcard.

A.2 Neo4j Settings

Variable	Default	Description
`NEO4J_URI`	`bolt://localhost:7687`	Bolt connection URI. Use `bolt+s://` for TLS-encrypted connections.
`NEO4J_USER`	`neo4j`	Neo4j username.
`NEO4J_PASSWORD`	—	Neo4j password. Required when `GRAPH_BACKEND=neo4j`.
`NEO4J_DATABASE`	`neo4j`	Target database name within the Neo4j instance.

A.3 PostgreSQL Settings

Variable	Default	Description
`POSTGRES_DSN`	—	Full PostgreSQL connection DSN, e.g. `postgresql://user:pass@host:5432/db`. Required when `GRAPH_BACKEND=postgres`.
`POSTGRES_POOL_MIN`	`2`	Minimum connections maintained in the psycopg connection pool.
`POSTGRES_POOL_MAX`	`10`	Maximum connections the pool will open. Scale proportionally to API pod count.

A.4 Redis / Cluster Settings

Variable	Default	Description
`REDIS_URL`	—	Redis connection URL, e.g. `redis://redis:6379/0`. When set, activates clustered mode: shared rate limiting, distributed snapshots, pub/sub RBAC reload, and collection queue.
`MESHQ_COLLECT_SERVICE_URL`	—	URL of the collect-service (port 8002). When set, the main API proxies `/collect/` and `/collectors/` traffic to it instead of handling locally.
`MESHQ_COLLECT_SERVICE_KEY`	API_KEY	API key for authenticating calls to the collect-service. Falls back to `API_KEY`.
`MESHQ_INGEST_SERVICE_URL`	—	URL of the ingest-service (port 8001). When set, enables Redis-stream-based ingest fan-out.
`MESHQ_INGEST_SERVICE_KEY`	API_KEY	API key for the ingest-service. Falls back to `API_KEY`.
`MESHQ_GRAPH_SERVICE_URL`	—	URL of the graph-service (port 8004). When set, the main API proxies `/queries/`, `/history/`, and `/graph/*` to it.
`MESHQ_GRAPH_SERVICE_KEY`	API_KEY	API key for the graph-service. Falls back to `API_KEY`.
`KAFKA_BROKER_URL`	—	Kafka broker URL, e.g. `kafka:9092`. When set, the flow ingest pipeline uses `KafkaFlowBackend` (write + consumer read path) instead of in-memory storage.
`MESHQ_AGENT_VERSION`	v0.23.0	Agent binary version to proxy from GitHub Releases when `agent/dist/` is empty. Used by `GET /download/agent?platform=linux-amd64`.
`ANTHROPIC_API_KEY`	—	Anthropic API key. When set, activates the Anthropic Claude provider for NL querying and chat (`/chat/message`, `/ai/query`).
`OPENAI_API_KEY`	—	OpenAI API key. Activates the OpenAI provider. Also used with `LLM_BASE_URL` for vLLM, LM Studio, or llama.cpp.
`OLLAMA_URL`	http://localhost:11434	Ollama server URL. When set (and no cloud key present), activates the Ollama provider. No extra packages required.
`LLM_BASE_URL`	—	Custom LLM base URL for OpenAI-compatible endpoints (vLLM, LM Studio, llama.cpp). Set `LLM_API_KEY=local` alongside.
`LLM_MODEL`	—	Override the default model for the active LLM provider.
`OTEL_EXPORTER_OTLP_ENDPOINT`	—	OpenTelemetry OTLP endpoint. When set, enables OTel auto-instrumentation on the ingest-service and API.
`MESHQ_TENANT_DATABASES`	—	JSON map of tenant ID → database name for hard multi-tenancy DB routing, e.g. `{"acme": "acme_db", "beta": "beta_db"}`.
`MESHQ_MCP_ALLOWED_TOOLS`	—	Comma-separated glob patterns restricting which MCP tools are callable globally, e.g. `meshq_get_,meshq_topology_`.
`MESHQ_PROTECT_HEALTH`	true	Set to `false` to allow unauthenticated access to `GET /health/license` (useful for external monitoring probes).

A.5 Collection Settings

Variable	Default	Description
`SSH_USERNAME`	—	Default SSH username for all devices (overridden per-device in inventory).
`SSH_KEY_PATH`	—	Path to the SSH private key file used for device authentication.
`SSH_PASSWORD`	—	Default SSH password (use key-based auth in production).
`SSH_TIMEOUT`	`30`	SSH connection timeout in seconds.
`COLLECT_POLL_INTERVAL`	`5`	Seconds a distributed collector worker waits between queue polls.

A.6 Enterprise Settings

Variable	Default	Description
`AUTH_MODE`	`api_key`	Authentication mode: `api_key`, `oidc`, or `both`.
`OIDC_ISSUER`	—	OIDC provider issuer URL (e.g. Azure AD tenant endpoint).
`OIDC_CLIENT_ID`	—	OIDC application client ID.
`OIDC_CLIENT_SECRET`	—	OIDC application client secret.
`SECRETS_PROVIDER`	—	Secrets backend: `vault`, `aws`, `azure`, or `gcp`.
`AUDIT_LOG_ENABLED`	`false`	Enable structured audit logging.
`AUDIT_LOG_BACKEND`	`stdout`	Audit sink: `splunk`, `elasticsearch`, `opensearch`, `webhook`, or `stdout`.
`RBAC_POLICY_FILE`	—	Absolute path to a YAML RBAC policy file.
`RBAC_POLICY`	—	Inline YAML RBAC policy string (overrides `RBAC_POLICY_FILE`).
`RBAC_RELOAD_INTERVAL`	`30`	Seconds between mtime checks of the RBAC policy file for hot-reload.
`SOAR_WEBHOOK_URL`	—	SOAR webhook target URL.
`SOAR_WEBHOOK_TOKEN`	—	Bearer token sent in the `Authorization` header of SOAR webhook requests.
`SOAR_RULES`	—	JSON array of SOAR trigger rules; see §13.7 for schema.
`NETBOX_URL`	—	NetBox instance base URL.
`NETBOX_TOKEN`	—	NetBox API token with read/write permissions on the devices endpoint.
`NETBOX_SYNC_DIRECTION`	`pull`	Sync direction: `push`, `pull`, or `both`.

A.7 Health Endpoints

MeshOptixIQ exposes four health check endpoints. None of them require an API key, making them safe for use with load balancer health checks, Kubernetes probes, and Prometheus scraping.

Endpoint	Purpose
`GET /health`	Basic liveness — returns `{"status":"ok"}` immediately
`GET /health/ready`	Readiness — checks database connectivity and returns pool stats
`GET /health/license`	License status — plan, expiry, days remaining, demo mode
`GET /health/redis`	Redis / cluster status — reachability and cluster mode flag

GET /health

curl http://localhost:8000/health

{"status": "ok", "version": "0.9.0"}

GET /health/ready

curl http://localhost:8000/health/ready

{
  "status": "ready",
  "backend": "neo4j",
  "connected": true
}

When GRAPH_BACKEND=postgres, the response also includes:

{
  "status": "ready",
  "backend": "postgres",
  "connected": true,
  "pool_available": 8
}

Use this endpoint as the Kubernetes readiness probe. It returns HTTP 503 if the database is unreachable.

GET /health/license

curl http://localhost:8000/health/license

{
  "plan": "pro",
  "expires": "2027-01-01",
  "days_remaining": 303,
  "demo_mode": false
}

For community plan (no license key): expires and days_remaining are null.

GET /health/redis

curl http://localhost:8000/health/redis

{
  "cluster_mode": true,
  "redis_reachable": true,
  "redis_url": "redis://redis:***@6379/0"
}

The password in redis_url is masked with ***. When Redis is not configured, cluster_mode is false and redis_reachable is null.

Kubernetes probe configuration

livenessProbe:
  httpGet:
    path: /health
    port: 8000
  initialDelaySeconds: 5
  periodSeconds: 10

readinessProbe:
  httpGet:
    path: /health/ready
    port: 8000
  initialDelaySeconds: 10
  periodSeconds: 15
  failureThreshold: 3

B

CLI Command Reference

Complete reference for the meshq command-line interface

B.0 Global Flags

Flag	Description
`--api-url URL`	Override the API base URL (default: from `~/.meshoptixiq/credentials` or `http://localhost:8000`)
`--api-key KEY`	Override the API key (default: from credentials file or `API_KEY` env var)
`--output json\|table\|csv`	Output format (default: `table`)
`--no-color`	Disable ANSI colour output
`-v, --verbose`	Enable verbose logging

B.1 meshq ingest

Parse and ingest a raw device capture file into the graph database.

meshq ingest <file> [OPTIONS]

Option	Description
`--vendor VENDOR`	Override vendor detection (e.g. `cisco_ios`, `juniper_junos`)
`--dry-run`	Parse and validate without writing to the graph
`--merge`	Merge into existing graph nodes rather than replacing them

B.2 meshq collect

Connect to live devices via SSH and collect configuration and state data.

meshq collect --inventory <file> [OPTIONS]

Option	Description
`--inventory FILE`	YAML inventory file (required unless using `--dispatch` or `--worker` mode)
`--dispatch`	Push inventory devices onto the Redis work queue (distributed mode)
`--worker`	Run as a queue worker: pop → SSH collect → ingest, loop indefinitely
`--poll-interval N`	Seconds between queue polls in worker mode (default: 5)
`--concurrency N`	Number of parallel SSH sessions (default: 5)
`--timeout N`	SSH connection timeout in seconds (default: 30)
`--output-dir DIR`	Save raw device output files to directory for later re-ingest

B.3 meshq parse

Parse a raw device capture without ingesting — useful for validating parser output.

meshq parse <file> [--vendor VENDOR] [--output json|table]

Outputs the parsed NetworkFacts structure. Exit code 0 on success, 1 if parsing fails.

B.4 meshq status

Show the current status of the API, graph backend, and license.

meshq status [--json]

Queries /health, /health/ready, and /health/license and prints a human-readable summary or JSON object.

B.5 meshq version

Print the CLI and API version information.

meshq version

meshq CLI   v0.9.0
API server  v0.9.0 (connected)
Python      3.12.4

B.6 meshq license

Display current license information.

meshq license [--json]

Plan:            pro
Expires:         2027-01-01
Days remaining:  303
Demo mode:       false

Returns exit code 2 if the license is expired.

B.7 meshq login

Authenticate and store a Personal Access Token (PAT) in the local credentials file.

meshq login [OPTIONS]

Option	Description
`--url URL`	API base URL to authenticate against
`--token TOKEN`	Provide token directly (non-interactive)

In interactive mode, prompts for the API URL and your API key or OIDC token. Stores the result in ~/.meshoptixiq/credentials (mode 0600). Subsequent CLI commands read credentials from this file automatically.

B.8 meshq logout

Remove stored credentials from the local credentials file.

meshq logout

Deletes the ~/.meshoptixiq/credentials file. After logout, every CLI command requires --api-url and --api-key flags or the corresponding environment variables.

B.9 meshq export

Export graph data in various formats.

meshq export [OPTIONS]

Option	Description
`--format ansible\|json\|csv`	Output format (default: `json`)
`--output FILE`	Write output to file instead of stdout
`--ini`	When `--format ansible`, output legacy INI format instead of JSON

The ansible format produces a dynamic inventory JSON compatible with ansible-inventory --list. Devices are grouped by vendor, os_version prefix, and a firewalls group for devices with firewall rules.

# Pipe directly to Ansible
ansible-playbook -i <(meshq export --format ansible) site.yml

B.10 meshq sync

Synchronise graph data with external systems.

meshq sync --target <target> [OPTIONS]

Option	Description
`--target netbox`	Target system (currently only NetBox is supported)
`--direction push\|pull\|both`	Sync direction (default: from `NETBOX_SYNC_DIRECTION` env var)
`--dry-run`	Preview changes without writing to either system

Requires the [integrations] extra: pip install 'meshoptixiq-network-discovery[integrations]' and the NETBOX_URL / NETBOX_TOKEN environment variables. See §13.8 for full workflow.

C

Supported Vendor Matrix

Parsers, commands, and capabilities per vendor

C.1 Network Device Parsers

Vendor	Platform key	Commands collected	Topology	Addressing	Device Info
Cisco IOS / IOS-XE	`cisco_ios`	show cdp neighbors detail, show ip interface brief, show version, show ip route	CDP	Yes	Yes
Cisco NX-OS	`cisco_nxos`	show cdp neighbors detail, show interface brief, show version	CDP	Yes	Yes
Cisco ASA	`cisco_asa`	show interface, show route, show version, show running-config	—	Yes	Yes
Arista EOS	`arista_eos`	show lldp neighbors detail, show interface, show version	LLDP	Yes	Yes
Juniper JunOS (MX/EX/SRX)	`juniper_junos`	show lldp neighbors, show interfaces, show version, show route	LLDP	Yes	Yes
HP/Aruba ProCurve	`hp_procurve`	show lldp neighbors, show interfaces	LLDP	Yes	—
Fortinet FortiOS	`fortinet`	get system interface, get router info, get system status	—	Yes	Yes
Palo Alto PAN-OS	`paloalto_panos`	show interface all, show routing route, show system info	—	Yes	—

C.2 Firewall Policy Parsers

Vendor	Platform key	Security Policies	Address Objects	Service Objects
Palo Alto PAN-OS	`paloalto_panos`	Yes	Yes	Yes
Juniper JunOS SRX	`juniper_junos`	Yes	Yes	—
Fortinet FortiOS	`fortinet`	Yes	Yes	—
Cisco ASA	`cisco_asa`	Yes	Yes	—

Adding custom parsers

Community parsers can be contributed as pull requests. Enterprise customers may request parser development as part of their support contract. Parser modules live in network_discovery/parsers/<vendor>/ and register themselves via the vendor registry on import.

D

Query Registry

All 109 named queries — parameters, backends, and feature gates

The query registry (network_discovery/queries/registry.yaml) defines all available queries. Each entry specifies the query name, category, required feature flag, supported backends, and optional parameters.

D.1 Topology Queries

Query name	Description	Parameters	Feature gate
`topology_full`	All devices and CONNECTED_TO relationships	—	api_access
`device_neighbors`	Direct neighbours of a specific device	`hostname`	api_access
`topology_neighborhood`	N-hop BFS subgraph around a device	`hostname`, `depth` (default: 2)	api_access
`blast_radius_from_device`	All devices reachable from a given device within N hops	`hostname`, `max_hops` (default: 3)	api_access
`blast_radius_from_subnet`	All devices reachable from devices in a given subnet	`subnet`, `max_hops`	api_access
`lldp_neighbors`	All LLDP-discovered adjacencies: device, local port, remote device, remote port	—	api_access

D.2 Endpoint Queries

Query name	Description	Parameters	Feature gate
`endpoints_by_device`	All endpoints (hosts) connected to a device	`hostname`	api_access
`endpoints_without_location`	Endpoints lacking site/rack/location metadata	—	api_access
`locate_endpoint_by_ip`	Find which switch port an IP address is connected to	`ip`, `vrf` (optional)	api_access
`locate_endpoint_by_mac`	Find a switch port by MAC address	`mac`	api_access

D.3 Addressing Queries

Query name	Description	Parameters	Feature gate
`ips_in_subnet`	All IP addresses within a CIDR block	`subnet`, `vrf` (optional)	api_access
`subnet_utilisation`	Used vs total host count for a subnet	`subnet`	api_access
`all_subnets`	All subnets present in the graph	—	api_access
`vrfs`	All VRFs and their associated devices	—	api_access

D.4 Hygiene Queries

Query name	Description	Parameters	Feature gate
`devices_without_neighbors`	Devices with no CONNECTED_TO relationships (isolated nodes)	—	api_access
`interfaces_without_ips`	Layer-3 interfaces missing an IP address assignment	—	api_access
`endpoints_without_location`	Endpoint nodes missing site, rack, or building metadata	—	api_access
`devices_missing_os_version`	Devices where `os_version` property is null or empty	—	api_access
`devices_missing_hostname`	Devices where `hostname` is not set (defaults to IP-only)	—	api_access
`interfaces_no_description`	Interfaces missing a description string	—	api_access
`duplicate_ip_addresses`	IP addresses assigned to more than one interface	—	api_access

D.5 Summary Queries

Query name	Description	Parameters	Feature gate
`summary_stats`	High-level counts: devices, interfaces, endpoints, subnets, firewall rules	—	api_access
`vendor_summary`	Device count grouped by vendor	—	api_access
`os_version_summary`	Device count grouped by OS version	—	api_access

D.6 Inventory Queries

Query name	Description	Parameters	Feature gate
`all_devices`	Full device inventory: hostname, vendor, model, OS version, management IP	—	api_access
`update_device_metadata`	Write NetBox-sourced metadata (`nb_site`, `nb_tenant`, `nb_rack`) onto device nodes	`hostname`, `nb_site`, `nb_tenant`, `nb_rack`	netbox_sync

D.7 Firewall Queries

Query name	Description	Parameters	Feature gate
`firewall_rules_by_device`	All security policies on a specific firewall device	`hostname`	firewall_queries
`firewall_rules_by_zone_pair`	Rules between a source and destination zone	`src_zone`, `dst_zone`	firewall_queries
`path_analysis`	Whether traffic is permitted between two IP addresses across firewall policies	`src_ip`, `dst_ip`, `dst_port`, `protocol`	firewall_queries
`all_firewall_devices`	All devices classified as firewalls in the graph	—	firewall_queries
`deny_rules_summary`	Deny/drop rules grouped by device and zone pair	—	firewall_queries

D.8 Routing Queries Pro+

Query name	Description	Parameters	Feature gate
`bgp_peers`	All BGP peer sessions on a device: neighbor IP, AS, state, prefixes received/sent	`device`	bgp_intelligence
`bgp_topology`	Full BGP peering graph: all AS relationships and session states across all devices	—	bgp_intelligence
`bgp_peers_down`	BGP sessions not in Established state — fast health check for NOC dashboards	—	bgp_intelligence

D.9 InfiniBand & GPU Queries Enterprise

Query name	Description	Parameters	Feature gate
`ib_topology`	All InfiniBand ports and peer connections: device, port number, state, speed, peer hostname and port	—	nccl_visualization
`ib_ports_down`	InfiniBand ports not in Active state — use for fabric health checks	—	nccl_visualization
`dcgm_gpu_health`	DCGM GPU metrics per device: SM utilization, memory utilization, power draw, temperature, SM clock, NVLink bandwidth	—	nccl_visualization

D.10 Interface Metrics Queries Pro+

Query name	Description	Parameters	Feature gate
`interface_metrics`	Per-interface counters: in/out bytes, in/out errors, in/out discards for a specific device	`device`	server_metrics
`link_utilization`	Computed utilization percentage for all links with known speed: bytes/sec ÷ interface speed	—	server_metrics

D.11 NCCL / Training Job Queries Enterprise

Query name	Description	Parameters	Feature gate
`nccl_jobs`	All known NCCL training jobs: job ID, name, participating GPU servers, status, start time	—	nccl_visualization
`nccl_flows_by_job`	AllReduce/AllGather communication flows for a specific NCCL job: source, destination, bytes, operation type	`job_id`	nccl_visualization
`nccl_top_talkers`	Top GPU-to-GPU pairs by total bytes transferred across all active NCCL jobs	—	nccl_visualization

E

License Plan Comparison

Features and limits by plan tier

Device count definition

The network infrastructure device limit applies to switches, routers, firewalls, and load balancers discovered in the graph. Endpoint devices (laptops, phones, servers, IoT) are not counted against this limit and are always unlimited.

Feature	Community	Starter	Pro	Enterprise
Pricing
Monthly price	Free	$79 / mo	$499 / mo	$2,999 / mo
Limits
Network infrastructure devices	1	100	750	Unlimited
Endpoint devices	Unlimited	Unlimited	Unlimited	Unlimited
Core
Web UI	Yes	Yes	Yes	Yes
CLI (`meshq`)	Yes	Yes	Yes	Yes
Demo mode	Yes	Yes	Yes	Yes
Neo4j backend	Yes	Yes	Yes	Yes
PostgreSQL backend	—	—	Yes	Yes
In-memory backend	Yes	Yes	Yes	Yes
Queries & API
Query API (`/queries/execute`)	—	—	Yes	Yes
All 42 named queries	—	—	Yes	Yes
Firewall queries (5)	—	—	Yes	Yes
What-If simulation	—	—	Yes	Yes
History diff & snapshots	—	—	Yes	Yes
Integrations
MCP server (134 tools)	—	—	Yes	Yes
NetBox sync	—	—	Yes	Yes
Ansible dynamic inventory	—	—	Yes	Yes
SOAR webhooks	—	—	—	Yes
Security & Compliance
RBAC policy engine	—	—	Yes	Yes
Audit logging	—	—	—	Yes
OIDC SSO	—	—	—	Yes
Infrastructure
Redis clustering	—	—	Yes	Yes
PostgreSQL connection pooling	—	—	Yes	Yes
Kubernetes Helm chart	—	—	Yes	Yes
Secrets provider integration	—	—	—	Yes
APM auto-instrumentation	—	—	—	Yes
Support
Community forum	Yes	Yes	Yes	Yes
Email support	—	Yes	Yes	Yes
Dedicated Slack channel	—	—	—	Yes
SLA	—	—	—	99.9% uptime SLA

Prices shown are monthly billed annually. Contact for volume discounts, multi-year pricing, and academic / non-profit rates.

F

MCP Tool Reference

All 134 tools, 6 resources, and 6 prompts exposed by the MCP server

Pro+ The MCP server package (network_discovery/mcp/) is installed with pip install 'meshoptixiq-network-discovery[mcp]' and launched via the meshq-mcp entry point. It exposes 134 tools across 32 modules, 6 resources, and 6 prompts.

F.1 Topology Tools

Tool name	Description	Key parameters
`get_topology`	Return all devices and their connections as a graph structure	—
`get_device_neighbors`	Return the direct neighbours of a device	`hostname`
`get_blast_radius`	Return all devices reachable within N hops of a device	`hostname`, `max_hops`
`get_blast_radius_subnet`	Return reachable devices from all devices in a subnet	`subnet`, `max_hops`

F.2 Endpoint Tools

Tool name	Description	Key parameters
`get_endpoints_by_device`	List endpoints connected to a specific switch or router	`hostname`
`locate_endpoint_by_ip`	Find which switch port an endpoint IP is connected to	`ip`, `vrf`
`locate_endpoint_by_mac`	Locate an endpoint by MAC address	`mac`

F.3 Addressing Tools

Tool name	Description	Key parameters
`get_ips_in_subnet`	Return all IP addresses within a CIDR block	`subnet`, `vrf`
`get_subnet_utilisation`	Return used vs total host count for a subnet	`subnet`
`get_all_subnets`	List all subnets in the graph	—
`get_vrfs`	List all VRFs and associated devices	—

F.4 Firewall Tools

Tool name	Description	Key parameters
`get_firewall_rules_by_device`	Return all security policies on a firewall device	`hostname`
`get_firewall_rules_by_zone_pair`	Return rules matching a source/destination zone pair	`src_zone`, `dst_zone`
`analyse_path`	Determine if traffic is permitted between two IPs	`src_ip`, `dst_ip`, `dst_port`, `protocol`
`get_all_firewall_devices`	List all firewall devices in the graph	—
`get_deny_rules_summary`	Summarise deny/drop rules by device and zone pair	—

F.5 Hygiene Tools

Tool name	Description	Key parameters
`get_devices_without_neighbors`	Return isolated devices with no topology connections	—
`get_interfaces_without_ips`	Return layer-3 interfaces missing an IP address	—
`get_endpoints_without_location`	Return endpoints lacking site or rack metadata	—
`get_devices_missing_os_version`	Return devices where OS version is not recorded	—
`get_devices_missing_hostname`	Return devices that were discovered by IP only	—
`get_interfaces_no_description`	Return interfaces with no description string	—
`get_duplicate_ips`	Return IP addresses assigned to more than one interface	—

F.6 Summary & Inventory Tools

Tool name	Description	Key parameters
`get_summary_stats`	High-level graph counts: devices, interfaces, endpoints, subnets, rules	—
`get_vendor_summary`	Device count grouped by vendor	—
`get_os_version_summary`	Device count grouped by OS version	—
`get_all_devices`	Full device inventory list	—

F.7 Administrative Tools

Tool name	Description	Key parameters
`get_license_status`	Return current plan, expiry date, and days remaining	—
`get_health`	Return API and database connectivity status	—

F.8 MCP Resources

Resources expose read-only structured data to the MCP host. Unlike tools, resources are fetched on demand by the AI agent without requiring a function call.

Resource URI	Description
`meshoptixiq://topology`	Full network topology graph (nodes and edges)
`meshoptixiq://devices`	All device inventory records
`meshoptixiq://subnets`	All subnet records with utilisation counts
`meshoptixiq://firewall-rules`	All firewall security policies
`meshoptixiq://hygiene-report`	Aggregated hygiene findings across all seven hygiene queries
`meshoptixiq://license`	Current license plan and feature flags

F.9 MCP Prompts

Prompts are pre-built instruction templates that guide the AI model through common network analysis workflows.

Prompt name	Description
`analyse-blast-radius`	Walk through blast radius analysis for a given device: fetch, summarise, and recommend isolation actions
`audit-firewall-policies`	Review all deny rules and flag over-permissive policies with remediation suggestions
`network-hygiene-report`	Run all seven hygiene queries and produce a prioritised findings report
`path-analysis-workflow`	Determine if traffic is permitted between two hosts and explain the policy chain
`change-impact-assessment`	Use what-if simulation to assess the impact of proposed topology changes
`inventory-audit`	Produce a complete device inventory report with vendor distribution and OS coverage

Index

Key terms and their locations in this guide

A
Address objects, §6.2, App D
Ansible dynamic inventory, §5.5, B.9
API key, §4.1, §12.1
APM / observability, §13.4
Audit logging, §12.5, §13.3

B
Backends (graph), §1.3, §4.2
Blast radius, §8.2, App D
Bulk import (ingestion), §5.3

C
Change Center (History), §7.8
Cisco ASA, App C
Cisco IOS / IOS-XE, App C
CLI commands, App B
Cluster compose, §10.2
Collection queue (distributed), §5.4
Command palette (Cmd+K), §7.1
Community plan, §1.4, App E
CORS, §4.1, §11.4
Cython (.so), §3.3, §11.1

D
Dark mode, §7.1
Demo mode, §3.3, §4.1
Device count limit, §1.4, App E
Distributed collection, §5.4
Docker Compose, §3.2
Duplicate IPs (hygiene query), §8.3, App D

E
Enterprise container, §13.1
Enterprise plan, App E
Environment variables, App A
OIDC SSO, §13.2

F
Firewall policies (UI), §7.6
Firewall queries, §8.4, App D
Fortinet, App C
Feature gates, App E

G
Graph backends, §4.2
Graph model (nodes & edges), §1.3.1

H
Health endpoints, §A.7
Helm chart (Kubernetes), §10.4
Hygiene queries, §8.3, App D

I
In-memory backend, §4.2
Ingest command, §5.3, B.1
Inspector drawer, §7.2
Inventory (device), §7.5

J
Juniper JunOS, App C

K
Kubernetes, §10.4, App A

L
License plans, §1.4, App E
License troubleshooting, §11.2
Load balancing (nginx), §10.2
LOD (level of detail), §7.4

M
MCP server, §9, App F
meshq CLI, App B
meshq collect, §5.4, B.2
meshq export, B.9
meshq ingest, B.1
meshq login / logout, B.7, B.8
meshq sync, B.10
Mobile navigation, §7.1

N
Neo4j backend, §4.2, App A
NetBox sync, §13.8, B.10
Network policy (Kubernetes), §12.2

O
OIDC SSO, §13.2
OpenTelemetry, §13.4

P
Palo Alto PAN-OS, App C
PAT (Personal Access Token), §4.5, B.7
Path analysis, §7.6, §8.4
PostgreSQL backend, §4.2, App A
PostgreSQL connection pool, §A.3
Pro plan, App E
Provenance card, §7.3

Q
Query API, §8.1
Query registry (109 queries), App D
Query rate limiting, §8.1, §11.4

R
Rate limiting, §8.1, §11.4
RBAC, §12.4, §13.6
RBAC hot reload, §13.6
Redis clustering, §10.2, App A
Requirements (system), §2
Role personas, §7.1

S
Secrets management, §12.3, §13.5
Security best practices, §12
Service objects, §6.2
SOAR webhooks, §13.7
SSH collection, §5.2
SSE (Server-Sent Events), §7.1, §10.3, §A.7
Starter plan, App E

T
TLS configuration, §12.2
Topology view, §7.4
Troubleshooting, §11

U
UI architecture, §7.1
Update device metadata query, §8.5, App D

V
Vendor matrix, App C
VRF-aware queries, §8.2, App D

W
What-If simulation, §7.8
Web UI, §7