@aborruso/ckan-mcp-server 0.4.85 → 0.4.86

package/LOG.md

@@ -2,6 +2,7 @@
 
 ## 2026-03-16
 
+- docs(`tools/datastore.ts`): add security note to `ckan_datastore_search_sql` — clarifies SQL forwarding boundary; bump v0.4.86
 - security(`tools/sparql.ts`): apply `validateServerUrl()` to `sparql_query` — blocks SSRF via private IPs (gap from GHSA-3xm7-qw7j-qc8v); 1 new test
 
 ## 2026-03-15

package/dist/index.js

@@ -2539,7 +2539,9 @@ Examples:
   - { server_url: "...", sql: "SELECT * FROM "abc-123" LIMIT 10" }
   - { server_url: "...", sql: "SELECT COUNT(*) AS total FROM "abc-123"" }
 
-Typical workflow: ckan_package_show (get resource_id) \u2192 ckan_datastore_search_sql (run SQL on it)`,
+Typical workflow: ckan_package_show (get resource_id) \u2192 ckan_datastore_search_sql (run SQL on it)
+
+Security note: SQL queries are forwarded directly to the CKAN DataStore API. The CKAN server enforces its own access controls and read-only permissions. No local database is exposed. Queries are limited to public DataStore resources on the target portal.`,
       inputSchema: z4.object({
         server_url: z4.string().url().describe("Base URL of the CKAN server (e.g., https://dati.gov.it/opendata)"),
         sql: z4.string().min(1).describe('SQL SELECT query; resource_id is the table name, must be double-quoted (e.g., SELECT * FROM "abc-123" LIMIT 10)'),
@@ -5122,7 +5124,7 @@ var registerAllPrompts = (server2) => {
 function createServer() {
   return new McpServer({
     name: "ckan-mcp-server",
-    version: "0.4.85"
+    version: "0.4.86"
   });
 }
 function registerAll(server2) {