@adriancy/mcp-mssql 1.0.1 → 1.0.2

package/.env.example

@@ -10,6 +10,7 @@ MSSQL_DATABASE=your_database
 # TLS (defaults: encrypt true, trust cert false). MSSQL_ENCRYPT may be true, false, or strict (TDS 8.0).
 # MSSQL_ENCRYPT=true
 # MSSQL_TRUST_SERVER_CERTIFICATE=false
+# Hostname on the SQL Server TLS cert when MSSQL_SERVER is an IP (Node.js cannot use an IP as TLS SNI).
 # MSSQL_TLS_SERVER_NAME=
 # Paths on the MCP host; PEM contents read at startup (fail fast if missing).
 # MSSQL_TLS_CA_FILE=

package/README.md

@@ -64,7 +64,7 @@ All variables are read from the MCP process environment (e.g. Cursor `env`). Boo
 | `MSSQL_PORT` | no | `1433` | TCP port; omit when using `MSSQL_INSTANCE_NAME` (driver uses instance + SQL Browser) |
 | `MSSQL_ENCRYPT` | no | `true` | TLS `encrypt`: `true`, `false`, or `strict` (TDS 8.0 / tedious) |
 | `MSSQL_TRUST_SERVER_CERTIFICATE` | no | `false` | Trust self-signed / skip cert validation (dev only) |
-| `MSSQL_TLS_SERVER_NAME` | no | — | Hostname for TLS validation when it differs from `MSSQL_SERVER` (e.g. connect by IP) |
+| `MSSQL_TLS_SERVER_NAME` | no | — | TLS SNI / cert hostname when `MSSQL_SERVER` is an IP or differs from the cert (required for IP + encrypted connections; must be a hostname, not an IP) |
 | `MSSQL_TLS_CA_FILE` | no | — | Path to CA PEM; passed via `cryptoCredentialsDetails.ca` |
 | `MSSQL_TLS_CERT_FILE` | no | — | Optional client cert PEM (mutual TLS) |
 | `MSSQL_TLS_KEY_FILE` | no | — | Optional client private key PEM |

package/dist/config.js

@@ -1,4 +1,5 @@
 import * as fs from 'node:fs';
+import { isIP } from 'node:net';
 import * as path from 'node:path';
 import * as v from 'valibot';
 const TRUE_VALUES = new Set(['1', 'true', 'yes', 'on']);
@@ -36,6 +37,13 @@ function parseEncrypt(raw) {
         return 'strict';
     return parseBool(raw, true);
 }
+/** True when MSSQL_ENCRYPT explicitly disables TLS (default is encrypt on). */
+function isEncryptExplicitlyDisabled(raw) {
+    const trimmed = raw?.trim();
+    if (trimmed === undefined || trimmed === '')
+        return false;
+    return FALSE_VALUES.has(trimmed.toLowerCase());
+}
 function normalizeAuthType(raw) {
     const trimmed = raw?.trim();
     if (trimmed === undefined || trimmed === '')
@@ -168,6 +176,20 @@ function rawScalarChecks(e, addIssue) {
             addIssue({ message: `${rule.key} must be ${range}.` });
         }
     }
+    const serverHost = e.MSSQL_SERVER.trim();
+    if (isIP(serverHost) !== 0 && !isEncryptExplicitlyDisabled(e.MSSQL_ENCRYPT)) {
+        const tlsName = e.MSSQL_TLS_SERVER_NAME?.trim();
+        if (tlsName === undefined || tlsName === '') {
+            addIssue({
+                message: 'MSSQL_SERVER is an IP address; Node.js TLS cannot set SNI server name to an IP. Set MSSQL_TLS_SERVER_NAME to the hostname on the server certificate (often the machine FQDN), or put that hostname in MSSQL_SERVER if DNS resolves, or set MSSQL_ENCRYPT=false if plaintext is acceptable.',
+            });
+        }
+        else if (isIP(tlsName) !== 0) {
+            addIssue({
+                message: 'MSSQL_TLS_SERVER_NAME must be a hostname, not an IP address (Node.js TLS does not allow SNI with an IP).',
+            });
+        }
+    }
 }
 function rawEnvChecks(e, addIssue) {
     const rawAuth = normalizeAuthType(e.MSSQL_AUTH_TYPE);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adriancy/mcp-mssql",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "private": false,
   "type": "module",
   "main": "dist/index.js",