@agenticmail/enterprise 0.5.319 → 0.5.321

package/dist/chunk-BQM7MBPS.js

@@ -0,0 +1,1380 @@
+import {
+  __esm,
+  __require
+} from "./chunk-KFQGP6VL.js";
+
+// src/database-access/query-sanitizer.ts
+function classifyQuery(sql) {
+  const trimmed = sql.trim().toUpperCase();
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(sql)) return "blocked";
+  }
+  for (const pattern of EXECUTE_PATTERNS) {
+    if (pattern.test(sql)) return "execute";
+  }
+  if (trimmed.startsWith("SELECT") || trimmed.startsWith("WITH") || trimmed.startsWith("EXPLAIN")) return "read";
+  if (trimmed.startsWith("INSERT") || trimmed.startsWith("UPDATE") || trimmed.startsWith("UPSERT") || trimmed.startsWith("MERGE")) return "write";
+  if (trimmed.startsWith("DELETE")) return "delete";
+  if (trimmed.startsWith("CREATE") || trimmed.startsWith("ALTER") || trimmed.startsWith("DROP")) return "schema";
+  return "blocked";
+}
+function sanitizeQuery(sql, permissions, connectionConfig, agentAccess) {
+  const operation = classifyQuery(sql);
+  if (operation === "blocked") {
+    return { allowed: false, operation, reason: "Query contains blocked patterns (potential injection or dangerous operations)" };
+  }
+  if (!permissions.includes(operation)) {
+    return { allowed: false, operation, reason: `Agent lacks '${operation}' permission on this database` };
+  }
+  const tables = extractTableNames(sql);
+  const mergedBlocked = mergeBlockedTables(connectionConfig, agentAccess);
+  const mergedAllowed = mergeAllowedTables(connectionConfig, agentAccess);
+  for (const table of tables) {
+    if (mergedBlocked.has(table.toLowerCase())) {
+      return { allowed: false, operation, reason: `Access to table '${table}' is blocked` };
+    }
+    if (mergedAllowed.size > 0 && !mergedAllowed.has(table.toLowerCase())) {
+      return { allowed: false, operation, reason: `Table '${table}' is not in the allowed tables list` };
+    }
+  }
+  const columns = extractColumnNames(sql);
+  const blockedColumns = /* @__PURE__ */ new Set([
+    ...(connectionConfig.schemaAccess?.blockedColumns || []).map((c) => c.toLowerCase()),
+    ...(agentAccess.schemaAccess?.blockedColumns || []).map((c) => c.toLowerCase())
+  ]);
+  for (const col of columns) {
+    if (blockedColumns.has(col.toLowerCase())) {
+      return { allowed: false, operation, reason: `Access to column '${col}' is blocked (sensitive data)` };
+    }
+  }
+  let sanitizedQuery = sql.trim();
+  if (operation === "read" && !sanitizedQuery.toUpperCase().includes("LIMIT")) {
+    const maxRows = agentAccess.queryLimits?.maxRowsRead ?? connectionConfig.queryLimits?.maxRowsRead ?? 1e4;
+    sanitizedQuery = `${sanitizedQuery.replace(/;?\s*$/, "")} LIMIT ${maxRows}`;
+  }
+  return { allowed: true, operation, sanitizedQuery };
+}
+function extractTableNames(sql) {
+  const tables = /* @__PURE__ */ new Set();
+  const fromMatch = sql.match(/\bFROM\s+([`"[\]]?\w+[`"\]]?(?:\s*\.\s*[`"[\]]?\w+[`"\]]?)?)/gi);
+  if (fromMatch) {
+    for (const m of fromMatch) {
+      const name = m.replace(/^FROM\s+/i, "").replace(/[`"[\]]/g, "").trim();
+      tables.add(name.split(".").pop() || name);
+    }
+  }
+  const joinMatch = sql.match(/\bJOIN\s+([`"[\]]?\w+[`"\]]?(?:\s*\.\s*[`"[\]]?\w+[`"\]]?)?)/gi);
+  if (joinMatch) {
+    for (const m of joinMatch) {
+      const name = m.replace(/^JOIN\s+/i, "").replace(/[`"[\]]/g, "").trim();
+      tables.add(name.split(".").pop() || name);
+    }
+  }
+  const insertMatch = sql.match(/\bINSERT\s+INTO\s+([`"[\]]?\w+[`"\]]?)/i);
+  if (insertMatch) tables.add(insertMatch[1].replace(/[`"[\]]/g, ""));
+  const updateMatch = sql.match(/\bUPDATE\s+([`"[\]]?\w+[`"\]]?)/i);
+  if (updateMatch) tables.add(updateMatch[1].replace(/[`"[\]]/g, ""));
+  const deleteMatch = sql.match(/\bDELETE\s+FROM\s+([`"[\]]?\w+[`"\]]?)/i);
+  if (deleteMatch) tables.add(deleteMatch[1].replace(/[`"[\]]/g, ""));
+  return [...tables];
+}
+function extractColumnNames(sql) {
+  const columns = /* @__PURE__ */ new Set();
+  const selectMatch = sql.match(/\bSELECT\s+(.*?)\bFROM\b/is);
+  if (selectMatch && !selectMatch[1].includes("*")) {
+    const parts = selectMatch[1].split(",");
+    for (const p of parts) {
+      const col = p.trim().split(/\s+AS\s+/i)[0].trim().split(".").pop();
+      if (col && /^\w+$/.test(col)) columns.add(col);
+    }
+  }
+  return [...columns];
+}
+function mergeBlockedTables(config, access) {
+  return /* @__PURE__ */ new Set([
+    ...(config.schemaAccess?.blockedTables || []).map((t) => t.toLowerCase()),
+    ...(access.schemaAccess?.blockedTables || []).map((t) => t.toLowerCase())
+  ]);
+}
+function mergeAllowedTables(config, access) {
+  const connAllowed = config.schemaAccess?.allowedTables || [];
+  const agentAllowed = access.schemaAccess?.allowedTables || [];
+  if (agentAllowed.length > 0) return new Set(agentAllowed.map((t) => t.toLowerCase()));
+  if (connAllowed.length > 0) return new Set(connAllowed.map((t) => t.toLowerCase()));
+  return /* @__PURE__ */ new Set();
+}
+function sanitizeForLogging(sql) {
+  let sanitized = sql.replace(/'[^']*'/g, "'?'");
+  sanitized = sanitized.replace(/=\s*\d+/g, "= ?");
+  return sanitized;
+}
+var BLOCKED_PATTERNS, EXECUTE_PATTERNS;
+var init_query_sanitizer = __esm({
+  "src/database-access/query-sanitizer.ts"() {
+    "use strict";
+    BLOCKED_PATTERNS = [
+      /;\s*DROP\s+/i,
+      /;\s*TRUNCATE\s+/i,
+      /;\s*ALTER\s+/i,
+      /;\s*CREATE\s+/i,
+      /;\s*GRANT\s+/i,
+      /;\s*REVOKE\s+/i,
+      /;\s*SET\s+ROLE/i,
+      /LOAD_FILE\s*\(/i,
+      /INTO\s+OUTFILE/i,
+      /INTO\s+DUMPFILE/i,
+      /INFORMATION_SCHEMA/i,
+      /pg_catalog\./i,
+      /sys\.\w+/i,
+      /xp_cmdshell/i,
+      /sp_execute/i,
+      /EXEC\s*\(/i,
+      /EXECUTE\s+IMMEDIATE/i,
+      /--\s*$/m,
+      // SQL comments at end of line (common injection)
+      /\/\*[\s\S]*?\*\//,
+      // Block comments (hiding malicious code)
+      /SLEEP\s*\(/i,
+      /BENCHMARK\s*\(/i,
+      /WAITFOR\s+DELAY/i,
+      /pg_sleep/i
+    ];
+    EXECUTE_PATTERNS = [
+      /\bCALL\s+/i,
+      /\bEXEC\s+/i,
+      /\bEXECUTE\s+/i
+    ];
+  }
+});
+
+// src/database-access/connection-manager.ts
+import crypto from "crypto";
+var RateLimiter, DatabaseConnectionManager;
+var init_connection_manager = __esm({
+  "src/database-access/connection-manager.ts"() {
+    init_query_sanitizer();
+    RateLimiter = class {
+      windows = /* @__PURE__ */ new Map();
+      check(key, maxPerMinute) {
+        const now = Date.now();
+        const window = this.windows.get(key);
+        if (!window || window.resetAt <= now) {
+          this.windows.set(key, { count: 1, resetAt: now + 6e4 });
+          return true;
+        }
+        if (window.count >= maxPerMinute) return false;
+        window.count++;
+        return true;
+      }
+    };
+    DatabaseConnectionManager = class {
+      pools = /* @__PURE__ */ new Map();
+      configs = /* @__PURE__ */ new Map();
+      agentAccess = /* @__PURE__ */ new Map();
+      // agentId → accesses
+      drivers = /* @__PURE__ */ new Map();
+      rateLimiter = new RateLimiter();
+      stats = /* @__PURE__ */ new Map();
+      engineDb;
+      vault;
+      constructor(deps) {
+        this.engineDb = deps?.engineDb;
+        this.vault = deps?.vault;
+        this.registerBuiltinDrivers();
+      }
+      // ─── Initialization ──────────────────────────────────────────────────────
+      async setDb(db) {
+        this.engineDb = db;
+        await this.init();
+      }
+      /** Normalize DB execute — adapters may have run() or execute() */
+      async dbRun(sql, params) {
+        if (!this.engineDb) throw new Error("No database");
+        const fn = this.engineDb.run || this.engineDb.execute;
+        if (!fn) throw new Error("DB adapter has no run/execute method");
+        return fn.call(this.engineDb, sql, params);
+      }
+      async dbAll(sql, params) {
+        if (!this.engineDb) return [];
+        if (this.engineDb.all) return this.engineDb.all(sql, params);
+        if (this.engineDb.query) {
+          const result2 = await this.engineDb.query(sql, params);
+          return Array.isArray(result2) ? result2 : result2?.rows || [];
+        }
+        const result = await this.dbRun(sql, params);
+        return Array.isArray(result) ? result : result?.rows || [];
+      }
+      async dbGet(sql, params) {
+        if (!this.engineDb) return null;
+        if (this.engineDb.get) return this.engineDb.get(sql, params);
+        const rows = await this.dbAll(sql, params);
+        return rows?.[0] || null;
+      }
+      async init() {
+        try {
+          await this.ensureTable();
+          await this.loadConnections();
+          await this.loadAgentAccess();
+          console.log(`[db-access] Initialized: ${this.configs.size} connections, ${this.agentAccess.size} agent mappings`);
+        } catch (err) {
+          console.error(`[db-access] Init failed: ${err.message}`);
+        }
+      }
+      async ensureTable() {
+        if (!this.engineDb) return;
+        let isPostgres = false;
+        try {
+          await this.dbRun(`SELECT NOW()`);
+          isPostgres = true;
+        } catch {
+          isPostgres = false;
+        }
+        const now = isPostgres ? "NOW()" : "(datetime('now'))";
+        const jsonType = isPostgres ? "JSONB" : "TEXT";
+        const boolType = isPostgres ? "BOOLEAN" : "INTEGER";
+        const boolFalse = isPostgres ? "FALSE" : "0";
+        const boolTrue = isPostgres ? "TRUE" : "1";
+        try {
+          await this.dbRun(`
+        CREATE TABLE IF NOT EXISTS database_connections (
+          id TEXT PRIMARY KEY,
+          org_id TEXT NOT NULL,
+          name TEXT NOT NULL,
+          type TEXT NOT NULL,
+          config ${jsonType} NOT NULL DEFAULT '{}',
+          status TEXT NOT NULL DEFAULT 'inactive',
+          last_tested_at TEXT,
+          last_error TEXT,
+          created_at TEXT NOT NULL DEFAULT ${now},
+          updated_at TEXT NOT NULL DEFAULT ${now}
+        )
+      `);
+          await this.dbRun(`
+        CREATE TABLE IF NOT EXISTS agent_database_access (
+          id TEXT PRIMARY KEY,
+          org_id TEXT NOT NULL,
+          agent_id TEXT NOT NULL,
+          connection_id TEXT NOT NULL REFERENCES database_connections(id) ON DELETE CASCADE,
+          permissions TEXT NOT NULL DEFAULT '["read"]',
+          query_limits ${jsonType},
+          schema_access ${jsonType},
+          log_all_queries ${boolType} NOT NULL DEFAULT ${boolFalse},
+          require_approval ${boolType} NOT NULL DEFAULT ${boolFalse},
+          enabled ${boolType} NOT NULL DEFAULT ${boolTrue},
+          created_at TEXT NOT NULL DEFAULT ${now},
+          updated_at TEXT NOT NULL DEFAULT ${now},
+          UNIQUE(agent_id, connection_id)
+        )
+      `);
+          await this.dbRun(`
+        CREATE TABLE IF NOT EXISTS database_audit_log (
+          id TEXT PRIMARY KEY,
+          org_id TEXT NOT NULL,
+          agent_id TEXT NOT NULL,
+          agent_name TEXT,
+          connection_id TEXT NOT NULL,
+          connection_name TEXT,
+          operation TEXT NOT NULL,
+          query TEXT NOT NULL,
+          param_count INTEGER NOT NULL DEFAULT 0,
+          rows_affected INTEGER NOT NULL DEFAULT 0,
+          execution_time_ms INTEGER NOT NULL DEFAULT 0,
+          success ${boolType} NOT NULL DEFAULT ${boolTrue},
+          error TEXT,
+          timestamp TEXT NOT NULL DEFAULT ${now}
+        )
+      `);
+          await this.dbRun(`CREATE INDEX IF NOT EXISTS idx_db_audit_agent ON database_audit_log(agent_id, timestamp)`).catch(() => {
+          });
+          await this.dbRun(`CREATE INDEX IF NOT EXISTS idx_db_audit_conn ON database_audit_log(connection_id, timestamp)`).catch(() => {
+          });
+        } catch (err) {
+          console.error(`[db-access] Table creation failed:`, err.message);
+        }
+      }
+      async loadConnections() {
+        if (!this.engineDb) {
+          console.warn("[db-access] No engineDb, skipping loadConnections");
+          return;
+        }
+        try {
+          const rows = await this.dbAll("SELECT * FROM database_connections");
+          for (const row of rows || []) {
+            const config = this.rowToConfig(row);
+            this.configs.set(config.id, config);
+          }
+        } catch (err) {
+          console.warn(`[db-access] Failed to load connections: ${err.message}`);
+        }
+      }
+      async loadAgentAccess() {
+        if (!this.engineDb) return;
+        try {
+          const rows = await this.dbAll("SELECT * FROM agent_database_access WHERE enabled IS NOT FALSE");
+          for (const row of rows || []) {
+            const access = this.rowToAccess(row);
+            const list = this.agentAccess.get(access.agentId) || [];
+            list.push(access);
+            this.agentAccess.set(access.agentId, list);
+          }
+        } catch (err) {
+          console.warn(`[db-access] Failed to load agent access: ${err.message}`);
+        }
+      }
+      // ─── CRUD: Connections ─────────────────────────────────────────────────────
+      async createConnection(config, credentials) {
+        const id = crypto.randomUUID();
+        const now = (/* @__PURE__ */ new Date()).toISOString();
+        const full = { ...config, id, createdAt: now, updatedAt: now };
+        if (credentials?.password && this.vault) {
+          await this.vault.storeSecret(config.orgId, `db:${id}:password`, "database_credential", credentials.password);
+        }
+        if (credentials?.connectionString && this.vault) {
+          await this.vault.storeSecret(config.orgId, `db:${id}:connection_string`, "database_credential", credentials.connectionString);
+        }
+        if (this.engineDb) {
+          await this.dbRun(
+            `INSERT INTO database_connections (id, org_id, name, type, config, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+            [id, full.orgId, full.name, full.type, JSON.stringify(this.configToStorable(full)), full.status, now, now]
+          );
+        }
+        this.configs.set(id, full);
+        console.log(`[db-access] Connection created: ${full.name} (${full.type})`);
+        return full;
+      }
+      async updateConnection(id, updates, credentials) {
+        const existing = this.configs.get(id);
+        if (!existing) return null;
+        const updated = { ...existing, ...updates, id, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+        if (this.vault) {
+          if (credentials?.password) {
+            const old = this.vault.findByName(`db:${id}:password`);
+            if (old) try {
+              await this.vault.deleteSecret(old.id);
+            } catch {
+            }
+            await this.vault.storeSecret(existing.orgId, `db:${id}:password`, "database_credential", credentials.password);
+          }
+          if (credentials?.connectionString) {
+            const old = this.vault.findByName(`db:${id}:connection_string`);
+            if (old) try {
+              await this.vault.deleteSecret(old.id);
+            } catch {
+            }
+            await this.vault.storeSecret(existing.orgId, `db:${id}:connection_string`, "database_credential", credentials.connectionString);
+          }
+        }
+        if (this.engineDb) {
+          await this.dbRun(
+            `UPDATE database_connections SET name = ?, type = ?, config = ?, status = ?, updated_at = ? WHERE id = ?`,
+            [updated.name, updated.type, JSON.stringify(this.configToStorable(updated)), updated.status, updated.updatedAt, id]
+          );
+        }
+        this.configs.set(id, updated);
+        await this.closePool(id);
+        return updated;
+      }
+      async deleteConnection(id) {
+        const config = this.configs.get(id);
+        if (!config) return false;
+        await this.closePool(id);
+        if (this.vault) {
+          try {
+            for (const suffix of ["password", "connection_string", "ssh_key"]) {
+              const entry = this.vault.findByName(`db:${id}:${suffix}`);
+              if (entry) await this.vault.deleteSecret(entry.id);
+            }
+          } catch {
+          }
+        }
+        if (this.engineDb) {
+          await this.dbRun("DELETE FROM agent_database_access WHERE connection_id = ?", [id]);
+          await this.dbRun("DELETE FROM database_connections WHERE id = ?", [id]);
+        }
+        this.configs.delete(id);
+        for (const [agentId, list] of this.agentAccess) {
+          const filtered = list.filter((a) => a.connectionId !== id);
+          if (filtered.length === 0) this.agentAccess.delete(agentId);
+          else this.agentAccess.set(agentId, filtered);
+        }
+        console.log(`[db-access] Connection deleted: ${config.name}`);
+        return true;
+      }
+      getConnection(id) {
+        return this.configs.get(id);
+      }
+      /** Get a human-readable summary of an agent's database connections for system prompts */
+      getAgentConnectionSummary(agentId) {
+        const accesses = this.getAgentAccess(agentId).filter((a) => a.enabled);
+        return accesses.map((a) => {
+          const config = this.configs.get(a.connectionId);
+          if (!config) return "";
+          const perms = a.permissions?.join(", ") || "read";
+          return `"${config.name}" (${config.type}) \u2014 permissions: ${perms}`;
+        }).filter(Boolean);
+      }
+      listConnections(orgId) {
+        return [...this.configs.values()].filter((c) => c.orgId === orgId);
+      }
+      // ─── CRUD: Agent Access ────────────────────────────────────────────────────
+      async grantAccess(access) {
+        const id = crypto.randomUUID();
+        const now = (/* @__PURE__ */ new Date()).toISOString();
+        const full = { ...access, id, createdAt: now, updatedAt: now };
+        if (this.engineDb) {
+          await this.dbRun(
+            `INSERT INTO agent_database_access (id, org_id, agent_id, connection_id, permissions, query_limits, schema_access, log_all_queries, require_approval, enabled, created_at, updated_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+            [
+              id,
+              full.orgId,
+              full.agentId,
+              full.connectionId,
+              JSON.stringify(full.permissions),
+              JSON.stringify(full.queryLimits || null),
+              JSON.stringify(full.schemaAccess || null),
+              full.logAllQueries,
+              full.requireApproval,
+              full.enabled,
+              now,
+              now
+            ]
+          );
+        }
+        const list = this.agentAccess.get(full.agentId) || [];
+        list.push(full);
+        this.agentAccess.set(full.agentId, list);
+        return full;
+      }
+      async revokeAccess(agentId, connectionId) {
+        if (this.engineDb) {
+          await this.dbRun(
+            "DELETE FROM agent_database_access WHERE agent_id = ? AND connection_id = ?",
+            [agentId, connectionId]
+          );
+        }
+        const list = this.agentAccess.get(agentId) || [];
+        const filtered = list.filter((a) => a.connectionId !== connectionId);
+        if (filtered.length === 0) this.agentAccess.delete(agentId);
+        else this.agentAccess.set(agentId, filtered);
+        return true;
+      }
+      async updateAccess(agentId, connectionId, updates) {
+        const list = this.agentAccess.get(agentId) || [];
+        const idx = list.findIndex((a) => a.connectionId === connectionId);
+        if (idx === -1) return null;
+        const updated = { ...list[idx], ...updates, updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+        list[idx] = updated;
+        this.agentAccess.set(agentId, list);
+        if (this.engineDb) {
+          await this.dbRun(
+            `UPDATE agent_database_access SET permissions = ?, query_limits = ?, schema_access = ?, log_all_queries = ?, require_approval = ?, enabled = ?, updated_at = ? WHERE agent_id = ? AND connection_id = ?`,
+            [
+              JSON.stringify(updated.permissions),
+              JSON.stringify(updated.queryLimits || null),
+              JSON.stringify(updated.schemaAccess || null),
+              updated.logAllQueries,
+              updated.requireApproval,
+              updated.enabled,
+              updated.updatedAt,
+              agentId,
+              connectionId
+            ]
+          );
+        }
+        return updated;
+      }
+      getAgentAccess(agentId) {
+        return this.agentAccess.get(agentId) || [];
+      }
+      getConnectionAgents(connectionId) {
+        const result = [];
+        for (const list of this.agentAccess.values()) {
+          for (const a of list) {
+            if (a.connectionId === connectionId) result.push(a);
+          }
+        }
+        return result;
+      }
+      // ─── Query Execution ──────────────────────────────────────────────────────
+      async executeQuery(query) {
+        const startMs = Date.now();
+        const queryId = crypto.randomUUID();
+        const access = this.getAgentAccess(query.agentId).find((a) => a.connectionId === query.connectionId && a.enabled);
+        if (!access) {
+          return { success: false, error: "Agent does not have access to this database", executionTimeMs: 0, queryId };
+        }
+        const config = this.configs.get(query.connectionId);
+        if (!config || config.status !== "active") {
+          return { success: false, error: "Database connection is not active", executionTimeMs: 0, queryId };
+        }
+        const rateLimit = access.queryLimits?.maxQueriesPerMinute ?? 60;
+        const rateKey = `${query.agentId}:${query.connectionId}`;
+        if (!this.rateLimiter.check(rateKey, rateLimit)) {
+          return { success: false, error: `Rate limit exceeded (${rateLimit}/min)`, executionTimeMs: 0, queryId };
+        }
+        if (!query.sql) {
+          return { success: false, error: "No SQL query provided", executionTimeMs: 0, queryId };
+        }
+        const sanitizeResult = sanitizeQuery(query.sql, access.permissions, config, access);
+        if (!sanitizeResult.allowed) {
+          await this.logAudit(query, config, access, "read", 0, false, sanitizeResult.reason || "Query blocked", startMs, queryId);
+          return { success: false, error: sanitizeResult.reason, executionTimeMs: Date.now() - startMs, queryId };
+        }
+        const finalSql = sanitizeResult.sanitizedQuery || query.sql;
+        const maxConcurrent = access.queryLimits?.maxConcurrentQueries ?? config.queryLimits?.maxConcurrentQueries ?? 5;
+        const timeout = access.queryLimits?.queryTimeoutMs ?? config.queryLimits?.queryTimeoutMs ?? 3e4;
+        try {
+          const conn = await this.getPooledConnection(query.connectionId);
+          const result = await Promise.race([
+            conn.query(finalSql, query.params),
+            new Promise((_, reject) => setTimeout(() => reject(new Error("Query timeout")), timeout))
+          ]);
+          const execMs = Date.now() - startMs;
+          const rows = result.rows || [];
+          const affectedRows = result.affectedRows ?? rows.length;
+          const maxRows = sanitizeResult.operation === "read" ? access.queryLimits?.maxRowsRead ?? config.queryLimits?.maxRowsRead ?? 1e4 : sanitizeResult.operation === "write" ? access.queryLimits?.maxRowsWrite ?? config.queryLimits?.maxRowsWrite ?? 1e3 : access.queryLimits?.maxRowsDelete ?? config.queryLimits?.maxRowsDelete ?? 100;
+          const truncated = rows.length > maxRows;
+          const limitedRows = truncated ? rows.slice(0, maxRows) : rows;
+          this.updateStats(query.connectionId, execMs, false);
+          const shouldLog = access.logAllQueries || sanitizeResult.operation !== "read";
+          if (shouldLog) {
+            await this.logAudit(query, config, access, sanitizeResult.operation, affectedRows, true, void 0, startMs, queryId);
+          }
+          return {
+            success: true,
+            rows: limitedRows,
+            rowCount: limitedRows.length,
+            affectedRows,
+            fields: result.fields,
+            executionTimeMs: execMs,
+            truncated,
+            queryId
+          };
+        } catch (err) {
+          const execMs = Date.now() - startMs;
+          this.updateStats(query.connectionId, execMs, true);
+          await this.logAudit(query, config, access, sanitizeResult.operation, 0, false, err.message, startMs, queryId);
+          return { success: false, error: err.message, executionTimeMs: execMs, queryId };
+        }
+      }
+      // ─── Connection Testing ────────────────────────────────────────────────────
+      async testConnection(connectionId) {
+        const config = this.configs.get(connectionId);
+        if (!config) return { success: false, latencyMs: 0, error: "Connection not found" };
+        const startMs = Date.now();
+        try {
+          const conn = await this.getPooledConnection(connectionId);
+          const alive = await conn.ping();
+          const latencyMs = Date.now() - startMs;
+          await this.updateConnection(connectionId, {
+            status: alive ? "active" : "error",
+            lastTestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+            lastError: alive ? void 0 : "Ping failed"
+          });
+          return { success: alive, latencyMs, error: alive ? void 0 : "Ping failed \u2014 connection may have been closed or timed out. Try reconnecting." };
+        } catch (err) {
+          try {
+            await this.closePool(connectionId);
+            const conn = await this.getPooledConnection(connectionId);
+            const alive = await conn.ping();
+            const latencyMs = Date.now() - startMs;
+            await this.updateConnection(connectionId, { status: alive ? "active" : "error", lastTestedAt: (/* @__PURE__ */ new Date()).toISOString(), lastError: alive ? void 0 : "Ping failed on retry" });
+            return { success: alive, latencyMs, error: alive ? void 0 : "Ping failed on retry" };
+          } catch (retryErr) {
+          }
+          const msg = (err instanceof AggregateError ? err.errors?.map?.((x) => x.message).join("; ") || "Multiple connection failures" : err.message || String(err)) || "Unknown connection error";
+          await this.updateConnection(connectionId, {
+            status: "error",
+            lastTestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+            lastError: msg
+          });
+          return { success: false, latencyMs: Date.now() - startMs, error: msg };
+        }
+      }
+      /**
+       * Test connection parameters without saving — creates a temporary connection,
+       * pings it, and immediately destroys it.
+       */
+      async testConnectionParams(params) {
+        const startMs = Date.now();
+        const driver = this.drivers.get(params.type);
+        if (!driver) return { success: false, latencyMs: 0, error: `No driver for database type: ${params.type}` };
+        let connection;
+        try {
+          connection = await driver.connect(
+            { type: params.type, host: params.host, port: params.port, database: params.database, ssl: params.ssl },
+            { password: params.password, connectionString: params.connectionString }
+          );
+          const alive = await connection.ping();
+          const latencyMs = Date.now() - startMs;
+          return { success: alive, latencyMs, error: alive ? void 0 : "Ping failed \u2014 database responded but health check did not pass" };
+        } catch (err) {
+          return { success: false, latencyMs: Date.now() - startMs, error: err.message || String(err) || "Connection failed" };
+        } finally {
+          try {
+            if (connection?.close) await connection.close();
+          } catch {
+          }
+        }
+      }
+      // ─── Pool Management ───────────────────────────────────────────────────────
+      async getPooledConnection(connectionId) {
+        const pool = this.pools.get(connectionId) || [];
+        const idle = pool.find((p) => !p.inUse);
+        if (idle) {
+          idle.inUse = true;
+          idle.lastUsedAt = Date.now();
+          return this.wrapPooledConnection(idle);
+        }
+        const config = this.configs.get(connectionId);
+        if (!config) throw new Error("Connection not found");
+        const maxPool = config.pool?.max ?? 10;
+        if (pool.length >= maxPool) throw new Error("Connection pool exhausted");
+        const driver = this.drivers.get(config.type);
+        if (!driver) throw new Error(`No driver for database type: ${config.type}`);
+        const credentials = await this.loadCredentials(config);
+        const connection = await driver.connect(config, credentials);
+        const entry = {
+          connection,
+          connectionId,
+          createdAt: Date.now(),
+          lastUsedAt: Date.now(),
+          inUse: true,
+          queryCount: 0
+        };
+        pool.push(entry);
+        this.pools.set(connectionId, pool);
+        return this.wrapPooledConnection(entry);
+      }
+      wrapPooledConnection(entry) {
+        return {
+          query: async (sql, params) => {
+            entry.queryCount++;
+            return entry.connection.query(sql, params);
+          },
+          close: async () => {
+            entry.inUse = false;
+          },
+          // Return to pool, don't actually close
+          ping: () => entry.connection.ping()
+        };
+      }
+      async closePool(connectionId) {
+        const pool = this.pools.get(connectionId) || [];
+        for (const entry of pool) {
+          try {
+            await entry.connection.close();
+          } catch {
+          }
+        }
+        this.pools.delete(connectionId);
+      }
+      async loadCredentials(config) {
+        const creds = {};
+        if (this.vault) {
+          try {
+            const pw = await this.vault.getSecretByName(config.orgId, `db:${config.id}:password`, "database_credential");
+            if (pw) creds.password = pw.plaintext;
+          } catch {
+          }
+          try {
+            const cs = await this.vault.getSecretByName(config.orgId, `db:${config.id}:connection_string`, "database_credential");
+            if (cs) creds.connectionString = cs.plaintext;
+          } catch {
+          }
+          if (config.sshTunnel?.enabled) {
+            try {
+              const ssh = await this.vault.getSecretByName(config.orgId, `db:${config.id}:ssh_key`, "database_credential");
+              if (ssh) creds.sshPrivateKey = ssh.plaintext;
+            } catch {
+            }
+          }
+        }
+        return creds;
+      }
+      // ─── Stats ─────────────────────────────────────────────────────────────────
+      getPoolStats(connectionId) {
+        const pool = this.pools.get(connectionId) || [];
+        const s = this.stats.get(connectionId) || { queries: 0, errors: 0, totalTimeMs: 0, lastActivity: 0 };
+        return {
+          connectionId,
+          totalConnections: pool.length,
+          activeConnections: pool.filter((p) => p.inUse).length,
+          idleConnections: pool.filter((p) => !p.inUse).length,
+          waitingRequests: 0,
+          queriesExecuted: s.queries,
+          averageQueryTimeMs: s.queries > 0 ? Math.round(s.totalTimeMs / s.queries) : 0,
+          errorCount: s.errors,
+          lastActivityAt: s.lastActivity ? new Date(s.lastActivity).toISOString() : ""
+        };
+      }
+      updateStats(connectionId, timeMs, isError) {
+        const s = this.stats.get(connectionId) || { queries: 0, errors: 0, totalTimeMs: 0, lastActivity: 0 };
+        s.queries++;
+        s.totalTimeMs += timeMs;
+        if (isError) s.errors++;
+        s.lastActivity = Date.now();
+        this.stats.set(connectionId, s);
+      }
+      // ─── Audit Logging ─────────────────────────────────────────────────────────
+      async logAudit(query, config, access, operation, rowsAffected, success, error, startMs, queryId) {
+        if (!this.engineDb) return;
+        try {
+          await this.dbRun(
+            `INSERT INTO database_audit_log (id, org_id, agent_id, connection_id, connection_name, operation, query, param_count, rows_affected, execution_time_ms, success, error, timestamp)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+            [
+              queryId,
+              config.orgId,
+              query.agentId,
+              query.connectionId,
+              config.name,
+              operation,
+              sanitizeForLogging(query.sql || ""),
+              (query.params || []).length,
+              rowsAffected,
+              Date.now() - startMs,
+              success,
+              error || null,
+              (/* @__PURE__ */ new Date()).toISOString()
+            ]
+          );
+        } catch (err) {
+          console.warn(`[db-access] Audit log failed: ${err.message}`);
+        }
+      }
+      async getAuditLog(opts) {
+        if (!this.engineDb) return [];
+        const conditions = ["org_id = ?"];
+        const params = [opts.orgId];
+        if (opts.agentId) {
+          conditions.push("agent_id = ?");
+          params.push(opts.agentId);
+        }
+        if (opts.connectionId) {
+          conditions.push("connection_id = ?");
+          params.push(opts.connectionId);
+        }
+        params.push(opts.limit ?? 100, opts.offset ?? 0);
+        return this.dbAll(
+          `SELECT * FROM database_audit_log WHERE ${conditions.join(" AND ")} ORDER BY timestamp DESC LIMIT ? OFFSET ?`,
+          params
+        );
+      }
+      // ─── Driver Registration ───────────────────────────────────────────────────
+      registerDriver(type, driver) {
+        this.drivers.set(type, driver);
+      }
+      // ─── Auto-Install Helper ──────────────────────────────────────────────────
+      _installCache = /* @__PURE__ */ new Set();
+      /**
+       * Auto-install a npm package if not already installed.
+       * Caches install attempts to avoid repeated installs in the same process.
+       */
+      /**
+       * Load a package using createRequire (works in bundled builds where dynamic import() fails).
+       * Falls back through multiple strategies: createRequire at cwd, createRequire at node_modules, direct import.
+       */
+      _requirePkg(pkg) {
+        try {
+          const { createRequire } = __require("module");
+          const req = createRequire(__require("path").join(process.cwd(), "node_modules", ".package.json"));
+          return req(pkg);
+        } catch {
+        }
+        try {
+          const { createRequire } = __require("module");
+          const req = createRequire(__require("path").join(process.cwd(), "package.json"));
+          return req(pkg);
+        } catch {
+        }
+        try {
+          const absPath = __require("path").join(process.cwd(), "node_modules", pkg);
+          return __require(absPath);
+        } catch {
+        }
+        try {
+          return __require(pkg);
+        } catch {
+        }
+        return null;
+      }
+      async ensurePackage(pkg) {
+        const existing = this._requirePkg(pkg);
+        if (existing) return existing;
+        try {
+          return await import(pkg);
+        } catch {
+        }
+        if (this._installCache.has(pkg)) {
+          throw new Error(`Package "${pkg}" could not be loaded after auto-install. Please install manually: npm install ${pkg}`);
+        }
+        this._installCache.add(pkg);
+        console.log(`[database-access] Auto-installing "${pkg}"...`);
+        const { execSync } = await import("child_process");
+        try {
+          execSync(`npm install --no-save ${pkg}`, {
+            stdio: "pipe",
+            timeout: 12e4,
+            cwd: process.cwd()
+          });
+          console.log(`[database-access] Successfully installed "${pkg}"`);
+        } catch (installErr) {
+          const msg = installErr.stderr?.toString?.().slice(0, 200) || installErr.message;
+          throw new Error(`Failed to auto-install "${pkg}": ${msg}. Please install manually: npm install ${pkg}`);
+        }
+        const loaded = this._requirePkg(pkg);
+        if (loaded) return loaded;
+        try {
+          return await import(pkg);
+        } catch {
+        }
+        throw new Error(`Package "${pkg}" installed but could not be loaded. Try restarting the server, or install manually: npm install ${pkg}`);
+      }
+      /**
+       * Connect with a timeout wrapper — all drivers get a 15s connect timeout.
+       */
+      async connectWithTimeout(fn, timeoutMs = 15e3, label = "Connection") {
+        return new Promise((resolve, reject) => {
+          const timer = setTimeout(() => reject(new Error(`${label} timed out after ${timeoutMs}ms \u2014 check your host/port and ensure the database is reachable`)), timeoutMs);
+          fn().then(
+            (v) => {
+              clearTimeout(timer);
+              resolve(v);
+            },
+            (e) => {
+              clearTimeout(timer);
+              reject(e);
+            }
+          );
+        });
+      }
+      /**
+       * Detect SSL requirement from connection string or cloud provider type.
+       * Cloud-hosted databases almost always require SSL.
+       */
+      needsSsl(config, credentials) {
+        if (config.ssl === true) return true;
+        if (config.ssl === false) return false;
+        const cloudTypes = ["supabase", "neon", "planetscale", "cockroachdb", "turso", "upstash"];
+        if (cloudTypes.includes(config.type)) return true;
+        const connStr = credentials?.connectionString || "";
+        if (connStr.includes("sslmode=require") || connStr.includes("ssl=true")) return true;
+        if (/supabase|neon\.tech|cockroachlabs|planetscale|turso\.io|railway\.app|render\.com|aiven\.io|timescale\.com/i.test(connStr)) return true;
+        if (/supabase|neon\.tech|cockroachlabs|planetscale|turso\.io|railway|render|aiven|timescale/i.test(config.host || "")) return true;
+        return false;
+      }
+      /**
+       * Parse a connection string to extract host/port/database/username when fields are missing.
+       */
+      parseConnectionString(connStr, type) {
+        try {
+          const cleaned = connStr.replace(/^(postgres|postgresql|mysql|mongodb\+srv|mongodb|redis|rediss|libsql)/, "http");
+          const url = new URL(cleaned);
+          return {
+            host: url.hostname || void 0,
+            port: url.port ? parseInt(url.port) : void 0,
+            database: url.pathname?.replace(/^\//, "") || void 0,
+            username: url.username || void 0
+          };
+        } catch {
+          return {};
+        }
+      }
+      registerBuiltinDrivers() {
+        const self = this;
+        const pgDriver = {
+          async connect(config, credentials) {
+            const pgMod = await self.ensurePackage("postgres");
+            const pgFn = pgMod.default || pgMod;
+            let connStr = credentials.connectionString;
+            if (!connStr) {
+              const user = encodeURIComponent(config.username || "postgres");
+              const pass = encodeURIComponent(credentials.password || "");
+              const host = config.host || "localhost";
+              const port = config.port || 5432;
+              const db = config.database || "postgres";
+              connStr = `postgresql://${user}:${pass}@${host}:${port}/${db}`;
+            }
+            const ssl = self.needsSsl(config, credentials);
+            const sql = await self.connectWithTimeout(() => {
+              const s = pgFn(connStr, {
+                max: config.pool?.max ?? 10,
+                idle_timeout: (config.pool?.idleTimeoutMs ?? 3e4) / 1e3,
+                connect_timeout: 10,
+                ssl: ssl ? config.sslRejectUnauthorized === false ? "prefer" : "require" : false
+              });
+              return s`SELECT 1`.then(() => s);
+            }, 15e3, "PostgreSQL");
+            return {
+              async query(q, params) {
+                const result = params?.length ? await sql.unsafe(q, params) : await sql.unsafe(q);
+                return {
+                  rows: [...result],
+                  affectedRows: result.count,
+                  fields: result.columns?.map((c) => ({ name: c.name, type: String(c.type) }))
+                };
+              },
+              async close() {
+                try {
+                  await sql.end({ timeout: 5 });
+                } catch {
+                }
+              },
+              async ping() {
+                try {
+                  await sql`SELECT 1`;
+                  return true;
+                } catch (e) {
+                  const msg = e instanceof AggregateError ? e.errors?.map?.((x) => x.message).join("; ") || "Multiple connection failures" : e.message || String(e);
+                  throw new Error("PostgreSQL ping failed: " + msg);
+                }
+              }
+            };
+          }
+        };
+        this.drivers.set("postgresql", pgDriver);
+        this.drivers.set("cockroachdb", pgDriver);
+        this.drivers.set("supabase", pgDriver);
+        this.drivers.set("neon", pgDriver);
+        const mysqlDriver = {
+          async connect(config, credentials) {
+            const mysql2 = await self.ensurePackage("mysql2/promise");
+            const parsed = credentials.connectionString ? self.parseConnectionString(credentials.connectionString, config.type) : {};
+            const ssl = self.needsSsl(config, credentials);
+            const pool = await self.connectWithTimeout(async () => {
+              const p = mysql2.createPool({
+                host: config.host || parsed.host || "localhost",
+                port: config.port || parsed.port || 3306,
+                user: config.username || parsed.username,
+                password: credentials.password || (credentials.connectionString ? (() => {
+                  try {
+                    const u = new URL(credentials.connectionString.replace(/^mysql/, "http"));
+                    return decodeURIComponent(u.password);
+                  } catch {
+                    return void 0;
+                  }
+                })() : void 0),
+                database: config.database || parsed.database,
+                connectionLimit: config.pool?.max ?? 10,
+                connectTimeout: 1e4,
+                ssl: ssl ? { rejectUnauthorized: config.sslRejectUnauthorized !== false } : void 0,
+                uri: credentials.connectionString || void 0
+              });
+              await p.execute("SELECT 1");
+              return p;
+            }, 15e3, "MySQL");
+            return {
+              async query(q, params) {
+                const [rows, fields] = await pool.execute(q, params);
+                const resultRows = Array.isArray(rows) ? rows : [];
+                return {
+                  rows: resultRows,
+                  affectedRows: rows.affectedRows,
+                  fields: fields?.map((f) => ({ name: f.name, type: String(f.type) }))
+                };
+              },
+              async close() {
+                try {
+                  await pool.end();
+                } catch {
+                }
+              },
+              async ping() {
+                try {
+                  await pool.execute("SELECT 1");
+                  return true;
+                } catch (e) {
+                  throw new Error("MySQL ping failed: " + (e.message || e));
+                }
+              }
+            };
+          }
+        };
+        this.drivers.set("mysql", mysqlDriver);
+        this.drivers.set("mariadb", mysqlDriver);
+        this.drivers.set("planetscale", mysqlDriver);
+        this.drivers.set("sqlite", {
+          async connect(config, credentials) {
+            const sqliteMod = await self.ensurePackage("better-sqlite3");
+            const Database = sqliteMod.default || sqliteMod;
+            const dbPath = credentials.connectionString || config.database || ":memory:";
+            const db = new Database(dbPath, { readonly: false });
+            try {
+              db.pragma("journal_mode = WAL");
+            } catch {
+            }
+            return {
+              async query(q, params) {
+                const trimmed = q.trim().toUpperCase();
+                if (trimmed.startsWith("SELECT") || trimmed.startsWith("WITH") || trimmed.startsWith("PRAGMA") || trimmed.startsWith("EXPLAIN")) {
+                  const stmt = db.prepare(q);
+                  const rows = params?.length ? stmt.all(...params) : stmt.all();
+                  return { rows, fields: rows.length > 0 ? Object.keys(rows[0]).map((k) => ({ name: k, type: "unknown" })) : [] };
+                } else {
+                  const stmt = db.prepare(q);
+                  const result = params?.length ? stmt.run(...params) : stmt.run();
+                  return { rows: [], affectedRows: result.changes };
+                }
+              },
+              async close() {
+                try {
+                  db.close();
+                } catch {
+                }
+              },
+              async ping() {
+                try {
+                  db.prepare("SELECT 1").get();
+                  return true;
+                } catch (e) {
+                  throw new Error("SQLite ping failed: " + (e.message || e));
+                }
+              }
+            };
+          }
+        });
+        this.drivers.set("turso", {
+          async connect(config, credentials) {
+            const libsql = await self.ensurePackage("@libsql/client");
+            const { createClient } = libsql;
+            const url = credentials.connectionString || `libsql://${config.host}`;
+            const client = createClient({ url, authToken: credentials.password });
+            await self.connectWithTimeout(() => client.execute("SELECT 1"), 15e3, "Turso");
+            return {
+              async query(q, params) {
+                const result = await client.execute({ sql: q, args: params || [] });
+                return {
+                  rows: result.rows,
+                  affectedRows: result.rowsAffected,
+                  fields: result.columns?.map((c) => ({ name: String(c), type: "unknown" }))
+                };
+              },
+              async close() {
+                try {
+                  client.close();
+                } catch {
+                }
+              },
+              async ping() {
+                try {
+                  await client.execute("SELECT 1");
+                  return true;
+                } catch (e) {
+                  throw new Error("Turso ping failed: " + (e.message || e));
+                }
+              }
+            };
+          }
+        });
+        this.drivers.set("mongodb", {
+          async connect(config, credentials) {
+            const mongoMod = await self.ensurePackage("mongodb");
+            const { MongoClient } = mongoMod;
+            const uri = credentials.connectionString || (() => {
+              const user = encodeURIComponent(config.username || "");
+              const pass = encodeURIComponent(credentials.password || "");
+              const host = config.host || "localhost";
+              const port = config.port || 27017;
+              const db2 = config.database || "admin";
+              const auth = user ? `${user}:${pass}@` : "";
+              return `mongodb://${auth}${host}:${port}/${db2}`;
+            })();
+            const ssl = self.needsSsl(config, credentials);
+            const useTls = ssl || uri.startsWith("mongodb+srv://");
+            const client = new MongoClient(uri, {
+              maxPoolSize: config.pool?.max ?? 10,
+              serverSelectionTimeoutMS: 1e4,
+              connectTimeoutMS: 1e4,
+              tls: useTls || void 0
+            });
+            await self.connectWithTimeout(() => client.connect(), 15e3, "MongoDB");
+            const db = client.db(config.database || self.parseConnectionString(uri, "mongodb").database);
+            return {
+              async query(q, _params) {
+                try {
+                  const cmd = JSON.parse(q);
+                  const collection = db.collection(cmd.collection);
+                  switch (cmd.operation) {
+                    case "find": {
+                      const cursor = collection.find(cmd.filter || {});
+                      if (cmd.projection) cursor.project(cmd.projection);
+                      if (cmd.sort) cursor.sort(cmd.sort);
+                      if (cmd.skip) cursor.skip(cmd.skip);
+                      cursor.limit(cmd.limit || 100);
+                      return { rows: await cursor.toArray() };
+                    }
+                    case "findOne": {
+                      const doc = await collection.findOne(cmd.filter || {}, { projection: cmd.projection });
+                      return { rows: doc ? [doc] : [] };
+                    }
+                    case "insertOne": {
+                      const r = await collection.insertOne(cmd.document);
+                      return { rows: [{ insertedId: r.insertedId }], affectedRows: 1 };
+                    }
+                    case "insertMany": {
+                      const r = await collection.insertMany(cmd.documents);
+                      return { rows: [{ insertedCount: r.insertedCount }], affectedRows: r.insertedCount };
+                    }
+                    case "updateOne":
+                    case "updateMany": {
+                      const fn = cmd.operation === "updateOne" ? collection.updateOne.bind(collection) : collection.updateMany.bind(collection);
+                      const r = await fn(cmd.filter || {}, cmd.update, { upsert: cmd.upsert });
+                      return { rows: [{ matchedCount: r.matchedCount, modifiedCount: r.modifiedCount, upsertedId: r.upsertedId }], affectedRows: r.modifiedCount };
+                    }
+                    case "deleteOne":
+                    case "deleteMany": {
+                      const fn = cmd.operation === "deleteOne" ? collection.deleteOne.bind(collection) : collection.deleteMany.bind(collection);
+                      const r = await fn(cmd.filter || {});
+                      return { rows: [], affectedRows: r.deletedCount };
+                    }
+                    case "aggregate":
+                      return { rows: await collection.aggregate(cmd.pipeline || []).toArray() };
+                    case "count":
+                    case "countDocuments":
+                      return { rows: [{ count: await collection.countDocuments(cmd.filter || {}) }] };
+                    case "distinct":
+                      return { rows: [{ values: await collection.distinct(cmd.field, cmd.filter || {}) }] };
+                    case "listCollections": {
+                      const cols = await db.listCollections().toArray();
+                      return { rows: cols.map((c) => ({ name: c.name, type: c.type })) };
+                    }
+                    default:
+                      throw new Error(`Unknown operation: ${cmd.operation}. Supported: find, findOne, insertOne, insertMany, updateOne, updateMany, deleteOne, deleteMany, aggregate, count, distinct, listCollections`);
+                  }
+                } catch (err) {
+                  throw new Error(`MongoDB query error: ${err.message}`);
+                }
+              },
+              async close() {
+                try {
+                  await client.close();
+                } catch {
+                }
+              },
+              async ping() {
+                try {
+                  await db.command({ ping: 1 });
+                  return true;
+                } catch (e) {
+                  throw new Error("MongoDB ping failed: " + (e.message || e));
+                }
+              }
+            };
+          }
+        });
+        this.drivers.set("redis", {
+          async connect(config, credentials) {
+            const host = config.host || "localhost";
+            const port = config.port || 6379;
+            const ssl = self.needsSsl(config, credentials);
+            const connStr = credentials.connectionString || "";
+            const useTls = ssl || connStr.startsWith("rediss://");
+            let password = credentials.password;
+            let username = config.username;
+            if (connStr) {
+              try {
+                const parsed = self.parseConnectionString(connStr, "redis");
+                if (!password) {
+                  const url = new URL(connStr.replace(/^redis(s?)/, "http"));
+                  password = url.password || password;
+                  username = url.username || username;
+                }
+              } catch {
+              }
+            }
+            let socket;
+            const connectHost = connStr ? self.parseConnectionString(connStr, "redis").host || host : host;
+            const connectPort = connStr ? self.parseConnectionString(connStr, "redis").port || port : port;
+            await self.connectWithTimeout(async () => {
+              if (useTls) {
+                const tls = await import("tls");
+                socket = tls.connect({ host: connectHost, port: connectPort, rejectUnauthorized: config.sslRejectUnauthorized !== false });
+                await new Promise((resolve, reject) => {
+                  socket.on("secureConnect", resolve);
+                  socket.on("error", reject);
+                });
+              } else {
+                const net = await import("net");
+                socket = new net.Socket();
+                await new Promise((resolve, reject) => {
+                  socket.connect(connectPort, connectHost, () => resolve());
+                  socket.on("error", reject);
+                });
+              }
+              if (password) {
+                const authCmd = username && username !== "default" ? `AUTH ${username} ${password}` : `AUTH ${password}`;
+                await sendRedisCommand(socket, authCmd);
+              }
+            }, 15e3, "Redis");
+            function sendRedisCommand(sock, cmd) {
+              return new Promise((resolve, reject) => {
+                let data = "";
+                const onData = (chunk) => {
+                  data += chunk.toString();
+                  if (data.includes("\r\n")) {
+                    sock.off("data", onData);
+                    resolve(data);
+                  }
+                };
+                sock.on("data", onData);
+                sock.write(cmd + "\r\n");
+                setTimeout(() => {
+                  sock.off("data", onData);
+                  reject(new Error("Redis command timed out after 10s"));
+                }, 1e4);
+              });
+            }
+            return {
+              async query(q) {
+                const result = await sendRedisCommand(socket, q);
+                return { rows: [{ result: result.trim() }] };
+              },
+              async close() {
+                try {
+                  socket.destroy();
+                } catch {
+                }
+              },
+              async ping() {
+                try {
+                  const r = await sendRedisCommand(socket, "PING");
+                  if (!r.includes("PONG")) throw new Error("No PONG response");
+                  return true;
+                } catch (e) {
+                  throw new Error("Redis ping failed: " + (e.message || e));
+                }
+              }
+            };
+          }
+        });
+        this.drivers.set("upstash", {
+          async connect(config, credentials) {
+            let baseUrl = "";
+            let token = credentials.password || "";
+            if (credentials.connectionString) {
+              const cs = credentials.connectionString;
+              if (cs.startsWith("https://") && cs.includes("@")) {
+                try {
+                  const url = new URL(cs);
+                  token = token || url.username || url.password;
+                  baseUrl = `https://${url.host}`;
+                } catch {
+                  baseUrl = cs;
+                }
+              } else if (cs.startsWith("https://")) {
+                baseUrl = cs.replace(/\/$/, "");
+              } else if (cs.startsWith("rediss://")) {
+                try {
+                  const url = new URL(cs.replace("rediss://", "https://"));
+                  token = token || url.password;
+                  baseUrl = `https://${url.hostname}`;
+                } catch {
+                  baseUrl = `https://${config.host}`;
+                }
+              } else {
+                baseUrl = `https://${cs}`;
+              }
+            } else {
+              baseUrl = `https://${config.host}`;
+            }
+            if (!baseUrl) throw new Error("Upstash requires a REST URL or hostname. Find it in your Upstash console under REST API.");
+            if (!token) throw new Error("Upstash requires an auth token. Find it in your Upstash console under REST API.");
+            async function upstashRequest(command) {
+              const ctrl = new AbortController();
+              const timer = setTimeout(() => ctrl.abort(), 1e4);
+              try {
+                const resp = await fetch(baseUrl, {
+                  method: "POST",
+                  headers: { "Authorization": `Bearer ${token}`, "Content-Type": "application/json" },
+                  body: JSON.stringify(command),
+                  signal: ctrl.signal
+                });
+                if (!resp.ok) {
+                  const body = await resp.text().catch(() => "");
+                  throw new Error(`Upstash HTTP ${resp.status}: ${body.slice(0, 200)}`);
+                }
+                return resp.json();
+              } finally {
+                clearTimeout(timer);
+              }
+            }
+            await self.connectWithTimeout(async () => {
+              const r = await upstashRequest(["PING"]);
+              if (r.result !== "PONG") throw new Error("Upstash PING failed \u2014 check your token and endpoint URL");
+            }, 15e3, "Upstash");
+            return {
+              async query(q) {
+                const parts = q.trim().split(/\s+/);
+                const result = await upstashRequest(parts);
+                const val = result.result ?? result;
+                return { rows: [{ result: typeof val === "string" ? val : JSON.stringify(val) }] };
+              },
+              async close() {
+              },
+              async ping() {
+                try {
+                  const r = await upstashRequest(["PING"]);
+                  if (r.result !== "PONG") throw new Error("No PONG response");
+                  return true;
+                } catch (e) {
+                  throw new Error("Upstash ping failed: " + (e.message || e));
+                }
+              }
+            };
+          }
+        });
+      }
+      // ─── Row Mapping ───────────────────────────────────────────────────────────
+      rowToConfig(row) {
+        const config = typeof row.config === "string" ? JSON.parse(row.config) : row.config || {};
+        return {
+          id: row.id,
+          orgId: row.org_id,
+          name: row.name,
+          type: row.type,
+          ...config,
+          status: row.status,
+          lastTestedAt: row.last_tested_at,
+          lastError: row.last_error,
+          createdAt: row.created_at,
+          updatedAt: row.updated_at
+        };
+      }
+      rowToAccess(row) {
+        return {
+          id: row.id,
+          orgId: row.org_id,
+          agentId: row.agent_id,
+          connectionId: row.connection_id,
+          permissions: typeof row.permissions === "string" ? JSON.parse(row.permissions) : row.permissions || ["read"],
+          queryLimits: typeof row.query_limits === "string" ? JSON.parse(row.query_limits) : row.query_limits,
+          schemaAccess: typeof row.schema_access === "string" ? JSON.parse(row.schema_access) : row.schema_access,
+          logAllQueries: !!row.log_all_queries,
+          requireApproval: !!row.require_approval,
+          enabled: !!row.enabled,
+          createdAt: row.created_at,
+          updatedAt: row.updated_at
+        };
+      }
+      configToStorable(config) {
+        const { id, orgId, name, type, status, lastTestedAt, lastError, createdAt, updatedAt, ...rest } = config;
+        return rest;
+      }
+      // ─── Cleanup ───────────────────────────────────────────────────────────────
+      async shutdown() {
+        for (const [connId] of this.pools) {
+          await this.closePool(connId);
+        }
+        console.log("[db-access] All connection pools closed");
+      }
+    };
+  }
+});
+
+export {
+  init_query_sanitizer,
+  DatabaseConnectionManager,
+  init_connection_manager
+};