@berthojoris/mcp-mysql-server 1.12.0 → 1.14.0

package/dist/security/maskingLayer.d.ts

@@ -0,0 +1,37 @@
+export declare enum MaskingStrategy {
+    REDACT = "redact",// Replace with [REDACTED]
+    PARTIAL = "partial",// Show first/last chars: a***@b.com
+    HASH = "hash",// SHA256 hash (simulated for simplicity or real)
+    NONE = "none"
+}
+export interface MaskingRule {
+    columnPattern: RegExp;
+    strategy: MaskingStrategy;
+}
+export declare enum MaskingProfile {
+    NONE = "none",
+    SOFT = "soft",// Mask only credentials (passwords, secrets)
+    PARTIAL = "partial",// Mask credentials + partial mask PII (email, phone)
+    STRICT = "strict"
+}
+/**
+ * Data Masking Layer
+ * Handles identifying and masking sensitive data in query results
+ */
+export declare class MaskingLayer {
+    private profile;
+    private rules;
+    constructor(profile?: string);
+    private parseProfile;
+    private getRulesForProfile;
+    /**
+     * Check if filtering is active
+     */
+    isEnabled(): boolean;
+    getProfile(): MaskingProfile;
+    /**
+     * Apply masking to a dataset (array of objects)
+     */
+    processResults(data: any[]): any[];
+    private applyStrategy;
+}

package/dist/security/maskingLayer.js

@@ -0,0 +1,131 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MaskingLayer = exports.MaskingProfile = exports.MaskingStrategy = void 0;
+var MaskingStrategy;
+(function (MaskingStrategy) {
+    MaskingStrategy["REDACT"] = "redact";
+    MaskingStrategy["PARTIAL"] = "partial";
+    MaskingStrategy["HASH"] = "hash";
+    MaskingStrategy["NONE"] = "none"; // No masking
+})(MaskingStrategy || (exports.MaskingStrategy = MaskingStrategy = {}));
+var MaskingProfile;
+(function (MaskingProfile) {
+    MaskingProfile["NONE"] = "none";
+    MaskingProfile["SOFT"] = "soft";
+    MaskingProfile["PARTIAL"] = "partial";
+    MaskingProfile["STRICT"] = "strict"; // Redact all PII and credentials
+})(MaskingProfile || (exports.MaskingProfile = MaskingProfile = {}));
+/**
+ * Data Masking Layer
+ * Handles identifying and masking sensitive data in query results
+ */
+class MaskingLayer {
+    constructor(profile = "none") {
+        this.profile = this.parseProfile(profile);
+        this.rules = this.getRulesForProfile(this.profile);
+    }
+    parseProfile(input) {
+        const normalized = input.toLowerCase().trim();
+        if (Object.values(MaskingProfile).includes(normalized)) {
+            return normalized;
+        }
+        return MaskingProfile.NONE;
+    }
+    getRulesForProfile(profile) {
+        const credentialsPattern = /^(password|passwd|pwd|secret|token|api_key|auth_key|access_token|refresh_token)$/i;
+        const piiPattern = /^(email|phone|mobile|cell|ssn|social_security|credit_card|cc_number|card_number|iban|dob|date_of_birth)$/i;
+        switch (profile) {
+            case MaskingProfile.NONE:
+                return [];
+            case MaskingProfile.SOFT:
+                return [
+                    { columnPattern: credentialsPattern, strategy: MaskingStrategy.REDACT }
+                ];
+            case MaskingProfile.PARTIAL:
+                return [
+                    { columnPattern: credentialsPattern, strategy: MaskingStrategy.REDACT },
+                    { columnPattern: piiPattern, strategy: MaskingStrategy.PARTIAL }
+                ];
+            case MaskingProfile.STRICT:
+                return [
+                    { columnPattern: credentialsPattern, strategy: MaskingStrategy.REDACT },
+                    { columnPattern: piiPattern, strategy: MaskingStrategy.REDACT }
+                ];
+            default:
+                return [];
+        }
+    }
+    /**
+     * Check if filtering is active
+     */
+    isEnabled() {
+        return this.profile !== MaskingProfile.NONE;
+    }
+    getProfile() {
+        return this.profile;
+    }
+    /**
+     * Apply masking to a dataset (array of objects)
+     */
+    processResults(data) {
+        if (!this.isEnabled() || !data || data.length === 0) {
+            return data;
+        }
+        // Identify columns to mask based on the first record (optimization)
+        const firstRecord = data[0];
+        const columns = Object.keys(firstRecord);
+        const columnsToMask = [];
+        for (const col of columns) {
+            for (const rule of this.rules) {
+                if (rule.columnPattern.test(col)) {
+                    columnsToMask.push({ col, strategy: rule.strategy });
+                    break; // Apply first matching rule
+                }
+            }
+        }
+        if (columnsToMask.length === 0) {
+            // No sensitive columns found
+            return data;
+        }
+        // Apply masking to all records
+        return data.map(record => {
+            const maskedRecord = { ...record };
+            for (const { col, strategy } of columnsToMask) {
+                if (maskedRecord[col] !== null && maskedRecord[col] !== undefined) {
+                    maskedRecord[col] = this.applyStrategy(maskedRecord[col], strategy);
+                }
+            }
+            return maskedRecord;
+        });
+    }
+    applyStrategy(value, strategy) {
+        const strVal = String(value);
+        switch (strategy) {
+            case MaskingStrategy.REDACT:
+                return "[REDACTED]";
+            case MaskingStrategy.PARTIAL:
+                if (strVal.includes('@')) {
+                    // Email masking: j***@domain.com
+                    const [local, domain] = strVal.split('@');
+                    const maskedLocal = local.length > 2 ? local[0] + '***' + local[local.length - 1] : '***';
+                    return `${maskedLocal}@${domain}`;
+                }
+                else if (strVal.length > 4) {
+                    // Generic partial: show last 4 chars (e.g. phone/cc)
+                    // or first 1 + last 4
+                    return '***' + strVal.slice(-4);
+                }
+                else {
+                    return "***";
+                }
+            case MaskingStrategy.HASH:
+                // Simple placeholder for hash to avoid crypto dependency if not needed,
+                // or use a simple consistent hash if strictly required. 
+                // For now, let's use a redaction-like placeholder to indicate hashing intent.
+                return "[HASHED]";
+            default:
+                return value;
+        }
+    }
+}
+exports.MaskingLayer = MaskingLayer;

package/dist/security/securityLayer.d.ts

@@ -1,10 +1,12 @@
 import { FeatureConfig } from "../config/featureConfig.js";
+import { MaskingLayer } from "./maskingLayer.js";
 export declare class SecurityLayer {
     private ajv;
     private readonly dangerousKeywords;
     private readonly allowedOperations;
     private readonly ddlOperations;
     private featureConfig;
+    masking: MaskingLayer;
     constructor(featureConfig?: FeatureConfig);
     /**
      * Check if a query is a read-only information query (SHOW, DESCRIBE, EXPLAIN, etc.)

package/dist/security/securityLayer.js

@@ -6,10 +6,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SecurityLayer = void 0;
 const ajv_1 = __importDefault(require("ajv"));
 const featureConfig_js_1 = require("../config/featureConfig.js");
+const maskingLayer_js_1 = require("./maskingLayer.js");
 class SecurityLayer {
     constructor(featureConfig) {
         this.ajv = new ajv_1.default();
         this.featureConfig = featureConfig || new featureConfig_js_1.FeatureConfig();
+        // Initialize masking layer from environment variable
+        const maskingProfile = process.env.MCP_MASKING_PROFILE || "none";
+        this.masking = new maskingLayer_js_1.MaskingLayer(maskingProfile);
         // Define dangerous SQL keywords that should ALWAYS be blocked (critical security threats)
         // These are blocked even with 'execute' permission
         // Note: Avoid blocking common table/column names like "user" or "password"

package/dist/tools/aiTools.d.ts

@@ -0,0 +1,22 @@
+import { SecurityLayer } from "../security/securityLayer";
+export declare class AiTools {
+    private db;
+    private security;
+    private analyzer;
+    private optimizer;
+    constructor(security: SecurityLayer);
+    /**
+     * guided_query_fixer
+     * Analyzes a query (and optional error) to suggest repairs or optimizations using EXPLAIN.
+     */
+    repairQuery(params: {
+        query: string;
+        error_message?: string;
+    }): Promise<{
+        status: string;
+        analysis?: any;
+        fixed_query?: string;
+        suggestions?: string[];
+        error?: string;
+    }>;
+}

package/dist/tools/aiTools.js

@@ -0,0 +1,80 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AiTools = void 0;
+const connection_1 = __importDefault(require("../db/connection"));
+const explainAnalyzer_1 = require("../optimization/explainAnalyzer");
+const queryOptimizer_1 = require("../optimization/queryOptimizer");
+class AiTools {
+    constructor(security) {
+        this.db = connection_1.default.getInstance();
+        this.security = security;
+        this.analyzer = explainAnalyzer_1.ExplainAnalyzer.getInstance();
+        this.optimizer = queryOptimizer_1.QueryOptimizer.getInstance();
+    }
+    /**
+     * guided_query_fixer
+     * Analyzes a query (and optional error) to suggest repairs or optimizations using EXPLAIN.
+     */
+    async repairQuery(params) {
+        const { query, error_message } = params;
+        // 1. If there is a syntax error provided, we can't run EXPLAIN.
+        // We try to provided simple heuristics or just return the analysis of the error.
+        if (error_message) {
+            return {
+                status: "success",
+                suggestions: [
+                    "Check SQL syntax matching your MySQL version.",
+                    "Verify table and column names using 'list_tables' or 'read_table_schema'.",
+                    "Ensure string literals are quoted correctly."
+                ],
+                fixed_query: query, // We can't auto-fix syntax errors reliably without an LLM
+                analysis: {
+                    issue: "Syntax/Execution Error",
+                    details: error_message
+                }
+            };
+        }
+        // 2. Validate query generally (security check)
+        // We assume this tool is used by an agent who might have 'read' permissions at least.
+        // If the query is unsafe (e.g. injection), we return that.
+        const validation = this.security.validateQuery(query, true); // validate with execute permission simulation to check structure
+        if (!validation.valid) {
+            return {
+                status: "error",
+                error: `Query rejected by security layer: ${validation.error}`
+            };
+        }
+        // 3. Run EXPLAIN
+        try {
+            const explainQuery = `EXPLAIN FORMAT=JSON ${query}`;
+            // Note: We use the raw connection or executeSql equivalent.
+            // But EXPLAIN is safe-ish if the inner query is safe.
+            // validation passed, so we try EXPLAIN.
+            const explainResult = await this.db.query(explainQuery);
+            const analysis = this.analyzer.analyze(explainResult);
+            // 4. Try to apply simple fixes based on analysis (e.g. Missing Limit)
+            let fixedQuery = query;
+            if (analysis.complexity === "HIGH" && !query.toLowerCase().includes("limit")) {
+                // Suggest adding LIMIT if not present and complexity is high
+                analysis.suggestions.push("Consider adding 'LIMIT 100' to prevent massive data transfer.");
+            }
+            return {
+                status: "success",
+                analysis: analysis,
+                suggestions: analysis.suggestions,
+                fixed_query: fixedQuery
+            };
+        }
+        catch (e) {
+            return {
+                status: "error",
+                error: `Failed to analyze query: ${e.message}`,
+                suggestions: ["Verify the query is valid SQL before analyzing."]
+            };
+        }
+    }
+}
+exports.AiTools = AiTools;

package/dist/tools/crudTools.js

@@ -187,7 +187,7 @@ class CrudTools {
                 const results = await this.db.query(query, paramValidation.sanitizedParams);
                 return {
                     status: "success",
-                    data: results,
+                    data: this.security.masking.processResults(results),
                     total,
                 };
             }
@@ -197,7 +197,7 @@ class CrudTools {
                 const results = await this.db.query(query, paramValidation.sanitizedParams);
                 return {
                     status: "success",
-                    data: results,
+                    data: this.security.masking.processResults(results),
                     total: results.length,
                 };
             }

package/dist/tools/queryTools.js

@@ -90,9 +90,10 @@ class QueryTools {
             }
             // Execute the query with sanitized parameters
             const results = await this.db.query(finalQuery, paramValidation.sanitizedParams, useCache);
+            const maskedResults = this.security.masking.processResults(results);
             return {
                 status: "success",
-                data: results,
+                data: maskedResults,
                 optimizedQuery,
             };
         }