@bytebase/dbhub 0.10.0 → 0.11.1

package/README.md

@@ -22,14 +22,15 @@ DBHub is a universal database gateway implementing the Model Context Protocol (M
  |                  |    |              |    |                  |
  |  Claude Desktop  +--->+              +--->+    PostgreSQL    |
  |                  |    |              |    |                  |
- |  Cursor          +--->+    DBHub     +--->+    SQL Server    |
+ |  Claude Code     +--->+              +--->+    SQL Server    |
  |                  |    |              |    |                  |
- |  Other Clients   +--->+              +--->+    SQLite        |
+ |  Cursor          +--->+    DBHub     +--->+    SQLite        |
  |                  |    |              |    |                  |
- |                  |    |              +--->+    MySQL         |
+ |  Other Clients   +--->+              +--->+    MySQL         |
  |                  |    |              |    |                  |
  |                  |    |              +--->+    MariaDB       |
  |                  |    |              |    |                  |
+ |                  |    |              |    |                  |
  +------------------+    +--------------+    +------------------+
       MCP Clients           MCP Server             Databases
 ```
@@ -82,7 +83,7 @@ docker run --rm --init \
 ```
 
 ```bash
-# Demo mode with sample employee database
+# Demo mode with sqlite sample employee database
 docker run --rm --init \
    --name dbhub \
    --publish 8080:8080 \
@@ -92,12 +93,14 @@ docker run --rm --init \
    --demo
 ```
 
-
 ### NPM
 
 ```bash
 # PostgreSQL example
 npx @bytebase/dbhub --transport http --port 8080 --dsn "postgres://user:password@localhost:5432/dbname?sslmode=disable"
+
+# Demo mode with sqlite sample employee database
+npx @bytebase/dbhub --transport http --port 8080 --demo
 ```
 
 ```bash
@@ -150,6 +153,10 @@ npx @bytebase/dbhub --transport http --port 8080 --demo
 }
 ```
 
+### Claude Code
+
+Check https://docs.anthropic.com/en/docs/claude-code/mcp
+
 ### Cursor
 
 [![Install MCP Server](https://cursor.com/deeplink/mcp-install-dark.svg)](https://cursor.com/install-mcp?name=dbhub&config=eyJjb21tYW5kIjoibnB4IEBieXRlYmFzZS9kYmh1YiIsImVudiI6eyJUUkFOU1BPUlQiOiJzdGRpbyIsIkRTTiI6InBvc3RncmVzOi8vdXNlcjpwYXNzd29yZEBsb2NhbGhvc3Q6NTQzMi9kYm5hbWU%2Fc3NsbW9kZT1kaXNhYmxlIiwiUkVBRE9OTFkiOiJ0cnVlIn19)
@@ -161,17 +168,30 @@ npx @bytebase/dbhub --transport http --port 8080 --demo
 
 ## Usage
 
+### Read-only Mode
+
+You can run DBHub in read-only mode, which restricts SQL query execution to read-only operations:
+
+```bash
+# Enable read-only mode
+npx @bytebase/dbhub --readonly --dsn "postgres://user:password@localhost:5432/dbname"
+```
+
+In read-only mode, only [readonly SQL operations](https://github.com/bytebase/dbhub/blob/main/src/utils/allowed-keywords.ts) are allowed.
+
+This provides an additional layer of security when connecting to production databases.
+
 ### SSL Connections
 
 You can specify the SSL mode using the `sslmode` parameter in your DSN string:
 
-| Database   | `sslmode=disable` | `sslmode=require` |      Default SSL Behavior      |
-| ---------- | :---------------: | :---------------: | :----------------------------: |
-| PostgreSQL |        ✅         |        ✅         |    Certificate verification    |
-| MySQL      |        ✅         |        ✅         |    Certificate verification    |
-| MariaDB    |        ✅         |        ✅         |    Certificate verification    |
-| SQL Server |        ✅         |        ✅         |    Certificate verification    |
-| SQLite     |        ❌         |        ❌         |        N/A (file-based)        |
+| Database   | `sslmode=disable` | `sslmode=require` |   Default SSL Behavior   |
+| ---------- | :---------------: | :---------------: | :----------------------: |
+| PostgreSQL |        ✅         |        ✅         | Certificate verification |
+| MySQL      |        ✅         |        ✅         | Certificate verification |
+| MariaDB    |        ✅         |        ✅         | Certificate verification |
+| SQL Server |        ✅         |        ✅         | Certificate verification |
+| SQLite     |        ❌         |        ❌         |     N/A (file-based)     |
 
 **SSL Mode Options:**
 
@@ -193,18 +213,70 @@ postgres://user:password@localhost:5432/dbname?sslmode=require
 postgres://user:password@localhost:5432/dbname
 ```
 
-### Read-only Mode
+### SSH Tunnel Support
 
-You can run DBHub in read-only mode, which restricts SQL query execution to read-only operations:
+DBHub supports connecting to databases through SSH tunnels, enabling secure access to databases in private networks or behind firewalls.
+
+#### Using SSH Config File (Recommended)
+
+DBHub can read SSH connection settings from your `~/.ssh/config` file. Simply use the host alias from your SSH config:
 
 ```bash
-# Enable read-only mode
-npx @bytebase/dbhub --readonly --dsn "postgres://user:password@localhost:5432/dbname"
+# If you have this in ~/.ssh/config:
+# Host mybastion
+#   HostName bastion.example.com
+#   User ubuntu
+#   IdentityFile ~/.ssh/id_rsa
+
+npx @bytebase/dbhub \
+  --dsn "postgres://dbuser:dbpass@database.internal:5432/mydb" \
+  --ssh-host mybastion
 ```
 
-In read-only mode, only [readonly SQL operations](https://github.com/bytebase/dbhub/blob/main/src/utils/allowed-keywords.ts) are allowed.
+DBHub will automatically use the settings from your SSH config, including hostname, user, port, and identity file. If no identity file is specified in the config, DBHub will try common default locations (`~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, etc.).
 
-This provides an additional layer of security when connecting to production databases.
+#### SSH with Password Authentication
+
+```bash
+npx @bytebase/dbhub \
+  --dsn "postgres://dbuser:dbpass@database.internal:5432/mydb" \
+  --ssh-host bastion.example.com \
+  --ssh-user ubuntu \
+  --ssh-password mypassword
+```
+
+#### SSH with Private Key Authentication
+
+```bash
+npx @bytebase/dbhub \
+  --dsn "postgres://dbuser:dbpass@database.internal:5432/mydb" \
+  --ssh-host bastion.example.com \
+  --ssh-user ubuntu \
+  --ssh-key ~/.ssh/id_rsa
+```
+
+#### SSH with Private Key and Passphrase
+
+```bash
+npx @bytebase/dbhub \
+  --dsn "postgres://dbuser:dbpass@database.internal:5432/mydb" \
+  --ssh-host bastion.example.com \
+  --ssh-port 2222 \
+  --ssh-user ubuntu \
+  --ssh-key ~/.ssh/id_rsa \
+  --ssh-passphrase mykeypassphrase
+```
+
+#### Using Environment Variables
+
+```bash
+export SSH_HOST=bastion.example.com
+export SSH_USER=ubuntu
+export SSH_KEY=~/.ssh/id_rsa
+npx @bytebase/dbhub --dsn "postgres://dbuser:dbpass@database.internal:5432/mydb"
+```
+
+**Note**: When using SSH tunnels, the database host in your DSN should be the hostname/IP as seen from the SSH server (bastion host), not from your local machine.
 
 ### Configure your database connection
 
@@ -244,14 +316,13 @@ For real databases, a Database Source Name (DSN) is required. You can provide th
 
 DBHub supports the following database connection string formats:
 
-| Database   | DSN Format                                                | Example                                                                                                        |
-| ---------- | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
-| MySQL      | `mysql://[user]:[password]@[host]:[port]/[database]`      | `mysql://user:password@localhost:3306/dbname?sslmode=disable`                                                  |
-| MariaDB    | `mariadb://[user]:[password]@[host]:[port]/[database]`    | `mariadb://user:password@localhost:3306/dbname?sslmode=disable`                                                |
-| PostgreSQL | `postgres://[user]:[password]@[host]:[port]/[database]`   | `postgres://user:password@localhost:5432/dbname?sslmode=disable`                                               |
-| SQL Server | `sqlserver://[user]:[password]@[host]:[port]/[database]`  | `sqlserver://user:password@localhost:1433/dbname?sslmode=disable`                                              |
-| SQLite     | `sqlite:///[path/to/file]` or `sqlite:///:memory:`        | `sqlite:///path/to/database.db`, `sqlite:C:/Users/YourName/data/database.db (windows)` or `sqlite:///:memory:` |
-
+| Database   | DSN Format                                               | Example                                                                                                        |
+| ---------- | -------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| MySQL      | `mysql://[user]:[password]@[host]:[port]/[database]`     | `mysql://user:password@localhost:3306/dbname?sslmode=disable`                                                  |
+| MariaDB    | `mariadb://[user]:[password]@[host]:[port]/[database]`   | `mariadb://user:password@localhost:3306/dbname?sslmode=disable`                                                |
+| PostgreSQL | `postgres://[user]:[password]@[host]:[port]/[database]`  | `postgres://user:password@localhost:5432/dbname?sslmode=disable`                                               |
+| SQL Server | `sqlserver://[user]:[password]@[host]:[port]/[database]` | `sqlserver://user:password@localhost:1433/dbname?sslmode=disable`                                              |
+| SQLite     | `sqlite:///[path/to/file]` or `sqlite:///:memory:`       | `sqlite:///path/to/database.db`, `sqlite:C:/Users/YourName/data/database.db (windows)` or `sqlite:///:memory:` |
 
 #### SQL Server
 
@@ -276,13 +347,19 @@ Extra query parameters:
 
 ### Command line options
 
-| Option    | Environment Variable | Description                                                      | Default                      |
-| --------- | -------------------- | ---------------------------------------------------------------- | ---------------------------- |
-| dsn       | `DSN`                | Database connection string                                       | Required if not in demo mode |
-| transport | `TRANSPORT`          | Transport mode: `stdio` or `http`                                | `stdio`                      |
-| port      | `PORT`               | HTTP server port (only applicable when using `--transport=http`) | `8080`                       |
-| readonly  | `READONLY`           | Restrict SQL execution to read-only operations                   | `false`                      |
-| demo      | N/A                  | Run in demo mode with sample employee database                   | `false`                      |
+| Option         | Environment Variable | Description                                                      | Default                      |
+| -------------- | -------------------- | ---------------------------------------------------------------- | ---------------------------- |
+| dsn            | `DSN`                | Database connection string                                       | Required if not in demo mode |
+| transport      | `TRANSPORT`          | Transport mode: `stdio` or `http`                                | `stdio`                      |
+| port           | `PORT`               | HTTP server port (only applicable when using `--transport=http`) | `8080`                       |
+| readonly       | `READONLY`           | Restrict SQL execution to read-only operations                   | `false`                      |
+| demo           | N/A                  | Run in demo mode with sample employee database                   | `false`                      |
+| ssh-host       | `SSH_HOST`           | SSH server hostname for tunnel connection                        | N/A                          |
+| ssh-port       | `SSH_PORT`           | SSH server port                                                  | `22`                         |
+| ssh-user       | `SSH_USER`           | SSH username                                                     | N/A                          |
+| ssh-password   | `SSH_PASSWORD`       | SSH password (for password authentication)                       | N/A                          |
+| ssh-key        | `SSH_KEY`            | Path to SSH private key file                                     | N/A                          |
+| ssh-passphrase | `SSH_PASSPHRASE`     | Passphrase for SSH private key                                   | N/A                          |
 
 The demo mode uses an in-memory SQLite database loaded with the [sample employee database](https://github.com/bytebase/dbhub/tree/main/resources/employee-sqlite) that includes tables for employees, departments, titles, salaries, department employees, and department managers. The sample database includes SQL scripts for table creation, data loading, and testing.
 
@@ -379,7 +456,6 @@ docker pull mcr.microsoft.com/mssql/server:2019-latest
 - Ensure Docker has sufficient memory allocated (4GB+ recommended)
 - Consider running SQL Server tests separately if experiencing timeouts
 
-
 **Network/Resource Issues:**
 
 ```bash

package/dist/index.js

@@ -1881,89 +1881,148 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import express from "express";
 import path3 from "path";
-import { readFileSync } from "fs";
+import { readFileSync as readFileSync3 } from "fs";
 import { fileURLToPath as fileURLToPath3 } from "url";
 
-// src/connectors/manager.ts
-var managerInstance = null;
-var ConnectorManager = class {
+// src/utils/ssh-tunnel.ts
+import { Client } from "ssh2";
+import { readFileSync } from "fs";
+import { createServer } from "net";
+var SSHTunnel = class {
   constructor() {
-    this.activeConnector = null;
-    this.connected = false;
-    if (!managerInstance) {
-      managerInstance = this;
-    }
+    this.sshClient = null;
+    this.localServer = null;
+    this.tunnelInfo = null;
+    this.isConnected = false;
   }
   /**
-   * Initialize and connect to the database using a DSN
+   * Establish an SSH tunnel
+   * @param config SSH connection configuration
+   * @param options Tunnel options including target host and port
+   * @returns Promise resolving to tunnel information including local port
    */
-  async connectWithDSN(dsn, initScript) {
-    let connector = ConnectorRegistry.getConnectorForDSN(dsn);
-    if (!connector) {
-      throw new Error(`No connector found that can handle the DSN: ${dsn}`);
-    }
-    this.activeConnector = connector;
-    await this.activeConnector.connect(dsn, initScript);
-    this.connected = true;
+  async establish(config, options) {
+    if (this.isConnected) {
+      throw new Error("SSH tunnel is already established");
+    }
+    return new Promise((resolve, reject) => {
+      this.sshClient = new Client();
+      const sshConfig = {
+        host: config.host,
+        port: config.port || 22,
+        username: config.username
+      };
+      if (config.password) {
+        sshConfig.password = config.password;
+      } else if (config.privateKey) {
+        try {
+          const privateKey = readFileSync(config.privateKey);
+          sshConfig.privateKey = privateKey;
+          if (config.passphrase) {
+            sshConfig.passphrase = config.passphrase;
+          }
+        } catch (error) {
+          reject(new Error(`Failed to read private key file: ${error instanceof Error ? error.message : String(error)}`));
+          return;
+        }
+      } else {
+        reject(new Error("Either password or privateKey must be provided for SSH authentication"));
+        return;
+      }
+      this.sshClient.on("error", (err) => {
+        this.cleanup();
+        reject(new Error(`SSH connection error: ${err.message}`));
+      });
+      this.sshClient.on("ready", () => {
+        console.error("SSH connection established");
+        this.localServer = createServer((localSocket) => {
+          this.sshClient.forwardOut(
+            "127.0.0.1",
+            0,
+            options.targetHost,
+            options.targetPort,
+            (err, stream) => {
+              if (err) {
+                console.error("SSH forward error:", err);
+                localSocket.end();
+                return;
+              }
+              localSocket.pipe(stream).pipe(localSocket);
+              stream.on("error", (err2) => {
+                console.error("SSH stream error:", err2);
+                localSocket.end();
+              });
+              localSocket.on("error", (err2) => {
+                console.error("Local socket error:", err2);
+                stream.end();
+              });
+            }
+          );
+        });
+        const localPort = options.localPort || 0;
+        this.localServer.listen(localPort, "127.0.0.1", () => {
+          const address = this.localServer.address();
+          if (!address || typeof address === "string") {
+            this.cleanup();
+            reject(new Error("Failed to get local server address"));
+            return;
+          }
+          this.tunnelInfo = {
+            localPort: address.port,
+            targetHost: options.targetHost,
+            targetPort: options.targetPort
+          };
+          this.isConnected = true;
+          console.error(`SSH tunnel established: localhost:${address.port} -> ${options.targetHost}:${options.targetPort}`);
+          resolve(this.tunnelInfo);
+        });
+        this.localServer.on("error", (err) => {
+          this.cleanup();
+          reject(new Error(`Local server error: ${err.message}`));
+        });
+      });
+      this.sshClient.connect(sshConfig);
+    });
   }
   /**
-   * Initialize and connect to the database using a specific connector type
+   * Close the SSH tunnel and clean up resources
    */
-  async connectWithType(connectorType, dsn) {
-    const connector = ConnectorRegistry.getConnector(connectorType);
-    if (!connector) {
-      throw new Error(`Connector "${connectorType}" not found`);
-    }
-    this.activeConnector = connector;
-    const connectionString = dsn || connector.dsnParser.getSampleDSN();
-    await this.activeConnector.connect(connectionString);
-    this.connected = true;
+  async close() {
+    if (!this.isConnected) {
+      return;
+    }
+    return new Promise((resolve) => {
+      this.cleanup();
+      this.isConnected = false;
+      console.error("SSH tunnel closed");
+      resolve();
+    });
   }
   /**
-   * Close the database connection
+   * Clean up resources
    */
-  async disconnect() {
-    if (this.activeConnector && this.connected) {
-      await this.activeConnector.disconnect();
-      this.connected = false;
+  cleanup() {
+    if (this.localServer) {
+      this.localServer.close();
+      this.localServer = null;
     }
-  }
-  /**
-   * Get the active connector
-   */
-  getConnector() {
-    if (!this.activeConnector) {
-      throw new Error("No active connector. Call connectWithDSN() or connectWithType() first.");
+    if (this.sshClient) {
+      this.sshClient.end();
+      this.sshClient = null;
     }
-    return this.activeConnector;
+    this.tunnelInfo = null;
   }
   /**
-   * Check if there's an active connection
-   */
-  isConnected() {
-    return this.connected;
-  }
-  /**
-   * Get all available connector types
+   * Get current tunnel information
    */
-  static getAvailableConnectors() {
-    return ConnectorRegistry.getAvailableConnectors();
+  getTunnelInfo() {
+    return this.tunnelInfo;
   }
   /**
-   * Get sample DSNs for all available connectors
+   * Check if tunnel is connected
    */
-  static getAllSampleDSNs() {
-    return ConnectorRegistry.getAllSampleDSNs();
-  }
-  /**
-   * Get the current active connector instance
-   * This is used by resource and tool handlers
-   */
-  static getCurrentConnector() {
-    if (!managerInstance) {
-      throw new Error("ConnectorManager not initialized");
-    }
-    return managerInstance.getConnector();
+  getIsConnected() {
+    return this.isConnected;
   }
 };
 
@@ -1972,6 +2031,102 @@ import dotenv from "dotenv";
 import path from "path";
 import fs from "fs";
 import { fileURLToPath } from "url";
+
+// src/utils/ssh-config-parser.ts
+import { readFileSync as readFileSync2, existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import SSHConfig from "ssh-config";
+var DEFAULT_SSH_KEYS = [
+  "~/.ssh/id_rsa",
+  "~/.ssh/id_ed25519",
+  "~/.ssh/id_ecdsa",
+  "~/.ssh/id_dsa"
+];
+function expandTilde(filePath) {
+  if (filePath.startsWith("~/")) {
+    return join(homedir(), filePath.substring(2));
+  }
+  return filePath;
+}
+function fileExists(filePath) {
+  try {
+    return existsSync(expandTilde(filePath));
+  } catch {
+    return false;
+  }
+}
+function findDefaultSSHKey() {
+  for (const keyPath of DEFAULT_SSH_KEYS) {
+    if (fileExists(keyPath)) {
+      return expandTilde(keyPath);
+    }
+  }
+  return void 0;
+}
+function parseSSHConfig(hostAlias, configPath) {
+  const sshConfigPath = configPath || join(homedir(), ".ssh", "config");
+  if (!existsSync(sshConfigPath)) {
+    return null;
+  }
+  try {
+    const configContent = readFileSync2(sshConfigPath, "utf8");
+    const config = SSHConfig.parse(configContent);
+    const hostConfig = config.compute(hostAlias);
+    if (!hostConfig || !hostConfig.HostName && !hostConfig.User) {
+      return null;
+    }
+    const sshConfig = {};
+    if (hostConfig.HostName) {
+      sshConfig.host = hostConfig.HostName;
+    } else {
+      sshConfig.host = hostAlias;
+    }
+    if (hostConfig.Port) {
+      sshConfig.port = parseInt(hostConfig.Port, 10);
+    }
+    if (hostConfig.User) {
+      sshConfig.username = hostConfig.User;
+    }
+    if (hostConfig.IdentityFile) {
+      const identityFile = Array.isArray(hostConfig.IdentityFile) ? hostConfig.IdentityFile[0] : hostConfig.IdentityFile;
+      const expandedPath = expandTilde(identityFile);
+      if (fileExists(expandedPath)) {
+        sshConfig.privateKey = expandedPath;
+      }
+    }
+    if (!sshConfig.privateKey) {
+      const defaultKey = findDefaultSSHKey();
+      if (defaultKey) {
+        sshConfig.privateKey = defaultKey;
+      }
+    }
+    if (hostConfig.ProxyJump || hostConfig.ProxyCommand) {
+      console.error("Warning: ProxyJump/ProxyCommand in SSH config is not yet supported by DBHub");
+    }
+    if (!sshConfig.host || !sshConfig.username) {
+      return null;
+    }
+    return sshConfig;
+  } catch (error) {
+    console.error(`Error parsing SSH config: ${error instanceof Error ? error.message : String(error)}`);
+    return null;
+  }
+}
+function looksLikeSSHAlias(host) {
+  if (host.includes(".")) {
+    return false;
+  }
+  if (/^[\d:]+$/.test(host)) {
+    return false;
+  }
+  if (/^[0-9a-fA-F:]+$/.test(host) && host.includes(":")) {
+    return false;
+  }
+  return true;
+}
+
+// src/config/env.ts
 var __filename = fileURLToPath(import.meta.url);
 var __dirname = path.dirname(__filename);
 function parseCommandLineArgs() {
@@ -2086,6 +2241,206 @@ function redactDSN(dsn) {
     return dsn.replace(/\/\/([^:]+):([^@]+)@/, "//$1:***@");
   }
 }
+function resolveSSHConfig() {
+  const args = parseCommandLineArgs();
+  const hasSSHArgs = args["ssh-host"] || process.env.SSH_HOST;
+  if (!hasSSHArgs) {
+    return null;
+  }
+  let config = {};
+  let sources = [];
+  let sshConfigHost;
+  if (args["ssh-host"]) {
+    sshConfigHost = args["ssh-host"];
+    config.host = args["ssh-host"];
+    sources.push("ssh-host from command line");
+  } else if (process.env.SSH_HOST) {
+    sshConfigHost = process.env.SSH_HOST;
+    config.host = process.env.SSH_HOST;
+    sources.push("SSH_HOST from environment");
+  }
+  if (sshConfigHost && looksLikeSSHAlias(sshConfigHost)) {
+    const sshConfigData = parseSSHConfig(sshConfigHost);
+    if (sshConfigData) {
+      config = { ...sshConfigData };
+      sources.push(`SSH config for host '${sshConfigHost}'`);
+    }
+  }
+  if (args["ssh-port"]) {
+    config.port = parseInt(args["ssh-port"], 10);
+    sources.push("ssh-port from command line");
+  } else if (process.env.SSH_PORT) {
+    config.port = parseInt(process.env.SSH_PORT, 10);
+    sources.push("SSH_PORT from environment");
+  }
+  if (args["ssh-user"]) {
+    config.username = args["ssh-user"];
+    sources.push("ssh-user from command line");
+  } else if (process.env.SSH_USER) {
+    config.username = process.env.SSH_USER;
+    sources.push("SSH_USER from environment");
+  }
+  if (args["ssh-password"]) {
+    config.password = args["ssh-password"];
+    sources.push("ssh-password from command line");
+  } else if (process.env.SSH_PASSWORD) {
+    config.password = process.env.SSH_PASSWORD;
+    sources.push("SSH_PASSWORD from environment");
+  }
+  if (args["ssh-key"]) {
+    config.privateKey = args["ssh-key"];
+    if (config.privateKey.startsWith("~/")) {
+      config.privateKey = path.join(process.env.HOME || "", config.privateKey.substring(2));
+    }
+    sources.push("ssh-key from command line");
+  } else if (process.env.SSH_KEY) {
+    config.privateKey = process.env.SSH_KEY;
+    if (config.privateKey.startsWith("~/")) {
+      config.privateKey = path.join(process.env.HOME || "", config.privateKey.substring(2));
+    }
+    sources.push("SSH_KEY from environment");
+  }
+  if (args["ssh-passphrase"]) {
+    config.passphrase = args["ssh-passphrase"];
+    sources.push("ssh-passphrase from command line");
+  } else if (process.env.SSH_PASSPHRASE) {
+    config.passphrase = process.env.SSH_PASSPHRASE;
+    sources.push("SSH_PASSPHRASE from environment");
+  }
+  if (!config.host || !config.username) {
+    throw new Error("SSH tunnel configuration requires at least --ssh-host and --ssh-user");
+  }
+  if (!config.password && !config.privateKey) {
+    throw new Error("SSH tunnel configuration requires either --ssh-password or --ssh-key for authentication");
+  }
+  return {
+    config,
+    source: sources.join(", ")
+  };
+}
+
+// src/connectors/manager.ts
+var managerInstance = null;
+var ConnectorManager = class {
+  constructor() {
+    this.activeConnector = null;
+    this.connected = false;
+    this.sshTunnel = null;
+    this.originalDSN = null;
+    if (!managerInstance) {
+      managerInstance = this;
+    }
+  }
+  /**
+   * Initialize and connect to the database using a DSN
+   */
+  async connectWithDSN(dsn, initScript) {
+    this.originalDSN = dsn;
+    const sshConfig = resolveSSHConfig();
+    let actualDSN = dsn;
+    if (sshConfig) {
+      console.error(`SSH tunnel configuration loaded from ${sshConfig.source}`);
+      const url = new URL(dsn);
+      const targetHost = url.hostname;
+      const targetPort = parseInt(url.port) || this.getDefaultPort(dsn);
+      this.sshTunnel = new SSHTunnel();
+      const tunnelInfo = await this.sshTunnel.establish(sshConfig.config, {
+        targetHost,
+        targetPort
+      });
+      url.hostname = "127.0.0.1";
+      url.port = tunnelInfo.localPort.toString();
+      actualDSN = url.toString();
+      console.error(`Database connection will use SSH tunnel through localhost:${tunnelInfo.localPort}`);
+    }
+    let connector = ConnectorRegistry.getConnectorForDSN(actualDSN);
+    if (!connector) {
+      throw new Error(`No connector found that can handle the DSN: ${actualDSN}`);
+    }
+    this.activeConnector = connector;
+    await this.activeConnector.connect(actualDSN, initScript);
+    this.connected = true;
+  }
+  /**
+   * Initialize and connect to the database using a specific connector type
+   */
+  async connectWithType(connectorType, dsn) {
+    const connector = ConnectorRegistry.getConnector(connectorType);
+    if (!connector) {
+      throw new Error(`Connector "${connectorType}" not found`);
+    }
+    this.activeConnector = connector;
+    const connectionString = dsn || connector.dsnParser.getSampleDSN();
+    await this.activeConnector.connect(connectionString);
+    this.connected = true;
+  }
+  /**
+   * Close the database connection
+   */
+  async disconnect() {
+    if (this.activeConnector && this.connected) {
+      await this.activeConnector.disconnect();
+      this.connected = false;
+    }
+    if (this.sshTunnel) {
+      await this.sshTunnel.close();
+      this.sshTunnel = null;
+    }
+    this.originalDSN = null;
+  }
+  /**
+   * Get the active connector
+   */
+  getConnector() {
+    if (!this.activeConnector) {
+      throw new Error("No active connector. Call connectWithDSN() or connectWithType() first.");
+    }
+    return this.activeConnector;
+  }
+  /**
+   * Check if there's an active connection
+   */
+  isConnected() {
+    return this.connected;
+  }
+  /**
+   * Get all available connector types
+   */
+  static getAvailableConnectors() {
+    return ConnectorRegistry.getAvailableConnectors();
+  }
+  /**
+   * Get sample DSNs for all available connectors
+   */
+  static getAllSampleDSNs() {
+    return ConnectorRegistry.getAllSampleDSNs();
+  }
+  /**
+   * Get the current active connector instance
+   * This is used by resource and tool handlers
+   */
+  static getCurrentConnector() {
+    if (!managerInstance) {
+      throw new Error("ConnectorManager not initialized");
+    }
+    return managerInstance.getConnector();
+  }
+  /**
+   * Get default port for a database based on DSN protocol
+   */
+  getDefaultPort(dsn) {
+    if (dsn.startsWith("postgres://") || dsn.startsWith("postgresql://")) {
+      return 5432;
+    } else if (dsn.startsWith("mysql://")) {
+      return 3306;
+    } else if (dsn.startsWith("mariadb://")) {
+      return 3306;
+    } else if (dsn.startsWith("sqlserver://")) {
+      return 1433;
+    }
+    return 0;
+  }
+};
 
 // src/config/demo-loader.ts
 import fs2 from "fs";
@@ -2948,7 +3303,7 @@ function registerPrompts(server) {
 var __filename3 = fileURLToPath3(import.meta.url);
 var __dirname3 = path3.dirname(__filename3);
 var packageJsonPath = path3.join(__dirname3, "..", "package.json");
-var packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+var packageJson = JSON.parse(readFileSync3(packageJsonPath, "utf8"));
 var SERVER_NAME = "DBHub MCP Server";
 var SERVER_VERSION = packageJson.version;
 function generateBanner(version, modes = []) {
@@ -2986,7 +3341,7 @@ See documentation for more details on configuring database connections.
 `);
       process.exit(1);
     }
-    const createServer = () => {
+    const createServer2 = () => {
       const server = new McpServer2({
         name: SERVER_NAME,
         version: SERVER_VERSION
@@ -3040,6 +3395,9 @@ See documentation for more details on configuring database connections.
         }
         next();
       });
+      app.get("/healthz", (req, res) => {
+        res.status(200).send("OK");
+      });
       app.post("/message", async (req, res) => {
         try {
           const transport = new StreamableHTTPServerTransport({
@@ -3048,7 +3406,7 @@ See documentation for more details on configuring database connections.
             enableJsonResponse: false
             // Use SSE streaming
           });
-          const server = createServer();
+          const server = createServer2();
           await server.connect(transport);
           await transport.handleRequest(req, res, req.body);
         } catch (error) {
@@ -3066,7 +3424,7 @@ See documentation for more details on configuring database connections.
         console.error(`Connect to MCP server at http://0.0.0.0:${port}/message`);
       });
     } else {
-      const server = createServer();
+      const server = createServer2();
       const transport = new StdioServerTransport();
       console.error("Starting with STDIO transport");
       await server.connect(transport);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bytebase/dbhub",
-  "version": "0.10.0",
+  "version": "0.11.1",
   "description": "Universal Database MCP Server",
   "main": "dist/index.js",
   "type": "module",
@@ -25,6 +25,8 @@
     "mssql": "^11.0.1",
     "mysql2": "^3.13.0",
     "pg": "^8.13.3",
+    "ssh-config": "^5.0.3",
+    "ssh2": "^1.16.0",
     "zod": "^3.24.2"
   },
   "devDependencies": {
@@ -37,6 +39,7 @@
     "@types/mssql": "^9.1.7",
     "@types/node": "^22.13.10",
     "@types/pg": "^8.11.11",
+    "@types/ssh2": "^1.15.5",
     "cross-env": "^7.0.3",
     "husky": "^9.0.11",
     "lint-staged": "^15.2.2",