@bytebase/dbhub 0.13.2 → 0.15.0

package/dist/{chunk-KBVJEDZF.js → chunk-TPHNNFR5.js}

@@ -62,161 +62,11 @@ var ConnectorRegistry = _ConnectorRegistry;
 
 // src/utils/ssh-tunnel.ts
 import { Client } from "ssh2";
-import { readFileSync } from "fs";
+import { readFileSync as readFileSync2 } from "fs";
 import { createServer } from "net";
-var SSHTunnel = class {
-  constructor() {
-    this.sshClient = null;
-    this.localServer = null;
-    this.tunnelInfo = null;
-    this.isConnected = false;
-  }
-  /**
-   * Establish an SSH tunnel
-   * @param config SSH connection configuration
-   * @param options Tunnel options including target host and port
-   * @returns Promise resolving to tunnel information including local port
-   */
-  async establish(config, options) {
-    if (this.isConnected) {
-      throw new Error("SSH tunnel is already established");
-    }
-    return new Promise((resolve, reject) => {
-      this.sshClient = new Client();
-      const sshConfig = {
-        host: config.host,
-        port: config.port || 22,
-        username: config.username
-      };
-      if (config.password) {
-        sshConfig.password = config.password;
-      } else if (config.privateKey) {
-        try {
-          const privateKey = readFileSync(config.privateKey);
-          sshConfig.privateKey = privateKey;
-          if (config.passphrase) {
-            sshConfig.passphrase = config.passphrase;
-          }
-        } catch (error) {
-          reject(new Error(`Failed to read private key file: ${error instanceof Error ? error.message : String(error)}`));
-          return;
-        }
-      } else {
-        reject(new Error("Either password or privateKey must be provided for SSH authentication"));
-        return;
-      }
-      this.sshClient.on("error", (err) => {
-        this.cleanup();
-        reject(new Error(`SSH connection error: ${err.message}`));
-      });
-      this.sshClient.on("ready", () => {
-        console.error("SSH connection established");
-        this.localServer = createServer((localSocket) => {
-          this.sshClient.forwardOut(
-            "127.0.0.1",
-            0,
-            options.targetHost,
-            options.targetPort,
-            (err, stream) => {
-              if (err) {
-                console.error("SSH forward error:", err);
-                localSocket.end();
-                return;
-              }
-              localSocket.pipe(stream).pipe(localSocket);
-              stream.on("error", (err2) => {
-                console.error("SSH stream error:", err2);
-                localSocket.end();
-              });
-              localSocket.on("error", (err2) => {
-                console.error("Local socket error:", err2);
-                stream.end();
-              });
-            }
-          );
-        });
-        const localPort = options.localPort || 0;
-        this.localServer.listen(localPort, "127.0.0.1", () => {
-          const address = this.localServer.address();
-          if (!address || typeof address === "string") {
-            this.cleanup();
-            reject(new Error("Failed to get local server address"));
-            return;
-          }
-          this.tunnelInfo = {
-            localPort: address.port,
-            targetHost: options.targetHost,
-            targetPort: options.targetPort
-          };
-          this.isConnected = true;
-          console.error(`SSH tunnel established: localhost:${address.port} -> ${options.targetHost}:${options.targetPort}`);
-          resolve(this.tunnelInfo);
-        });
-        this.localServer.on("error", (err) => {
-          this.cleanup();
-          reject(new Error(`Local server error: ${err.message}`));
-        });
-      });
-      this.sshClient.connect(sshConfig);
-    });
-  }
-  /**
-   * Close the SSH tunnel and clean up resources
-   */
-  async close() {
-    if (!this.isConnected) {
-      return;
-    }
-    return new Promise((resolve) => {
-      this.cleanup();
-      this.isConnected = false;
-      console.error("SSH tunnel closed");
-      resolve();
-    });
-  }
-  /**
-   * Clean up resources
-   */
-  cleanup() {
-    if (this.localServer) {
-      this.localServer.close();
-      this.localServer = null;
-    }
-    if (this.sshClient) {
-      this.sshClient.end();
-      this.sshClient = null;
-    }
-    this.tunnelInfo = null;
-  }
-  /**
-   * Get current tunnel information
-   */
-  getTunnelInfo() {
-    return this.tunnelInfo;
-  }
-  /**
-   * Check if tunnel is connected
-   */
-  getIsConnected() {
-    return this.isConnected;
-  }
-};
-
-// src/config/toml-loader.ts
-import fs2 from "fs";
-import path2 from "path";
-import { homedir as homedir3 } from "os";
-import toml from "@iarna/toml";
-
-// src/config/env.ts
-import dotenv from "dotenv";
-import path from "path";
-import fs from "fs";
-import { fileURLToPath } from "url";
-import { homedir as homedir2 } from "os";
 
 // src/utils/ssh-config-parser.ts
-import { readFileSync as readFileSync2, existsSync } from "fs";
+import { readFileSync, realpathSync, statSync } from "fs";
 import { homedir } from "os";
 import { join } from "path";
 import SSHConfig from "ssh-config";
@@ -232,28 +82,38 @@ function expandTilde(filePath) {
   }
   return filePath;
 }
-function fileExists(filePath) {
+function resolveSymlink(filePath) {
+  const expandedPath = expandTilde(filePath);
   try {
-    return existsSync(expandTilde(filePath));
+    return realpathSync(expandedPath);
+  } catch {
+    return expandedPath;
+  }
+}
+function isFile(filePath) {
+  try {
+    const stat = statSync(filePath);
+    return stat.isFile();
   } catch {
     return false;
   }
 }
 function findDefaultSSHKey() {
   for (const keyPath of DEFAULT_SSH_KEYS) {
-    if (fileExists(keyPath)) {
-      return expandTilde(keyPath);
+    const resolvedPath = resolveSymlink(keyPath);
+    if (isFile(resolvedPath)) {
+      return resolvedPath;
     }
   }
   return void 0;
 }
 function parseSSHConfig(hostAlias, configPath) {
-  const sshConfigPath = configPath;
-  if (!existsSync(sshConfigPath)) {
+  const sshConfigPath = resolveSymlink(configPath);
+  if (!isFile(sshConfigPath)) {
     return null;
   }
   try {
-    const configContent = readFileSync2(sshConfigPath, "utf8");
+    const configContent = readFileSync(sshConfigPath, "utf8");
     const config = SSHConfig.parse(configContent);
     const hostConfig = config.compute(hostAlias);
     if (!hostConfig || !hostConfig.HostName && !hostConfig.User) {
@@ -273,9 +133,9 @@ function parseSSHConfig(hostAlias, configPath) {
     }
     if (hostConfig.IdentityFile) {
       const identityFile = Array.isArray(hostConfig.IdentityFile) ? hostConfig.IdentityFile[0] : hostConfig.IdentityFile;
-      const expandedPath = expandTilde(identityFile);
-      if (fileExists(expandedPath)) {
-        sshConfig.privateKey = expandedPath;
+      const resolvedPath = resolveSymlink(identityFile);
+      if (isFile(resolvedPath)) {
+        sshConfig.privateKey = resolvedPath;
       }
     }
     if (!sshConfig.privateKey) {
@@ -284,8 +144,11 @@ function parseSSHConfig(hostAlias, configPath) {
         sshConfig.privateKey = defaultKey;
       }
     }
-    if (hostConfig.ProxyJump || hostConfig.ProxyCommand) {
-      console.error("Warning: ProxyJump/ProxyCommand in SSH config is not yet supported by DBHub");
+    if (hostConfig.ProxyJump) {
+      sshConfig.proxyJump = hostConfig.ProxyJump;
+    }
+    if (hostConfig.ProxyCommand) {
+      console.error("Warning: ProxyCommand in SSH config is not supported by DBHub. Use ProxyJump instead.");
     }
     if (!sshConfig.host || !sshConfig.username) {
       return null;
@@ -308,6 +171,332 @@ function looksLikeSSHAlias(host) {
   }
   return true;
 }
+function validatePort(port, jumpHostStr) {
+  if (isNaN(port) || port <= 0 || port > 65535) {
+    throw new Error(`Invalid port number in "${jumpHostStr}": port must be between 1 and 65535`);
+  }
+}
+function parseJumpHost(jumpHostStr) {
+  let username;
+  let host;
+  let port = 22;
+  let remaining = jumpHostStr.trim();
+  if (!remaining) {
+    throw new Error("Jump host string cannot be empty");
+  }
+  const atIndex = remaining.indexOf("@");
+  if (atIndex !== -1) {
+    const extractedUsername = remaining.substring(0, atIndex).trim();
+    if (extractedUsername) {
+      username = extractedUsername;
+    }
+    remaining = remaining.substring(atIndex + 1);
+  }
+  if (remaining.startsWith("[")) {
+    const closeBracket = remaining.indexOf("]");
+    if (closeBracket !== -1) {
+      host = remaining.substring(1, closeBracket);
+      const afterBracket = remaining.substring(closeBracket + 1);
+      if (afterBracket.startsWith(":")) {
+        const parsedPort = parseInt(afterBracket.substring(1), 10);
+        validatePort(parsedPort, jumpHostStr);
+        port = parsedPort;
+      }
+    } else {
+      throw new Error(`Invalid ProxyJump host "${jumpHostStr}": missing closing bracket in IPv6 address`);
+    }
+  } else {
+    const lastColon = remaining.lastIndexOf(":");
+    if (lastColon !== -1) {
+      const potentialPort = remaining.substring(lastColon + 1);
+      if (/^\d+$/.test(potentialPort)) {
+        host = remaining.substring(0, lastColon);
+        const parsedPort = parseInt(potentialPort, 10);
+        validatePort(parsedPort, jumpHostStr);
+        port = parsedPort;
+      } else {
+        host = remaining;
+      }
+    } else {
+      host = remaining;
+    }
+  }
+  if (!host) {
+    throw new Error(`Invalid jump host format: "${jumpHostStr}" - host cannot be empty`);
+  }
+  return { host, port, username };
+}
+function parseJumpHosts(proxyJump) {
+  if (!proxyJump || proxyJump.trim() === "" || proxyJump.toLowerCase() === "none") {
+    return [];
+  }
+  return proxyJump.split(",").map((s) => s.trim()).filter((s) => s.length > 0).map(parseJumpHost);
+}
+
+// src/utils/ssh-tunnel.ts
+var SSHTunnel = class {
+  constructor() {
+    this.sshClients = [];
+    // All SSH clients in the chain
+    this.localServer = null;
+    this.tunnelInfo = null;
+    this.isConnected = false;
+  }
+  /**
+   * Establish an SSH tunnel, optionally through jump hosts (ProxyJump).
+   * @param config SSH connection configuration
+   * @param options Tunnel options including target host and port
+   * @returns Promise resolving to tunnel information including local port
+   */
+  async establish(config, options) {
+    if (this.isConnected) {
+      throw new Error("SSH tunnel is already established");
+    }
+    this.isConnected = true;
+    try {
+      const jumpHosts = config.proxyJump ? parseJumpHosts(config.proxyJump) : [];
+      let privateKeyBuffer;
+      if (config.privateKey) {
+        try {
+          const resolvedKeyPath = resolveSymlink(config.privateKey);
+          privateKeyBuffer = readFileSync2(resolvedKeyPath);
+        } catch (error) {
+          throw new Error(`Failed to read private key file: ${error instanceof Error ? error.message : String(error)}`);
+        }
+      }
+      if (!config.password && !privateKeyBuffer) {
+        throw new Error("Either password or privateKey must be provided for SSH authentication");
+      }
+      const finalClient = await this.establishChain(jumpHosts, config, privateKeyBuffer);
+      return await this.createLocalTunnel(finalClient, options);
+    } catch (error) {
+      this.cleanup();
+      throw error;
+    }
+  }
+  /**
+   * Establish a chain of SSH connections through jump hosts.
+   * @returns The final SSH client connected to the target host
+   */
+  async establishChain(jumpHosts, targetConfig, privateKey) {
+    let previousStream;
+    for (let i = 0; i < jumpHosts.length; i++) {
+      const jumpHost = jumpHosts[i];
+      const nextHost = i + 1 < jumpHosts.length ? jumpHosts[i + 1] : { host: targetConfig.host, port: targetConfig.port || 22 };
+      let client = null;
+      let forwardStream;
+      try {
+        client = await this.connectToHost(
+          {
+            host: jumpHost.host,
+            port: jumpHost.port,
+            username: jumpHost.username || targetConfig.username
+          },
+          targetConfig.password,
+          privateKey,
+          targetConfig.passphrase,
+          previousStream,
+          `jump host ${i + 1}`
+        );
+        console.error(`  \u2192 Forwarding through ${jumpHost.host}:${jumpHost.port} to ${nextHost.host}:${nextHost.port}`);
+        forwardStream = await this.forwardTo(client, nextHost.host, nextHost.port);
+      } catch (error) {
+        if (client) {
+          try {
+            client.end();
+          } catch {
+          }
+        }
+        throw error;
+      }
+      this.sshClients.push(client);
+      previousStream = forwardStream;
+    }
+    const finalClient = await this.connectToHost(
+      {
+        host: targetConfig.host,
+        port: targetConfig.port || 22,
+        username: targetConfig.username
+      },
+      targetConfig.password,
+      privateKey,
+      targetConfig.passphrase,
+      previousStream,
+      jumpHosts.length > 0 ? "target host" : void 0
+    );
+    this.sshClients.push(finalClient);
+    return finalClient;
+  }
+  /**
+   * Connect to a single SSH host.
+   */
+  connectToHost(hostInfo, password, privateKey, passphrase, sock, label) {
+    return new Promise((resolve, reject) => {
+      const client = new Client();
+      const sshConfig = {
+        host: hostInfo.host,
+        port: hostInfo.port,
+        username: hostInfo.username
+      };
+      if (password) {
+        sshConfig.password = password;
+      }
+      if (privateKey) {
+        sshConfig.privateKey = privateKey;
+        if (passphrase) {
+          sshConfig.passphrase = passphrase;
+        }
+      }
+      if (sock) {
+        sshConfig.sock = sock;
+      }
+      const onError = (err) => {
+        client.removeListener("ready", onReady);
+        client.destroy();
+        reject(new Error(`SSH connection error${label ? ` (${label})` : ""}: ${err.message}`));
+      };
+      const onReady = () => {
+        client.removeListener("error", onError);
+        const desc = label || `${hostInfo.host}:${hostInfo.port}`;
+        console.error(`SSH connection established: ${desc}`);
+        resolve(client);
+      };
+      client.on("error", onError);
+      client.on("ready", onReady);
+      client.connect(sshConfig);
+    });
+  }
+  /**
+   * Forward a connection through an SSH client to a target host.
+   */
+  forwardTo(client, targetHost, targetPort) {
+    return new Promise((resolve, reject) => {
+      client.forwardOut("127.0.0.1", 0, targetHost, targetPort, (err, stream) => {
+        if (err) {
+          reject(new Error(`SSH forward error: ${err.message}`));
+          return;
+        }
+        resolve(stream);
+      });
+    });
+  }
+  /**
+   * Create the local server that tunnels connections to the database.
+   */
+  createLocalTunnel(sshClient, options) {
+    return new Promise((resolve, reject) => {
+      let settled = false;
+      this.localServer = createServer((localSocket) => {
+        sshClient.forwardOut(
+          "127.0.0.1",
+          0,
+          options.targetHost,
+          options.targetPort,
+          (err, stream) => {
+            if (err) {
+              console.error("SSH forward error:", err);
+              localSocket.end();
+              return;
+            }
+            localSocket.pipe(stream).pipe(localSocket);
+            stream.on("error", (err2) => {
+              console.error("SSH stream error:", err2);
+              localSocket.end();
+            });
+            localSocket.on("error", (err2) => {
+              console.error("Local socket error:", err2);
+              stream.end();
+            });
+          }
+        );
+      });
+      this.localServer.on("error", (err) => {
+        if (!settled) {
+          settled = true;
+          reject(new Error(`Local server error: ${err.message}`));
+        } else {
+          console.error("Local server error after tunnel established:", err);
+          this.cleanup();
+        }
+      });
+      const localPort = options.localPort || 0;
+      this.localServer.listen(localPort, "127.0.0.1", () => {
+        const address = this.localServer.address();
+        if (!address || typeof address === "string") {
+          if (!settled) {
+            settled = true;
+            reject(new Error("Failed to get local server address"));
+          }
+          return;
+        }
+        this.tunnelInfo = {
+          localPort: address.port,
+          targetHost: options.targetHost,
+          targetPort: options.targetPort
+        };
+        console.error(`SSH tunnel established: localhost:${address.port} \u2192 ${options.targetHost}:${options.targetPort}`);
+        settled = true;
+        resolve(this.tunnelInfo);
+      });
+    });
+  }
+  /**
+   * Close the SSH tunnel and clean up resources
+   */
+  async close() {
+    if (!this.isConnected) {
+      return;
+    }
+    return new Promise((resolve) => {
+      this.cleanup();
+      console.error("SSH tunnel closed");
+      resolve();
+    });
+  }
+  /**
+   * Clean up resources. Closes all SSH clients in reverse order (innermost first).
+   */
+  cleanup() {
+    if (this.localServer) {
+      this.localServer.close();
+      this.localServer = null;
+    }
+    for (let i = this.sshClients.length - 1; i >= 0; i--) {
+      try {
+        this.sshClients[i].end();
+      } catch {
+      }
+    }
+    this.sshClients = [];
+    this.tunnelInfo = null;
+    this.isConnected = false;
+  }
+  /**
+   * Get current tunnel information
+   */
+  getTunnelInfo() {
+    return this.tunnelInfo;
+  }
+  /**
+   * Check if tunnel is connected
+   */
+  getIsConnected() {
+    return this.isConnected;
+  }
+};
+
+// src/config/toml-loader.ts
+import fs2 from "fs";
+import path2 from "path";
+import { homedir as homedir3 } from "os";
+import toml from "@iarna/toml";
+
+// src/config/env.ts
+import dotenv from "dotenv";
+import path from "path";
+import fs from "fs";
+import { fileURLToPath } from "url";
+import { homedir as homedir2 } from "os";
 
 // src/utils/safe-url.ts
 var SafeURL = class {
@@ -815,6 +1004,13 @@ function resolveSSHConfig() {
     config.passphrase = process.env.SSH_PASSPHRASE;
     sources.push("SSH_PASSPHRASE from environment");
   }
+  if (args["ssh-proxy-jump"]) {
+    config.proxyJump = args["ssh-proxy-jump"];
+    sources.push("ssh-proxy-jump from command line");
+  } else if (process.env.SSH_PROXY_JUMP) {
+    config.proxyJump = process.env.SSH_PROXY_JUMP;
+    sources.push("SSH_PROXY_JUMP from environment");
+  }
   if (!config.host || !config.username) {
     throw new Error("SSH tunnel configuration requires at least --ssh-host and --ssh-user");
   }
@@ -917,8 +1113,13 @@ function loadTomlConfig() {
   try {
     const fileContent = fs2.readFileSync(configPath, "utf-8");
     const parsedToml = toml.parse(fileContent);
-    validateTomlConfig(parsedToml, configPath);
+    if (!Array.isArray(parsedToml.sources)) {
+      throw new Error(
+        `Configuration file ${configPath}: must contain a [[sources]] array. Use [[sources]] syntax for array of tables in TOML.`
+      );
+    }
     const sources = processSourceConfigs(parsedToml.sources, configPath);
+    validateTomlConfig({ ...parsedToml, sources }, configPath);
     return {
       sources,
       tools: parsedToml.tools,
@@ -960,11 +1161,6 @@ id = "my_db"
 dsn = "postgres://..."`
     );
   }
-  if (!Array.isArray(config.sources)) {
-    throw new Error(
-      `Configuration file ${configPath}: 'sources' must be an array. Use [[sources]] syntax for array of tables in TOML.`
-    );
-  }
   if (config.sources.length === 0) {
     throw new Error(
       `Configuration file ${configPath}: sources array cannot be empty. Please define at least one source with [[sources]].`
@@ -1041,11 +1237,6 @@ function validateToolsConfig(tools, sources, configPath) {
           `Configuration file ${configPath}: custom tool '${tool.name}' must have 'description' and 'statement' fields`
         );
       }
-      if (tool.readonly !== void 0 || tool.max_rows !== void 0) {
-        throw new Error(
-          `Configuration file ${configPath}: custom tool '${tool.name}' cannot have readonly or max_rows fields (these are only valid for ${BUILTIN_TOOL_EXECUTE_SQL} tool)`
-        );
-      }
     }
     if (tool.max_rows !== void 0) {
       if (typeof tool.max_rows !== "number" || tool.max_rows <= 0) {
@@ -1054,6 +1245,11 @@ function validateToolsConfig(tools, sources, configPath) {
         );
       }
     }
+    if (tool.readonly !== void 0 && typeof tool.readonly !== "boolean") {
+      throw new Error(
+        `Configuration file ${configPath}: tool '${tool.name}' has invalid readonly. Must be a boolean (true or false).`
+      );
+    }
   }
 }
 function validateSourceConfig(source, configPath) {
@@ -1081,10 +1277,10 @@ function validateSourceConfig(source, configPath) {
       );
     }
   }
-  if (source.request_timeout !== void 0) {
-    if (typeof source.request_timeout !== "number" || source.request_timeout <= 0) {
+  if (source.query_timeout !== void 0) {
+    if (typeof source.query_timeout !== "number" || source.query_timeout <= 0) {
       throw new Error(
-        `Configuration file ${configPath}: source '${source.id}' has invalid request_timeout. Must be a positive number (in seconds).`
+        `Configuration file ${configPath}: source '${source.id}' has invalid query_timeout. Must be a positive number (in seconds).`
       );
     }
   }
@@ -1095,6 +1291,64 @@ function validateSourceConfig(source, configPath) {
       );
     }
   }
+  if (source.sslmode !== void 0) {
+    if (source.type === "sqlite") {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has sslmode but SQLite does not support SSL. Remove the sslmode field for SQLite sources.`
+      );
+    }
+    const validSslModes = ["disable", "require"];
+    if (!validSslModes.includes(source.sslmode)) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has invalid sslmode '${source.sslmode}'. Valid values: ${validSslModes.join(", ")}`
+      );
+    }
+  }
+  if (source.authentication !== void 0) {
+    if (source.type !== "sqlserver") {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has authentication but it is only supported for SQL Server.`
+      );
+    }
+    const validAuthMethods = ["ntlm", "azure-active-directory-access-token"];
+    if (!validAuthMethods.includes(source.authentication)) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has invalid authentication '${source.authentication}'. Valid values: ${validAuthMethods.join(", ")}`
+      );
+    }
+    if (source.authentication === "ntlm" && !source.domain) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' uses NTLM authentication but 'domain' is not specified.`
+      );
+    }
+  }
+  if (source.domain !== void 0) {
+    if (source.type !== "sqlserver") {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has domain but it is only supported for SQL Server.`
+      );
+    }
+    if (source.authentication === void 0) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has domain but authentication is not set. Add authentication = "ntlm" to use Windows domain authentication.`
+      );
+    }
+    if (source.authentication !== "ntlm") {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has domain but authentication is set to '${source.authentication}'. Domain is only valid with authentication = "ntlm".`
+      );
+    }
+  }
+  if (source.readonly !== void 0) {
+    throw new Error(
+      `Configuration file ${configPath}: source '${source.id}' has 'readonly' field, but readonly must be configured per-tool, not per-source. Move 'readonly' to [[tools]] configuration instead.`
+    );
+  }
+  if (source.max_rows !== void 0) {
+    throw new Error(
+      `Configuration file ${configPath}: source '${source.id}' has 'max_rows' field, but max_rows must be configured per-tool, not per-source. Move 'max_rows' to [[tools]] configuration instead.`
+    );
+  }
 }
 function processSourceConfigs(sources, configPath) {
   return sources.map((source) => {
@@ -1154,9 +1408,15 @@ function buildDSNFromSource(source) {
     }
     return `sqlite:///${source.database}`;
   }
-  if (!source.host || !source.user || !source.password || !source.database) {
+  const passwordRequired = source.authentication !== "azure-active-directory-access-token";
+  if (!source.host || !source.user || !source.database) {
+    throw new Error(
+      `Source '${source.id}': missing required connection parameters. Required: type, host, user, database`
+    );
+  }
+  if (passwordRequired && !source.password) {
     throw new Error(
-      `Source '${source.id}': missing required connection parameters. Required: type, host, user, password, database`
+      `Source '${source.id}': password is required. (Password is optional only for azure-active-directory-access-token authentication)`
     );
   }
   const port = source.port || getDefaultPortForType(source.type);
@@ -1164,11 +1424,26 @@ function buildDSNFromSource(source) {
     throw new Error(`Source '${source.id}': unable to determine port`);
   }
   const encodedUser = encodeURIComponent(source.user);
-  const encodedPassword = encodeURIComponent(source.password);
+  const encodedPassword = source.password ? encodeURIComponent(source.password) : "";
   const encodedDatabase = encodeURIComponent(source.database);
   let dsn = `${source.type}://${encodedUser}:${encodedPassword}@${source.host}:${port}/${encodedDatabase}`;
-  if (source.type === "sqlserver" && source.instanceName) {
-    dsn += `?instanceName=${encodeURIComponent(source.instanceName)}`;
+  const queryParams = [];
+  if (source.type === "sqlserver") {
+    if (source.instanceName) {
+      queryParams.push(`instanceName=${encodeURIComponent(source.instanceName)}`);
+    }
+    if (source.authentication) {
+      queryParams.push(`authentication=${encodeURIComponent(source.authentication)}`);
+    }
+    if (source.domain) {
+      queryParams.push(`domain=${encodeURIComponent(source.domain)}`);
+    }
+  }
+  if (source.sslmode && source.type !== "sqlite") {
+    queryParams.push(`sslmode=${source.sslmode}`);
+  }
+  if (queryParams.length > 0) {
+    dsn += `?${queryParams.join("&")}`;
   }
   return dsn;
 }
@@ -1181,7 +1456,6 @@ var ConnectorManager = class {
     // Maps for multi-source support
     this.connectors = /* @__PURE__ */ new Map();
     this.sshTunnels = /* @__PURE__ */ new Map();
-    this.executeOptions = /* @__PURE__ */ new Map();
     this.sourceConfigs = /* @__PURE__ */ new Map();
     // Store original source configs
     this.sourceIds = [];
@@ -1197,6 +1471,7 @@ var ConnectorManager = class {
     if (sources.length === 0) {
       throw new Error("No sources provided");
     }
+    console.error(`Connecting to ${sources.length} database source(s)...`);
     for (const source of sources) {
       await this.connectSource(source);
     }
@@ -1207,6 +1482,7 @@ var ConnectorManager = class {
   async connectSource(source) {
     const sourceId = source.id;
     const dsn = buildDSNFromSource(source);
+    console.error(`  - ${sourceId}: ${redactDSN(dsn)}`);
     let actualDSN = dsn;
     if (source.ssh_host) {
       if (!source.ssh_user) {
@@ -1220,7 +1496,8 @@ var ConnectorManager = class {
         username: source.ssh_user,
         password: source.ssh_password,
         privateKey: source.ssh_key,
-        passphrase: source.ssh_passphrase
+        passphrase: source.ssh_passphrase,
+        proxyJump: source.ssh_proxy_jump
       };
       if (!sshConfig.password && !sshConfig.privateKey) {
         throw new Error(
@@ -1255,8 +1532,8 @@ var ConnectorManager = class {
     if (source.connection_timeout !== void 0) {
       config.connectionTimeoutSeconds = source.connection_timeout;
     }
-    if (connector.id === "sqlserver" && source.request_timeout !== void 0) {
-      config.requestTimeoutSeconds = source.request_timeout;
+    if (source.query_timeout !== void 0 && connector.id !== "sqlite") {
+      config.queryTimeoutSeconds = source.query_timeout;
     }
     if (source.readonly !== void 0) {
       config.readonly = source.readonly;
@@ -1265,14 +1542,6 @@ var ConnectorManager = class {
     this.connectors.set(sourceId, connector);
     this.sourceIds.push(sourceId);
     this.sourceConfigs.set(sourceId, source);
-    const options = {};
-    if (source.max_rows !== void 0) {
-      options.maxRows = source.max_rows;
-    }
-    if (source.readonly !== void 0) {
-      options.readonly = source.readonly;
-    }
-    this.executeOptions.set(sourceId, options);
   }
   /**
    * Close all database connections
@@ -1295,7 +1564,6 @@ var ConnectorManager = class {
     }
     this.connectors.clear();
     this.sshTunnels.clear();
-    this.executeOptions.clear();
     this.sourceConfigs.clear();
     this.sourceIds = [];
   }
@@ -1340,25 +1608,6 @@ var ConnectorManager = class {
     }
     return managerInstance.getConnector(sourceId);
   }
-  /**
-   * Get execute options for SQL execution
-   * @param sourceId - Optional source ID. If not provided, returns default options
-   */
-  getExecuteOptions(sourceId) {
-    const id = sourceId || this.sourceIds[0];
-    return this.executeOptions.get(id) || {};
-  }
-  /**
-   * Get the current execute options
-   * This is used by tool handlers
-   * @param sourceId - Optional source ID. If not provided, returns default options
-   */
-  static getCurrentExecuteOptions(sourceId) {
-    if (!managerInstance) {
-      throw new Error("ConnectorManager not initialized");
-    }
-    return managerInstance.getExecuteOptions(sourceId);
-  }
   /**
    * Get all available source IDs
    */
@@ -1812,11 +2061,9 @@ export {
   isDemoMode,
   resolveTransport,
   resolvePort,
-  redactDSN,
   resolveSourceConfigs,
   BUILTIN_TOOL_EXECUTE_SQL,
   BUILTIN_TOOL_SEARCH_OBJECTS,
-  buildDSNFromSource,
   ConnectorManager,
   mapArgumentsToArray,
   ToolRegistry,