@connorbritain/mssql-mcp-core 0.1.0

package/dist/audit/AuditLogger.d.ts

@@ -0,0 +1,37 @@
+export type AuditLevel = "none" | "basic" | "verbose";
+export interface AuditLogEntry {
+    timestamp: string;
+    toolName: string;
+    environment?: string;
+    arguments?: Record<string, any>;
+    result?: {
+        success: boolean;
+        recordCount?: number;
+        error?: string;
+        data?: any;
+    };
+    durationMs?: number;
+    sessionId?: string;
+    userId?: string;
+}
+export declare class AuditLogger {
+    private readonly logFilePath;
+    private readonly enabled;
+    private readonly redactSensitiveData;
+    constructor();
+    private ensureLogDirectory;
+    private redactArguments;
+    log(entry: AuditLogEntry): void;
+    logToolInvocation(toolName: string, args: any, result: any, durationMs: number, options?: {
+        sessionId?: string;
+        userId?: string;
+        environment?: string;
+        auditLevel?: AuditLevel;
+    }): void;
+    /**
+     * Truncate result data for verbose logging to prevent huge log entries
+     */
+    private truncateResultData;
+}
+export declare const auditLogger: AuditLogger;
+//# sourceMappingURL=AuditLogger.d.ts.map

package/dist/audit/AuditLogger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLogger.d.ts","sourceRoot":"","sources":["../../src/audit/AuditLogger.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAChC,MAAM,CAAC,EAAE;QACP,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,GAAG,CAAC;KACZ,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAU;;IAoB9C,OAAO,CAAC,kBAAkB;IAS1B,OAAO,CAAC,eAAe;IA6BvB,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAkB/B,iBAAiB,CACf,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,GAAG,EACT,MAAM,EAAE,GAAG,EACX,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,UAAU,CAAC;KACzB,GACA,IAAI;IA+CP;;OAEG;IACH,OAAO,CAAC,kBAAkB;CA2B3B;AAGD,eAAO,MAAM,WAAW,aAAoB,CAAC"}

package/dist/audit/AuditLogger.js

@@ -0,0 +1,145 @@
+import * as fs from "fs";
+import * as path from "path";
+export class AuditLogger {
+    constructor() {
+        // Read config from env vars
+        const logPath = process.env.AUDIT_LOG_PATH;
+        this.enabled = process.env.AUDIT_LOGGING !== "false"; // Enabled by default
+        this.redactSensitiveData = process.env.AUDIT_REDACT_SENSITIVE !== "false"; // Redact by default
+        if (this.enabled && logPath) {
+            this.logFilePath = path.resolve(logPath);
+            this.ensureLogDirectory();
+        }
+        else if (this.enabled) {
+            // Default to logs/audit.jsonl in the project root
+            this.logFilePath = path.resolve(process.cwd(), "logs", "audit.jsonl");
+            this.ensureLogDirectory();
+        }
+        else {
+            this.logFilePath = "";
+        }
+    }
+    ensureLogDirectory() {
+        if (!this.logFilePath)
+            return;
+        const dir = path.dirname(this.logFilePath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+    }
+    redactArguments(args) {
+        if (!this.redactSensitiveData) {
+            return args;
+        }
+        const redacted = { ...args };
+        const sensitiveKeys = [
+            "password",
+            "secret",
+            "token",
+            "key",
+            "authorization",
+            "auth",
+            "credential",
+        ];
+        for (const [key, value] of Object.entries(redacted)) {
+            const lowerKey = key.toLowerCase();
+            if (sensitiveKeys.some((sensitive) => lowerKey.includes(sensitive))) {
+                redacted[key] = "[REDACTED]";
+            }
+            else if (typeof value === "string" && value.length > 500) {
+                // Truncate very long strings (likely large query results)
+                redacted[key] = value.substring(0, 500) + "... [TRUNCATED]";
+            }
+        }
+        return redacted;
+    }
+    log(entry) {
+        if (!this.enabled || !this.logFilePath) {
+            return;
+        }
+        try {
+            const logEntry = {
+                ...entry,
+                arguments: entry.arguments ? this.redactArguments(entry.arguments) : undefined,
+            };
+            const logLine = JSON.stringify(logEntry) + "\n";
+            fs.appendFileSync(this.logFilePath, logLine, { encoding: "utf-8" });
+        }
+        catch (error) {
+            console.error("Failed to write audit log:", error);
+        }
+    }
+    logToolInvocation(toolName, args, result, durationMs, options) {
+        const auditLevel = options?.auditLevel ?? "basic";
+        // Skip logging entirely for 'none' level
+        if (auditLevel === "none") {
+            return;
+        }
+        // Basic level: minimal info (tool name, success, timing, environment)
+        if (auditLevel === "basic") {
+            const entry = {
+                timestamp: new Date().toISOString(),
+                toolName,
+                environment: options?.environment,
+                result: {
+                    success: result?.success ?? false,
+                    recordCount: result?.recordCount ?? result?.rowsAffected,
+                    error: result?.error,
+                },
+                durationMs: Math.round(durationMs),
+                sessionId: options?.sessionId,
+                userId: options?.userId,
+            };
+            this.log(entry);
+            return;
+        }
+        // Verbose level: full arguments and result data
+        const entry = {
+            timestamp: new Date().toISOString(),
+            toolName,
+            environment: options?.environment,
+            arguments: args || {},
+            result: {
+                success: result?.success ?? false,
+                recordCount: result?.recordCount ?? result?.rowsAffected,
+                error: result?.error,
+                data: this.truncateResultData(result?.data),
+            },
+            durationMs: Math.round(durationMs),
+            sessionId: options?.sessionId,
+            userId: options?.userId,
+        };
+        this.log(entry);
+    }
+    /**
+     * Truncate result data for verbose logging to prevent huge log entries
+     */
+    truncateResultData(data) {
+        if (!data)
+            return undefined;
+        // If it's an array, limit to first 10 items
+        if (Array.isArray(data)) {
+            if (data.length > 10) {
+                return {
+                    _truncated: true,
+                    _totalCount: data.length,
+                    items: data.slice(0, 10),
+                };
+            }
+            return data;
+        }
+        // If it's a large object (stringified > 10KB), truncate
+        const stringified = JSON.stringify(data);
+        if (stringified.length > 10000) {
+            return {
+                _truncated: true,
+                _originalSize: stringified.length,
+                preview: stringified.substring(0, 1000) + "...",
+            };
+        }
+        return data;
+    }
+}
+// Singleton instance
+export const auditLogger = new AuditLogger();
+//# sourceMappingURL=AuditLogger.js.map

package/dist/audit/AuditLogger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLogger.js","sourceRoot":"","sources":["../../src/audit/AuditLogger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAoB7B,MAAM,OAAO,WAAW;IAKtB;QACE,4BAA4B;QAC5B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,OAAO,CAAC,CAAC,qBAAqB;QAC3E,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,OAAO,CAAC,CAAC,oBAAoB;QAE/F,IAAI,IAAI,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5B,CAAC;aAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACxB,kDAAkD;YAClD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC;YACtE,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,WAAW,GAAG,EAAE,CAAC;QACxB,CAAC;IACH,CAAC;IAEO,kBAAkB;QACxB,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,IAAyB;QAC/C,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG;YACpB,UAAU;YACV,QAAQ;YACR,OAAO;YACP,KAAK;YACL,eAAe;YACf,MAAM;YACN,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YACnC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;gBACpE,QAAQ,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC/B,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBAC3D,0DAA0D;gBAC1D,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,iBAAiB,CAAC;YAC9D,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,GAAG,CAAC,KAAoB;QACtB,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG;gBACf,GAAG,KAAK;gBACR,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;aAC/E,CAAC;YAEF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;YAChD,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,iBAAiB,CACf,QAAgB,EAChB,IAAS,EACT,MAAW,EACX,UAAkB,EAClB,OAKC;QAED,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,OAAO,CAAC;QAElD,yCAAyC;QACzC,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAkB;gBAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,QAAQ;gBACR,WAAW,EAAE,OAAO,EAAE,WAAW;gBACjC,MAAM,EAAE;oBACN,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,KAAK;oBACjC,WAAW,EAAE,MAAM,EAAE,WAAW,IAAI,MAAM,EAAE,YAAY;oBACxD,KAAK,EAAE,MAAM,EAAE,KAAK;iBACrB;gBACD,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;gBAClC,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAChB,OAAO;QACT,CAAC;QAED,gDAAgD;QAChD,MAAM,KAAK,GAAkB;YAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,QAAQ;YACR,WAAW,EAAE,OAAO,EAAE,WAAW;YACjC,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,MAAM,EAAE;gBACN,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,KAAK;gBACjC,WAAW,EAAE,MAAM,EAAE,WAAW,IAAI,MAAM,EAAE,YAAY;gBACxD,KAAK,EAAE,MAAM,EAAE,KAAK;gBACpB,IAAI,EAAE,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC;aAC5C;YACD,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAClC,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,MAAM,EAAE,OAAO,EAAE,MAAM;SACxB,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,IAAS;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAC;QAE5B,4CAA4C;QAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACrB,OAAO;oBACL,UAAU,EAAE,IAAI;oBAChB,WAAW,EAAE,IAAI,CAAC,MAAM;oBACxB,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACzB,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,wDAAwD;QACxD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,WAAW,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;YAC/B,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,WAAW,CAAC,MAAM;gBACjC,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,KAAK;aAChD,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,qBAAqB;AACrB,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/config/EnvironmentManager.d.ts

@@ -0,0 +1,75 @@
+import sql from "mssql";
+import { SecretResolver, SecretsConfig } from "./SecretResolver.js";
+export type AccessLevel = "server" | "database";
+export type TierLevel = "reader" | "writer" | "admin";
+export type AuditLevel = "none" | "basic" | "verbose";
+export interface EnvironmentConfig {
+    name: string;
+    description?: string;
+    server: string;
+    database: string;
+    port?: number;
+    authMode: "sql" | "windows" | "aad";
+    username?: string;
+    password?: string;
+    domain?: string;
+    trustServerCertificate?: boolean;
+    connectionTimeout?: number;
+    requestTimeout?: number;
+    readonly?: boolean;
+    allowedTools?: string[];
+    deniedTools?: string[];
+    maxRowsDefault?: number;
+    requireApproval?: boolean;
+    auditLevel?: AuditLevel;
+    accessLevel?: AccessLevel;
+    allowedDatabases?: string[] | "*";
+    deniedDatabases?: string[];
+    allowedSchemas?: string[];
+    deniedSchemas?: string[];
+    tier?: TierLevel;
+}
+export interface EnvironmentsConfig {
+    defaultEnvironment?: string;
+    environments: EnvironmentConfig[];
+    scriptsPath?: string;
+    secrets?: SecretsConfig;
+}
+export declare class EnvironmentManager {
+    private readonly environments;
+    private defaultEnvironment?;
+    private readonly connections;
+    private secretResolver;
+    constructor(configPath?: string);
+    getSecretResolver(): SecretResolver;
+    private loadFromFile;
+    private loadFromEnvVars;
+    getEnvironment(name?: string): EnvironmentConfig;
+    listEnvironments(): EnvironmentConfig[];
+    /**
+     * Check if the environment allows access to a specific database.
+     * For database-level access, only the configured database is allowed.
+     * For server-level access, checks allowedDatabases/deniedDatabases.
+     */
+    isDatabaseAllowed(environmentName: string | undefined, databaseName: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Check if a schema.table reference is allowed based on allowedSchemas/deniedSchemas.
+     * Pattern matching supports wildcards (e.g., "audit.*", "*.sensitive_*")
+     */
+    isSchemaAllowed(environmentName: string | undefined, schemaName: string, tableName?: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Simple wildcard pattern matching (supports * as wildcard)
+     */
+    private matchesPattern;
+    getConnection(environmentName?: string): Promise<sql.ConnectionPool>;
+    private createSqlConfig;
+    closeAll(): Promise<void>;
+}
+export declare function getEnvironmentManager(): EnvironmentManager;
+//# sourceMappingURL=EnvironmentManager.d.ts.map

package/dist/config/EnvironmentManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EnvironmentManager.d.ts","sourceRoot":"","sources":["../../src/config/EnvironmentManager.ts"],"names":[],"mappings":"AAGA,OAAO,GAAG,MAAM,OAAO,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAwB,MAAM,qBAAqB,CAAC;AAE1F,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;AAChD,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC;AACtD,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,KAAK,GAAG,SAAS,GAAG,KAAK,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,CAAC;IAGxB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,UAAU,CAAC,EAAE,UAAU,CAAC;IAGxB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAG3B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAGzB,IAAI,CAAC,EAAE,SAAS,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,iBAAiB,EAAE,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;IAC9D,OAAO,CAAC,kBAAkB,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA8D;IAC1F,OAAO,CAAC,cAAc,CAAiB;gBAE3B,UAAU,CAAC,EAAE,MAAM;IAc/B,iBAAiB,IAAI,cAAc;IAInC,OAAO,CAAC,YAAY;IAsCpB,OAAO,CAAC,eAAe;IA+BvB,cAAc,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,iBAAiB;IAahD,gBAAgB,IAAI,iBAAiB,EAAE;IAIvC;;;;OAIG;IACH,iBAAiB,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,EAAE,YAAY,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA4CnH;;;OAGG;IACH,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAiCnI;;OAEG;IACH,OAAO,CAAC,cAAc;IAQhB,aAAa,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;YA+B5D,eAAe;IAsGvB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAShC;AAKD,wBAAgB,qBAAqB,IAAI,kBAAkB,CAM1D"}

package/dist/config/EnvironmentManager.js

@@ -0,0 +1,305 @@
+import * as fs from "fs";
+import * as path from "path";
+import { InteractiveBrowserCredential } from "@azure/identity";
+import sql from "mssql";
+import { createSecretResolver } from "./SecretResolver.js";
+export class EnvironmentManager {
+    constructor(configPath) {
+        this.environments = new Map();
+        this.connections = new Map();
+        this.secretResolver = createSecretResolver(); // default: env-only
+        // Try to load from config file first
+        if (configPath) {
+            this.loadFromFile(configPath);
+        }
+        else {
+            // Fall back to environment variables for single environment
+            this.loadFromEnvVars();
+        }
+    }
+    getSecretResolver() {
+        return this.secretResolver;
+    }
+    loadFromFile(configPath) {
+        try {
+            const resolvedPath = path.resolve(configPath);
+            if (!fs.existsSync(resolvedPath)) {
+                console.warn(`Environment config file not found at ${resolvedPath}, falling back to env vars`);
+                this.loadFromEnvVars();
+                return;
+            }
+            const configContent = fs.readFileSync(resolvedPath, "utf-8");
+            const config = JSON.parse(configContent);
+            // Build the secret resolver from config or fallback to DOTENV_PATH
+            let secretsConfig = config.secrets;
+            if (!secretsConfig) {
+                const dotenvPath = process.env.DOTENV_PATH;
+                if (dotenvPath) {
+                    secretsConfig = { providers: [{ type: "env" }, { type: "dotenv", path: dotenvPath }] };
+                    console.log(`Using DOTENV_PATH fallback: ${dotenvPath}`);
+                }
+            }
+            this.secretResolver = createSecretResolver(secretsConfig);
+            this.defaultEnvironment = config.defaultEnvironment;
+            for (const env of config.environments) {
+                // Resolve any secret placeholders in the config
+                const resolvedEnv = this.secretResolver.resolveObject(env);
+                this.environments.set(resolvedEnv.name, resolvedEnv);
+            }
+            console.log(`Loaded ${this.environments.size} environment(s) from ${resolvedPath}`);
+        }
+        catch (error) {
+            console.error(`Failed to load environment config: ${error}`);
+            this.loadFromEnvVars();
+        }
+    }
+    loadFromEnvVars() {
+        const server = process.env.SERVER_NAME;
+        const database = process.env.DATABASE_NAME;
+        if (!server || !database) {
+            throw new Error("No environment config file provided and SERVER_NAME/DATABASE_NAME env vars not set");
+        }
+        const defaultEnv = {
+            name: "default",
+            server,
+            database,
+            port: process.env.SQL_PORT ? parseInt(process.env.SQL_PORT, 10) : undefined,
+            authMode: process.env.SQL_AUTH_MODE?.toLowerCase() ?? "aad",
+            username: process.env.SQL_USERNAME,
+            password: process.env.SQL_PASSWORD,
+            domain: process.env.SQL_DOMAIN,
+            trustServerCertificate: process.env.TRUST_SERVER_CERTIFICATE?.toLowerCase() === "true",
+            connectionTimeout: process.env.CONNECTION_TIMEOUT
+                ? parseInt(process.env.CONNECTION_TIMEOUT, 10)
+                : 30,
+            readonly: process.env.READONLY === "true",
+        };
+        this.environments.set("default", defaultEnv);
+        this.defaultEnvironment = "default";
+        console.log("Loaded default environment from environment variables");
+    }
+    getEnvironment(name) {
+        const targetName = name || this.defaultEnvironment || "default";
+        const env = this.environments.get(targetName);
+        if (!env) {
+            throw new Error(`Environment '${targetName}' not found. Available: ${Array.from(this.environments.keys()).join(", ")}`);
+        }
+        return env;
+    }
+    listEnvironments() {
+        return Array.from(this.environments.values());
+    }
+    /**
+     * Check if the environment allows access to a specific database.
+     * For database-level access, only the configured database is allowed.
+     * For server-level access, checks allowedDatabases/deniedDatabases.
+     */
+    isDatabaseAllowed(environmentName, databaseName) {
+        const env = this.getEnvironment(environmentName);
+        const accessLevel = env.accessLevel ?? "database";
+        // Database-level access: only the configured database is allowed
+        if (accessLevel === "database") {
+            if (databaseName.toLowerCase() !== env.database.toLowerCase()) {
+                return {
+                    allowed: false,
+                    reason: `Environment '${env.name}' has database-level access and is restricted to database '${env.database}'. Cannot access '${databaseName}'.`,
+                };
+            }
+            return { allowed: true };
+        }
+        // Server-level access: check allow/deny lists
+        const deniedDatabases = env.deniedDatabases ?? [];
+        const allowedDatabases = env.allowedDatabases;
+        // Check denied list first (takes precedence)
+        if (deniedDatabases.some((db) => db.toLowerCase() === databaseName.toLowerCase())) {
+            return {
+                allowed: false,
+                reason: `Database '${databaseName}' is in the denied list for environment '${env.name}'.`,
+            };
+        }
+        // Check allowed list
+        if (allowedDatabases === "*") {
+            return { allowed: true };
+        }
+        if (Array.isArray(allowedDatabases) && allowedDatabases.length > 0) {
+            if (!allowedDatabases.some((db) => db.toLowerCase() === databaseName.toLowerCase())) {
+                return {
+                    allowed: false,
+                    reason: `Database '${databaseName}' is not in the allowed list for environment '${env.name}'. Allowed: ${allowedDatabases.join(", ")}.`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check if a schema.table reference is allowed based on allowedSchemas/deniedSchemas.
+     * Pattern matching supports wildcards (e.g., "audit.*", "*.sensitive_*")
+     */
+    isSchemaAllowed(environmentName, schemaName, tableName) {
+        const env = this.getEnvironment(environmentName);
+        const fullRef = tableName ? `${schemaName}.${tableName}` : schemaName;
+        const deniedSchemas = env.deniedSchemas ?? [];
+        const allowedSchemas = env.allowedSchemas;
+        // Check denied patterns first
+        for (const pattern of deniedSchemas) {
+            if (this.matchesPattern(fullRef, pattern) || this.matchesPattern(schemaName, pattern)) {
+                return {
+                    allowed: false,
+                    reason: `Schema/table '${fullRef}' matches denied pattern '${pattern}' in environment '${env.name}'.`,
+                };
+            }
+        }
+        // If allowedSchemas is specified, check against it
+        if (allowedSchemas && allowedSchemas.length > 0) {
+            const isAllowed = allowedSchemas.some((pattern) => this.matchesPattern(fullRef, pattern) || this.matchesPattern(schemaName, pattern));
+            if (!isAllowed) {
+                return {
+                    allowed: false,
+                    reason: `Schema/table '${fullRef}' does not match any allowed pattern in environment '${env.name}'. Allowed: ${allowedSchemas.join(", ")}.`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Simple wildcard pattern matching (supports * as wildcard)
+     */
+    matchesPattern(value, pattern) {
+        const regexPattern = pattern
+            .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // Escape special regex chars except *
+            .replace(/\*/g, ".*"); // Convert * to .*
+        const regex = new RegExp(`^${regexPattern}$`, "i");
+        return regex.test(value);
+    }
+    async getConnection(environmentName) {
+        const env = this.getEnvironment(environmentName);
+        const cached = this.connections.get(env.name);
+        // Check if we have a valid cached connection
+        if (cached &&
+            cached.pool.connected &&
+            (!cached.expiresOn || cached.expiresOn > new Date(Date.now() + 2 * 60 * 1000))) {
+            return cached.pool;
+        }
+        // Create new connection
+        const { config, expiresOn } = await this.createSqlConfig(env);
+        // Close old connection if exists
+        if (cached?.pool && cached.pool.connected) {
+            await cached.pool.close();
+        }
+        const pool = new sql.ConnectionPool(config);
+        pool.on("error", (err) => {
+            console.error(`[mssql] Pool error for '${env.name}':`, err.message);
+        });
+        await pool.connect();
+        this.connections.set(env.name, { pool, expiresOn });
+        return pool;
+    }
+    async createSqlConfig(env) {
+        const baseConfig = {
+            server: env.server,
+            database: env.database,
+            port: env.port,
+            connectionTimeout: (env.connectionTimeout || 30) * 1000,
+            requestTimeout: (env.requestTimeout || 120) * 1000,
+            pool: {
+                max: 10,
+                min: 0,
+                idleTimeoutMillis: 30000,
+            },
+        };
+        if (env.authMode === "sql") {
+            if (!env.username || !env.password) {
+                throw new Error(`Environment '${env.name}' requires username and password for SQL auth`);
+            }
+            return {
+                config: {
+                    ...baseConfig,
+                    user: env.username,
+                    password: env.password,
+                    options: {
+                        encrypt: false,
+                        trustServerCertificate: env.trustServerCertificate ?? false,
+                    },
+                },
+            };
+        }
+        if (env.authMode === "windows") {
+            if (!env.username || !env.password) {
+                throw new Error(`Environment '${env.name}' requires username and password for Windows auth`);
+            }
+            // Strip DOMAIN\ prefix from username if present — tedious NTLM expects
+            // the username and domain as separate fields
+            let ntlmUser = env.username;
+            let ntlmDomain = env.domain || "";
+            const backslashIndex = ntlmUser.indexOf("\\");
+            if (backslashIndex !== -1) {
+                if (!ntlmDomain) {
+                    ntlmDomain = ntlmUser.substring(0, backslashIndex);
+                }
+                ntlmUser = ntlmUser.substring(backslashIndex + 1);
+            }
+            return {
+                config: {
+                    ...baseConfig,
+                    options: {
+                        encrypt: false,
+                        trustServerCertificate: env.trustServerCertificate ?? false,
+                    },
+                    authentication: {
+                        type: "ntlm",
+                        options: {
+                            userName: ntlmUser,
+                            password: env.password,
+                            domain: ntlmDomain,
+                        },
+                    },
+                },
+            };
+        }
+        // Azure AD auth
+        const credential = new InteractiveBrowserCredential({
+            redirectUri: "http://localhost",
+        });
+        const accessToken = await credential.getToken("https://database.windows.net/.default");
+        if (!accessToken?.token) {
+            throw new Error(`Failed to acquire Azure AD token for environment '${env.name}'`);
+        }
+        return {
+            config: {
+                ...baseConfig,
+                options: {
+                    encrypt: true,
+                    trustServerCertificate: env.trustServerCertificate ?? false,
+                },
+                authentication: {
+                    type: "azure-active-directory-access-token",
+                    options: {
+                        token: accessToken.token,
+                    },
+                },
+            },
+            expiresOn: accessToken?.expiresOnTimestamp
+                ? new Date(accessToken.expiresOnTimestamp)
+                : new Date(Date.now() + 30 * 60 * 1000),
+        };
+    }
+    async closeAll() {
+        for (const [name, { pool }] of this.connections.entries()) {
+            if (pool.connected) {
+                await pool.close();
+                console.log(`Closed connection for environment '${name}'`);
+            }
+        }
+        this.connections.clear();
+    }
+}
+// Singleton instance
+let environmentManager;
+export function getEnvironmentManager() {
+    if (!environmentManager) {
+        const configPath = process.env.ENVIRONMENTS_CONFIG_PATH;
+        environmentManager = new EnvironmentManager(configPath);
+    }
+    return environmentManager;
+}
+//# sourceMappingURL=EnvironmentManager.js.map

package/dist/config/EnvironmentManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EnvironmentManager.js","sourceRoot":"","sources":["../../src/config/EnvironmentManager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,GAAG,MAAM,OAAO,CAAC;AACxB,OAAO,EAAiC,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAgD1F,MAAM,OAAO,kBAAkB;IAM7B,YAAY,UAAmB;QAC7B,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,EAAE,CAAC;QAC9B,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,GAAG,oBAAoB,EAAE,CAAC,CAAC,oBAAoB;QAElE,qCAAqC;QACrC,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,4DAA4D;YAC5D,IAAI,CAAC,eAAe,EAAE,CAAC;QACzB,CAAC;IACH,CAAC;IAED,iBAAiB;QACf,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAEO,YAAY,CAAC,UAAkB;QACrC,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,wCAAwC,YAAY,4BAA4B,CAAC,CAAC;gBAC/F,IAAI,CAAC,eAAe,EAAE,CAAC;gBACvB,OAAO;YACT,CAAC;YAED,MAAM,aAAa,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YAC7D,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAE7D,mEAAmE;YACnE,IAAI,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC;YACnC,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;gBAC3C,IAAI,UAAU,EAAE,CAAC;oBACf,aAAa,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;oBACvF,OAAO,CAAC,GAAG,CAAC,+BAA+B,UAAU,EAAE,CAAC,CAAC;gBAC3D,CAAC;YACH,CAAC;YACD,IAAI,CAAC,cAAc,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAC;YAE1D,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC;YAEpD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;gBACtC,gDAAgD;gBAChD,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;gBAC3D,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;YACvD,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,IAAI,wBAAwB,YAAY,EAAE,CAAC,CAAC;QACtF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;YAC7D,IAAI,CAAC,eAAe,EAAE,CAAC;QACzB,CAAC;IACH,CAAC;IAEO,eAAe;QACrB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QAE3C,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,oFAAoF,CACrF,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAsB;YACpC,IAAI,EAAE,SAAS;YACf,MAAM;YACN,QAAQ;YACR,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;YAC3E,QAAQ,EAAG,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,EAAU,IAAI,KAAK;YACpE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YAClC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YAClC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;YAC9B,sBAAsB,EAAE,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,WAAW,EAAE,KAAK,MAAM;YACtF,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;gBAC/C,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,EAAE,CAAC;gBAC9C,CAAC,CAAC,EAAE;YACN,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM;SAC1C,CAAC;QAEF,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAC7C,IAAI,CAAC,kBAAkB,GAAG,SAAS,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;IACvE,CAAC;IAED,cAAc,CAAC,IAAa;QAC1B,MAAM,UAAU,GAAG,IAAI,IAAI,IAAI,CAAC,kBAAkB,IAAI,SAAS,CAAC;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAE9C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CACb,gBAAgB,UAAU,2BAA2B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACvG,CAAC;QACJ,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,gBAAgB;QACd,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED;;;;OAIG;IACH,iBAAiB,CAAC,eAAmC,EAAE,YAAoB;QACzE,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,UAAU,CAAC;QAElD,iEAAiE;QACjE,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;YAC/B,IAAI,YAAY,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC9D,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,gBAAgB,GAAG,CAAC,IAAI,8DAA8D,GAAG,CAAC,QAAQ,qBAAqB,YAAY,IAAI;iBAChJ,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,8CAA8C;QAC9C,MAAM,eAAe,GAAG,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QAClD,MAAM,gBAAgB,GAAG,GAAG,CAAC,gBAAgB,CAAC;QAE9C,6CAA6C;QAC7C,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,YAAY,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAClF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,aAAa,YAAY,4CAA4C,GAAG,CAAC,IAAI,IAAI;aAC1F,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,IAAI,gBAAgB,KAAK,GAAG,EAAE,CAAC;YAC7B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnE,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,YAAY,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACpF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,aAAa,YAAY,iDAAiD,GAAG,CAAC,IAAI,eAAe,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBACxI,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,eAAmC,EAAE,UAAkB,EAAE,SAAkB;QACzF,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,UAAU,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;QAEtE,MAAM,aAAa,GAAG,GAAG,CAAC,aAAa,IAAI,EAAE,CAAC;QAC9C,MAAM,cAAc,GAAG,GAAG,CAAC,cAAc,CAAC;QAE1C,8BAA8B;QAC9B,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC;gBACtF,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,iBAAiB,OAAO,6BAA6B,OAAO,qBAAqB,GAAG,CAAC,IAAI,IAAI;iBACtG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,IAAI,cAAc,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CACnC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,CAAC,CAC/F,CAAC;YACF,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,iBAAiB,OAAO,wDAAwD,GAAG,CAAC,IAAI,eAAe,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBAC5I,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,KAAa,EAAE,OAAe;QACnD,MAAM,YAAY,GAAG,OAAO;aACzB,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC,sCAAsC;aAC5E,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,kBAAkB;QAC3C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,YAAY,GAAG,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,eAAwB;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAE9C,6CAA6C;QAC7C,IACE,MAAM;YACN,MAAM,CAAC,IAAI,CAAC,SAAS;YACrB,CAAC,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,EAC9E,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,CAAC;QACrB,CAAC;QAED,wBAAwB;QACxB,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QAE9D,iCAAiC;QACjC,IAAI,MAAM,EAAE,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAC1C,MAAM,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,OAAO,CAAC,KAAK,CAAC,2BAA2B,GAAG,CAAC,IAAI,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QAEpD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,eAAe,CAC3B,GAAsB;QAEtB,MAAM,UAAU,GAAe;YAC7B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,iBAAiB,EAAE,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC,GAAG,IAAI;YACvD,cAAc,EAAE,CAAC,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,GAAG,IAAI;YAClD,IAAI,EAAE;gBACJ,GAAG,EAAE,EAAE;gBACP,GAAG,EAAE,CAAC;gBACN,iBAAiB,EAAE,KAAK;aACzB;SACF,CAAC;QAEF,IAAI,GAAG,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,gBAAgB,GAAG,CAAC,IAAI,+CAA+C,CAAC,CAAC;YAC3F,CAAC;YAED,OAAO;gBACL,MAAM,EAAE;oBACN,GAAG,UAAU;oBACb,IAAI,EAAE,GAAG,CAAC,QAAQ;oBAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,OAAO,EAAE;wBACP,OAAO,EAAE,KAAK;wBACd,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,IAAI,KAAK;qBAC5D;iBACF;aACF,CAAC;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CACb,gBAAgB,GAAG,CAAC,IAAI,mDAAmD,CAC5E,CAAC;YACJ,CAAC;YAED,uEAAuE;YACvE,6CAA6C;YAC7C,IAAI,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;YAC5B,IAAI,UAAU,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;YAClC,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,cAAc,KAAK,CAAC,CAAC,EAAE,CAAC;gBAC1B,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,UAAU,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC;gBACrD,CAAC;gBACD,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC;YACpD,CAAC;YAED,OAAO;gBACL,MAAM,EAAE;oBACN,GAAG,UAAU;oBACb,OAAO,EAAE;wBACP,OAAO,EAAE,KAAK;wBACd,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,IAAI,KAAK;qBAC5D;oBACD,cAAc,EAAE;wBACd,IAAI,EAAE,MAAM;wBACZ,OAAO,EAAE;4BACP,QAAQ,EAAE,QAAQ;4BAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;4BACtB,MAAM,EAAE,UAAU;yBACnB;qBACF;iBACF;aACF,CAAC;QACJ,CAAC;QAED,gBAAgB;QAChB,MAAM,UAAU,GAAG,IAAI,4BAA4B,CAAC;YAClD,WAAW,EAAE,kBAAkB;SAChC,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,uCAAuC,CAAC,CAAC;QAEvF,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,qDAAqD,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC;QACpF,CAAC;QAED,OAAO;YACL,MAAM,EAAE;gBACN,GAAG,UAAU;gBACb,OAAO,EAAE;oBACP,OAAO,EAAE,IAAI;oBACb,sBAAsB,EAAE,GAAG,CAAC,sBAAsB,IAAI,KAAK;iBAC5D;gBACD,cAAc,EAAE;oBACd,IAAI,EAAE,qCAAqC;oBAC3C,OAAO,EAAE;wBACP,KAAK,EAAE,WAAW,CAAC,KAAK;qBACzB;iBACF;aACF;YACD,SAAS,EAAE,WAAW,EAAE,kBAAkB;gBACxC,CAAC,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC;gBAC1C,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;SAC1C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,IAAI,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1D,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,sCAAsC,IAAI,GAAG,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;CACF;AAED,qBAAqB;AACrB,IAAI,kBAAsC,CAAC;AAE3C,MAAM,UAAU,qBAAqB;IACnC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;QACxD,kBAAkB,GAAG,IAAI,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,kBAAkB,CAAC;AAC5B,CAAC"}

package/dist/config/ScriptManager.d.ts

@@ -0,0 +1,69 @@
+import { TierLevel } from "./EnvironmentManager.js";
+export interface ScriptParameter {
+    name: string;
+    type: "string" | "number" | "boolean";
+    required?: boolean;
+    default?: string | number | boolean;
+    description?: string;
+}
+export interface ScriptDefinition {
+    name: string;
+    description: string;
+    file: string;
+    parameters?: ScriptParameter[];
+    allowedEnvironments?: string[];
+    deniedEnvironments?: string[];
+    tier?: TierLevel;
+    requiresApproval?: boolean;
+    readonly?: boolean;
+}
+export interface ScriptsManifest {
+    scripts: ScriptDefinition[];
+}
+export interface LoadedScript extends ScriptDefinition {
+    sql: string;
+}
+export declare class ScriptManager {
+    private readonly scriptsPath;
+    private readonly scripts;
+    private loaded;
+    constructor(scriptsPath?: string);
+    /**
+     * Load scripts from the configured path
+     */
+    private loadScripts;
+    /**
+     * Get all available scripts
+     */
+    listScripts(): LoadedScript[];
+    /**
+     * Get a specific script by name
+     */
+    getScript(name: string): LoadedScript | undefined;
+    /**
+     * Check if a script can run in a given environment
+     */
+    canRunInEnvironment(scriptName: string, environmentName: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Resolve script parameters into the SQL template
+     * Parameters in SQL use @paramName syntax
+     */
+    resolveParameters(script: LoadedScript, providedParams: Record<string, any>): {
+        sql: string;
+        errors: string[];
+    };
+    /**
+     * Get the scripts path (for display/debugging)
+     */
+    getScriptsPath(): string | null;
+    /**
+     * Check if scripts are configured
+     */
+    isConfigured(): boolean;
+}
+export declare function getScriptManager(scriptsPath?: string): ScriptManager;
+export declare function initScriptManager(scriptsPath?: string): void;
+//# sourceMappingURL=ScriptManager.d.ts.map