@connorbritain/mssql-mcp-reader 0.1.0

package/README.md

@@ -0,0 +1,106 @@
+# MSSQL MCP Reader
+
+[![npm version](https://img.shields.io/npm/v/@connorbritain/mssql-mcp-reader.svg)](https://www.npmjs.com/package/@connorbritain/mssql-mcp-reader)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Read-only Model Context Protocol server for Microsoft SQL Server.**
+
+Safe schema discovery, profiling, and querying with zero risk of data modification. Ideal for analysts, auditors, and anyone who needs database exploration without write access.
+
+## Package Tiers
+
+| Package | npm | Tools | Use Case |
+|---------|-----|-------|----------|
+| **mssql-mcp-reader** (this) | `@connorbritain/mssql-mcp-reader` | 14 read-only | Analysts, auditors, safe exploration |
+| **[mssql-mcp-writer](https://github.com/ConnorBritain/mssql-mcp-writer)** | `@connorbritain/mssql-mcp-writer` | 17 (reader + data ops) | Data engineers, ETL developers |
+| **[mssql-mcp-server](https://github.com/ConnorBritain/mssql-mcp-server)** | `@connorbritain/mssql-mcp-server` | 20 (all tools) | DBAs, full admin access |
+
+---
+
+## Tools Included
+
+| Category | Tools |
+|----------|-------|
+| **Discovery** | `search_schema`, `describe_table`, `list_table`, `list_databases`, `list_environments` |
+| **Profiling** | `profile_table`, `inspect_relationships`, `inspect_dependencies`, `explain_query` |
+| **Querying** | `read_data` (SELECT only) |
+| **Scripts** | `list_scripts`, `run_script` (readonly scripts only) |
+| **Operations** | `test_connection`, `validate_environment_config` |
+
+**Not included:** `insert_data`, `update_data`, `delete_data`, `create_table`, `create_index`, `drop_table`
+
+---
+
+## Quick Start
+
+### Install
+
+```bash
+npm install -g @connorbritain/mssql-mcp-reader@latest
+```
+
+### MCP Client Configuration
+
+```json
+{
+  "mcpServers": {
+    "mssql": {
+      "command": "npx",
+      "args": ["@connorbritain/mssql-mcp-reader@latest"],
+      "env": {
+        "SERVER_NAME": "127.0.0.1",
+        "DATABASE_NAME": "mydb",
+        "SQL_AUTH_MODE": "sql",
+        "SQL_USERNAME": "readonly_user",
+        "SQL_PASSWORD": "YourPassword123"
+      }
+    }
+  }
+}
+```
+
+---
+
+## Configuration
+
+| Variable | Required | Notes |
+|----------|----------|-------|
+| `SERVER_NAME` | Yes | SQL Server hostname/IP |
+| `DATABASE_NAME` | Yes | Target database |
+| `SQL_AUTH_MODE` | | `sql`, `windows`, or `aad` (default: `aad`) |
+| `SQL_USERNAME` / `SQL_PASSWORD` | | Required for `sql`/`windows` modes |
+| `ENVIRONMENTS_CONFIG_PATH` | | Path to multi-environment JSON config |
+| `SCRIPTS_PATH` | | Path to named SQL scripts directory |
+| `AUDIT_LOG_PATH` | | Custom audit log path |
+
+---
+
+## Features
+
+All packages in the MSSQL MCP family share:
+
+- **Multi-environment support** - Named database environments (prod, staging, dev) with per-environment policies
+- **Governance controls** - `allowedTools`, `deniedTools`, `allowedSchemas`, `deniedSchemas`, `requireApproval`
+- **Audit logging** - JSON Lines logs with session IDs and auto-redaction
+- **Secret management** - `${secret:NAME}` placeholders for secure credential handling
+- **Named SQL scripts** - Pre-approved parameterized queries with governance controls
+
+---
+
+## Documentation
+
+Full documentation, configuration examples, and governance details are available in the main repository:
+
+**[MSSQL MCP Server Documentation](https://github.com/ConnorBritain/mssql-mcp-server#readme)**
+
+---
+
+## License
+
+MIT License. See [LICENSE](./LICENSE) for details.
+
+---
+
+**Repository:** https://github.com/ConnorBritain/mssql-mcp-reader
+**Issues:** https://github.com/ConnorBritain/mssql-mcp-reader/issues
+**npm:** https://www.npmjs.com/package/@connorbritain/mssql-mcp-reader

package/dist/audit/AuditLogger.d.ts

@@ -0,0 +1,37 @@
+export type AuditLevel = "none" | "basic" | "verbose";
+export interface AuditLogEntry {
+    timestamp: string;
+    toolName: string;
+    environment?: string;
+    arguments?: Record<string, any>;
+    result?: {
+        success: boolean;
+        recordCount?: number;
+        error?: string;
+        data?: any;
+    };
+    durationMs?: number;
+    sessionId?: string;
+    userId?: string;
+}
+export declare class AuditLogger {
+    private readonly logFilePath;
+    private readonly enabled;
+    private readonly redactSensitiveData;
+    constructor();
+    private ensureLogDirectory;
+    private redactArguments;
+    log(entry: AuditLogEntry): void;
+    logToolInvocation(toolName: string, args: any, result: any, durationMs: number, options?: {
+        sessionId?: string;
+        userId?: string;
+        environment?: string;
+        auditLevel?: AuditLevel;
+    }): void;
+    /**
+     * Truncate result data for verbose logging to prevent huge log entries
+     */
+    private truncateResultData;
+}
+export declare const auditLogger: AuditLogger;
+//# sourceMappingURL=AuditLogger.d.ts.map

package/dist/audit/AuditLogger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLogger.d.ts","sourceRoot":"","sources":["../../src/audit/AuditLogger.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAChC,MAAM,CAAC,EAAE;QACP,OAAO,EAAE,OAAO,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,GAAG,CAAC;KACZ,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAU;;IAoB9C,OAAO,CAAC,kBAAkB;IAS1B,OAAO,CAAC,eAAe;IA6BvB,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAkB/B,iBAAiB,CACf,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,GAAG,EACT,MAAM,EAAE,GAAG,EACX,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QACR,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,UAAU,CAAC;KACzB,GACA,IAAI;IA+CP;;OAEG;IACH,OAAO,CAAC,kBAAkB;CA2B3B;AAGD,eAAO,MAAM,WAAW,aAAoB,CAAC"}

package/dist/audit/AuditLogger.js

@@ -0,0 +1,145 @@
+import * as fs from "fs";
+import * as path from "path";
+export class AuditLogger {
+    constructor() {
+        // Read config from env vars
+        const logPath = process.env.AUDIT_LOG_PATH;
+        this.enabled = process.env.AUDIT_LOGGING !== "false"; // Enabled by default
+        this.redactSensitiveData = process.env.AUDIT_REDACT_SENSITIVE !== "false"; // Redact by default
+        if (this.enabled && logPath) {
+            this.logFilePath = path.resolve(logPath);
+            this.ensureLogDirectory();
+        }
+        else if (this.enabled) {
+            // Default to logs/audit.jsonl in the project root
+            this.logFilePath = path.resolve(process.cwd(), "logs", "audit.jsonl");
+            this.ensureLogDirectory();
+        }
+        else {
+            this.logFilePath = "";
+        }
+    }
+    ensureLogDirectory() {
+        if (!this.logFilePath)
+            return;
+        const dir = path.dirname(this.logFilePath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+    }
+    redactArguments(args) {
+        if (!this.redactSensitiveData) {
+            return args;
+        }
+        const redacted = { ...args };
+        const sensitiveKeys = [
+            "password",
+            "secret",
+            "token",
+            "key",
+            "authorization",
+            "auth",
+            "credential",
+        ];
+        for (const [key, value] of Object.entries(redacted)) {
+            const lowerKey = key.toLowerCase();
+            if (sensitiveKeys.some((sensitive) => lowerKey.includes(sensitive))) {
+                redacted[key] = "[REDACTED]";
+            }
+            else if (typeof value === "string" && value.length > 500) {
+                // Truncate very long strings (likely large query results)
+                redacted[key] = value.substring(0, 500) + "... [TRUNCATED]";
+            }
+        }
+        return redacted;
+    }
+    log(entry) {
+        if (!this.enabled || !this.logFilePath) {
+            return;
+        }
+        try {
+            const logEntry = {
+                ...entry,
+                arguments: entry.arguments ? this.redactArguments(entry.arguments) : undefined,
+            };
+            const logLine = JSON.stringify(logEntry) + "\n";
+            fs.appendFileSync(this.logFilePath, logLine, { encoding: "utf-8" });
+        }
+        catch (error) {
+            console.error("Failed to write audit log:", error);
+        }
+    }
+    logToolInvocation(toolName, args, result, durationMs, options) {
+        const auditLevel = options?.auditLevel ?? "basic";
+        // Skip logging entirely for 'none' level
+        if (auditLevel === "none") {
+            return;
+        }
+        // Basic level: minimal info (tool name, success, timing, environment)
+        if (auditLevel === "basic") {
+            const entry = {
+                timestamp: new Date().toISOString(),
+                toolName,
+                environment: options?.environment,
+                result: {
+                    success: result?.success ?? false,
+                    recordCount: result?.recordCount ?? result?.rowsAffected,
+                    error: result?.error,
+                },
+                durationMs: Math.round(durationMs),
+                sessionId: options?.sessionId,
+                userId: options?.userId,
+            };
+            this.log(entry);
+            return;
+        }
+        // Verbose level: full arguments and result data
+        const entry = {
+            timestamp: new Date().toISOString(),
+            toolName,
+            environment: options?.environment,
+            arguments: args || {},
+            result: {
+                success: result?.success ?? false,
+                recordCount: result?.recordCount ?? result?.rowsAffected,
+                error: result?.error,
+                data: this.truncateResultData(result?.data),
+            },
+            durationMs: Math.round(durationMs),
+            sessionId: options?.sessionId,
+            userId: options?.userId,
+        };
+        this.log(entry);
+    }
+    /**
+     * Truncate result data for verbose logging to prevent huge log entries
+     */
+    truncateResultData(data) {
+        if (!data)
+            return undefined;
+        // If it's an array, limit to first 10 items
+        if (Array.isArray(data)) {
+            if (data.length > 10) {
+                return {
+                    _truncated: true,
+                    _totalCount: data.length,
+                    items: data.slice(0, 10),
+                };
+            }
+            return data;
+        }
+        // If it's a large object (stringified > 10KB), truncate
+        const stringified = JSON.stringify(data);
+        if (stringified.length > 10000) {
+            return {
+                _truncated: true,
+                _originalSize: stringified.length,
+                preview: stringified.substring(0, 1000) + "...",
+            };
+        }
+        return data;
+    }
+}
+// Singleton instance
+export const auditLogger = new AuditLogger();
+//# sourceMappingURL=AuditLogger.js.map

package/dist/audit/AuditLogger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLogger.js","sourceRoot":"","sources":["../../src/audit/AuditLogger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAoB7B,MAAM,OAAO,WAAW;IAKtB;QACE,4BAA4B;QAC5B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,OAAO,CAAC,CAAC,qBAAqB;QAC3E,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,OAAO,CAAC,CAAC,oBAAoB;QAE/F,IAAI,IAAI,CAAC,OAAO,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YACzC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5B,CAAC;aAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACxB,kDAAkD;YAClD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC;YACtE,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,WAAW,GAAG,EAAE,CAAC;QACxB,CAAC;IACH,CAAC;IAEO,kBAAkB;QACxB,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,OAAO;QAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,IAAyB;QAC/C,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;QAC7B,MAAM,aAAa,GAAG;YACpB,UAAU;YACV,QAAQ;YACR,OAAO;YACP,KAAK;YACL,eAAe;YACf,MAAM;YACN,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YACnC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;gBACpE,QAAQ,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAC/B,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBAC3D,0DAA0D;gBAC1D,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,iBAAiB,CAAC;YAC9D,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,GAAG,CAAC,KAAoB;QACtB,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG;gBACf,GAAG,KAAK;gBACR,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;aAC/E,CAAC;YAEF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;YAChD,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,iBAAiB,CACf,QAAgB,EAChB,IAAS,EACT,MAAW,EACX,UAAkB,EAClB,OAKC;QAED,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,OAAO,CAAC;QAElD,yCAAyC;QACzC,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAkB;gBAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,QAAQ;gBACR,WAAW,EAAE,OAAO,EAAE,WAAW;gBACjC,MAAM,EAAE;oBACN,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,KAAK;oBACjC,WAAW,EAAE,MAAM,EAAE,WAAW,IAAI,MAAM,EAAE,YAAY;oBACxD,KAAK,EAAE,MAAM,EAAE,KAAK;iBACrB;gBACD,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;gBAClC,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAChB,OAAO;QACT,CAAC;QAED,gDAAgD;QAChD,MAAM,KAAK,GAAkB;YAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,QAAQ;YACR,WAAW,EAAE,OAAO,EAAE,WAAW;YACjC,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,MAAM,EAAE;gBACN,OAAO,EAAE,MAAM,EAAE,OAAO,IAAI,KAAK;gBACjC,WAAW,EAAE,MAAM,EAAE,WAAW,IAAI,MAAM,EAAE,YAAY;gBACxD,KAAK,EAAE,MAAM,EAAE,KAAK;gBACpB,IAAI,EAAE,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC;aAC5C;YACD,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;YAClC,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,MAAM,EAAE,OAAO,EAAE,MAAM;SACxB,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,IAAS;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAC;QAE5B,4CAA4C;QAC5C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACrB,OAAO;oBACL,UAAU,EAAE,IAAI;oBAChB,WAAW,EAAE,IAAI,CAAC,MAAM;oBACxB,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACzB,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,wDAAwD;QACxD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,WAAW,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;YAC/B,OAAO;gBACL,UAAU,EAAE,IAAI;gBAChB,aAAa,EAAE,WAAW,CAAC,MAAM;gBACjC,OAAO,EAAE,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,KAAK;aAChD,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,qBAAqB;AACrB,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/config/EnvironmentManager.d.ts

@@ -0,0 +1,70 @@
+import sql from "mssql";
+export type AccessLevel = "server" | "database";
+export type TierLevel = "reader" | "writer" | "admin";
+export type AuditLevel = "none" | "basic" | "verbose";
+export interface EnvironmentConfig {
+    name: string;
+    description?: string;
+    server: string;
+    database: string;
+    port?: number;
+    authMode: "sql" | "windows" | "aad";
+    username?: string;
+    password?: string;
+    domain?: string;
+    trustServerCertificate?: boolean;
+    connectionTimeout?: number;
+    readonly?: boolean;
+    allowedTools?: string[];
+    deniedTools?: string[];
+    maxRowsDefault?: number;
+    requireApproval?: boolean;
+    auditLevel?: AuditLevel;
+    accessLevel?: AccessLevel;
+    allowedDatabases?: string[] | "*";
+    deniedDatabases?: string[];
+    allowedSchemas?: string[];
+    deniedSchemas?: string[];
+    tier?: TierLevel;
+}
+export interface EnvironmentsConfig {
+    defaultEnvironment?: string;
+    environments: EnvironmentConfig[];
+    scriptsPath?: string;
+}
+export declare class EnvironmentManager {
+    private readonly environments;
+    private defaultEnvironment?;
+    private readonly connections;
+    constructor(configPath?: string);
+    private loadFromFile;
+    private loadFromEnvVars;
+    getEnvironment(name?: string): EnvironmentConfig;
+    listEnvironments(): EnvironmentConfig[];
+    /**
+     * Check if the environment allows access to a specific database.
+     * For database-level access, only the configured database is allowed.
+     * For server-level access, checks allowedDatabases/deniedDatabases.
+     */
+    isDatabaseAllowed(environmentName: string | undefined, databaseName: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Check if a schema.table reference is allowed based on allowedSchemas/deniedSchemas.
+     * Pattern matching supports wildcards (e.g., "audit.*", "*.sensitive_*")
+     */
+    isSchemaAllowed(environmentName: string | undefined, schemaName: string, tableName?: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Simple wildcard pattern matching (supports * as wildcard)
+     */
+    private matchesPattern;
+    getConnection(environmentName?: string): Promise<sql.ConnectionPool>;
+    private createSqlConfig;
+    closeAll(): Promise<void>;
+}
+export declare function getEnvironmentManager(): EnvironmentManager;
+//# sourceMappingURL=EnvironmentManager.d.ts.map

package/dist/config/EnvironmentManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EnvironmentManager.d.ts","sourceRoot":"","sources":["../../src/config/EnvironmentManager.ts"],"names":[],"mappings":"AAGA,OAAO,GAAG,MAAM,OAAO,CAAC;AAExB,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,UAAU,CAAC;AAChD,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC;AACtD,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,KAAK,GAAG,SAAS,GAAG,KAAK,CAAC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAG3B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,UAAU,CAAC,EAAE,UAAU,CAAC;IAGxB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAG3B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAGzB,IAAI,CAAC,EAAE,SAAS,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,iBAAiB,EAAE,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAmCD,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAiC;IAC9D,OAAO,CAAC,kBAAkB,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA8D;gBAE9E,UAAU,CAAC,EAAE,MAAM;IAa/B,OAAO,CAAC,YAAY;IA2BpB,OAAO,CAAC,eAAe;IA+BvB,cAAc,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,iBAAiB;IAahD,gBAAgB,IAAI,iBAAiB,EAAE;IAIvC;;;;OAIG;IACH,iBAAiB,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,EAAE,YAAY,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA4CnH;;;OAGG;IACH,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAiCnI;;OAEG;IACH,OAAO,CAAC,cAAc;IAQhB,aAAa,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;YA2B5D,eAAe;IAoFvB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAShC;AAKD,wBAAgB,qBAAqB,IAAI,kBAAkB,CAM1D"}

package/dist/config/EnvironmentManager.js

@@ -0,0 +1,301 @@
+import * as fs from "fs";
+import * as path from "path";
+import { InteractiveBrowserCredential } from "@azure/identity";
+import sql from "mssql";
+/**
+ * Resolves secret placeholders in the format ${secret:NAME}
+ * Currently supports environment variables; extensible for Key Vault, etc.
+ */
+function resolveSecrets(value) {
+    if (!value)
+        return value;
+    const secretPattern = /\$\{secret:([^}]+)\}/g;
+    return value.replace(secretPattern, (match, secretName) => {
+        const envValue = process.env[secretName];
+        if (envValue === undefined) {
+            console.warn(`Secret '${secretName}' not found in environment variables`);
+            return match; // Return original placeholder if not found
+        }
+        return envValue;
+    });
+}
+/**
+ * Recursively resolves secrets in an object's string values
+ */
+function resolveSecretsInConfig(config) {
+    const resolved = { ...config };
+    for (const [key, value] of Object.entries(resolved)) {
+        if (typeof value === "string") {
+            resolved[key] = resolveSecrets(value);
+        }
+        else if (value && typeof value === "object" && !Array.isArray(value)) {
+            resolved[key] = resolveSecretsInConfig(value);
+        }
+    }
+    return resolved;
+}
+export class EnvironmentManager {
+    constructor(configPath) {
+        this.environments = new Map();
+        this.connections = new Map();
+        // Try to load from config file first
+        if (configPath) {
+            this.loadFromFile(configPath);
+        }
+        else {
+            // Fall back to environment variables for single environment
+            this.loadFromEnvVars();
+        }
+    }
+    loadFromFile(configPath) {
+        try {
+            const resolvedPath = path.resolve(configPath);
+            if (!fs.existsSync(resolvedPath)) {
+                console.warn(`Environment config file not found at ${resolvedPath}, falling back to env vars`);
+                this.loadFromEnvVars();
+                return;
+            }
+            const configContent = fs.readFileSync(resolvedPath, "utf-8");
+            const config = JSON.parse(configContent);
+            this.defaultEnvironment = config.defaultEnvironment;
+            for (const env of config.environments) {
+                // Resolve any secret placeholders in the config
+                const resolvedEnv = resolveSecretsInConfig(env);
+                this.environments.set(resolvedEnv.name, resolvedEnv);
+            }
+            console.log(`Loaded ${this.environments.size} environment(s) from ${resolvedPath}`);
+        }
+        catch (error) {
+            console.error(`Failed to load environment config: ${error}`);
+            this.loadFromEnvVars();
+        }
+    }
+    loadFromEnvVars() {
+        const server = process.env.SERVER_NAME;
+        const database = process.env.DATABASE_NAME;
+        if (!server || !database) {
+            throw new Error("No environment config file provided and SERVER_NAME/DATABASE_NAME env vars not set");
+        }
+        const defaultEnv = {
+            name: "default",
+            server,
+            database,
+            port: process.env.SQL_PORT ? parseInt(process.env.SQL_PORT, 10) : undefined,
+            authMode: process.env.SQL_AUTH_MODE?.toLowerCase() ?? "aad",
+            username: process.env.SQL_USERNAME,
+            password: process.env.SQL_PASSWORD,
+            domain: process.env.SQL_DOMAIN,
+            trustServerCertificate: process.env.TRUST_SERVER_CERTIFICATE?.toLowerCase() === "true",
+            connectionTimeout: process.env.CONNECTION_TIMEOUT
+                ? parseInt(process.env.CONNECTION_TIMEOUT, 10)
+                : 30,
+            readonly: process.env.READONLY === "true",
+        };
+        this.environments.set("default", defaultEnv);
+        this.defaultEnvironment = "default";
+        console.log("Loaded default environment from environment variables");
+    }
+    getEnvironment(name) {
+        const targetName = name || this.defaultEnvironment || "default";
+        const env = this.environments.get(targetName);
+        if (!env) {
+            throw new Error(`Environment '${targetName}' not found. Available: ${Array.from(this.environments.keys()).join(", ")}`);
+        }
+        return env;
+    }
+    listEnvironments() {
+        return Array.from(this.environments.values());
+    }
+    /**
+     * Check if the environment allows access to a specific database.
+     * For database-level access, only the configured database is allowed.
+     * For server-level access, checks allowedDatabases/deniedDatabases.
+     */
+    isDatabaseAllowed(environmentName, databaseName) {
+        const env = this.getEnvironment(environmentName);
+        const accessLevel = env.accessLevel ?? "database";
+        // Database-level access: only the configured database is allowed
+        if (accessLevel === "database") {
+            if (databaseName.toLowerCase() !== env.database.toLowerCase()) {
+                return {
+                    allowed: false,
+                    reason: `Environment '${env.name}' has database-level access and is restricted to database '${env.database}'. Cannot access '${databaseName}'.`,
+                };
+            }
+            return { allowed: true };
+        }
+        // Server-level access: check allow/deny lists
+        const deniedDatabases = env.deniedDatabases ?? [];
+        const allowedDatabases = env.allowedDatabases;
+        // Check denied list first (takes precedence)
+        if (deniedDatabases.some((db) => db.toLowerCase() === databaseName.toLowerCase())) {
+            return {
+                allowed: false,
+                reason: `Database '${databaseName}' is in the denied list for environment '${env.name}'.`,
+            };
+        }
+        // Check allowed list
+        if (allowedDatabases === "*") {
+            return { allowed: true };
+        }
+        if (Array.isArray(allowedDatabases) && allowedDatabases.length > 0) {
+            if (!allowedDatabases.some((db) => db.toLowerCase() === databaseName.toLowerCase())) {
+                return {
+                    allowed: false,
+                    reason: `Database '${databaseName}' is not in the allowed list for environment '${env.name}'. Allowed: ${allowedDatabases.join(", ")}.`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check if a schema.table reference is allowed based on allowedSchemas/deniedSchemas.
+     * Pattern matching supports wildcards (e.g., "audit.*", "*.sensitive_*")
+     */
+    isSchemaAllowed(environmentName, schemaName, tableName) {
+        const env = this.getEnvironment(environmentName);
+        const fullRef = tableName ? `${schemaName}.${tableName}` : schemaName;
+        const deniedSchemas = env.deniedSchemas ?? [];
+        const allowedSchemas = env.allowedSchemas;
+        // Check denied patterns first
+        for (const pattern of deniedSchemas) {
+            if (this.matchesPattern(fullRef, pattern) || this.matchesPattern(schemaName, pattern)) {
+                return {
+                    allowed: false,
+                    reason: `Schema/table '${fullRef}' matches denied pattern '${pattern}' in environment '${env.name}'.`,
+                };
+            }
+        }
+        // If allowedSchemas is specified, check against it
+        if (allowedSchemas && allowedSchemas.length > 0) {
+            const isAllowed = allowedSchemas.some((pattern) => this.matchesPattern(fullRef, pattern) || this.matchesPattern(schemaName, pattern));
+            if (!isAllowed) {
+                return {
+                    allowed: false,
+                    reason: `Schema/table '${fullRef}' does not match any allowed pattern in environment '${env.name}'. Allowed: ${allowedSchemas.join(", ")}.`,
+                };
+            }
+        }
+        return { allowed: true };
+    }
+    /**
+     * Simple wildcard pattern matching (supports * as wildcard)
+     */
+    matchesPattern(value, pattern) {
+        const regexPattern = pattern
+            .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // Escape special regex chars except *
+            .replace(/\*/g, ".*"); // Convert * to .*
+        const regex = new RegExp(`^${regexPattern}$`, "i");
+        return regex.test(value);
+    }
+    async getConnection(environmentName) {
+        const env = this.getEnvironment(environmentName);
+        const cached = this.connections.get(env.name);
+        // Check if we have a valid cached connection
+        if (cached &&
+            cached.pool.connected &&
+            (!cached.expiresOn || cached.expiresOn > new Date(Date.now() + 2 * 60 * 1000))) {
+            return cached.pool;
+        }
+        // Create new connection
+        const { config, expiresOn } = await this.createSqlConfig(env);
+        // Close old connection if exists
+        if (cached?.pool && cached.pool.connected) {
+            await cached.pool.close();
+        }
+        const pool = await sql.connect(config);
+        this.connections.set(env.name, { pool, expiresOn });
+        return pool;
+    }
+    async createSqlConfig(env) {
+        const baseConfig = {
+            server: env.server,
+            database: env.database,
+            port: env.port,
+            connectionTimeout: (env.connectionTimeout || 30) * 1000,
+        };
+        if (env.authMode === "sql") {
+            if (!env.username || !env.password) {
+                throw new Error(`Environment '${env.name}' requires username and password for SQL auth`);
+            }
+            return {
+                config: {
+                    ...baseConfig,
+                    user: env.username,
+                    password: env.password,
+                    options: {
+                        encrypt: false,
+                        trustServerCertificate: env.trustServerCertificate ?? false,
+                    },
+                },
+            };
+        }
+        if (env.authMode === "windows") {
+            if (!env.username || !env.password) {
+                throw new Error(`Environment '${env.name}' requires username and password for Windows auth`);
+            }
+            return {
+                config: {
+                    ...baseConfig,
+                    options: {
+                        encrypt: false,
+                        trustServerCertificate: env.trustServerCertificate ?? false,
+                    },
+                    authentication: {
+                        type: "ntlm",
+                        options: {
+                            userName: env.username,
+                            password: env.password,
+                            domain: env.domain || "",
+                        },
+                    },
+                },
+            };
+        }
+        // Azure AD auth
+        const credential = new InteractiveBrowserCredential({
+            redirectUri: "http://localhost",
+        });
+        const accessToken = await credential.getToken("https://database.windows.net/.default");
+        if (!accessToken?.token) {
+            throw new Error(`Failed to acquire Azure AD token for environment '${env.name}'`);
+        }
+        return {
+            config: {
+                ...baseConfig,
+                options: {
+                    encrypt: true,
+                    trustServerCertificate: env.trustServerCertificate ?? false,
+                },
+                authentication: {
+                    type: "azure-active-directory-access-token",
+                    options: {
+                        token: accessToken.token,
+                    },
+                },
+            },
+            expiresOn: accessToken?.expiresOnTimestamp
+                ? new Date(accessToken.expiresOnTimestamp)
+                : new Date(Date.now() + 30 * 60 * 1000),
+        };
+    }
+    async closeAll() {
+        for (const [name, { pool }] of this.connections.entries()) {
+            if (pool.connected) {
+                await pool.close();
+                console.log(`Closed connection for environment '${name}'`);
+            }
+        }
+        this.connections.clear();
+    }
+}
+// Singleton instance
+let environmentManager;
+export function getEnvironmentManager() {
+    if (!environmentManager) {
+        const configPath = process.env.ENVIRONMENTS_CONFIG_PATH;
+        environmentManager = new EnvironmentManager(configPath);
+    }
+    return environmentManager;
+}
+//# sourceMappingURL=EnvironmentManager.js.map