@dbx-app/node-core 0.4.3

package/dist/sql-safety.js

@@ -0,0 +1,103 @@
+const READ_KEYWORDS = new Set(["select", "with", "show", "describe", "desc", "explain"]);
+const DANGEROUS_KEYWORDS = new Set(["drop", "truncate", "alter"]);
+export function evaluateSqlSafety(sql, options = {}) {
+    const statements = splitSqlStatements(sql);
+    if (statements.length === 0)
+        return { allowed: false, reason: "SQL is empty." };
+    if (statements.length > 1)
+        return { allowed: false, reason: "Only one SQL statement is allowed per MCP query." };
+    const normalized = stripSqlCommentsAndStrings(statements[0]).trim();
+    const firstKeyword = normalized.match(/^[a-zA-Z_]+/)?.[0]?.toLowerCase();
+    if (!firstKeyword)
+        return { allowed: false, reason: "SQL statement is not recognized." };
+    const tokens = normalized.toLowerCase().match(/[a-z_]+/g) ?? [];
+    const dangerous = tokens.find((token) => DANGEROUS_KEYWORDS.has(token));
+    if (dangerous && !options.allowDangerous) {
+        return { allowed: false, reason: `Dangerous SQL keyword "${dangerous.toUpperCase()}" is blocked.` };
+    }
+    if (!options.allowWrites && !READ_KEYWORDS.has(firstKeyword)) {
+        return {
+            allowed: false,
+            reason: "MCP SQL execution is read-only by default. Set DBX_MCP_ALLOW_WRITES=1 to allow write statements.",
+        };
+    }
+    if (options.allowWrites && !options.allowDangerous) {
+        if (firstKeyword === "update" && !tokens.includes("where")) {
+            return { allowed: false, reason: "UPDATE statements must include a WHERE clause." };
+        }
+        if (firstKeyword === "delete" && !tokens.includes("where")) {
+            return { allowed: false, reason: "DELETE statements must include a WHERE clause." };
+        }
+    }
+    return { allowed: true };
+}
+export function sqlSafetyFromEnv(env = process.env) {
+    return {
+        allowWrites: env.DBX_MCP_ALLOW_WRITES === "1" || env.DBX_MCP_ALLOW_WRITES === "true",
+        allowDangerous: env.DBX_MCP_ALLOW_DANGEROUS_SQL === "1" || env.DBX_MCP_ALLOW_DANGEROUS_SQL === "true",
+    };
+}
+function splitSqlStatements(sql) {
+    const statements = [];
+    let current = "";
+    let quote = null;
+    let inLineComment = false;
+    let inBlockComment = false;
+    for (let i = 0; i < sql.length; i++) {
+        const char = sql[i];
+        const next = sql[i + 1];
+        if (inLineComment) {
+            current += char;
+            if (char === "\n")
+                inLineComment = false;
+            continue;
+        }
+        if (inBlockComment) {
+            current += char;
+            if (char === "*" && next === "/") {
+                current += next;
+                i++;
+                inBlockComment = false;
+            }
+            continue;
+        }
+        if (quote) {
+            current += char;
+            if (char === quote) {
+                if (next === quote) {
+                    current += next;
+                    i++;
+                }
+                else {
+                    quote = null;
+                }
+            }
+            continue;
+        }
+        if (char === "-" && next === "-")
+            inLineComment = true;
+        if (char === "/" && next === "*")
+            inBlockComment = true;
+        if (char === "'" || char === '"' || char === "`")
+            quote = char;
+        if (char === ";") {
+            if (current.trim())
+                statements.push(current.trim());
+            current = "";
+        }
+        else {
+            current += char;
+        }
+    }
+    if (current.trim())
+        statements.push(current.trim());
+    return statements;
+}
+function stripSqlCommentsAndStrings(sql) {
+    return sql
+        .replace(/--.*$/gm, " ")
+        .replace(/\/\*[\s\S]*?\*\//g, " ")
+        .replace(/'([^']|'')*'/g, "''")
+        .replace(/"([^"]|"")*"/g, '""')
+        .replace(/`([^`]|``)*`/g, "``");
+}

package/dist/web-backend.d.ts

@@ -0,0 +1,9 @@
+import type { ConnectionConfig } from "./connections.js";
+import type { TableInfo, ColumnInfo, QueryOptions, QueryResult } from "./database.js";
+export declare function loadConnections(): Promise<ConnectionConfig[]>;
+export declare function findConnection(name: string): Promise<ConnectionConfig | undefined>;
+export declare function addConnection(config: Omit<ConnectionConfig, "id">): Promise<ConnectionConfig>;
+export declare function removeConnection(name: string): Promise<boolean>;
+export declare function listTables(config: ConnectionConfig, schema?: string): Promise<TableInfo[]>;
+export declare function describeTable(config: ConnectionConfig, table: string, schema?: string): Promise<ColumnInfo[]>;
+export declare function executeQuery(config: ConnectionConfig, sql: string, options?: QueryOptions): Promise<QueryResult>;

package/dist/web-backend.js

@@ -0,0 +1,115 @@
+const baseUrl = process.env.DBX_WEB_URL.replace(/\/+$/, "");
+const password = process.env.DBX_WEB_PASSWORD || "";
+let sessionCookie = null;
+async function ensureAuth() {
+    if (sessionCookie)
+        return;
+    if (!password)
+        return; // no password set, assume no auth required
+    const res = await fetch(`${baseUrl}/api/auth/login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ password }),
+        redirect: "manual",
+    });
+    if (!res.ok) {
+        throw new Error(`Authentication failed: ${res.status} ${res.statusText}`);
+    }
+    const setCookie = res.headers.get("set-cookie");
+    if (setCookie) {
+        const match = setCookie.match(/dbx_session=([^;]+)/);
+        if (match) {
+            sessionCookie = match[1];
+        }
+    }
+}
+function headers(extra) {
+    const h = { "Content-Type": "application/json", ...extra };
+    if (sessionCookie) {
+        h["Cookie"] = `dbx_session=${sessionCookie}`;
+    }
+    return h;
+}
+async function apiFetch(path, init) {
+    await ensureAuth();
+    const res = await fetch(`${baseUrl}${path}`, {
+        ...init,
+        headers: headers(init?.headers),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`API request ${path} failed: ${res.status} ${res.statusText} ${body}`);
+    }
+    return res;
+}
+export async function loadConnections() {
+    const res = await apiFetch("/api/connection/list");
+    return res.json();
+}
+export async function findConnection(name) {
+    const connections = await loadConnections();
+    return connections.find((c) => c.name.toLowerCase() === name.toLowerCase());
+}
+export async function addConnection(config) {
+    const res = await apiFetch("/api/connection/save", {
+        method: "POST",
+        body: JSON.stringify({ configs: [config] }),
+    });
+    const saved = (await res.json());
+    return saved;
+}
+export async function removeConnection(name) {
+    const connection = await findConnection(name);
+    if (!connection)
+        return false;
+    await apiFetch(`/api/connection/delete?id=${encodeURIComponent(connection.id)}`, { method: "DELETE" });
+    return true;
+}
+async function ensureConnected(config) {
+    await apiFetch("/api/connection/connect", {
+        method: "POST",
+        body: JSON.stringify({ config }),
+    });
+}
+export async function listTables(config, schema) {
+    await ensureConnected(config);
+    const params = new URLSearchParams({
+        connection_id: config.id,
+        database: config.database || "",
+        schema: schema || "",
+    });
+    const res = await apiFetch(`/api/schema/tables?${params}`);
+    return res.json();
+}
+export async function describeTable(config, table, schema) {
+    await ensureConnected(config);
+    const params = new URLSearchParams({
+        connection_id: config.id,
+        database: config.database || "",
+        schema: schema || "",
+        table,
+    });
+    const res = await apiFetch(`/api/schema/columns?${params}`);
+    return res.json();
+}
+export async function executeQuery(config, sql, options) {
+    await ensureConnected(config);
+    const res = await apiFetch("/api/query/execute", {
+        method: "POST",
+        body: JSON.stringify({
+            connectionId: config.id,
+            database: config.database || "",
+            sql,
+        }),
+    });
+    const data = (await res.json());
+    const rows = data.rows.map((row) => {
+        const obj = {};
+        data.columns.forEach((col, i) => {
+            obj[col] = row[i];
+        });
+        return obj;
+    });
+    const limitedRows = rows.slice(0, options?.maxRows ?? rows.length);
+    return { columns: data.columns, rows: limitedRows, row_count: limitedRows.length };
+}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@dbx-app/node-core",
+  "version": "0.4.3",
+  "description": "Shared Node.js database and DBX connection utilities for DBX CLI and MCP server",
+  "type": "module",
+  "engines": {
+    "node": ">=22.13.0"
+  },
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": "./dist/index.js",
+    "./backend": "./dist/backend.js",
+    "./bridge": "./dist/bridge.js",
+    "./connections": "./dist/connections.js",
+    "./database": "./dist/database.js",
+    "./diagnostics": "./dist/diagnostics.js",
+    "./paths": "./dist/paths.js",
+    "./schema-context": "./dist/schema-context.js",
+    "./sql-safety": "./dist/sql-safety.js"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "better-sqlite3": "^12.9.0",
+    "keytar": "^7.9.0",
+    "mysql2": "^3.14.1",
+    "pg": "^8.16.0"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^22.15.21",
+    "@types/pg": "^8.15.4",
+    "tsx": "^4.19.4",
+    "typescript": "^5.8.3"
+  },
+  "scripts": {
+    "test": "tsx --test tests/*.test.ts",
+    "build": "tsc"
+  }
+}