@dbx-app/node-core 0.4.4 → 0.4.6

package/dist/connections.d.ts

@@ -10,6 +10,7 @@ export interface ConnectionConfig {
     database?: string;
     url_params?: string;
     ssh_enabled: boolean;
+    ssh_tunnels?: SshTunnelConfig[];
     proxy_enabled?: boolean;
     proxy_type?: "socks5" | "http";
     proxy_host?: string;
@@ -26,6 +27,19 @@ export interface ConnectionConfig {
     redis_sentinel_password?: string;
     redis_sentinel_tls?: boolean;
 }
+export interface SshTunnelConfig {
+    id: string;
+    name?: string;
+    enabled?: boolean;
+    host: string;
+    port: number;
+    user: string;
+    password?: string;
+    key_path?: string;
+    key_passphrase?: string;
+    connect_timeout_secs?: number;
+    expose_lan?: boolean;
+}
 export interface ConnectionStoreOptions {
     path?: string;
 }

package/dist/connections.js

@@ -143,6 +143,7 @@ export async function addConnection(config) {
         ssh_key_path: "",
         ssh_key_passphrase: "",
         ssh_expose_lan: false,
+        ssh_tunnels: normalized.ssh_tunnels ?? [],
         proxy_enabled: normalized.proxy_enabled ?? false,
         proxy_type: normalized.proxy_type ?? "socks5",
         proxy_host: normalized.proxy_host ?? "",

package/dist/database.js

@@ -4,6 +4,7 @@ import { join } from "node:path";
 import { homedir, platform } from "node:os";
 import Database from "better-sqlite3";
 import { sqlSafetyFromEnv } from "./sql-safety.js";
+import { isDirectQueryType } from "./diagnostics.js";
 const MAX_ROWS = 100;
 const IDLE_TIMEOUT_MS = 5 * 60 * 1000;
 const QUERY_TIMEOUT_MS = 30_000;
@@ -194,19 +195,6 @@ function portBytes(port) {
 function isMysqlType(dbType) {
     return dbType === "mysql" || dbType === "doris" || dbType === "starrocks";
 }
-function isDirectType(dbType) {
-    switch (dbType) {
-        case "postgres":
-        case "redshift":
-        case "mysql":
-        case "doris":
-        case "starrocks":
-        case "sqlite":
-            return true;
-        default:
-            return false;
-    }
-}
 function bridgeAppDataDir() {
     const home = homedir();
     switch (platform()) {
@@ -366,7 +354,7 @@ export async function executeQuery(config, sql, options) {
         }
         throw new Error("Use MongoDB shell-style commands, for example: db.projects.find({}).limit(100), db.projects.countDocuments({}), db.projects.insertOne({...}), db.projects.updateOne({...}, {$set: {...}}), or db.projects.deleteOne({...})");
     }
-    if (isDirectType(config.db_type)) {
+    if (isDirectQueryType(config.db_type)) {
         return query(config, sql, undefined, options);
     }
     const result = await withTimeout(bridgeDataRequest("/data/execute-query", {
@@ -389,7 +377,7 @@ export async function listTables(config, schema) {
         const result = await query(config, `SELECT name, type FROM sqlite_master WHERE type IN ('table', 'view') AND name NOT LIKE 'sqlite_%' ORDER BY name`);
         return result.rows.map((r) => ({ name: String(r.name || ""), type: String(r.type || "table") }));
     }
-    if (!isDirectType(config.db_type)) {
+    if (!isDirectQueryType(config.db_type)) {
         const tables = await bridgeDataRequest("/data/list-tables", {
             connection_name: config.name,
             database: config.database || "",
@@ -422,7 +410,7 @@ export async function describeTable(config, table, schema) {
             comment: null,
         }));
     }
-    if (!isDirectType(config.db_type)) {
+    if (!isDirectQueryType(config.db_type)) {
         const columns = await bridgeDataRequest("/data/describe-table", {
             connection_name: config.name,
             database: config.database || "",
@@ -743,7 +731,7 @@ function readChainedIntegerArgument(chain, method, fallback) {
     return Number(arg.trim());
 }
 function normalizeJsonArgument(arg) {
-    const value = (arg.trim() || "{}").replace(/ObjectId\s*\(\s*["']([^"']+)["']\s*\)/g, '{"$oid":"$1"}');
+    const value = quoteUnquotedObjectKeys(convertSingleQuotedStrings((arg.trim() || "{}").replace(/ObjectId\s*\(\s*["']([^"']+)["']\s*\)/g, '{"$oid":"$1"}')));
     try {
         JSON.parse(value);
         return value;
@@ -752,6 +740,100 @@ function normalizeJsonArgument(arg) {
         return null;
     }
 }
+function convertSingleQuotedStrings(source) {
+    let result = "";
+    let copiedUntil = 0;
+    let quote = null;
+    let start = 0;
+    let value = "";
+    let escaped = false;
+    for (let i = 0; i < source.length; i += 1) {
+        const char = source[i];
+        if (!quote) {
+            if (char === "'") {
+                quote = char;
+                start = i;
+                value = "";
+                escaped = false;
+            }
+            else if (char === '"') {
+                quote = char;
+            }
+            continue;
+        }
+        if (quote === '"') {
+            if (escaped)
+                escaped = false;
+            else if (char === "\\")
+                escaped = true;
+            else if (char === '"')
+                quote = null;
+            continue;
+        }
+        if (escaped) {
+            value += char;
+            escaped = false;
+        }
+        else if (char === "\\") {
+            escaped = true;
+        }
+        else if (char === "'") {
+            result += source.slice(copiedUntil, start) + JSON.stringify(value);
+            copiedUntil = i + 1;
+            quote = null;
+        }
+        else {
+            value += char;
+        }
+    }
+    return quote === "'" ? source : result + source.slice(copiedUntil);
+}
+function quoteUnquotedObjectKeys(source) {
+    let result = "";
+    let quote = null;
+    let escaped = false;
+    for (let i = 0; i < source.length; i += 1) {
+        const char = source[i];
+        if (quote) {
+            result += char;
+            if (escaped)
+                escaped = false;
+            else if (char === "\\")
+                escaped = true;
+            else if (char === quote)
+                quote = null;
+            continue;
+        }
+        if (char === '"' || char === "'") {
+            quote = char;
+            result += char;
+            continue;
+        }
+        if (/[A-Za-z_$]/.test(char) && shouldQuoteObjectKey(source, i)) {
+            let end = i + 1;
+            while (/[\w$]/.test(source[end] || ""))
+                end += 1;
+            result += `"${source.slice(i, end)}"`;
+            i = end - 1;
+            continue;
+        }
+        result += char;
+    }
+    return result;
+}
+function shouldQuoteObjectKey(source, index) {
+    let before = index - 1;
+    while (/\s/.test(source[before] || ""))
+        before -= 1;
+    if (source[before] !== "{" && source[before] !== ",")
+        return false;
+    let after = index + 1;
+    while (/[\w$]/.test(source[after] || ""))
+        after += 1;
+    while (/\s/.test(source[after] || ""))
+        after += 1;
+    return source[after] === ":";
+}
 function isEmptyJsonObject(json) {
     try {
         const parsed = JSON.parse(json);

package/dist/diagnostics.d.ts

@@ -1,5 +1,7 @@
 export declare const DIRECT_QUERY_TYPES: readonly ["postgres", "redshift", "mysql", "doris", "starrocks", "sqlite", "gaussdb", "opengauss"];
-export declare const BRIDGE_REQUIRED_TYPES: readonly ["redis", "mongodb", "duckdb", "clickhouse", "sqlserver", "oracle", "elasticsearch", "dameng", "kingbase", "highgo", "vastbase", "goldendb", "yashandb", "databricks", "saphana", "teradata", "vertica", "firebird", "exasol", "oceanbase-oracle", "gbase", "tdengine", "h2", "snowflake", "trino", "hive", "db2", "informix", "neo4j", "cassandra", "bigquery", "kylin", "sundb", "xugu", "jdbc", "access"];
+export type DirectQueryType = (typeof DIRECT_QUERY_TYPES)[number];
+export declare function isDirectQueryType(dbType: string): dbType is DirectQueryType;
+export declare const BRIDGE_REQUIRED_TYPES: readonly ["redis", "mongodb", "duckdb", "clickhouse", "sqlserver", "oracle", "elasticsearch", "dameng", "kingbase", "highgo", "vastbase", "goldendb", "yashandb", "databricks", "saphana", "teradata", "vertica", "firebird", "exasol", "oceanbase-oracle", "gbase", "tdengine", "h2", "snowflake", "trino", "hive", "db2", "informix", "iris", "neo4j", "cassandra", "bigquery", "kylin", "sundb", "xugu", "jdbc", "access"];
 export interface DbxDiagnostics {
     appDataDir: string;
     dbPath: string;

package/dist/diagnostics.js

@@ -1,7 +1,20 @@
 import { access, readFile } from "node:fs/promises";
 import { bridgePortFilePath, dbPath, appDataDir } from "./paths.js";
 import { inspectConnectionStore } from "./connections.js";
-export const DIRECT_QUERY_TYPES = ["postgres", "redshift", "mysql", "doris", "starrocks", "sqlite", "gaussdb", "opengauss"];
+export const DIRECT_QUERY_TYPES = [
+    "postgres",
+    "redshift",
+    "mysql",
+    "doris",
+    "starrocks",
+    "sqlite",
+    "gaussdb",
+    "opengauss",
+];
+const DIRECT_QUERY_TYPE_SET = new Set(DIRECT_QUERY_TYPES);
+export function isDirectQueryType(dbType) {
+    return DIRECT_QUERY_TYPE_SET.has(dbType);
+}
 export const BRIDGE_REQUIRED_TYPES = [
     "redis",
     "mongodb",
@@ -31,6 +44,7 @@ export const BRIDGE_REQUIRED_TYPES = [
     "hive",
     "db2",
     "informix",
+    "iris",
     "neo4j",
     "cassandra",
     "bigquery",

package/dist/entrypoint.d.ts

@@ -0,0 +1 @@
+export declare function isMainModule(moduleUrl: string, argvPath: string | undefined): boolean;

package/dist/entrypoint.js

@@ -0,0 +1,20 @@
+import { realpathSync } from "node:fs";
+import { normalize, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+export function isMainModule(moduleUrl, argvPath) {
+    if (!argvPath)
+        return false;
+    return normalizeEntryPath(fileURLToPath(moduleUrl)) === normalizeEntryPath(argvPath);
+}
+function normalizeEntryPath(path) {
+    const normalized = normalize(realpathIfPossible(resolve(path)));
+    return process.platform === "win32" ? normalized.toLowerCase() : normalized;
+}
+function realpathIfPossible(path) {
+    try {
+        return realpathSync.native(path);
+    }
+    catch {
+        return path;
+    }
+}

package/dist/index.d.ts

@@ -3,6 +3,7 @@ export * from "./bridge.js";
 export * from "./connections.js";
 export * from "./database.js";
 export * from "./diagnostics.js";
+export * from "./entrypoint.js";
 export * from "./format.js";
 export * from "./paths.js";
 export * from "./schema-context.js";

package/dist/index.js

@@ -3,6 +3,7 @@ export * from "./bridge.js";
 export * from "./connections.js";
 export * from "./database.js";
 export * from "./diagnostics.js";
+export * from "./entrypoint.js";
 export * from "./format.js";
 export * from "./paths.js";
 export * from "./schema-context.js";

package/dist/sql-safety.d.ts

@@ -1,6 +1,7 @@
 export interface SqlSafetyOptions {
     allowWrites?: boolean;
     allowDangerous?: boolean;
+    allowMultipleStatements?: boolean;
 }
 export interface SqlSafetyDecision {
     allowed: boolean;
@@ -8,3 +9,4 @@ export interface SqlSafetyDecision {
 }
 export declare function evaluateSqlSafety(sql: string, options?: SqlSafetyOptions): SqlSafetyDecision;
 export declare function sqlSafetyFromEnv(env?: NodeJS.ProcessEnv): SqlSafetyOptions;
+export declare function splitSqlStatements(sql: string): string[];

package/dist/sql-safety.js

@@ -1,12 +1,37 @@
 const READ_KEYWORDS = new Set(["select", "with", "show", "describe", "desc", "explain"]);
 const DANGEROUS_KEYWORDS = new Set(["drop", "truncate", "alter"]);
+function parseBooleanEnv(value) {
+    if (value === undefined)
+        return undefined;
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "1" || normalized === "true")
+        return true;
+    if (normalized === "0" || normalized === "false")
+        return false;
+    return undefined;
+}
 export function evaluateSqlSafety(sql, options = {}) {
     const statements = splitSqlStatements(sql);
     if (statements.length === 0)
         return { allowed: false, reason: "SQL is empty." };
-    if (statements.length > 1)
-        return { allowed: false, reason: "Only one SQL statement is allowed per MCP query." };
-    const normalized = stripSqlCommentsAndStrings(statements[0]).trim();
+    if (statements.length > 1 && !options.allowMultipleStatements) {
+        return { allowed: false, reason: "Only one SQL statement is allowed per query." };
+    }
+    for (let i = 0; i < statements.length; i++) {
+        const decision = evaluateSingleSqlStatementSafety(statements[i], options);
+        if (!decision.allowed && statements.length > 1) {
+            return {
+                allowed: false,
+                reason: `Statement ${i + 1}: ${decision.reason ?? "SQL blocked."}`,
+            };
+        }
+        if (!decision.allowed)
+            return decision;
+    }
+    return { allowed: true };
+}
+function evaluateSingleSqlStatementSafety(sql, options = {}) {
+    const normalized = stripSqlCommentsAndStrings(sql).trim();
     const firstKeyword = normalized.match(/^[a-zA-Z_]+/)?.[0]?.toLowerCase();
     if (!firstKeyword)
         return { allowed: false, reason: "SQL statement is not recognized." };
@@ -18,7 +43,7 @@ export function evaluateSqlSafety(sql, options = {}) {
     if (!options.allowWrites && !READ_KEYWORDS.has(firstKeyword)) {
         return {
             allowed: false,
-            reason: "MCP SQL execution is read-only by default. Set DBX_MCP_ALLOW_WRITES=1 to allow write statements.",
+            reason: "MCP SQL execution is read-only for this session. Set DBX_MCP_ALLOW_WRITES=1 to allow write statements.",
         };
     }
     if (options.allowWrites && !options.allowDangerous) {
@@ -32,12 +57,14 @@ export function evaluateSqlSafety(sql, options = {}) {
     return { allowed: true };
 }
 export function sqlSafetyFromEnv(env = process.env) {
+    const allowWrites = parseBooleanEnv(env.DBX_MCP_ALLOW_WRITES);
+    const allowDangerous = parseBooleanEnv(env.DBX_MCP_ALLOW_DANGEROUS_SQL);
     return {
-        allowWrites: env.DBX_MCP_ALLOW_WRITES === "1" || env.DBX_MCP_ALLOW_WRITES === "true",
-        allowDangerous: env.DBX_MCP_ALLOW_DANGEROUS_SQL === "1" || env.DBX_MCP_ALLOW_DANGEROUS_SQL === "true",
+        allowWrites: allowWrites ?? true,
+        allowDangerous: allowDangerous ?? false,
     };
 }
-function splitSqlStatements(sql) {
+export function splitSqlStatements(sql) {
     const statements = [];
     let current = "";
     let quote = null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dbx-app/node-core",
-  "version": "0.4.4",
+  "version": "0.4.6",
   "description": "Shared Node.js database and DBX connection utilities for DBX CLI and MCP server",
   "type": "module",
   "engines": {
@@ -16,6 +16,7 @@
     "./connections": "./dist/connections.js",
     "./database": "./dist/database.js",
     "./diagnostics": "./dist/diagnostics.js",
+    "./entrypoint": "./dist/entrypoint.js",
     "./format": "./dist/format.js",
     "./paths": "./dist/paths.js",
     "./schema-context": "./dist/schema-context.js",