npm - @mgsoftwarebv/mg-dashboard-mcp - Versions diffs - 6.1.1 → 6.3.0 - Mend

@mgsoftwarebv/mg-dashboard-mcp 6.1.1 → 6.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -1191,7 +1191,7 @@ async function handleVercelTool(name, args2, deps) {
           sinceMs
         );
         if (error) {
-          const hint = error.includes("404") || error.includes("400") ? '\n\nThis endpoint requires both project ID and deployment ID and may not be available on every Vercel plan. Use kind="webhooks" or the supabase MCP (vercel_deployment_log table) for archived runtime logs.' : "";
+          const hint = error.includes("404") || error.includes("400") ? '\n\nThis endpoint requires both project ID and deployment ID and may not be available on every Vercel plan. Use kind="webhooks" or query the vercel_deployment_log table directly for archived runtime logs.' : "";
           return { content: [{ type: "text", text: `Error: ${error}${hint}` }] };
         }
         const body = formatRuntimeLogs(logs);
@@ -1199,7 +1199,7 @@ async function handleVercelTool(name, args2, deps) {
         const footer = hitDurationLimit ? `
 [${windowNote}]
-[hint] Vercel hit its 5-min query budget for this window. Try a smaller sinceMinutes (e.g. 5-10), lower limit, or use kind="webhooks" / the supabase MCP vercel_deployment_log table for archived logs.` : `
+[hint] Vercel hit its 5-min query budget for this window. Try a smaller sinceMinutes (e.g. 5-10), lower limit, or use kind="webhooks" / query the vercel_deployment_log table for archived logs.` : `
 [${windowNote}]`;
         return { content: [{ type: "text", text: body + footer }] };
@@ -2420,6 +2420,10 @@ function assertServerAccess(serverId) {
     throw new Error(`Access denied: you do not have permission for server ${serverId}`);
   }
 }
+function uuidArrayParam(values) {
+  if (values.length === 0) return sql`ARRAY[]::uuid[]`;
+  return sql`ARRAY[${sql.join(values.map((v) => sql`${v}::uuid`), sql`, `)}]`;
+}
 async function resolveReleaseProfileStageIds(profileName) {
   const profileRows = await db.execute(sql`
     SELECT id, name FROM release_profile
@@ -2449,13 +2453,13 @@ async function getProfileNamesForStageIds(stageIds) {
   if (stageIds.length === 0) return {};
   const stages = await db.execute(sql`
     SELECT id, release_profile_id FROM release_profile_stage
-    WHERE id = ANY(${stageIds}::uuid[])
+    WHERE id = ANY(${uuidArrayParam(stageIds)})
   `);
   if (stages.length === 0) return {};
   const profileIds = [...new Set(stages.map((s) => s.release_profile_id))];
   const profiles = await db.execute(sql`
     SELECT id, name FROM release_profile
-    WHERE id = ANY(${profileIds}::uuid[])
+    WHERE id = ANY(${uuidArrayParam(profileIds)})
   `);
   const profileMap = {};
   for (const p of profiles) profileMap[p.id] = p.name;
@@ -2690,7 +2694,35 @@ async function getProxyConnection() {
   };
   return _proxyConnCache;
 }
-async function getServerConnection(serverId) {
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+async function resolveServerId(input) {
+  const trimmed = (input ?? "").trim();
+  if (!trimmed) throw new Error("serverId is required");
+  if (UUID_RE.test(trimmed)) return trimmed;
+  const exact = await db.execute(sql`
+    SELECT id, name FROM ssh_server WHERE name = ${trimmed} LIMIT 2
+  `);
+  if (exact.length === 1) {
+    KNOWN_SERVER_NAMES.set(exact[0].id, { id: exact[0].id, name: exact[0].name });
+    return exact[0].id;
+  }
+  if (exact.length > 1) {
+    throw new Error(`Multiple servers share the exact name "${trimmed}". Pass the UUID instead.`);
+  }
+  const fuzzy = await db.execute(sql`
+    SELECT id, name FROM ssh_server WHERE name ILIKE ${"%" + trimmed + "%"} ORDER BY name LIMIT 5
+  `);
+  if (fuzzy.length === 1) {
+    KNOWN_SERVER_NAMES.set(fuzzy[0].id, { id: fuzzy[0].id, name: fuzzy[0].name });
+    return fuzzy[0].id;
+  }
+  if (fuzzy.length === 0) {
+    throw new Error(`Server "${trimmed}" not found by id or name. Call \`list-servers\` to see what's available.`);
+  }
+  throw new Error(`Multiple servers match "${trimmed}": ${fuzzy.map((f) => f.name).join(", ")}. Use an exact name or UUID.`);
+}
+async function getServerConnection(serverIdOrName) {
+  const serverId = await resolveServerId(serverIdOrName);
   assertServerAccess(serverId);
   const rows = await db.execute(sql`
     SELECT hostname, port, username, password_encrypted, ssh_key_encrypted,
@@ -2718,7 +2750,7 @@ async function getServerConnection(serverId) {
   const needsProxy = data.allowed_ssh_ips !== null && serverId !== SSH_PROXY_SERVER_ID;
   const proxy = needsProxy ? await getProxyConnection() : void 0;
   const os = data.os_type === "windows" ? "windows" : "linux";
-  return { conn, proxy, os };
+  return { serverId, conn, proxy, os };
 }
 async function sshExec(opts, command, proxy, options) {
   const first = await sshExecOnce(opts, command, proxy, options);
@@ -4200,6 +4232,34 @@ done
   }
   return out;
 }
+var POSTGRES_CONTAINER_CREDS_CACHE = /* @__PURE__ */ new Map();
+var PG_CREDS_TTL_MS = 60 * 60 * 1e3;
+function cachePostgresContainerCreds(serverId, containerName, creds) {
+  POSTGRES_CONTAINER_CREDS_CACHE.set(`${serverId}|${containerName}`, { ...creds, capturedAt: Date.now() });
+}
+async function resolvePostgresContainerCreds(conn, proxy, serverId, containerName) {
+  const key = `${serverId}|${containerName}`;
+  const cached = POSTGRES_CONTAINER_CREDS_CACHE.get(key);
+  if (cached && Date.now() - cached.capturedAt < PG_CREDS_TTL_MS) return cached;
+  const safeContainer = containerName.replace(/[^a-zA-Z0-9._-]/g, "");
+  const res = await sshExec(
+    conn,
+    `docker exec ${safeContainer} env 2>/dev/null | grep -E '^POSTGRES_(USER|DB|PASSWORD)='`,
+    proxy
+  );
+  let dbUser = "postgres";
+  let dbName = "postgres";
+  let hasPassword = false;
+  for (const raw of res.stdout.split("\n")) {
+    const line = raw.trim();
+    if (line.startsWith("POSTGRES_USER=")) dbUser = line.slice("POSTGRES_USER=".length) || "postgres";
+    else if (line.startsWith("POSTGRES_DB=")) dbName = line.slice("POSTGRES_DB=".length) || "postgres";
+    else if (line.startsWith("POSTGRES_PASSWORD=")) hasPassword = true;
+  }
+  const creds = { dbName, dbUser, hasPassword, capturedAt: Date.now() };
+  POSTGRES_CONTAINER_CREDS_CACHE.set(key, creds);
+  return creds;
+}
 async function psqlInContainer(conn, proxy, containerName, dbUser, dbName, scriptSql, flags) {
   const safeContainer = containerName.replace(/[^a-zA-Z0-9._-]/g, "");
   const safeUser = dbUser.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
@@ -4442,7 +4502,7 @@ async function mijnhostFetch(path, options = {}) {
 var TOOLS = [
   {
     name: "list-servers",
-    description: 'List all SSH servers you have access to. Returns id, name, hostname, tags, and os_type per server. Pass `includeStats: true` to also probe each server in parallel for container count, disk-free, and uptime (skips unreachable hosts gracefully). Cached for 60s \u2014 pass `noCache: true` to force a refresh. Adds an "auto-context" footer with one-line tags inferred from server name/tags so the LLM knows which host runs Trigger / Supabase / proxy / etc. (disable with `context: false`).',
+    description: 'List all SSH servers you have access to. Returns id, name, hostname, tags, and os_type per server. Pass `includeStats: true` to also probe each server in parallel for container count, disk-free, and uptime (skips unreachable hosts gracefully). Cached for 60s \u2014 pass `noCache: true` to force a refresh. Adds an "auto-context" footer with one-line tags inferred from server name/tags so the LLM knows which host runs Trigger / Supabase / proxy / etc. (disable with `context: false`).\n\n**Tip:** every tool that takes `serverId` also accepts the server `name` directly (exact match or fuzzy `ILIKE %x%`). E.g. `ssh-execute serverId="MG Giga Server"` works without a separate UUID lookup.',
     inputSchema: {
       type: "object",
       properties: {
@@ -4655,22 +4715,22 @@ var TOOLS = [
   },
   {
     name: "db-tables",
-    description: "List tables with row counts + sizes. Two routing modes:\n- MySQL via `/var/www` autodiscover: pass `sitePath`. Credentials are read from wp-config.php / parameters.php / .env.\n- Postgres container: pass `containerName` (and optionally `dbName` / `dbUser`, defaulting to `postgres`). Returns one row per user table sorted by total size, with estimated row count from pg_class.reltuples.",
+    description: "List tables with row counts + sizes. Two routing modes:\n- MySQL via `/var/www` autodiscover: pass `sitePath`. Credentials are read from wp-config.php / parameters.php / .env.\n- Postgres container: pass `containerName`. dbName + dbUser are auto-resolved from the container `POSTGRES_DB` / `POSTGRES_USER` env vars (cached 1h). Returns one row per user table sorted by total size, with estimated row count from pg_class.reltuples.",
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" },
+        serverId: { type: "string", description: "UUID or (fuzzy) name of the SSH server" },
         sitePath: { type: "string", description: "Site root path (e.g. /var/www/example.com). MySQL autodiscover mode." },
         containerName: { type: "string", description: "Postgres container name. Activates direct Postgres mode." },
-        dbName: { type: "string", description: 'Database name (containerName mode, defaults to "postgres")' },
-        dbUser: { type: "string", description: 'Database user (containerName mode, defaults to "postgres")' }
+        dbName: { type: "string", description: "Database name (containerName mode). Auto-resolved from container env when omitted." },
+        dbUser: { type: "string", description: "Database user (containerName mode). Auto-resolved from container env when omitted." }
       },
       required: ["serverId"]
     }
   },
   {
     name: "db-query",
-    description: 'Execute SQL against any database. **Use this for ALL queries (SELECT, INSERT, UPDATE, DELETE, schema introspection) against vanilla Postgres / MySQL / MSSQL containers** \u2014 do NOT fall back to `ssh-execute` + `docker cp` + `psql -f` with .tmp.sql files; the container path here already pipes via stdin so quotes / `$` / `;` are safe. Multi-statement scripts work fine: separate with `;` and they will all be executed by psql/mysql.\n\nTwo routing modes:\n- MySQL via `/var/www` autodiscover (default): pass `sitePath` (and `engine: "mysql"` implicitly). Credentials are read from wp-config.php, parameters.php, .env.\n- Direct via Docker container: pass `containerName` (the container running the DB server). Engine defaults to `postgres`; pass `engine: "mysql"` or `"mssql"` to override. Use `db-discover include=["postgres-containers"]` to find available containers + creds.\n\nPostgres example: `{ serverId, containerName: "refront-postgres-vanilla", dbName: "main", dbUser: "postgres", query: "SELECT 1" }`. Defaults: dbUser=postgres, dbName=postgres.\nMSSQL example: `{ serverId, containerName: "mssql-1", engine: "mssql", dbUser: "sa", dbPass: "...", query: "SELECT 1" }`.\n\nResult safety: `maxRows` (default 1000, max 10000) auto-injects a `LIMIT` for SELECT queries that don\'t have one. The footer reports whether the cap was applied. Pass `maxRows: 0` to disable.\n\nDiagnostics: `explain: true` prepends EXPLAIN (postgres / mysql) or runs `SET SHOWPLAN_TEXT ON` (mssql).\n\nSchema introspection: pass `describe: "tablename"` to get columns + indexes (works for mysql, postgres, and mssql). Pass `describe: "*"` to list all tables. When `describe` is set, `query` is ignored.\n\nDestructive operations (DROP, TRUNCATE, ALTER \u2026 DROP, naked DELETE) are blocked by default. For schema migrations, **prefer `db-apply-migration`** \u2014 it has an audit ledger and idempotency. As an escape hatch for ad-hoc hot-fixes, pass `allowDestructive: "yes-i-understand-this-is-not-logged"` (literal string) to bypass the gate. The bypass is logged in the response footer.',
+    description: 'Execute SQL against any database. **Use this for ALL queries (SELECT, INSERT, UPDATE, DELETE, schema introspection) against vanilla Postgres / MySQL / MSSQL containers** \u2014 do NOT fall back to `ssh-execute` + `docker cp` + `psql -f` with .tmp.sql files; the container path here already pipes via stdin so quotes / `$` / `;` are safe. Multi-statement scripts work fine: separate with `;` and they will all be executed by psql/mysql.\n\nTwo routing modes:\n- MySQL via `/var/www` autodiscover (default): pass `sitePath` (and `engine: "mysql"` implicitly). Credentials are read from wp-config.php, parameters.php, .env.\n- Direct via Docker container: pass `containerName` (the container running the DB server). Engine defaults to `postgres`; pass `engine: "mysql"` or `"mssql"` to override. Use `db-discover include=["postgres-containers"]` to find available containers + creds.\n\nPostgres example: `{ serverId, containerName: "refront-postgres-vanilla", query: "SELECT 1" }` \u2014 dbName and dbUser are AUTO-RESOLVED from the container\'s `POSTGRES_USER` / `POSTGRES_DB` env vars (cached 1h per server). Only pass `dbName`/`dbUser` explicitly when the instance hosts multiple databases or you want to query as a non-default role.\nMSSQL example: `{ serverId, containerName: "mssql-1", engine: "mssql", dbUser: "sa", dbPass: "...", query: "SELECT 1" }`.\n\nResult safety: `maxRows` (default 1000, max 10000) auto-injects a `LIMIT` for SELECT queries that don\'t have one. The footer reports whether the cap was applied. Pass `maxRows: 0` to disable.\n\nDiagnostics: `explain: true` prepends EXPLAIN (postgres / mysql) or runs `SET SHOWPLAN_TEXT ON` (mssql).\n\nAtomic multi-statement: pass `transaction: true` to wrap the query in BEGIN/COMMIT (postgres / mysql) so a failure in any statement rolls back the lot. Use for ad-hoc fixes that are not schema migrations (e.g. `UPDATE tax_rate SET pct = pct * 100; UPDATE order SET ...`).\n\nSchema introspection: pass `describe: "tablename"` to get columns + indexes (works for mysql, postgres, and mssql). Pass `describe: "*"` to list all tables. When `describe` is set, `query` is ignored.\n\nDestructive operations (DROP, TRUNCATE, ALTER \u2026 DROP, naked DELETE) are blocked by default. For schema migrations, **prefer `db-apply-migration`** \u2014 it has an audit ledger and idempotency. As an escape hatch for ad-hoc hot-fixes, pass `allowDestructive: "yes-i-understand-this-is-not-logged"` (literal string) to bypass the gate. The bypass is logged in the response footer.',
     inputSchema: {
       type: "object",
       properties: {
@@ -4680,46 +4740,48 @@ var TOOLS = [
         sitePath: { type: "string", description: "Site root path (e.g. /var/www/example.com). Used only with engine=mysql autodiscover." },
         containerName: { type: "string", description: 'Docker container running the DB server (e.g. "refront-postgres-vanilla", "supabase-db"). Activates direct-query mode.' },
         engine: { type: "string", enum: ["mysql", "postgres", "mssql"], description: 'DB engine. Defaults to "mysql" with sitePath, "postgres" with containerName.' },
-        dbName: { type: "string", description: 'Database name (containerName mode). Defaults: postgres \u2192 "postgres", mysql \u2192 server default, mssql \u2192 server default.' },
-        dbUser: { type: "string", description: 'Database user (containerName mode). Defaults: postgres \u2192 "postgres", mysql \u2192 "root", mssql \u2192 "sa".' },
+        dbName: { type: "string", description: "Database name (containerName mode). For postgres: auto-resolved from container `POSTGRES_DB` env var when omitted. For mysql: server default. For mssql: server default." },
+        dbUser: { type: "string", description: 'Database user (containerName mode). For postgres: auto-resolved from container `POSTGRES_USER` env var when omitted. For mysql: defaults to "root". For mssql: defaults to "sa".' },
         dbPass: { type: "string", description: "Database password (containerName mode). Required for mssql; optional for mysql; postgres uses trust auth by default." },
         maxRows: { type: "number", description: "Auto-inject LIMIT for unbounded SELECTs. Default 1000, max 10000, set 0 to disable." },
         explain: { type: "boolean", description: "Prepend EXPLAIN (postgres/mysql) or SHOWPLAN (mssql) instead of executing. Useful for slow-query diagnosis." },
-        allowDestructive: { type: "string", description: 'Escape hatch for ad-hoc DROP/TRUNCATE/ALTER\u2026DROP/naked DELETE. Pass the literal string "yes-i-understand-this-is-not-logged". For schema migrations prefer db-apply-migration (audit-logged, idempotent).' }
+        allowDestructive: { type: "string", description: 'Escape hatch for ad-hoc DROP/TRUNCATE/ALTER\u2026DROP/naked DELETE. Pass the literal string "yes-i-understand-this-is-not-logged". For schema migrations prefer db-apply-migration (audit-logged, idempotent).' },
+        transaction: { type: "boolean", description: "Wrap the query in BEGIN/COMMIT so multiple statements either all succeed or all roll back. Use for atomic ad-hoc updates like `UPDATE x SET y = y * 100; UPDATE z ...` that are not migration-worthy. Ignored in EXPLAIN mode and on MSSQL (use its own transaction syntax). Postgres/MySQL only." }
       },
       required: ["serverId"]
     }
   },
   {
     name: "db-apply-migration",
-    description: 'Apply a SQL migration to a Postgres container and record it in an MCP-managed ledger table (`_mcp_migrations`) so re-runs are idempotent. Use this for ALL schema changes (CREATE/ALTER/DROP/TRUNCATE) \u2014 it allows DDL that `db-query` blocks, and gives you audit + drift detection in exchange.\n\nLedger schema (auto-created on first call): `_mcp_migrations(name TEXT PRIMARY KEY, sha256 TEXT, applied_at TIMESTAMPTZ, applied_by TEXT)`.\n\nBehaviour:\n- If `name` is already in the ledger AND the sha256 of the supplied SQL matches \u2192 no-op, returns "already applied".\n- If `name` is already in the ledger with a DIFFERENT sha256 \u2192 fails loudly ("drift detected"). Pass `force: true` to overwrite (logged).\n- Otherwise the SQL is wrapped in BEGIN/COMMIT and applied, then a row is inserted into `_mcp_migrations`.\n\nPass `noTransaction: true` for statements that cannot run inside a transaction (`CREATE INDEX CONCURRENTLY`, `ALTER TYPE \u2026 ADD VALUE`, `VACUUM`, etc.). In that mode the user SQL runs first and the ledger is recorded in a separate follow-up call.\n\nSQL source: provide ONE of `sql` (inline string), `localFile` (path on this machine, read and piped via stdin), or `remoteFile` (absolute path on the SSH server, read with `cat` first).\n\nExample: `{ serverId, containerName: "refront-postgres-vanilla", dbName: "main", name: "20260517120000_add_unified_classification", localFile: "./migrations/20260517120000_add_unified_classification.sql" }`.',
+    description: 'Apply a SQL migration to a Postgres container and record it in an MCP-managed ledger table (`_mcp_migrations`) so re-runs are idempotent. Use this for ALL schema changes (CREATE/ALTER/DROP/TRUNCATE) \u2014 it allows DDL that `db-query` blocks, and gives you audit + drift detection in exchange.\n\nLedger schema (auto-created on first call): `_mcp_migrations(name TEXT PRIMARY KEY, sha256 TEXT, applied_at TIMESTAMPTZ, applied_by TEXT)`.\n\nBehaviour:\n- If `name` is already in the ledger AND the sha256 of the supplied SQL matches \u2192 no-op, returns "already applied".\n- If `name` is already in the ledger with a DIFFERENT sha256 \u2192 fails loudly ("drift detected"). Pass `force: true` to overwrite (logged).\n- Otherwise the SQL is wrapped in BEGIN/COMMIT and applied, then a row is inserted into `_mcp_migrations`.\n\nPass `noTransaction: true` for statements that cannot run inside a transaction (`CREATE INDEX CONCURRENTLY`, `ALTER TYPE \u2026 ADD VALUE`, `VACUUM`, etc.). In that mode the user SQL runs first and the ledger is recorded in a separate follow-up call.\n\nSQL source: provide ONE of `sql` (inline string), `localFile` (path on this machine, read and piped via stdin), or `remoteFile` (absolute path on the SSH server, read with `cat` first).\n\nExample: `{ serverId, containerName: "refront-postgres-vanilla", name: "20260517120000_add_unified_classification", localFile: "./migrations/20260517120000_add_unified_classification.sql" }` \u2014 dbName + dbUser are auto-resolved from the container env (cached 1h).',
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" },
+        serverId: { type: "string", description: "UUID or (fuzzy) name of the SSH server" },
         containerName: { type: "string", description: 'Postgres container name (e.g. "refront-postgres-vanilla")' },
-        dbName: { type: "string", description: 'Database (defaults to "postgres" \u2014 set explicitly to your app DB)' },
-        dbUser: { type: "string", description: 'User (defaults to "postgres")' },
+        dbName: { type: "string", description: "Database. Auto-resolved from container `POSTGRES_DB` env when omitted. Override only when the instance hosts multiple databases." },
+        dbUser: { type: "string", description: "User. Auto-resolved from container `POSTGRES_USER` env when omitted." },
         name: { type: "string", description: "Unique migration name (recommended format: `YYYYMMDDhhmmss_description`)" },
         sql: { type: "string", description: "Inline SQL string (mutually exclusive with localFile / remoteFile)" },
         localFile: { type: "string", description: "Path on this machine to a .sql file (read here, streamed via stdin)" },
         remoteFile: { type: "string", description: "Absolute path of a .sql file already on the server (read with `cat`)" },
         noTransaction: { type: "boolean", description: "Skip the implicit BEGIN/COMMIT wrapper. Required for CONCURRENTLY / ALTER TYPE ADD VALUE / VACUUM. Default false." },
-        force: { type: "boolean", description: "Re-apply even when the ledger says it ran with a different sha256. Use after a deliberate edit; logged in the response." }
+        force: { type: "boolean", description: "Re-apply even when the ledger says it ran with a different sha256. Use after a deliberate edit; logged in the response." },
+        recordOnly: { type: "boolean", description: "Register the migration in the ledger WITHOUT executing the SQL. Use to backfill migrations that were applied out-of-band (e.g. by hand via ssh + psql). The SQL is still required so the recorded sha256 matches what was run." }
       },
       required: ["serverId", "containerName", "name"]
     }
   },
   {
     name: "db-list-migrations",
-    description: 'List entries from the `_mcp_migrations` ledger on a Postgres container. Answers "what migrations have already been applied here?" without having to write SQL. Returns name, sha256 (truncated), applied_at, applied_by, ordered by most recent first. If the ledger table does not exist yet (no migrations applied via db-apply-migration), returns an empty list.',
+    description: 'List entries from the `_mcp_migrations` ledger on a Postgres container. Answers "what migrations have already been applied here?" without having to write SQL. Returns full name, sha256, applied_at, applied_by, ordered by most recent first. If the ledger table does not exist yet (no migrations applied via db-apply-migration), returns a friendly empty response. dbName + dbUser are auto-resolved from the container env when omitted.',
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" },
+        serverId: { type: "string", description: "UUID or (fuzzy) name of the SSH server" },
         containerName: { type: "string", description: "Postgres container name" },
-        dbName: { type: "string", description: 'Database (defaults to "postgres")' },
-        dbUser: { type: "string", description: 'User (defaults to "postgres")' },
+        dbName: { type: "string", description: "Database. Auto-resolved from container `POSTGRES_DB` env when omitted." },
+        dbUser: { type: "string", description: "User. Auto-resolved from container `POSTGRES_USER` env when omitted." },
         limit: { type: "number", description: "Max number of entries (default 50, max 500)" }
       },
       required: ["serverId", "containerName"]
@@ -4824,7 +4886,7 @@ var TOOLS = [
   // ----- Repo reference -----
   ...REPO_TOOLS
 ];
-var MCP_VERSION = "6.1.1";
+var MCP_VERSION = "6.3.0";
 async function handleListTools() {
   if (!authContext) return { tools: TOOLS };
   const accessible = TOOLS.filter((tool) => {
@@ -4892,7 +4954,7 @@ async function executeToolCall(name, a, _serverId) {
         const data = ctx.allowedServerIds !== null ? await db.execute(sql`
               SELECT id, name, hostname, port, username, tags, hosted_by, os_type, created_at
               FROM ssh_server
-              WHERE id = ANY(${ctx.allowedServerIds}::uuid[])
+              WHERE id = ANY(${uuidArrayParam(ctx.allowedServerIds)})
               ORDER BY name
             `) : await db.execute(sql`
               SELECT id, name, hostname, port, username, tags, hosted_by, os_type, created_at
@@ -5780,7 +5842,7 @@ ${trail.join("\n")}` }] };
       }
       // ----- Database -----
       case "db-discover": {
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
         const rawInclude = Array.isArray(a.include) ? a.include.map(String) : ["www"];
         const include = new Set(rawInclude.filter((m) => m === "www" || m === "postgres-containers"));
         if (include.size === 0) include.add("www");
@@ -5799,6 +5861,13 @@ ${lines.join("\n")}`);
         }
         if (include.has("postgres-containers")) {
           const containers = await discoverPostgresContainers(conn, proxy);
+          for (const c of containers) {
+            cachePostgresContainerCreds(serverId, c.container, {
+              dbName: c.db,
+              dbUser: c.user,
+              hasPassword: c.hasPassword
+            });
+          }
           if (!containers.length) {
             sections.push("## Postgres containers\n(none \u2014 no running container exposes POSTGRES_USER/POSTGRES_DB)");
           } else {
@@ -5808,17 +5877,22 @@ ${lines.join("\n")}`);
             sections.push(`## Postgres containers (${containers.length})
 ${lines.join("\n")}
-Tip: use these directly with \`db-query containerName=\u2026 dbName=\u2026 dbUser=\u2026\` or \`db-apply-migration\`.`);
+Tip: pass just \`containerName\` to \`db-query\` / \`db-apply-migration\` / \`db-list-migrations\` \u2014 dbName + dbUser are auto-resolved from the container env (cached for 1h per server).`);
           }
         }
         return { content: [{ type: "text", text: sections.join("\n\n") }] };
       }
       case "db-tables": {
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
         const containerName = typeof a.containerName === "string" && a.containerName ? a.containerName : "";
         if (containerName) {
-          const dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "postgres";
-          const dbName = typeof a.dbName === "string" && a.dbName ? a.dbName : "postgres";
+          let dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "";
+          let dbName = typeof a.dbName === "string" && a.dbName ? a.dbName : "";
+          if (!dbUser || !dbName) {
+            const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+            if (!dbUser) dbUser = creds.dbUser;
+            if (!dbName) dbName = creds.dbName;
+          }
           const sqlText2 = `SELECT n.nspname AS schema,
        c.relname AS "table",
        pg_size_pretty(pg_total_relation_size(c.oid)) AS size,
@@ -5878,6 +5952,7 @@ For a one-off ad-hoc destructive query, pass \`allowDestructive: "${allowDestruc
         }
         let query = rawQuery.replace(/;\s*$/, "");
         let appliedLimit = false;
+        const wrapTransaction = a.transaction === true && !explainMode && !describeArg && engine !== "mssql";
         if (explainMode && !describeArg) {
           if (engine === "mssql") {
             query = `SET SHOWPLAN_TEXT ON;
@@ -5894,20 +5969,33 @@ LIMIT ${maxRows + 1}`;
             appliedLimit = true;
           }
         }
+        if (wrapTransaction) {
+          query = `BEGIN;
+${query.replace(/;\s*$/, "")};
+COMMIT;`;
+        }
+        const txBanner = wrapTransaction ? `
+[transaction] wrapped in BEGIN/COMMIT \u2014 all statements committed atomically.` : "";
         const destructiveBanner = allowDestructive ? "\n\n[allowDestructive] safety gate bypassed for this query \u2014 NOT recorded in any audit ledger. Consider db-apply-migration for repeatable schema changes." : "";
         if (!containerName && engine === "mysql") {
           if (!a.sitePath) return { content: [{ type: "text", text: "Error: sitePath is required for mysql autodiscover (or pass containerName + engine for direct DB queries)" }] };
           const { conn: conn2, proxy: proxy2 } = await getServerConnection(String(a.serverId));
           const output2 = await execSiteMysql(conn2, String(a.sitePath), query, proxy2);
           const footer2 = formatDbQueryFooter(output2, appliedLimit, maxRows, explainMode);
-          return { content: [{ type: "text", text: (output2 || "Query executed successfully (no output)") + footer2 + destructiveBanner }] };
+          return { content: [{ type: "text", text: (output2 || "Query executed successfully (no output)") + footer2 + destructiveBanner + txBanner }] };
         }
         if (!containerName) {
           return { content: [{ type: "text", text: `Error: engine=${engine} requires containerName (the docker container running the DB server, e.g. "supabase-db" or "trigger-postgres")` }] };
         }
-        const dbName = typeof a.dbName === "string" && a.dbName ? a.dbName.replace(/[^a-zA-Z0-9_-]/g, "") : "";
-        const dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") : "";
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        let dbName = typeof a.dbName === "string" && a.dbName ? a.dbName.replace(/[^a-zA-Z0-9_-]/g, "") : "";
+        let dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") : "";
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
+        if (engine === "postgres" && (!dbName || !dbUser)) {
+          const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+          if (!dbName) dbName = creds.dbName.replace(/[^a-zA-Z0-9_-]/g, "");
+          if (!dbUser) dbUser = creds.dbUser.replace(/[^a-zA-Z0-9_-]/g, "");
+        }
         let cmd;
         let stdinPayload;
         if (engine === "postgres") {
@@ -5940,13 +6028,13 @@ GO
           return { content: [{ type: "text", text: `Error (exit ${result.exitCode}, ${engine}): ${output}` }] };
         }
         const footer = formatDbQueryFooter(output, appliedLimit, maxRows, explainMode);
-        return { content: [{ type: "text", text: output + footer + destructiveBanner }] };
+        return { content: [{ type: "text", text: output + footer + destructiveBanner + txBanner }] };
       }
       case "db-apply-migration": {
         const containerName = String(a.containerName || "").replace(/[^a-zA-Z0-9._-]/g, "");
         if (!containerName) return { content: [{ type: "text", text: "Error: containerName is required" }] };
-        const dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
-        const dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        let dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "").replace(/[^a-zA-Z0-9_-]/g, "");
+        let dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "").replace(/[^a-zA-Z0-9_-]/g, "");
         const name2 = String(a.name || "").trim();
         if (!name2) return { content: [{ type: "text", text: 'Error: name is required (e.g. "20260517120000_add_foo")' }] };
         if (!/^[\w.@:+\-]+$/.test(name2) || name2.length > 200) {
@@ -5954,6 +6042,9 @@ GO
         }
         const noTransaction = a.noTransaction === true;
         const force = a.force === true;
+        const recordOnly = a.recordOnly === true;
+        const t0 = Date.now();
+        const took = () => `${((Date.now() - t0) / 1e3).toFixed(2)}s`;
         const sources = [
           typeof a.sql === "string" && a.sql ? "sql" : null,
           typeof a.localFile === "string" && a.localFile ? "localFile" : null,
@@ -5962,7 +6053,12 @@ GO
         if (sources.length !== 1) {
           return { content: [{ type: "text", text: `Error: pass exactly one of \`sql\`, \`localFile\`, or \`remoteFile\` (got ${sources.length || "none"}: ${sources.join(", ") || "\u2014"})` }] };
         }
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
+        if (!dbUser || !dbName) {
+          const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+          if (!dbUser) dbUser = creds.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+          if (!dbName) dbName = creds.dbName.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        }
         let migrationSql;
         if (typeof a.sql === "string" && a.sql) {
           migrationSql = a.sql;
@@ -5992,20 +6088,23 @@ GO
           return { content: [{ type: "text", text: "Error: resolved SQL is empty" }] };
         }
         const sha = migrationSha256(migrationSql);
-        const probeSql = `${MIGRATION_LEDGER_DDL}
-SELECT sha256 FROM _mcp_migrations WHERE name = ${dollarQuote(name2)};
+        const ddl = await psqlInContainer(conn, proxy, containerName, dbUser, dbName, `${MIGRATION_LEDGER_DDL}
+`, "");
+        if (ddl.exitCode !== 0) {
+          return { content: [{ type: "text", text: `Error initialising ledger on ${containerName} (${dbName}): ${ddl.stderr || ddl.stdout || `exit ${ddl.exitCode}`}` }] };
+        }
+        const probeSelect = `SELECT sha256 FROM _mcp_migrations WHERE name = ${dollarQuote(name2)};
 `;
-        const probe = await psqlInContainer(conn, proxy, containerName, dbUser, dbName, probeSql, "-tA");
+        const probe = await psqlInContainer(conn, proxy, containerName, dbUser, dbName, probeSelect, "-tA");
         if (probe.exitCode !== 0) {
-          return { content: [{ type: "text", text: `Error initialising ledger on ${containerName} (${dbName}): ${probe.stderr || probe.stdout || `exit ${probe.exitCode}`}` }] };
+          return { content: [{ type: "text", text: `Error reading ledger on ${containerName} (${dbName}): ${probe.stderr || probe.stdout || `exit ${probe.exitCode}`}` }] };
         }
-        const probeLines = probe.stdout.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
-        const existingSha = probeLines.length > 0 ? probeLines[probeLines.length - 1] : "";
+        const existingSha = probe.stdout.split("\n").map((l) => l.trim()).find((l) => /^[0-9a-f]{64}$/.test(l)) || "";
         if (existingSha && existingSha === sha) {
           return {
             content: [{
               type: "text",
-              text: `[noop] Migration "${name2}" already applied on ${containerName}/${dbName} (sha256 matches).
+              text: `[noop] Migration "${name2}" already applied on ${containerName}/${dbName} (sha256 matches, took ${took()}).
 Ledger sha: ${sha.slice(0, 12)}\u2026`
             }]
           };
@@ -6014,7 +6113,7 @@ Ledger sha: ${sha.slice(0, 12)}\u2026`
           return {
             content: [{
               type: "text",
-              text: `[drift] Migration "${name2}" exists in ledger with DIFFERENT sha256.
+              text: `[drift] Migration "${name2}" exists in ledger with DIFFERENT sha256 (took ${took()}).
   ledger sha: ${existingSha.slice(0, 12)}\u2026
   new sha:    ${sha.slice(0, 12)}\u2026
@@ -6026,6 +6125,29 @@ This usually means the migration file was edited after it was first applied. Ins
         const ledgerInsert = `INSERT INTO _mcp_migrations (name, sha256, applied_by) VALUES (${dollarQuote(name2)}, ${dollarQuote(sha)}, ${dollarQuote(appliedBy)})
 ON CONFLICT (name) DO UPDATE SET sha256 = EXCLUDED.sha256, applied_at = now(), applied_by = EXCLUDED.applied_by;
 `;
+        if (recordOnly) {
+          const record = await psqlInContainer(conn, proxy, containerName, dbUser, dbName, ledgerInsert, "");
+          if (record.exitCode !== 0) {
+            return {
+              content: [{
+                type: "text",
+                text: `[failed] Ledger insert for "${name2}" failed (recordOnly=true, no SQL was executed).
+psql exit: ${record.exitCode}
+` + (record.stderr ? `--- stderr ---
+${record.stderr}
+` : "") + (record.stdout ? `--- stdout ---
+${record.stdout}` : "")
+              }]
+            };
+          }
+          return {
+            content: [{
+              type: "text",
+              text: `[recorded] "${name2}" written to ledger on ${containerName}/${dbName} WITHOUT executing the SQL (recordOnly=true${existingSha ? ", overwrote existing entry" : ""}, took ${took()}).
+ledger sha: ${sha.slice(0, 12)}\u2026`
+            }]
+          };
+        }
         if (noTransaction) {
           const apply = await psqlInContainer(conn, proxy, containerName, dbUser, dbName, normalised, "");
           if (apply.exitCode !== 0) {
@@ -6058,7 +6180,7 @@ ${record.stdout}` : "")
           return {
             content: [{
               type: "text",
-              text: `[applied] "${name2}" on ${containerName}/${dbName} (noTransaction=true${existingSha ? ", force" : ""}).
+              text: `[applied] "${name2}" on ${containerName}/${dbName} (noTransaction=true${existingSha ? ", force" : ""}, took ${took()}).
 ledger sha: ${sha.slice(0, 12)}\u2026
 ` + (apply.stdout ? `--- output ---
 ${apply.stdout.trim()}` : "(no output)")
@@ -6086,7 +6208,7 @@ ${res.stdout}` : "")
         return {
           content: [{
             type: "text",
-            text: `[applied] "${name2}" on ${containerName}/${dbName}${existingSha ? " (forced overwrite)" : ""}.
+            text: `[applied] "${name2}" on ${containerName}/${dbName}${existingSha ? " (forced overwrite)" : ""} (took ${took()}).
 ledger sha: ${sha.slice(0, 12)}\u2026
 ` + (res.stdout ? `--- output ---
 ${res.stdout.trim()}` : "(no output)")
@@ -6096,13 +6218,17 @@ ${res.stdout.trim()}` : "(no output)")
       case "db-list-migrations": {
         const containerName = String(a.containerName || "").replace(/[^a-zA-Z0-9._-]/g, "");
         if (!containerName) return { content: [{ type: "text", text: "Error: containerName is required" }] };
-        const dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
-        const dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        let dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "").replace(/[^a-zA-Z0-9_-]/g, "");
+        let dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "").replace(/[^a-zA-Z0-9_-]/g, "");
         const limitRaw = Number(a.limit);
         const limit = Math.min(Math.max(Number.isFinite(limitRaw) && limitRaw > 0 ? Math.floor(limitRaw) : 50, 1), 500);
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
-        const sqlText = `DO $$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_class WHERE relname = '_mcp_migrations') THEN RAISE NOTICE 'NO_LEDGER'; END IF; END $$;
-SELECT name, substr(sha256, 1, 12) || '\u2026' AS sha, applied_at, applied_by
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
+        if (!dbUser || !dbName) {
+          const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+          if (!dbUser) dbUser = creds.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+          if (!dbName) dbName = creds.dbName.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        }
+        const sqlText = `SELECT name, sha256, applied_at, applied_by
 FROM _mcp_migrations
 ORDER BY applied_at DESC
 LIMIT ${limit};
@@ -6127,7 +6253,7 @@ LIMIT ${limit};
         const data = stageFilterIds ? await db.execute(sql`
               SELECT id, app_name, environment, description, updated_at, release_profile_stage_id
               FROM env_config
-              WHERE release_profile_stage_id = ANY(${stageFilterIds}::uuid[])
+              WHERE release_profile_stage_id = ANY(${uuidArrayParam(stageFilterIds)})
               ORDER BY app_name, environment
             `) : await db.execute(sql`
               SELECT id, app_name, environment, description, updated_at, release_profile_stage_id
@@ -6155,7 +6281,7 @@ LIMIT ${limit};
               FROM env_config
               WHERE app_name = ${appName}
                 AND environment = ${environment}
-                AND release_profile_stage_id = ANY(${stageFilterIds}::uuid[])
+                AND release_profile_stage_id = ANY(${uuidArrayParam(stageFilterIds)})
             `) : await db.execute(sql`
               SELECT env_data_encrypted, release_profile_stage_id
               FROM env_config
@@ -6190,7 +6316,7 @@ LIMIT ${limit};
               FROM env_config
               WHERE app_name = ${appName}
                 AND environment = ${environment}
-                AND release_profile_stage_id = ANY(${resolvedStageIds}::uuid[])
+                AND release_profile_stage_id = ANY(${uuidArrayParam(resolvedStageIds)})
             `) : await db.execute(sql`
               SELECT id, release_profile_stage_id
               FROM env_config