@mgsoftwarebv/mg-dashboard-mcp 6.2.0 → 6.4.0

package/dist/index.js

@@ -7,6 +7,8 @@ import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { ListToolsRequestSchema, CallToolRequestSchema, isInitializeRequest, ListPromptsRequestSchema, GetPromptRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, ListResourceTemplatesRequestSchema, SubscribeRequestSchema, UnsubscribeRequestSchema, ListToolsResultSchema, CallToolResultSchema, ListPromptsResultSchema, GetPromptResultSchema, ListResourcesResultSchema, ReadResourceResultSchema, ListResourceTemplatesResultSchema, EmptyResultSchema } from '@modelcontextprotocol/sdk/types.js';
+import { createServer as createServer$1 } from 'net';
+import { Client } from 'ssh2';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { createServer } from 'http';
 import { randomUUID, createHash, randomBytes, createDecipheriv, createCipheriv } from 'crypto';
@@ -15,7 +17,6 @@ import { drizzle } from 'drizzle-orm/postgres-js';
 import postgres from 'postgres';
 import { readFile, mkdtemp, writeFile, rm } from 'fs/promises';
 import { tmpdir } from 'os';
-import { Client } from 'ssh2';
 import { HeadObjectCommand, S3Client, ListObjectsV2Command, DeleteObjectsCommand, DeleteObjectCommand, CreateMultipartUploadCommand, UploadPartCommand, CompleteMultipartUploadCommand, AbortMultipartUploadCommand, PutObjectCommand, GetObjectCommand, CopyObjectCommand } from '@aws-sdk/client-s3';
 
 var __defProp = Object.defineProperty;
@@ -272,6 +273,181 @@ var init_proxy_mode = __esm({
   "src/proxy-mode.ts"() {
   }
 });
+
+// src/db-ssh-tunnel.ts
+var db_ssh_tunnel_exports = {};
+__export(db_ssh_tunnel_exports, {
+  fetchRemoteEnvValue: () => fetchRemoteEnvValue,
+  openDbSshTunnel: () => openDbSshTunnel
+});
+function expandHome2(path) {
+  if (!path.startsWith("~")) return path;
+  const home = process.env.HOME || process.env.USERPROFILE || "";
+  return join(home, path.slice(1));
+}
+function resolvePrivateKeyPath(input) {
+  const candidate = expandHome2(input);
+  const stripped = candidate.endsWith(".pub") ? candidate.slice(0, -4) : candidate;
+  if (existsSync(stripped) && statSync(stripped).isFile()) return stripped;
+  throw new Error(
+    `SSH private key not found at ${stripped}. The --db-ssh-tunnel flag needs the private key (not just .pub) to open the tunnel.`
+  );
+}
+function parseSshTarget(target) {
+  const at = target.indexOf("@");
+  if (at === -1) {
+    throw new Error(`--db-ssh-tunnel must be in the form user@host[:port], got: ${target}`);
+  }
+  const username = target.slice(0, at);
+  const hostPart = target.slice(at + 1);
+  const colon = hostPart.lastIndexOf(":");
+  if (colon === -1) return { username, host: hostPart, port: 22 };
+  const port = Number(hostPart.slice(colon + 1));
+  if (!Number.isFinite(port) || port < 1 || port > 65535) {
+    throw new Error(`Invalid SSH port in --db-ssh-tunnel: ${hostPart.slice(colon + 1)}`);
+  }
+  return { username, host: hostPart.slice(0, colon), port };
+}
+function rewriteUrl(originalUrl, localPort) {
+  const parsed = new URL(originalUrl);
+  parsed.hostname = "127.0.0.1";
+  parsed.port = String(localPort);
+  return parsed.toString();
+}
+async function connectSsh(opts) {
+  return await new Promise((resolve, reject) => {
+    const conn = new Client();
+    const onError = (err) => {
+      conn.removeAllListeners();
+      reject(err);
+    };
+    conn.once("ready", () => {
+      conn.removeListener("error", onError);
+      resolve(conn);
+    });
+    conn.once("error", onError);
+    conn.connect({
+      host: opts.host,
+      port: opts.port,
+      username: opts.username,
+      privateKey: opts.privateKey,
+      keepaliveInterval: opts.keepaliveIntervalMs,
+      keepaliveCountMax: 3,
+      readyTimeout: 2e4
+    });
+  });
+}
+function execOverSsh(conn, cmd) {
+  return new Promise((resolve, reject) => {
+    conn.exec(cmd, (err, stream) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      let stdout = "";
+      let stderr = "";
+      stream.on("data", (chunk) => {
+        stdout += chunk.toString("utf8");
+      });
+      stream.stderr.on("data", (chunk) => {
+        stderr += chunk.toString("utf8");
+      });
+      stream.on("close", (code) => {
+        resolve({ stdout, stderr, code: code ?? -1 });
+      });
+    });
+  });
+}
+function parseEnvValue(content, key) {
+  const re = new RegExp(`^${key}\\s*=\\s*(.*)$`, "m");
+  const m = content.match(re);
+  if (!m || !m[1]) return void 0;
+  let value = m[1].trim();
+  if (value.length >= 2 && (value[0] === '"' || value[0] === "'") && value[value.length - 1] === value[0]) {
+    value = value.slice(1, -1);
+  }
+  return value;
+}
+async function fetchRemoteEnvValue(options) {
+  const { username, host, port } = parseSshTarget(options.sshTarget);
+  const privateKeyPath = resolvePrivateKeyPath(options.sshKeyPath);
+  const privateKey = readFileSync(privateKeyPath);
+  const keepaliveIntervalMs = options.keepaliveIntervalMs ?? 3e4;
+  const envKey = options.envKey ?? "DATABASE_PRIMARY_URL";
+  const conn = await connectSsh({ host, port, username, privateKey, keepaliveIntervalMs });
+  try {
+    const safePath = options.remoteEnvPath.replace(/'/g, "'\\''");
+    const result = await execOverSsh(conn, `cat -- '${safePath}'`);
+    if (result.code !== 0) {
+      throw new Error(
+        `remote cat ${options.remoteEnvPath} failed (exit ${result.code}): ${result.stderr.trim()}`
+      );
+    }
+    const value = parseEnvValue(result.stdout, envKey);
+    if (!value) {
+      throw new Error(`${envKey} not found in ${options.remoteEnvPath}`);
+    }
+    return value;
+  } finally {
+    conn.end();
+  }
+}
+async function openDbSshTunnel(options) {
+  const { username, host, port } = parseSshTarget(options.sshTarget);
+  const privateKeyPath = resolvePrivateKeyPath(options.sshKeyPath);
+  const privateKey = readFileSync(privateKeyPath);
+  const keepaliveIntervalMs = options.keepaliveIntervalMs ?? 3e4;
+  const parsedDbUrl = new URL(options.databaseUrl);
+  const remoteHost = parsedDbUrl.hostname;
+  const remotePort = Number(parsedDbUrl.port || "5432");
+  const conn = await connectSsh({ host, port, username, privateKey, keepaliveIntervalMs });
+  conn.on("error", (err) => {
+    console.error(`[mcp][db-ssh-tunnel] ssh connection error: ${err.message}`);
+  });
+  conn.on("close", () => {
+    console.error("[mcp][db-ssh-tunnel] ssh connection closed; MCP will exit so Cursor can respawn it");
+    process.exit(1);
+  });
+  const server2 = createServer$1((local) => {
+    conn.forwardOut("127.0.0.1", 0, remoteHost, remotePort, (err, stream) => {
+      if (err) {
+        console.error(`[mcp][db-ssh-tunnel] forwardOut failed: ${err.message}`);
+        local.destroy(err);
+        return;
+      }
+      local.on("error", () => stream.destroy());
+      stream.on("error", () => local.destroy());
+      local.pipe(stream).pipe(local);
+    });
+  });
+  const localPort = await new Promise((resolve, reject) => {
+    server2.once("error", reject);
+    server2.listen(0, "127.0.0.1", () => {
+      const addr = server2.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("Failed to bind local tunnel listener"));
+        return;
+      }
+      resolve(addr.port);
+    });
+  });
+  const rewrittenDatabaseUrl = rewriteUrl(options.databaseUrl, localPort);
+  console.error(
+    `[mcp][db-ssh-tunnel] forwarding 127.0.0.1:${localPort} -> ${remoteHost}:${remotePort} via ssh ${username}@${host}:${port}`
+  );
+  return {
+    rewrittenDatabaseUrl,
+    localPort,
+    async close() {
+      await new Promise((resolve) => server2.close(() => resolve()));
+      conn.end();
+    }
+  };
+}
+var init_db_ssh_tunnel = __esm({
+  "src/db-ssh-tunnel.ts"() {
+  }
+});
 var connectionConfig = {
   prepare: false,
   idle_timeout: 20,
@@ -1979,19 +2155,42 @@ var sshKeyPath = getArg2("ssh-key") || process.env.MG_DASHBOARD_SSH_KEY;
 var databaseUrl = getArg2("database-url") || process.env.DATABASE_PRIMARY_POOLER_URL || process.env.DATABASE_PRIMARY_URL;
 var encryptionKey = getArg2("encryption-key") || process.env.ENCRYPTION_KEY;
 var mijnhostApiKey = getArg2("mijnhost-api-key") || process.env.MIJNHOST_API_KEY;
+var dbSshTunnel = getArg2("db-ssh-tunnel") || process.env.MG_DASHBOARD_DB_SSH_TUNNEL;
+var dbRemoteEnvFile = getArg2("db-remote-env-file") || process.env.MG_DASHBOARD_DB_REMOTE_ENV_FILE;
+var dbRemoteEnvKey = getArg2("db-remote-env-key") || process.env.MG_DASHBOARD_DB_REMOTE_ENV_KEY || "DATABASE_PRIMARY_URL";
 var httpMode = args.includes("--http");
 var httpPort = Number(getArg2("port")) || 3100;
 if (!apiKey || !sshKeyPath) {
   console.error("Authentication required. Use both --api-key=dk_xxx and --ssh-key=PATH (path to your SSH private or public key), or set MG_DASHBOARD_API_KEY and MG_DASHBOARD_SSH_KEY.");
   process.exit(1);
 }
+if (dbRemoteEnvFile && !dbSshTunnel) {
+  console.error("--db-remote-env-file requires --db-ssh-tunnel (the same SSH connection is used to read the env value).");
+  process.exit(1);
+}
+if (dbRemoteEnvFile) {
+  const { fetchRemoteEnvValue: fetchRemoteEnvValue2 } = await Promise.resolve().then(() => (init_db_ssh_tunnel(), db_ssh_tunnel_exports));
+  databaseUrl = await fetchRemoteEnvValue2({
+    sshTarget: dbSshTunnel,
+    sshKeyPath,
+    remoteEnvPath: dbRemoteEnvFile,
+    envKey: dbRemoteEnvKey
+  });
+}
 if (!databaseUrl) {
-  console.error("Database URL required. Use --database-url=postgres://... or set DATABASE_PRIMARY_URL (or DATABASE_PRIMARY_POOLER_URL).");
+  console.error("Database URL required. Provide one of:\n  --database-url=postgres://...\n  --db-remote-env-file=/path/.env (combined with --db-ssh-tunnel)\n  DATABASE_PRIMARY_URL or DATABASE_PRIMARY_POOLER_URL env var");
   process.exit(1);
 }
-if (!process.env.DATABASE_PRIMARY_URL && !process.env.DATABASE_PRIMARY_POOLER_URL) {
-  process.env.DATABASE_PRIMARY_URL = databaseUrl;
+if (dbSshTunnel) {
+  const { openDbSshTunnel: openDbSshTunnel2 } = await Promise.resolve().then(() => (init_db_ssh_tunnel(), db_ssh_tunnel_exports));
+  const tunnel = await openDbSshTunnel2({ sshTarget: dbSshTunnel, sshKeyPath, databaseUrl });
+  databaseUrl = tunnel.rewrittenDatabaseUrl;
+  process.on("exit", () => {
+    void tunnel.close();
+  });
 }
+process.env.DATABASE_PRIMARY_URL = databaseUrl;
+process.env.DATABASE_PRIMARY_POOLER_URL = databaseUrl;
 var db = getDb();
 var RateLimiter = class {
   buckets = /* @__PURE__ */ new Map();
@@ -2079,7 +2278,6 @@ async function writeAuditLog(entry) {
 var MODULE_KEYS = [
   "users",
   "ssh_servers",
-  "supabase",
   "wiki",
   "ci_cd",
   "domains",
@@ -2088,7 +2286,7 @@ var MODULE_KEYS = [
 ];
 var FULL_PERMISSIONS = {
   modules: Object.fromEntries(MODULE_KEYS.map((k) => [k, true])),
-  resources: { ssh_servers: ["*"], supabase_instances: ["*"] }
+  resources: { ssh_servers: ["*"] }
 };
 function parsePermissions(raw) {
   if (!raw || typeof raw !== "object") return null;
@@ -2105,8 +2303,7 @@ function resolvePermissions(roleName, roleDefaults, userOverrides) {
     modules[key] = userVal !== void 0 ? userVal : roleVal !== void 0 ? roleVal : false;
   }
   const resources = {
-    ssh_servers: overrides?.resources?.ssh_servers ?? base?.resources?.ssh_servers ?? [],
-    supabase_instances: overrides?.resources?.supabase_instances ?? base?.resources?.supabase_instances ?? []
+    ssh_servers: overrides?.resources?.ssh_servers ?? base?.resources?.ssh_servers ?? []
   };
   return { modules, resources };
 }
@@ -2750,7 +2947,7 @@ async function getServerConnection(serverIdOrName) {
   const needsProxy = data.allowed_ssh_ips !== null && serverId !== SSH_PROXY_SERVER_ID;
   const proxy = needsProxy ? await getProxyConnection() : void 0;
   const os = data.os_type === "windows" ? "windows" : "linux";
-  return { conn, proxy, os };
+  return { serverId, conn, proxy, os };
 }
 async function sshExec(opts, command, proxy, options) {
   const first = await sshExecOnce(opts, command, proxy, options);
@@ -4232,6 +4429,34 @@ done
   }
   return out;
 }
+var POSTGRES_CONTAINER_CREDS_CACHE = /* @__PURE__ */ new Map();
+var PG_CREDS_TTL_MS = 60 * 60 * 1e3;
+function cachePostgresContainerCreds(serverId, containerName, creds) {
+  POSTGRES_CONTAINER_CREDS_CACHE.set(`${serverId}|${containerName}`, { ...creds, capturedAt: Date.now() });
+}
+async function resolvePostgresContainerCreds(conn, proxy, serverId, containerName) {
+  const key = `${serverId}|${containerName}`;
+  const cached = POSTGRES_CONTAINER_CREDS_CACHE.get(key);
+  if (cached && Date.now() - cached.capturedAt < PG_CREDS_TTL_MS) return cached;
+  const safeContainer = containerName.replace(/[^a-zA-Z0-9._-]/g, "");
+  const res = await sshExec(
+    conn,
+    `docker exec ${safeContainer} env 2>/dev/null | grep -E '^POSTGRES_(USER|DB|PASSWORD)='`,
+    proxy
+  );
+  let dbUser = "postgres";
+  let dbName = "postgres";
+  let hasPassword = false;
+  for (const raw of res.stdout.split("\n")) {
+    const line = raw.trim();
+    if (line.startsWith("POSTGRES_USER=")) dbUser = line.slice("POSTGRES_USER=".length) || "postgres";
+    else if (line.startsWith("POSTGRES_DB=")) dbName = line.slice("POSTGRES_DB=".length) || "postgres";
+    else if (line.startsWith("POSTGRES_PASSWORD=")) hasPassword = true;
+  }
+  const creds = { dbName, dbUser, hasPassword, capturedAt: Date.now() };
+  POSTGRES_CONTAINER_CREDS_CACHE.set(key, creds);
+  return creds;
+}
 async function psqlInContainer(conn, proxy, containerName, dbUser, dbName, scriptSql, flags) {
   const safeContainer = containerName.replace(/[^a-zA-Z0-9._-]/g, "");
   const safeUser = dbUser.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
@@ -4687,22 +4912,22 @@ var TOOLS = [
   },
   {
     name: "db-tables",
-    description: "List tables with row counts + sizes. Two routing modes:\n- MySQL via `/var/www` autodiscover: pass `sitePath`. Credentials are read from wp-config.php / parameters.php / .env.\n- Postgres container: pass `containerName` (and optionally `dbName` / `dbUser`, defaulting to `postgres`). Returns one row per user table sorted by total size, with estimated row count from pg_class.reltuples.",
+    description: "List tables with row counts + sizes. Two routing modes:\n- MySQL via `/var/www` autodiscover: pass `sitePath`. Credentials are read from wp-config.php / parameters.php / .env.\n- Postgres container: pass `containerName`. dbName + dbUser are auto-resolved from the container `POSTGRES_DB` / `POSTGRES_USER` env vars (cached 1h). Returns one row per user table sorted by total size, with estimated row count from pg_class.reltuples.",
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" },
+        serverId: { type: "string", description: "UUID or (fuzzy) name of the SSH server" },
         sitePath: { type: "string", description: "Site root path (e.g. /var/www/example.com). MySQL autodiscover mode." },
         containerName: { type: "string", description: "Postgres container name. Activates direct Postgres mode." },
-        dbName: { type: "string", description: 'Database name (containerName mode, defaults to "postgres")' },
-        dbUser: { type: "string", description: 'Database user (containerName mode, defaults to "postgres")' }
+        dbName: { type: "string", description: "Database name (containerName mode). Auto-resolved from container env when omitted." },
+        dbUser: { type: "string", description: "Database user (containerName mode). Auto-resolved from container env when omitted." }
       },
       required: ["serverId"]
     }
   },
   {
     name: "db-query",
-    description: 'Execute SQL against any database. **Use this for ALL queries (SELECT, INSERT, UPDATE, DELETE, schema introspection) against vanilla Postgres / MySQL / MSSQL containers** \u2014 do NOT fall back to `ssh-execute` + `docker cp` + `psql -f` with .tmp.sql files; the container path here already pipes via stdin so quotes / `$` / `;` are safe. Multi-statement scripts work fine: separate with `;` and they will all be executed by psql/mysql.\n\nTwo routing modes:\n- MySQL via `/var/www` autodiscover (default): pass `sitePath` (and `engine: "mysql"` implicitly). Credentials are read from wp-config.php, parameters.php, .env.\n- Direct via Docker container: pass `containerName` (the container running the DB server). Engine defaults to `postgres`; pass `engine: "mysql"` or `"mssql"` to override. Use `db-discover include=["postgres-containers"]` to find available containers + creds.\n\nPostgres example: `{ serverId, containerName: "refront-postgres-vanilla", dbName: "main", dbUser: "postgres", query: "SELECT 1" }`. Defaults: dbUser=postgres, dbName=postgres.\nMSSQL example: `{ serverId, containerName: "mssql-1", engine: "mssql", dbUser: "sa", dbPass: "...", query: "SELECT 1" }`.\n\nResult safety: `maxRows` (default 1000, max 10000) auto-injects a `LIMIT` for SELECT queries that don\'t have one. The footer reports whether the cap was applied. Pass `maxRows: 0` to disable.\n\nDiagnostics: `explain: true` prepends EXPLAIN (postgres / mysql) or runs `SET SHOWPLAN_TEXT ON` (mssql).\n\nAtomic multi-statement: pass `transaction: true` to wrap the query in BEGIN/COMMIT (postgres / mysql) so a failure in any statement rolls back the lot. Use for ad-hoc fixes that are not schema migrations (e.g. `UPDATE tax_rate SET pct = pct * 100; UPDATE order SET ...`).\n\nSchema introspection: pass `describe: "tablename"` to get columns + indexes (works for mysql, postgres, and mssql). Pass `describe: "*"` to list all tables. When `describe` is set, `query` is ignored.\n\nDestructive operations (DROP, TRUNCATE, ALTER \u2026 DROP, naked DELETE) are blocked by default. For schema migrations, **prefer `db-apply-migration`** \u2014 it has an audit ledger and idempotency. As an escape hatch for ad-hoc hot-fixes, pass `allowDestructive: "yes-i-understand-this-is-not-logged"` (literal string) to bypass the gate. The bypass is logged in the response footer.',
+    description: 'Execute SQL against any database. **Use this for ALL queries (SELECT, INSERT, UPDATE, DELETE, schema introspection) against vanilla Postgres / MySQL / MSSQL containers** \u2014 do NOT fall back to `ssh-execute` + `docker cp` + `psql -f` with .tmp.sql files; the container path here already pipes via stdin so quotes / `$` / `;` are safe. Multi-statement scripts work fine: separate with `;` and they will all be executed by psql/mysql.\n\nTwo routing modes:\n- MySQL via `/var/www` autodiscover (default): pass `sitePath` (and `engine: "mysql"` implicitly). Credentials are read from wp-config.php, parameters.php, .env.\n- Direct via Docker container: pass `containerName` (the container running the DB server). Engine defaults to `postgres`; pass `engine: "mysql"` or `"mssql"` to override. Use `db-discover include=["postgres-containers"]` to find available containers + creds.\n\nPostgres example: `{ serverId, containerName: "refront-postgres-vanilla", query: "SELECT 1" }` \u2014 dbName and dbUser are AUTO-RESOLVED from the container\'s `POSTGRES_USER` / `POSTGRES_DB` env vars (cached 1h per server). Only pass `dbName`/`dbUser` explicitly when the instance hosts multiple databases or you want to query as a non-default role.\nMSSQL example: `{ serverId, containerName: "mssql-1", engine: "mssql", dbUser: "sa", dbPass: "...", query: "SELECT 1" }`.\n\nResult safety: `maxRows` (default 1000, max 10000) auto-injects a `LIMIT` for SELECT queries that don\'t have one. The footer reports whether the cap was applied. Pass `maxRows: 0` to disable.\n\nDiagnostics: `explain: true` prepends EXPLAIN (postgres / mysql) or runs `SET SHOWPLAN_TEXT ON` (mssql).\n\nAtomic multi-statement: pass `transaction: true` to wrap the query in BEGIN/COMMIT (postgres / mysql) so a failure in any statement rolls back the lot. Use for ad-hoc fixes that are not schema migrations (e.g. `UPDATE tax_rate SET pct = pct * 100; UPDATE order SET ...`).\n\nSchema introspection: pass `describe: "tablename"` to get columns + indexes (works for mysql, postgres, and mssql). Pass `describe: "*"` to list all tables. When `describe` is set, `query` is ignored.\n\nDestructive operations (DROP, TRUNCATE, ALTER \u2026 DROP, naked DELETE) are blocked by default. For schema migrations, **prefer `db-apply-migration`** \u2014 it has an audit ledger and idempotency. As an escape hatch for ad-hoc hot-fixes, pass `allowDestructive: "yes-i-understand-this-is-not-logged"` (literal string) to bypass the gate. The bypass is logged in the response footer.',
     inputSchema: {
       type: "object",
       properties: {
@@ -4712,8 +4937,8 @@ var TOOLS = [
         sitePath: { type: "string", description: "Site root path (e.g. /var/www/example.com). Used only with engine=mysql autodiscover." },
         containerName: { type: "string", description: 'Docker container running the DB server (e.g. "refront-postgres-vanilla", "supabase-db"). Activates direct-query mode.' },
         engine: { type: "string", enum: ["mysql", "postgres", "mssql"], description: 'DB engine. Defaults to "mysql" with sitePath, "postgres" with containerName.' },
-        dbName: { type: "string", description: 'Database name (containerName mode). Defaults: postgres \u2192 "postgres", mysql \u2192 server default, mssql \u2192 server default.' },
-        dbUser: { type: "string", description: 'Database user (containerName mode). Defaults: postgres \u2192 "postgres", mysql \u2192 "root", mssql \u2192 "sa".' },
+        dbName: { type: "string", description: "Database name (containerName mode). For postgres: auto-resolved from container `POSTGRES_DB` env var when omitted. For mysql: server default. For mssql: server default." },
+        dbUser: { type: "string", description: 'Database user (containerName mode). For postgres: auto-resolved from container `POSTGRES_USER` env var when omitted. For mysql: defaults to "root". For mssql: defaults to "sa".' },
         dbPass: { type: "string", description: "Database password (containerName mode). Required for mssql; optional for mysql; postgres uses trust auth by default." },
         maxRows: { type: "number", description: "Auto-inject LIMIT for unbounded SELECTs. Default 1000, max 10000, set 0 to disable." },
         explain: { type: "boolean", description: "Prepend EXPLAIN (postgres/mysql) or SHOWPLAN (mssql) instead of executing. Useful for slow-query diagnosis." },
@@ -4725,14 +4950,14 @@ var TOOLS = [
   },
   {
     name: "db-apply-migration",
-    description: 'Apply a SQL migration to a Postgres container and record it in an MCP-managed ledger table (`_mcp_migrations`) so re-runs are idempotent. Use this for ALL schema changes (CREATE/ALTER/DROP/TRUNCATE) \u2014 it allows DDL that `db-query` blocks, and gives you audit + drift detection in exchange.\n\nLedger schema (auto-created on first call): `_mcp_migrations(name TEXT PRIMARY KEY, sha256 TEXT, applied_at TIMESTAMPTZ, applied_by TEXT)`.\n\nBehaviour:\n- If `name` is already in the ledger AND the sha256 of the supplied SQL matches \u2192 no-op, returns "already applied".\n- If `name` is already in the ledger with a DIFFERENT sha256 \u2192 fails loudly ("drift detected"). Pass `force: true` to overwrite (logged).\n- Otherwise the SQL is wrapped in BEGIN/COMMIT and applied, then a row is inserted into `_mcp_migrations`.\n\nPass `noTransaction: true` for statements that cannot run inside a transaction (`CREATE INDEX CONCURRENTLY`, `ALTER TYPE \u2026 ADD VALUE`, `VACUUM`, etc.). In that mode the user SQL runs first and the ledger is recorded in a separate follow-up call.\n\nSQL source: provide ONE of `sql` (inline string), `localFile` (path on this machine, read and piped via stdin), or `remoteFile` (absolute path on the SSH server, read with `cat` first).\n\nExample: `{ serverId, containerName: "refront-postgres-vanilla", dbName: "main", name: "20260517120000_add_unified_classification", localFile: "./migrations/20260517120000_add_unified_classification.sql" }`.',
+    description: 'Apply a SQL migration to a Postgres container and record it in an MCP-managed ledger table (`_mcp_migrations`) so re-runs are idempotent. Use this for ALL schema changes (CREATE/ALTER/DROP/TRUNCATE) \u2014 it allows DDL that `db-query` blocks, and gives you audit + drift detection in exchange.\n\nLedger schema (auto-created on first call): `_mcp_migrations(name TEXT PRIMARY KEY, sha256 TEXT, applied_at TIMESTAMPTZ, applied_by TEXT)`.\n\nBehaviour:\n- If `name` is already in the ledger AND the sha256 of the supplied SQL matches \u2192 no-op, returns "already applied".\n- If `name` is already in the ledger with a DIFFERENT sha256 \u2192 fails loudly ("drift detected"). Pass `force: true` to overwrite (logged).\n- Otherwise the SQL is wrapped in BEGIN/COMMIT and applied, then a row is inserted into `_mcp_migrations`.\n\nPass `noTransaction: true` for statements that cannot run inside a transaction (`CREATE INDEX CONCURRENTLY`, `ALTER TYPE \u2026 ADD VALUE`, `VACUUM`, etc.). In that mode the user SQL runs first and the ledger is recorded in a separate follow-up call.\n\nSQL source: provide ONE of `sql` (inline string), `localFile` (path on this machine, read and piped via stdin), or `remoteFile` (absolute path on the SSH server, read with `cat` first).\n\nExample: `{ serverId, containerName: "refront-postgres-vanilla", name: "20260517120000_add_unified_classification", localFile: "./migrations/20260517120000_add_unified_classification.sql" }` \u2014 dbName + dbUser are auto-resolved from the container env (cached 1h).',
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" },
+        serverId: { type: "string", description: "UUID or (fuzzy) name of the SSH server" },
         containerName: { type: "string", description: 'Postgres container name (e.g. "refront-postgres-vanilla")' },
-        dbName: { type: "string", description: 'Database (defaults to "postgres" \u2014 set explicitly to your app DB)' },
-        dbUser: { type: "string", description: 'User (defaults to "postgres")' },
+        dbName: { type: "string", description: "Database. Auto-resolved from container `POSTGRES_DB` env when omitted. Override only when the instance hosts multiple databases." },
+        dbUser: { type: "string", description: "User. Auto-resolved from container `POSTGRES_USER` env when omitted." },
         name: { type: "string", description: "Unique migration name (recommended format: `YYYYMMDDhhmmss_description`)" },
         sql: { type: "string", description: "Inline SQL string (mutually exclusive with localFile / remoteFile)" },
         localFile: { type: "string", description: "Path on this machine to a .sql file (read here, streamed via stdin)" },
@@ -4746,14 +4971,14 @@ var TOOLS = [
   },
   {
     name: "db-list-migrations",
-    description: 'List entries from the `_mcp_migrations` ledger on a Postgres container. Answers "what migrations have already been applied here?" without having to write SQL. Returns name, sha256 (truncated), applied_at, applied_by, ordered by most recent first. If the ledger table does not exist yet (no migrations applied via db-apply-migration), returns an empty list.',
+    description: 'List entries from the `_mcp_migrations` ledger on a Postgres container. Answers "what migrations have already been applied here?" without having to write SQL. Returns full name, sha256, applied_at, applied_by, ordered by most recent first. If the ledger table does not exist yet (no migrations applied via db-apply-migration), returns a friendly empty response. dbName + dbUser are auto-resolved from the container env when omitted.',
     inputSchema: {
       type: "object",
       properties: {
-        serverId: { type: "string", description: "UUID of the SSH server" },
+        serverId: { type: "string", description: "UUID or (fuzzy) name of the SSH server" },
         containerName: { type: "string", description: "Postgres container name" },
-        dbName: { type: "string", description: 'Database (defaults to "postgres")' },
-        dbUser: { type: "string", description: 'User (defaults to "postgres")' },
+        dbName: { type: "string", description: "Database. Auto-resolved from container `POSTGRES_DB` env when omitted." },
+        dbUser: { type: "string", description: "User. Auto-resolved from container `POSTGRES_USER` env when omitted." },
         limit: { type: "number", description: "Max number of entries (default 50, max 500)" }
       },
       required: ["serverId", "containerName"]
@@ -4858,7 +5083,7 @@ var TOOLS = [
   // ----- Repo reference -----
   ...REPO_TOOLS
 ];
-var MCP_VERSION = "6.2.0";
+var MCP_VERSION = "6.3.0";
 async function handleListTools() {
   if (!authContext) return { tools: TOOLS };
   const accessible = TOOLS.filter((tool) => {
@@ -5814,7 +6039,7 @@ ${trail.join("\n")}` }] };
       }
       // ----- Database -----
       case "db-discover": {
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
         const rawInclude = Array.isArray(a.include) ? a.include.map(String) : ["www"];
         const include = new Set(rawInclude.filter((m) => m === "www" || m === "postgres-containers"));
         if (include.size === 0) include.add("www");
@@ -5833,6 +6058,13 @@ ${lines.join("\n")}`);
         }
         if (include.has("postgres-containers")) {
           const containers = await discoverPostgresContainers(conn, proxy);
+          for (const c of containers) {
+            cachePostgresContainerCreds(serverId, c.container, {
+              dbName: c.db,
+              dbUser: c.user,
+              hasPassword: c.hasPassword
+            });
+          }
           if (!containers.length) {
             sections.push("## Postgres containers\n(none \u2014 no running container exposes POSTGRES_USER/POSTGRES_DB)");
           } else {
@@ -5842,17 +6074,22 @@ ${lines.join("\n")}`);
             sections.push(`## Postgres containers (${containers.length})
 ${lines.join("\n")}
 
-Tip: use these directly with \`db-query containerName=\u2026 dbName=\u2026 dbUser=\u2026\` or \`db-apply-migration\`.`);
+Tip: pass just \`containerName\` to \`db-query\` / \`db-apply-migration\` / \`db-list-migrations\` \u2014 dbName + dbUser are auto-resolved from the container env (cached for 1h per server).`);
           }
         }
         return { content: [{ type: "text", text: sections.join("\n\n") }] };
       }
       case "db-tables": {
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
         const containerName = typeof a.containerName === "string" && a.containerName ? a.containerName : "";
         if (containerName) {
-          const dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "postgres";
-          const dbName = typeof a.dbName === "string" && a.dbName ? a.dbName : "postgres";
+          let dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "";
+          let dbName = typeof a.dbName === "string" && a.dbName ? a.dbName : "";
+          if (!dbUser || !dbName) {
+            const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+            if (!dbUser) dbUser = creds.dbUser;
+            if (!dbName) dbName = creds.dbName;
+          }
           const sqlText2 = `SELECT n.nspname AS schema,
        c.relname AS "table",
        pg_size_pretty(pg_total_relation_size(c.oid)) AS size,
@@ -5948,9 +6185,14 @@ COMMIT;`;
         if (!containerName) {
           return { content: [{ type: "text", text: `Error: engine=${engine} requires containerName (the docker container running the DB server, e.g. "supabase-db" or "trigger-postgres")` }] };
         }
-        const dbName = typeof a.dbName === "string" && a.dbName ? a.dbName.replace(/[^a-zA-Z0-9_-]/g, "") : "";
-        const dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") : "";
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        let dbName = typeof a.dbName === "string" && a.dbName ? a.dbName.replace(/[^a-zA-Z0-9_-]/g, "") : "";
+        let dbUser = typeof a.dbUser === "string" && a.dbUser ? a.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") : "";
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
+        if (engine === "postgres" && (!dbName || !dbUser)) {
+          const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+          if (!dbName) dbName = creds.dbName.replace(/[^a-zA-Z0-9_-]/g, "");
+          if (!dbUser) dbUser = creds.dbUser.replace(/[^a-zA-Z0-9_-]/g, "");
+        }
         let cmd;
         let stdinPayload;
         if (engine === "postgres") {
@@ -5988,8 +6230,8 @@ GO
       case "db-apply-migration": {
         const containerName = String(a.containerName || "").replace(/[^a-zA-Z0-9._-]/g, "");
         if (!containerName) return { content: [{ type: "text", text: "Error: containerName is required" }] };
-        const dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
-        const dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        let dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "").replace(/[^a-zA-Z0-9_-]/g, "");
+        let dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "").replace(/[^a-zA-Z0-9_-]/g, "");
         const name2 = String(a.name || "").trim();
         if (!name2) return { content: [{ type: "text", text: 'Error: name is required (e.g. "20260517120000_add_foo")' }] };
         if (!/^[\w.@:+\-]+$/.test(name2) || name2.length > 200) {
@@ -6008,7 +6250,12 @@ GO
         if (sources.length !== 1) {
           return { content: [{ type: "text", text: `Error: pass exactly one of \`sql\`, \`localFile\`, or \`remoteFile\` (got ${sources.length || "none"}: ${sources.join(", ") || "\u2014"})` }] };
         }
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
+        if (!dbUser || !dbName) {
+          const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+          if (!dbUser) dbUser = creds.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+          if (!dbName) dbName = creds.dbName.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        }
         let migrationSql;
         if (typeof a.sql === "string" && a.sql) {
           migrationSql = a.sql;
@@ -6168,11 +6415,16 @@ ${res.stdout.trim()}` : "(no output)")
       case "db-list-migrations": {
         const containerName = String(a.containerName || "").replace(/[^a-zA-Z0-9._-]/g, "");
         if (!containerName) return { content: [{ type: "text", text: "Error: containerName is required" }] };
-        const dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
-        const dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "postgres").replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        let dbUser = (typeof a.dbUser === "string" && a.dbUser ? a.dbUser : "").replace(/[^a-zA-Z0-9_-]/g, "");
+        let dbName = (typeof a.dbName === "string" && a.dbName ? a.dbName : "").replace(/[^a-zA-Z0-9_-]/g, "");
         const limitRaw = Number(a.limit);
         const limit = Math.min(Math.max(Number.isFinite(limitRaw) && limitRaw > 0 ? Math.floor(limitRaw) : 50, 1), 500);
-        const { conn, proxy } = await getServerConnection(String(a.serverId));
+        const { serverId, conn, proxy } = await getServerConnection(String(a.serverId));
+        if (!dbUser || !dbName) {
+          const creds = await resolvePostgresContainerCreds(conn, proxy, serverId, containerName);
+          if (!dbUser) dbUser = creds.dbUser.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+          if (!dbName) dbName = creds.dbName.replace(/[^a-zA-Z0-9_-]/g, "") || "postgres";
+        }
         const sqlText = `SELECT name, sha256, applied_at, applied_by
 FROM _mcp_migrations
 ORDER BY applied_at DESC