@sigma4life/mysql-mcp-server 1.0.0

package/dist/core/security/access-control.js

@@ -0,0 +1,244 @@
+/**
+ * Access Control Validation for execute_query
+ *
+ * Validates SQL queries against access control configuration:
+ * - Database access (must be configured)
+ * - Table whitelist/blacklist
+ * - Column access (inclusion/exclusion modes)
+ * - SELECT * blocking
+ */
+import { AccessControlError, } from "./types.js";
+import { getTableConfigForSchema } from "./config-loader.js";
+import { parseQuery } from "../sql-parser.js";
+import { logger } from "../logger.js";
+/**
+ * Validate a query against access control configuration
+ * @throws AccessControlError if validation fails
+ */
+export function validateQueryAccess(query, database, config) {
+    const violations = [];
+    // Step 1: Check if database is configured
+    const dbViolation = validateDatabaseAccess(database, config);
+    if (dbViolation) {
+        throw new AccessControlError([dbViolation]);
+    }
+    // Step 2: Parse the query
+    const parsed = parseQuery(query, database);
+    logger.debug(`Parsed query info: tables=${parsed.tables.length}, columns=${parsed.columns.length}, hasSelectStar=${parsed.hasSelectStar}`);
+    // Step 3: Validate SELECT * usage
+    if (config.requireExplicitColumns && parsed.hasSelectStar) {
+        violations.push(...validateSelectStar(parsed.selectStarTables));
+    }
+    // Step 4: Validate table access
+    for (const table of parsed.tables) {
+        const tableViolation = validateTableAccess(table, config);
+        if (tableViolation) {
+            violations.push(tableViolation);
+        }
+    }
+    // Step 5: Validate column access (only if no SELECT *)
+    // If SELECT * is used, we can't know which columns will be returned
+    // so we already blocked it above
+    if (!parsed.hasSelectStar) {
+        for (const column of parsed.columns) {
+            const columnViolation = validateColumnAccess(column, config);
+            if (columnViolation) {
+                violations.push(columnViolation);
+            }
+        }
+    }
+    // Throw if any violations found
+    if (violations.length > 0) {
+        logger.warn(`Access control violations: ${violations.map((v) => v.message).join("; ")}`);
+        throw new AccessControlError(violations);
+    }
+    logger.debug("Query passed access control validation");
+}
+/**
+ * Validate database is configured
+ */
+function validateDatabaseAccess(database, config) {
+    const dbUpper = database.toUpperCase();
+    if (!config.databases[dbUpper]) {
+        return {
+            type: "database_not_configured",
+            database,
+            message: `Database '${database}' is not configured for query access. ` +
+                `Add it to QUERY_ACCESS_CONFIG to enable queries.`,
+        };
+    }
+    return null;
+}
+/**
+ * Validate SELECT * usage
+ */
+function validateSelectStar(selectStarTables) {
+    const violations = [];
+    for (const tableRef of selectStarTables) {
+        if (tableRef === "*") {
+            violations.push({
+                type: "select_star",
+                message: "SELECT * is not allowed. All SELECT statements must explicitly list columns. " +
+                    "Example: SELECT name, email FROM customers",
+            });
+        }
+        else {
+            violations.push({
+                type: "select_star",
+                table: tableRef,
+                message: `SELECT ${tableRef}.* is not allowed. ` +
+                    `Please specify columns explicitly instead of using table.* syntax.`,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * Validate table access against whitelist/blacklist
+ */
+function validateTableAccess(table, config) {
+    // Skip subquery pseudo-tables
+    if (table.schema === "__subquery__") {
+        return null;
+    }
+    // Skip CTE references (they're query-scoped aliases, not real tables)
+    if (table.schema === "__cte__") {
+        return null;
+    }
+    const schemaConfig = getTableConfigForSchema(config, table.database, table.schema);
+    if (!schemaConfig) {
+        return {
+            type: "schema_not_configured",
+            database: table.database,
+            schema: table.schema,
+            table: table.table,
+            message: `Schema '${table.schema}' in database '${table.database}' is not configured for query access. ` +
+                `Add schema rules to QUERY_ACCESS_CONFIG.`,
+        };
+    }
+    const { tableConfig } = schemaConfig;
+    const tableNameLower = table.table.toLowerCase();
+    // Check whitelist/blacklist
+    const listLower = tableConfig.list.map((t) => t.toLowerCase());
+    switch (tableConfig.mode) {
+        case "whitelist":
+            if (!listLower.includes(tableNameLower)) {
+                return {
+                    type: "table_not_allowed",
+                    database: table.database,
+                    schema: table.schema,
+                    table: table.table,
+                    message: `Table '${table.database}.${table.schema}.${table.table}' is not in the allowed tables list. ` +
+                        `Allowed tables for ${table.database}.${table.schema}: ${tableConfig.list.join(", ") || "(none)"}`,
+                };
+            }
+            break;
+        case "blacklist":
+            if (listLower.includes(tableNameLower)) {
+                return {
+                    type: "table_not_allowed",
+                    database: table.database,
+                    schema: table.schema,
+                    table: table.table,
+                    message: `Table '${table.database}.${table.schema}.${table.table}' cannot be queried. ` +
+                        `This table is in the exclusion list for database '${table.database}', schema '${table.schema}'.`,
+                };
+            }
+            break;
+        case "none":
+            // No table-level restrictions
+            break;
+    }
+    return null;
+}
+/**
+ * Validate column access against inclusion/exclusion rules
+ */
+function validateColumnAccess(column, config) {
+    // Skip unknown table columns (can't validate)
+    if (column.table === "__unknown__") {
+        return null;
+    }
+    const schemaConfig = getTableConfigForSchema(config, column.database, column.schema);
+    if (!schemaConfig) {
+        // Schema not configured - already caught in table validation
+        return null;
+    }
+    const { columnAccess } = schemaConfig;
+    const tableNameLower = column.table.toLowerCase();
+    const columnNameLower = column.column.toLowerCase();
+    // Find policy for this table (case-insensitive)
+    let policy = null;
+    let policyTableName = "";
+    for (const [table, tablePolicy] of Object.entries(columnAccess)) {
+        if (table.toLowerCase() === tableNameLower) {
+            policy = tablePolicy;
+            policyTableName = table;
+            break;
+        }
+    }
+    // No policy = allow all columns
+    if (!policy) {
+        return null;
+    }
+    const columnsLower = policy.columns.map((c) => c.toLowerCase());
+    if (policy.mode === "inclusion") {
+        // Whitelist: column must be in the list
+        if (!columnsLower.includes(columnNameLower)) {
+            return {
+                type: "column_not_allowed",
+                database: column.database,
+                schema: column.schema,
+                table: column.table,
+                column: column.column,
+                message: `Column '${column.column}' from '${column.database}.${column.schema}.${column.table}' cannot be selected. ` +
+                    `Allowed columns for ${policyTableName}: ${policy.columns.join(", ")}`,
+            };
+        }
+    }
+    else {
+        // Blacklist: column must NOT be in the list
+        if (columnsLower.includes(columnNameLower)) {
+            return {
+                type: "column_excluded",
+                database: column.database,
+                schema: column.schema,
+                table: column.table,
+                column: column.column,
+                message: `Column '${column.column}' from '${column.database}.${column.schema}.${column.table}' cannot be selected. ` +
+                    `Excluded columns: ${policy.columns.join(", ")}`,
+            };
+        }
+    }
+    return null;
+}
+// Singleton config holder
+let globalConfig = null;
+/**
+ * Initialize the global access control config
+ * Called once at startup from index.ts
+ */
+export function initAccessControl(config) {
+    globalConfig = config;
+    logger.info("Access control initialized");
+}
+/**
+ * Get the global access control config
+ * @throws Error if not initialized
+ */
+export function getAccessControlConfig() {
+    if (!globalConfig) {
+        throw new Error("Access control not initialized. Ensure QUERY_ACCESS_CONFIG is set and valid.");
+    }
+    return globalConfig;
+}
+/**
+ * Check if access control is initialized
+ */
+export function isAccessControlInitialized() {
+    return globalConfig !== null;
+}
+// Re-export types for convenience
+export { AccessControlError } from "./types.js";
+export { loadAccessControlConfig, getTableConfigForSchema, } from "./config-loader.js";
+//# sourceMappingURL=access-control.js.map

package/dist/core/security/access-control.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../../src/core/security/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAGL,kBAAkB,GAGnB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAEtC;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,QAAgB,EAChB,MAA2B;IAE3B,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,0CAA0C;IAC1C,MAAM,WAAW,GAAG,sBAAsB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC7D,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,IAAI,kBAAkB,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,0BAA0B;IAC1B,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,CAAC,KAAK,CACV,6BAA6B,MAAM,CAAC,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,mBAAmB,MAAM,CAAC,aAAa,EAAE,CAC7H,CAAC;IAEF,kCAAkC;IAClC,IAAI,MAAM,CAAC,sBAAsB,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1D,UAAU,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,gCAAgC;IAChC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,mBAAmB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,cAAc,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,uDAAuD;IACvD,oEAAoE;IACpE,iCAAiC;IACjC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,MAAM,eAAe,GAAG,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC7D,IAAI,eAAe,EAAE,CAAC;gBACpB,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CACT,8BAA8B,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5E,CAAC;QACF,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,QAAgB,EAChB,MAA2B;IAE3B,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,IAAI,EAAE,yBAAyB;YAC/B,QAAQ;YACR,OAAO,EACL,aAAa,QAAQ,wCAAwC;gBAC7D,kDAAkD;SACrD,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,gBAA0B;IACpD,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,IAAI,QAAQ,KAAK,GAAG,EAAE,CAAC;YACrB,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,aAAa;gBACnB,OAAO,EACL,+EAA+E;oBAC/E,4CAA4C;aAC/C,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,QAAQ;gBACf,OAAO,EACL,UAAU,QAAQ,qBAAqB;oBACvC,oEAAoE;aACvE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,KAAwB,EACxB,MAA2B;IAE3B,8BAA8B;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,uBAAuB,CAC1C,MAAM,EACN,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,MAAM,CACb,CAAC;IAEF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO;YACL,IAAI,EAAE,uBAAuB;YAC7B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EACL,WAAW,KAAK,CAAC,MAAM,kBAAkB,KAAK,CAAC,QAAQ,wCAAwC;gBAC/F,0CAA0C;SAC7C,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,WAAW,EAAE,GAAG,YAAY,CAAC;IACrC,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAEjD,4BAA4B;IAC5B,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAE/D,QAAQ,WAAW,CAAC,IAAI,EAAE,CAAC;QACzB,KAAK,WAAW;YACd,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBACxC,OAAO;oBACL,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EACL,UAAU,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,uCAAuC;wBAC9F,sBAAsB,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE;iBACrG,CAAC;YACJ,CAAC;YACD,MAAM;QAER,KAAK,WAAW;YACd,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBACvC,OAAO;oBACL,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,OAAO,EACL,UAAU,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,uBAAuB;wBAC9E,qDAAqD,KAAK,CAAC,QAAQ,cAAc,KAAK,CAAC,MAAM,IAAI;iBACpG,CAAC;YACJ,CAAC;YACD,MAAM;QAER,KAAK,MAAM;YACT,8BAA8B;YAC9B,MAAM;IACV,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,MAA0B,EAC1B,MAA2B;IAE3B,8CAA8C;IAC9C,IAAI,MAAM,CAAC,KAAK,KAAK,aAAa,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,uBAAuB,CAC1C,MAAM,EACN,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,MAAM,CACd,CAAC;IACF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,6DAA6D;QAC7D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;IACtC,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;IAClD,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;IAEpD,gDAAgD;IAChD,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,eAAe,GAAG,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAChE,IAAI,KAAK,CAAC,WAAW,EAAE,KAAK,cAAc,EAAE,CAAC;YAC3C,MAAM,GAAG,WAAW,CAAC;YACrB,eAAe,GAAG,KAAK,CAAC;YACxB,MAAM;QACR,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAEhE,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,wCAAwC;QACxC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YAC5C,OAAO;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,OAAO,EACL,WAAW,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,wBAAwB;oBAC3G,uBAAuB,eAAe,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACzE,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,4CAA4C;QAC5C,IAAI,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YAC3C,OAAO;gBACL,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,OAAO,EACL,WAAW,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,wBAAwB;oBAC3G,qBAAqB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACnD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0BAA0B;AAC1B,IAAI,YAAY,GAA+B,IAAI,CAAC;AAEpD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAA2B;IAC3D,YAAY,GAAG,MAAM,CAAC;IACtB,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB;IACpC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,YAAY,KAAK,IAAI,CAAC;AAC/B,CAAC;AAED,kCAAkC;AAClC,OAAO,EAAuB,kBAAkB,EAAE,MAAM,YAAY,CAAC;AACrE,OAAO,EACL,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,oBAAoB,CAAC"}

package/dist/core/security/config-loader.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Access Control Configuration Loader
+ *
+ * Loads configuration from JSON file specified by QUERY_ACCESS_CONFIG env var.
+ * Validates configuration structure and provides helpful error messages.
+ */
+import { AccessControlConfig, TableConfig, ColumnAccessPolicy } from './types.js';
+/**
+ * Load and validate access control configuration
+ * @throws Error if config is invalid or missing (restrictive default)
+ */
+export declare function loadAccessControlConfig(): AccessControlConfig;
+/**
+ * Get the effective table config for a database/schema combination
+ */
+export declare function getTableConfigForSchema(config: AccessControlConfig, database: string, schema: string): {
+    tableConfig: TableConfig;
+    columnAccess: Record<string, ColumnAccessPolicy>;
+} | null;
+//# sourceMappingURL=config-loader.d.ts.map

package/dist/core/security/config-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../../src/core/security/config-loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EACL,mBAAmB,EAEnB,WAAW,EAEX,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAMpB;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,mBAAmB,CAuC7D;AA0MD;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,mBAAmB,EAC3B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,GACb;IAAE,WAAW,EAAE,WAAW,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAA;CAAE,GAAG,IAAI,CAyCvF"}

package/dist/core/security/config-loader.js

@@ -0,0 +1,227 @@
+/**
+ * Access Control Configuration Loader
+ *
+ * Loads configuration from JSON file specified by QUERY_ACCESS_CONFIG env var.
+ * Validates configuration structure and provides helpful error messages.
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import { logger } from '../logger.js';
+// Environment variable for config file path
+const CONFIG_ENV_VAR = 'QUERY_ACCESS_CONFIG';
+/**
+ * Load and validate access control configuration
+ * @throws Error if config is invalid or missing (restrictive default)
+ */
+export function loadAccessControlConfig() {
+    const configPath = process.env[CONFIG_ENV_VAR];
+    if (!configPath) {
+        throw new Error(`Access control configuration not found. ` +
+            `Set ${CONFIG_ENV_VAR} environment variable to the path of your config file. ` +
+            `Example: ${CONFIG_ENV_VAR}=/path/to/query-access.json`);
+    }
+    // Resolve path (handle relative paths)
+    const resolvedPath = path.resolve(configPath);
+    if (!fs.existsSync(resolvedPath)) {
+        throw new Error(`Access control config file not found at: ${resolvedPath}. ` +
+            `Create the config file or update ${CONFIG_ENV_VAR} to point to the correct location.`);
+    }
+    logger.info(`Loading access control config from: ${resolvedPath}`);
+    let rawConfig;
+    try {
+        const content = fs.readFileSync(resolvedPath, 'utf-8');
+        rawConfig = JSON.parse(content);
+    }
+    catch (error) {
+        throw new Error(`Failed to parse access control config: ${error.message}`);
+    }
+    // Validate and normalize the configuration
+    const config = validateConfig(rawConfig);
+    logger.info(`Access control config loaded: ${Object.keys(config.databases).length} database(s) configured`);
+    return config;
+}
+/**
+ * Validate configuration structure
+ */
+function validateConfig(raw) {
+    if (typeof raw !== 'object' || raw === null) {
+        throw new Error('Access control config must be a JSON object');
+    }
+    // Validate requireExplicitColumns
+    if (typeof raw.requireExplicitColumns !== 'boolean') {
+        throw new Error("Access control config must have 'requireExplicitColumns' (boolean)");
+    }
+    // Validate databases
+    if (typeof raw.databases !== 'object' || raw.databases === null) {
+        throw new Error("Access control config must have 'databases' object");
+    }
+    const databases = {};
+    for (const [dbName, dbConfig] of Object.entries(raw.databases)) {
+        databases[dbName.toUpperCase()] = validateDatabaseConfig(dbName, dbConfig);
+    }
+    return {
+        requireExplicitColumns: raw.requireExplicitColumns,
+        databases,
+    };
+}
+/**
+ * Validate database configuration
+ */
+function validateDatabaseConfig(dbName, raw) {
+    if (typeof raw !== 'object' || raw === null) {
+        throw new Error(`Database config for '${dbName}' must be an object`);
+    }
+    // Error on deprecated columnExclusions format
+    if (raw.columnExclusions) {
+        throw new Error(`Database '${dbName}' uses deprecated 'columnExclusions' format. ` +
+            `Please migrate to 'columnAccess' with { mode: 'exclusion' | 'inclusion', columns: [...] } per table. ` +
+            `See documentation for the new format.`);
+    }
+    const result = {};
+    // Check for schema-level config (full format)
+    if (raw.schemas) {
+        if (typeof raw.schemas !== 'object') {
+            throw new Error(`'schemas' in database '${dbName}' must be an object`);
+        }
+        result.schemas = {};
+        for (const [schemaName, schemaConfig] of Object.entries(raw.schemas)) {
+            result.schemas[schemaName.toLowerCase()] = validateSchemaConfig(dbName, schemaName, schemaConfig);
+        }
+    }
+    // Check for compact format (tables at database level)
+    if (raw.tables) {
+        result.tables = validateTableConfig(dbName, '_default_', raw.tables);
+    }
+    // Must have either schemas or tables
+    if (!result.schemas && !result.tables) {
+        throw new Error(`Database '${dbName}' must have either 'schemas' or 'tables' configuration`);
+    }
+    return result;
+}
+/**
+ * Validate schema configuration
+ */
+function validateSchemaConfig(dbName, schemaName, raw) {
+    if (typeof raw !== 'object' || raw === null) {
+        throw new Error(`Schema config for '${dbName}.${schemaName}' must be an object`);
+    }
+    if (!raw.tables) {
+        throw new Error(`Schema '${dbName}.${schemaName}' must have 'tables' configuration`);
+    }
+    return {
+        tables: validateTableConfig(dbName, schemaName, raw.tables),
+    };
+}
+/**
+ * Validate table configuration
+ */
+function validateTableConfig(dbName, schemaName, raw) {
+    if (typeof raw !== 'object' || raw === null) {
+        throw new Error(`Table config for '${dbName}.${schemaName}' must be an object`);
+    }
+    // Error on deprecated columnExclusions format
+    if (raw.columnExclusions) {
+        throw new Error(`Table config for '${dbName}.${schemaName}' uses deprecated 'columnExclusions' format. ` +
+            `Please migrate to 'columnAccess' with { mode: 'exclusion' | 'inclusion', columns: [...] } per table. ` +
+            `See documentation for the new format.`);
+    }
+    // Validate mode
+    const validModes = ['whitelist', 'blacklist', 'none'];
+    if (!validModes.includes(raw.mode)) {
+        throw new Error(`Table mode for '${dbName}.${schemaName}' must be one of: ${validModes.join(', ')}`);
+    }
+    // Validate list
+    if (!Array.isArray(raw.list)) {
+        throw new Error(`Table list for '${dbName}.${schemaName}' must be an array`);
+    }
+    const list = raw.list.map((t) => {
+        if (typeof t !== 'string') {
+            throw new Error(`Table list for '${dbName}.${schemaName}' must contain only strings`);
+        }
+        return t; // Keep original case for display, but compare case-insensitively
+    });
+    const result = {
+        mode: raw.mode,
+        list,
+    };
+    // Optional column access policies
+    if (raw.columnAccess) {
+        result.columnAccess = validateColumnAccess(`${dbName}.${schemaName}`, raw.columnAccess);
+    }
+    return result;
+}
+/**
+ * Validate column access policies
+ */
+function validateColumnAccess(context, raw) {
+    if (typeof raw !== 'object' || raw === null) {
+        throw new Error(`Column access for '${context}' must be an object`);
+    }
+    const result = {};
+    for (const [tableName, policy] of Object.entries(raw)) {
+        if (typeof policy !== 'object' || policy === null) {
+            throw new Error(`Column access for '${context}.${tableName}' must be an object with 'mode' and 'columns'`);
+        }
+        const p = policy;
+        // Validate mode
+        const validModes = ['inclusion', 'exclusion'];
+        if (!validModes.includes(p.mode)) {
+            throw new Error(`Column access mode for '${context}.${tableName}' must be 'inclusion' or 'exclusion'`);
+        }
+        // Validate columns
+        if (!Array.isArray(p.columns)) {
+            throw new Error(`Column access for '${context}.${tableName}' must have 'columns' array`);
+        }
+        const columns = p.columns.map((c) => {
+            if (typeof c !== 'string') {
+                throw new Error(`Column access for '${context}.${tableName}' columns must contain only strings`);
+            }
+            return c;
+        });
+        result[tableName] = {
+            mode: p.mode,
+            columns,
+        };
+    }
+    return result;
+}
+/**
+ * Get the effective table config for a database/schema combination
+ */
+export function getTableConfigForSchema(config, database, schema) {
+    const dbConfig = config.databases[database.toUpperCase()];
+    if (!dbConfig) {
+        return null;
+    }
+    const schemaLower = schema.toLowerCase();
+    // Check schema-level config first
+    if (dbConfig.schemas) {
+        // Try exact match
+        if (dbConfig.schemas[schemaLower]) {
+            const schemaConfig = dbConfig.schemas[schemaLower];
+            return {
+                tableConfig: schemaConfig.tables,
+                columnAccess: schemaConfig.tables.columnAccess || {},
+            };
+        }
+        // Try wildcard
+        if (dbConfig.schemas['*']) {
+            const schemaConfig = dbConfig.schemas['*'];
+            return {
+                tableConfig: schemaConfig.tables,
+                columnAccess: schemaConfig.tables.columnAccess || {},
+            };
+        }
+        // No matching schema config
+        return null;
+    }
+    // Use compact format (database-level tables config)
+    if (dbConfig.tables) {
+        return {
+            tableConfig: dbConfig.tables,
+            columnAccess: dbConfig.tables.columnAccess || {},
+        };
+    }
+    return null;
+}
+//# sourceMappingURL=config-loader.js.map

package/dist/core/security/config-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-loader.js","sourceRoot":"","sources":["../../../src/core/security/config-loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAQ7B,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAEtC,4CAA4C;AAC5C,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAE7C;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAE/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,0CAA0C;YACxC,OAAO,cAAc,yDAAyD;YAC9E,YAAY,cAAc,6BAA6B,CAC1D,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAE9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,4CAA4C,YAAY,IAAI;YAC1D,oCAAoC,cAAc,oCAAoC,CACzF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,uCAAuC,YAAY,EAAE,CAAC,CAAC;IAEnE,IAAI,SAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACvD,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,0CAA0C,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,2CAA2C;IAC3C,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAEzC,MAAM,CAAC,IAAI,CACT,iCAAiC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,yBAAyB,CAC/F,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAQ;IAC9B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,kCAAkC;IAClC,IAAI,OAAO,GAAG,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IAED,qBAAqB;IACrB,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,SAAS,GAAmC,EAAE,CAAC;IAErD,KAAK,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/D,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,GAAG,sBAAsB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO;QACL,sBAAsB,EAAE,GAAG,CAAC,sBAAsB;QAClD,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,MAAc,EAAE,GAAQ;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,wBAAwB,MAAM,qBAAqB,CAAC,CAAC;IACvE,CAAC;IAED,8CAA8C;IAC9C,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,aAAa,MAAM,+CAA+C;YAChE,uGAAuG;YACvG,uCAAuC,CAC1C,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAmB,EAAE,CAAC;IAElC,8CAA8C;IAC9C,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;QAChB,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,qBAAqB,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,CAAC,OAAO,GAAG,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACrE,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,GAAG,oBAAoB,CAC7D,MAAM,EACN,UAAU,EACV,YAAY,CACb,CAAC;QACJ,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QACf,MAAM,CAAC,MAAM,GAAG,mBAAmB,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACvE,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,aAAa,MAAM,wDAAwD,CAC5E,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,MAAc,EAAE,UAAkB,EAAE,GAAQ;IACxE,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,IAAI,UAAU,qBAAqB,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,WAAW,MAAM,IAAI,UAAU,oCAAoC,CAAC,CAAC;IACvF,CAAC;IAED,OAAO;QACL,MAAM,EAAE,mBAAmB,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,MAAM,CAAC;KAC5D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAAc,EAAE,UAAkB,EAAE,GAAQ;IACvE,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,qBAAqB,MAAM,IAAI,UAAU,qBAAqB,CAAC,CAAC;IAClF,CAAC;IAED,8CAA8C;IAC9C,IAAI,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,IAAI,UAAU,+CAA+C;YACtF,uGAAuG;YACvG,uCAAuC,CAC1C,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,MAAM,UAAU,GAAG,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CACb,mBAAmB,MAAM,IAAI,UAAU,qBAAqB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACpF,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,mBAAmB,MAAM,IAAI,UAAU,oBAAoB,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE;QACnC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,mBAAmB,MAAM,IAAI,UAAU,6BAA6B,CAAC,CAAC;QACxF,CAAC;QACD,OAAO,CAAC,CAAC,CAAC,iEAAiE;IAC7E,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAgB;QAC1B,IAAI,EAAE,GAAG,CAAC,IAA0C;QACpD,IAAI;KACL,CAAC;IAEF,kCAAkC;IAClC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;QACrB,MAAM,CAAC,YAAY,GAAG,oBAAoB,CAAC,GAAG,MAAM,IAAI,UAAU,EAAE,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1F,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,OAAe,EACf,GAAQ;IAER,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,sBAAsB,OAAO,qBAAqB,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,MAAM,GAAuC,EAAE,CAAC;IAEtD,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACtD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACb,sBAAsB,OAAO,IAAI,SAAS,+CAA+C,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,GAAG,MAAa,CAAC;QAExB,gBAAgB;QAChB,MAAM,UAAU,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,2BAA2B,OAAO,IAAI,SAAS,sCAAsC,CACtF,CAAC;QACJ,CAAC;QAED,mBAAmB;QACnB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,sBAAsB,OAAO,IAAI,SAAS,6BAA6B,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE;YACvC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CACb,sBAAsB,OAAO,IAAI,SAAS,qCAAqC,CAChF,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC,GAAG;YAClB,IAAI,EAAE,CAAC,CAAC,IAAiC;YACzC,OAAO;SACR,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAA2B,EAC3B,QAAgB,EAChB,MAAc;IAEd,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEzC,kCAAkC;IAClC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,kBAAkB;QAClB,IAAI,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACnD,OAAO;gBACL,WAAW,EAAE,YAAY,CAAC,MAAM;gBAChC,YAAY,EAAE,YAAY,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE;aACrD,CAAC;QACJ,CAAC;QAED,eAAe;QACf,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC3C,OAAO;gBACL,WAAW,EAAE,YAAY,CAAC,MAAM;gBAChC,YAAY,EAAE,YAAY,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE;aACrD,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oDAAoD;IACpD,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;QACpB,OAAO;YACL,WAAW,EAAE,QAAQ,CAAC,MAAM;YAC5B,YAAY,EAAE,QAAQ,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE;SACjD,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/core/security/types.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Access Control Types for execute_query
+ *
+ * Hierarchical configuration structure:
+ * database → schema → table → column
+ */
+export interface ColumnAccessPolicy {
+    mode: 'inclusion' | 'exclusion';
+    columns: string[];
+}
+export interface TableConfig {
+    mode: 'whitelist' | 'blacklist' | 'none';
+    list: string[];
+    columnAccess?: Record<string, ColumnAccessPolicy>;
+}
+export interface SchemaConfig {
+    tables: TableConfig;
+}
+export interface DatabaseConfig {
+    schemas?: Record<string, SchemaConfig>;
+    tables?: TableConfig;
+}
+export interface AccessControlConfig {
+    requireExplicitColumns: boolean;
+    databases: Record<string, DatabaseConfig>;
+}
+export type ViolationType = 'select_star' | 'table_not_allowed' | 'column_excluded' | 'column_not_allowed' | 'database_not_configured' | 'schema_not_configured';
+export interface AccessViolation {
+    type: ViolationType;
+    message: string;
+    database?: string;
+    schema?: string;
+    table?: string;
+    column?: string;
+}
+export interface AccessValidationResult {
+    allowed: boolean;
+    violations: AccessViolation[];
+}
+export interface QualifiedTableRef {
+    database: string;
+    schema: string;
+    table: string;
+    alias?: string;
+}
+export interface QualifiedColumnRef {
+    database: string;
+    schema: string;
+    table: string;
+    column: string;
+}
+export interface ParsedQueryInfo {
+    tables: QualifiedTableRef[];
+    columns: QualifiedColumnRef[];
+    hasSelectStar: boolean;
+    selectStarTables: string[];
+    aliases: Map<string, QualifiedTableRef>;
+}
+export declare class AccessControlError extends Error {
+    readonly violations: AccessViolation[];
+    constructor(violations: AccessViolation[]);
+}
+export declare function formatAccessViolations(violations: AccessViolation[]): string;
+//# sourceMappingURL=types.d.ts.map

package/dist/core/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/security/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,WAAW,GAAG,WAAW,CAAC;IAChC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAGD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,WAAW,GAAG,WAAW,GAAG,MAAM,CAAC;IACzC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;CACnD;AAGD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,WAAW,CAAC;CACrB;AAGD,MAAM,WAAW,cAAc;IAE7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAEvC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAGD,MAAM,WAAW,mBAAmB;IAClC,sBAAsB,EAAE,OAAO,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAC3C;AAGD,MAAM,MAAM,aAAa,GACrB,aAAa,GACb,mBAAmB,GACnB,iBAAiB,GACjB,oBAAoB,GACpB,yBAAyB,GACzB,uBAAuB,CAAC;AAG5B,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,aAAa,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAGD,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,eAAe,EAAE,CAAC;CAC/B;AAGD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAGD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAGD,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC5B,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAC9B,aAAa,EAAE,OAAO,CAAC;IACvB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;CACzC;AAGD,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,SAAgB,UAAU,EAAE,eAAe,EAAE,CAAC;gBAElC,UAAU,EAAE,eAAe,EAAE;CAM1C;AAGD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,eAAe,EAAE,GAAG,MAAM,CAW5E"}

package/dist/core/security/types.js

@@ -0,0 +1,28 @@
+/**
+ * Access Control Types for execute_query
+ *
+ * Hierarchical configuration structure:
+ * database → schema → table → column
+ */
+// Custom error class for access control violations
+export class AccessControlError extends Error {
+    violations;
+    constructor(violations) {
+        const message = formatAccessViolations(violations);
+        super(message);
+        this.name = 'AccessControlError';
+        this.violations = violations;
+    }
+}
+// Format violations into user-friendly error messages
+export function formatAccessViolations(violations) {
+    if (violations.length === 0) {
+        return 'No access violations';
+    }
+    if (violations.length === 1) {
+        return violations[0].message;
+    }
+    const lines = violations.map((v, i) => `  ${i + 1}. ${v.message}`);
+    return `Multiple access control violations:\n${lines.join('\n')}`;
+}
+//# sourceMappingURL=types.js.map

package/dist/core/security/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/core/security/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAoFH,mDAAmD;AACnD,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3B,UAAU,CAAoB;IAE9C,YAAY,UAA6B;QACvC,MAAM,OAAO,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;QACnD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,sDAAsD;AACtD,MAAM,UAAU,sBAAsB,CAAC,UAA6B;IAClE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,sBAAsB,CAAC;IAChC,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC/B,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IACnE,OAAO,wCAAwC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AACpE,CAAC"}

package/dist/core/sql-parser.d.ts

@@ -0,0 +1,23 @@
+/**
+ * SQL Parser Utility for Access Control
+ *
+ * Uses node-sql-parser to parse SQL and extract:
+ * - Tables (including JOINs, subqueries, CTEs)
+ * - Columns being selected
+ * - SELECT * detection
+ * - Alias resolution
+ */
+import { ParsedQueryInfo } from "./security/types.js";
+/**
+ * Parse a SQL query and extract tables, columns, and SELECT * usage
+ */
+export declare function parseQuery(sql: string, database: string): ParsedQueryInfo;
+/**
+ * Check if a query contains SELECT * or table.*
+ */
+export declare function hasSelectStar(sql: string): boolean;
+/**
+ * Extract table names from a simple SQL query (utility function)
+ */
+export declare function extractTableNames(sql: string): string[];
+//# sourceMappingURL=sql-parser.d.ts.map

package/dist/core/sql-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-parser.d.ts","sourceRoot":"","sources":["../../src/core/sql-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,EACL,eAAe,EAGhB,MAAM,qBAAqB,CAAC;AAM7B;;GAEG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,eAAe,CA4BzE;AAqeD;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAGlD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAsBvD"}