@zlash65/postgres-ssh-mcp 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Zarrar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,161 @@
+# PostgreSQL MCP Server with SSH Tunneling
+
+MCP server for PostgreSQL with built-in SSH tunnel support. Connects through bastion hosts automatically—no manual `ssh -L` needed.
+
+## Tools
+
+- **execute_query** - Run SQL queries with parameters. Results capped at `MAX_ROWS`.
+- **explain_query** - Get the execution plan for a query.
+- **list_schemas** - List database schemas.
+- **list_tables** - List tables with row counts and sizes.
+- **describe_table** - Show columns, indexes, and constraints.
+- **list_databases** - List all databases on the server.
+- **get_connection_status** - Check pool and tunnel health.
+- **get_database_version** - PostgreSQL version string.
+- **get_database_size** - Database size and largest tables.
+- **get_table_stats** - Vacuum times, sequential scans, row estimates.
+- **list_active_connections** - Current sessions from `pg_stat_activity`.
+- **list_long_running_queries** - Queries exceeding a time threshold.
+
+Read-only mode is enabled by default. It blocks `INSERT`, `UPDATE`, `DELETE`, and DDL statements.
+
+## Configuration
+
+Set environment variables directly or use a `.env` file. See `.env.example` for all options.
+
+**Database connection:**
+
+```
+DATABASE_URI=postgresql://user:password@localhost:5432/mydb
+```
+
+Or use individual variables: `DATABASE_HOST`, `DATABASE_PORT`, `DATABASE_NAME`, `DATABASE_USER`, `DATABASE_PASSWORD`.
+
+**SSL:** Set `DATABASE_SSL=true` to force SSL, `false` to disable, or leave unset for auto-detection.
+
+**SSH tunnel:**
+
+```
+SSH_ENABLED=true
+SSH_HOST=bastion.example.com
+SSH_USER=ubuntu
+SSH_PRIVATE_KEY_PATH=~/.ssh/id_rsa
+```
+
+Host keys are verified against `~/.ssh/known_hosts`. If you get an unknown host error:
+
+```bash
+ssh-keyscan -H bastion.example.com >> ~/.ssh/known_hosts
+```
+
+**Server options:**
+
+```
+READ_ONLY=true       # default, blocks writes
+QUERY_TIMEOUT=30000  # ms
+MAX_ROWS=1000        # per query
+```
+
+## Usage with Claude Desktop
+
+Add to `claude_desktop_config.json`:
+
+- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- Windows: `%APPDATA%/Claude/claude_desktop_config.json`
+
+**Direct connection:**
+
+```json
+{
+  "mcpServers": {
+    "postgres": {
+      "command": "node",
+      "args": ["/path/to/postgres-ssh-mcp/dist/index.js"],
+      "env": {
+        "DATABASE_URI": "postgresql://user:password@localhost:5432/mydb"
+      }
+    }
+  }
+}
+```
+
+**With SSH tunnel:**
+
+```json
+{
+  "mcpServers": {
+    "postgres": {
+      "command": "node",
+      "args": ["/path/to/postgres-ssh-mcp/dist/index.js"],
+      "env": {
+        "DATABASE_URI": "postgresql://user:password@db.internal:5432/mydb",
+        "SSH_ENABLED": "true",
+        "SSH_HOST": "bastion.example.com",
+        "SSH_USER": "ubuntu",
+        "SSH_PRIVATE_KEY_PATH": "~/.ssh/id_rsa"
+      }
+    }
+  }
+}
+```
+
+### Docker
+
+```json
+{
+  "mcpServers": {
+    "postgres": {
+      "command": "docker",
+      "args": ["run", "-i", "--rm", "-e", "DATABASE_URI", "postgres-ssh-mcp"],
+      "env": {
+        "DATABASE_URI": "postgresql://user:password@host.docker.internal:5432/mydb"
+      }
+    }
+  }
+}
+```
+
+Use `host.docker.internal` instead of `localhost` to reach the host machine.
+
+## Usage with VS Code
+
+Add to your settings JSON or create `.vscode/mcp.json` in your workspace:
+
+```json
+{
+  "mcp": {
+    "servers": {
+      "postgres": {
+        "command": "node",
+        "args": ["/path/to/postgres-ssh-mcp/dist/index.js"],
+        "env": {
+          "DATABASE_URI": "postgresql://user:password@localhost:5432/mydb"
+        }
+      }
+    }
+  }
+}
+```
+
+## Building
+
+```bash
+npm install
+npm run build
+```
+
+Docker:
+
+```bash
+docker build -t postgres-ssh-mcp .
+```
+
+## Development
+
+```bash
+npm test              # all tests
+npm run test:unit     # unit tests only
+npm run test:docker   # full integration with SSH
+
+npm run lint
+```

package/dist/config.d.ts

@@ -0,0 +1,3 @@
+import type { ParsedConfig } from './types.js';
+export declare function parseConfig(): ParsedConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAIV,YAAY,EACb,MAAM,YAAY,CAAC;AAwGpB,wBAAgB,WAAW,IAAI,YAAY,CA+C1C"}

package/dist/config.js

@@ -0,0 +1,122 @@
+import { parse as parseConnectionString } from 'pg-connection-string';
+function requireEnv(name) {
+    const value = process.env[name];
+    if (!value) {
+        throw new Error(`Missing required environment variable: ${name}`);
+    }
+    return value;
+}
+function parseDatabaseConfig() {
+    const uri = process.env.DATABASE_URI;
+    if (uri) {
+        if (uri.includes('sslmode=')) {
+            console.error('[Config] Warning: sslmode in DATABASE_URI is ignored. Use DATABASE_SSL env var instead.');
+        }
+        const parsed = parseConnectionString(uri);
+        if (!parsed.host) {
+            throw new Error('DATABASE_URI missing host');
+        }
+        if (!parsed.database) {
+            throw new Error('DATABASE_URI missing database name');
+        }
+        if (!parsed.user) {
+            throw new Error('DATABASE_URI missing user');
+        }
+        return {
+            host: parsed.host,
+            port: parsed.port ? parseInt(parsed.port, 10) : 5432,
+            database: parsed.database,
+            user: parsed.user,
+            password: parsed.password || '',
+        };
+    }
+    return {
+        host: requireEnv('DATABASE_HOST'),
+        port: parseInt(process.env.DATABASE_PORT || '5432', 10),
+        database: requireEnv('DATABASE_NAME'),
+        user: requireEnv('DATABASE_USER'),
+        password: requireEnv('DATABASE_PASSWORD'),
+    };
+}
+function parseSSLPreference() {
+    const sslEnv = process.env.DATABASE_SSL?.toLowerCase();
+    return {
+        explicit: sslEnv === 'true' ? 'true' : sslEnv === 'false' ? 'false' : null,
+        ca: process.env.DATABASE_SSL_CA,
+        rejectUnauthorized: process.env.DATABASE_SSL_REJECT_UNAUTHORIZED !== 'false',
+    };
+}
+function parseSSHConfig() {
+    if (process.env.SSH_ENABLED !== 'true') {
+        return undefined;
+    }
+    const privateKeyPath = process.env.SSH_PRIVATE_KEY_PATH;
+    const password = process.env.SSH_PASSWORD;
+    if (!privateKeyPath && !password) {
+        throw new Error('SSH_ENABLED is true but no authentication method provided. ' +
+            'Set either SSH_PRIVATE_KEY_PATH or SSH_PASSWORD.');
+    }
+    const port = parseInt(process.env.SSH_PORT || '22', 10);
+    if (isNaN(port) || port < 1 || port > 65535) {
+        throw new Error('SSH_PORT must be a number between 1 and 65535');
+    }
+    const keepaliveInterval = parseInt(process.env.SSH_KEEPALIVE_INTERVAL || '10000', 10);
+    if (isNaN(keepaliveInterval) || keepaliveInterval < 1) {
+        throw new Error('SSH_KEEPALIVE_INTERVAL must be a positive number (minimum 1ms)');
+    }
+    return {
+        host: requireEnv('SSH_HOST'),
+        port,
+        username: requireEnv('SSH_USER'),
+        privateKeyPath,
+        privateKeyPassphrase: process.env.SSH_PRIVATE_KEY_PASSPHRASE,
+        password,
+        strictHostKey: process.env.SSH_STRICT_HOST_KEY !== 'false',
+        knownHostsPath: process.env.SSH_KNOWN_HOSTS_PATH,
+        keepaliveInterval,
+    };
+}
+export function parseConfig() {
+    const database = parseDatabaseConfig();
+    const sslPreference = parseSSLPreference();
+    const ssh = parseSSHConfig();
+    const readOnly = process.env.READ_ONLY !== 'false';
+    const queryTimeout = parseInt(process.env.QUERY_TIMEOUT || '30000', 10);
+    const maxRows = parseInt(process.env.MAX_ROWS || '1000', 10);
+    if (isNaN(queryTimeout) || queryTimeout < 0) {
+        throw new Error('QUERY_TIMEOUT must be a positive number');
+    }
+    if (isNaN(maxRows) || maxRows < 1) {
+        throw new Error('MAX_ROWS must be a positive number');
+    }
+    if (database.port < 1 || database.port > 65535) {
+        throw new Error('DATABASE_PORT must be between 1 and 65535');
+    }
+    console.error('[Config] Database:', {
+        host: database.host,
+        port: database.port,
+        database: database.database,
+        user: database.user,
+    });
+    console.error('[Config] Mode:', readOnly ? 'read-only' : 'read-write');
+    console.error('[Config] Max rows:', maxRows);
+    console.error('[Config] Query timeout:', queryTimeout, 'ms');
+    if (ssh) {
+        console.error('[Config] SSH tunnel enabled:', {
+            host: ssh.host,
+            port: ssh.port,
+            username: ssh.username,
+            authMethod: ssh.privateKeyPath ? 'key' : 'password',
+            strictHostKey: ssh.strictHostKey,
+        });
+    }
+    return {
+        database,
+        sslPreference,
+        ssh,
+        readOnly,
+        queryTimeout,
+        maxRows,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,IAAI,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAQtE,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,mBAAmB;IAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAErC,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CACX,yFAAyF,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAE1C,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO;YACL,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI;YACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;SAChC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC;QACjC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,MAAM,EAAE,EAAE,CAAC;QACvD,QAAQ,EAAE,UAAU,CAAC,eAAe,CAAC;QACrC,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC;QACjC,QAAQ,EAAE,UAAU,CAAC,mBAAmB,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,CAAC;IAEvD,OAAO;QACL,QAAQ,EACN,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QAClE,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;QAC/B,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,gCAAgC,KAAK,OAAO;KAC7E,CAAC;AACJ,CAAC;AAED,SAAS,cAAc;IACrB,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACxD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAE1C,IAAI,CAAC,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,6DAA6D;YAC3D,kDAAkD,CACrD,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;IACxD,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,iBAAiB,GAAG,QAAQ,CAChC,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,EAC7C,EAAE,CACH,CAAC;IACF,IAAI,KAAK,CAAC,iBAAiB,CAAC,IAAI,iBAAiB,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,UAAU,CAAC,UAAU,CAAC;QAC5B,IAAI;QACJ,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;QAChC,cAAc;QACd,oBAAoB,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B;QAC5D,QAAQ;QACR,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,OAAO;QAC1D,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChD,iBAAiB;KAClB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAC;IACvC,MAAM,aAAa,GAAG,kBAAkB,EAAE,CAAC;IAC3C,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAE7B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,KAAK,OAAO,CAAC;IACnD,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IAE7D,IAAI,KAAK,CAAC,YAAY,CAAC,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC,IAAI,GAAG,KAAK,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE;QAClC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;KACpB,CAAC,CAAC;IACH,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;IACvE,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,OAAO,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;IAE7D,IAAI,GAAG,EAAE,CAAC;QACR,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE;YAC5C,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,UAAU,EAAE,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU;YACnD,aAAa,EAAE,GAAG,CAAC,aAAa;SACjC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,QAAQ;QACR,aAAa;QACb,GAAG;QACH,QAAQ;QACR,YAAY;QACZ,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/connection/host-key-verifier.d.ts

@@ -0,0 +1,13 @@
+import type { HostKeyVerificationResult } from '../types.js';
+export declare class HostKeyVerifier {
+    private knownHosts;
+    private knownHostsPath;
+    constructor(knownHostsPath?: string);
+    private loadKnownHosts;
+    private normalizeHostname;
+    private hashHostname;
+    private hostnameMatches;
+    private findKnownKeys;
+    verifyHostKey(hostname: string, port: number, keyType: string, publicKey: Buffer): HostKeyVerificationResult;
+}
+//# sourceMappingURL=host-key-verifier.d.ts.map

package/dist/connection/host-key-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-key-verifier.d.ts","sourceRoot":"","sources":["../../src/connection/host-key-verifier.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAa,yBAAyB,EAAE,MAAM,aAAa,CAAC;AAExE,qBAAa,eAAe;IAC1B,OAAO,CAAC,UAAU,CAAuC;IACzD,OAAO,CAAC,cAAc,CAAS;gBAEnB,cAAc,CAAC,EAAE,MAAM;IAMnC,OAAO,CAAC,cAAc;IAkDtB,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,YAAY;IAMpB,OAAO,CAAC,eAAe;IAevB,OAAO,CAAC,aAAa;IAYrB,aAAa,CACX,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,yBAAyB;CA6C7B"}

package/dist/connection/host-key-verifier.js

@@ -0,0 +1,127 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import * as crypto from 'crypto';
+export class HostKeyVerifier {
+    knownHosts = new Map();
+    knownHostsPath;
+    constructor(knownHostsPath) {
+        this.knownHostsPath =
+            knownHostsPath || path.join(os.homedir(), '.ssh', 'known_hosts');
+        this.loadKnownHosts();
+    }
+    loadKnownHosts() {
+        try {
+            if (!fs.existsSync(this.knownHostsPath)) {
+                console.error(`[SSH] Warning: known_hosts file not found at ${this.knownHostsPath}`);
+                return;
+            }
+            const content = fs.readFileSync(this.knownHostsPath, 'utf8');
+            const lines = content.split('\n');
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith('#'))
+                    continue;
+                if (trimmed.startsWith('@')) {
+                    console.error(`[SSH] Skipping known_hosts marker line: ${trimmed.slice(0, 50)}...`);
+                    continue;
+                }
+                const parts = trimmed.split(/\s+/);
+                if (parts.length < 3)
+                    continue;
+                const [hostnames, keyType, publicKey] = parts;
+                const hosts = hostnames.split(',');
+                for (const host of hosts) {
+                    const normalizedHost = this.normalizeHostname(host);
+                    if (!this.knownHosts.has(normalizedHost)) {
+                        this.knownHosts.set(normalizedHost, []);
+                    }
+                    this.knownHosts.get(normalizedHost).push({
+                        hostname: normalizedHost,
+                        keyType,
+                        publicKey,
+                    });
+                }
+            }
+            console.error(`[SSH] Loaded ${this.knownHosts.size} known hosts from ${this.knownHostsPath}`);
+        }
+        catch (error) {
+            console.error(`[SSH] Error loading known_hosts: ${error}`);
+        }
+    }
+    normalizeHostname(hostname) {
+        const match = hostname.match(/^\[([^\]]+)\]:(\d+)$/);
+        if (match) {
+            const port = parseInt(match[2], 10);
+            if (port === 22)
+                return match[1];
+            return hostname;
+        }
+        return hostname;
+    }
+    hashHostname(hostname, salt) {
+        const hmac = crypto.createHmac('sha1', salt);
+        hmac.update(hostname);
+        return hmac.digest('base64');
+    }
+    hostnameMatches(entry, hostname) {
+        if (!entry.startsWith('|1|')) {
+            return entry === hostname;
+        }
+        const parts = entry.split('|');
+        if (parts.length !== 4)
+            return false;
+        const salt = Buffer.from(parts[2], 'base64');
+        const storedHash = parts[3];
+        const computedHash = this.hashHostname(hostname, salt);
+        return computedHash === storedHash;
+    }
+    findKnownKeys(hostname) {
+        const results = [];
+        for (const [entryHostname, keys] of this.knownHosts.entries()) {
+            if (this.hostnameMatches(entryHostname, hostname)) {
+                results.push(...keys);
+            }
+        }
+        return results;
+    }
+    verifyHostKey(hostname, port, keyType, publicKey) {
+        const lookupKeys = port === 22 ? [hostname] : [`[${hostname}]:${port}`, hostname];
+        let knownKeys = [];
+        for (const lookupKey of lookupKeys) {
+            knownKeys = this.findKnownKeys(lookupKey);
+            if (knownKeys.length > 0)
+                break;
+        }
+        if (knownKeys.length === 0) {
+            const displayHost = port === 22 ? hostname : `[${hostname}]:${port}`;
+            return {
+                verified: false,
+                reason: `UNKNOWN HOST: '${displayHost}' not found in known_hosts.\n` +
+                    `To add it, run: ssh-keyscan -H ${hostname} >> ~/.ssh/known_hosts\n` +
+                    `Then restart the MCP server.`,
+            };
+        }
+        const serverKeyBase64 = publicKey.toString('base64');
+        for (const known of knownKeys) {
+            if (known.keyType === keyType && known.publicKey === serverKeyBase64) {
+                return {
+                    verified: true,
+                    reason: 'Host key verified against known_hosts',
+                };
+            }
+        }
+        const displayHost = port === 22 ? hostname : `[${hostname}]:${port}`;
+        return {
+            verified: false,
+            reason: `HOST KEY MISMATCH for '${displayHost}'!\n` +
+                `Server presented: ${keyType}\n` +
+                `This could indicate a man-in-the-middle attack.\n` +
+                `If the server was legitimately re-keyed, remove the old entry:\n` +
+                `  ssh-keygen -R ${hostname}\n` +
+                `Then add the new key:\n` +
+                `  ssh-keyscan -H ${hostname} >> ~/.ssh/known_hosts`,
+        };
+    }
+}
+//# sourceMappingURL=host-key-verifier.js.map

package/dist/connection/host-key-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"host-key-verifier.js","sourceRoot":"","sources":["../../src/connection/host-key-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAGjC,MAAM,OAAO,eAAe;IAClB,UAAU,GAA6B,IAAI,GAAG,EAAE,CAAC;IACjD,cAAc,CAAS;IAE/B,YAAY,cAAuB;QACjC,IAAI,CAAC,cAAc;YACjB,cAAc,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC;QACnE,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,CAAC;IAEO,cAAc;QACpB,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;gBACxC,OAAO,CAAC,KAAK,CACX,gDAAgD,IAAI,CAAC,cAAc,EAAE,CACtE,CAAC;gBACF,OAAO;YACT,CAAC;YAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;YAC7D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAElC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAElD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC5B,OAAO,CAAC,KAAK,CAAC,2CAA2C,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACpF,SAAS;gBACX,CAAC;gBAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACnC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;oBAAE,SAAS;gBAE/B,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;gBAE9C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACnC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;oBAEpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;wBACzC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;oBAC1C,CAAC;oBAED,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,cAAc,CAAE,CAAC,IAAI,CAAC;wBACxC,QAAQ,EAAE,cAAc;wBACxB,OAAO;wBACP,SAAS;qBACV,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,CAAC,KAAK,CACX,gBAAgB,IAAI,CAAC,UAAU,CAAC,IAAI,qBAAqB,IAAI,CAAC,cAAc,EAAE,CAC/E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,oCAAoC,KAAK,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,QAAgB;QACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACrD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACpC,IAAI,IAAI,KAAK,EAAE;gBAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;YACjC,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,YAAY,CAAC,QAAgB,EAAE,IAAY;QACjD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAEO,eAAe,CAAC,KAAa,EAAE,QAAgB;QACrD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,KAAK,KAAK,QAAQ,CAAC;QAC5B,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAErC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAEvD,OAAO,YAAY,KAAK,UAAU,CAAC;IACrC,CAAC;IAEO,aAAa,CAAC,QAAgB;QACpC,MAAM,OAAO,GAAgB,EAAE,CAAC;QAEhC,KAAK,MAAM,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YAC9D,IAAI,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,QAAQ,CAAC,EAAE,CAAC;gBAClD,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,aAAa,CACX,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,SAAiB;QAEjB,MAAM,UAAU,GACd,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,KAAK,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC;QAEjE,IAAI,SAAS,GAAgB,EAAE,CAAC;QAChC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;gBAAE,MAAM;QAClC,CAAC;QAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,WAAW,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACrE,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,MAAM,EACJ,kBAAkB,WAAW,+BAA+B;oBAC5D,kCAAkC,QAAQ,0BAA0B;oBACpE,8BAA8B;aACjC,CAAC;QACJ,CAAC;QAED,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAErD,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;YAC9B,IAAI,KAAK,CAAC,OAAO,KAAK,OAAO,IAAI,KAAK,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;gBACrE,OAAO;oBACL,QAAQ,EAAE,IAAI;oBACd,MAAM,EAAE,uCAAuC;iBAChD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACrE,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,MAAM,EACJ,0BAA0B,WAAW,MAAM;gBAC3C,qBAAqB,OAAO,IAAI;gBAChC,mDAAmD;gBACnD,kEAAkE;gBAClE,mBAAmB,QAAQ,IAAI;gBAC/B,yBAAyB;gBACzB,oBAAoB,QAAQ,wBAAwB;SACvD,CAAC;IACJ,CAAC;CACF"}

package/dist/connection/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Connection module exports
+ */
+export { ConnectionManager } from './postgres-pool.js';
+export { SSHTunnelManager } from './ssh-tunnel.js';
+export { HostKeyVerifier } from './host-key-verifier.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/connection/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/connection/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/connection/index.js

@@ -0,0 +1,7 @@
+/**
+ * Connection module exports
+ */
+export { ConnectionManager } from './postgres-pool.js';
+export { SSHTunnelManager } from './ssh-tunnel.js';
+export { HostKeyVerifier } from './host-key-verifier.js';
+//# sourceMappingURL=index.js.map

package/dist/connection/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/connection/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/connection/postgres-pool.d.ts

@@ -0,0 +1,23 @@
+import type { ParsedConfig, ConnectionStatus, QueryResultWithMeta } from '../types.js';
+export declare class ConnectionManager {
+    private pool;
+    private tunnelManager;
+    private config;
+    private isInitialized;
+    private isReconnecting;
+    private currentLocalPort;
+    private sslEnabled;
+    constructor(config: ParsedConfig);
+    initialize(): Promise<void>;
+    private resolveSSLConfig;
+    private createPool;
+    private recreatePool;
+    executeQuery(sql: string, params?: unknown[]): Promise<QueryResultWithMeta>;
+    private executeReadOnlyQuery;
+    private executeWriteQuery;
+    private executeQueryWithLimit;
+    private shouldUseCursorLimiting;
+    getStatus(): ConnectionStatus;
+    close(): Promise<void>;
+}
+//# sourceMappingURL=postgres-pool.d.ts.map

package/dist/connection/postgres-pool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgres-pool.d.ts","sourceRoot":"","sources":["../../src/connection/postgres-pool.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EACV,YAAY,EAEZ,gBAAgB,EAChB,mBAAmB,EAEpB,MAAM,aAAa,CAAC;AAErB,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,IAAI,CAAqB;IACjC,OAAO,CAAC,aAAa,CAAiC;IACtD,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,gBAAgB,CAAuB;IAC/C,OAAO,CAAC,UAAU,CAAS;gBAEf,MAAM,EAAE,YAAY;IAI1B,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA4CjC,OAAO,CAAC,gBAAgB;YAoCV,UAAU;YAyCV,YAAY;IAyBpB,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE,OAAO,EAAE,GACjB,OAAO,CAAC,mBAAmB,CAAC;YAgBjB,oBAAoB;YA8CpB,iBAAiB;YAwCjB,qBAAqB;IAkDnC,OAAO,CAAC,uBAAuB;IAsC/B,SAAS,IAAI,gBAAgB;IAuBvB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAgB7B"}