mssql-mcp 2.0.3 → 2.3.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2025 BYMCS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,6 +1,17 @@
-# MS SQL Server MCP Server v2.0.3
+# MS SQL Server MCP Server v2.3.0
 
-🚀 **Smart Trust-Based Model Context Protocol (MCP) server** for Microsoft SQL Server with intelligent auto-connection and AI-friendly design.
+🚀 **Model Context Protocol (MCP) server** for Microsoft SQL Server - compatible with Claude Desktop, Cursor, Windsurf and VS Code.
+
+[![CI](https://github.com/BYMCS/mssql-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/BYMCS/mssql-mcp/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/mssql-mcp.svg)](https://www.npmjs.com/package/mssql-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+## Standards Alignment
+
+- Protocol target: [MCP draft/latest spec](https://modelcontextprotocol.io/specification/draft/server/tools)
+- Transport spec: [Transports](https://modelcontextprotocol.io/specification/draft/basic/transports)
+- Security: [Security best practices](https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices)
+- SDK: `@modelcontextprotocol/sdk` pinned to `1.28.0`
 
 ## 🚀 Quick Start
 
@@ -24,6 +35,7 @@ npm install -g mssql-mcp
         "DB_DATABASE": "your-database",
         "DB_USER": "your-username",
         "DB_PASSWORD": "your-password",
+        "DB_ENCRYPT": "true",
         "DB_TRUST_SERVER_CERTIFICATE": "true"
       }
     }
@@ -43,6 +55,7 @@ npm install -g mssql-mcp
         "DB_DATABASE": "your-database",
         "DB_USER": "your-username",
         "DB_PASSWORD": "your-password",
+        "DB_ENCRYPT": "true",
         "DB_TRUST_SERVER_CERTIFICATE": "true"
       }
     }
@@ -50,87 +63,179 @@ npm install -g mssql-mcp
 }
 ```
 
-> Replace with your actual database credentials. Server auto-connects using these.
+**HTTP transport** (remote/hosted scenarios):
+```json
+{
+  "servers": {
+    "mssql": {
+      "type": "http",
+      "url": "http://127.0.0.1:3001",
+      "env": {}
+    }
+  }
+}
+```
+
+> Replace with your actual database credentials. Credentials are read from the **server environment only** — never passed as tool parameters.
+
+## ��️ Tool Catalog
+
+### Primary tools (use these)
+
+| Tool | Read-only | Description |
+|------|-----------|-------------|
+| `mssql_connect_database` | No | Connect using env variables. Idempotent. |
+| `mssql_disconnect_database` | No | Close connection. Idempotent. |
+| `mssql_connection_status` | ✅ | Connection state and pool metrics |
+| `mssql_run_sql_query` | ⚠️ No | Execute arbitrary SQL. **May mutate data.** |
+| `mssql_list_schema_objects` | ✅ | List tables/views/procedures/functions with pagination |
+| `mssql_describe_table_columns` | ✅ | Column definitions for a table |
+| `mssql_read_table_rows` | ✅ | Paginated rows with projection and safe WHERE |
+| `mssql_execute_stored_procedure` | ⚠️ No | Execute a stored procedure |
+| `mssql_list_databases` | ✅ | List all databases on the instance |
+
+All data tools accept a `response_format` parameter (`"json"` | `"markdown"`, default `"json"`). Use `"markdown"` to get human-readable table output.
+
+### Deprecated aliases (still work for backward compatibility)
+
+| Old name | Use instead |
+|----------|-------------|
+| `connect_database` | `mssql_connect_database` |
+| `disconnect_database` | `mssql_disconnect_database` |
+| `connection_status` | `mssql_connection_status` |
+| `execute_query` | `mssql_run_sql_query` |
+| `run_sql_query` | `mssql_run_sql_query` |
+| `get_schema` | `mssql_list_schema_objects` |
+| `list_schema_objects` | `mssql_list_schema_objects` |
+| `describe_table` | `mssql_describe_table_columns` |
+| `describe_table_columns` | `mssql_describe_table_columns` |
+| `get_table_data` | `mssql_read_table_rows` |
+| `read_table_rows` | `mssql_read_table_rows` |
+| `execute_procedure` | `mssql_execute_stored_procedure` |
+| `execute_stored_procedure` | `mssql_execute_stored_procedure` |
+| `list_databases` | `mssql_list_databases` |
+
+## 🚌 Transport Modes
+
+| Mode | Use when |
+|------|----------|
+| `stdio` (default) | Local IDE integration (Claude Desktop, Cursor, VS Code) |
+| `http` | Remote/hosted deployment, testing with MCP Inspector |
 
-## 🛠️ Available Tools
+```bash
+# stdio (default)
+node dist/src/index.js
 
-| Tool | Description |
-|------|-------------|
-| `execute_query` | Execute any SQL query with parameters |
-| `get_schema` | List database objects (tables, views, procedures) |
-| `describe_table` | Get detailed table structure |
-| `get_table_data` | Retrieve data with pagination |
-| `execute_procedure` | Execute stored procedures |
-| `list_databases` | List all databases |
-| `connection_status` | Check connection state |
-| `connect_database` | Manual connection (rarely needed) |
-| `disconnect_database` | Close connection |
-| `clear_cache` | Clear query cache |
+# HTTP on 127.0.0.1:3001
+MCP_TRANSPORT=http node dist/src/index.js
 
-All tools auto-connect using environment variables.
+# Custom HTTP host/port
+MCP_TRANSPORT=http MCP_HOST=0.0.0.0 MCP_PORT=8080 node dist/src/index.js
+```
 
 ## 🔧 Environment Variables
 
-| Variable | Required | Default |
-|----------|----------|---------|
-| `DB_SERVER` | ✅ | - |
-| `DB_DATABASE` | ✅ | - |
-| `DB_USER` | ✅ | - |
-| `DB_PASSWORD` | ✅ | - |
-| `DB_PORT` | ❌ | 1433 |
-| `DB_TRUST_SERVER_CERTIFICATE` | ❌ | true |
-| `DB_CONNECTION_TIMEOUT` | ❌ | 30000 |
-| `DB_REQUEST_TIMEOUT` | ❌ | 30000 |
+### Database connection
 
-## 🛡️ Security
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `DB_SERVER` | ✅ | — | SQL Server hostname or IP |
+| `DB_DATABASE` | ❌ | — | Database name |
+| `DB_USER` | ❌ | — | Login username |
+| `DB_PASSWORD` | ❌ | — | Login password |
+| `DB_PORT` | ❌ | 1433 | TCP port |
+| `DB_ENCRYPT` | ❌ | true | Enable TLS (required for Azure SQL) |
+| `DB_TRUST_SERVER_CERTIFICATE` | ❌ | false | Trust self-signed certs |
+| `DB_CONNECTION_TIMEOUT` | ❌ | 30000 | Connection timeout ms |
+| `DB_REQUEST_TIMEOUT` | ❌ | 30000 | Query timeout ms |
 
-**✅ Supported:** All database operations (SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP)
+### Transport
 
-**🚨 Blocked:** Server-level operations only (SHUTDOWN, XP_CMDSHELL, RECONFIGURE)
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `MCP_TRANSPORT` | `stdio` | `stdio` or `http` |
+| `MCP_HOST` | `127.0.0.1` | HTTP bind address |
+| `MCP_PORT` | `3001` | HTTP port |
 
-## 🏆 Features
+## 🔒 Security Model
 
-- ✅ **Auto-Connection**: Environment-based, no manual steps
-- ✅ **Complete SQL Support**: All database operations
-- ✅ **No Rate Limiting**: Natural workflow
-- ✅ **Query Caching**: 5-minute TTL for SELECT queries
-- ✅ **Performance Monitoring**: Execution time tracking
-- ✅ **Latest MCP SDK**: v1.20.2 with 2025 protocol
-- ✅ **Clean Logging**: Minimal console output, MCP protocol compatible
+- **No credential parameters**: All connection settings come from environment variables only. Tool inputs cannot override connection config.
+- **Identifier validation**: Schema, table, and procedure names are validated against a safe identifier pattern before interpolation into SQL.
+- **Parameterized queries**: All user-supplied values (WHERE clause values, column values) must be passed as named parameters via `@paramName` — never embedded in query strings.
+- **Origin validation**: HTTP transport validates `Origin` header and only allows localhost by default.
+- **SQL risk labeling**: `run_sql_query` and `execute_stored_procedure` are explicitly labeled as non-read-only and open-world.
 
-## 🔍 Troubleshooting
+### ⚠️ SQL Risk Notes
 
-**❌ Auto-connection failed**
-- Set all required environment variables
-- Verify server accessibility and credentials
-- Check network connectivity
+`run_sql_query` accepts arbitrary SQL including DDL and DML. To minimize risk:
+- Use a least-privilege SQL login (SELECT-only where possible)
+- Never run the server with a `sysadmin` or `sa` account
+- Consider network firewall rules to limit what the server can reach
 
-**❌ SQL Security Alert**
-- Only server operations are blocked
-- Database operations should work normally
+## 📄 Pagination
 
-## 📋 Version History
+All list tools return a `pagination` object:
 
-### v2.0.3 - Latest
-- ✅ Updated documentation with modern styling
-- ✅ Improved troubleshooting section
-- ✅ Enhanced feature descriptions
+```json
+{
+  "count": 20,
+  "limit": 20,
+  "offset": 0,
+  "has_more": true,
+  "next_offset": 20,
+  "total_count": 150
+}
+```
+
+Default page size: **20 rows**. Maximum: **200 rows**.
+
+Results are also truncated if the serialized payload exceeds 100KB, with a `truncation_message` explaining how many rows were dropped.
+
+## 🏗️ Architecture
 
-### v2.0.2 - Performance & Compatibility
-- ✅ Simplified logging for MCP protocol compatibility
-- ✅ All console output moved to stderr
-- ✅ Clean, professional log messages
-- ✅ Version bump to 2.0.2
+```
+src/
+  index.ts          ← bootstrap (env, transport selection)
+  server.ts         ← createServer() factory
+  constants.ts      ← limits, defaults, protocol strings
+  config.ts         ← env parsing
+  types.ts          ← shared TypeScript interfaces
+  db/
+    connection.ts   ← connection pool singleton
+    validators.ts   ← SQL identifier validation
+    query-builders.ts ← safe parameterized query construction
+  tools/            ← one file per tool group
+  resources/        ← MCP resource handlers
+  transports/       ← stdio and HTTP transports
+  utils/
+    errors.ts       ← error normalization helpers
+    format.ts       ← JSON formatting, payload truncation
+    markdown.ts     ← markdown table/list rendering helpers
+    pagination.ts   ← pagination metadata helpers
+```
 
-## 📄 License
+## 🧪 Inspector Smoke Test
 
-MIT License
+```bash
+npx @modelcontextprotocol/inspector
+```
 
-## 🆘 Support
+Expected:
+- stdio server connects
+- Tool list renders with all tools
+- `mssql_connection_status` returns JSON without a connection
+- `mssql_connect_database` works when env variables are set
 
-- **Issues**: [GitHub Issues](https://github.com/BYMCS/mssql-mcp/issues)
-- **Repository**: [BYMCS/mssql-mcp](https://github.com/BYMCS/mssql-mcp)
+## 🔨 Development
+
+```bash
+npm install
+npm run typecheck   # type check only
+npm run build       # compile TypeScript
+npm test            # run unit tests
+npm run ci          # typecheck + build + test
+```
 
----
+## License
 
-**🎉 v2.0.3: Enhanced documentation and user experience**
+[MIT](LICENSE) © BYMCS

package/dist/src/config.d.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+import type { DatabaseConfig } from "./types.js";
+export declare const ConfigSchema: z.ZodObject<{
+    server: z.ZodString;
+    database: z.ZodOptional<z.ZodString>;
+    user: z.ZodOptional<z.ZodString>;
+    password: z.ZodOptional<z.ZodString>;
+    port: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    encrypt: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    trustServerCertificate: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    connectionTimeout: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    requestTimeout: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+}, "strip", z.ZodTypeAny, {
+    server: string;
+    port: number;
+    encrypt: boolean;
+    trustServerCertificate: boolean;
+    connectionTimeout: number;
+    requestTimeout: number;
+    database?: string | undefined;
+    user?: string | undefined;
+    password?: string | undefined;
+}, {
+    server: string;
+    database?: string | undefined;
+    port?: number | undefined;
+    user?: string | undefined;
+    password?: string | undefined;
+    encrypt?: boolean | undefined;
+    trustServerCertificate?: boolean | undefined;
+    connectionTimeout?: number | undefined;
+    requestTimeout?: number | undefined;
+}>;
+export declare function loadConfigFromEnv(): DatabaseConfig;
+export interface HttpConfig {
+    host: string;
+    port: number;
+}
+export declare function loadHttpConfig(): HttpConfig;

package/dist/src/config.js

@@ -0,0 +1,37 @@
+import { z } from "zod";
+import { DEFAULT_PORT, DEFAULT_ENCRYPT, DEFAULT_TRUST_SERVER_CERTIFICATE, DEFAULT_CONNECTION_TIMEOUT, DEFAULT_REQUEST_TIMEOUT, } from "./constants.js";
+export const ConfigSchema = z.object({
+    server: z.string().min(1, "Server address is required"),
+    database: z.string().optional(),
+    user: z.string().optional(),
+    password: z.string().optional(),
+    port: z.number().int().min(1).max(65535).optional().default(DEFAULT_PORT),
+    encrypt: z.boolean().optional().default(DEFAULT_ENCRYPT),
+    trustServerCertificate: z.boolean().optional().default(DEFAULT_TRUST_SERVER_CERTIFICATE),
+    connectionTimeout: z.number().int().min(1000).max(60000).optional().default(DEFAULT_CONNECTION_TIMEOUT),
+    requestTimeout: z.number().int().min(1000).max(300000).optional().default(DEFAULT_REQUEST_TIMEOUT),
+});
+export function loadConfigFromEnv() {
+    const raw = {
+        server: process.env.DB_SERVER,
+        database: process.env.DB_DATABASE,
+        user: process.env.DB_USER,
+        password: process.env.DB_PASSWORD,
+        port: process.env.DB_PORT ? parseInt(process.env.DB_PORT, 10) : DEFAULT_PORT,
+        encrypt: process.env.DB_ENCRYPT !== "false",
+        trustServerCertificate: process.env.DB_TRUST_SERVER_CERTIFICATE === "true",
+        connectionTimeout: process.env.DB_CONNECTION_TIMEOUT
+            ? parseInt(process.env.DB_CONNECTION_TIMEOUT, 10)
+            : DEFAULT_CONNECTION_TIMEOUT,
+        requestTimeout: process.env.DB_REQUEST_TIMEOUT
+            ? parseInt(process.env.DB_REQUEST_TIMEOUT, 10)
+            : DEFAULT_REQUEST_TIMEOUT,
+    };
+    return ConfigSchema.parse(raw);
+}
+export function loadHttpConfig() {
+    return {
+        host: process.env.MCP_HOST ?? "127.0.0.1",
+        port: process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3001,
+    };
+}

package/dist/src/constants.d.ts

@@ -0,0 +1,15 @@
+export declare const SERVER_NAME = "mssql-mcp-server";
+export declare const SERVER_VERSION = "2.3.0";
+export declare const DEFAULT_PORT = 1433;
+export declare const DEFAULT_ENCRYPT = true;
+export declare const DEFAULT_TRUST_SERVER_CERTIFICATE = false;
+export declare const DEFAULT_CONNECTION_TIMEOUT = 30000;
+export declare const DEFAULT_REQUEST_TIMEOUT = 30000;
+export declare const POOL_MAX = 10;
+export declare const POOL_MIN = 0;
+export declare const POOL_IDLE_TIMEOUT_MS = 30000;
+export declare const DEFAULT_PAGE_SIZE = 20;
+export declare const MAX_PAGE_SIZE = 200;
+export declare const MAX_TEXT_PAYLOAD_BYTES = 100000;
+export declare const HTTP_DEFAULT_HOST = "127.0.0.1";
+export declare const HTTP_DEFAULT_PORT = 3001;

package/dist/src/constants.js

@@ -0,0 +1,15 @@
+export const SERVER_NAME = "mssql-mcp-server";
+export const SERVER_VERSION = "2.3.0";
+export const DEFAULT_PORT = 1433;
+export const DEFAULT_ENCRYPT = true;
+export const DEFAULT_TRUST_SERVER_CERTIFICATE = false;
+export const DEFAULT_CONNECTION_TIMEOUT = 30000;
+export const DEFAULT_REQUEST_TIMEOUT = 30000;
+export const POOL_MAX = 10;
+export const POOL_MIN = 0;
+export const POOL_IDLE_TIMEOUT_MS = 30000;
+export const DEFAULT_PAGE_SIZE = 20;
+export const MAX_PAGE_SIZE = 200;
+export const MAX_TEXT_PAYLOAD_BYTES = 100_000;
+export const HTTP_DEFAULT_HOST = "127.0.0.1";
+export const HTTP_DEFAULT_PORT = 3001;

package/dist/src/db/connection.d.ts

@@ -0,0 +1,8 @@
+import sql from "mssql";
+import type { DatabaseConfig, ConnectionState } from "../types.js";
+export declare function connectPool(config: DatabaseConfig): Promise<void>;
+export declare function disconnectPool(): Promise<void>;
+export declare function getPool(): sql.ConnectionPool | null;
+export declare function requirePool(): sql.ConnectionPool;
+export declare function getConnectionState(): ConnectionState;
+export declare function closePoolOnShutdown(): Promise<void>;

package/dist/src/db/connection.js

@@ -0,0 +1,80 @@
+import sql from "mssql";
+import { POOL_MAX, POOL_MIN, POOL_IDLE_TIMEOUT_MS } from "../constants.js";
+let pool = null;
+let currentConfig = null;
+export async function connectPool(config) {
+    if (pool) {
+        console.error("Closing existing connection...");
+        await pool.close();
+        pool = null;
+    }
+    console.error(`Connecting to ${config.server}:${config.port}`);
+    const newPool = new sql.ConnectionPool({
+        server: config.server,
+        database: config.database,
+        user: config.user,
+        password: config.password,
+        port: config.port,
+        options: {
+            encrypt: config.encrypt,
+            trustServerCertificate: config.trustServerCertificate,
+            enableArithAbort: true,
+        },
+        connectionTimeout: config.connectionTimeout,
+        requestTimeout: config.requestTimeout,
+        pool: { max: POOL_MAX, min: POOL_MIN, idleTimeoutMillis: POOL_IDLE_TIMEOUT_MS },
+    });
+    newPool.on("error", (err) => {
+        console.error("Pool error:", err);
+    });
+    try {
+        await newPool.connect();
+        pool = newPool;
+        currentConfig = config;
+        console.error(`Connected to ${config.server}${config.database ? `/${config.database}` : ""}`);
+    }
+    catch (err) {
+        try {
+            await newPool.close();
+        }
+        catch { /* ignore */ }
+        throw err;
+    }
+}
+export async function disconnectPool() {
+    if (pool) {
+        await pool.close();
+        pool = null;
+        currentConfig = null;
+    }
+}
+export function getPool() {
+    return pool;
+}
+export function requirePool() {
+    if (!pool?.connected) {
+        throw new Error("No active database connection. Use connect_database first.");
+    }
+    return pool;
+}
+export function getConnectionState() {
+    return {
+        connected: pool?.connected ?? false,
+        config: currentConfig
+            ? { server: currentConfig.server, database: currentConfig.database, port: currentConfig.port }
+            : null,
+        pool_info: pool
+            ? { size: pool.size, available: pool.available, pending: pool.pending, borrowed: pool.borrowed }
+            : null,
+    };
+}
+export async function closePoolOnShutdown() {
+    if (pool) {
+        try {
+            await pool.close();
+        }
+        catch { /* ignore */ }
+        pool = null;
+        currentConfig = null;
+    }
+}

package/dist/src/db/query-builders.d.ts

@@ -0,0 +1,3 @@
+export declare function buildSelectQuery(schemaName: string, tableName: string, columns: string[] | null, orderBy: string | null, offset: number, limit: number): string;
+export declare function buildSelectWithWhereQuery(schemaName: string, tableName: string, columns: string[] | null, whereClause: string, orderBy: string | null, offset: number, limit: number): string;
+export declare function buildSchemaObjectsQuery(objectType: "tables" | "views" | "procedures" | "functions" | "all", schemaName?: string): string;

package/dist/src/db/query-builders.js

@@ -0,0 +1,58 @@
+import { bracketIdentifier } from "./validators.js";
+export function buildSelectQuery(schemaName, tableName, columns, orderBy, offset, limit) {
+    const safeSchema = bracketIdentifier(schemaName);
+    const safeTable = bracketIdentifier(tableName);
+    const projection = columns && columns.length > 0 ? columns.map(bracketIdentifier).join(", ") : "*";
+    const order = orderBy ?? "(SELECT NULL)";
+    return (`SELECT ${projection} FROM ${safeSchema}.${safeTable}` +
+        ` ORDER BY ${order}` +
+        ` OFFSET ${offset} ROWS FETCH NEXT ${limit} ROWS ONLY`);
+}
+export function buildSelectWithWhereQuery(schemaName, tableName, columns, whereClause, orderBy, offset, limit) {
+    const safeSchema = bracketIdentifier(schemaName);
+    const safeTable = bracketIdentifier(tableName);
+    const projection = columns && columns.length > 0 ? columns.map(bracketIdentifier).join(", ") : "*";
+    const order = orderBy ?? "(SELECT NULL)";
+    return (`SELECT ${projection} FROM ${safeSchema}.${safeTable}` +
+        ` WHERE ${whereClause}` +
+        ` ORDER BY ${order}` +
+        ` OFFSET ${offset} ROWS FETCH NEXT ${limit} ROWS ONLY`);
+}
+export function buildSchemaObjectsQuery(objectType, schemaName) {
+    const parts = [];
+    const schemaFilter = schemaName ? "TABLE_SCHEMA = @schemaName" : null;
+    const routineSchemaFilter = schemaName ? "ROUTINE_SCHEMA = @schemaName" : null;
+    if (objectType === "tables" || objectType === "all") {
+        parts.push(`
+      SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE, 'table' as OBJECT_TYPE
+      FROM INFORMATION_SCHEMA.TABLES
+      ${schemaFilter ? `WHERE ${schemaFilter}` : ""}
+    `);
+    }
+    if (objectType === "views" || objectType === "all") {
+        parts.push(`
+      SELECT TABLE_SCHEMA, TABLE_NAME, 'VIEW' as TABLE_TYPE, 'view' as OBJECT_TYPE
+      FROM INFORMATION_SCHEMA.VIEWS
+      ${schemaFilter ? `WHERE ${schemaFilter}` : ""}
+    `);
+    }
+    if (objectType === "procedures" || objectType === "all") {
+        parts.push(`
+      SELECT ROUTINE_SCHEMA as TABLE_SCHEMA, ROUTINE_NAME as TABLE_NAME,
+             'PROCEDURE' as TABLE_TYPE, 'procedure' as OBJECT_TYPE
+      FROM INFORMATION_SCHEMA.ROUTINES
+      WHERE ROUTINE_TYPE = 'PROCEDURE'
+      ${routineSchemaFilter ? `AND ${routineSchemaFilter}` : ""}
+    `);
+    }
+    if (objectType === "functions" || objectType === "all") {
+        parts.push(`
+      SELECT ROUTINE_SCHEMA as TABLE_SCHEMA, ROUTINE_NAME as TABLE_NAME,
+             'FUNCTION' as TABLE_TYPE, 'function' as OBJECT_TYPE
+      FROM INFORMATION_SCHEMA.ROUTINES
+      WHERE ROUTINE_TYPE = 'FUNCTION'
+      ${routineSchemaFilter ? `AND ${routineSchemaFilter}` : ""}
+    `);
+    }
+    return parts.join(" UNION ALL ") + " ORDER BY TABLE_SCHEMA, TABLE_NAME";
+}

package/dist/src/db/validators.d.ts

@@ -0,0 +1,5 @@
+export declare const SAFE_IDENTIFIER_RE: RegExp;
+export declare function isValidIdentifier(name: string): boolean;
+export declare function validateIdentifier(name: string, label: string): string;
+export declare function bracketIdentifier(name: string): string;
+export declare function validateOrderBy(orderBy: string): string;

package/dist/src/db/validators.js

@@ -0,0 +1,25 @@
+// Safe SQL identifier validation.
+// Only validates identifier names (schema, table, procedure) — never user values.
+// User values must always be passed as mssql parameters, never interpolated.
+export const SAFE_IDENTIFIER_RE = /^[a-zA-Z_][a-zA-Z0-9_$#@]{0,127}$/;
+export function isValidIdentifier(name) {
+    return SAFE_IDENTIFIER_RE.test(name);
+}
+export function validateIdentifier(name, label) {
+    if (!isValidIdentifier(name)) {
+        throw new Error(`Invalid ${label} "${name}". Identifiers must start with a letter or underscore and contain only letters, digits, underscores, $, #, @.`);
+    }
+    return name;
+}
+export function bracketIdentifier(name) {
+    validateIdentifier(name, "identifier");
+    return `[${name}]`;
+}
+// ORDER BY: allows column names (optionally bracketed), dotted refs, ASC/DESC
+const ORDER_BY_RE = /^(\[?[a-zA-Z_][a-zA-Z0-9_$#@.]*\]?(\s+(ASC|DESC))?)((\s*,\s*)\[?[a-zA-Z_][a-zA-Z0-9_$#@.]*\]?(\s+(ASC|DESC))?)*$/i;
+export function validateOrderBy(orderBy) {
+    if (!ORDER_BY_RE.test(orderBy.trim())) {
+        throw new Error("Invalid ORDER BY clause. Only column names, commas, and ASC/DESC direction keywords are allowed.");
+    }
+    return orderBy.trim();
+}

package/dist/src/index.js

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+import dotenv from "dotenv";
+import { createServer } from "./server.js";
+import { runStdioTransport } from "./transports/stdio.js";
+import { runHttpTransport } from "./transports/http.js";
+import { loadHttpConfig } from "./config.js";
+import { SERVER_VERSION } from "./constants.js";
+dotenv.config();
+async function main() {
+    const transport = process.env.MCP_TRANSPORT ?? "stdio";
+    const server = createServer();
+    if (transport === "http") {
+        const httpConfig = loadHttpConfig();
+        console.error(`MSSQL MCP Server v${SERVER_VERSION} starting (HTTP mode)...`);
+        await runHttpTransport(server, httpConfig);
+    }
+    else {
+        console.error(`MSSQL MCP Server v${SERVER_VERSION} starting (stdio mode)...`);
+        await runStdioTransport(server);
+        console.error("Server ready.");
+    }
+}
+main().catch((err) => {
+    console.error("Fatal startup error:", err);
+    process.exit(1);
+});

package/dist/src/resources/connection.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerConnectionResource(server: McpServer): void;

package/dist/src/resources/connection.js

@@ -0,0 +1,19 @@
+import { getConnectionState } from "../db/connection.js";
+export function registerConnectionResource(server) {
+    server.registerResource("connection-info", "mssql://connection/info", {
+        title: "Connection Info",
+        description: "Current MSSQL connection status and configuration (no credentials exposed).",
+        mimeType: "application/json",
+    }, async () => {
+        const state = getConnectionState();
+        return {
+            contents: [
+                {
+                    uri: "mssql://connection/info",
+                    text: JSON.stringify(state, null, 2),
+                    mimeType: "application/json",
+                },
+            ],
+        };
+    });
+}

package/dist/src/resources/metadata.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare function registerMetadataResources(server: McpServer): void;