# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.7.11] - 2025-09-11
### Changed
- Package renamed to scoped npm package: `@egarcia74/warp-sql-server-mcp`.
- Added `publishConfig.access = public` to support public scoped publishing.
### Notes
- The previous unscoped package `warp-sql-server-mcp` remains available temporarily. It will be deprecated in favor of the scoped package after validation.
## [1.7.7] - 2025-09-10
### Hotfix - Logging & Connection Handling
- **Mock Winston Before Import**: Ensured that Winston is mocked before importing it in the codebase to prevent unexpected behavior during testing and runtime.
- **Connection Management**: Addressed a bug in the `getConnection` method to handle cases where the connection pool is exhausted and improve compatibility with non-standard pool implementations. Enhanced error handling for better robustness.
- **Result Formatting**: Added validation in the `formatResults` method to ensure the `result` parameter is not null or undefined, throwing a clear error message when necessary.
## [1.7.6] - 2025-09-09
### Hotfix - API Consistency & Usability
- **Removed connect() Tool**: The dedicated database connection verification tool was removed for API consistency and to avoid redundant manual connection management. Connection is now always handled automatically by the MCP server. Use `get_connection_health` for status and diagnostics.
### Other changes
- See 1.7.5 for previous infrastructure and error handling improvements.
- **🧪 Enhanced Testing Framework**: Comprehensive test suite improvements
- **Unit Test Coverage**: New comprehensive unit tests for main server (test/unit/index.test.js)
- **Protocol Testing**: Simplified MCP protocol startup validation (test/protocol/mcp-server-startup-test.js)
- **Mocking Integration**: Enhanced Vitest integration for reliable test isolation with corrected mock targets
- **Test Summary Reporting**: New test summary script for better CI/CD feedback
- **Verbose Protocol Testing**: Added verbose mode for detailed JSON response debugging (`VERBOSE=1`)
- **Clean Test Output**: Suppressed ReDoS security warnings during testing while preserving production functionality
- **🛠️ Code Quality Improvements**: Enhanced code structure and maintainability
- **ESLint Compliance**: Fixed all ESLint issues for better code quality
- **Constructor Standardization**: Updated analyzer constructors with proper ConnectionManager integration
- **Import Cleanup**: Removed unused imports and optimized module loading
- **Method Signature Updates**: Standardized method signatures across analysis modules
### Enhanced - Infrastructure & Development Workflow
- **🚀 VS Code Integration**: Added comprehensive VS Code workspace configuration
- **Optimized Workspace Settings**: Multi-root workspace with intelligent project navigation
- **GitHub Copilot Integration**: Project-specific instructions referencing WARP.md knowledge base
- **Task Automation**: Pre-configured VS Code tasks for build, test, and development workflows
- **Apple Silicon Docker Support**: Intelligent platform detection for SQL Server containers
- **📊 Enhanced Logging System**: Improved getServerInfo with detailed system information
- **Comprehensive Server Details**: Enhanced server information reporting with system metrics
- **Development Environment Detection**: Smart environment detection based on NODE_ENV
- **Performance Monitoring**: Detailed logging throughout the system for better observability
- **🐳 Docker Testing Infrastructure**: Complete Docker-based testing framework
- **Platform-Specific Optimization**: Apple Silicon SQL Server container support with intelligent fallback
- **Stress Testing Framework**: Comprehensive Docker environment stress testing capabilities
- **Clean Testing Environment**: Automated Docker container lifecycle management for testing
- **📋 Process Improvement**: Added continuous improvement sections to development checklists
- **Self-Improving Workflows**: Both commit and push checklists now include maintenance sections
- **Learning Documentation**: Process reflection checks encourage capturing lessons learned
- **Quality Evolution**: Checklists evolve based on real developer experiences
### Added - Documentation & Testing
- **📚 Comprehensive Documentation Updates**: Corrected npm script references throughout documentation
- **Accurate Script References**: Fixed outdated `npm run test:*` commands in all documentation
- **Markdown Quality**: Resolved linting issues and improved documentation structure
- **Cross-Reference Validation**: Verified all documentation links and script references
- **🧪 Testing Infrastructure Enhancements**: Enhanced testing capabilities and documentation
- **Apple Silicon Compatibility**: Docker testing with platform-specific optimizations
- **Comprehensive Test Coverage**: 465 unit tests, 40 integration tests, 20 protocol tests
- **Performance Validation**: Integration performance testing framework
### Fixed - Quality & Compatibility
- **🔧 Environment Detection**: Replaced non-existent `_isDevelopmentEnvironment` method with proper `NODE_ENV` check
- **📝 Markdown Linting**: Fixed line length and formatting issues across documentation
- **🔗 Link Validation**: Ensured all internal documentation links are valid and accessible
## [1.7.4] - 2025-09-04
### Enhanced - Documentation System & Configuration Management
- **📖 Centralized Environment Variables Documentation**: Created comprehensive ENV-VARS.md reference
- **Single Source of Truth**: Complete reference for all 33+ environment variables with defaults, descriptions, and examples
- **Context-Aware SSL Documentation**: Detailed explanation of smart SSL certificate trust behavior for development vs production
- **Security Configuration Examples**: Clear examples for Maximum Security, Data Analysis, and Full Development modes
- **Cross-Referenced Documentation**: Updated all docs to reference ENV-VARS.md instead of duplicating variable details
- **Enhanced User Experience**: Progressive disclosure - basic setup with links to comprehensive configuration when needed
- **🔧 Clean Configuration Files**: Overhauled .env.example and warp-mcp-config.json for better usability
- **Smart Defaults Approach**: Variables using defaults are commented out but documented with their default values
- **Required Variables Highlighted**: Only essential connection settings (HOST, PORT, DATABASE, USER, PASSWORD) uncommented
- **SSL Auto-Detection Explained**: Clear documentation of development vs production environment detection
- **CLI Tool Integration**: warp-mcp-config.json prominently features recommended CLI tool setup method
- **Security Configuration Examples**: Well-organized sections showing different security levels with warnings
- **📋 Comprehensive MCP Tools Documentation Updates**: Fixed inconsistencies and completed tool listings
- **Complete 16-Tool Inventory**: Both quickstart guides now show all available MCP tools including get_server_info
- **Consistent Tool Lists**: QUICKSTART.md and QUICKSTART-VSCODE.md have identical, comprehensive tool listings
- **Organized Categories**: Tools grouped into Database Operations (8 tools) and Performance & Monitoring (8 tools)
- **Central Documentation References**: Both guides link to complete MCP Tools Reference for detailed API documentation
- **Natural Language Support**: VS Code guide shows both natural language commands and technical tool names
### Added - Developer Experience Enhancements
- **📋 Git Workflow Checklists**: Added comprehensive pre-commit and pre-push validation checklists
- **Git Commit Checklist** (`docs/GIT-COMMIT-CHECKLIST.md`): Reflects actual pre-commit hook behavior
- Documents automated checks: ESLint --fix, Prettier --write, Markdownlint --fix, npm test
- Includes conventional commits format with examples
- Manual verification steps for security and change review
- Generic, reusable guidelines for any feature development
- **Git Push Checklist** (`docs/GIT-PUSH-CHECKLIST.md`): Comprehensive pre-push validation guide
- Documents automated pre-push checks: full test suite, coverage, security audit, linting, format check, link check
- Advanced push guidance with troubleshooting for common failures
- Force push safety guidelines and pull request creation process
- Post-push validation steps and CI/CD monitoring
- **Documentation Index**: Added both checklists to `docs/README.md` DevOps & Automation section
### Changed - Documentation Organization
- **🗂️ File Organization Improvements**: Moved development documentation to appropriate locations
- **Moved GIT-COMMIT-CHECKLIST.md** from root to `docs/` directory for better organization
- **Updated .npmignore**: Removed explicit reference since `docs/` directory is excluded by default
- **Enhanced README.md**: Added Git checklists to Developer Resources section
- **Cleaner Project Root**: Reduces clutter while maintaining accessibility to developers
- **NPM Package Optimization**: Files automatically excluded from npm packages via docs/ exclusion
### Security - Dependency Updates
- **🔒 Security Updates**: Updated multiple dependencies for security and compatibility
- **dotenv**: Updated from 17.2.1 to 17.2.2 (security patch)
- **@modelcontextprotocol/sdk**: Updated from 0.7.0 to 1.17.5 (major compatibility update)
- **@eslint-community/eslint-utils**: Updated for security improvements
- **All updates**: Validated through comprehensive test suite with 100% success rate
## [1.7.3] - 2025-01-03
### Added - New MCP Tool: Server Information and Diagnostics
- **🔍 get_server_info Tool**: Added comprehensive server diagnostics and configuration visibility
- **Server Status**: Real-time server information (name, version, uptime, platform, Node.js version)
- **Configuration Overview**: Complete configuration summary including connection, security, performance, and logging settings
- **Security Level Display**: Human-readable security level descriptions ("MAXIMUM (Read-Only)", "MEDIUM (DML Allowed)", "MINIMAL (Full Access)")
- **Runtime Statistics**: Performance metrics, connection health, memory usage, and process information
- **MCP-Compatible**: Accessible through Warp MCP interface with structured JSON responses
- **Optional Log Context**: Include recent logging information when requested
- **Troubleshooting Ready**: Perfect for diagnosing configuration issues and server health
### Enhanced - Comprehensive Logging System Overhaul
- **📝 File-Based Logging**: Complete logging system with structured file output
- **Main Application Logs**: Configurable via `LOG_FILE` environment variable
- **Security Audit Logs**: Dedicated security event logging via `SECURITY_LOG_FILE`
- **Winston Integration**: Professional logging with timestamps, metadata, and log levels
- **Development & Production**: Works in all environments when file paths are specified
- **Structured JSON**: Machine-readable logs with complete query context and performance data
- **🛡️ Enhanced Security Audit Logging**: Comprehensive security event tracking
- **Query Blocking Events**: Detailed logs when queries are blocked by security policies
- **Policy Violation Details**: Full query text, violation reason, and security classification
- **Severity Assessment**: Automatic severity level assignment (LOW, MEDIUM, HIGH, CRITICAL)
- **Forensic Ready**: Complete audit trail with precise timestamps and context
- **Compliance Support**: SOX, GDPR, HIPAA-ready logging for regulatory requirements
- **⚡ Performance and Query Logging**: Advanced query execution tracking
- **Execution Metrics**: Query duration, row counts, database context, and tool attribution
- **Security Context**: Security level classification for each query execution
- **Error Logging**: Complete error details with stack traces for debugging
- **Tool Attribution**: Track which MCP tool executed each query for usage analytics
### Fixed - Configuration Loading and Logging
- **🔧 Configuration Reload System**: Fixed configuration caching issues
- **Dynamic Reloading**: ServerConfig now properly reloads environment variables
- **Singleton Refresh**: Added reload mechanism to ensure latest configuration values
- **Environment Priority**: Proper handling of environment variable precedence
- **Development Experience**: Configuration changes take effect without full restarts
- **📊 MCP Log Visibility**: Resolved logging visibility issues in MCP environments
- **File Path Configuration**: Logger now properly uses LOG_FILE and SECURITY_LOG_FILE environment variables
- **Console Fallback**: Graceful fallback to console logging when file paths not specified
- **MCP Compatibility**: Logs visible in both file-based systems and MCP protocol streams
- **Debug Enhancement**: Added debug-level logging for troubleshooting configuration issues
### Added - Development Automation Enhancement
- **🔧 Enhanced Backlog Management Scripts**: Fixed issue creation and link management
- **Duplicate Prevention**: Improved issue existence checking in `create-backlog-issues.sh`
- **Safer Issue Creation**: Added robust title pattern matching for better duplicate detection
- **Cleaner Code**: Removed duplicate code blocks and simplified script logic
- **User Feedback**: Enhanced status messages with emoji indicators
- **Script Reliability**: Fixed error handling and process management
- **Development Experience**: Better debugging output and error messages
### Added - New Feature: Environment Configuration Detection
- **⚡ New Backlog Feature**: Added automatic environment configuration detection system
- **Pool Size Optimization**: Intelligent connection pool size recommendations
- **Security Level Analysis**: Automatic security setting suggestions
- **SSL/TLS Configuration**: Detection and validation of encryption settings
- **Timeout Optimization**: Performance-based timeout adjustments
- **Added to Phase 2**: Scheduled for Q1 2026 implementation
- **Created Issue**: [#57](https://github.com/egarcia74/warp-sql-server-mcp/issues/57)
## [1.7.2] - 2025-09-03
### ⚡ Performance - Query Validation Enhancement
- **🚀 Full Destruction Mode Optimization**: Added intelligent query validation bypass
- **Zero-Overhead Mode**: Complete validation bypass when all safety restrictions are disabled
- **Smart Detection**: Automatically activates in unrestricted environments
- **Performance Impact**: Eliminates AST parsing overhead for maximum throughput
- **Safety Preserved**: Full validation remains active when any restrictions enabled
- **Compatibility**: 100% backward compatible with existing configurations
- **Production Ready**: Validated through comprehensive performance test suite
### 🐛 Fixed - Configuration Logging
- **🔧 Resolved Configuration Display Corruption**: Fixed critical bug where configuration logging was fragmented and repeated
- **Root Cause**: Multiple line-by-line `console.error` calls during startup causing interleaved output
- **Impact**: Clean, professional configuration display with proper formatting and visual sections
- **Solution**: Consolidated configuration logging into single batched output call
- **Result**: One cohesive configuration block with proper emoji sections and no repeated lines
- **Production Ready**: Configuration output now appears professional and production-ready
- **MCP Protocol**: Eliminates log interference with MCP protocol communication during handshake
### 🚀 Performance - Query Validation Optimization
- **⚡ Full Destruction Mode Optimization**: Revolutionary performance improvement for unrestricted environments
- **Smart Validation Bypass**: When all safety restrictions are disabled (`SQL_SERVER_READ_ONLY=false`, `SQL_SERVER_ALLOW_DESTRUCTIVE_OPERATIONS=true`, `SQL_SERVER_ALLOW_SCHEMA_CHANGES=true`), query validation is completely bypassed
- **Eliminated AST Parsing Overhead**: Skips expensive `node-sql-parser` AST analysis for unrestricted queries
- **Performance Gains**: Immediate query approval with `optimized: true` flag for monitoring
- **Preserved Security Boundaries**: Validation still applies when any restrictions are enabled
- **Zero Breaking Changes**: Existing security configurations continue to work as expected
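The following is an added example, not the project's validator or logger. It illustrates two entries at once: the security-level gating with the "full destruction mode" bypass described above, and the structured audit record for blocked queries described under 1.7.3 (query text, violation reason, classification, severity). The environment variable names and the level labels ("MAXIMUM (Read-Only)", "MEDIUM (DML Allowed)", "MINIMAL (Full Access)") come from this changelog; the function names, the keyword-based statement classifier (a stand-in for the AST parser) and the severity mapping are assumptions.

```javascript
// Added example, not the project's code. Env var names and level labels are
// from the changelog; helper names, classifier and severity mapping are assumed.

const READ_TYPES = new Set(['SELECT', 'WITH']);
const DML_TYPES = new Set(['INSERT', 'UPDATE', 'DELETE', 'MERGE']);
const DDL_TYPES = new Set(['CREATE', 'ALTER', 'DROP', 'TRUNCATE']);

// Secure defaults: read-only, no destructive DML, no schema changes.
function loadSecurityConfig(env) {
  const flag = (name, dflt) =>
    env[name] === undefined ? dflt : String(env[name]).trim().toLowerCase() === 'true';
  return {
    readOnly: flag('SQL_SERVER_READ_ONLY', true),
    allowDestructive: flag('SQL_SERVER_ALLOW_DESTRUCTIVE_OPERATIONS', false),
    allowSchemaChanges: flag('SQL_SERVER_ALLOW_SCHEMA_CHANGES', false)
  };
}

// The bypass triggers only when every restriction is off; any single
// restriction keeps full validation in the path.
function isUnrestricted(cfg) {
  return !cfg.readOnly && cfg.allowDestructive && cfg.allowSchemaChanges;
}

function describeLevel(cfg) {
  if (cfg.readOnly) return 'MAXIMUM (Read-Only)';
  if (isUnrestricted(cfg)) return 'MINIMAL (Full Access)';
  return 'MEDIUM (DML Allowed)';
}

// Assumed simplification: classify by leading keyword instead of an AST.
function classify(sql) {
  const m = /^\s*([A-Za-z]+)/.exec(sql);
  const kw = m ? m[1].toUpperCase() : '';
  if (READ_TYPES.has(kw)) return 'READ';
  if (DML_TYPES.has(kw)) return 'DML';
  if (DDL_TYPES.has(kw)) return 'DDL';
  return 'UNKNOWN';
}

// Assumed severity mapping for blocked statements.
function severityFor(sql, type) {
  if (type === 'DDL') return /^\s*(DROP|TRUNCATE)\b/i.test(sql) ? 'CRITICAL' : 'HIGH';
  if (type === 'DML') return 'MEDIUM';
  return 'LOW';
}

function validateQuery(sql, cfg) {
  if (isUnrestricted(cfg)) {
    // Zero-overhead path: nothing is parsed; the flag lets monitoring see it.
    return { allowed: true, optimized: true, type: null, reason: null, severity: null };
  }
  const type = classify(sql);
  let reason = null;
  if (type === 'UNKNOWN') reason = 'unrecognised statement type';
  else if (type !== 'READ' && cfg.readOnly) reason = 'read-only mode';
  else if (type === 'DML' && !cfg.allowDestructive) reason = 'destructive operations disabled';
  else if (type === 'DDL' && !cfg.allowSchemaChanges) reason = 'schema changes disabled';
  if (reason === null) return { allowed: true, optimized: false, type, reason: null, severity: null };
  return { allowed: false, optimized: false, type, reason, severity: severityFor(sql, type) };
}

// One structured audit record per blocked query (written as a JSON line).
function auditRecord(sql, verdict, cfg, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    event: 'QUERY_BLOCKED',
    severity: verdict.severity,
    classification: verdict.type,
    reason: verdict.reason,
    securityLevel: describeLevel(cfg),
    query: sql
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const cfg = loadSecurityConfig(process.env);
  const sql = 'DROP TABLE Orders'; // constructed sample statement
  const verdict = validateQuery(sql, cfg);
  if (verdict.allowed) console.log(JSON.stringify(verdict));
  else console.error(JSON.stringify(auditRecord(sql, verdict, cfg)));
}
```

Note the asymmetry a reviewer should look for: the fast path is reachable only when all three switches are explicitly set to their permissive values, so a deployment that leaves any of them at its default never loses validation, and every block still produces a record with the full query text for later investigation.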
### 🐛 Fixed - DDL Query Validation Bug
- **🔧 Resolved DDL Parsing Inconsistencies**: Fixed critical bug where complex DDL operations were incorrectly blocked
- **Root Cause**: AST parsing was inconsistently validating DDL statements even when `SQL_SERVER_ALLOW_SCHEMA_CHANGES=true`
- **Impact**: Complex CREATE TABLE, ALTER TABLE, DROP TABLE, CREATE INDEX operations now work reliably
- **Edge Cases Fixed**: Multi-line DDL, constraints, defaults, foreign keys, stored procedures, triggers
- **Validation Logic**: Improved query type detection and security boundary enforcement
### ✅ Enhanced - Enterprise DDL Support
- **🏗️ Complete DDL Operation Support**: All SQL Server DDL operations now fully functional
- **CREATE Operations**: Tables, indexes, views, stored procedures, functions, triggers
- **ALTER Operations**: Table modifications, column additions/changes
- **DROP Operations**: Complete object removal capabilities
- **Complex DDL**: Multi-line statements, constraints, foreign keys, defaults
- **Advanced Features**: User-defined functions, triggers, audit tables
### 🧪 Validated - Advanced SQL Server Features
- **📊 Comprehensive Feature Testing**: Extensive validation of enterprise SQL Server capabilities
- **Window Functions**: ROW_NUMBER, DENSE_RANK, LAG, LEAD, PERCENT_RANK
- **Common Table Expressions (CTEs)**: Multi-level CTEs with complex aggregations
- **MERGE Statements**: Complete upsert operations with WHEN MATCHED/NOT MATCHED
- **PIVOT Operations**: Dynamic data pivoting with aggregation
- **JSON Functions**: JSON_VALUE for data extraction from JSON columns
- **Table Variables**: DECLARE @table syntax with INSERT/SELECT operations
- **Transaction Management**: BEGIN/COMMIT/ROLLBACK with error handling
- **Bulk Operations**: Multi-row INSERT statements with VALUES clause
- **Unicode Support**: Full emoji and special character support in results
### ⚡ Added - Enhanced Performance Testing Infrastructure
- **🚀 Improved Performance Test Suite**: Complete overhaul of manual performance testing capabilities
- `test/manual/improved-performance-test.js` - New primary performance test with persistent MCP process
- **Persistent MCP Server**: Single long-running process eliminates connection delays and startup overhead
- **Concurrent Query Testing**: Built-in support for concurrent queries with proper listener management
- **Comprehensive Metrics**: Response time analysis with min/avg/median/95th/99th percentile reporting
- **Error Handling**: Robust error handling with detailed failure analysis and recovery
- **Performance Benchmarks**: Reliable performance validation with 100% success rate
- **ESLint Compliant**: All code passes linting with proper variable handling
- **📊 Enhanced Performance Test Documentation**:
- `docs/MANUAL-PERFORMANCE-TESTING.md` - Complete guide to performance testing methodology
- `docs/TESTING-GUIDE.md` - Comprehensive overview of all test categories and usage
- **Performance Benchmarks**: Expected response times (50-500ms) and success rates (100%)
- **Test Comparison**: Clear guidance on when to use each performance test
- **Troubleshooting Guide**: Debug commands and common issue resolution
- **🔗 Warp Integration Performance Test**: Specialized test for Warp MCP server validation
- `test/manual/warp-mcp-performance-test.js` - Tests against running Warp MCP instances
- **Real Integration Testing**: Validates production Warp setup and performance
- **95% Threshold Validation**: Specific testing for connection pool threshold fixes
- **Comprehensive Reporting**: Detailed performance analysis with success rate assessment
- **📝 Updated Documentation & Commands**:
- Updated `WARP.md` with new performance test commands (`npm run test:manual:performance`)
- Enhanced `README.md` references to improved performance testing capabilities
- **Help System**: New help script with comprehensive command documentation
- **npm Scripts**: Dedicated commands for different performance test scenarios
### 🔧 Fixed - Code Quality
- **ESLint Compliance**: Resolved all unused variable errors across performance test files
- **Markdown Linting**: Fixed code block language specification issues
- **Code Quality**: All performance tests now pass pre-commit hooks and validation
## [1.7.1] - 2025-01-02
### 🛠️ Infrastructure & Documentation Fixes Release
This patch release resolves critical infrastructure issues and enhances system reliability.
### 🛡️ Security
- **Fixed CodeQL Security Alerts**: Resolved 5 critical security vulnerabilities identified by CodeQL analysis
- **GitHub Actions Token Permissions**: Added explicit least-privilege token permissions to all workflow jobs
- `release.yml`: Added `contents: read` to `check-changes` job, corrected `release` job permissions
- Enhanced security posture with minimal required permissions for each operation
- **CLI File System Race Condition (TOCTOU)**: Eliminated Time-of-Check Time-of-Use vulnerability in config file creation
- Replaced `fs.existsSync()` + `fs.writeFileSync()` pattern with atomic `O_CREAT | O_EXCL` flags
- Added comprehensive comments explaining security rationale and CVE prevention
- Implemented proper error handling for concurrent file creation scenarios
- Set secure file permissions (0o600) atomically during file creation
### 🔧 Fixed
- **Documentation Generation Pipeline**: Resolved CI/CD documentation extraction failures
- Fixed `scripts/docs/extract-docs.js` to work with new modular tool registry architecture
- Updated extraction logic to parse tools from `lib/tools/tool-registry.js` instead of legacy `index.js`
- Correctly extracts all 15 MCP tools from modular arrays (`DATABASE_TOOLS`, `DATA_TOOLS`, etc.)
- Resolved "Could not find tools array in index.js" error in GitHub Actions workflow
- **Tool Registry Compatibility**: Enhanced documentation pipeline to support architectural refactoring
- Added support for extracting tools from multiple tool arrays
- Maintained backward compatibility with existing documentation format
- Ensured all tool metadata and examples are properly generated
### 🧪 Testing
- **Enhanced Security Testing**: Added comprehensive CLI security test suite
- Race condition testing with concurrent process spawning to verify atomic file operations
- File permission validation ensuring restrictive access (owner read/write only)
- Graceful handling verification for existing configuration files
- CLI help system functionality testing
### 🔒 Security Hardening
- **Workflow Security Enhancements**: All GitHub Actions workflows now follow security best practices
- Explicit token permissions defined for each job based on principle of least privilege
- Reduced attack surface by limiting unnecessary permissions
- Enhanced supply chain security through proper permission scoping
- **CLI Security Improvements**: Configuration file handling now immune to race condition attacks
- Atomic file operations prevent security vulnerabilities in multi-process environments
- Secure-by-default file permissions prevent unauthorized access to database credentials
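As an added illustration of the least-privilege token permissions described above for `release.yml` (the `contents: read` grant on `check-changes` and the corrected `release` permissions), the workflow skeleton below is example configuration, not the project's actual file. The job names follow the changelog; the steps, outputs and the `<full-commit-sha>` placeholder are illustrative.

```yaml
# Added example, not the project's release.yml. Job names follow the changelog;
# steps, outputs and the SHA placeholder are illustrative.
name: release

on:
  push:
    branches: [main]

# Workflow-level default: grant the GITHUB_TOKEN nothing. Without an explicit
# permissions block a job inherits the repository default, which can be
# read/write on every scope.
permissions: {}

jobs:
  check-changes:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # reading the tree is all this job does
    outputs:
      changed: ${{ steps.diff.outputs.changed }}
    steps:
      # Pin third-party actions to a full commit SHA (placeholder below), not a tag.
      - uses: actions/checkout@<full-commit-sha>
      - id: diff
        run: echo "changed=true" >> "$GITHUB_OUTPUT"

  release:
    needs: check-changes
    if: needs.check-changes.outputs.changed == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write           # required to create the tag and GitHub release
      # no packages:, id-token: or pull-requests: unless a step actually uses them
    steps:
      - uses: actions/checkout@<full-commit-sha>
      - run: npm ci && npm test
```

The useful habit is the empty workflow-level `permissions: {}` followed by per-job grants: a job that later gains a step needing a new scope fails visibly until that scope is added, rather than silently running with inherited write access.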
## [1.7.0] - 2025-09-02
### 🎨 Enhanced Configuration Display & Secure Defaults Release
This release introduces a comprehensive visual configuration display system with emoji-enhanced sections,
secure-by-default configuration, and fixes SSL certificate validation logic for improved security and user experience.
### 🏗️ Major Architectural Refactoring
- **Modular Architecture Implementation**: Complete restructuring of the monolithic `index.js` (from 2,307 lines) into focused, maintainable modules
- `lib/config/server-config.js` - Configuration management and environment variable handling
- `lib/database/connection-manager.js` - Database connection logic with retry mechanisms
- `lib/tools/handlers/base-handler.js` - Base handler for tool implementations
- `lib/tools/handlers/database-tools.js` - Database operation tool handlers
- `lib/tools/tool-registry.js` - Centralized tool registration and management
- Improved separation of concerns and single responsibility principle
- Enhanced testability with isolated, mockable components
- Better maintainability and team collaboration capabilities
### 🔒 Enhanced Security Features
- **Pre-push Security Auditing**: Added comprehensive security audit checks to git hooks
- `npm run security:audit` - New script for standalone security auditing using `npm audit --audit-level=high`
- Updated pre-push hook to include security vulnerability scanning
- Updated CI pipeline (`npm run ci`) to include security auditing
- Updated `npm run prepush` to include security audit checks
- Automatic vulnerability detection before code is pushed to repository
- Clear error messages and fix guidance when vulnerabilities are detected
### 🧪 Enhanced Testing Infrastructure
- **Modular Test Architecture**: Restructured test suite to align with new modular architecture
- Enhanced `mcp-security.test.js` with comprehensive safety mechanism testing
- Updated `mcp-shared-fixtures.js` with improved test data and mock configurations
- Integration tests for new architectural components
- Comprehensive unit tests for individual modules
- Better test isolation and focused testing capabilities
### 🎨 Enhanced Configuration Display & User Experience
- **Visual Configuration Enhancements**:
- **Emoji-Enhanced Configuration Display**: Added visual section headers with intuitive emojis (🌐, 🔒, ⚡, 📊, 📝)
- **Enhanced Security Indicators**: Visual security status with lock/unlock emojis (🔒/🔓) and warning/success indicators (⚠️/✅)
- **Improved Configuration Warnings**: Prominent warning display with ⚠️ emojis for immediate visibility
- **Consistent 4-Space Indenting**: Professional formatting across all configuration sections
- **SSL Connection Information**: Displays SSL/TLS connection status and encryption details when enabled
- **Enhanced Password Security**: Full password masking (`***********`) with username visibility for configuration verification
- **Configuration Display Sections**:
- 🌐 **Connection Settings**: Server, database, authentication, and SSL details
- 🔐 **SSL Connection Information**: Protocol, encryption status, and certificate trust settings (when SSL enabled)
- 🔒 **Security & Operation Settings**: Visual security status with clear indicators
- ⚡ **Performance Monitoring**: Tracking and optimization configuration
- 📊 **Streaming Configuration**: Large dataset handling settings
- 📝 **Logging & Output**: Log levels and output formatting options
### 📚 Documentation Updates
- **Updated Configuration Examples**: Revised sample log outputs throughout documentation
- Updated `docs/DEBUG-LOGGING.md` with new emoji-enhanced configuration sections
- Updated `docs/VSCODE-INTEGRATION-GUIDE.md` with current startup log examples and security status displays
- Replaced outdated `⚠️ Security: UNSAFE (RW, DML+, DDL-)` format with detailed configuration display
- Updated password masking documentation to reflect new fixed-length masking approach
- Added comprehensive examples of SSL connection information display
### 🛠️ Development Workflow Improvements
- **Enhanced Developer Experience**:
- New npm scripts for security auditing and comprehensive CI checks
- Improved git hooks with security validation
- Better separation of development concerns
- Enhanced IDE performance with smaller, focused files
- Streamlined debugging and development workflows
### ⚠️ Breaking Changes
- **🔒 Secure-by-Default Configuration Changes**:
- **`SQL_SERVER_ENCRYPT`**: Default changed from `false` to `true` (SSL encryption now enabled by default)
- **`ENABLE_STREAMING`**: Default changed from `false` to `true` (streaming now enabled by default for better performance)
- **SSL Certificate Validation**: Fixed `trustServerCertificate` logic to properly respect `SQL_SERVER_TRUST_CERT=false`
- **Impact**: Existing deployments without explicit environment variables will now use secure defaults
- **Migration**: Set `SQL_SERVER_ENCRYPT=false` and `ENABLE_STREAMING=false` in your `.env` to maintain previous behavior
- **Recommendation**: Review and update your SSL configuration for enhanced security
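As an added illustration of the secure-by-default switches listed above (example code, not `lib/config/server-config.js`), the block below parses `SQL_SERVER_ENCRYPT`, `SQL_SERVER_TRUST_CERT` and `ENABLE_STREAMING` with the 1.7.0 defaults and shows one common way an explicit `SQL_SERVER_TRUST_CERT=false` can be ignored. The variable names are from this changelog; `parseBool`, `buildSecureDefaults`, `trustCertNaive` and the warning texts are assumptions, and the naive parser is only a plausible cause of the class of bug fixed here, not a claim about the project's earlier code.

```javascript
// Added example, not the project's config loader. Env var names are from the
// changelog; function names and warning texts are assumed.

// Strict boolean parsing: the string "false" must mean false. Boolean('false')
// is true in JavaScript, so a naive conversion can never turn a setting off.
function parseBool(value, dflt) {
  if (value === undefined || value === null || String(value).trim() === '') return dflt;
  const v = String(value).trim().toLowerCase();
  if (v === 'true' || v === '1' || v === 'yes') return true;
  if (v === 'false' || v === '0' || v === 'no') return false;
  throw new Error(`expected a boolean, got "${value}"`);
}

// Naive parse, kept only to show the failure mode (assumed, not the project's code).
function trustCertNaive(env) {
  return env.SQL_SERVER_TRUST_CERT === undefined ? false : Boolean(env.SQL_SERVER_TRUST_CERT);
}

// Secure defaults as of 1.7.0: encrypt on, certificate trust off, streaming on.
function buildSecureDefaults(env) {
  const encrypt = parseBool(env.SQL_SERVER_ENCRYPT, true);
  const trustServerCertificate = parseBool(env.SQL_SERVER_TRUST_CERT, false);
  const enableStreaming = parseBool(env.ENABLE_STREAMING, true);
  const warnings = [];
  if (!encrypt) {
    warnings.push('SQL_SERVER_ENCRYPT=false: credentials and results cross the network unencrypted');
  }
  if (encrypt && trustServerCertificate) {
    warnings.push('SQL_SERVER_TRUST_CERT=true: the server certificate is not validated, so TLS no longer authenticates the server');
  }
  return { connection: { encrypt, trustServerCertificate }, enableStreaming, warnings };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = buildSecureDefaults(process.env);
  console.log(JSON.stringify(result.connection));
  for (const w of result.warnings) console.error('⚠️ ' + w);
}
```

The `connection` object maps directly onto the `encrypt` and `trustServerCertificate` options a SQL Server client takes; the warnings are what a startup configuration display should surface when an operator has opted out of either protection.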
## [1.6.0] - 2025-09-01
### 🎯 Query Optimization & Security Hardening Release
This release introduces comprehensive query optimization tools and resolves critical security vulnerabilities,
making the MCP server production-ready for enterprise environments with enhanced performance analysis capabilities.
### Added - Query Optimization & Performance Analysis
- **🔧 Complete Query Optimization Suite** ([#37](https://github.com/egarcia74/warp-sql-server-mcp/pull/37)):
- `analyze_query_performance` - Deep query analysis with bottleneck detection
- `suggest_query_optimizations` - AI-powered optimization recommendations
- `analyze_index_usage` - Index effectiveness analysis and suggestions
- `detect_performance_bottlenecks` - Systematic performance issue identification
- Advanced SQL parsing and performance metrics collection
- Comprehensive error handling and validation
- 49 unit tests with 83%+ code coverage
- **📊 Query Optimizer Engine** (`lib/analysis/query-optimizer.js`):
- SQL operator extraction and analysis (SELECT, JOIN, WHERE, ORDER BY, GROUP BY)
- Query complexity scoring and bottleneck identification
- Index recommendation based on query patterns
- Performance insights with actionable optimization suggestions
- Support for complex multi-table queries and subqueries
- Production-ready error handling and logging integration
- **🔍 Bottleneck Detection System** (`lib/analysis/bottleneck-detector.js`):
- Automated detection of query performance issues
- Analysis of table scans, missing indexes, and inefficient joins
- Memory usage pattern identification
- Query execution plan analysis
- Comprehensive reporting with severity levels
### Fixed - Critical Security Vulnerabilities
- **🛡️ Resolved CodeQL Security Alert #147**: "Incomplete multi-character sanitization"
- Eliminated unsafe regex character removal in query optimization
- Implemented precise SQL operator pattern matching
- Enhanced input validation with comprehensive sanitization
- Zero security vulnerabilities in current codebase
- **🔒 GitHub Actions Security Hardening**:
- Pinned all GitHub Actions to specific commit hashes for supply chain security
- Implemented least-privilege token permissions across all workflows
- Fixed workflow vulnerabilities identified by OSSF Scorecard
- Enhanced workflow security posture to enterprise standards
### Added - Documentation & Development Tools
- **📚 Dead Link Checking** ([#25](https://github.com/egarcia74/warp-sql-server-mcp/issues/25)):
- Automated markdown link validation in CI/CD pipeline
- Comprehensive link checking across all documentation
- Integration with documentation workflow for link health monitoring
- **📝 Spell Check Improvements**:
- Added "roadmaps" to CSpell dictionary (correctly spelled business term)
- Fixed spell check configuration path in documentation workflow
- Comprehensive spell checking for all markdown files
### Enhanced - Development Workflow
- **🤖 Dependabot Auto-Triage**:
- Enhanced dependency management with automated security updates
- Improved auto-merge logic for dependency updates
- Comprehensive security scanning integration
- **📊 Test Coverage Improvements**:
- Comprehensive test suite for query optimization features
- 584 passing tests with 83.69% overall coverage
- Enhanced unit testing for all new optimization algorithms
- Production-ready test infrastructure
### Fixed - Infrastructure & Maintenance
- **🔧 Package Dependencies**:
  - Fixed corrupted winston dependency specification
  - Updated dependency versions for security and compatibility
  - Clean package.json with proper version specifications
- **📋 Documentation Generation**:
  - Automated API documentation generation and updates
  - Enhanced PR workflow with documentation checks
  - Improved documentation consistency and accuracy
### Performance Metrics
- **Test Coverage**: 83.69% (584 passing tests)
- **Security Vulnerabilities**: 0 (resolved critical CodeQL alert)
- **New MCP Tools**: 4 query optimization tools added
- **Documentation Links**: 100% valid (comprehensive link checking)
- **Code Quality**: All ESLint, Prettier, and Markdown lint checks pass
### Breaking Changes
- None. This release maintains full backward compatibility.
### v1.6.0 Migration Notes
- Query optimization tools are available immediately with no configuration required
- All existing functionality remains unchanged
- New tools integrate seamlessly with existing MCP server infrastructure
### Added - Performance Monitoring Enhancement
- **📊 Complete Performance Monitoring Coverage**: Extended performance monitoring instrumentation to all SQL Server MCP tools
  - Added performance tracking to `listForeignKeys` method with detailed metadata capture
  - Added performance tracking to `exportTableCsv` method with query parameter and result metrics
  - All 11 MCP tools now contribute comprehensive data to overall server performance statistics
  - Enhanced unit tests with performance monitoring mocks for complete coverage
  - Fixed code formatting and linting issues across the codebase
  - Updated documentation to reflect complete performance monitoring capabilities
### Enhanced - Performance Monitoring Documentation
- **📚 Updated Documentation**:
  - Added performance monitoring tools (`get_performance_stats`, `get_query_performance`, `get_connection_health`) to README.md Available Tools section
  - Enhanced WARP setup guide with comprehensive performance monitoring examples
  - Corrected markdown formatting issues in setup guides
  - Ensured all CI/CD checks pass (linting, formatting, testing)
This completes the performance monitoring implementation started in GitHub issue #15, providing comprehensive query performance tracking, error handling, and diagnostics across all database operation methods.
### Enhanced - Test Suite Modularization
- **🧪 Modular Test Architecture**: Restructured monolithic test suite into focused, maintainable modules
  - Extracted `mcp-connection.test.js` - Database connection tests (4 tests)
  - Extracted `mcp-security.test.js` - Safety mechanisms and query validation tests (38 tests)
  - Extracted `mcp-core-tools.test.js` - Core SQL tools tests (12 tests)
  - Extracted `mcp-data-tools.test.js` - Data manipulation tools tests (36 tests)
  - Extracted `mcp-performance-tools.test.js` - Performance monitoring tests (22 tests)
  - Extracted `mcp-server-lifecycle.test.js` - Server startup and configuration tests (15 tests)
  - All 127 tests from original monolithic suite successfully extracted and verified
  - Original monolithic test file preserved for compatibility
  - Each test file runs independently with proper environment isolation
  - Improved development workflow with focused test execution
  - Updated test documentation to reflect modular structure
## [1.5.0] - 2025-08-29
### 🎯 Product Management & Development Workflow Enhancement
This release introduces comprehensive project management capabilities and enhanced development workflows for better feature tracking and GitHub integration.
### Added - Product Backlog & Issue Management
- **📋 Comprehensive Product Backlog System** (`PRODUCT-BACKLOG.md`):
  - 17 prioritized features organized by business value and implementation phases
  - Phase-based roadmap (0-3 months, 3-6 months, 6-12 months, 12+ months)
  - Detailed feature descriptions with technical specifications
  - Business value analysis and priority rankings
  - Complete feature lifecycle tracking from concept to deployment
  - Strategic alignment with enterprise-grade software framework vision
- **🔧 GitHub Issues Integration**:
  - Automated issue creation from product backlog (`scripts/backlog/create-backlog-issues.sh`)
  - Backlog-to-issue synchronization script (`scripts/backlog/update-backlog-links.sh`)
  - All 7 priority features now linked to GitHub issues (#16-#22)
  - Comprehensive labeling system (priority, phase, category labels)
  - Batch issue creation with consistent formatting
  - Duplicate detection and intelligent issue management
- **📝 Enhanced Issue Templates**:
  - Professional feature request template (`.github/ISSUE_TEMPLATE/feature-request.md`)
  - Detailed acceptance criteria and technical requirements sections
  - Business justification and impact analysis fields
  - Implementation complexity assessment
  - Cross-reference support between backlog and issues
### Added - Development Automation
- **🤖 Backlog Management Scripts**:
  - `scripts/backlog/create-backlog-issues.sh` - Automated GitHub issue creation
  - `scripts/backlog/update-backlog-links.sh` - Synchronize backlog with existing issues
  - Intelligent duplicate checking and existing issue detection
  - GitHub CLI integration with authentication validation
  - Comprehensive error handling and user feedback
### Enhanced - Project Documentation
- **📚 Strategic Documentation Updates**:
  - Complete product roadmap with implementation phases
  - Feature prioritization methodology and business value framework
  - Development process improvements with TDD emphasis
  - Enhanced contribution guidelines with backlog integration
  - Cross-referenced documentation between backlog and GitHub issues
### Fixes
- **🔧 Template and Documentation Fixes**:
  - Corrected broken links in feature request template
  - Fixed changelog link references to proper release pages
  - Improved script portability for different shell environments
  - Enhanced error handling in backlog automation scripts
### Features Now Tracked in GitHub Issues
- Enhanced Data Visualization Support → [#18](https://github.com/egarcia74/warp-sql-server-mcp/issues/18)
- Query Builder & Template System → [#17](https://github.com/egarcia74/warp-sql-server-mcp/issues/17)
- Advanced Data Export Options → [#16](https://github.com/egarcia74/warp-sql-server-mcp/issues/16)
- Real-time Data Monitoring → [#19](https://github.com/egarcia74/warp-sql-server-mcp/issues/19)
- Database Comparison & Synchronization → [#20](https://github.com/egarcia74/warp-sql-server-mcp/issues/20)
- Query Optimization & Performance Tools → [#21](https://github.com/egarcia74/warp-sql-server-mcp/issues/21)
- Natural Language Query Interface → [#22](https://github.com/egarcia74/warp-sql-server-mcp/issues/22)
## [1.4.0] - 2025-08-29
### 🚀 Major Architecture Enhancement Release
This release represents a significant architectural evolution with enterprise-grade features for production environments.
### Added - Enterprise Secret Management
- **🔐 AWS Secrets Manager Integration**: Complete implementation for enterprise secret management
  - Support for individual secrets and JSON secret bundles
  - Multiple secret retrieval strategies with intelligent fallback
  - Regional support with configurable endpoints
  - Comprehensive error handling and retry logic with exponential backoff
  - Secret versioning support with automatic AWSCURRENT selection
  - Health monitoring and connectivity validation
  - Extensive configuration validation and troubleshooting guides
  - Integration test suite with comprehensive examples (`test/integration/test-aws-secrets.js`)
- **🔑 Azure Key Vault Integration**: Full-featured Azure secret management
  - Service Principal and Managed Identity authentication support
  - Automatic secret name conversion (underscores to hyphens)
  - Multi-tenancy support with configurable vault URLs
  - Advanced caching with TTL and manual refresh capabilities
  - Health monitoring and permission validation
  - Detailed setup guides with Azure CLI examples
  - Integration test suite with real-world scenarios (`test/integration/test-azure-secrets.js`)
- **📋 Universal Secret Manager Architecture** (`lib/config/secret-manager.js`):
  - Pluggable architecture supporting multiple secret backends
  - Intelligent fallback to environment variables for development
  - Comprehensive secret masking for audit trails
  - Database configuration assembly from multiple sources
  - Performance monitoring with caching analytics
  - 855 unit tests covering all scenarios and edge cases
  - Production-ready error handling and logging integration
### Added - Advanced Security & Query Validation
- **🛡️ Enhanced Query Validation System** (`lib/security/query-validator.js`):
  - Advanced SQL parsing with `node-sql-parser` integration
  - Intelligent fallback to regex validation for complex queries
  - Comprehensive dangerous function detection (xp_cmdshell, OPENROWSET, etc.)
  - Multi-statement query analysis and validation
  - Whitelist-based approach for maximum security
  - Detailed validation reporting with security justifications
  - 390 lines of production-hardened validation logic
  - Extensive test coverage with real-world attack pattern testing
- **🔒 CodeQL Security Compliance**:
  - Complete resolution of clear-text-logging warnings
  - Secure environment variable handling patterns
  - Production-ready logging that avoids sensitive data exposure
  - GitHub Advanced Security integration with zero warnings
  - Security-first development practices throughout codebase
### Added - Production Monitoring & Logging
- **📊 Advanced Performance Monitoring** (`lib/utils/performance-monitor.js`):
  - Comprehensive query execution time tracking
  - Memory usage monitoring with detailed heap analysis
  - Connection pool performance metrics
  - Operation success/failure rate tracking
  - Configurable alert thresholds with notification support
  - Historical performance data aggregation
  - Export capabilities for external monitoring systems
  - 642 lines of enterprise-grade monitoring infrastructure
  - 1,027 unit tests covering all monitoring scenarios
- **📝 Enterprise Logging System** (`lib/utils/logger.js`):
  - Winston-based structured logging with configurable levels
  - Multiple transport support (console, file, external systems)
  - Contextual logging with request tracing
  - Security-aware log filtering and sanitization
  - Production-ready log formatting and rotation
  - Integration with monitoring and alerting systems
  - 366 lines of production-hardened logging logic
  - 795 unit tests ensuring reliability across all scenarios
### Added - Developer Experience & Tooling
- **🛠️ Advanced Development Tools**:
  - `scripts/pretty-logs.sh` - Enhanced log formatting with syntax highlighting
  - `scripts/pretty-logs-detailed.sh` - Comprehensive log analysis with metrics
  - `scripts/view-server-logs.sh` - Real-time server log monitoring
  - `scripts/view-full-logs.sh` - Complete log aggregation and filtering
  - Professional log colorization and timestamp formatting
  - Grep-based filtering with context preservation
  - Production debugging support with secure log redaction
- **📚 Comprehensive Documentation**:
  - `docs/AWS-SECRETS-GUIDE.md` - Complete AWS Secrets Manager integration guide (934 lines)
  - `docs/AZURE-SECRETS-GUIDE.md` - Comprehensive Azure Key Vault setup guide (529 lines)
  - `docs/DEBUG-LOGGING.md` - Production debugging and monitoring guide (133 lines)
  - `ARCHITECTURE.md` - Complete system architecture documentation (428 lines)
  - `MANIFESTO.md` - Development philosophy and design principles (162 lines)
  - `PERFORMANCE.md` - Performance optimization and monitoring guide (413 lines)
  - Step-by-step setup guides with real-world examples
  - Troubleshooting sections with common issues and solutions
  - Security best practices and deployment guidelines
### Added - Testing & Quality Assurance
- **🧪 Comprehensive Test Suite Expansion**:
  - **278 total tests** (up from 56) with 68.97% code coverage
  - Unit tests: `logger.test.js` (48 tests), `performance-monitor.test.js` (58 tests)
  - Unit tests: `secret-manager.test.js` (51 tests), `query-validator-simple.test.js` (16 tests)
  - Integration tests: Real AWS and Azure secret manager integration testing
  - Performance tests: Load testing and memory usage validation
  - Security tests: Comprehensive attack pattern and injection testing
  - Edge case testing: Network failures, timeout handling, invalid configurations
  - Mocked external dependencies for reliable CI/CD testing
### Enhanced - Core Architecture
- **⚡ Modular Architecture Redesign**:
  - Clean separation of concerns with dedicated lib/ modules
  - Dependency injection patterns for improved testability
  - Plugin architecture for extensible secret management
  - Event-driven monitoring and logging integration
  - Production-ready error handling with detailed context
  - Comprehensive configuration validation and startup checks
- **🔧 Enhanced Configuration Management**:
  - Startup configuration validation with detailed error reporting
  - Visual security status display with emoji indicators and color coding
  - Comprehensive environment variable documentation
  - Production deployment checklists and validation scripts
  - Security recommendations based on current configuration
  - Troubleshooting guides with step-by-step resolution
### Security Enhancements
- **🔒 Production Security Hardening**:
  - Complete elimination of CodeQL security warnings
  - Secure credential handling patterns throughout codebase
  - Environment variable sanitization in all logging contexts
  - Secret masking in audit trails and error messages
  - Production-ready authentication and authorization patterns
  - Comprehensive security testing and validation
### Performance
- **⚡ Enterprise Performance Optimization**:
  - Advanced connection pooling with intelligent retry logic
  - Query execution monitoring with performance analytics
  - Memory usage optimization and garbage collection tuning
  - Caching strategies for secret management and query results
  - Configurable timeouts and resource limits
  - Production monitoring and alerting integration
### Dependencies
- **📦 New Production Dependencies**:
  - `@azure/identity@^4.11.1` - Azure authentication and identity management
  - `@azure/keyvault-secrets@^4.10.0` - Azure Key Vault secret operations
  - `aws-sdk@^2.1692.0` - AWS service integration and secret management
  - `node-sql-parser@^5.3.11` - Advanced SQL parsing and validation
  - `winston@latest` - Enterprise-grade structured logging
### Migration Notes
- **No Breaking Changes**: All existing configurations continue to work
- **New Environment Variables**: Secret management is optional and falls back to env vars
- **Enhanced Security**: New validation may catch previously undetected issues
- **Performance**: Startup time may increase due to comprehensive validation
- **Logging**: New structured logging provides more detailed information
### Upgrade Guide
1. **Update Dependencies**: `npm install` will pull all new dependencies
2. **Optional Secret Management**: Configure AWS or Azure secrets for enhanced security
3. **Review Logs**: New structured logging provides enhanced debugging information
4. **Performance Monitoring**: Enable advanced monitoring for production insights
5. **Security**: Review new security validation messages for optimal configuration
## [1.3.0] - 2025-08-28
### Added - Security Features
- **🔒 Three-Tier Graduated Safety System**: Revolutionary security architecture for production database safety
  - **Read-Only Mode**: `SQL_SERVER_READ_ONLY` (default: `true`) - Restricts to SELECT queries only
  - **Destructive Operations Control**: `SQL_SERVER_ALLOW_DESTRUCTIVE_OPERATIONS` (default: `false`) - Controls INSERT/UPDATE/DELETE
  - **Schema Changes Control**: `SQL_SERVER_ALLOW_SCHEMA_CHANGES` (default: `false`) - Controls CREATE/DROP/ALTER
  - **Secure by Default**: Maximum security out-of-the-box with explicit opt-in for dangerous operations
  - **Comprehensive Query Validation**: Advanced regex-based SQL parsing to enforce security policies
  - **Clear Security Feedback**: Detailed error messages explaining why operations are blocked
  - **Runtime Security Status**: Every response includes current safety configuration for transparency
- **🛡️ Production Security Features**
  - **Startup Security Summary**: Visual security status display in MCP logs with emoji indicators
  - **Security Level Indicators**: `🔒 SECURE` / `⚠️ UNSAFE` status with detailed breakdown (RO/RW, DML±, DDL±)
  - **Configuration Validation**: Automatic detection and warning of unsafe production configurations
  - **Audit Trail**: Security decisions logged for compliance and troubleshooting
  - **Comprehensive Documentation**: Dedicated `SECURITY.md` with threat model and deployment guidelines
- **📋 Configuration Management**
  - **Enhanced .env.example**: Comprehensive security configuration examples with detailed explanations
  - **Environment-Specific Templates**: Production, staging, and development configuration patterns
  - **Security Checklist**: Production deployment validation checklist
  - **Migration Guide**: Clear upgrade path for existing installations
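The three-tier graduated safety model and the `🔒 SECURE` / `⚠️ UNSAFE` status line described above, as an added worked example. This is not the project's own `query-validator.js`; it is a minimal regex-based classifier written for this entry, and it assumes that a statement's kind is taken from its leading keyword after comments are removed, that multi-statement batches are split on `;`, and that read-only mode takes precedence over the two opt-in flags.

```javascript
// Added illustration of the graduated safety policy (not the project's own code).
// Assumptions: env var names and defaults are the ones listed in this changelog;
// classification is by leading keyword; read-only mode overrides the opt-in flags.

const DEFAULTS = {
  SQL_SERVER_READ_ONLY: 'true',
  SQL_SERVER_ALLOW_DESTRUCTIVE_OPERATIONS: 'false',
  SQL_SERVER_ALLOW_SCHEMA_CHANGES: 'false'
};

// Secure by default: every flag falls back to the documented default when unset.
function loadSafetyConfig(env = process.env) {
  const flag = (name) => String(env[name] ?? DEFAULTS[name]).toLowerCase() === 'true';
  return {
    readOnly: flag('SQL_SERVER_READ_ONLY'),
    allowDestructive: flag('SQL_SERVER_ALLOW_DESTRUCTIVE_OPERATIONS'),
    allowSchemaChanges: flag('SQL_SERVER_ALLOW_SCHEMA_CHANGES')
  };
}

// Remove /* */ and -- comments so a comment can neither hide nor spoof the
// leading keyword, then split on ';' so every statement in a batch is inspected.
function splitStatements(sql) {
  const stripped = sql.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/--[^\n]*/g, ' ');
  return stripped.split(';').map((s) => s.trim()).filter(Boolean);
}

const READ = /^(SELECT|WITH)\b/i;
const DML = /^(INSERT|UPDATE|DELETE|MERGE|TRUNCATE)\b/i;
const DDL = /^(CREATE|ALTER|DROP)\b/i;

function classify(statement) {
  if (DDL.test(statement)) return 'ddl';
  if (DML.test(statement)) return 'dml';
  if (READ.test(statement)) return 'read';
  return 'other'; // EXEC, GRANT, etc.: never permitted by this illustrative policy
}

// Returns { allowed, kinds, reason } so the caller can report why a query was blocked.
function validateQuery(sql, config = loadSafetyConfig()) {
  const kinds = splitStatements(sql).map(classify);
  for (const kind of kinds) {
    if (kind === 'read') continue;
    if (config.readOnly) return { allowed: false, kinds, reason: `${kind} blocked: SQL_SERVER_READ_ONLY=true` };
    if (kind === 'dml' && !config.allowDestructive) return { allowed: false, kinds, reason: 'dml blocked: SQL_SERVER_ALLOW_DESTRUCTIVE_OPERATIONS=false' };
    if (kind === 'ddl' && !config.allowSchemaChanges) return { allowed: false, kinds, reason: 'ddl blocked: SQL_SERVER_ALLOW_SCHEMA_CHANGES=false' };
    if (kind === 'other') return { allowed: false, kinds, reason: 'statement type not covered by the safety policy' };
  }
  return { allowed: true, kinds, reason: 'permitted by current safety configuration' };
}

// Startup summary in the RO/RW, DML+/-, DDL+/- form described above.
function securityStatus(config = loadSafetyConfig()) {
  const secure = config.readOnly && !config.allowDestructive && !config.allowSchemaChanges;
  const ro = config.readOnly ? 'RO' : 'RW';
  const dml = config.allowDestructive ? 'DML+' : 'DML-';
  const ddl = config.allowSchemaChanges ? 'DDL+' : 'DDL-';
  return `${secure ? '🔒 SECURE' : '⚠️ UNSAFE'} (${ro}, ${dml}, ${ddl})`;
}

// Stand-alone run with an empty environment, i.e. the documented defaults.
const defaults = loadSafetyConfig({});
console.log(securityStatus(defaults));
console.log(validateQuery('SELECT 1; DROP TABLE t', defaults).reason);
```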
### Added - Documentation & Tooling
- **Enhanced Auto-Generated Documentation System**: Complete overhaul of documentation generation
  - `scripts/extract-docs.js` - Automatically parses MCP tool definitions from source code
  - `scripts/generate-tools-html.js` - Creates comprehensive API reference with parameters and examples
  - `scripts/generate-landing-page.js` - Generates dynamic landing page with current tool counts
  - Documentation now auto-extracts all 8 MCP tools with full parameter details and usage examples
  - Landing page displays dynamic version numbers and tool counts from actual code
  - Detailed API reference page with parameter tables, required/optional indicators, and code examples
  - Ensures documentation never goes out of sync with actual code changes
  - Professional styling with table of contents, navigation, and responsive design
  - Automatic rebuilds on every push via GitHub Actions integration
### Security
- **🚨 BREAKING CHANGE**: Default behavior now prioritizes security over functionality
  - **New installations default to read-only mode** - only SELECT queries allowed
  - **Existing configurations may need updates** - see migration guide in SECURITY.md
  - **Explicit configuration required** for write operations in production
- **Comprehensive Security Testing**: 100% coverage of security validation logic
- **Threat Model Documentation**: Detailed analysis of mitigated and unmitigated threats
- **Security Response Process**: Formal vulnerability disclosure and response procedures
### Enhanced Documentation
- Enhanced online documentation site with auto-generated content
- Complete API reference at `/tools.html` with detailed parameter documentation
- Dynamic tool counting and version display throughout documentation
- Professional documentation layout with improved navigation and styling
- Added comprehensive documentation section to README.md explaining the auto-generation system
### Added - User Experience
- **🚀 Quick Start Guide**: New QUICKSTART.md providing 5-minute setup walkthrough
  - Step-by-step installation and configuration
  - Security defaults explanation
  - Basic testing and troubleshooting
  - Cross-references to detailed documentation
- **📚 Enhanced User Onboarding**: Quick Start references added throughout documentation
  - Prominent Quick Start links in README.md, SECURITY.md, CONTRIBUTING.md, WARP.md
  - Improved navigation for new users
  - Better documentation discoverability
## [1.7.12] - 2025-09-12
### Fixed
- CLI: Route startup banners to stderr in MCP/stdio environments to prevent JSON handshake pollution on Windows (VS Code/Warp).
  - Detect MCP via `VSCODE_MCP`, `MCP_TRANSPORT=stdio`, or non-TTY stdio.
  - No behavior change for normal terminal usage.