coremcp/coremcp.example.yaml at main · CoreBaseHQ/coremcp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# CoreMCP Configuration Example
# Copy this file to coremcp.yaml and customize for your environment

server:
  name: "coremcp-agent"
  version: "0.4.0"
  transport: "stdio"  # stdio (for Claude Desktop) or http (for remote server)
  port: 8080          # Only used in http mode

logging:
  level: "info"       # debug, info, warn, error
  format: "json"      # text or json

# Database sources configuration
sources:
  # Example: Dummy database (for testing)
  - name: "test_db"
    type: "dummy"
    dsn: "dummy://test"
    readonly: true

  # Example: Microsoft SQL Server (modern - 2012 or newer)
  # - name: "production_db"
  #   type: "mssql"
  #   dsn: "sqlserver://username:password@localhost:1433?database=mydb&encrypt=disable"
  #   readonly: true
  #   no_lock: true            # Use READ UNCOMMITTED isolation (equivalent to WITH (NOLOCK))
  #                            # Eliminates shared locks on busy OLTP databases.
  #                            # Trade-off: may read uncommitted rows.
  #                            # Recommended for AI / reporting workloads.

  # Example: Legacy Turkish ERP (SQL Server 2000 / 2008 with Turkish_CI_AS collation)
  # CoreMCP auto-detects the SQL Server version on connect and adapts queries:
  #   - SQL Server 2000: uses sysobjects / sysforeignkeys instead of sys.* views
  #   - SQL Server 2008 and older: rewrites OFFSET FETCH to SELECT TOP N automatically
  #   - All versions: rewrites LIMIT N to SELECT TOP N (T-SQL compatibility)
  # - name: "erp_db"
  #   type: "mssql"
  #   dsn: "sqlserver://sa:password@192.168.1.10:1433?database=ERPDB&encrypt=disable"
  #   readonly: false          # Override default (true) to allow execute_procedure tool
  #   no_lock: true            # Avoid locking on busy OLTP
  #   normalize_turkish: true  # Normalize Turkish chars in SQL literals for legacy Turkish_CI_AS databases
  #                            # Outgoing: 'Huseyin' to 'HUSEYIN', 'seker' to 'SEKER' inside WHERE clauses
  #                            # Incoming: auto-corrects Windows-1254 / Windows-1252 mojibake in results

  # Example: Firebird (not implemented yet)
  # - name: "legacy_db"
  #   type: "firebird"
  #   dsn: "firebird://user:password@localhost:3050/database.fdb"
  #   readonly: true

# DSN Format Examples:
# MSSQL:  sqlserver://username:password@host:port?database=dbname&encrypt=disable
# Dummy:  dummy://anything
#
# MSSQL Version Support (auto-detected - no manual config required):
#   SQL Server 2000  (v8)  - sysobjects/sysforeignkeys; no column descriptions
#   SQL Server 2005  (v9)  - INFORMATION_SCHEMA + sys.* views; column descriptions via sys.extended_properties
#   SQL Server 2008  (v10) - same as 2005; OFFSET FETCH not supported (auto-rewritten to TOP)
#   SQL Server 2012+ (v11) - full support including OFFSET FETCH pagination
#   SQL Server 2019  (v15) - full support
#   SQL Server 2022  (v16) - full support

# Security configuration
security:
  # Maximum number of rows to return from any query (prevents DB overload)
  max_row_limit: 1000

  # Enable PII (Personally Identifiable Information) masking
  enable_pii_masking: true

  # PII patterns to mask in query results
  pii_patterns:
    - name: "credit_card"
      pattern: '\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b'
      replacement: "****-****-****-****"
      enabled: true

    - name: "email"
      pattern: '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
      replacement: "***@***.***"
      enabled: true

    - name: "turkish_id"
      pattern: '\b[1-9]\d{10}\b'
      replacement: "***********"
      enabled: true

    - name: "phone"
      pattern: '\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b'
      replacement: "***-***-****"
      enabled: true

    - name: "iban"
      pattern: '\b[A-Z]{2}\d{2}[A-Z0-9]{1,30}\b'
      replacement: "********************"
      enabled: false  # Disabled by default

  # Additional SQL keywords to allow (beyond SELECT/WITH)
  allowed_keywords: []

  # Additional SQL keywords to block (beyond default dangerous ones)
  blocked_keywords: []

# Custom tools configuration (optional)
# Define reusable SQL queries as MCP tools.
# In addition to these, the following built-in tools are always available:
#   query_database    - execute any SQL query
#   list_tables       - list all tables with column counts
#   describe_table    - show full schema of a table (columns, PKs, FKs, descriptions)
#   list_views        - list all views with their columns
#   list_procedures   - list all stored procedures with parameters
#   execute_procedure - run a stored procedure (requires readonly: false on the source)
custom_tools:
  # Each parameter accepts an optional `type` field that constrains what values
  # the AI is allowed to pass.  Using a precise type is strongly recommended
  # to prevent SQL injection when the value is interpolated into the query:
  #
  #   type: integer    — only bare integers accepted (e.g. 42); safe unquoted
  #   type: number     — integers and decimals (e.g. 3.14); safe unquoted
  #   type: date       — YYYY-MM-DD only (e.g. 2024-01-31); wrap in quotes in template
  #   type: identifier — letters/digits/underscores only; safe unquoted
  #   type: string     — default; single quotes escaped ('→''); ALWAYS wrap {{param}} in
  #                      quotes inside the query template: WHERE name = '{{name}}'
  #
  # Values that fail type validation are rejected before the query runs, so
  # payloads like "1 OR 1=1" are blocked when type is "integer" or "identifier".

  # Example: Get daily sales summary
  - name: "get_daily_sales"
    description: "Retrieves daily sales summary for a specific date"
    source: "test_db"
    query: "SELECT * FROM orders WHERE DATE(created_at) = '{{date}}'"
    parameters:
      - name: "date"
        description: "Date in YYYY-MM-DD format"
        required: true
        type: "date"   # enforces YYYY-MM-DD; blocks arbitrary strings

  # Example: Get top customers
  - name: "get_top_customers"
    description: "Lists top N customers by order count"
    source: "test_db"
    query: "SELECT user_id, COUNT(*) as order_count FROM orders GROUP BY user_id ORDER BY order_count DESC LIMIT {{limit}}"
    parameters:
      - name: "limit"
        description: "Number of top customers to return"
        required: true
        default: "10"
        type: "integer"   # prevents "1 OR 1=1" style injections

  # Example: No-parameter custom query
  - name: "get_pending_orders"
    description: "Gets all orders with pending status"
    source: "test_db"
    query: "SELECT * FROM orders WHERE status = 'pending' ORDER BY created_at DESC"
    parameters: []