Tags: tuannvm/mcp-trino
Tags
feat(cli): add dual-purpose CLI mode to mcp-trino (#168) * feat(cli): add dual-purpose CLI mode to mcp-trino Add CLI mode alongside existing MCP server functionality: CLI Commands: - query: Execute SQL queries with output formatting (table/json/csv) - catalogs: List available Trino catalogs - schemas: List schemas in a catalog - tables: List tables in a schema - describe: Show table schema - explain: Analyze query execution plans - interactive: REPL mode for interactive SQL querying Configuration: - YAML config file support at ~/.mcp-trino/config.yaml - Environment variable fallback (TRINO_*) - Command-line flags for connection parameters Mode Detection: - Auto-detects MCP vs CLI mode based on environment and flags - Preserves backward compatibility with existing MCP integrations REPL Features: - Multi-line query support with continuation prompt - Meta-commands for catalog/schema/table navigation Architecture: - New internal/cli package for CLI functionality - cmd/cli.go for CLI entry point - Shared use of existing trino/config packages * feat(cli): add production-ready CLI mode with dual-mode operation Transform mcp-trino from MCP-only to dual-purpose tool supporting both MCP server mode (for AI assistants) and CLI mode (for human users). ## Features Added **CLI Mode:** - Interactive REPL with SQL query execution and meta-commands - Subcommands: query, catalogs, schemas, tables, describe, explain - Output formats: table, json, csv with deterministic column ordering - Config file support: ~/.config/trino/config.yaml - Auto-completion and history in REPL **Dual-Mode Operation:** - Automatic mode detection based on args and environment - MCP mode: default for no args or when MCP_PROTOCOL_VERSION set - CLI mode: activated by known commands or --cli flag - Explicit control via --mcp/--cli flags - Full backward compatibility with existing MCP integrations ## Configuration - Config precedence: defaults → config file → env vars → CLI flags - YAML-based configuration at ~/.config/trino/config.yaml - Support for all Trino connection parameters - SSL configuration with insecure option ## Testing - Unit tests: 100+ tests across 6 test files - Integration tests: end-to-end binary execution - All tests passing with race detection - 0 linting issues ## Breaking Changes - Table/CSV output columns now sorted alphabetically (deterministic) - Scripts parsing by column position may need updates - Recommend parsing by column name instead ## Documentation - Comprehensive README with usage examples - TESTING.md with test coverage details - RELEASE_NOTES.md with migration guide - PRODUCTION_READINESS.md with deployment checklist Resolves CLI mode requirement for interactive Trino access. * feat(cli): add comprehensive config validation and testing - Add extensive unit tests for config package (90%+ coverage) - Implement strict validation for all config fields - Add config file merging with precedence (CLI > env > file) - Add schema validation for Trino connection parameters - Add tests for edge cases (empty values, invalid URLs, etc.) - Add integration test helper for config loading - Update CLAUDE.md with CLI config documentation - Update RELEASE_NOTES.md with testing improvements - Update installation.md with config file examples All tests pass with race detection enabled. * fix: support flag-style arguments for schemas and tables commands - Add subcommand-specific FlagSet for schemas (--catalog) and tables (--catalog, --schema) - Change schemas from ExitOnError to ContinueOnError for consistency - Add hasFlags() helper to detect if arguments contain flags - Update fallback logic to only treat args as positional when no flags present - Support mixed form: flags before positional args (e.g., tables --catalog dmx tiny) Fixes issue where 'schemas --catalog dmx' failed but 'schemas dmx' worked. Known limitation: flags after positional args (e.g., tables dmx --schema tiny) won't parse correctly due to Go flag package behavior. Users should put flags first or use all positional args. * fix: correct precedence chain and add runtime validation - Fix precedence: profiles now override env vars (env vars are lowest priority) - Changed setEnvIfAbsent to setEnvIfValue that always sets the value - CLI flags still override profiles (applied after profile env vars) - Add runtime validation for active profile required fields - Validate host, port, user in RunCLIMode before connecting - Fail fast with clear error messages for missing/invalid fields - Config commands still bypass validation (allow fixing stale configs) This ensures the correct precedence chain: 1. CLI flags (--host, --port, etc.) - highest 2. --profile flag 3. TRINO_PROFILE env var 4. current in config file 5. default profile fallback 6. Environment variables (TRINO_HOST, etc.) - lowest * fix: handle empty config files and update tests - Ensure default profile exists when config file is empty or has no profiles - Add empty profile handling to LoadCLIConfig, ParseCLIConfig, ParseCLIConfigWithPath - Fix profile list output to use deterministic sorted order - Use GetProfileNames() instead of iterating map directly - Update integration test to reflect correct precedence - Renamed TestIntegration_EnvVarOverridesConfig to TestIntegration_ConfigOverridesEnvVar - Config now correctly overrides env vars (env vars are lowest priority) - Fix test config files to include required fields - Add 'user: testuser' to all test configs to pass validation - Add 'port: 9999' to configs that were missing it * fix: ensure SSL_INSECURE profile value overrides env var When SSL.Enabled is configured in a profile, always set TRINO_SSL_INSECURE to match the profile value, ensuring profiles take precedence over env vars. Previously, only 'true' values were set, allowing existing env vars to win when profile value was 'false'. This violated the precedence rule where env vars should be lowest priority. * fix: allow CLI flags to complete incomplete profiles Move validation from profile-level to TrinoConfig-level, allowing CLI flags to provide missing required fields (host, port, user) before validation. Previously, validation happened on the profile data before CLI flags were applied, preventing flags from 'rescuing' incomplete profiles. This violated the precedence rule where CLI flags should be highest priority. Now: 1. Profile is resolved and checked for existence 2. Profile values are applied to env vars 3. CLI flags are applied to env vars (override profile) 4. TrinoConfig validates final env var values This correctly implements the precedence chain. * fix: validate required fields after precedence is applied Add fail-fast validation for host and user AFTER both profile and CLI flags are applied to env vars. This ensures: 1. CLI flags can still rescue incomplete profiles (precedence works) 2. Missing required fields fail fast instead of using defaults 3. Clear error messages guide users to fix the issue Previously, removing profile-level validation caused incomplete configs to use defaults (localhost, trino) instead of failing. This masked configuration errors and violated fail-fast behavior. Validation now checks the final env var values after the full precedence chain is applied. * fix: update trivy-action to safe version v0.35.0 Critical security fix: Replace compromised trivy-action@0.33.1 with verified safe version v0.35.0. Background: Aqua Security reported a supply chain attack on March 19, 2026 where tags 0.0.1 to 0.34.2 were compromised with credential stealing malware. Version v0.35.0 (released March 20, 2026) is the first safe version using the new 'v' prefix convention. Also removed the 'version' parameter which was incorrectly specifying the Trivy binary version instead of being a valid action parameter. * remove: Cursor Code Review workflow Remove the .github/workflows/cursor.yml file as it's no longer needed. This workflow was used for automated PR reviews using Cursor Agent. * docs: remove outdated files and update for named profiles feature Removed outdated documentation: - REVIEW_SUMMARY.md (old CLI review from March 2025, pre-profiles) - SOLUTION.md (old MCP solution doc, doesn't mention CLI mode) - PRODUCTION_READINESS.md (old production readiness, pre-profiles) Updated documentation: - README.md: Added Named Profiles section with: - Profile-based configuration examples - Profile management commands (list, use, show) - Configuration precedence explanation - Updated Environment Variables section - RELEASE_NOTES.md: Fixed Configuration Precedence section to show: - New profile-aware precedence chain - Profile selection examples - Updated config file format with profiles structure All documentation now reflects the current dual-mode (MCP + CLI) with named profiles feature. * remove: outdated internal/cli/TESTING.md Remove old manual testing documentation from March 2025 (pre-profiles). The project now has comprehensive automated test coverage, making this manual testing document obsolete. * fix: correct documentation formatting issues Fix README.md malformed markdown (extra closing fence) Fix RELEASE_NOTES.md broken YAML snippet and removed reference to deleted TESTING.md All tests passing and lint clean. * chore: remove .claude/scheduled_tasks.lock file
perf: add row limiting, precompile regexes, increase default timeout (#… …162) * perf: add row limiting, precompile regexes, increase default timeout Three performance improvements: 1. Row limiting (TRINO_MAX_ROWS) - New env var TRINO_MAX_ROWS (default 10000, 0=unlimited) - ExecuteQueryWithContext stops scanning at limit, closes rows immediately to halt server-side streaming - Truncation signaled cleanly in handler JSON response envelope - Validated: negative/non-integer values fall back to default 2. Regex precompilation - All ~30 regexes compiled once at package init time - Eliminates repeated regexp.Compile calls per query - Behavior verified identical via 26-case consistency test 3. Default query timeout: 30s -> 300s - Analytical Trino queries routinely take minutes - Configurable via existing TRINO_QUERY_TIMEOUT env var Also fixes (from Codex review): - rows.Err() no longer checked after truncation break - Truncation metadata no longer injected as fake row into results Test coverage: 10 new MCP handler tests, 7 config tests, 37 client tests Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> * fix: MCP 2025-06-18 compliance - use structuredContent for truncation Breaking change fix: the previous commit wrapped execute_query results in a JSON envelope, breaking backward compatibility for MCP clients expecting a bare JSON array. Now uses the MCP 2025-06-18 structuredContent field: - content[0].text = bare JSON array (backward-compatible) - structuredContent = {results, truncated, rowCount, message} Also introduces QueryResult type to carry explicit truncation signal from ExecuteQueryWithContext, eliminating false-positive truncation detection when a query naturally returns exactly MaxRows rows. Verified against: - MCP spec 2025-06-18 (structuredContent field) - mcp-go v0.43.1 NewToolResultStructured helper - Codex-5.3-High review Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> * fix: bump Go 1.24.11 → 1.25.8, upgrade vulnerable dependencies Go stdlib: - Go 1.24.x has no fix for GO-2026-4601 (net/url) and GO-2026-4602 (os) - Go 1.25.8 (released 2026-03-05) resolves these Module dependencies: - golang.org/x/crypto v0.37.0 → v0.45.0 Fixes: GO-2025-4116, GO-2025-4134, GO-2025-4135 (ssh/agent DoS, ssh unbounded memory, ssh/agent malformed constraint) - golang.org/x/net v0.39.0 → v0.47.0 Fixes: GO-2026-4440, GO-2026-4441 (html quadratic parsing, infinite parsing loop) Updates go.mod, go.sum, build.yml, release.yml, and Dockerfile. Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> * fix: pin Trivy to v0.69.3 to avoid transient install failures Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> --------- Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> Co-authored-by: Tommy Nguyen <tuannvm@hotmail.com>
feat: Add MCP tool annotations for LLM guidance (#148) * feat: Add MCP tool annotations for LLM guidance Add title and hint annotations to all 6 tools to help LLMs understand tool behavior and make safer decisions about tool usage. **Read-Only Tools (5 tools):** - list_catalogs - Discover Trino catalogs - list_schemas - Browse schemas in a catalog - list_tables - Discover tables and views - get_table_schema - Inspect table structure - explain_query - Analyze query execution plans **Destructive Tools (1 tool):** - execute_query - Execute SQL queries (can run DML/DDL) Uses mark3labs/mcp-go annotation functions: - WithTitleAnnotation() - Human-readable tool names - WithReadOnlyHintAnnotation(true) - Safe read operations - WithDestructiveHintAnnotation(true) - State-modifying operations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: triepod-ai <199543909+triepod-ai@users.noreply.github.com> * fix: Update execute_query description to reflect actual capabilities Address CodeRabbit review feedback: the execute_query tool supports all SQL statements (including DML/DDL like INSERT, UPDATE, DELETE, CREATE, DROP), not just SELECT/SHOW/DESCRIBE/EXPLAIN as previously documented. This clarifies why destructiveHint is set to true - the tool can modify data. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: triepod-ai <199543909+triepod-ai@users.noreply.github.com> * fix: Clarify default read-only behavior in execute_query description Updated description to accurately reflect that by default only read-only queries (SELECT, SHOW, DESCRIBE, EXPLAIN) are allowed for security. DML/DDL operations require TRINO_ALLOW_WRITE_QUERIES=true. Addresses CodeRabbit review feedback. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: triepod-ai <199543909+triepod-ai@users.noreply.github.com> --------- Signed-off-by: triepod-ai <199543909+triepod-ai@users.noreply.github.com> Co-authored-by: triepod-ai <noreply@github.com>
Pr/tommynguyen vungle/142 (#143) * [PE-7844] send per-query user identity to Trino (#29) * added method to retrieve user from context Signed-off-by: Zhong Liang Ong <zong@liftoff.io> * added run apk update to fix docker build error * add run apk update to runtime container to fix docker build error Signed-off-by: Zhong Liang Ong <zong@liftoff.io> * add run apk update to runtime container to fix docker build error Signed-off-by: Zhong Liang Ong <zong@liftoff.io> * manually update alpine linux version to fix execve error in busybox-1.37.0-r29.trigger Signed-off-by: Zhong Liang Ong <zong@liftoff.io> * updated trino per query arguments Signed-off-by: Zhong Liang Ong <zong@liftoff.io> * updated oauth-mcp-proxy to remove scopes_supported in oauth-protected-resource route Signed-off-by: Zhong Liang Ong <zong@liftoff.io> --------- Signed-off-by: Zhong Liang Ong <zong@liftoff.io> * docs: document query attribution and impersonation identity tracking Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> * ci: upload Trivy SARIF only when file exists Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> * build: bump Go version to 1.24.11 Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> --------- Signed-off-by: Zhong Liang Ong <zong@liftoff.io> Signed-off-by: Tommy Nguyen <tuannvm@hotmail.com> Co-authored-by: Zhong Liang Ong <zong@liftoff.io>
chore(deps): bump github.com/tuannvm/oauth-mcp-proxy from 1.0.0 to 1.… …0.1 (#130) Bumps [github.com/tuannvm/oauth-mcp-proxy](https://github.com/tuannvm/oauth-mcp-proxy) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/tuannvm/oauth-mcp-proxy/releases) - [Changelog](https://github.com/tuannvm/oauth-mcp-proxy/blob/main/.goreleaser.yml) - [Commits](tuannvm/oauth-mcp-proxy@v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: github.com/tuannvm/oauth-mcp-proxy dependency-version: 1.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tommy Nguyen <tuannvm@users.noreply.github.com>
PreviousNext