# CoreMCP Configuration Example # Copy this file to coremcp.yaml and customize for your environment server: name: "coremcp-agent" # version: optional. Defaults to the binary version compiled in via -ldflags # (shown by `coremcp version`). Override only if you need to advertise a # different version string to MCP clients. transport: "stdio" # stdio (for Claude Desktop) or http (for remote server) port: 8080 # Only used in http mode logging: level: "info" # debug, info, warn, error format: "json" # text or json # Database sources configuration sources: # Example: Dummy database (for testing) - name: "test_db" type: "dummy" dsn: "dummy://test" readonly: true # Example: Microsoft SQL Server (modern - 2012 or newer) # - name: "production_db" # type: "mssql" # dsn: "sqlserver://username:password@localhost:1433?database=mydb&encrypt=disable" # readonly: true # no_lock: true # Use READ UNCOMMITTED isolation (equivalent to WITH (NOLOCK)) # # Eliminates shared locks on busy OLTP databases. # # Trade-off: may read uncommitted rows. # # Recommended for AI / reporting workloads. # Example: Legacy Turkish ERP (SQL Server 2000 / 2008 with Turkish_CI_AS collation) # CoreMCP auto-detects the SQL Server version on connect and adapts queries: # - SQL Server 2000: uses sysobjects / sysforeignkeys instead of sys.* views # - SQL Server 2008 and older: rewrites OFFSET FETCH to SELECT TOP N automatically # - All versions: rewrites LIMIT N to SELECT TOP N (T-SQL compatibility) # - name: "erp_db" # type: "mssql" # dsn: "sqlserver://sa:password@192.168.1.10:1433?database=ERPDB&encrypt=disable" # readonly: false # Override default (true) to allow execute_procedure tool # no_lock: true # Avoid locking on busy OLTP # normalize_turkish: true # Normalize Turkish chars in SQL literals for legacy Turkish_CI_AS databases # # Outgoing: 'Huseyin' to 'HUSEYIN', 'seker' to 'SEKER' inside WHERE clauses # # Incoming: auto-corrects Windows-1254 / Windows-1252 mojibake in results # Example: REST API (OpenAPI/Swagger) # Use `base_url` + optional `spec_url` and `api_key` instead of a raw dsn. # CoreMCP discovers endpoints from the OpenAPI spec at startup and exposes # each path as an MCP tool. Without a spec_url the adapter still allows # query_database calls against arbitrary paths. # - name: "stripe_api" # type: "rest" # base_url: "https://api.stripe.com/v1" # api_key: "sk_live_..." # sent as "Authorization: Bearer " # spec_url: "https://api.stripe.com/openapi.json" # optional OpenAPI discovery # readonly: true # REST sources default to read-only # timeout: 30 # request timeout in seconds (default: 30) # headers: # any extra HTTP headers # Stripe-Version: "2024-06-20" # Example: GraphQL API (with introspection) # CoreMCP sends an introspection query on connect and maps every query / # mutation to an MCP tool. Set introspection_enabled: false on the # matching API connection in the CoreBase panel if the server blocks it. # - name: "shopify_gql" # type: "graphql" # base_url: "https://mystore.myshopify.com/api/2024-01/graphql.json" # api_key: "shpat_..." # sent as "Authorization: Bearer " # readonly: true # timeout: 30 # headers: # X-Shopify-Access-Token: "shpat_..." # Example: Firebird (not implemented yet) # - name: "legacy_db" # type: "firebird" # dsn: "firebird://user:password@localhost:3050/database.fdb" # readonly: true # DSN Format Examples: # MSSQL: sqlserver://username:password@host:port?database=dbname&encrypt=disable # REST: rest://api.example.com/v1?apiKey=xxx&specURL=https://…/openapi.json # (built automatically from base_url / api_key / spec_url / headers) # GraphQL: graphql://api.example.com/graphql?apiKey=xxx # (built automatically from base_url / api_key / headers) # Dummy: dummy://anything # # MSSQL Version Support (auto-detected - no manual config required): # SQL Server 2000 (v8) - sysobjects/sysforeignkeys; no column descriptions # SQL Server 2005 (v9) - INFORMATION_SCHEMA + sys.* views; column descriptions via sys.extended_properties # SQL Server 2008 (v10) - same as 2005; OFFSET FETCH not supported (auto-rewritten to TOP) # SQL Server 2012+ (v11) - full support including OFFSET FETCH pagination # SQL Server 2019 (v15) - full support # SQL Server 2022 (v16) - full support # Security configuration security: # Maximum number of rows to return from any query (prevents DB overload) max_row_limit: 1000 # Enable PII (Personally Identifiable Information) masking enable_pii_masking: true # PII patterns to mask in query results pii_patterns: - name: "credit_card" pattern: '\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b' replacement: "****-****-****-****" enabled: true - name: "email" pattern: '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' replacement: "***@***.***" enabled: true - name: "turkish_id" pattern: '\b[1-9]\d{10}\b' replacement: "***********" enabled: true - name: "phone" pattern: '\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b' replacement: "***-***-****" enabled: true - name: "iban" pattern: '\b[A-Z]{2}\d{2}[A-Z0-9]{1,30}\b' replacement: "********************" enabled: false # Disabled by default # Additional SQL keywords to allow (beyond SELECT/WITH) allowed_keywords: [] # Additional SQL keywords to block (beyond default dangerous ones) blocked_keywords: [] # Custom tools configuration (optional) # Define reusable SQL queries as MCP tools. # In addition to these, the following built-in tools are always available: # query_database - execute any SQL query # list_tables - list all tables with column counts # describe_table - show full schema of a table (columns, PKs, FKs, descriptions) # list_views - list all views with their columns # list_procedures - list all stored procedures with parameters # execute_procedure - run a stored procedure (requires readonly: false on the source) custom_tools: # Each parameter accepts an optional `type` field that constrains what values # the AI is allowed to pass. Using a precise type is strongly recommended # to prevent SQL injection when the value is interpolated into the query: # # type: integer — only bare integers accepted (e.g. 42); safe unquoted # type: number — integers and decimals (e.g. 3.14); safe unquoted # type: date — YYYY-MM-DD only (e.g. 2024-01-31); wrap in quotes in template # type: identifier — letters/digits/underscores only; safe unquoted # type: string — default; single quotes escaped ('→''); ALWAYS wrap {{param}} in # quotes inside the query template: WHERE name = '{{name}}' # # Values that fail type validation are rejected before the query runs, so # payloads like "1 OR 1=1" are blocked when type is "integer" or "identifier". # Example: Get daily sales summary - name: "get_daily_sales" description: "Retrieves daily sales summary for a specific date" source: "test_db" query: "SELECT * FROM orders WHERE DATE(created_at) = '{{date}}'" parameters: - name: "date" description: "Date in YYYY-MM-DD format" required: true type: "date" # enforces YYYY-MM-DD; blocks arbitrary strings # Example: Get top customers - name: "get_top_customers" description: "Lists top N customers by order count" source: "test_db" query: "SELECT user_id, COUNT(*) as order_count FROM orders GROUP BY user_id ORDER BY order_count DESC LIMIT {{limit}}" parameters: - name: "limit" description: "Number of top customers to return" required: true default: "10" type: "integer" # prevents "1 OR 1=1" style injections # Example: No-parameter custom query - name: "get_pending_orders" description: "Gets all orders with pending status" source: "test_db" query: "SELECT * FROM orders WHERE status = 'pending' ORDER BY created_at DESC" parameters: []