fix: Enforce read-only mode, add connection whitelist, improve unsupported driver errors

- Fix read-only mode bypass: execute_query now enforces SELECT-only, transaction
  tools blocked in read-only mode (fixes #19)
- Add DBEAVER_ALLOWED_CONNECTIONS env var for connection whitelisting (fixes #20)
- Improve error messages for unsupported database drivers with clear guidance on
  supported drivers and workarounds (fixes #17)
- Fix UPDATE validation regex that incorrectly blocked UPDATE with WHERE
- Fix infinite recursion in connection wrapper methods
- Bump version to 1.2.5
- Update README, CHANGELOG, example config with new features

Author: srthkdev

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.5] - 2026-02-15
+
+### Added
+- Connection whitelist via `DBEAVER_ALLOWED_CONNECTIONS` environment variable — restrict which DBeaver connections are visible by ID or name
+- `enforceReadOnly()` query-level enforcement — `execute_query` now strictly allows only read-only statements (SELECT, EXPLAIN, SHOW, DESCRIBE, PRAGMA)
+- Test queries for SAP HANA (`SELECT * FROM DUMMY`) and DB2 (`SYSIBM.SYSDUMMY1`)
+
+### Fixed
+- **Read-only mode bypass (Issue #19)**: `execute_query` no longer allows write operations (INSERT/UPDATE/DELETE/CREATE/ALTER/DROP). Transaction tools (`begin_transaction`, `commit_transaction`, `rollback_transaction`, `execute_in_transaction`) are now blocked in read-only mode.
+- **Unsupported driver errors (Issue #17)**: DBeaver CLI fallback now provides clear, actionable error messages listing natively supported drivers and workarounds. DBeaver availability is checked before attempting CLI fallback.
+- **UPDATE validation regex**: `UPDATE ... SET ... WHERE ...` was incorrectly blocked by the dangerous query filter. The regex now correctly allows UPDATE with WHERE clause.
+
+### Changed
+- DBeaver CLI fallback uses connection name-based spec for better compatibility
+
 ## [1.2.4] - 2026-01-15
 
 ### Added

README.md

@@ -57,6 +57,7 @@ Add to your Claude Desktop config (`~/Library/Application Support/Claude/claude_
 | `DBEAVER_TIMEOUT` | Query timeout (ms) | `30000` |
 | `DBEAVER_DEBUG` | Enable debug logging | `false` |
 | `DBEAVER_READ_ONLY` | Disable write operations | `false` |
+| `DBEAVER_ALLOWED_CONNECTIONS` | Comma-separated whitelist of connection IDs or names | All |
 | `DBEAVER_DISABLED_TOOLS` | Comma-separated tools to disable | None |
 | `DBEAVER_POOL_MIN` | Minimum connections per pool | `2` |
 | `DBEAVER_POOL_MAX` | Maximum connections per pool | `10` |
@@ -78,6 +79,23 @@ Add to your Claude Desktop config (`~/Library/Application Support/Claude/claude_
 }
 ```
 
+### Connection Whitelist
+
+Restrict which DBeaver connections are visible to the AI assistant. Accepts connection IDs or display names, comma-separated:
+
+```json
+{
+  "mcpServers": {
+    "dbeaver": {
+      "command": "dbeaver-mcp-server",
+      "env": {
+        "DBEAVER_ALLOWED_CONNECTIONS": "dev-postgres,staging-mysql"
+      }
+    }
+  }
+}
+```
+
 ### Disable Specific Tools
 
 ```json

examples/claude-desktop-config.json

@@ -9,18 +9,20 @@
     }
   },
   "explanation": {
-    "purpose": "Enhanced DBeaver MCP Server configuration for Claude Desktop",
+    "purpose": "DBeaver MCP Server configuration for Claude Desktop",
     "features": [
-      "Universal database support (200+ databases)",
-      "Resource-based schema browsing",
-      "Business insights tracking",
-      "Complete DDL operations",
-      "Multiple export formats",
-      "Advanced safety features"
+      "Native query execution for PostgreSQL, MySQL/MariaDB, SQLite, SQL Server",
+      "DBeaver CLI fallback for other database types",
+      "Connection pooling and transaction support",
+      "Query execution plan analysis (EXPLAIN)",
+      "Schema comparison between connections",
+      "Connection whitelisting for access control",
+      "Read-only mode and tool filtering",
+      "Data export to CSV/JSON"
     ],
     "tools_available": [
       "list_connections",
-      "get_connection_info", 
+      "get_connection_info",
       "execute_query",
       "write_query",
       "create_table",
@@ -31,19 +33,31 @@
       "export_data",
       "test_connection",
       "get_database_stats",
+      "begin_transaction",
+      "commit_transaction",
+      "rollback_transaction",
+      "execute_in_transaction",
+      "explain_query",
+      "compare_schemas",
+      "get_pool_stats",
       "append_insight",
       "list_insights"
     ],
     "environment_variables": {
       "DBEAVER_PATH": "Custom path to DBeaver executable (auto-detected if not set)",
+      "DBEAVER_WORKSPACE": "Custom DBeaver workspace path (OS default if not set)",
       "DBEAVER_TIMEOUT": "Query timeout in milliseconds (default: 30000)",
-      "DBEAVER_DEBUG": "Enable debug logging (true/false)"
+      "DBEAVER_DEBUG": "Enable debug logging (true/false)",
+      "DBEAVER_READ_ONLY": "Disable all write operations (true/false)",
+      "DBEAVER_ALLOWED_CONNECTIONS": "Comma-separated whitelist of connection IDs or names",
+      "DBEAVER_DISABLED_TOOLS": "Comma-separated list of tools to disable"
     },
     "configuration_examples": {
       "production": {
         "command": "dbeaver-mcp-server",
         "env": {
-          "DBEAVER_DEBUG": "false",
+          "DBEAVER_READ_ONLY": "true",
+          "DBEAVER_ALLOWED_CONNECTIONS": "prod-readonly",
           "DBEAVER_TIMEOUT": "60000"
         }
       },
@@ -54,12 +68,12 @@
           "DBEAVER_TIMEOUT": "30000"
         }
       },
-      "custom_path": {
+      "restricted": {
         "command": "dbeaver-mcp-server",
         "env": {
-          "DBEAVER_PATH": "/custom/path/to/dbeaver",
-          "DBEAVER_DEBUG": "false",
-          "DBEAVER_TIMEOUT": "45000"
+          "DBEAVER_READ_ONLY": "true",
+          "DBEAVER_DISABLED_TOOLS": "drop_table,alter_table",
+          "DBEAVER_ALLOWED_CONNECTIONS": "analytics-db,reporting-db"
         }
       }
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "dbeaver-mcp-server",
-  "version": "1.2.4",
+  "version": "1.2.5",
   "description": "Production-ready Model Context Protocol server for universal database access through DBeaver connections - supports 200+ database types",
   "main": "dist/index.js",
   "type": "module",

src/index.ts

@@ -176,7 +176,7 @@ class DBeaverMCPServer {
    * Get all connections, filtered by the whitelist.
    */
   private async getFilteredConnections(): Promise<DBeaverConnection[]> {
-    const connections = await this.getFilteredConnections();
+    const connections = await this.configParser.parseConnections();
     if (!this.allowedConnections) return connections;
     return connections.filter((conn) => this.isConnectionAllowed(conn));
   }
@@ -185,7 +185,7 @@ class DBeaverMCPServer {
    * Get a single connection by ID/name, respecting the whitelist.
    */
   private async getConnection(connectionId: string): Promise<DBeaverConnection | null> {
-    const connection = await this.getConnection(connectionId);
+    const connection = await this.configParser.getConnection(connectionId);
     if (!connection) return null;
     if (!this.isConnectionAllowed(connection)) return null;
     return connection;