| mcp | Oracle SQLcl MCP Server (built into SQLcl 25.4+) | ||||
|---|---|---|---|---|---|
| mcpUrl | https://docs.oracle.com/en/database/oracle/sql-developer-command-line/26.1/sqcug/using-oracle-sqlcl-mcp-server.html | ||||
| testedVersion | SQLcl 26.1.0.0 / sqlcl-mcp-server 1.0.0 | ||||
| testedAt | 2026-05-05 | ||||
| maintainer | @giancarloerra | ||||
| category | databases | ||||
| status | probed | ||||
| tags |
|
Wraps the Oracle SQLcl built-in MCP server (SQLcl 25.4+). SQLcl is Oracle's command-line client for Oracle Database; from version 25.4 it ships an MCP server that exposes saved connections, schema metadata, and SQL execution as MCP tools.
This lens locks the surface to read-only by:
- Blocking
run-sqlcl— the SQLcl meta-command tool can executeHOST(shell escape),SPOOL,SCRIPT/START, and other client-side primitives that have nothing to do with an LLM data path. Hidden from the surface entirely. sqlGuard-ingrun-sql— the SQL execution tool accepts any SQL string. JanuScope's keyword guard rejects statements containingINSERT / UPDATE / DELETE / DROP / CREATE / ALTER / TRUNCATE / GRANT / MERGE / RENAME / etc., lettingSELECTandWITH ... SELECTqueries through.- Redacting PII in result frames (CSV from
run-sql, JSON fromschema-information). - Auditing every tool call to
~/mcp-audit-oracle.jsonl.
block—run-sqlcl(SQLcl meta-commands incl shell escape).sqlGuard—run-sqlonly,sqlArg: sql,readOnly: true.instructions— read-only banner reminding the LLM to uselist-connections→connect→schema-information→run-sql.redact— field-path rules on common PII field names (lower AND upper case for Oracle's default UPPERCASE identifier folding) plus value-shape regexes for SSN and PAN-shaped digit runs.audit— JSONL compliance log at~/mcp-audit-oracle.jsonl.
No dbSchema: SQLcl's own schema-information tool exposes the same
data on demand and is the canonical path the MCP advertises to clients.
Probed against SQLcl 26.1 / sqlcl-mcp-server 1.0.0 on 2026-05-05:
| Tool | Kind | Treatment |
|---|---|---|
list-connections |
read (metadata) | passes through |
connect |
state | passes through |
disconnect |
state | passes through |
schema-information |
read (metadata) | passes through |
dbtools-get-tool-request |
read (status) | passes through |
run-sql |
arbitrary SQL | sqlGuard ed |
run-sqlcl |
arbitrary CLI | blocked |
- Oracle SQLcl 25.4 or later on PATH (the lens spawns
sql -mcp):- Download: https://www.oracle.com/database/sqldeveloper/technologies/sqlcl/download/
- Or direct:
https://download.oracle.com/otn_software/java/sqldeveloper/sqlcl-latest.zip - Unzip and put
<sqlcl-dir>/binon PATH. - Verify:
sql -Vshould printSQLcl: Release 25.4 Productionor newer.
- A SQLcl named connection for the database the LLM may read:
The MCP's
sql /nolog SQL> connect -save my-readonly-conn -savepwd readonly_user/<pwd>@//host:port/SERVICE SQL> exit
list-connectionstool will returnmy-readonly-conn; the LLM usesconnect my-readonly-connbefore running queries. - A read-only Oracle user at the data path (layer 3, mandatory
for production). The
sqlGuardoverlay rejects writes at the proxy, but the database role is the only thing that physically prevents writes if anything else (SQLDeveloper, sqlplus, a CI job) connects to the same DB. Provision the user withCREATE SESSIONandSELECTon the schemas the LLM should see; do not grantINSERT / UPDATE / DELETE / CREATEeven on the lens's own workspace. See SECURITY.md.
SQLcl reads its connection definitions from your local SQLcl
configuration (managed via connmgr). JanuScope does not relay or
rename any credentials — whatever SQLcl saves locally, it keeps using.
There are no MCP-specific environment variables.
If you need to point SQLcl at a non-default config directory, set
SQLCL_HOME or JAVA_TOOL_OPTIONS per Oracle's docs; both pass
through to the spawned target unchanged.
{
"mcpServers": {
"oracle-db": {
"command": "januscope",
"args": ["--config", "oracle-db-sqlcl"]
}
}
}The lens spawns sql -mcp directly; SQLcl picks up the saved
connection from your user-level SQLcl config.
A live tools/list against sql -mcp returned the seven tools shown
in the table above. The probe was driven against Oracle Database 26ai
Free Release 23.26.1.0.0 running in gvenzl/oracle-free on Docker
Desktop. The lens config blocks run-sqlcl outright and applies
keyword-level write guards to run-sql, leaving list-connections,
connect, disconnect, schema-information, dbtools-get-tool-request,
and the read-only-shaped run-sql available to the LLM.
SQLcl 26.1's MCP server speaks MCP protocol 2024-11-05 rather than
the latest 2025-06-18. JanuScope is protocol-agnostic and does not
re-negotiate the version. If your MCP client requests 2025-06-18,
SQLcl downgrades the response to 2024-11-05 with a
WARNING: Client requested unsupported protocol version log line on
stderr. This is benign — JanuScope drops the stderr line and the
session proceeds normally on the older protocol.
- 2026-05-05 — Initial contribution (@giancarloerra). Probed against SQLcl 26.1.0.0 + Oracle Database 26ai Free Release 23.26.1.0.0 (linux/arm64) on Docker Desktop.