Trino MCP Server in Go

A high-performance Model Context Protocol (MCP) server for Trino implemented in Go. This project enables AI assistants to seamlessly interact with Trino's distributed SQL query engine through standardized MCP tools.

GitHub Workflow Status Go Version Trivy Scan SLSA 3 Go Report Card Go Reference Docker Image GitHub Release License: MIT

Trust Score

Overview

This project implements a Model Context Protocol (MCP) server for Trino in Go. It enables AI assistants to access Trino's distributed SQL query engine through standardized MCP tools.

Trino (formerly PrestoSQL) is a powerful distributed SQL query engine designed for fast analytics on large datasets.

Architecture

Key Components:

  • AI Clients: Various MCP-compatible applications

  • Authentication: Optional OAuth 2.0 with OIDC providers

  • MCP Server: Go-based server with dual transport support

  • Data Layer: Trino cluster connecting to multiple data sources

Features

  • ✅ MCP server implementation in Go

  • ✅ Trino SQL query execution through MCP tools

  • ✅ Catalog, schema, and table discovery

  • ✅ Docker container support

  • ✅ Supports both STDIO and HTTP transports

  • ✅ OAuth 2.0 authentication with OIDC provider support (Okta, Google, Azure AD)

    • Native mode: Direct OAuth with zero server-side secrets

    • Proxy mode: Centralized OAuth with fixed/allowlist redirect URIs

    • HMAC-SHA256 state signing for multi-pod deployments

    • PKCE support for enhanced security

    • Defense-in-depth security model with four independent validation layers

  • ✅ StreamableHTTP support with JWT authentication (upgraded from SSE)

  • ✅ Backward compatibility with SSE endpoints

  • ✅ Compatible with Cursor, Claude Desktop, Windsurf, ChatWise, and any MCP-compatible clients.

Installation & Quick Start

Install:

# Homebrew
brew install tuannvm/mcp/mcp-trino

# Or one-liner (macOS/Linux)
curl -fsSL https://raw.githubusercontent.com/tuannvm/mcp-trino/main/install.sh | bash

Run (Local Development):

export TRINO_HOST=localhost TRINO_USER=trino
mcp-trino

For production deployment with OAuth, see Deployment Guide and OAuth Architecture.

Usage

Supported Clients: Claude Desktop, Claude Code, Cursor, Windsurf, ChatWise

Available Tools: execute_query, list_catalogs, list_schemas, list_tables, get_table_schema, explain_query

For client integration and tool documentation, see Integration Guide and Tools Reference.

Configuration

Key Variables: TRINO_HOST, TRINO_USER, TRINO_SCHEME, MCP_TRANSPORT, OAUTH_PROVIDER

OAuth Configuration:

# Native mode (most secure - zero server-side secrets)
export OAUTH_ENABLED=true OAUTH_MODE=native OAUTH_PROVIDER=okta
export OIDC_ISSUER=https://company.okta.com OIDC_AUDIENCE=https://mcp-server.com

# Proxy mode (centralized credential management)
export OAUTH_MODE=proxy OIDC_CLIENT_ID=app-id OIDC_CLIENT_SECRET=secret
export OAUTH_REDIRECT_URI=https://mcp-server.com/oauth/callback  # Fixed mode (localhost-only)
export OAUTH_REDIRECT_URI=https://app1.com/cb,https://app2.com/cb  # Allowlist mode
export JWT_SECRET=$(openssl rand -hex 32)  # Required for multi-pod deployments

Performance Optimization:

# Focus AI on specific schemas only (10-20x performance improvement)
export TRINO_ALLOWED_SCHEMAS="hive.analytics,hive.marts,hive.reporting"

For complete configuration, see Deployment Guide, OAuth Architecture, and Allowlists Guide.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.

CI/CD and Releases

This project uses GitHub Actions for continuous integration and GoReleaser for automated releases.

Continuous Integration Checks

Our CI pipeline performs the following checks on all PRs and commits to the main branch:

Code Quality

  • Linting: Using golangci-lint to check for common code issues and style violations

  • Go Module Verification: Ensuring go.mod and go.sum are properly maintained

  • Formatting: Verifying code is properly formatted with gofmt

Security

  • Vulnerability Scanning: Using govulncheck to check for known vulnerabilities in dependencies

  • Dependency Scanning: Using Trivy to scan for vulnerabilities in dependencies (CRITICAL, HIGH, and MEDIUM)

  • SBOM Generation: Creating a Software Bill of Materials for dependency tracking

  • SLSA Provenance: Creating verifiable build provenance for supply chain security

Testing

  • Unit Tests: Running tests with race detection and code coverage reporting

  • Build Verification: Ensuring the codebase builds successfully

CI/CD Security

  • Least Privilege: Workflows run with minimum required permissions

  • Pinned Versions: All GitHub Actions use specific versions to prevent supply chain attacks

  • Dependency Updates: Automated dependency updates via Dependabot

Release Process

When changes are merged to the main branch:

  1. CI checks are run to validate code quality and security

  2. If successful, a new release is automatically created with:

    • Semantic versioning based on commit messages

    • Binary builds for multiple platforms

    • Docker image publishing to GitHub Container Registry

    • SBOM and provenance attestation

NextCLAUDE.md

Last updated

Was this helpful?