{"id":41605202,"url":"https://github.com/fclairamb/dbbat","last_synced_at":"2026-04-15T01:00:58.231Z","repository":{"id":331742979,"uuid":"1130706997","full_name":"fclairamb/dbbat","owner":"fclairamb","description":"🦇","archived":false,"fork":false,"pushed_at":"2026-04-13T18:13:28.000Z","size":3696,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T20:12:50.994Z","etag":null,"topics":["audit","iso27001","observability","postgresql","proxy"],"latest_commit_sha":null,"homepage":"https://dbbat.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fclairamb.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-08T22:25:49.000Z","updated_at":"2026-04-13T18:13:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fclairamb/dbbat","commit_stats":null,"previous_names":["fclairamb/dbbat"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/fclairamb/dbbat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fclairamb%2Fdbbat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fclairamb%2Fdbbat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fclairamb%2Fdbbat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fclairamb%2Fdbbat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fclairamb","download_url":"https://codeload.github.com/fclairamb/dbbat/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fclairamb%2Fdbbat/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31821685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"ssl_error","status_checked_at":"2026-04-14T18:05:01.765Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","iso27001","observability","postgresql","proxy"],"created_at":"2026-01-24T11:11:14.654Z","updated_at":"2026-04-15T01:00:58.212Z","avatar_url":"https://github.com/fclairamb.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DBBat - PostgreSQL Observability Proxy\n\n**Give your devs access to prod.**\n\nA transparent PostgreSQL proxy for query observability, access control, and safety. Every query logged. Every connection tracked.\n\n## Documentation\n\nFull documentation is available at **[dbbat.com](https://dbbat.com)**:\n- [Getting Started](https://dbbat.com/docs/intro)\n- [Installation](https://dbbat.com/docs/installation/docker)\n- [Configuration](https://dbbat.com/docs/configuration)\n- [API Reference](https://dbbat.com/docs/api)\n\n## Why DBBat?\n\n**The Problem:**\n- Production databases should not be directly accessible to developers for security and compliance reasons\n- Developers often need access to production data to diagnose issues, debug problems, and understand user behavior\n- Traditional solutions are binary: either full access (risky) or no access (blocks troubleshooting)\n\n**The Solution:**\n\nDBBat acts as a monitoring proxy that allows controlled developer access to production databases with:\n- **Complete monitoring**: Every query and result is logged with full traceability\n- **Strict limitations**: Time-windowed access, read/write controls, query quotas, and data transfer limits\n- **Full audit trail**: Track who accessed what, when, and what data they retrieved\n- **Encrypted credentials**: Database passwords never exposed to users\n- **Granular access control**: Grant temporary access to specific databases with precise permissions\n\n## Features\n\n- **User Management**: Authenticate users with username/password, role-based access control\n- **Database Configuration**: Store target database connections with encrypted credentials\n- **Connection \u0026 Query Tracking**: Log all connections and queries with timing and results\n- **Access Control**: Time-windowed access grants with controls (`read_only`, `block_copy`, `block_ddl`) and quotas\n- **REST API**: Full API for management and observability\n- **PostgreSQL Proxy**: Transparent proxy with wire protocol support\n\n## Quick Start\n\n### Running with Docker\n\n```bash\ndocker run -d \\\n  -e DBB_DSN=\"postgres://user:pass@host:5432/dbbat?sslmode=require\" \\\n  -p 5434:5434 \\\n  -p 8080:8080 \\\n  ghcr.io/fclairamb/dbbat\n```\n\n### Running with Docker Compose\n\nSee [docker-compose installation](https://dbbat.com/docs/installation/docker-compose) for a complete example.\n\n## Usage Example\n\nAll API endpoints are under `/api/v1/`. See the [API Reference](https://dbbat.com/docs/api) for complete documentation.\n\n### 1. Login and get a token\n\n```bash\nTOKEN=$(curl -s -X POST http://localhost:8080/api/v1/auth/login \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\": \"admin\", \"password\": \"admin\"}' | jq -r '.token')\n```\n\n### 2. Create a User\n\n```bash\ncurl -X POST http://localhost:8080/api/v1/users \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"username\": \"developer\",\n    \"password\": \"temppass123\",\n    \"roles\": [\"connector\"]\n  }'\n```\n\n### 3. Configure a Target Database\n\n```bash\ncurl -X POST http://localhost:8080/api/v1/databases \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"production\",\n    \"description\": \"Production database\",\n    \"host\": \"db.example.com\",\n    \"port\": 5432,\n    \"database_name\": \"myapp\",\n    \"username\": \"readonly_user\",\n    \"password\": \"dbpass\",\n    \"ssl_mode\": \"require\"\n  }'\n```\n\n### 4. Grant Access\n\n```bash\ncurl -X POST http://localhost:8080/api/v1/grants \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"user_id\": \"\u003cuser-uid\u003e\",\n    \"database_id\": \"\u003cdatabase-uid\u003e\",\n    \"controls\": [\"read_only\"],\n    \"starts_at\": \"2024-01-01T00:00:00Z\",\n    \"expires_at\": \"2024-12-31T23:59:59Z\",\n    \"max_query_counts\": 1000,\n    \"max_bytes_transferred\": 10485760\n  }'\n```\n\n### 5. Connect via Proxy\n\n```bash\npsql -h localhost -p 5434 -U developer -d production\n```\n\n## Configuration\n\n| Variable | Description | Default |\n|----------|-------------|---------|\n| `DBB_DSN` | PostgreSQL DSN for DBBat storage | Required |\n| `DBB_LISTEN_PG` | Proxy listen address | `:5434` |\n| `DBB_LISTEN_API` | REST API listen address | `:8080` |\n| `DBB_KEY` | Base64-encoded AES-256 encryption key | Auto-generated |\n| `DBB_KEYFILE` | Path to file containing encryption key | - |\n| `DBB_RUN_MODE` | Run mode: empty, `test`, or `demo` | - |\n\nSee [Configuration](https://dbbat.com/docs/configuration) for all options.\n\n## Security\n\n- User passwords are hashed with Argon2id\n- Database credentials are encrypted with AES-256-GCM\n- Default admin user (username: `admin`, password: `admin`) is created on first startup - **change this immediately!**\n\n## Architecture\n\n```\nClient -\u003e DBBat (auth + grant check) -\u003e Target PostgreSQL\n```\n\n## Development\n\n```bash\nmake dev          # Start dev environment with hot reload\nmake test         # Run tests\nmake build-app    # Build frontend + backend\nmake lint         # Run linter\n```\n\nSee [CLAUDE.md](CLAUDE.md) for development documentation.\n\n## License\n\nAGPL-3.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffclairamb%2Fdbbat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffclairamb%2Fdbbat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffclairamb%2Fdbbat/lists"}