refactor: centralize MCP database auth check in resolveDatabase

Move canAccessToDatabase guard into MCPToolUtils.resolveDatabase so all
tools benefit consistently and restricted users who mistype a database
name get the helpful "available databases" list rather than a bare
SecurityException. Also switch to removeIf + canAccessToDatabase for
the available-databases filter, dropping the manual wildcard check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: robfrank

server/src/main/java/com/arcadedb/server/mcp/tools/ExecuteCommandTool.java

@@ -72,9 +72,6 @@ public static JSONObject execute(final ArcadeDBServer server, final ServerSecuri
     final String command = args.getString("command");
     final int limit = args.getInt("limit", DEFAULT_LIMIT);
 
-    if (!user.canAccessToDatabase(databaseName))
-      throw new SecurityException("User '" + user.getName() + "' is not authorized to access database '" + databaseName + "'");
-
     final Database database = MCPToolUtils.resolveDatabase(server, user, databaseName);
 
     // Analyze once for both permission checking and execution (avoids double parsing)

server/src/main/java/com/arcadedb/server/mcp/tools/GetSchemaTool.java

@@ -57,9 +57,6 @@ public static JSONObject execute(final ArcadeDBServer server, final ServerSecuri
 
     final String databaseName = args.getString("database");
 
-    if (!user.canAccessToDatabase(databaseName))
-      throw new SecurityException("User '" + user.getName() + "' is not authorized to access database '" + databaseName + "'");
-
     final Database database = MCPToolUtils.resolveDatabase(server, user, databaseName);
 
     final Schema schema = database.getSchema();

server/src/main/java/com/arcadedb/server/mcp/tools/MCPToolUtils.java

@@ -39,13 +39,13 @@ public static ServerDatabase resolveDatabase(final ArcadeDBServer server, final
       final String databaseName) {
     if (!server.existsDatabase(databaseName)) {
       final Set<String> installed = new TreeSet<>(server.getDatabaseNames());
-      final Set<String> allowed = user.getAuthorizedDatabases();
-      if (!allowed.contains("*"))
-        installed.retainAll(allowed);
+      installed.removeIf(db -> !user.canAccessToDatabase(db));
       throw new IllegalArgumentException(
           "Database '" + databaseName + "' does not exist. Available databases: " + installed
               + ". Use one of these names or call list_databases to refresh the list.");
     }
+    if (!user.canAccessToDatabase(databaseName))
+      throw new SecurityException("User '" + user.getName() + "' is not authorized to access database '" + databaseName + "'");
     return server.getDatabase(databaseName);
   }
 }

server/src/main/java/com/arcadedb/server/mcp/tools/QueryTool.java

@@ -20,13 +20,13 @@
 
 import com.arcadedb.database.Database;
 import com.arcadedb.query.QueryEngine;
-import com.arcadedb.server.mcp.MCPConfiguration;
 import com.arcadedb.query.sql.executor.Result;
 import com.arcadedb.query.sql.executor.ResultSet;
 import com.arcadedb.serializer.JsonSerializer;
 import com.arcadedb.serializer.json.JSONArray;
 import com.arcadedb.serializer.json.JSONObject;
 import com.arcadedb.server.ArcadeDBServer;
+import com.arcadedb.server.mcp.MCPConfiguration;
 import com.arcadedb.server.security.ServerSecurityUser;
 
 import java.util.Collections;
@@ -73,9 +73,6 @@ public static JSONObject execute(final ArcadeDBServer server, final ServerSecuri
     final String query = args.getString("query");
     final int limit = args.getInt("limit", DEFAULT_LIMIT);
 
-    if (!user.canAccessToDatabase(databaseName))
-      throw new SecurityException("User '" + user.getName() + "' is not authorized to access database '" + databaseName + "'");
-
     final Database database = MCPToolUtils.resolveDatabase(server, user, databaseName);
 
     // Verify the query is actually read-only using semantic analysis