[baobun]

> So, how would we do that? The underlying API token provides complete access to the database and the MCP server is issuing all of the queries as god (the service_role).

I guess almost always you can do it with a proxy... Hook the MCP server up to your proxy (having it think it's the DB) and let the application proxy auth directly to the resource (preferrable with scoped and short-lived creds), restricting and filtering as necessary. For a Postgres DB that could be pgbouncer. Or you (cough) write up an ad-hoc one in go or something.

Like, you don't need to give it service_role for real.

[saurik]

Sure. If the MCP server is something you are running locally then you can do that, but you are now subject to parser differential attacks (which, FWIW, is the bane of existence for tools like pgbouncer, both from the perspective of security and basic functionality)... tread carefully ;P.

Regardless, that is still on the other side of the MCP server: my contention with tptacek is merely about whether we can do this filtration in the client somewhere (in particular if we can do it with business logic between the ticket parser and the SQL executor, but also anywhere else).