The easiest MCP database server to build is also the riskiest:
Expose a broad query tool.
Point it at production.
Trust the model to behave.
That is not a production access model. It is a demo.
For real teams, the tool catalog should be designed with least privilege:
- workflow-specific tools
- approved views instead of raw tables
- per-user and tenant scope
- read/write separation
- row, time, and cost budgets
- redaction before summarization
- approval gates for mutations
- structured refusal when scope is missing
The tool list is not just developer convenience. It is part of the permission boundary.
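As an added illustration (not code from the original post), here is a minimal Python sketch of such a catalog: two workflow-specific tools over an approved view, per-caller tenant scope bound server-side, a read-only connection for read tools, a row budget the model cannot raise, redaction before results are returned, an approval gate on the mutating tool, and a structured refusal whenever scope or approval is missing. The schema, view, tool names, scope names and the approval-token field are constructed assumptions.

```python
"""Least-privilege tool catalog for an MCP-style database server.

Added illustration, not code from the original post. The schema, view,
tool names, scope names and the approval-token field are constructed
assumptions; a real server would take them from its own policy layer.
"""
import os
import re
import sqlite3
import tempfile
from dataclasses import dataclass, field
from typing import Optional

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Caller:
    """Identity and scope resolved by the server; nothing here comes from the model."""
    user_id: str
    tenant_id: str
    scopes: set = field(default_factory=set)
    approval_token: Optional[str] = None  # issued by a human approval step (assumed)


@dataclass
class Tool:
    name: str
    sql: str            # fixed, parameterised; the model never supplies SQL text
    scope: str          # scope the caller must hold
    mutating: bool = False
    max_rows: int = 50  # row budget; LIMIT is bound to this, not to model input


# Workflow-specific tools over an approved view; there is no generic "run_query".
CATALOG = {
    "list_recent_orders": Tool(
        "list_recent_orders",
        "SELECT order_id, amount, customer_email FROM orders_summary_v "
        "WHERE tenant_id = :tenant_id ORDER BY order_id DESC LIMIT :limit",
        "orders:read"),
    "cancel_order": Tool(
        "cancel_order",
        "UPDATE orders SET status = 'cancelled' "
        "WHERE tenant_id = :tenant_id AND order_id = :order_id",
        "orders:write", mutating=True),
}


def build_db():
    """Constructed sample data; returns a read-only and a read-write handle."""
    path = os.path.join(tempfile.mkdtemp(), "orders.db")
    rw = sqlite3.connect(path)
    rw.executescript("""
        CREATE TABLE orders(order_id INTEGER, tenant_id TEXT, amount REAL,
                            customer_email TEXT, status TEXT);
        CREATE VIEW orders_summary_v AS
            SELECT order_id, tenant_id, amount, customer_email FROM orders;
        INSERT INTO orders VALUES (1, 't1', 10.0, 'ann@example.com', 'open'),
                                  (2, 't1', 25.5, 'bob@example.com', 'open'),
                                  (3, 't2', 99.0, 'eve@example.com', 'open');
    """)
    ro = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read path cannot write
    return ro, rw


def refuse(reason, **detail):
    """Structured refusal the model can act on, instead of a silent empty result."""
    return {"status": "refused", "reason": reason, **detail}


def redact(row):
    """Redact before the result reaches the model for summarisation."""
    return {k: EMAIL_RE.sub("[redacted-email]", v) if isinstance(v, str) else v
            for k, v in row.items()}


def call_tool(ro, rw, caller, name, args=None):
    args = dict(args or {})
    tool = CATALOG.get(name)
    if tool is None:
        return refuse("unknown_tool", tool=name)
    if tool.scope not in caller.scopes:
        return refuse("missing_scope", required=tool.scope)
    if tool.mutating and not caller.approval_token:
        return refuse("approval_required", tool=name, args=args)
    # Tenant scope and row budget are set by the server after merging model
    # arguments, so a model-supplied tenant_id or limit is always overridden.
    params = {**args, "tenant_id": caller.tenant_id, "limit": tool.max_rows}
    conn = rw if tool.mutating else ro  # read/write separation at the connection level
    try:
        cur = conn.execute(tool.sql, params)
    except sqlite3.Error as exc:
        return refuse("bad_arguments", error=str(exc))
    if tool.mutating:
        conn.commit()
        return {"status": "ok", "rows_affected": cur.rowcount}
    cols = [c[0] for c in cur.description]
    rows = [redact(dict(zip(cols, r))) for r in cur.fetchmany(tool.max_rows)]
    return {"status": "ok", "rows": rows}
```

Time and cost budgets from the list above are not shown here; in a real server they sit in the same `call_tool` chokepoint (a statement timeout on the connection, a per-caller query counter) so that every tool inherits them. The point the sketch makes is that tenant, row limit, write access and approval are decided by the server from the caller's identity, never from arguments the model chose.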
Longer version: Least-privilege tool catalogs for MCP database servers
AI agents do better when the safe path is also the narrow path.