Tool discovery is useful in a demo.
In production, it can become a permission problem.
If an MCP database server exposes every action an engineer might find useful, the agent has to choose safely every time.
That is too much responsibility to put in a prompt.
A safer pattern is an allowlist:
- expose fewer tools
- make each tool specific
- bind tools to approved views or templates
- keep broad tools behind stronger gates
- return policy context with every result
- audit which tool was used and why
“Run SQL” is a broad capability.
“Read monthly revenue from the approved reporting view” is a bounded workflow.
Those two tools may both be read-only, but they are not the same risk.
Longer version: MCP database tool allowlists
The job is not to give the agent every database power.
The job is to make the approved path easier than the dangerous one.
Top comments (0)