how are you scoping MCP server permissions so an agent cant hit the wrong table
ok so two things im stuck on. 1) i give the agent a postgres MCP and it technically can run anything the connection role can, which means one bad tool call and its DELETE on prod. i dont want a full audit every run. 2) the docs handwave at least privilege but i cant find anyone actually posting how they carve it up in practice. right now im doing a read-only role for the MCP connection and a separate write path that goes through my own function schema with a confirm step, so the model literally cant call destructive stuff through the socket. feels clunky. is there a cleaner pattern people run, per-tool allowlists on the server side maybe? whats actually holding up for you in the real world not the blog post version
No comments yet - start the discussion.