mcp-data-gateway¶
Controlled, read-only access to PostgreSQL for AI agents — through a fixed set of MCP tools, never a raw database connection.
The gateway treats the agent as an untrusted client and puts every safety guarantee in code and in the database, not in the agent's good behavior. It is a focused reference implementation of a safe agent-to-database pattern on a small public dataset.
What this project proves¶
Each of these is demonstrated in code and checked in CI (see validation):
- A fixed MCP tool surface with no raw-SQL-execution tool.
- Every tool argument validated against allow-lists; values passed as bound parameters, never interpolated into SQL.
- A deny-by-default, read-only SQL guard in front of the driver.
- A read-only database session and a
SELECT-only PostgreSQL role — the authoritative control — that refuse direct writes. - JSON-safe output and one structured audit line per call, with no raw SQL or credentials.
- Continuous proof: lint, tests, audit, a strict docs build, live-database integration, and a non-root container image build.
Explore¶
-
Architecture
Components and the request path, with a rendered diagram.
-
Security model
The defense-in-depth layers and what each does not cover.
-
Implementation journey
How it was built, phase by phase, with the boundary of each step.
-
Validation
What is actually proven, and by which tests and CI jobs.
-
Production considerations
What is demonstrated versus what a real deployment still requires.
-
Demo walkthrough
Run the gateway locally with Docker.
Scope and status¶
This shows the controls end to end; it is not a turnkey product. See production considerations for exactly what is and isn't provided.