feat: MCP three-tier query safety with server-side confirmation #839

Merged
datlechin merged 9 commits into main from feat/mcp-query-safety, Apr 23, 2026
@datlechin
Collaborator

Summary

  • Three-tier query classification: safe (SELECT), write (UPDATE/DELETE), destructive (DROP/TRUNCATE)
  • Write queries use the connection's safe mode level for confirmation (native macOS dialog when set to Alert or higher)
  • Destructive queries require confirm_destructive_operation tool with explicit confirmation phrase
  • INSERT exempt from write confirmation (additive, non-destructive)
  • CTE-prefixed writes (WITH...DELETE) properly detected
  • RETURNING clause routes to fetchRows so result rows are returned
  • Multi-statement queries blocked via SQLStatementScanner
  • MCP confirmation dialog appears on key window instead of bouncing dock icon
  • Server-side trust model: confirmation dialogs controlled by the connection's safe mode setting

Test plan

  • SELECT query runs immediately
  • UPDATE/DELETE with safe mode "Alert" shows native macOS confirmation dialog
  • UPDATE/DELETE with safe mode "Silent" executes without dialog
  • DROP TABLE via execute_query returns error directing to confirm_destructive_operation
  • confirm_destructive_operation with correct phrase executes
  • confirm_destructive_operation with wrong phrase rejects
  • INSERT executes without confirmation
  • Multi-statement query (; separated) is rejected
  • CTE write (WITH...DELETE) is classified as write
  • Confirmation dialog appears on the app window, not dock bounce

- Safe (SELECT/SHOW/EXPLAIN): executes immediately
- Write (UPDATE/DELETE): forces native macOS confirmation dialog
- Destructive (DROP/TRUNCATE): requires confirm_destructive_operation tool + native dialog
- INSERT exempt from confirmation (additive, non-destructive)
- CTE-prefixed writes (WITH...DELETE) properly detected
- RETURNING clause routes to fetchRows for result rows
- Multi-statement queries blocked via SQLStatementScanner
- Server-side trust model: confirmation cannot be bypassed by MCP client
@datlechin datlechin force-pushed the feat/mcp-query-safety branch from ab116d1 to 9bb4199 April 23, 2026 04:03
@datlechin datlechin merged commit 749eccf into main Apr 23, 2026
2 checks passed
@datlechin datlechin deleted the feat/mcp-query-safety branch April 23, 2026 04:18
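
Added example, not code from this PR or the project: a Python sketch of the classification rules listed in the summary (three tiers, INSERT exemption, CTE-prefixed writes, multi-statement rejection) with string literals and comments masked before scanning. The names `classify`, `decide` and `dialog_on_write` are hypothetical; treating an unrecognized verb as a write and taking the most severe verb anywhere in a `WITH` statement are fail-closed assumptions of the sketch, and backslash-escaped quotes are not handled.

```python
import re

SAFE = {"SELECT", "SHOW", "EXPLAIN"}
EXEMPT = {"INSERT"}                  # additive: exempt from write confirmation
WRITE = {"UPDATE", "DELETE"}
DESTRUCTIVE = {"DROP", "TRUNCATE"}
RANK = {"safe": 0, "insert": 1, "write": 2, "destructive": 3}

# String literals, quoted identifiers and comments: text that must not be read as SQL.
_OPAQUE = re.compile(
    r"""'(?:[^']|'')*'|"(?:[^"]|"")*"|`[^`]*`|--[^\n]*|/\*.*?\*/""", re.S)

def _tier(word):
    """Tier of a single keyword, or None when it is not a classified verb."""
    for tier, verbs in (("destructive", DESTRUCTIVE), ("write", WRITE),
                        ("insert", EXEMPT), ("safe", SAFE)):
        if word in verbs:
            return tier
    return None

def classify(sql):
    """Return 'safe', 'insert', 'write', 'destructive' or 'rejected'."""
    bare = _OPAQUE.sub(" ", sql).strip()
    if bare.endswith(";"):
        bare = bare[:-1]             # a single trailing terminator is allowed
    words = re.findall(r"[A-Z0-9_]+", bare.upper())
    if not words or ";" in bare:
        return "rejected"            # empty, or more than one statement
    if words[0] == "WITH":
        # The effective verb may follow the CTE list or sit inside it, so take
        # the most severe tier found anywhere in the statement.
        tiers = [t for t in map(_tier, words[1:]) if t]
        return max(tiers, key=RANK.get) if tiers else "write"
    return _tier(words[0]) or "write"    # unknown verb: fail closed (assumption)

def decide(sql, dialog_on_write):
    """Action taken before running sql; dialog_on_write stands in for a
    connection whose safe mode is Alert or higher."""
    tier = classify(sql)
    if tier == "rejected":
        return "reject"
    if tier == "destructive":
        return "require confirm_destructive_operation"
    if tier == "write" and dialog_on_write:
        return "show confirmation dialog"
    return "execute"
```
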