Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uk4Dw-00FKE3-72 for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Aug 2025 17:16:16 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uk4Du-007ReS-R3 for pgsql-hackers@arkaria.postgresql.org; Thu, 07 Aug 2025 17:16:14 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uk3le-006y7r-Ta for pgsql-hackers@lists.postgresql.org; Thu, 07 Aug 2025 16:47:02 +0000 Received: from mail-oa1-x2c.google.com ([2001:4860:4864:20::2c]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uk3lc-001IC1-0q for pgsql-hackers@postgresql.org; Thu, 07 Aug 2025 16:47:02 +0000 Received: by mail-oa1-x2c.google.com with SMTP id 586e51a60fabf-30ba01fca64so429821fac.2 for ; Thu, 07 Aug 2025 09:47:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tigerdata.com; s=google; t=1754585218; x=1755190018; darn=postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=n+Nep++mG6ZNIsxgByMsppSgLLFgmr0GxHFYgAftQEg=; b=CGVWhwaqY7D9Dq5mDV23Bjz3rOeA65NSW1Q/2ROa+NIslzE1mjGju9kdLGIG61W8pV Tj4Do6tdiJDul69KyxLQxtS8NhDtzQ8EGL6a5vrX9Gw1P3kAgE27UAQO+CsxvbyRsu0W atbKnh8vqH/5Dd9ytDF8LMzc7xPUJNVtwfFsAcReT2k/79ztDQOvyDirLRSqyCMI+E/x bjT/8H8B2ydyJsvInmDBBgFRvKDx+0URuApLzAKECN04U1A9Q0PiPPMN3lYUYkGFgrTW hbuwp083NRygdNUnTOziinNhlWYzhf6rlUYxPOHDnGJW2PQVgDthV0NowqhFVgD9Ohb7 PmSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1754585218; x=1755190018; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=n+Nep++mG6ZNIsxgByMsppSgLLFgmr0GxHFYgAftQEg=; b=FwlDoQcWzTf6KhpkU6Q5n02FzoTcovAxBvvrGhZjHHvPrwcgxF6bvF3ejZhYhRc0E0 f/0CUnPxYuLpBD6i2a8Y1ldu6oAMHsBPLxElyDnrVeZ/y12Ww6HThMYhD3N7zFJKk+VQ cvR1WpR0UaaXY4YHLh4Cv8t1/WfIzJ3DpMWQj/Ua9AG45wQyINZZY+g+3COAYRxOona4 /gansXDS44bG6tP8AQmMqktbRw2D8GjIxDCke/oYwEo9lYatiarXByXVmQfslWZnEJm6 1tY1+ifchIX0GWW0DsxorwLvDXMyHYf5kP1hjxYtjYZT57raCLlQRgdWn6enPFW3lDwV mPQw== X-Gm-Message-State: AOJu0YwXOyfrO2WHzGl8S2fQhlm2+tEnoR0HUFXGrs42zoSP/4K0T5g8 hSmc0HVWuJztLyEa0OuMnFLqz2W1fPNJ4MSALJVy4xpI9bg6rekiTLME26Xe9YmCEvl8vrwQu8s DwZ1RzAUgOScZWorxRxKZ8/t1P7Wn2tAO3wNbDq63Es6I0phcw5SJ0b4= X-Gm-Gg: ASbGncuyV4X+nLh25ZAfafLJ+6sRknexY7fJl1WWNUmHGK3C8p7Y+Gk9K3uDOsCnj8u ttEX/+qnp5XxikyaIPt1QORI5+Nu2JbQ6sWtESqqRqgE9SgId9mW3N1a1OLzajIuy9R0RA9cPYd 0VTvFYjBj6QMMoFT2ZnsiKMz7HsYhRqX3ZsdgkasGN2o8AneUnO9J4+nBtj45ej7grNSODvyWhH xa2+sST X-Google-Smtp-Source: AGHT+IGOrJEkFGmU89yTTGUhYjeMfotErA7tizMbuEWQvOA3oHQlTVakHQk+kjVl2QnrLSu/eDG4rlF9kPeK+o+vMTI= X-Received: by 2002:a05:6871:230f:b0:306:a149:f4ae with SMTP id 586e51a60fabf-30c1d55531emr415971fac.36.1754585217908; Thu, 07 Aug 2025 09:46:57 -0700 (PDT) MIME-Version: 1.0 From: Mat Arye Date: Thu, 7 Aug 2025 12:46:47 -0400 X-Gm-Features: Ac12FXykI8xghAJeKUVLjgKiHiuCjfa04Lh2UMJlNad7OJIQlZBGbIcnkrYg0gU Message-ID: Subject: Read-only connection mode for AI workflows. To: pgsql-hackers Content-Type: multipart/alternative; boundary="000000000000a454aa063bc934ea" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000a454aa063bc934ea Content-Type: text/plain; charset="UTF-8" Hi All, A common desire for AI agents accessing the database is to have read-only access for the agents. You can create special roles with explicit assignment or use pg_read_all_data but this is cumbersome and not very ergonomic. Often, people want to use an existing role but as part of a connection that is marked "read-only". This can be done with the transaction_read_only GUC, however the AI could unset that in all kinds of clever ways by executing SQL commands. For example, a popular MCP server (I am NOT affiliated with) goes through all kinds of hoops to avoid this: https://github.com/crystaldba/postgres-mcp It would be nice to force a connection into read-only mode. Connection setup is usually not AI controlled while the SQL executed sometimes is. That's why being able to control read-only mode on the connection level would be useful. I'd be happy to submit a patch if there is interest in this feature (especially if I get some pointers to where people would like to see this implemented). Thanks, Mat TigerData --000000000000a454aa063bc934ea Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi All,

A common desire for AI agents a= ccessing the database is to have read-only access for the agents. You can c= reate special roles with explicit assignment or use=C2=A0pg_read_all_data b= ut this is cumbersome=C2=A0and not very ergonomic. Often, people want to us= e an existing role but as part of a connection that is marked "read-on= ly". This can be done with the=C2=A0transaction_read_only GUC, however= the AI could unset that in all kinds of clever ways by executing SQL comma= nds.=C2=A0

For=C2=A0example, a popular MCP server = (I am NOT affiliated with) goes through all kinds of hoops to avoid this:= =C2=A0https://github= .com/crystaldba/postgres-mcp

It would be nice = to force a connection into read-only mode. Connection setup is usually=C2= =A0not AI controlled while the SQL executed sometimes is. That's why be= ing able to control read-only mode on the connection level would be useful.=

I'd be happy to submit a patch if there is in= terest in this feature (especially if I get some pointers to where people w= ould like to see this implemented).

Thanks,
<= div>Mat
TigerData
--000000000000a454aa063bc934ea--