Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w2FQu-0007f2-2u for pgsql-hackers@arkaria.postgresql.org; Mon, 16 Mar 2026 21:25:04 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w2FQt-00DD0y-2h for pgsql-hackers@arkaria.postgresql.org; Mon, 16 Mar 2026 21:25:03 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w2FQt-00DD0k-1i for pgsql-hackers@lists.postgresql.org; Mon, 16 Mar 2026 21:25:03 +0000 Received: from momjian.us ([72.94.173.45]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1w2FQq-000000004pG-1GjN for pgsql-hackers@postgresql.org; Mon, 16 Mar 2026 21:25:02 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=momjian.us; s=2026010100; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description; bh=c+8tnS9Hz20Jt+J9xEzmy5kkRQ6W9DvxnkKjRBLE4q8=; b=thD0AhMHYjyUOWvK9400pRpBkz NLuvv0Sd/ZQsIUB0PaVPyGUzS4n1DrqNdWCsyPzRhkhh2RZcslINKxnFqxYAkSf3Hh/AYpCxl74uH dnjbu9CTKyfc9RJQmopdePxDGI5ciEI07ePRHokNDEotUc9rMhTBZ6ctvx2tNJ3zMq9Xdfk7WfqRH VHbAtsSI+JsRWbx453KpzEJJJ7ksnmMNZj43ud19Wr6lXCg83ifYATbK7rD5zS0a6GC59+73W/bNa Yiqx6I3RpVBElmE9KFJnJ3DDPoK0XkHendY6OMWBPmgRVcYbcv8JoE+gEhyqH+J8pVsnAcYahnEvd 6OKLOCbw==; Received: from bruce by momjian.us with local (Exim 4.98.2) (envelope-from ) id 1w2FQq-000000009IN-0Tjf; Mon, 16 Mar 2026 17:25:00 -0400 Date: Mon, 16 Mar 2026 17:25:00 -0400 From: Bruce Momjian To: Andrei Lepikhov Cc: Jack Bonatakis , pgsql-hackers Subject: Re: Read-only connection mode for AI workflows. Message-ID: References: <64f1c69a-ceff-4b17-8298-58f255d075fc@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Mar 16, 2026 at 10:01:22PM +0100, Andrei Lepikhov wrote: > > Additionally, I believe this is the key point. Setting read-only at the > > connection level alleviates any concern about an AI agent exploiting > > misconfigured permissions to escalate its privileges (e.g. `select > > unset_cluster_readonly(); drop table users;`). > > > > > Also, which commands do you want to restrict? For instance, vacuum > > > isn't a DML command, but it can still change the state of table > > > pages and pg_catalog. > > This functionality is now out of the Postgres core logic. It is not hard to > add to the extension, though, let's say as a string GUC, where you may add > any utility command you want to reject in read-only mode. So, depends on > specific cases. > ... > > That said, once you start thinking about the precise scope of what > > should be allowed or disallowed, the design space becomes quite large. > > It may be worth clarifying the intended guarantees of such a feature > > before discussing implementation details. > > Right now as an extension pg_readonly guarantees standard core XactReadOnly > behaviour. > > > > > I do think the underlying problem of safely exposing databases to > > automated agents is becoming increasingly common, so it seems like a > > useful area to explore. I agree the need a read-only sessions is going to get more urgent with MCP. Why doesn't the community code have a read-only session option that can't be changed? -- Bruce Momjian https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.