Date: Mon, 16 Mar 2026 15:28:06 -0400
From: "Jack Bonatakis"
To: pgsql-hackers
In-Reply-To: <64f1c69a-ceff-4b17-8298-58f255d075fc@gmail.com>
Subject: Re: Read-only connection mode for AI workflows.

On Mon, Mar 16, 2026, at 2:08 PM, Andrei Lepikhov wrote:
> I believe the pg_readonly [1] extension does what you're looking for, so you might want to give it a try.

Hi Andrei,

Please correct me if I am mistaken, but it looks like pg_readonly operates at the database or cluster level. If I understand Mat's proposal correctly, and based on my own experience integrating LLM-based tools with databases, one might desire to set a particular connection to be read-only while leaving the rest of the connections to operate normally (read/write). Now, I would hope that someone building an AI integration that is not intended to write to or manage the system would be doing so off of a read-replica where pg_readonly would make more sense, but I would wager that this will not always be the case.

> Connection setup is usually not AI controlled while the SQL executed sometimes is. That's why being able to control read-only mode on the connection level would be useful.

Additionally, I believe this is the key point. Setting read-only at the connection level alleviates any concern about an AI agent exploiting misconfigured permissions to escalate its privileges (e.g. `select unset_cluster_readonly(); drop table users;`).

> Also, which commands do you want to restrict? For instance, vacuum isn't a DML command, but it can still change the state of table pages and pg_catalog.