Least-privilege tool catalogs for MCP database servers: expose fewer actions to AI agents
The easiest MCP database server to build is also the riskiest: expose a broad query tool, point it at production, and trust the model to behave.
That is not a production access model. It is a demo.
For real teams, the tool catalog should be designed with least privilege. The agent should only see the actions, fields, scopes, and data surfaces needed for the workflow in front of it.
The tool list is a permission boundary
Many teams treat MCP tool descriptions like documentation. In production, they are closer to an access-control surface.
If a tool is visible, the agent may try to use it. If the parameters are too broad, the agent may construct a request that technically works but violates the intended workflow.
Related: MCP tool descriptions are a security boundary.
Start from workflows, not tables
A least-privilege catalog starts with questions like:
- Which business workflow needs this tool?
- Which user or tenant is allowed to invoke it?
- Which approved views can it read?
- Which fields must never be returned?
- What row, time, and cost budgets apply?
- Does the action require approval?
That usually produces a smaller and safer catalog than “query any table.”
Related: Approved views for AI database agents.
Separate read tools from write tools
Read tools and write tools should not share the same permission shape.
A reporting tool might be read-only, scoped to approved views, and limited by row count. A mutation tool should include dry-run mode, approval gates, before/after evidence, and audit events.
Related: Approval gates for AI database writes.
Fail closed when scope is missing
If tenant scope, identity, schema version, or approval state is missing, the tool should not guess. It should return a structured refusal that tells the agent exactly what is missing.
That turns safety into a normal part of the workflow instead of an afterthought.
Related: Fail-closed MCP database tools.
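The read/write separation and the fail-closed refusal described above, as an added example that is not Conexor's code: a constructed catalog where the read tool is bound to approved views, strips denied fields and clamps rows to a budget, while the write tool is approval-gated and dry-run by default. Tool names, view names, context keys and sample rows are all constructed for illustration.

```python
# Added illustration of a least-privilege MCP tool catalog; names and shapes
# are constructed for this example and are not Conexor's API.
CATALOG = {
    # Read tool: approved views only, denied fields stripped, row budget enforced.
    "report_orders": {"mode": "read", "views": {"orders_summary_v"},
                      "denied_fields": {"email", "card_last4"}, "max_rows": 500},
    # Write tool: its own permission shape, dry-run by default, approval gated.
    "refund_order": {"mode": "write", "requires_approval": True},
}

# Constructed rows standing in for the approved view.
VIEW_ROWS = {"orders_summary_v": [
    {"order_id": 1, "tenant_id": "t-1", "total": 20.0, "email": "a@example.test"},
    {"order_id": 2, "tenant_id": "t-2", "total": 35.0, "email": "b@example.test"},
    {"order_id": 3, "tenant_id": "t-1", "total": 5.0, "email": "c@example.test"},
]}


def refuse(reason, missing=()):
    """Structured, fail-closed refusal: say what is missing, never guess."""
    return {"ok": False, "reason": reason, "missing": sorted(missing)}


def call_tool(name, ctx, args):
    """ctx carries session scope (identity, tenant, approval); args are tool params."""
    spec = CATALOG.get(name)
    if spec is None:
        return refuse("unknown_tool")
    missing = [k for k in ("identity", "tenant_id") if not ctx.get(k)]
    if spec["mode"] == "write" and spec.get("requires_approval"):
        if not ctx.get("approval_id"):
            missing.append("approval_id")
    if missing:
        return refuse("scope_missing", missing)
    if spec["mode"] == "write":
        audit = {"tool": name, "actor": ctx["identity"], "tenant": ctx["tenant_id"],
                 "approval_id": ctx["approval_id"], "args": args}
        if args.get("dry_run", True):  # dry run unless the caller opts out
            return {"ok": True, "dry_run": True, "would_change": args, "audit": audit}
        return {"ok": True, "dry_run": False, "audit": audit}
    view = args.get("view")
    if view not in spec["views"]:
        return refuse("view_not_approved", ["view in %s" % sorted(spec["views"])])
    rows = [r for r in VIEW_ROWS[view] if r["tenant_id"] == ctx["tenant_id"]]
    rows = [{k: v for k, v in r.items() if k not in spec["denied_fields"]} for r in rows]
    limit = min(int(args.get("limit", spec["max_rows"])), spec["max_rows"])  # clamp
    return {"ok": True, "rows": rows[:limit], "row_budget": spec["max_rows"]}
```

A request with a tenant-scoped context returns only that tenant's rows with denied fields removed; a request missing tenant or approval scope gets a structured refusal naming the gap rather than a guess.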
Where Conexor fits
Conexor is MCP infrastructure for teams connecting AI clients to databases and APIs. The goal is not simply to expose data. It is to expose the right tool surface with scoped credentials, approved views, budgets, and audit trails.