MCP security boundary

Synapsor constrains the database state transition; it does not make all MCP usage secure.

Overview

Synapsor protects the database path it owns: reviewed semantic tools, trusted context, no model-facing raw SQL, evidence-backed proposals, approval boundaries, allowed-column guards, conflict checks, idempotent writeback, receipts, and replay.

Synapsor does not protect a compromised MCP host, malicious local runner binary, stolen database credentials outside the runner, unsafe non-Synapsor tools, data already disclosed to a model, or prompt injection itself.

Keep the narrower claim: MCP connects the agent; Synapsor controls whether a database action becomes durable business state.

Developer notes

  • Keep runner tokens and database URLs out of git and browser code.
  • Use least-privilege read credentials and separate write credentials.
  • Scope runner tokens to one project/source.
  • Do not give runner tokens approval permission.
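
The read/write credential split from the notes above, sketched as an added example (not Synapsor's own code or configuration). It assumes PostgreSQL; the database `appdb`, schema `app`, table `app.invoices`, its columns, and the role names are hypothetical. The column-scoped grants are a database-level backstop and do not describe how Synapsor implements its allowed-column guards.

```sql
-- Assumed: PostgreSQL. All object and role names are hypothetical.
-- Passwords are placeholders; supply them from a secret store, never from git.

-- Read credential: evidence gathering and proposals. No write rights.
CREATE ROLE runner_read  LOGIN PASSWORD '<READ_PASSWORD_PLACEHOLDER>';
-- Write credential: used only for approved writeback.
CREATE ROLE runner_write LOGIN PASSWORD '<WRITE_PASSWORD_PLACEHOLDER>';

-- Start from nothing: remove whatever PUBLIC holds on these objects.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA app FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM PUBLIC;

GRANT CONNECT ON DATABASE appdb TO runner_read, runner_write;
GRANT USAGE   ON SCHEMA app     TO runner_read, runner_write;

-- Reader: SELECT only.
GRANT SELECT ON app.invoices TO runner_read;
-- Guard against accidents only: a session can override this setting,
-- so the missing write grants are the actual control.
ALTER ROLE runner_read SET default_transaction_read_only = on;

-- Writer: UPDATE limited to the columns an approved change may touch,
-- plus SELECT on the columns needed to locate the row and detect conflicts.
GRANT SELECT (id, status, due_date, updated_at) ON app.invoices TO runner_write;
GRANT UPDATE (status, due_date, updated_at)     ON app.invoices TO runner_write;
-- No INSERT, DELETE or TRUNCATE, and no DDL, for either role.

-- Verify the effective column privileges (run as the table owner).
-- Expected: runner_read has SELECT on every column and nothing else;
-- runner_write has SELECT on four columns and UPDATE on three.
SELECT grantee, privilege_type, column_name
FROM information_schema.column_privileges
WHERE table_schema = 'app'
  AND table_name   = 'invoices'
  AND grantee IN ('runner_read', 'runner_write')
ORDER BY grantee, privilege_type, column_name;
```

With this split, a leaked read credential cannot change rows, and a leaked write credential can change only the listed columns of one table.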