On Mon, Mar 16, 2026 at 10:01:22PM +0100, Andrei Lepikhov wrote: > > Additionally, I believe this is the key point. Setting read-only at the > > connection level alleviates any concern about an AI agent exploiting > > misconfigured permissions to escalate its privileges (e.g. `select > > unset_cluster_readonly(); drop table users;`). > > > > > Also, which commands do you want to restrict? For instance, vacuum > > > isn't a DML command, but it can still change the state of table > > > pages and pg_catalog. > > This functionality is now out of the Postgres core logic. It is not hard to > add to the extension, though, let's say as a string GUC, where you may add > any utility command you want to reject in read-only mode. So, depends on > specific cases. > ... > > That said, once you start thinking about the precise scope of what > > should be allowed or disallowed, the design space becomes quite large. > > It may be worth clarifying the intended guarantees of such a feature > > before discussing implementation details. > > Right now as an extension pg_readonly guarantees standard core XactReadOnly > behaviour. > > > > > I do think the underlying problem of safely exposing databases to > > automated agents is becoming increasingly common, so it seems like a > > useful area to explore.
I agree the need a read-only sessions is going to get more urgent with MCP. Why doesn't the community code have a read-only session option that can't be changed? -- Bruce Momjian <[email protected]> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.
