Sidequery

MCP Server Security

Threat model, safe defaults, and least-privilege guidance for running the MCP server.

The MCP server lets an AI assistant run tools against your semantic layer. Treat it like a privileged service.

uvx sidemantic mcp-serve --help
Usage: sidemantic mcp-serve

Threat Model

  • The assistant can issue queries through the tools you expose.
  • Query results may contain sensitive data depending on your models and permissions.

Safe Defaults

  • Run MCP against read-only credentials when possible.
  • Scope the models directory to a vetted repo path (not your home dir).
  • Avoid exposing the MCP server on a network interface unless you have a hard boundary and auth layer.

Least Privilege Checklist

  • Warehouse credentials: read-only, limited datasets/schemas.
  • Network: local-only or behind a trusted proxy.
  • Audit: capture the compiled SQL for every tool call, plus the warehouse query logs, so each query can be traced back to the assistant session that issued it.
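
As an added example, not code from the Sidequery docs or the sidemantic project, here is a small Python gate that covers the read-only and audit items above: it records every compiled statement as a JSON line and only lets a single SELECT/WITH statement through. The tool name and the in-memory log list are assumptions; the gate is a defence-in-depth layer in front of, not a replacement for, the read-only warehouse role.

```python
import json
import re
import time

# Comments and string literals are removed before inspection so that a leading
# comment cannot hide the statement type and a ';' inside a literal is not
# mistaken for a statement separator.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
_STRING_RE = re.compile(r"'(?:[^']|'')*'")
_READ_ONLY_PREFIX = re.compile(r"^(select|with)\b", re.IGNORECASE)
# Writes and DDL that must never leave the MCP tool layer, whatever the prefix.
# A false positive (e.g. a column literally named "create") fails closed.
_WRITE_KEYWORDS = re.compile(
    r"\b(insert|update|delete|merge|drop|alter|create|truncate|grant|copy|call|exec)\b",
    re.IGNORECASE,
)


def normalize_sql(sql: str) -> str:
    """Strip comments, blank out string literals, and drop a trailing semicolon."""
    stripped = _COMMENT_RE.sub(" ", sql)
    stripped = _STRING_RE.sub("''", stripped)
    return stripped.strip().rstrip(";").strip()


def is_read_only(sql: str) -> bool:
    """True only for a single SELECT/WITH statement with no write or DDL keyword."""
    normalized = normalize_sql(sql)
    if not normalized or ";" in normalized:          # empty or multi-statement
        return False
    if _READ_ONLY_PREFIX.match(normalized) is None:  # not a query at all
        return False
    # Engines that allow data-modifying CTEs (WITH ... DELETE) are caught here.
    return _WRITE_KEYWORDS.search(normalized) is None


def audit_gate(tool: str, sql: str, log: list) -> bool:
    """Append one JSON audit line for the compiled statement, then return the verdict.

    The entry is written whether or not the statement is allowed, so rejected
    attempts show up in the audit trail as well. `log` stands in for your
    real query-log sink (hypothetical: any list-like object works here).
    """
    allowed = is_read_only(sql)
    log.append(json.dumps({"ts": time.time(), "tool": tool,
                           "allowed": allowed, "sql": sql}))
    return allowed
```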

Operational Guidance

  • Use --demo to validate the integration without touching production data.
  • If you can’t explain what a tool does, don’t expose it to MCP.