The MCP server lets an AI assistant run tools against your semantic layer. Treat it like a privileged service.

```bash doc-test
uvx sidemantic mcp-serve --help
```

```text doc-expected-contains
Usage: sidemantic mcp-serve
```

## Threat Model

- The assistant can issue queries through the tools you expose.
- Query results may contain sensitive data depending on your models and permissions.

## Safe Defaults

- Run MCP against **read-only** credentials when possible.
- Scope the models directory to a vetted repo path (not your home directory).
- Avoid exposing the MCP server on a network interface unless you have a hard boundary and an auth layer in front of it.
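
A preflight for the models-directory and network defaults above, added here as an example and not part of sidemantic. `check_models_dir`, `check_bind_host` and `preflight` are hypothetical names, and "vetted repo path" is approximated as a directory inside a git work tree.

```python
import ipaddress
import sys
from pathlib import Path


def check_models_dir(models_dir, home):
    """Return findings for a models directory; an empty list means it passes."""
    path, home = Path(models_dir).resolve(), Path(home).resolve()
    if not path.is_dir():
        return [f"{path}: not a directory"]
    findings = []
    # The home directory, or any ancestor of it, exposes far more than models.
    if path == home or path in home.parents:
        findings.append(f"{path}: is or contains the home directory")
    # Assumption: "vetted repo path" is approximated as "inside a git work tree".
    if not any((p / ".git").exists() for p in (path, *path.parents)):
        findings.append(f"{path}: not inside a git repository")
    # Anyone who can write here can change what the assistant is able to query.
    if path.stat().st_mode & 0o002:
        findings.append(f"{path}: world-writable")
    return findings


def check_bind_host(host):
    """Return findings for a listen address; only loopback IP literals pass."""
    try:
        if ipaddress.ip_address(host).is_loopback:
            return []
    except ValueError:
        return [f"{host}: not an IP literal, cannot confirm it is local-only"]
    return [f"{host}: network-reachable, needs a hard boundary and auth layer"]


def preflight(models_dir, bind_host, home=None):
    """Run both checks; refuse to start the server unless the result is empty."""
    home = home or Path.home()
    return check_models_dir(models_dir, home) + check_bind_host(bind_host)


if __name__ == "__main__":
    # Usage: python preflight.py <models_dir> <bind_host>
    problems = preflight(sys.argv[1], sys.argv[2])
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

Hostnames are rejected on purpose: the check cannot tell where a name resolves at serve time, so pass the loopback address itself.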

## Least Privilege Checklist

- Warehouse credentials: read-only, limited datasets/schemas.
- Network: local-only or behind a trusted proxy.
- Audit: capture compiled SQL and query logs.

## Operational Guidance

- Use `--demo` to validate the integration without touching production data.
- If you can’t explain what a tool does, don’t expose it to MCP.