
MCP safety and privacy

The DBConvert Streams MCP server is read-only by design and runs on your own infrastructure — locally on your machine over stdio (the desktop app), or as a service inside your DBConvert Streams deployment over HTTP (Docker / server). Either way it's your hardware, never ours. This page is the complete list of guarantees and tradeoffs.

What cannot happen

Nothing your AI does through the MCP server can change your data, configuration, or stream state:

  • No INSERT / UPDATE / DELETE / TRUNCATE
  • No DROP / ALTER / CREATE / DDL of any kind
  • No index creation
  • No row editing
  • No connection edits, additions, or deletions
  • No stream control in this version — no starting, stopping, pausing, resuming, or resetting streams, and no CDC checkpoint or bootstrap-state resets (this may change later, behind explicit safeguards)
  • No file writes, deletes, or uploads
  • No credential changes
  • No S3 object mutation
  • No arbitrary SQL — only SELECT and WITH ... SELECT statements pass the safety filter. Everything else is rejected at the MCP server before reaching your database

When the AI suggests a change, you (or DBConvert Streams via the UI) run it. The AI never touches the trigger.

What the AI sees

When you ask your AI assistant to inspect or analyze something, the MCP server returns:

  • Connection names, types, and IDs (never DSNs or passwords)
  • Database, schema, and table names
  • Column definitions and metadata (types, nullability, defaults, indexes, foreign keys, DDL)
  • Sample rows from tables you ask about (bounded by default to 100 rows, max 1000)
  • SELECT query results (same row caps)
  • File names, schemas, and sample data from local file connections
  • Stream status, statistics, recent errors, and log entries (redacted — see below)

Log redaction

Anything returned from stream logs passes through six redaction layers before reaching the AI:

| What gets replaced | Example before | Example after |
|---|---|---|
| Field-name match (any field whose name contains password, passwd, secret, apikey, api_key, token, credential, credentials, accesskey, access_key, privatekey, private_key, passphrase) | "apikey": "sk-abc..." | "apikey": "REDACTED" |
| DSN credentials | postgres://admin:s3cr3t@host:5432/db | postgres://admin:REDACTED@host:5432/db |
| Bearer tokens | Bearer eyJhb... | Bearer REDACTED |
| Authorization headers | Authorization=... | Authorization=REDACTED |
| Sensitive-keyword values in SQL | password = 'abc' | password = REDACTED |
| Email and IPv4 addresses | [email protected], 10.0.0.5 | ***@***.***, ***.***.***.*** |

Field-name matching is case-insensitive and uses substring matching, so apiKey, API_KEY, user_password, ssh_passphrase, and client_secret all hit.
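
The six layers above, sketched as an added example; this is not DBConvert Streams code. The regular expressions, the redact function, and the sample log entry are assumptions constructed for illustration.

```python
import re

# Field-name fragments from the table above, matched case-insensitively as substrings.
SENSITIVE = ("password", "passwd", "secret", "apikey", "api_key", "token",
             "credential", "credentials", "accesskey", "access_key",
             "privatekey", "private_key", "passphrase")
KEYS = "|".join(SENSITIVE)

# Free-text rules for string values, applied in order (patterns are assumptions).
# Bearer runs before Authorization so a header value never leaks its token part.
TEXT_RULES = [
    (re.compile(r"(\w+://[^:/@\s]+:)[^@\s]+@"), r"\1REDACTED@"),         # DSN credentials
    (re.compile(r"\bBearer\s+[\w.~+/=-]+"), "Bearer REDACTED"),         # bearer tokens
    (re.compile(r"\b(Authorization\s*=\s*)(?:Bearer\s+)?\S+", re.I),
     r"\1REDACTED"),                                                    # auth headers
    (re.compile(rf"\b(\w*(?:{KEYS})\w*\s*=\s*)'[^']*'", re.I),
     r"\1REDACTED"),                                                    # keyword values in SQL
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "***@***.***"),       # email addresses
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "***.***.***.***"),    # IPv4 addresses
]

def redact(value, key=""):
    """Return a redacted copy of a decoded JSON log entry."""
    # Layer 1: any field whose name contains a sensitive fragment loses its value.
    if key and any(s in key.lower() for s in SENSITIVE):
        return "REDACTED"
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        # Layers 2-6: pattern rules over free text.
        for pattern, repl in TEXT_RULES:
            value = pattern.sub(repl, value)
    return value

# Constructed sample entry, not real DBConvert Streams log output.
SAMPLE = {
    "msg": "connect postgres://admin:s3cr3t@host:5432/db failed "
           "for ops@example.com from 10.0.0.5",
    "apiKey": "sk-abc",
    "ssh_passphrase": "hunter2",
    "headers": ["Authorization=Bearer eyJhb.c2ln", "X-Trace=1"],
    "sql": "SELECT id FROM users WHERE password = 'abc'",
}

if __name__ == "__main__":
    for field, val in redact(SAMPLE).items():
        print(f"{field}: {val}")
```

In this sketch, substring matching also redacts harmless fields such as token_count, which is the price of catching variants like user_password and client_secret.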

Response size limits

Tool responses are capped at 256 KB (soft target) and 1 MB (hard cap). If the AI asks for a huge result, the server returns a truncated answer with truncated: true and a Warnings entry. The AI sees the signal and asks you to narrow the query, so partial data is never returned silently.

Activity logging

Every tool call your AI makes is recorded in the MCP server log file (stream-mcp.log next to the workspace database for the desktop app; inside the container for a Docker deployment) with:

  • Tool name (e.g. dbconvert_run_select)
  • Your user ID
  • Duration
  • Output size in bytes
  • Field names the AI passed — never the values

No queries, DSNs, or sensitive values are written to the audit log. If you want to know what your AI did, tail the log and look for mcp tool call entries.

What goes to your AI provider

The MCP server never sends your data anywhere — your AI client does. Keep the two roles separate:

  • The MCP server is yours, not ours. It runs on your machine over stdio (desktop app) or inside your own DBConvert Streams deployment over HTTP (Docker / server), and only ever responds to your AI client's requests — over standard input/output locally, or over HTTPS to your own host. It never initiates a connection to DBConvert or any AI provider; it does not send anything anywhere on its own.
  • Your AI client is a separate program (Claude Code, Cursor, Copilot, etc.) that sends prompts and tool results to its provider (Anthropic, OpenAI, etc.) so the model can respond. Whatever the AI sees, the provider sees.

So any sample rows, query results, schema definitions, or log entries the AI fetches via MCP get sent to your AI provider as part of the chat context.

Keeping data from the AI provider

If some data must never leave your environment, use these controls — strongest first.

1. Restrict at the database. The strongest line of defense, because it limits what any tool can read:

  • The MCP server can read every connection in its workspace — there's no per-connection opt-out, and simply not asking about one is not a hard guarantee (an over-eager or prompt-injected AI can still query it).
  • The fix: connect with a read-only database user that cannot see the sensitive tables — see Read-only database users below for a copy-paste grant. The connection itself is fine to keep for Data Explorer and streams.
  • To rule the data out completely: don't connect an MCP client to that workspace at all.

2. Limit which tools the AI can call. Turn off what you don't need so the AI can inspect but never run queries:

  • Copilot — the 🔧 tool picker
  • Cursor — Settings → Tools & MCP, then expand the server
  • Windsurf — the MCPs icon in the Cascade panel
  • Claude Code — permission rules: add the tool to permissions.deny via /permissions or settings.json, e.g. mcp__dbconvert-streams__dbconvert_run_select

3. Use a self-hosted AI if your client supports it — the MCP server works with any MCP-compliant client, so nothing has to reach a third-party provider at all.

Read-only database users

A ready-to-use grant for the read-only user from control 1 above. The MCP server already filters non-SELECT SQL at the application layer; this adds a second, independent layer at the database itself, so even if that filter ever has a bug, writes are still rejected:

-- PostgreSQL example
CREATE USER ai_readonly WITH PASSWORD 'change-me';
GRANT CONNECT ON DATABASE mydb TO ai_readonly;
GRANT USAGE ON SCHEMA public TO ai_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ai_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ai_readonly;

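Then use ai_readonly as the connection user in DBConvert Streams. As written, the grant covers every table in the public schema, and ALTER DEFAULT PRIVILEGES extends it to tables created later by the role that ran the statement. To keep sensitive tables out of the AI's reach, grant SELECT only on the specific tables it may read instead of using ON ALL TABLES.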

Summary

  • The MCP server cannot modify your data, connections, or streams. It can only read and advise.
  • The MCP server runs on your own infrastructure (local machine or your Docker host) and never sends data to DBConvert or an AI provider on its own. Your data only leaves your environment if your AI client sends it to its provider.
  • Sensitive values in logs are redacted across six categories (secrets plus email/IP addresses) before any data reaches the AI.
  • For data that absolutely cannot leave your environment, keep it behind a read-only database user, or out of any MCP-connected workspace.