An open API service indexing awesome lists of open source software.

https://github.com/developerz-ai/db-mcp-gateway

Self-hosted MCP gateway: AI agents get audited, SSO-gated, read-only database access without ever holding a DB credential.
https://github.com/developerz-ai/db-mcp-gateway

ai-agents audit-log claude-code database mcp model-context-protocol oidc postgres rust security self-hosted sso

Last synced: about 3 hours ago
JSON representation

Self-hosted MCP gateway: AI agents get audited, SSO-gated, read-only database access without ever holding a DB credential.

Awesome Lists containing this project

README

          

# db-mcp-gateway πŸ›‘οΈ

**Self-hosted MCP gateway for AI agents that need database access β€” without ever handing out a database URL.** πŸ”

Your team deploys it once. Developers add one URL to their AI agent's MCP config. The gateway holds every credential, enforces SSO-driven permissions, and writes an append-only audit log on every query.

---

## πŸ›οΈ Three pillars

| Pillar | What it means |
|---|---|
| πŸ” **Credentials never leave the gateway** | No DB URL on a laptop, ever. No tool returns one. No log line contains one. |
| πŸ‘€ **Identity end-to-end** | Every query traces SSO user β†’ group β†’ grant β†’ audit row. |
| πŸ“œ **Config-as-code** | Permissions live in YAML, reviewed by PR. No in-band admin UI, by design. |

---

## ✨ What's in the box

- πŸ€– **MCP tool surface** β€” `list_databases`, `describe_schema`, `sample_table`, `run_query`, `explain`, `get_query_history`.
- πŸ”‘ **OIDC SSO** β€” Okta, Google Workspace, Entra, Authentik, Keycloak. Browser-flow login from the agent (no embedded browser needed).
- 🎯 **Read-only by default, writes opt-in per grant** β€” per-database least-privilege roles; a `query_write` grant permits data writes (INSERT/UPDATE/DELETE), never schema changes. Statement timeouts and row caps enforced at the DB *and* gateway layer.
- πŸ“‹ **Permissions in YAML** β€” group Γ— server Γ— database Γ— action, with per-grant constraints (`require_reason`, `row_limit`, `statement_timeout_ms`, allow/deny schemas, time windows).
- πŸ“Š **Synchronous audit log** β€” user, SQL, reason, row count, duration, outcome. Hot retention in Postgres, optional S3/GCS/Azure archive, OTLP/syslog/stdout sinks.
- 🐳 **Boring deployment** β€” `docker pull` + one YAML file + one Postgres.

---

## 🚧 Status

**v1.1.1 β€” stable.** In production use. Pull it: `docker pull ghcr.io/developerz-ai/db-mcp-gateway:1.1.1` β€” multi-arch (`linux/amd64`, `linux/arm64`). Targets: PostgreSQL and MongoDB (MySQL/MSSQL rejected at boot). See [`docs/deployment/releasing.md`](docs/deployment/releasing.md) for the compatibility policy.

---

## 🎯 Who Should Use This

**For Platform/SRE Teams:** Enable AI agent database access without credential exposure or compliance risk. Complete audit trail with SSO integration.

**For Backend Developers:** Query production databases safely using natural language. No database passwords on your laptop, every query attributed to your identity.

**For Data Analytics:** Self-service access to multiple databases (PostgreSQL, MySQL, MongoDB) through a single interface with built-in resource limits.

**For Security/Compliance:** Centralized database access control with user attribution, query logging, and enforceable constraints (timeouts, row limits, schema filtering).

---

## πŸ’‘ Key Use Cases

- **AI Agent Database Access:** Claude Code agents query production databases for debugging and analysis without ever handling database credentials
- **Analytics Without Direct Access:** Business analysts ask questions in natural language, gateway enforces read-only and resource limits automatically
- **Multi-Database Workflows:** AI agents query across PostgreSQL, MySQL, and MongoDB with unified security and audit trail
- **Production Debugging with Compliance:** On-call engineers investigate incidents with enforced reason logging and time limits

**[Read detailed use cases β†’](docs/use-cases.md)**

---

## ✨ Key Features

**πŸ” Zero-Trust Security:** Database credentials never leave the gateway. No URLs, passwords, or connection strings reach AI agents or developer laptops.

**πŸ‘€ Complete User Attribution:** Every query logged with SSO user identity, SQL statement, reason, timestamp, and results. Full compliance audit trail.

**πŸ›‘οΈ Built-in Safety:** Statement timeouts, row limits, read-only enforcement, and schema filtering prevent runaway queries and accidental data modification.

**πŸ“‹ Git-Based Permissions:** Access control defined in YAML files, reviewed via PR, with complete change history. No admin UI to maintain.

**πŸ€– MCP-Native:** Purpose-built for AI agents with complete tool surface (list databases, describe schema, run queries, explain plans, query history).

**πŸ—οΈ Multi-Database:** Single gateway supports PostgreSQL, MySQL, and MongoDB with consistent security model and unified audit trail.

**[Read complete feature documentation β†’](docs/features.md)**

---

## πŸš€ Quick links

| If you're… | Read |
|---|---|
| πŸ’‘ Trying to understand what this is | [`docs/initial-idea/01-overview.md`](docs/initial-idea/01-overview.md) |
| πŸ› οΈ A developer whose org already runs it | [`docs/usage/first-query.md`](docs/usage/first-query.md) (5-min walkthrough) β†’ [`docs/usage/claude-code.md`](docs/usage/claude-code.md) (reference) |
| πŸ—οΈ A platform/SRE deploying it | [`docs/deployment/quickstart.md`](docs/deployment/quickstart.md) |
| πŸ€– Adding it to a non-Claude MCP client | [`docs/usage/other-agents.md`](docs/usage/other-agents.md) |
| πŸ“¦ Cutting a release | [`docs/deployment/releasing.md`](docs/deployment/releasing.md) |
| 🚫 Wondering what it *won't* do | [`docs/initial-idea/10-non-goals.md`](docs/initial-idea/10-non-goals.md) |
| πŸ—ΊοΈ Tracking what's built vs planned | [`docs/initial-idea/11-roadmap.md`](docs/initial-idea/11-roadmap.md) |
| πŸ“Š Performance benchmarks | [`docs/benchmarks.md`](docs/benchmarks.md) |
| βš–οΈ vs alternatives | [`docs/comparison.md`](docs/comparison.md) |

---

## ⚑ One-minute mental model

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β” MCP/HTTPS β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” pg wire β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ agent β”‚ ──────────────▢ β”‚ gateway β”‚ ────────────▢ β”‚ target β”‚
β”‚ (Claude β”‚ bearer: jwt β”‚ β”‚ ro role per β”‚ DBs β”‚
β”‚ Code) β”‚ ◀────────────── β”‚ authz+audit β”‚ ◀──────────── β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ tool result β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜ result rows β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ state DB β”‚
β”‚ (sessions + β”‚
β”‚ audit log) β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

---

## 🧱 Tech stack

| Concern | Choice |
|---|---|
| Language | Rust (stable) |
| Async runtime | tokio |
| HTTP | axum |
| DB driver | sqlx |
| Config | serde + YAML, validated at boot |
| State store | Postgres (co-deployed) |
| Distribution | OCI image β€” `ghcr.io/developerz-ai/db-mcp-gateway` |

---

## πŸ“¦ Pulling the image

Public on GHCR β€” no auth needed to pull:

```bash
docker pull ghcr.io/developerz-ai/db-mcp-gateway:latest
```

Pinned to a version (recommended in prod):

```bash
docker pull ghcr.io/developerz-ai/db-mcp-gateway:1.1.1
```

Multi-arch (amd64 + arm64). Built reproducibly from a `v*` git tag β€” see [`docs/deployment/releasing.md`](docs/deployment/releasing.md).

---

## 🀝 Adding it to Claude Code

```bash
claude mcp add --transport http db-gateway --scope project https://db.internal.acme.com
```

That's the whole client-side setup. First call triggers SSO. Walk through it end-to-end in [`docs/usage/first-query.md`](docs/usage/first-query.md), or jump to the full reference in [`docs/usage/claude-code.md`](docs/usage/claude-code.md).

---

## πŸ“œ License

MIT. See [`LICENSE`](LICENSE).