Part of the Governed Agent Stack: free, on-prem building blocks for an AI agent you can point at a real database and audit.
Read-only Model Context Protocol server for SQL databases. Lets LLMs (Claude, Cursor, ChatGPT, Continue) introspect and query SQL Server, Postgres, and SQLite with a layered safety stack:
- Connection-level read-only:
pyodbc readonly=True, PostgresSET TRANSACTION READ ONLY - AST validation: sqlglot parses every query and rejects anything that isn't a
SELECT(catches DML smuggled in CTEs) - Linter pass: sql-sop checks every query and rejects error-severity findings; warnings are surfaced to the LLM as advisory output
- Role-based access (optional): query-warden blocks tables and columns outside the asker's role when a policy is configured
Multi-server: configure several databases in one servers.yaml, the LLM picks which one to target per call.
| Tool | Purpose |
|---|---|
list_servers() |
Enumerate configured servers + their dialect |
list_databases(server?) |
List databases on a server |
list_tables(server?, database?, schema?) |
List tables, optionally filtered by schema |
describe_table(table, server?, schema?) |
Columns, types, nullability, defaults |
get_table_sample(table, n=10, server?, schema?) |
Quick SELECT TOP n / LIMIT n |
run_query(sql, server?) |
Execute arbitrary SELECT through the layered safety stack |
explain_query(sql, server?) |
Return execution plan (engine-specific) |
search_objects(query, server?) |
Find tables and columns by name fragment |
All tools accept an optional server to target a specific entry from servers.yaml. Default server is used when omitted.
You can log every run_query to an append-only file, so later you can see what an agent actually ran and how it turned out. The server writes the record, not the model.
Off by default. Switch it on with agent-blackbox:
pip install "sql-explorer-mcp[audit]"
export SQL_EXPLORER_AUDIT_DB=/path/to/audit.db # log each run_query here
export SQL_EXPLORER_AUDIT_HASH=1 # optional: store a hash of the SQL, not the textEach row keeps the SQL, the server, the outcome (ok, blocked or error), row count and timing. If the variable isn't set, or agent-blackbox isn't installed, it does nothing. Read it back with agent-blackbox verify, stats or export.
Restrict which tables and columns a role may query. The role check runs after the linter and before execution, so out-of-role access is blocked before it reaches the database.
Off by default. Switch it on with query-warden:
pip install "sql-explorer-mcp[rbac]"
export SQL_EXPLORER_POLICY=/path/to/policy.yaml # query-warden role policy
export SQL_EXPLORER_ROLE=operator # the role to enforceIf the variable isn't set, or query-warden isn't installed, it does nothing. See query-warden for the policy format.
Mask PII in the rows a query returns, before they go back to the model: the agent sees <EMAIL_ADDRESS> or <PERSON>, not the real values.
Off by default. Switch it on with pii-veil:
pip install "sql-explorer-mcp[mask]"
export SQL_EXPLORER_MASK=1 # mask PII in result rows
export SQL_EXPLORER_MASK_COLUMNS=customer,email # optional: only these columnspii-veil uses Microsoft Presidio when it's installed, with a regex fallback otherwise. If masking isn't enabled or pii-veil isn't installed, rows are returned unchanged.
pip install sql-explorer-mcp
# or
pipx install sql-explorer-mcpFor SQL Server, install Microsoft ODBC Driver 18. Postgres and SQLite drivers ship as dependencies.
Copy servers.example.yaml to servers.yaml and edit. Passwords are read from environment variables, never stored in the file.
default_server: lab
servers:
lab:
dialect: mssql
host: localhost
port: 1433
database: BusinessLab
auth: sql
username: sa
password_env: SQL_EXPLORER_LAB_PASSWORD
production:
dialect: mssql
host: BUSINESS-SQL
database: SI
auth: windows # uses Trusted_Connection
max_rows: 500
warehouse:
dialect: postgres
host: db.internal
database: warehouse
username: readonly
password_env: WAREHOUSE_PG_PASSWORDThe config file is searched in this order:
$SQL_EXPLORER_CONFIGif set./servers.yaml(current directory)~/.sql-explorer-mcp/servers.yaml
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (Mac) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"sql-explorer": {
"command": "sql-explorer-mcp",
"env": {
"SQL_EXPLORER_CONFIG": "/full/path/to/servers.yaml",
"SQL_EXPLORER_LAB_PASSWORD": "your-lab-password"
}
}
}
}Restart Claude Desktop. The seven tools appear under Settings → Tools.
Add to .cursor/mcp.json:
{
"mcpServers": {
"sql-explorer": {
"command": "sql-explorer-mcp",
"env": { "SQL_EXPLORER_CONFIG": "/full/path/to/servers.yaml" }
}
}
}sql-explorer-mcpReads stdin/stdout in MCP protocol. Use the MCP Inspector to test interactively:
npx @modelcontextprotocol/inspector sql-explorer-mcpLLM submits SQL
│
▼
┌──────────────────┐
│ Layer 2 (sqlglot)│ Parse, reject if not exactly one SELECT
└────────┬─────────┘ Catches: INSERT, UPDATE, DELETE, MERGE, EXEC,
│ CREATE, DROP, ALTER, smuggled DML in CTEs,
│ multiple statements
▼
┌──────────────────┐
│ Layer 3 (sql-sop)│ Lint, reject if any error-severity findings
└────────┬─────────┘ Warnings (W*) returned as advisory output,
│ don't block execution.
▼
┌──────────────────┐
│ Layer 1 (driver) │ pyodbc readonly=True / Postgres SET TXN READ ONLY
└────────┬─────────┘ Final defence at the protocol layer.
▼
Database
│
▼
Result rows (capped at server.max_rows)
Failure at any layer returns a structured result the LLM can read and react to:
{
"passed": false,
"layer": "select-only",
"reason": "Forbidden statement type in query: Delete"
}- Read-only by enforcement, not convention. A misconfigured login isn't your only protection.
- Multi-engine from day 1. Same tool surface across SQL Server, Postgres, SQLite. Same
servers.yaml. - Multi-server in one process. Switch between lab and production by passing
server="production"instead of restarting. - Linter-aware. Uses sql-sop to flag patterns that compile fine but signal poor query habits (SELECT *, unbounded queries, etc.).
- Result caps. Every tool clamps row counts (max 1000 default) so a curious LLM can't pull 100k rows into context.
| Server | Dialects | Read-only | Linter pass | Multi-server |
|---|---|---|---|---|
| sql-explorer-mcp | mssql, postgres, sqlite | ✓ (3 layers) | ✓ via sql-sop | ✓ |
| various community mssql-mcp | mssql | depends | ✗ | usually ✗ |
| various postgres-mcp | postgres | depends | ✗ | usually ✗ |
git clone https://github.com/Pawansingh3889/sql-explorer-mcp
cd sql-explorer-mcp
pip install -e ".[dev]"
pytest -vMIT