
mcp-postgres

Verified Safe

by avantifellows

Overview

Provides a read-only Model Context Protocol (MCP) server for AI tools (like Claude Code, Cursor) to query a PostgreSQL database directly.

Installation

Run Command
avanti-mcp-postgres

Environment Variables

  • AF_DB_HOST
  • AF_DB_PORT
  • AF_DB_USER
  • AF_DB_PASSWORD
  • AF_DB_NAME

Security Notes

The server implements robust read-only enforcement through the `is_read_only` function, which explicitly checks for and blocks all common write/destructive SQL keywords (INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, CREATE, GRANT, REVOKE). This check is applied to all `query` calls and even to the `WHERE` clause in `count_rows`. Database credentials are loaded securely from environment variables, preventing hardcoding. Table and schema names in `sample_data` and `count_rows` are dynamically inserted with identifier quoting to mitigate SQL injection risk, though direct parameterization of identifiers isn't standard in `asyncpg`. No `eval` or similar dangerous dynamic code execution is present. Queries are logged locally.

Stats

  • Interest Score: 55
  • Security Score: 9
  • Cost Class: Medium
  • Avg Tokens: 500
  • Stars: 1
  • Forks: 0
  • Last Update: 2025-12-11

Tags

MCP, PostgreSQL, Database, AI Tools, Read-only