feat: MCP safety annotations + privacy policy for directory submissions #387

Merged
ajitpratap0 merged 2 commits into main from feat/phase1-promotion-prep
Mar 15, 2026

@ajitpratap0
Owner

Summary

Prerequisites for Phase 1 promotion - getting listed on awesome-go, Anthropic MCP Directory, and awesome-mcp-servers.

MCP Safety Annotations

Added to all 7 tools in pkg/mcp/server.go:

  • readOnlyHint: true (all tools only parse/analyze SQL)
  • destructiveHint: false (never destructive)
  • idempotentHint: true (same input = same output)
  • openWorldHint: false (no external side effects)

Required by the Anthropic MCP Directory Policy - "a hard requirement derived from the MCP Directory Policy."

Privacy Policy Page

New page at gosqlx.dev/privacy/ covering:

  • Website: static, no analytics, no tracking
  • WASM Playground: all parsing in-browser, nothing sent to servers
  • Remote MCP Server: stateless, no query logging, IP rate-limit data cleared after 10min
  • VS Code Extension: runs locally, no telemetry
  • Third-party service links (GitHub, Render)
  • Footer link added

Required by Anthropic MCP Directory submission.

🤖 Generated with Claude Code

Ajit Pratap Singh and others added 2 commits March 15, 2026 23:58
…bmission

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude

claude bot commented Mar 15, 2026

Claude finished @ajitpratap0's task —— View job


Comprehensive PR Review

I've completed a thorough review of PR #387. This is a well-executed implementation that adds required safety annotations for Anthropic MCP Directory submission and includes a professional privacy policy page.

Todo List

  • Read repository CLAUDE.md for context
  • Review MCP safety annotations in pkg/mcp/server.go
  • Review privacy policy implementation in website/src/pages/privacy.astro
  • Review footer changes in website/src/components/Footer.astro
  • Analyze code quality and best practices
  • Check for potential bugs and security concerns
  • Evaluate performance considerations
  • Assess test coverage needs
  • Provide comprehensive feedback

Overall Assessment: LGTM

This PR is ready for merge with some minor suggestions for future enhancement. All changes are correctly implemented and serve their intended purpose for Phase 1 promotion.

Code Quality & Best Practices

Excellent ✅

  • MCP Annotations: All 7 tools properly annotated with correct safety hints:
    • readOnlyHint: true - Accurate since all tools only parse/analyze SQL
    • destructiveHint: false - Correct, no destructive operations
    • idempotentHint: true - Accurate, same input produces same output
    • openWorldHint: false - Correct, no external side effects or network calls
  • Consistency: All tools have identical safety annotations, which is appropriate since they all perform read-only SQL analysis
  • Privacy Policy: Well-structured, comprehensive, and accurately describes the actual data handling practices

Security Analysis

Secure ✅

  • MCP Annotations: The safety annotations accurately reflect the actual behavior of the tools - critical for security-conscious AI assistants
  • Privacy Policy: Correctly states no data collection/logging practices and references appropriate third-party policies
  • No Sensitive Information: No credentials, API keys, or sensitive data exposed

Performance Considerations

Minimal Impact ✅

  • MCP Server: Safety annotations add negligible overhead - they're metadata used by MCP clients during tool selection
  • Website: New privacy page is static content with no JavaScript or external resources

Test Coverage Assessment

Adequate for scope ✅

  • Current Coverage: Existing MCP tests in pkg/mcp/ (9 test files) cover tool registration and server functionality
  • Recommendation: Consider adding a test to verify all 7 tools have the required safety annotations, example:
func TestAllToolsHaveSafetyAnnotations(t *testing.T) {
    cfg := DefaultConfig()
    srv := New(cfg)
    _ = srv // keeps the sketch compiling until the assertions below are written

    // Test would verify each registered tool has all 4 required annotations
    // This ensures compliance with Anthropic MCP Directory requirements
}

Specific Findings

pkg/mcp/server.go:87-90,107-110,132-135,148-151,164-167,180-183,196-199

  • Correctly Applied: All 28 safety annotation calls (7 tools × 4 annotations) are properly applied
  • Accurate Values: Each annotation value correctly reflects the actual tool behavior
  • Compliant: Meets Anthropic MCP Directory Policy requirements

website/src/pages/privacy.astro

  • Comprehensive Coverage: All GoSQLX services properly documented
  • Accurate Claims: Privacy statements match actual implementation (verified against source code)
  • Professional Quality: Well-structured with proper links to third-party policies
  • Accessibility: Good semantic structure with proper headings

website/src/components/Footer.astro:17

  • Proper Integration: Privacy link correctly added to Resources section
  • Consistent Styling: Follows existing footer link patterns

Minor Suggestions (Non-blocking)

  1. Future Enhancement: Consider adding automated tests to ensure safety annotations remain consistent across all tools
  2. Documentation: The new safety annotations could be mentioned in docs/MCP_GUIDE.md for completeness

Validation

I verified this implementation against:

  • ✅ Anthropic MCP Directory Policy requirements
  • ✅ GoSQLX coding standards from CLAUDE.md
  • ✅ Existing MCP server architecture
  • ✅ Privacy policy best practices

Recommendation: Approve and merge - This PR successfully implements all requirements for Phase 1 promotion with high code quality.


@ajitpratap0 ajitpratap0 merged commit 91f5afd into main Mar 15, 2026
22 checks passed
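
An added example, not part of the PR or the GoSQLX code base: a standalone Go check for the four hints listed in the PR description, run over a constructed MCP `tools/list` result (the tool names are placeholders). It reports an absent hint separately from a wrong value, because the MCP specification defines defaults for missing hints (`destructiveHint` and `openWorldHint` default to true).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Values the PR description gives for every tool.
var expected = []struct {
	hint string
	want bool
}{{"readOnlyHint", true}, {"destructiveHint", false}, {"idempotentHint", true}, {"openWorldHint", false}}

// Constructed tools/list result; tool names are placeholders.
const sample = `{"tools":[
 {"name":"tool_ok","annotations":{"title":"OK","readOnlyHint":true,
  "destructiveHint":false,"idempotentHint":true,"openWorldHint":false}},
 {"name":"tool_partial","annotations":{"readOnlyHint":true,"openWorldHint":true}},
 {"name":"tool_bare"}]}`

// AuditTools reports each hint that is absent, non-boolean or unexpected.
// Absent is kept distinct from false: clients apply a default to a missing hint.
func AuditTools(result []byte) ([]string, error) {
	var res struct {
		Tools []struct {
			Name        string         `json:"name"`
			Annotations map[string]any `json:"annotations"`
		} `json:"tools"`
	}
	if err := json.Unmarshal(result, &res); err != nil {
		return nil, fmt.Errorf("decode tools/list result: %w", err)
	}
	var findings []string
	for _, t := range res.Tools {
		for _, e := range expected {
			v, present := t.Annotations[e.hint]
			b, isBool := v.(bool)
			switch {
			case !present:
				findings = append(findings, fmt.Sprintf("%s: %s missing", t.Name, e.hint))
			case !isBool:
				findings = append(findings, fmt.Sprintf("%s: %s is not a boolean", t.Name, e.hint))
			case b != e.want:
				findings = append(findings, fmt.Sprintf("%s: %s=%t, want %t", t.Name, e.hint, b, e.want))
			}
		}
	}
	return findings, nil
}

func main() { fmt.Println(AuditTools([]byte(sample))) }
```

Feeding it the JSON returned by a running server's `tools/list` call turns the annotation requirement into a check that fails when a newly added tool ships without its hints.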