Multi-Tenancy Support: Scoping MCP Queries to Tenant ID via RLS Session Variables

[bruceHansen]

I'm integrating the Postgres MCP server into a multi-tenant Ruby on Rails application, where each LLM/agent query (via tools like execute_sql) needs to be automatically scoped to a specific company's company_id (UUID) for security and isolation. This is to enable safe, agent-driven database interactions without exposing tenant-specific data across boundaries.

Quick Background
Use Case: Rails app with shared Postgres DB, tables like users and orders have a company_id column. Queries come from a chat agent that calls MCP remotely.

Current Limitation: execute_sql takes raw SQL, so without modifications, agents could generate unscoped queries.

My Approach:
Enable Row-Level Security (RLS) on tables with a policy like:

USING (company_id = current_setting('app.current_tenant')::uuid)
WITH CHECK (company_id = current_setting('app.current_tenant')::uuid);

This auto-filters queries without changing SQL.

Fork/modify execute_sql to accept an optional tenant_id param (validated UUID), then inject SET LOCAL app.current_tenant = '{tenant_id}' before executing the SQL (and reset after). Keeps it transaction-local to avoid leakage.
Proposed diff (in the tool function):

from typing import Optional
import uuid

async def execute_sql(
    sql: str = Field(description="SQL to run", default="all"),
    tenant_id: Optional[str] = Field(
        description="Tenant/Company ID (UUID) for RLS scoping (optional)",
        default=None,
        regex=r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$',
    )
) -> ResponseType:
    """Executes a SQL query, scoped to tenant_id via session variable."""
    try:
        if tenant_id:
            try:
                uuid.UUID(tenant_id)
            except ValueError:
                return format_error_response(f"Invalid tenant_id: must be a valid UUID")

        sql_driver = await get_sql_driver()
        
        if tenant_id:
            set_sql = f"SET LOCAL app.current_tenant = '{tenant_id}'"
            await sql_driver.execute_query(set_sql)
        
        rows = await sql_driver.execute_query(sql)
        
        if tenant_id:
            await sql_driver.execute_query("RESET app.current_tenant")
        
        if rows is None:
            return format_text_response("No results")
        return format_text_response(list([r.cells for r in rows]))
        
    except Exception as e:
        logger.error(f"Error executing query for tenant {tenant_id}: {e}")
        return format_error_response(str(e))

This adds the param to the tool schema for agents to use.
From Rails/agent: Pass tenant_id from current_company.id.

Questions

• Has anyone else implemented multi-tenancy with MCP? (E.g., per-tenant connections, schema isolation, or similar RLS hacks?)
• Any gotchas/best practices for production (e.g., validation against a tenants table, perf impact)?
• Would this be a useful core feature? If so, should I clean it up and open a PR? Happy to iterate!