An MCP for your Postgres DB | POSETTE: An Event for Postgres 2026

Name: An MCP for your Postgres DB | POSETTE: An Event for Postgres 2026
Uploaded: 2026-06-16T20:50:48+00:00
Description: Pamela Fox presents a practical design discussion on building Model Context Protocol (MCP) servers for PostgreSQL, focusing on how tool interfaces affect...

2 days ago by Pamela Fox

Pamela Fox presents her POSETTE 2026 talk on designing Model Context Protocol (MCP) servers for PostgreSQL, with a focus on how MCP tool design choices affect how reliably and safely LLMs translate user intent into SQL.

Overview

What MCP is (Model Context Protocol)

MCP is an open standard for connecting LLMs to external systems via explicit, discoverable tools.
In the database context, an MCP server can expose a PostgreSQL database through tools that the model can call.

Demo: querying a database with a GitHub Copilot agent

The talk includes a demo of querying a database using a GitHub Copilot agent.

MCP server design spectrum: exploratory vs operational

The talk frames MCP database tools along a spectrum:
- Exploratory designs prioritize flexibility (but can increase risk).
- Operational designs prioritize safety and predictability (but can reduce flexibility).

Common failure modes when LLMs interact with databases

Pamela Fox highlights several recurring problems that show up when LLMs generate or execute database queries:

SQL injection risks when user input is incorporated unsafely.
Accidental mutations, such as unintended DELETE or UPDATE operations.
Unbounded or expensive queries that can be slow or costly.
Intent mismatch, where the SQL executed doesn’t match what the user meant.

Tool argument styles: free-form SQL vs structured inputs

The talk compares multiple approaches to MCP tool design for PostgreSQL:

Free-form SQL tools
- Maximum flexibility.
- Higher risk (injection, mutations, unpredictable query shapes).
Read-only SQL tools
- Restrict operations to SELECT to reduce mutation risk.
Fully-typed tools
- Use structured, typed inputs instead of raw SQL.
- Emphasizes safety and predictability by constraining what the model can request.

Using elicitation to improve safety and success

The talk discusses using MCP elicitation to ask the user for clarification/confirmation in ambiguous or risky scenarios.
This is positioned as a way to reduce incorrect or dangerous tool calls when intent is unclear.

Tool selection challenges (multiple tables or databases)

When an MCP server exposes multiple tools (for multiple tables or databases), the model has to reliably choose the right tool.
The talk explores the “tool selection problem” and how MCP server design can help or hinder correct tool choice.

Video chapters

00:00 – Music & introduction
01:02 – Demo: querying a database with GitHub Copilot agent
01:57 – What is MCP (Model Context Protocol)?
02:51 – MCP server design spectrum (exploratory vs operational)
03:29 – Free-form SQL: maximum flexibility & risk
05:01 – Addressing problems: schema scaling & mutations
07:58 – Read-only SQL: only allowing selects
13:26 – Fully-typed tools: maximum safety
15:22 – Using elicitation for user confirmation
17:19 – Tool selection: challenges with multiple tools
21:46 – Choosing the right MCP approach