Read only cli commands #156
The read_only config flag previously only refused destructive Tiger MCP tool calls. Extend it to the equivalent CLI commands (service create, fork, start, stop, resize, update-password, delete) so a single config flip prevents accidental mutation through either entry point. CheckReadOnly + ErrReadOnly move from internal/tiger/mcp/errors.go to internal/tiger/common/errors.go so both packages share them.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
tiger db connect and tiger db connection-string now OR the --read-only flag with the global read_only config option, so flipping the config on guarantees that any database session opened through the CLI is opened with the tsdb_admin.read_only_connection GUC — matching how the db_execute_query MCP tool already behaves.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
nathanjcochran
left a comment
Left two minor comments, but overall LGTM! ✅
| // CheckReadOnly returns ErrReadOnly if read-only mode is enabled. Callers | ||
| // should invoke this before any destructive API call. | ||
| func CheckReadOnly(cfg *config.Config) error { | ||
| if cfg != nil && cfg.ReadOnly { |
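Review bot: the cfg != nil guard in CheckReadOnly makes the gate fail open, because a nil config returns nil, the same result as read-only mode being off. Either drop the nil check if every caller passes a loaded config, or return an error for a nil cfg, so a config that failed to load cannot let a destructive call through; the doc comment should also say what a nil cfg means.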
In what case would cfg be nil? It looks like the prior version of this function (which was moved here from the ./internal/tiger/mcp package) always assumed cfg was non-nil (which makes sense to me - I believe we usually error-out if we can't load the config). Just want to make sure we don't end up silently ignoring an error that caused the config to not load, and reporting that read-only mode is not enabled (when it actually might be).
| The global read_only config option (or TIGER_READ_ONLY=true) also forces this | ||
| behavior, so connection strings produced while read-only mode is on always | ||
| open read-only sessions. |
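Review bot: the added help text says the read_only option (or TIGER_READ_ONLY=true) "also forces this behavior" but does not say how it combines with the --read-only flag. Since the two are OR'd, consider stating that the flag can only turn read-only on for a session and cannot turn it off while the config option is set.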
Should we include a similar note in the tiger db connect description/help text? That command's help text doesn't include much about read-only mode at all, except for one example of using the --read-only flag.
Extend read-only mode enforcement to CLI commands and DB connections
Previously, read-only mode only blocked MCP tool calls. This PR extends the gate to:
- common.CheckReadOnly before any API request
- --read-only flag with cfg.ReadOnly, so the global config forces read-only PostgreSQL sessions even without the flag
@ggodeke requested the change, we prefer a more locked-down experience in the tiger CLI compared to ghost
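The gate described in the summary, written to fail closed on the nil-config case raised in review, as an added Go example that is not the project's code. Config, CheckReadOnlyStrict, ErrConfigNotLoaded, RunService and SessionReadOnly are hypothetical names, and treating a nil config as read-only is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// Config is a hypothetical stand-in for the CLI config; only ReadOnly is modelled.
type Config struct{ ReadOnly bool }

var (
	ErrReadOnly        = errors.New("read-only mode is enabled")
	ErrConfigNotLoaded = errors.New("config not loaded") // assumed name, not from the PR
)

// CheckReadOnlyStrict fails closed: a nil config is an error, never "not read-only".
func CheckReadOnlyStrict(cfg *Config) error {
	if cfg == nil {
		return ErrConfigNotLoaded
	}
	if cfg.ReadOnly {
		return ErrReadOnly
	}
	return nil
}

// destructive holds the service subcommands listed in the commit message.
var destructive = map[string]bool{"create": true, "fork": true, "start": true,
	"stop": true, "resize": true, "update-password": true, "delete": true}

// RunService checks the gate first, so a refused command never reaches the API.
func RunService(cfg *Config, sub string, api func() error) error {
	if destructive[sub] {
		if err := CheckReadOnlyStrict(cfg); err != nil {
			return fmt.Errorf("service %s: %w", sub, err)
		}
	}
	return api()
}

// SessionReadOnly ORs the flag with the global option; a nil config counts as read-only.
func SessionReadOnly(cfg *Config, flag bool) bool {
	return flag || cfg == nil || cfg.ReadOnly
}

func main() {
	err := RunService(&Config{ReadOnly: true}, "delete", func() error { return nil })
	fmt.Println(err) // the wrapped ErrReadOnly; the API callback was never invoked
}
```

Callers can tell the two refusals apart with errors.Is, which keeps a config-load failure from being reported as "read-only is off".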