Commit cefe3cf
oraclemcp P1-3: read-only enforcement layers + least-privilege docs
Bead oracle-qmwz.2.3. enforcement.rs: read_only_setup_statements (SET
TRANSACTION READ ONLY at READ_ONLY, layer B) + is_allowed_alter_session (the
§6.5 ALTER SESSION allowlist — NLS/schema/optimizer only, rejects security/
audit context + SET ROLE). docs/oraclemcp/least-privilege.md documents layer A
(the only hard boundary) with the recommended minimal grants + indirect-write
footguns. Layer C (classifier + level gate) already built. Honest caveat on
AUTONOMOUS_TRANSACTION carried. Tests + clippy -D warnings + fmt clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 4b7cb82 commit cefe3cf
4 files changed
Lines changed: 160 additions & 1 deletion
File tree
- .beads
- crates/oraclemcp-guard/src
- docs/oraclemcp
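
The ALTER SESSION allowlist described in the commit message (NLS/schema/optimizer only), sketched as an added Rust example that is not code from this commit or the oraclemcp repository. The names `alter_session_allowed`, `param_allowed`, `value_ok` and `tokenize`, the exact allowlist contents and the sample statements are assumptions; the check covers every `name = value` pair in the statement and rejects anything it cannot parse.

```rust
// Added illustration, not oraclemcp code; names and allowlist contents are assumptions.
/// Parameters treated as harmless, following "NLS/schema/optimizer only".
fn param_allowed(name: &str) -> bool {
    name.starts_with("NLS_") || name.starts_with("OPTIMIZER_") || name == "CURRENT_SCHEMA"
}

/// A value is a quoted literal or a plain identifier/number.
fn value_ok(v: &str) -> bool {
    v.starts_with('\'') || (!v.is_empty() && v.chars().all(|c| c.is_ascii_alphanumeric() || "_.".contains(c)))
}

/// Whitespace separates tokens, '=' stands alone, a quoted literal is one
/// token ('' escapes a quote). None means an unterminated literal.
fn tokenize(sql: &str) -> Option<Vec<String>> {
    let (mut out, mut cur) = (Vec::new(), String::new());
    let mut it = sql.chars().peekable();
    while let Some(c) = it.next() {
        if (c == '\'' || c == '=' || c.is_whitespace()) && !cur.is_empty() {
            out.push(std::mem::take(&mut cur).to_uppercase());
        }
        match c {
            '=' => out.push("=".to_string()),
            '\'' => {
                let mut lit = String::from("'");
                loop {
                    match it.next()? {
                        '\'' if it.peek() == Some(&'\'') => { it.next(); lit.push_str("''"); }
                        '\'' => break,
                        ch => lit.push(ch),
                    }
                }
                out.push(lit + "'");
            }
            c if c.is_whitespace() => {}
            c => cur.push(c),
        }
    }
    if !cur.is_empty() { out.push(cur.to_uppercase()); }
    Some(out)
}

/// Accepts only `ALTER SESSION SET name = value [name = value ...]` with every
/// name allowlisted; anything else, including parse failures, is rejected.
fn alter_session_allowed(sql: &str) -> bool {
    let t = match tokenize(sql) { Some(t) => t, None => return false };
    t.len() >= 6 && t.len() % 3 == 0 && t[0] == "ALTER" && t[1] == "SESSION" && t[2] == "SET"
        && t[3..].chunks(3).all(|c| param_allowed(&c[0]) && c[1] == "=" && value_ok(&c[2]))
}

fn main() { println!("{}", alter_session_allowed("ALTER SESSION SET CONTAINER = PDB1")); }
```

As the commit message says of layer A, a statement filter like this is not the hard boundary; the database grants are.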