Read only cli commands #156
nathanjcochran
left a comment
Left two minor comments, but overall LGTM! ✅
| // CheckReadOnly returns ErrReadOnly if read-only mode is enabled. Callers | ||
| // should invoke this before any destructive API call. | ||
| func CheckReadOnly(cfg *config.Config) error { | ||
| if cfg != nil && cfg.ReadOnly { |
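Review bot: on the `if cfg != nil && cfg.ReadOnly {` line, the nil guard makes the check fail open: with a nil cfg the condition is false and the ErrReadOnly branch is skipped, so a config that failed to load is treated as writable. Either drop the guard so callers must pass a loaded config, or return an error for a nil cfg, and state the chosen behaviour in the doc comment.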
In what case would cfg be nil? It looks like the prior version of this function (which was moved here from the ./internal/tiger/mcp package) always assumed cfg was non-nil (which makes sense to me - I believe we usually error-out if we can't load the config). Just want to make sure we don't end up silently ignoring an error that caused the config to not load, and reporting that read-only mode is not enabled (when it actually might be).
You're right. Every caller passes cfg.Config from a successful common.LoadConfig, which already errors out on load failure, so we never reach this with a nil cfg. Dropping the check 👍
The read_only config flag previously only refused destructive Tiger MCP tool calls. Extend it to the equivalent CLI commands (service create, fork, start, stop, resize, update-password, delete) so a single config flip prevents accidental mutation through either entry point. CheckReadOnly + ErrReadOnly move from internal/tiger/mcp/errors.go to internal/tiger/common/errors.go so both packages share them.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tiger db connect and tiger db connection-string now OR the --read-only flag with the global read_only config option, so flipping the config on guarantees that any database session opened through the CLI is opened with the tsdb_admin.read_only_connection GUC — matching how the db_execute_query MCP tool already behaves.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
323e806 to 228eb73
Extend read-only mode enforcement to CLI commands and DB connections
Previously, read-only mode only blocked MCP tool calls. This PR extends the gate to:
- common.CheckReadOnly before any API request
- --read-only flag with cfg.ReadOnly, so the global config forces read-only PostgreSQL sessions even without the flag

@ggodeke requested the change, we prefer a more locked-down experience in the tiger CLI compared to ghost
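A fail-closed variant of the gate discussed in this thread, as an added example that is not the PR's code. `Config`, `ErrNoConfig`, `GuardService` and `SessionReadOnly` are hypothetical names, and treating a nil config as an error is an assumption of this example, not the behaviour the PR settled on.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the project's config type and sentinel errors.
type Config struct{ ReadOnly bool }

var ErrReadOnly = errors.New("read-only mode is enabled")
var ErrNoConfig = errors.New("config not loaded")

// destructive holds the service subcommands the commit message lists.
var destructive = map[string]bool{
	"create": true, "fork": true, "start": true, "stop": true,
	"resize": true, "update-password": true, "delete": true,
}

// CheckReadOnly fails closed: a missing config is an error, never "writable".
func CheckReadOnly(cfg *Config) error {
	if cfg == nil {
		return ErrNoConfig
	}
	if cfg.ReadOnly {
		return ErrReadOnly
	}
	return nil
}

// GuardService gates one service subcommand before any API request is made.
func GuardService(cfg *Config, sub string) error {
	if !destructive[sub] {
		return nil
	}
	return CheckReadOnly(cfg)
}

// SessionReadOnly ORs the per-command flag with the global option, so the
// config can force a read-only session but the flag can never relax it.
func SessionReadOnly(cfg *Config, flag bool) bool {
	return flag || cfg == nil || cfg.ReadOnly
}

func main() {
	cfg := &Config{ReadOnly: true}
	fmt.Println(GuardService(cfg, "list"), GuardService(cfg, "fork"))
	fmt.Println("db connect read-only:", SessionReadOnly(cfg, false))
}
```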