You're viewing a demo portfolio

Join the waitlist
PRSM
This tool is no longer present in the server's latest manifest. Showing the last observed version (server version 0.1.0).

manage_rls

Inactive

Tool of io.github.butterbase-ai/mcp

declared in 0.1.0

Manage Row-Level Security (RLS): enable on tables, create/update/delete policies, list, and one-shot user isolation setup. Actions: - "enable": Enable RLS on a table (foundation — no policies yet) - "create_policy": Create a custom RLS policy with USING / WITH CHECK expressions - "update_policy": Atomically update an existing policy (drops and re-creates in one tx) - "create_user_isolation": One-shot — enable RLS, create policy so users see only their rows, install auto-populate trigger - "list": List all RLS policies for the app (and tables_with_rls without policies) - "delete": Delete one policy (if policy_name set) or ALL policies on the table (and disable RLS) Parameters by action: enable: { app_id, action: "enable", table_name } create_policy: { app_id, action: "create_policy", table_name, policy_name, command?, role?, using_expression?, with_check_expression?, restrictive?, user_column? } update_policy: { app_id, action: "update_policy", table_name, policy_name, command?, role?, using_expression?, with_check_expression?, restrictive? } create_user_isolation: { app_id, action: "create_user_isolation", table_name, user_column, public_read_column? } list: { app_id, action: "list" } delete: { app_id, action: "delete", table_name, policy_name? } Built-in roles (assigned automatically by the platform — you never create them): - butterbase_anon: no auth header → "anon" in policies - butterbase_user: valid end-user JWT → "user" in policies; current_user_id() returns user id - butterbase_service: platform API key → automatic full-access bypass; no policy needed create_policy guidance: - command defaults to ALL. SELECT/DELETE: only using_expression. INSERT: only with_check_expression. UPDATE/ALL: both. - role: omit to apply to all roles, or set "anon" / "user" to scope and prevent cross-role policy leaks. - restrictive: true → policy is AND'd with permissive ones; useful for cross-table checks that must always hold. - user_column: pass to install a BEFORE INSERT trigger that auto-fills the column from current_user_id() — without it, clients must include the column in POST bodies or insert is rejected with AUTH_RLS_POLICY_VIOLATION. - For UUID columns, cast: current_user_id()::uuid Cross-table subqueries pitfall: EXISTS(SELECT 1 FROM other_table WHERE ...) inside a policy runs under the SAME user's RLS context. If other_table has user_isolation, the subquery only sees the current user's rows, even for "public" rows. Fix: add a permissive SELECT policy on the referenced table for the rows the subquery needs, OR use "create_user_isolation" with public_read_column to set this up in one call. create_user_isolation does: 1. Enables RLS on the table 2. User isolation policy (rows where user_column = current_user_id()) 3. Auto-populate trigger for user_column on INSERT 4. Auto service bypass policy 5. If public_read_column set: extra SELECT policies for butterbase_user + butterbase_anon allowing reads where that boolean column is true ("own rows + public read" pattern in one call) delete behavior: - With policy_name: removes that single policy (RLS stays enabled) - Without policy_name: removes ALL policies AND disables RLS — table becomes globally accessible Common errors: - VALIDATION_TABLE_NOT_FOUND: create the table with manage_schema (action: "apply") first - VALIDATION_COLUMN_NOT_FOUND: user_column missing from the table - VALIDATION_INVALID_TYPE: user_column must be UUID or TEXT - RLS_TYPE_MISMATCH: cast types in expressions, e.g. current_user_id()::uuid - RLS_INVALID_EXPRESSION: SQL syntax error - RESOURCE_NOT_FOUND: policy doesn't exist (update_policy) — use create_policy first Idempotency: enable, create_policy, update_policy, create_user_isolation, delete — all safe to retry.

Parameters schema

{
  "type": "object",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "required": [
    "app_id",
    "action"
  ],
  "properties": {
    "role": {
      "enum": [
        "anon",
        "user"
      ],
      "type": "string",
      "description": "create_policy/update_policy. Scope to butterbase_anon or butterbase_user. Recommended."
    },
    "action": {
      "enum": [
        "enable",
        "create_policy",
        "update_policy",
        "create_user_isolation",
        "list",
        "delete"
      ],
      "type": "string",
      "description": "The action to perform"
    },
    "app_id": {
      "type": "string",
      "description": "The app ID"
    },
    "command": {
      "enum": [
        "SELECT",
        "INSERT",
        "UPDATE",
        "DELETE",
        "ALL"
      ],
      "type": "string",
      "description": "create_policy/update_policy. Default: ALL."
    },
    "table_name": {
      "type": "string",
      "description": "Required for enable/create_policy/update_policy/create_user_isolation/delete."
    },
    "policy_name": {
      "type": "string",
      "description": "Required for create_policy/update_policy. Optional for delete (omit to remove ALL policies). Alphanumeric + underscores."
    },
    "restrictive": {
      "type": "boolean",
      "description": "create_policy/update_policy. If true, AS RESTRICTIVE policy (AND with permissive)."
    },
    "user_column": {
      "type": "string",
      "description": "create_policy: install BEFORE INSERT auto-populate trigger. create_user_isolation: required, the user-id column."
    },
    "using_expression": {
      "type": "string",
      "description": "create_policy/update_policy. SQL for USING clause. Required for SELECT/DELETE/ALL/UPDATE."
    },
    "public_read_column": {
      "type": "string",
      "description": "create_user_isolation only. Boolean column — adds SELECT policies for user/anon allowing reads where this is true."
    },
    "with_check_expression": {
      "type": "string",
      "description": "create_policy/update_policy. SQL for WITH CHECK clause. Required for INSERT."
    }
  },
  "additionalProperties": false
}

What this tool wraps· 0 endpoints

min confidence0.700.50

No endpoints wrapped at confidence ≥ 0.70.

Parent server

io.github.butterbase-ai/mcp

https://github.com/butterbase-ai/butterbase-oss

1/7 registries
View full server →