PII Redaction?

[bericp1]

One thing I've been struggling with putting MCP in front of data sources containing production data for internal teams to use is redaction of PII so folks who shouldn't be able to view the PII of users can still generally interact with the database in a read-only way with PII redacted. Has anyone handled this problem in a way they're happy with?

[ahammednibras8]

My solution is Column-Level Allowlisting enforced at the application layer.

The Solution: Zero Trust Schema Guard

Instead of trying to "redact" data after fetching it, we prevent the PII from
ever being queried.

1. Explicit Allowlisting: We define a configuration (e.g., security.yaml)
   that explicitly lists only the safe columns for each table. Everything else
   is denied by default.

   users:
       - id
       - loyalty_tier
       # email, phone, address are OMITTED, so they are invisible

2. AST Interception: We don't just pass SQL strings to the database. We
   parse every request into an Abstract Syntax Tree (AST).

3. Query Rewriting:

   • If an agent runs SELECT * FROM users, our middleware intercepts it and
     rewrites the query to SELECT id, loyalty_tier FROM users. The PII columns
     are never even requested from the database.
   • If an agent explicitly runs SELECT email FROM users, the middleware
     detects that email is not in the allowlist and rejects the query
     instantly before it touches the DB connection.

This approach ensures that even if the underlying database user technically has
SELECT rights (which is often the case with legacy roles), the Agent is
physically incapable of retrieving PII.