DAAM
Alpha
Login Sign Up
Getting Started
Using DAAM
CLIAccess RequestsMCP
Administration
OrganizationsPoliciesData MaskingRow FiltersSingle Sign-OnNotificationsAPI KeysAudit Log
Infrastructure
AgentScopeArchitecture

MCP for AI Coding Agents

daam-cli ships a Model Context Protocol (MCP) server that lets AI coding agents like Claude Code request time-limited database access through the same admin-approved workflow you use yourself. The AI cannot bypass admin approval, cannot run SQL through MCP, and never sees database credentials. It asks for access, an admin reviews it, and once approved the AI connects to a local Postgres port through your existing tunnel.

How It Works

The MCP server is an access broker, not a SQL execution engine. The AI calls MCP tools to discover databases, file an access request with a justification, poll for approval, and get a localhost connection string. Once approved, the AI runs SQL through its own Bash/psql tooling against that local port. Every query continues to flow through the daam-agent, picking up masking, row filters, and audit unchanged.

  • Admin approval is still the only gate. Filing a request via MCP does not grant access: an admin still approves, modifies, or denies it.
  • The MCP server acts as you. It loads your existing OAuth credentials from the CLI credential store and files requests on your behalf. There is no separate AI service identity.
  • Read-only by convention. Tool descriptions nudge the AI toward narrow investigative reads. Admins can still approve write grants for genuine emergencies: the control plane does not server-side reject them.
  • Every request is marked. AI-filed requests carry an origin = "mcp" stamp so admins, emails, webhooks, and audit logs can distinguish them.

Requirements

  • An org with the Access Requests feature (Pro or Enterprise plan). MCP rides the same plan gate as console-filed access requests.
  • An AI client that speaks MCP over stdio. daam-cli mcp install writes the config for Claude Code automatically in v1; any other MCP client (Cursor, Continue, etc.) can use --print to copy the JSON snippet manually.
  • Linux or macOS. Windows is not supported in v1.
  • A daam-cli login on the profile you want the AI to use. Install does not log you in, so run daam-cli login first if you haven't already.

MCP is part of the Access Requests feature and is available on Pro and Enterprise plans. Free organizations can still install daam-cli but the AI's request_access tool will return a feature_disabled error.

Install

Run the install command to register the MCP server with your AI client's config file:

$ daam-cli mcp install
  ✓ Installed daam MCP for Claude Code (profile: <default>, entry: daam)
    Restart Claude Code to use.
    Config: /home/<user>/.config/Claude/claude_desktop_config.json

On macOS the config lives at ~/Library/Application Support/Claude/claude_desktop_config.json. The command is idempotent: re-running it with the same arguments is a no-op.

Flags

FlagDescription
--client claudeAI client whose config to write. v1 supports only claude. To target any other MCP client, use --print.
--profile NAMEdaam profile to bind into the entry. Defaults to your current profile. Useful when you work across multiple organizations.
--name NAMEEntry key inside mcpServers. Defaults to daam. Use a different name when installing multiple profiles into one client.
--printEmit the JSON snippet to stdout and exit, without touching any config file. For Cursor, Continue, and other MCP clients.
--yesNon-interactive: do not prompt before writing.

Manual install for other clients

Run with --print to emit the JSON snippet, then paste it into your client's MCP config:

$ daam-cli mcp install --print
{
  "mcpServers": {
    "daam": {
      "command": "/usr/local/bin/daam-cli",
      "args": ["mcp"]
    }
  }
}

Profile binding is fixed at install time. Switching the active CLI profile (via DAAM_PROFILE or profile set-default) does not affect already-running MCP servers. They continue to use the profile they were installed against. Re-run install --profile other-org with a different --name to register a second profile in the same AI client.

What the AI Can Do

The MCP server exposes eight tools over stdio. Tool descriptions are part of the API contract, and they shape how the AI uses the surface. Full input and output shapes are documented at the Model Context Protocol specification.

ToolPurpose
list_databasesDiscover databases registered in the org.
list_my_accessActive grants, pending requests, and recent decisions. The AI calls this before requesting access to avoid filing duplicates.
describe_schemaCached schema for a database (schemas, tables, columns, types, comments). Available regardless of current access, so the AI can use it to write a precise justification.
refresh_schemaForce the daam-agent to re-introspect the upstream schema. Rate-limited to once per 60 seconds per database.
request_accessFile an access request for admin approval. Required: database and justification. Optional: duration (default 1h, max 8h), tables, row_filter, and per-table column allow-lists.
get_access_requestPoll the status of a filed request: pending, approved, active, denied, cancelled, or expired.
cancel_access_requestWithdraw a pending request when the investigation pivots. Idempotent.
get_connection_stringEnsure a local tunnel is running and return postgresql://localhost:<port>/<db>. Requires an active grant.

SQL itself is run through the AI's existing tooling (Bash + psql) against the localhost connection string. There is no SQL execution surface in MCP. Queries flow through the daam-agent normally, picking up masking, row filters, and audit log entries.

Approval Flow

From your perspective as a developer with an AI assistant:

  1. The AI calls list_databases and describe_schema to understand what's available and which tables it needs.
  2. The AI calls request_access with a justification, target database, optional table/column scope, and duration.
  3. An org admin receives a notification (email, webhook, Slack, etc.) flagged as AI-originated. The email subject is prefixed with [AI agent] and webhook payloads carry "origin": "mcp".
  4. The admin reviews the request in the console. AI-filed requests show a purple MCP badge in the queue and on the request detail page (see the admin-side documentation).
  5. On approval, the AI's polling on get_access_request sees the status flip to active, calls get_connection_string, and connects via psql against localhost.
  6. On expiry, the daam-agent revokes grants. Subsequent queries fail with permission errors. The AI can call list_my_access, see the expiry, and re-request if needed.

Approval may take minutes or hours depending on admin availability. The AI polls with backoff (2s, 5s, 15s, 60s). Long-running requests are normal, not a failure.

Troubleshooting

The single-screen diagnostic is daam-cli mcp doctor. It checks the profile, OAuth token, control plane reachability, AI client config, filesystem permissions, and the local tunnel registry:

$ daam-cli mcp doctor
daam MCP Doctor

Profile:        acme-corp
CLI version:    0.1.0
Control plane:  https://daam.dev (reachable, 38ms, HTTP 200)

Authentication
  ✓ Token present, expires in 47m
  ✓ Refresh token present

AI clients
  ✓ Claude Code (config at /home/<user>/.config/Claude/claude_desktop_config.json)
    └── entry "daam" → /usr/local/bin/daam-cli mcp

Filesystem
  ✓ /home/<user>/.daam (writable)
  ✓ /home/<user>/.daam/tunnels (mode 0700, writable)
  ✓ /home/<user>/.daam/mcp.log (12KB, last write 3m ago)

Tunnels (active)
  (none)

Result: ✓ all required checks passed

Lines beginning with are required failures (doctor exits non-zero). Lines beginning with ! are advisory: a missing AI client config or an empty tunnel registry is normal before first use.

MCP server logs are written to ~/.daam/mcp.log (rotating, 10MB cap, 3 backups). Stdout is reserved for the MCP protocol; every diagnostic message goes to stderr or this file.

Uninstall

Remove the MCP entry from your AI client's config:

$ daam-cli mcp uninstall
  ✓ Removed daam MCP entry "daam" from Claude Code
    Config: /home/<user>/.config/Claude/claude_desktop_config.json

Uninstall is idempotent: removing a missing entry does not touch the file at all. Use --name to target a specific entry when multiple are installed.

Uninstall only removes the AI-client config entry. OAuth credentials, tunnel registry, and the MCP log file under ~/.daam/ are left in place. Remove them manually if you want a clean slate.

Security Model

The MCP server runs locally on your machine and acts as you, loading your OAuth tokens from the daam CLI credential store. There is no separate AI service identity, and no token is ever sent to the AI client.

The trust gate is admin approval of access requests, exactly as it is for human-filed requests. The MCP server itself enforces no access policy. Spoofing the origin = "mcp" marker has no security consequence. It is metadata used for admin UI distinction and observability, not authorization.

What MCP cannot do:

  • Bypass admin approval.
  • Open a tunnel without an active grant.
  • Run SQL through the MCP surface (there is no SQL execution tool).
  • Issue credentials to itself or escalate beyond your existing org membership.

For non-human service identities (CI jobs, cron-driven automation), use API Keys.