Merge pull request #114 from diksipav/112-exclude-mutating-tools-in-read-mode

Disable mutating tools in read-only mode

Author: gregnr

README.md

@@ -51,7 +51,7 @@ Replace `<personal-access-token>` with the token you created in step 1. Alternat
 
 The following options are available:
 
-- `--read-only`: Used to restrict the server to read-only queries. Recommended by default. See [read-only mode](#read-only-mode).
+- `--read-only`: Used to restrict the server to read-only queries and tools. Recommended by default. See [read-only mode](#read-only-mode).
 - `--project-ref`: Used to scope the server to a specific project. Recommended by default. If you omit this, the server will have access to all projects in your Supabase account. See [project scoped mode](#project-scoped-mode).
 - `--features`: Used to specify which tool groups to enable. See [feature groups](#feature-groups).
 
@@ -150,7 +150,18 @@ To restrict the Supabase MCP server to read-only queries, set the `--read-only`
 npx -y @supabase/mcp-server-supabase@latest --read-only
 ```
 
-We recommend you enable this by default. This prevents write operations on any of your databases by executing SQL as a read-only Postgres user. Note that this flag only applies to database tools (`execute_sql` and `apply_migration`) and not to other tools like `create_project` or `create_branch`.
+We recommend enabling this setting by default. This prevents write operations on any of your databases by executing SQL as a read-only Postgres user (via `execute_sql`). All other mutating tools are disabled in read-only mode, including:
+`apply_migration`
+`create_project`
+`pause_project`
+`restore_project`
+`deploy_edge_function`
+`create_branch`
+`delete_branch`
+`merge_branch`
+`reset_branch`
+`rebase_branch`
+`update_storage_config`.
 
 ### Feature groups