> hypequery

Safety model

Use MCP as a governed capability boundary for agents.

MCP should expose a governed analytics layer, not a database console.

With Hypequery MCP, the agent can only use the datasets and metrics you register. It receives tools for discovery and semantic querying. It does not receive a raw SQL execution tool.

What MCP constrains

  • which datasets are visible
  • which named metrics are callable
  • which dimensions and measures can be requested
  • which filter operators the tool schema accepts
  • query execution through the dataset client
  • tenant scoping when the server is configured with a trusted tenantId

MCP can also expose relationship metadata through schema introspection, but current dataset execution is still same-dataset.

What MCP does not replace

MCP does not replace authentication, authorization, or tenant identity. The stock stdio server receives tool calls from a local MCP client and executes them through the analytics dataset client you provide.

Do not expose a shared multi-tenant MCP server unless the process is already scoped to one tenant. Treat MCP clients as powerful local operators, not public end-user clients.

Safer patterns

Prefer one of these patterns:

  • run MCP for local development or internal admin use only
  • expose only non-sensitive aggregate datasets
  • attach only the named metrics agents should call
  • run a tenant-specific MCP process with tenantId
  • keep sensitive tables out of the exported datasets registry
  • inspect generated SQL in tool response metadata while testing

Registry boundary

The exported datasets registry is the main boundary.

export const datasets = {
  orders: {
    ...Orders,
    metrics: { revenue },
  },
};

If a dataset is not in this object, the MCP server cannot list it, introspect it, or query it.

If a metric is not attached to the dataset registry, the agent cannot call it through query_metric.

Tenant boundary

If registered datasets have tenantKey, the MCP server requires a trusted tenant scope. In the programmatic API, pass tenantId.

await createMCPServer({
  datasets,
  analytics,
  tenantId: 'tenant_123',
});

The server forwards that value into dataset execution as runtime tenant context. Agents should not choose tenant ids through filters.

The hypequery-mcp CLI does not accept a tenantId, so it cannot serve tenant-keyed datasets — startup fails with MCP server tenantId is required for tenant-scoped datasets. Serve multi-tenant datasets through the programmatic createMCPServer({ ..., tenantId }) instead, one process per tenant.

Raw SQL boundary

The MCP server exposes semantic tools:

  • list_datasets
  • get_dataset_schema
  • query_dataset
  • query_metric

It does not expose a generic run_sql tool.

Programmatic usage

Start the Hypequery MCP server from a Node process.

Embedded Runtime

Run hypequery definitions directly inside your application runtime

On this page

What MCP constrainsWhat MCP does not replaceSafer patternsRegistry boundaryTenant boundaryRaw SQL boundary