Database architecture skills, docs, and rules for high-demand multi-tenant commerce platforms (PostgreSQL source of truth, Neo4j as derived GraphRAG projection, transactional outbox, RLS-based tenant isolation). Includes live schema introspection workflow via Postgres MCP.
The agent expects a Postgres MCP server exposing read-only tools.

- postgres-mcp-pro (Crystal DBA): preferred; supports `--access-mode=restricted`
- pgEdge Postgres MCP: read-only by default; `?read_only=true`
- @modelcontextprotocol/server-postgres: archived July 2025 with a SQL injection CVE

Give the server its own role that can only read:

```sql
CREATE ROLE mcp_readonly LOGIN PASSWORD '...';
GRANT CONNECT ON DATABASE your_db TO mcp_readonly;
GRANT USAGE ON SCHEMA public TO mcp_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mcp_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO mcp_readonly;
ALTER ROLE mcp_readonly SET default_transaction_read_only = on;
ALTER ROLE mcp_readonly SET statement_timeout = '5s';
ALTER ROLE mcp_readonly SET idle_in_transaction_session_timeout = '10s';
```

`default_transaction_read_only` is a session-level setting that any client can switch off with `SET`, so treat it as a guard against accidental writes; the SELECT-only grants are what actually prevent them. The two timeouts bound how long one introspection query, or an abandoned transaction, can hold resources.

MCP client configuration:

```json
{
  "mcpServers": {
    "postgres-mcp-pro": {
      "command": "uvx",
      "args": ["postgres-mcp", "--access-mode=restricted"],
      "env": {
        "DATABASE_URI": "${env:READONLY_DATABASE_URL}"
      }
    }
  }
}
```

Connection string lives in the env var, never in the committed file. Production introspection targets a read replica.
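A pre-commit check for the two properties the configuration above relies on (restricted access mode, and a connection string that is an environment reference rather than a literal URI). This is an added example, not part of the skill package or of postgres-mcp-pro; it assumes the `mcpServers` JSON shape shown above, and the sample configs inside it are constructed.

```python
"""Lint an MCP client config for the Postgres server's safety properties.

Added example (not the skill package's own code). Assumes the
`mcpServers` JSON layout shown on the page; sample configs are constructed.
"""
import json
import re

# The ${env:NAME} interpolation form used in the config above.
ENV_REF = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")
# A value that is itself a Postgres URI has no business in a committed file.
LITERAL_URI = re.compile(r"^postgres(ql)?://", re.IGNORECASE)


def lint_mcp_config(text: str) -> list[str]:
    """Return a list of findings for the Postgres MCP server entries.

    An empty list means every Postgres server entry is started in restricted
    mode and takes its connection string from an environment reference.
    Non-Postgres servers are skipped.
    """
    findings: list[str] = []
    cfg = json.loads(text)
    for name, server in cfg.get("mcpServers", {}).items():
        args = [str(a) for a in server.get("args", [])]
        env = server.get("env", {})
        blob = " ".join([str(server.get("command", "")), *args]).lower()
        if "postgres" not in blob and "postgres" not in name.lower():
            continue  # only the Postgres server is in scope here

        if "--access-mode=restricted" not in args:
            findings.append(f"{name}: not started with --access-mode=restricted")

        # Some servers take the URI positionally; a literal one is a leak either way.
        for a in args:
            if LITERAL_URI.match(a):
                findings.append(f"{name}: literal connection string passed as an argument")

        uri = env.get("DATABASE_URI")
        if uri is None:
            findings.append(f"{name}: DATABASE_URI not set in env")
        elif LITERAL_URI.match(str(uri)):
            findings.append(f"{name}: DATABASE_URI is a literal connection string, not an env reference")
        elif not ENV_REF.match(str(uri)):
            findings.append(f"{name}: DATABASE_URI should be a ${{env:NAME}} reference")
    return findings


# Constructed sample: the shape recommended above.
GOOD_CONFIG = json.dumps({
    "mcpServers": {
        "postgres-mcp-pro": {
            "command": "uvx",
            "args": ["postgres-mcp", "--access-mode=restricted"],
            "env": {"DATABASE_URI": "${env:READONLY_DATABASE_URL}"},
        }
    }
})

# Constructed sample: unrestricted mode and a credential committed in the file.
BAD_CONFIG = json.dumps({
    "mcpServers": {
        "postgres-mcp-pro": {
            "command": "uvx",
            "args": ["postgres-mcp"],
            "env": {"DATABASE_URI": "postgresql://app:hunter2@db.internal:5432/shop"},
        }
    }
})


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        problems = lint_mcp_config(cfg)
        print(f"{label}: {'clean' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run it against the committed `mcp.json` in CI and fail the build on any finding; the regex for `${env:NAME}` is strict on purpose, so a half-interpolated value such as `postgresql://${env:DB_PASSWORD}@...` is still reported as a literal URI.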
Repository layout:

- docs
- skills
  - adr-drafting
  - commerce-database-architecture
  - graph-rag-boundary-review
  - mermaid-diagram-review
  - outbox-and-eventing-design
  - postgres-schema-introspection
  - schema-evolution-workflow