Access control & audit

ide99 is designed so the agent cannot perform a dangerous action without you knowing. That means: four permission levels per call, plus a local audit log that's never sent anywhere.

Four buttons in the Allow / Deny dialog

For any MCP tool call, ide99 shows a modal:

Claude Code → run db_query_write
  UPDATE orders SET status='paid' WHERE id IN (123, 456);

[ Allow once ]
[ Allow read-only session ]
[ Allow with confirm for each ]
[ Deny ]

Button	What
Allow once	Allow this exact call. Will ask again next time.
Allow read-only session	For this agent session, allow only read tools (SELECT, EXPLAIN, schema_*). Writes still ask.
Allow with confirm for each	Allow the conversation overall, but EVERY write still requires confirmation.
Deny	Reject the call. The agent gets an error and continues without the data.

A session = the time the client is connected. Closing Claude Code or disconnecting the MCP server resets all permissions.

What ALWAYS requires confirmation

These tools can never be "pre-approved" by any of the buttons above — they always show a separate dialog:

db_drop — DROP TABLE / INDEX / VIEW
db_truncate — TRUNCATE
pg_terminate_backend — kill someone's session
Any db_query_write against a connection with prod env — even after Allow read-only session, these go through confirmation

On a prod connection, db_drop requires you to type the table name for confirmation, just like in the regular form.

Connection read-only mode and MCP

If Read-only is on in the connection form, the MCP agent physically cannot write through ide99. Even if you accidentally clicked Allow — the Postgres driver in ide99 fails with read-only transaction. Last line of defense.

Authorized clients

Settings → AI / MCP → Authorized clients shows connection list:

Field	Meaning
Name	Self-reported client name: "Claude Code on Mac", "Cursor", "Windsurf"
First connected	When it first connected
Last activity	Last tool call
Pre-approved tools	List of tools you Allowed for the current session
Revoke	Revoke the session: connection drops, all pre-approvals reset

After Revoke, the client must reconnect (typically auto), and ide99 shows a dialog on the first call of any tool.

Audit log

Every MCP call is written to mcp-audit.log — a local JSONL file.

OS	Path
macOS	`~/Library/Application Support/ide99/mcp-audit.log`
Linux	`~/.config/ide99/mcp-audit.log`
Windows	`%APPDATA%\ide99\mcp-audit.log`

Sample line:

{
  "ts": "2026-05-22T12:13:14.567Z",
  "client": "claude-code",
  "client_id": "0c9b...",
  "tool": "db_query_write",
  "args": {"sql": "UPDATE orders SET status='paid' WHERE id IN (123, 456);"},
  "connection": "db_prod",
  "decision": "allow_once",
  "duration_ms": 42,
  "rows_affected": 2
}

The log file rotates when it exceeds 50 MB — older rotations as .1.gz, .2.gz, etc. You can open it directly from ide99: Settings → AI / MCP → Open audit log.

What's NOT in the log

Result row contents. Only count.
Agent prompts and LLM-provider responses (those are in your client's logs, not ide99's).
Encrypted values (passwords from pg_authid, etc.).

What to do if the agent acts strangely

Open the audit log: see the last 100 calls — what the agent attempted and what your decision was.
If you see a suspicious Allow — Revoke the client in Authorized clients. That resets pre-approvals.
While debugging, switch the connection to Read-only — even if the agent tries to write, Postgres refuses.

MCP in ide99 — which 20 tools are available.
Connect AI clients — Claude Code / Cursor / Windsurf configs.
Privacy & telemetry — what ide99 sends out (spoiler: nothing without your permission).