Absolutely. If the tools were only from Supabase, then yes, you could use Postgres roles. However, most people use a combination of tools (GitHub, Stripe, Linear, etc.), and each has different permission models. I wanted to implement a solution that works generically across tools rather than requiring separate security configurations for each service. This doesn't preclude one from limiting the access scope at the database, though.

For reference, this was the thread that led me to work on this.

https://news.ycombinator.com/item?id=44502318

This was precisely why I posted Tansive on Show HN this morning -

https://news.ycombinator.com/item?id=44499658

MCP is generally a bad idea for stuff like this.