The Data Masking MCP feature plugin helps users plan, review, apply, and validate data masking rule changes for ShardingSphere-Proxy logical databases. Mask rules apply directly to logical columns. This feature only generates and applies masking rule DistSQL. It does not generate physical DDL, index suggestions, data migration, or extra probing SQL.
runtimeDatabases should point to Proxy logical databases, not physical storage databases.

Users describe the masking goal in an AI application that integrates ShardingSphere-MCP.
Examples:
- <logic-database>.orders.phone already has a masking rule.
- <logic-database>.orders.phone, keep the first 3 and last 4 characters, and preview it without execution.
- * as the replacement character.

Users should review masking rule DistSQL, algorithm properties, and side-effect scope before approving any side-effecting execution.
When using natural language, include the following information when possible:
| Information | Description | Example |
|---|---|---|
| Logical database, table, and column | Specify the ShardingSphere-Proxy logical object to configure. | “Configure masking for <logic-database>.orders.phone.” |
| Schema or namespace | Recommended for multi-schema logical databases. | “The schema is public.” |
| Operation type | Create, alter, or drop a masking rule. | “Create a masking rule” or “drop the masking rule for this column.” |
| Masking goal | Describe retained characters, replacement characters, or other masking effects. | “Keep the first 3 and last 4 phone-number characters, and replace the middle part with *.” |
| Algorithm preference | Specify an algorithm, or let MCP recommend one from algorithms available from Proxy. | “List data masking algorithms available from the current Proxy.” or “Prefer the keep-first-n-last-m algorithm.” |
| Algorithm properties | Provide retained character counts and replacement characters. | “Keep the first 3 and last 4 characters, and use * as the replacement character.” |

| Operation | Natural language example | Content to review |
|---|---|---|
| Create | “Plan phone-number masking for orders.phone and preview it without execution.” | The new masking rule, masking algorithm, and properties. |
| Alter | “Change the previous masking rule to keep the first 3 and last 4 characters.” | The altered masking rule and whether sibling masking columns are preserved. |
| Drop | “Drop the masking rule for orders.phone and preview the impact first.” | Whether the target column rule is dropped and whether sibling masking columns are preserved. |

After a plan is generated, review:
Some masking algorithm parameters may need to be supplied by operators in a controlled way, such as replacement characters or custom algorithm properties. Use a secret reference object in algorithm properties:
```json
{
  "primary_algorithm_properties": {
    "replace-char": {
      "secret_ref": "placeholder://secret-value-1"
    }
  }
}
```
The secret_ref in a placeholder object only marks a sensitive slot for manual replacement.
Planning, preview, execution results, and validation output show only neutral placeholders or ******; they do not echo secret_ref or real sensitive values.
If a rule change still contains sensitive placeholders, automatic execution returns secret_reference_manual_execution_required before any side effects occur. Operators should substitute the real values outside MCP and the AI application, then execute manually.
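The following sketch models the placeholder behaviour described above. It is an added example, not ShardingSphere-MCP code. It finds secret_ref objects in algorithm properties, builds a display copy that shows ****** in their place, and returns secret_reference_manual_execution_required while any placeholder remains. The function names and the first-n/last-m sample properties are assumptions.

```python
# Added illustration, not ShardingSphere-MCP source; function names are hypothetical.
# "secret_ref", "primary_algorithm_properties" and the error code come from the page.
import json

REDACTED = "******"
BLOCK_CODE = "secret_reference_manual_execution_required"

def is_secret_ref(value):
    """True for a placeholder object of the form {"secret_ref": "..."}."""
    return isinstance(value, dict) and "secret_ref" in value

def find_secret_slots(node, path=()):
    """Return the dotted path of every secret_ref placeholder in a plan."""
    if is_secret_ref(node):
        return [".".join(path)]
    slots = []
    if isinstance(node, dict):
        for key, child in node.items():
            slots += find_secret_slots(child, path + (str(key),))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            slots += find_secret_slots(child, path + (str(index),))
    return slots

def redact(node):
    """Return a copy that is safe to display: each placeholder becomes ******."""
    if is_secret_ref(node):
        return REDACTED
    if isinstance(node, dict):
        return {key: redact(child) for key, child in node.items()}
    if isinstance(node, list):
        return [redact(child) for child in node]
    return node

def gate_automatic_execution(plan):
    """Decide, before any side effect, whether automatic execution may proceed."""
    slots = find_secret_slots(plan)
    if slots:
        return {"allowed": False, "error": BLOCK_CODE, "slots": slots}
    return {"allowed": True, "error": None, "slots": []}

# Constructed sample plan shaped like the JSON fragment above; the
# "first-n" and "last-m" entries are assumed properties for illustration.
SAMPLE_PLAN = json.loads("""{"primary_algorithm_properties": {
  "first-n": "3", "last-m": "4",
  "replace-char": {"secret_ref": "placeholder://secret-value-1"}}}""")

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE_PLAN), indent=2))
    print(gate_automatic_execution(SAMPLE_PLAN))
```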
Preview first, then review rule DistSQL and side-effect scope before execution.
| Phase | Natural language example | User focus |
|---|---|---|
| Preview | “Preview the previous masking rule plan without executing it.” | Inspect rule DistSQL, algorithm, and properties before execution. |
| Execute | “Confirm and execute the previous plan.” | Confirm that the side-effecting change has been reviewed. |
| Manual execution | “Export a manual execution package without automatic execution.” | Let operators review and execute in a controlled environment. |
| Validate | “Validate whether the previous masking rule has taken effect.” | Check rule state and workflow execution result. |
For the general review flow of rule changes, see Rule Change Flow.
