Skip to content

MCP server for Delta Lake and Iceberg

DeltaForge ships a built-in MCP server (Model Context Protocol). Plug it into Claude, Cursor, or GitHub Copilot Chat once and those tools can browse your Delta Lake and Iceberg catalog, trace lineage, validate SQL, and inspect pipelines, all under your existing roles and audit log.

Catalog discovery, SQL validation, lineage, pipeline inspection
Scoped tokens, RBAC enforcement, tool-call audit logging
Runs inside your network: the AI sees results, not your storage credentials
Claude Cursor Copilot Your Agent MCP Gateway RBAC+Audit DeltaForge Catalog SQL Engine Lineage Pipelines Audit Log AUDIT TRAIL [09:14:02] claude.tool ALLOW extract_lineage(orders_fact) [09:14:09] copilot.tool DENY drop_table(prod.customers) [scope]

What the tools give the assistant

Not a thin wrapper around execute_sql. Purpose-built tools so the assistant uses typed metadata instead of inventing SQL against tables it has never seen.

Catalog discovery

The assistant can browse zones, schemas, tables, views, columns, row counts, and version history. It writes SQL against your real catalog, not hallucinated column names.

SQL validation and planning

The engine runs the actual DeltaForge parser and returns exact line and column positions for every error. Query plan inspection with row estimates lets the assistant fix plans before you run them.

Lineage and impact analysis

The assistant can trace which pipelines and views depend on a column before suggesting a refactor. Upstream and downstream traversal in one call. No more "I renamed it and the report broke."

Pipeline inspection

Read pipeline source SQL, check run status, review schedules, and get a workspace overview. The assistant can triage a failed run, read the source, validate the failing statement, and propose a fix.

Trust model

The MCP server is a thin adapter over the same control plane your humans use. The same RBAC, the same audit log, the same scoped-token model.

RBAC on tool calls

If a role cannot SELECT a column, the model cannot either. No second permission system to configure or keep in sync with the main one.

Scoped tokens

Issue per-agent tokens with explicit tool allow-lists, schema scopes, and expiration. A read-only agent literally cannot reach DROP, INSERT, or pipeline mutation.

Tool-call audit logging

Tool name, arguments, identity, and outcome land in the same audit log as human queries. Reconstruct exactly what an agent saw and did.

Runs in your network

The MCP server runs inside your DeltaForge deployment. The model provider receives prompts and tool results, not your storage credentials or raw table data.

Wire it up in one command

Install delta-forge-mcp, then run one install command per tool. It writes the config to Claude Desktop, Cursor, or Codex automatically.

# Install
brew install delta-forge-mcp

# Wire into your AI tools
delta-forge-mcp install claude
delta-forge-mcp install cursor
delta-forge-mcp install codex

# Claude Desktop config written automatically:
# { "mcpServers": { "deltaforge": { "command": "delta-forge-mcp" } } }

Frequently asked questions

Short answers to the questions teams ask before wiring an AI assistant into their lakehouse

Is there an MCP server for Delta Lake?

Yes. DeltaForge ships delta-forge-mcp, a built-in Model Context Protocol server for Delta Lake and Iceberg tables. One install command wires it into Claude Desktop, Cursor, or Codex, and the assistant gets catalog discovery, SQL validation, lineage, and pipeline inspection.

How do AI agents query a lakehouse safely?

Through tools the engine governs. Every MCP tool call passes the same RBAC checks as a human query, scoped tokens limit which tools and schemas an agent can reach, and every call lands in the audit log. The agent cannot overreach regardless of how it is prompted.

Does the model provider see my data or credentials?

No. The MCP server runs inside your DeltaForge deployment. The model provider receives prompts and tool results, never your storage credentials, and never raw table contents beyond what a tool result deliberately returns.

Why typed tools instead of one execute_sql tool?

A single execute_sql wrapper forces the assistant to invent SQL against tables it has never seen. Purpose-built tools give it typed catalog metadata, exact parser errors with line and column, lineage edges, and pipeline source, so its answers are grounded in your real schema.

Further reading

Hands-on guides to the SQL your assistant will be writing through these tools

MERGE, UPDATE and DELETE on Delta Lake Without Spark

Full DML on Delta tables in plain SQL: exactly the statements an assistant can draft, validate, and lineage-check through the MCP tools.

Run Cypher on Parquet and Delta Tables Without Neo4j

Graph queries over lakehouse tables, another surface the catalog and validation tools expose to your AI assistant.

Delta Lake Change Data Feed in SQL

Row-level change tracking in SQL, useful when an agent needs to reason about what changed in a table and when.

Give your AI assistant a job, not a sandbox

Install delta-forge-mcp and Claude, Cursor, or Copilot can work against your actual catalog under your existing access controls.