1 comments

  • dimitarst an hour ago

    Author here - as people wire AI agents directly to their databases they usually connect their agents with one super user, not the right for the person using the agent.As result the agent creates a valid SELECT that can return rows the user wasn't allowed to see.

    The other alternative is a limited account with the user visibility, who doesn't have an idea there is another data outside of it's view and confidently answers with incomplete data presented as complete.

    No SQL injections, no errors, just confident but terribly wrong answer build from wrong data.

    Prompts don't fix this - they are requests rather than control layer. So this is a deterministic, LLM-free guard built over sqlglot. It parses the generated SQL, resolves the columns to their DB tables, check tables/columns access based on user's role (deny-by-default), injects filters, and rewrites or refuses before query runs. The agent still sees the whole catalog, so it can say "cost data exists, but it's outside your access" instead of mislabeling revenue as profit. But only executes what's permitted.

    The part that makes this solid are the tests.

    Honest caveats: this solution makes SQL access safe. Analytical correctness is another topic, not touched here.

    Would love to read your feedback.