<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Leo David</title>
    <description>The latest articles on DEV Community by Leo David (@leodavidsec).</description>
    <link>https://dev.to/leodavidsec</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4017417%2F495cd5fe-5b76-46e1-a98e-311a0a5691b7.jpg</url>
      <title>DEV Community: Leo David</title>
      <link>https://dev.to/leodavidsec</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/leodavidsec"/>
    <language>en</language>
    <item>
      <title>Your AI agent has the same database access you do. That's the problem.</title>
      <dc:creator>Leo David</dc:creator>
      <pubDate>Mon, 06 Jul 2026 16:07:18 +0000</pubDate>
      <link>https://dev.to/leodavidsec/your-ai-agent-has-the-same-database-access-you-do-thats-the-problem-2go6</link>
      <guid>https://dev.to/leodavidsec/your-ai-agent-has-the-same-database-access-you-do-thats-the-problem-2go6</guid>
      <description>&lt;p&gt;Give an AI agent access to your systems and it inherits your permissions —&lt;br&gt;
all of them. It can read every customer record, delete every product,&lt;br&gt;
send every email, issue every refund. Not because it's malicious. Because&lt;br&gt;
it's authenticated, it's authorized, and nothing between the agent and your&lt;br&gt;
data asks the one question that matters:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;"Is this specific action safe to run, right now?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Your identity provider already checked &lt;em&gt;who&lt;/em&gt; the agent is. Your guardrails&lt;br&gt;
already checked whether the &lt;em&gt;prompt&lt;/em&gt; was toxic. But a perfectly&lt;br&gt;
authenticated agent, with legitimate permissions and a clean prompt, can&lt;br&gt;
still run the equivalent of &lt;code&gt;DELETE FROM products&lt;/code&gt; — and every layer you&lt;br&gt;
have says "looks fine."&lt;/p&gt;

&lt;p&gt;That gap is what we built &lt;a href="https://github.com/Reeflex-io/reeflex" rel="noopener noreferrer"&gt;Reeflex&lt;/a&gt;&lt;br&gt;
to close. It's open source (Apache-2.0), it runs in front of your&lt;br&gt;
resources, and its entire base policy is five rules you can read in about&lt;br&gt;
a minute.&lt;/p&gt;
&lt;h2&gt;
  
  
  The five rules
&lt;/h2&gt;

&lt;p&gt;An agent wants to do something. Reeflex turns that action into a small,&lt;br&gt;
boring description — what verb, how many things, reversible or not, does it&lt;br&gt;
leave the system — and runs it past five rules:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;R1 — reads pass.&lt;/strong&gt; Looking at internal data is allowed. The gate stays
out of the way for the overwhelming majority of actions, which are
harmless.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;R2 — big irreversible changes in production wait for a human.&lt;/strong&gt;
Force-deleting a broad batch of products in production doesn't get
blocked forever; it gets &lt;em&gt;held&lt;/em&gt; until a person says yes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;R3 — system-wide destruction is refused outright.&lt;/strong&gt; An irreversible,
systemic change in production — "delete everything" — isn't a thing you
approve. It's a thing you re-scope. It's the one permanent block.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;R4 — everything else is allowed by default.&lt;/strong&gt; If no high-risk axis
matched, the action runs. The gate is a floor for the dangerous cases,
not a tax on the normal ones.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;R5 — the session has a delete budget.&lt;/strong&gt; More on this one below, because
it's the rule that catches the clever attack.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That's the whole policy. No machine-learning risk score, no thousand hidden&lt;br&gt;
signatures — five rules, in plain readable code, that you can audit in the&lt;br&gt;
time it takes to make coffee.&lt;/p&gt;

&lt;p&gt;And one invariant underneath all five: the gate &lt;strong&gt;fails closed&lt;/strong&gt;. If the&lt;br&gt;
decision engine is unreachable — crashed, partitioned, misconfigured —&lt;br&gt;
nothing goes through. A safety layer that fails open is a safety layer you&lt;br&gt;
don't have.&lt;/p&gt;
&lt;h2&gt;
  
  
  The clever attack: death by a thousand small cuts
&lt;/h2&gt;

&lt;p&gt;Here's the rule we're proudest of. Say your policy holds any bulk delete&lt;br&gt;
over 20 items. An agent — misaligned, hijacked, or just confused by a bad&lt;br&gt;
instruction — figures out it can delete 500 products by asking a hundred&lt;br&gt;
times for 5 each. Every single request looks innocent. Under most systems,&lt;br&gt;
all hundred go through.&lt;/p&gt;

&lt;p&gt;Banks have caught this trick for fifty years. It's called &lt;em&gt;structuring&lt;/em&gt;, or&lt;br&gt;
&lt;em&gt;smurfing&lt;/em&gt;: breaking one suspicious transaction into many small ones to&lt;br&gt;
slip under the reporting threshold. Reeflex borrows the countermeasure&lt;br&gt;
directly — R5 keeps a &lt;strong&gt;cumulative budget per session&lt;/strong&gt;. The hundredth&lt;br&gt;
batch of five trips the same limit the single batch of 500 would have.&lt;br&gt;
Fragmenting a dangerous action buys the attacker exactly nothing.&lt;/p&gt;

&lt;p&gt;We keep saying the policy is readable, so here is R5 — the entire&lt;br&gt;
fragmentation guard, verbatim from the repo:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight rego"&gt;&lt;code&gt;&lt;span class="c1"&gt;# R5: session delete budget — fragmentation resistance.&lt;/span&gt;
&lt;span class="n"&gt;r5_require_approval_budget&lt;/span&gt; &lt;span class="n"&gt;if&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;prior_deletes&lt;/span&gt; &lt;span class="o"&gt;:=&lt;/span&gt; &lt;span class="n"&gt;object&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;input&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"cumulative"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"count_by_verb"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"delete"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;prior_deletes&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;input&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;magnitude&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;count&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;delete_session_budget&lt;/span&gt;
    &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;input&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;approval&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;present&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Prior deletes this session, plus this batch, against one budget. That's the&lt;br&gt;
whole trick — and it's the kind of code an auditor can actually sign off&lt;br&gt;
on.&lt;/p&gt;

&lt;p&gt;None of these rules are invented. Each one is a decades-old safety&lt;br&gt;
principle pointed at a new target: change management (R2), safety&lt;br&gt;
engineering (R3), transaction thresholds and fraud velocity checks (R5).&lt;br&gt;
New rules for a new domain; old, proven ideas underneath.&lt;/p&gt;
&lt;h2&gt;
  
  
  What it deliberately does NOT catch
&lt;/h2&gt;

&lt;p&gt;This is the part most security tools won't tell you, so here it is first:&lt;br&gt;
&lt;strong&gt;the base policy does not catch everything, and any tool that claims it&lt;br&gt;
does is lying.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An agent reading 10,000 customer records is just a read. R1 allows it.
That's exfiltration, and the base rules don't see it. (A mass-read guard
is a natural extension — but it's not on by default, and we won't pretend
it is.)&lt;/li&gt;
&lt;li&gt;Publishing one product at the wrong price is a single, reversible edit.
Allowed. Correctness of content isn't something impact rules can judge.&lt;/li&gt;
&lt;li&gt;A patient attacker rotating across sessions dilutes the per-session
budget.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The five rules govern &lt;em&gt;structural, destructive impact&lt;/em&gt;, and they do it&lt;br&gt;
well. They are a strong floor, not a ceiling. The policy is plain code —&lt;br&gt;
extend it in an afternoon.&lt;/p&gt;

&lt;p&gt;We think saying this out loud is the whole point. A gate you can't inspect&lt;br&gt;
isn't a gate you can trust.&lt;/p&gt;
&lt;h2&gt;
  
  
  The other half: nothing happens in the dark
&lt;/h2&gt;

&lt;p&gt;Two things make the rules usable in real life instead of just correct on&lt;br&gt;
paper.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Observe mode.&lt;/strong&gt; Turn Reeflex on and it changes nothing — it watches. Every&lt;br&gt;
action gets a verdict written to the audit log, but everything still runs.&lt;br&gt;
You get a report of what &lt;em&gt;would&lt;/em&gt; have been held or denied, on your real&lt;br&gt;
traffic, before you enforce a single thing. Install it on a Monday, read&lt;br&gt;
what your agents actually did all week, then flip enforcement on with&lt;br&gt;
thresholds you've already tuned.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The decision is yours.&lt;/strong&gt; When a rule says "wait for a human," Reeflex&lt;br&gt;
doesn't make the second call — it hands you the decision, with the context&lt;br&gt;
to make it in five seconds. A human approves it (HITL), or an agent &lt;em&gt;you&lt;br&gt;
designate&lt;/em&gt; does — a private model, a supervisor agent, your call, never the&lt;br&gt;
agent that raised the hold. We call that pattern&lt;br&gt;
&lt;a href="https://github.com/Reeflex-io/reeflex/blob/main/docs/why-reeflex.md#ail" rel="noopener noreferrer"&gt;AIL — agent-in-the-loop&lt;/a&gt;.&lt;br&gt;
Or your existing approval workflow does it. We flag; you rule. And every&lt;br&gt;
handover is recorded: who approved what, when, under which rule. That&lt;br&gt;
record happens to be exactly the evidence an auditor asks for.&lt;/p&gt;

&lt;p&gt;The decision path itself has &lt;strong&gt;zero LLM in it.&lt;/strong&gt; Same action in, same&lt;br&gt;
verdict out, every time. We're not using AI to police AI — the whole point&lt;br&gt;
is a layer that's boring, deterministic, and explainable.&lt;/p&gt;
&lt;h2&gt;
  
  
  Try it in thirty seconds — no install
&lt;/h2&gt;

&lt;p&gt;We run a public evaluation endpoint with a public token. This is a real&lt;br&gt;
engine making a real decision — an agent trying to hard-delete 50 items in&lt;br&gt;
production:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-s&lt;/span&gt; https://api-dev.reeflex.io/v1/decide &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s1"&gt;'content-type: application/json'&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s1"&gt;'authorization: Bearer reeflex-eval-public-2026'&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="s1"&gt;'{"action":{"verb":"delete","ability":"wordpress/delete-post"},
       "axes":{"reversibility":"irreversible","blast_radius":"broad","externality":"internal"},
       "magnitude":{"count":50},
       "target":{"environment":"production"},
       "agent":{"session_id":"sess-devto"}}'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"decision"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"require_approval"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"rule"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"reeflex.policy/irreversible_broad_prod"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"reason"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"irreversible broad change in production requires human approval"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(Response trimmed for readability — the live one also carries a &lt;code&gt;hold_id&lt;/code&gt;&lt;br&gt;
and an expiry timestamp. That's not decoration: the engine just created a&lt;br&gt;
real, resolvable hold you could approve through the API.)&lt;/p&gt;

&lt;p&gt;The gate is free forever. Everything that keeps you safe — the engine, the&lt;br&gt;
five rules, human approval, observe mode, the kill switch, audit, SIEM&lt;br&gt;
export — is open source and always will be.&lt;/p&gt;

&lt;p&gt;What's covered &lt;strong&gt;today&lt;/strong&gt;: Claude Code (every tool call, via a PreToolUse&lt;br&gt;
hook), WordPress/WooCommerce (a standard plugin), and n8n workflows.&lt;br&gt;
Database and GraphQL adapters are on the roadmap — and the adapter contract&lt;br&gt;
is a public spec, so you don't have to wait for us.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install &lt;/span&gt;reeflex-claude      &lt;span class="c"&gt;# governs a Claude Code agent&lt;/span&gt;
npm i n8n-nodes-reeflex         &lt;span class="c"&gt;# a gate node for your n8n workflows&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run your own engine with one &lt;code&gt;docker compose up&lt;/code&gt;, or start against the&lt;br&gt;
public endpoint above. See how it all fits together at&lt;br&gt;
&lt;a href="https://reeflex.io" rel="noopener noreferrer"&gt;reeflex.io&lt;/a&gt;, and the code is on GitHub at&lt;br&gt;
&lt;a href="https://github.com/Reeflex-io/reeflex" rel="noopener noreferrer"&gt;github.com/Reeflex-io/reeflex&lt;/a&gt;.&lt;br&gt;
Break it, fork it, tell us where the rules are wrong. The clone that&lt;br&gt;
improves the rules is a clone that improves the standard — and that's a&lt;br&gt;
trade we'll take every time.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Reeflex — a seatbelt for the AI acting on your systems.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>opensource</category>
      <category>sre</category>
    </item>
  </channel>
</rss>
