<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sandesh Tiwari</title>
    <description>The latest articles on DEV Community by Sandesh Tiwari (@sandeshtiwari).</description>
    <link>https://dev.to/sandeshtiwari</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4032533%2F2f786221-9111-4bf9-a06e-12a70cb84ee1.jpg</url>
      <title>DEV Community: Sandesh Tiwari</title>
      <link>https://dev.to/sandeshtiwari</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sandeshtiwari"/>
    <language>en</language>
    <item>
      <title>Let AI agents use production data without handing them your database</title>
      <dc:creator>Sandesh Tiwari</dc:creator>
      <pubDate>Thu, 16 Jul 2026 17:09:00 +0000</pubDate>
      <link>https://dev.to/sandeshtiwari/let-ai-agents-use-production-data-without-handing-them-your-database-24en</link>
      <guid>https://dev.to/sandeshtiwari/let-ai-agents-use-production-data-without-handing-them-your-database-24en</guid>
      <description>&lt;p&gt;Hi Devs,&lt;/p&gt;

&lt;p&gt;If you’ve connected an AI agent to a real database, you’ve probably felt the discomfort of the default approach: handing the model an &lt;code&gt;execute_sql(sql)&lt;/code&gt; tool.&lt;/p&gt;

&lt;p&gt;Read-only roles, SQL validation, allowlists, and prompt instructions all help. But they still give the model raw database authority and then try to constrain it.&lt;/p&gt;

&lt;p&gt;I wanted the opposite: a boundary where the model never receives that authority in the first place.&lt;/p&gt;

&lt;p&gt;So I built &lt;strong&gt;Synapsor Runner&lt;/strong&gt;, an Apache-2.0 runtime that sits between an MCP client and PostgreSQL or MySQL. Instead of exposing SQL, it exposes reviewed semantic capabilities such as:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;billing.inspect_invoice
billing.propose_late_fee_waiver
support.propose_plan_credit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Try it in 10 seconds
&lt;/h2&gt;

&lt;p&gt;No database. No signup.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx &lt;span class="nt"&gt;-y&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; @synapsor-runner audit &lt;span class="nt"&gt;--example&lt;/span&gt; dangerous-db-mcp
npx &lt;span class="nt"&gt;-y&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; @synapsor-runner demo &lt;span class="nt"&gt;--quick&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The audit flags risky MCP tool shapes, such as raw SQL execution.&lt;/p&gt;

&lt;p&gt;The quick demo walks through the &lt;strong&gt;proposal → evidence → replay&lt;/strong&gt; boundary. It explains and records that boundary; it does not claim to test a live database.&lt;/p&gt;

&lt;h2&gt;
  
  
  The idea in one line
&lt;/h2&gt;

&lt;p&gt;The model can read only the columns and rows that a contract allows. It can propose changes, but the model-facing MCP surface contains &lt;strong&gt;no approve tool and no apply tool&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Commit authority lives entirely outside the model loop.&lt;/p&gt;

&lt;p&gt;Everyone does allowlists. The part I care about is that there is literally no tool the model can call to write.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters
&lt;/h2&gt;

&lt;p&gt;This does not stop prompt injection.&lt;/p&gt;

&lt;p&gt;What it does is contain the blast radius when injection—or simply a confused model—happens.&lt;/p&gt;

&lt;p&gt;In my testing, I put a fleet of real LLM agents on one server. Several were given injection tasks such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“Read the other tenant’s data.”&lt;/li&gt;
&lt;li&gt;“Ignore the budget.”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The result:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;0 cross-tenant reads&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;0 unauthorized writes&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That was not because the models resisted the prompts. It was because the boundary was enforced outside the models.&lt;/p&gt;

&lt;p&gt;This is the same class of failure demonstrated in the recent Supabase MCP token-exfiltration example: a model is tricked into running attacker-controlled SQL. If there is no SQL tool and no commit tool to reach, that path closes.&lt;/p&gt;

&lt;h2&gt;
  
  
  How the boundary works
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Scoping
&lt;/h3&gt;

&lt;p&gt;Tenant scope, allowed columns, and allowed rows are fixed by the reviewed contract and trusted server-side context.&lt;/p&gt;

&lt;p&gt;That context is bound outside the model’s arguments, never supplied through a tool parameter.&lt;/p&gt;

&lt;p&gt;The model cannot widen what it sees.&lt;/p&gt;

&lt;h3&gt;
  
  
  Proposals, not mutations
&lt;/h3&gt;

&lt;p&gt;A proposal records the requested before-and-after state but does not modify the source database.&lt;/p&gt;

&lt;p&gt;Approval and writeback happen outside MCP.&lt;/p&gt;

&lt;h3&gt;
  
  
  Guarded writeback
&lt;/h3&gt;

&lt;p&gt;When an approved proposal is applied, Runner rechecks:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Trusted tenant scope&lt;/li&gt;
&lt;li&gt;Target row&lt;/li&gt;
&lt;li&gt;Allowed columns&lt;/li&gt;
&lt;li&gt;Expected row version&lt;/li&gt;
&lt;li&gt;Operation bounds&lt;/li&gt;
&lt;li&gt;Idempotency&lt;/li&gt;
&lt;li&gt;Affected-row limits&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A stale row becomes a conflict instead of a silent overwrite.&lt;/p&gt;

&lt;p&gt;Every apply operation is recorded with a receipt and replay linkage.&lt;/p&gt;

&lt;h3&gt;
  
  
  Ledger
&lt;/h3&gt;

&lt;p&gt;By default, activity is stored in a local SQLite ledger.&lt;/p&gt;

&lt;p&gt;A shared PostgreSQL runtime store is also available for multi-process deployments.&lt;/p&gt;

&lt;h2&gt;
  
  
  Tiered auto-approval
&lt;/h2&gt;

&lt;p&gt;Not every change needs a human.&lt;/p&gt;

&lt;p&gt;A contract can define tiered auto-approval for small, low-risk proposals:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="n"&gt;AUTO&lt;/span&gt; &lt;span class="n"&gt;APPROVE&lt;/span&gt; &lt;span class="k"&gt;WHEN&lt;/span&gt; &lt;span class="n"&gt;amount_cents&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="mi"&gt;2500&lt;/span&gt;
&lt;span class="k"&gt;LIMIT&lt;/span&gt; &lt;span class="mi"&gt;20&lt;/span&gt; &lt;span class="n"&gt;PER&lt;/span&gt; &lt;span class="k"&gt;DAY&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Policies can also define aggregate value ceilings.&lt;/p&gt;

&lt;p&gt;When a proposal exceeds a rule or budget, it falls back to human review, and the ledger records why.&lt;/p&gt;

&lt;p&gt;Higher-risk capabilities can require approvals from multiple distinct people.&lt;/p&gt;

&lt;p&gt;Policy approval still gives the model no commit authority. A trusted Runner worker performs the guarded write outside MCP.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bounded set writes
&lt;/h2&gt;

&lt;p&gt;For reviewed batch operations:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The selection rule is contract-defined, not model-generated.&lt;/li&gt;
&lt;li&gt;Tenant scope is forced.&lt;/li&gt;
&lt;li&gt;Row and value limits are declared.&lt;/li&gt;
&lt;li&gt;Application is atomic.&lt;/li&gt;
&lt;li&gt;Drift fails closed.&lt;/li&gt;
&lt;li&gt;Receipts record the affected rows.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is not a path to arbitrary &lt;code&gt;UPDATE&lt;/code&gt; statements.&lt;/p&gt;

&lt;h2&gt;
  
  
  Reversible changes
&lt;/h2&gt;

&lt;p&gt;Runner can record a bounded inverse and create a separate compensation proposal.&lt;/p&gt;

&lt;p&gt;Reverting is not rollback or time travel. It is another reviewed proposal that passes through the same approval and writeback boundary.&lt;/p&gt;

&lt;h2&gt;
  
  
  Portable contracts
&lt;/h2&gt;

&lt;p&gt;Contracts are portable JSON documents.&lt;/p&gt;

&lt;p&gt;You can hand-author the JSON or use an optional SQL-like DSL with constructs such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;CREATE AGENT CONTEXT&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;CREATE CAPABILITY&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Approval policies&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The DSL compiles to the same JSON format.&lt;/p&gt;

&lt;p&gt;Either way, contracts can be reviewed and versioned in Git like application code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Explicit limitations
&lt;/h2&gt;

&lt;p&gt;This is a security tool, so I would rather under-claim.&lt;/p&gt;

&lt;p&gt;Synapsor Runner:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Does not make arbitrary SQL safe&lt;/li&gt;
&lt;li&gt;Does not prevent prompt injection&lt;/li&gt;
&lt;li&gt;Does not replace least-privilege database roles&lt;/li&gt;
&lt;li&gt;Does not replace restricted views&lt;/li&gt;
&lt;li&gt;Does not replace row-level security&lt;/li&gt;
&lt;li&gt;Does not replace staging data&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It is a scoped enforcement boundary that limits what a compromised or mistaken model can read, propose, and change.&lt;/p&gt;

&lt;p&gt;The built-in guarded path intentionally excludes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Free-form or model-generated predicates&lt;/li&gt;
&lt;li&gt;&lt;code&gt;UPSERT&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;DDL&lt;/li&gt;
&lt;li&gt;Unbounded writes&lt;/li&gt;
&lt;li&gt;Multi-table transactions&lt;/li&gt;
&lt;li&gt;External side effects&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Those operations need an application-owned executor that is invoked only after approval, with the application retaining ownership of the transaction and security checks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Token-cost benefits
&lt;/h2&gt;

&lt;p&gt;A side benefit is that this approach also tends to use fewer tokens.&lt;/p&gt;

&lt;p&gt;Because the model calls semantic tools instead of writing SQL:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It does not need the database schema in context.&lt;/li&gt;
&lt;li&gt;It does not need table and column dumps.&lt;/li&gt;
&lt;li&gt;It avoids &lt;code&gt;list_tables&lt;/code&gt; and &lt;code&gt;describe_table&lt;/code&gt; round trips.&lt;/li&gt;
&lt;li&gt;It avoids “write SQL → column error → retry” loops.&lt;/li&gt;
&lt;li&gt;Typed arguments can fail before a database round trip.&lt;/li&gt;
&lt;li&gt;Results are bounded by column allowlists and &lt;code&gt;MAX ROWS&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Aggregate reads can return a scalar such as &lt;code&gt;COUNT&lt;/code&gt; instead of sending many rows back into context.&lt;/li&gt;
&lt;li&gt;Approval and writeback happen off-model, so those steps use zero model tokens.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There is a caveat: every capability appears in the model’s &lt;code&gt;tools/list&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;A contract that exposes hundreds of tools to one agent can lose the token savings through tool-definition bloat.&lt;/p&gt;

&lt;p&gt;The real claim is:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Well-scoped contract → net cheaper&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;I would treat that as directional rather than a benchmarked number, but “safer and cheaper per run” appears to hold for the common case.&lt;/p&gt;

&lt;h2&gt;
  
  
  Repository
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://github.com/Synapsor/Synapsor-Runner" rel="noopener noreferrer"&gt;github.com/Synapsor/Synapsor-Runner&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I’m the maintainer, and I would genuinely value feedback from people already connecting MCP clients to real databases:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What workflow did you want to give an agent, but held back because raw SQL or direct API authority felt like too much?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Even a reply such as “this shape wouldn’t fit because…” would be useful.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>database</category>
      <category>agents</category>
    </item>
  </channel>
</rss>
