Natural-language SQL should not go straight from prompt to production query.
The generated SQL may look reasonable.
The database may accept it.
But the plan can still be dangerous:
- full table scan
- accidental cross join
- missing tenant/date filter
- unbounded aggregate
- query touching the wrong approved surface
- estimated rows far above budget
For MCP database servers, I think an explain-plan preflight should be a normal production pattern.
Not because every user wants to read query plans.
Because the system needs a way to catch expensive or suspicious queries before execution, and leave evidence for review when an answer matters.
Longer version: Explain plans for AI database agents
A model can generate SQL. The tool layer should decide whether it is safe enough to run.
Top comments (0)