2026-07-10 · Will Milewski
Nothing watches what your AI agent runs against your database.
Prompt guardrails watch what an agent says. Data proxies were built for humans. We built the missing layer, and open-sourced it.
Teams are handing AI agents access to production databases. It is the fastest way to make an agent useful, and the fastest way to end a quarter early. The agent generates SQL, and something runs it. The question nobody has a good answer for is: what decides whether that query should run at all?
The defenses are the wrong shape
Look at what teams reach for, and where each one stops:
- Prompt guardrails (Lakera, LLM Guard) govern what the model says. They screen prompts and output. They do not stop a valid, destructive
DELETEthe agent decides to run. - Data-access proxies and DB firewalls (Satori, Cyral, Imperva) govern SQL, but they were built for humans and BI tools hitting warehouses, not for an agent hitting your operational database. Heavyweight, enterprise, human-shaped.
- The hand-rolled blocklist, a read replica, a restricted user, a list of banned keywords, is what most teams actually run. A keyword blocklist sails right past a comment-obfuscated subquery. A read replica does not stop read-scope exfiltration or enforce per-agent column policy. And you maintain it forever.
Between "what the agent says" and "data access for humans" is a layer nobody was watching: what an agent does to the database. That is the layer Terminus governs.
Default-deny at the action boundary
Terminus parses the SQL and returns allow, deny, or a safe rewrite, before anything runs. It has no database of its own; every decision comes from the query string, so it is fast and stateless. The posture is default-deny: a query executes only on an explicit allow, and anything Terminus is unsure about is denied.
Run it as the MCP server your agent calls, and the guarantee becomes structural. The agent
gets two tools, query and execute, and never a database connection
string. The executor alone holds credentials and runs nothing the policy engine did not
already allow. There is no bypass to find, because there is no other door. A denied query
comes back with a policy-compliant rewrite, re-validated through the same engine, so the agent
keeps working instead of failing blind. And every decision lands in a tamper-evident,
independently verifiable audit chain, with the raw SQL never stored, only a keyed digest.
We measured it, and we show our work
We ran the same model through the same adversarial scenarios twice: once against a direct database connection, once with Terminus as its only path to the data. An attack counted only when real database state changed or a seeded secret appeared in a result, never from what the agent said.
Terminus took attack success from 46.7% to 0.0%, and raised benign-task completion from 83% to 100%.
That benign number matters as much as the attack number: a control that blocks attacks by blocking everything is useless. Zero of 3,126 SQL-injection payloads from a pinned third-party corpus reached the database. The testing is first-party, and we say so; what makes it checkable is that every figure reproduces from a few commands. The full method is in the efficacy brief.
Why open source
A security control you cannot read is a security control you cannot trust. So the enforcement core is free and open under AGPL-3.0: the sidecar, the MCP enforcement point, the policy engine, per-agent identity, remediation, and the local verifiable audit chain. Self-host it, audit it, put it in your critical path without depending on us to stay up.
Where we are going: a control plane that learns what each agent actually accesses and tightens its least-privilege policy for you, so you stop hand-writing and maintaining it, plus central approvals and an audit witness that routes to your own SIEM. That is the commercial layer, and it is on the roadmap. The core is here today.
Try it, or try to beat it
The repo is on GitHub. If you can get a query past the enforcement, that is the most useful thing you could send us, disclose it responsibly and we will fix it in the open. And if your team is giving an agent write access to a production database, we are taking a small number of design partners: [email protected].
Default-deny. Fail-closed. Provable.