InterceptAI · open source
Your AI agent should not hold a database connection. Terminus does, and decides what every query is allowed to run. An open-source, default-deny MCP server (or HTTP sidecar): per-agent identity, a verifiable audit trail, and a safe rewrite when it says no. Guard what your agents do, not just what they say.
Default-deny on every query. Allow, deny, or a safer rewrite, before anything runs.
Unbypassable by construction.
Terminus runs as the MCP server your agent calls, exposing only query and execute. The agent never receives a connection string; the executor alone holds credentials and runs nothing the policy engine did not already allow. High-risk writes wait for a human.
Govern the action.
A default-deny policy, schema and column whitelist, and smuggling detection, gated by per-agent identity. Each agent can only run what you allowed it.
Provable, not just logged.
Every decision lands in a tamper-evident, independently verifiable audit chain. Raw SQL is never stored, only a keyed digest. The evidence an EU AI Act or SOC 2 auditor asks for.
Fix, do not just block.
A deny returns a policy-compliant rewrite, re-validated through the same engine, so the agent retries and keeps working instead of failing blind.
A high-risk write does not just get blocked. It gets held for a person, who sees the exact SQL, then approves or denies with a signature.
DELETEs from an AI agent, held on the operator console (running against the live control plane). The operator reveals the actual statement, sees the eight fields they cryptographically sign, and approves one while denying the other. Every decision lands in the verifiable audit chain, attributed to the person who made it.
Read every line. Self-host it. Put it in your critical path without depending on anyone.
The enforcement core is free and open under AGPL-3.0: the sidecar, the MCP enforcement point, the policy engine, per-agent identity, remediation, and the local verifiable audit chain. A security control you cannot read is a security control you cannot trust.
The commercial Terminus control plane is for teams operating this across a fleet. Its first piece runs today: when an agent attempts a high-risk write, the control plane holds it for a human, who reviews the exact statement and approves or denies it with a cryptographic signature, and every decision is recorded in the audit chain attributed to that operator (shown above). Still ahead on the roadmap: a least-privilege autopilot that learns each agent's access and tightens its policy for you, and an audit witness that routes to your own SIEM.
Design partner program
It is early. The first design partner is free.
If your team is giving an AI agent broad-read or write access to a production database, put Terminus in front of it and see what it catches. Free, in exchange for public feedback and a few warm intros.