AI agents are being pointed at production databases. The safe way to do that is not trust, it is a gatekeeper: one identity that can reach the data, running policy over every statement, writing every verdict to a ledger nobody can quietly edit. Try it below.
The rule here is the smallest useful policy: reads pass, writes and DDL are refused, and both outcomes are recorded. The production version does much more (schema scoping, row limits, PII masking), but the shape never changes: policy first, database second, ledger always.
The demo above is the policy alone. In the real stack, the policy lives in a gateway container that owns the only credential with access to the data platform. Agents, notebooks and BI tools hold no database identity at all. Whatever they want, they ask the gateway, and the gateway answers with an allow, a refusal, or a rewritten, bounded query.
The identity wiring is the part most setups skip, so I wrote it as a Terraform module: a Microsoft Fabric workspace where the gateway's service principal is the only granted data role, secret rotation and the audit sink included, honest documentation of what the preview provider cannot enforce yet. The module goes public alongside a live walkthrough.
The standards half: a SQL reviewer with 38 rules and 149 tests that catches the mistakes before they ship. 500+ downloads a month.
Reviewed a maintainer's data-redaction PR in a reverse-ETL tool: two verified findings (a bucket-name leak and an unstable node id), both fixed same day, my handle in the fix commit.
Contributions merged into Apache Superset, sqlglot, Open Food Facts and a dozen other data tools. Small fixes, real users.