A text-to-SQL agent generates destructive production SQL.
database.query DELETE FROM customersallow reads; require approval for bounded writes; deny destructive deletes and DDL
capfence replay db-audit.jsonl --policy policies/database.yamlactor, query class, payload hash, environment, matched rule
A text-to-SQL style workflow maps generated requests into coarse database capabilities before dispatch.
CapFence sits in the adapter before the database connection and evaluates coarse request class, environment, and approval state.
Read-only work can proceed while configured writes or schema changes are denied or approval-gated. Serious SQL enforcement still needs database-native controls.
Operational Pattern 04: Database Write & Schema-Change Boundary
Text-to-SQL agents can generate destructive queries. CapFence evaluates the request class before the database connection executes it.
Threat
An analytics agent generates destructive production SQL.
database.query DELETE FROM customersRequest
actor: analytics-agent
capability: database.query.production
payload: {"sql": "DELETE FROM customers"}
environment: productionPolicy
deny:
- capability: database.query.production
contains: "DROP TABLE"
- capability: database.query.production
contains: "DELETE FROM"
require_approval:
- capability: database.write.production
allow:
- capability: database.read.productionDecision
decision: DENY
reason: destructive_sql_pattern
query_executed: falseThe database connection does not receive the denied query.
Replay
capfence replay db-audit.jsonl --policy policies/database.yamlUse replay to test whether candidate SQL rules would block prior generated queries.
Audit
Record actor, query class, payload hash, environment, matched rule, decision, and replay identifier.
What CapFence does not solve
CapFence is not a full SQL firewall or query optimizer. Keep database-native permissions, transaction controls, backups, and query review in place.