Interdict: A Postgres Safety Layer Against Rogue AI Agents
Interdict simulates risky SQL writes from AI agents before execution, measures exact blast radius, makes changes undoable, and blocks unsafe statements without human approval.
Interdict addresses a risk that emerges as AI agents gain direct write access to production databases: role-based permissions can tell you whether an action is allowed, but not how much data it will touch or whether it can be undone. Interdict sits as an MCP-based safety layer in front of Postgres, parsing every statement with a real Postgres AST parser (not regex), simulating risky writes in a throwaway transaction to report the exact row count affected, and holding them for human approval before execution.
Approved writes are automatically made reversible, while writes that can't be safely recorded are blocked outright. Every blocked statement comes with a machine-readable reason and a suggested fix so the agent can self-correct and retry. Approvals happen through a terminal command rather than the chat interface, ensuring the operator token never reaches the agent.
On performance, the hot-path overhead is kept in the microsecond range (2.6 µs p50, 2.7 µs p99), targeting near-zero added latency compared to raw asyncpg, with CI failing any build exceeding 5 ms p99. Among 343 automated tests are concurrency race tests, fault injection (connection drops, timeouts, audit log failures), and evasion attacks (comments, casing, encoding tricks) — reported at 0% missed dangerous statements and 0% false blocks across the test corpora.
The project is still a developer preview; the maintainers recommend using a least-privilege Postgres role and reviewing policy files before pointing it at production data. Simulation and undo cannot reverse external side effects such as triggers or sequence consumption, so those write shapes are blocked by default.