A Deterministic Guard Stops LLM Agents From SQL Overfetching
An open-source, LLM-free guard checks agent-generated SQL against user roles before execution, preventing text-to-SQL systems from overfetching sensitive data.
LLM-powered text-to-SQL agents typically connect to databases through a single privileged service identity rather than as the actual requesting user, which means a technically valid query can still return data the user was never entitled to see. This project introduces a deterministic, non-LLM guard that parses agent-generated SQL with sqlglot, checks it against the asker's role-based permissions, injects row-level filters, and only then allows execution—rejecting anything it can't verify as safe.
What sets it apart is that the agent retains full visibility into the catalog's metadata, including tables it can't query, allowing it to give honest, appropriately scoped answers labeled FULL, SCOPED, or INCOMPLETE instead of silently mislabeling restricted data. The repo ships with a LangChain-based demo notebook showing three roles receiving correctly different answers to the same question, a 121-test suite—74 of which are red-team bypass attempts—and an MIT license.
For engineers, the significance lies in moving access enforcement for LLM agents out of prompt engineering and into a deterministic, auditable layer outside the model, making it easier to meet security and compliance requirements when deploying LLM-driven data access tools in production.