A safe way to let coding agents interact with your database (without prod write access)
Posted by National_Purpose5521@reddit | programming | 15 comments
A lot of teams try to make coding agents safe by blocking SQL writes, adding command allowlists, or inserting approval dialogs.
In practice, this doesn’t work.
If an agent has any general execution surface (shell, runtime, filesystem), it will eventually route around those restrictions to complete the task. We’ve repeatedly seen agents generate their own scripts and modify state even when only read-only DB tools were exposed.
I put together a tutorial showing a safer pattern:
- isolate production completely
- let agents operate only on writable clones
- require migrations/scripts as the output artifact
- keep production updates inside existing deployment pipelines
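The four steps above, carried through end to end as an added example (this is not code from the post or from the linked tutorial). It uses SQLite so it runs offline: a constructed "production" file is cloned into a throwaway directory, a stand-in for the agent is handed only the clone path and may change it freely, the one artifact that leaves the sandbox is the migration text, and the run finishes by proving production unchanged via a file hash. All function and variable names (`clone_db`, `run_agent_in_sandbox`, `workflow`, `demo`) and the sample schema and migration are assumptions made for the example.

```python
"""Added example (not from the original post or the linked tutorial).

Writable-clone + migration-artifact workflow, demonstrated with SQLite:
  1. production is isolated: the agent step never receives the prod path;
  2. the agent works only on a copy of the data;
  3. its output artifact is a migration script (text), not a live change;
  4. the migration is verified on the clone, and production is shown
     untouched by comparing a SHA-256 of the file before and after.
Names and sample data below are constructed for the example.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def sha256_file(path: str) -> str:
    """Hash the on-disk database file so any write to it would be visible."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def make_prod_db(path: str) -> None:
    """Constructed sample 'production' database with two rows."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT NOT NULL);"
        "INSERT INTO users(email) VALUES ('a@example.com'), ('b@example.com');"
    )
    con.commit()
    con.close()


def clone_db(prod_path: str, workdir: str) -> str:
    """Copy production into the sandbox; only the clone path is ever shared."""
    clone_path = os.path.join(workdir, "clone.db")
    shutil.copyfile(prod_path, clone_path)
    return clone_path


def run_agent_in_sandbox(clone_path: str) -> str:
    """Stand-in for the coding agent. It receives the clone only, may modify it
    however it likes, and returns a migration script as its deliverable.
    The proposed change is a constructed constant here."""
    migration = (
        "ALTER TABLE users ADD COLUMN created_at TEXT;\n"
        "UPDATE users SET created_at = '1970-01-01T00:00:00Z' "
        "WHERE created_at IS NULL;\n"
    )
    con = sqlite3.connect(clone_path)   # writes land on the clone
    con.executescript(migration)
    con.commit()
    con.close()
    return migration


def verify_on_clone(clone_path: str) -> bool:
    """Check that the migration produced the expected schema on the clone."""
    con = sqlite3.connect(clone_path)
    cols = [row[1] for row in con.execute("PRAGMA table_info(users)")]
    con.close()
    return "created_at" in cols


def workflow(prod_path: str) -> dict:
    """Run the clone sandbox and report the artifact plus a prod-untouched proof."""
    before = sha256_file(prod_path)
    workdir = tempfile.mkdtemp(prefix="agent-sandbox-")
    try:
        clone = clone_db(prod_path, workdir)
        migration = run_agent_in_sandbox(clone)   # never sees prod_path
        clone_ok = verify_on_clone(clone)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)   # clone is disposable
    after = sha256_file(prod_path)
    return {
        "migration": migration,          # goes to review + deployment pipeline
        "clone_ok": clone_ok,
        "prod_untouched": before == after,
    }


def demo() -> dict:
    """Build a constructed prod DB in a temp dir, run the workflow, and report
    the production schema afterwards so the reader can see it did not change."""
    d = tempfile.mkdtemp(prefix="prod-")
    prod = os.path.join(d, "prod.db")
    make_prod_db(prod)
    result = workflow(prod)
    con = sqlite3.connect(prod)
    result["prod_columns"] = [r[1] for r in con.execute("PRAGMA table_info(users)")]
    con.close()
    shutil.rmtree(d, ignore_errors=True)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the hash check is that it is independent of whatever tooling the agent was given: even if the sandbox step had shelled out and written a script of its own, the only path it could reach is the clone, and the before/after comparison on the production file makes that verifiable rather than assumed. In a real setup the returned migration text is what gets committed and reviewed, and it reaches production only through the existing deployment pipeline.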
vibecoder012@reddit
My setup right now is kinda mixed: Cursor for bigger work and lighter tools like wozcode for quick experiments. Works better than relying on just one tool, honestly.
bt7two74@reddit
I can’t even trust agents with my local DB, and you guys are here giving agents access to the DB and telling it not to do anything. The other day Gemini tried to drop entire tables on my local DB and recreate everything from memory, and that was when I decided agents are never going near any of my databases, not even local.
National_Purpose5521@reddit (OP)
We are not giving agents access directly to the DB. That’s exactly why Tier 2 talks specifically about a clone, and all changes go through human-reviewed migration scripts; that way your production and even your local DB remain untouched.
Tier 1 is intentionally unsafe to demonstrate how agents can bypass read-only controls.
This tutorial is about safe experimentation, not giving AI free access to databases.
Zeragamba@reddit
Question: What problem are you trying to solve with agents, and can the same problem be solved with a traditional system?
aviboy2006@reddit
My point of view: letting an agent do database write operations feels scary, because even with code itself it sometimes makes many mistakes. I remember when I asked it not to push a specific private file to GitHub, but it still did because of session context loss. I would recommend, if you really want to do this, having some guardrails and a rollback option ready.
ClideLennon@reddit
OMFG, you guys are giving Claude access to your prod databases?
BlueGoliath@reddit
Database? More like vibebase.
National_Purpose5521@reddit (OP)
Haha no - the whole point is that they don’t get prod access. The pattern is about isolating production completely and only letting the agent work against a writable clone, with prod updates going through the normal migration pipeline like any other change.
ClideLennon@reddit
Yeah, I use a dev environment. And I don't even give it access to my dev database. I'm going to run those migrations. I'm going to run those seeds. I can do that. I don't need it to do that for me.
National_Purpose5521@reddit (OP)
Manual control is obviously the safest way.
My tutorial is meant to show a safe workflow when you do want the agent to help and leverage its capabilities, like automating more stuff safely.
It will only touch writable clones, never production, and all changes go through human-reviewed deployment pipelines.
codeserk@reddit
Sounds like yes with extra steps
National_Purpose5521@reddit (OP)
The tutorial ends with the recommendation to avoid even read access to prod. The first section intentionally demonstrates how “read-only” controls fail if execution surfaces exist. The actual pattern is clone + pipeline with zero prod credentials exposed to the agent.
VanillaOk4593@reddit
For secure database interactions with AI agents, https://github.com/vstorm-co/database-pydantic-ai offers a solid SQL toolset for SQLite/PostgreSQL with read-only modes. It's built to be safe and integrates easily. I've used it to avoid any accidental writes in my setups.
asklee-klawde@reddit
Agent security is critical. Read-only replicas are smart, but agents still need write access eventually.
National_Purpose5521@reddit (OP)
Absolutely. Agents eventually need write access to be useful, but the safe way is what Tier 2 shows in the tutorial: let them write to clones, generate reviewed migration scripts, and never touch production credentials.