{"slug": "i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-a", "title": "I built a personal \"Agentic OS\" that runs my DBA work — with approval gates, audit trails, and a $0.01 morning brief", "summary": "An Oracle Apps DBA built a personal 'Agentic OS' that runs AI agents for database administration work with approval gates, audit trails, and cost accounting. The system enforces trust via tool tiers (read, write, spend, prod-touch) and a kernel that gates actions based on tier, not model output. A live test caught a real security hole where a lazy prefix rule would have allowed a SQL DELETE command through, which was then fixed and added as a regression test.", "body_md": "I'm an Oracle Apps DBA. My whole job is built on one instinct: **nothing touches a production system without me knowing exactly what it's about to do.**\n\nSo when I started building AI agents to run my daily work, I refused to do the usual thing — hand a model a shell and hope. Instead I spent the time building a small operating system around the agents. Here's what came out of it.\n\n*(2-min demo: launching a live DB diagnostic, watching the agent think in real time, and the moment an agent tries to write a file and gets frozen by the approval gate.)*\n\nSix agents (\"skills\"), each a folder with a manifest and a prompt:\n\nAdding a skill = dropping in a folder:\n\n```\n# skills/ebs-dba/manifest.yaml\nname: ebs-dba\ndescription: Read-only Oracle/EBS diagnostics - reports findings only\ntriggers: [awr, top sql, blocking, tablespace]\nmodel: claude-opus-4-8\ntools: [oracle-dba.*]        # glob allowlist against MCP tools\nrisk: read-only              # read-only | write | spend | prod-touch\nrequires_approval: false\nschedule: null               # or a cron expression\n```\n\nThe AI was the easy part. The trust model is the product.\n\nEvery tool registers with a **tier**: `read`\n\n, `write`\n\n, `spend`\n\n, or `prod-touch`\n\n. The kernel enforces gates **from the tier — never from anything the model says**:\n\n`read`\n\nruns automatically (all Oracle tools register as read; there is `npm run build`\n\ncan never be replayed as `rm -rf`\n\nThe tier of a shell command is decided per-call:\n\n``` php\n# \"git status\", \"pytest\", \"npm run build\"  -> read, runs free\n# \"vercel --prod\", \"terraform apply\"       -> spend, hard gate\n# anything else                            -> write, gated\n# sqlite3 is allowed only if the SQL is SELECT-only:\nif cmd.startswith(\"sqlite3 \") and \"select\" in cmd.lower() \\\n        and not SQLITE_WRITE_RE.search(cmd):\n    return Tier.READ\n```\n\nFun fact: my first live test caught a real hole here. The model ran `sqlite3 -header -column ...`\n\n— flags I hadn't anticipated — and a lazy prefix rule I'd written would have let a `DELETE`\n\nthrough unprompted. The test suite now has a regression case for it. **Live runs find what unit tests don't.**\n\nEvery run writes to SQLite *and* a per-run JSONL file: every model turn, every tool call with arguments and duration, every approval decision, and the token cost accumulating turn by turn.\n\n``` bash\n$ agentos runs\n  20260705-0027  daily-brief   done   6264/723 tokens   $0.0099\n  20260705-0022  research      done   115606/3411       $0.6633\n  20260705-0020  patch-triage  done   25647/3659        $0.2197\n```\n\nThat research run cost 66 cents — and I know it to four decimal places, because an agent platform without cost accounting is a platform you'll turn off the first time a bill surprises you.\n\nA FastAPI app on localhost (single HTML file, zero CDNs, nothing leaves the machine) that tails the audit log over SSE. Launch a run from any terminal and you watch it think live in the browser: MCP server connects, the actual SQL it ran, the cost ticking up, and — when it hits a gate — a red approval card with the dry-run JSON and approve/deny buttons.\n\n`uv`\n\n— anthropic, mcp, typer, apscheduler, fastapi, pyyaml, rich`mcp-oracle-dba`\n\nserver plugs in with one YAML entryThe current version answers when asked and runs on schedule. The next one **notices things on its own**: a sentinel loop polling a live database every few seconds — blocking sessions, tablespace pressure, concurrent-request backlogs — that triggers an investigation agent automatically and delivers a root-cause report before I'd have opened a terminal. Real database, real locks, zero prompts typed.\n\nThat's the next post. If you've built approval gates or agent audit trails differently, I'd genuinely like to hear how — this pattern feels like something we should be converging on as an industry.\n\n*Questions about the permission model or the MCP wiring? Ask below — I'll answer everything.*", "url": "https://wpnews.pro/news/i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-a", "canonical_source": "https://dev.to/rkondoju/i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-trails-and-a-521f", "published_at": "2026-07-12 14:35:53+00:00", "updated_at": "2026-07-12 14:45:33.188887+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-infrastructure", "developer-tools"], "entities": ["Oracle", "Claude", "MCP", "FastAPI", "SQLite"], "alternates": {"html": "https://wpnews.pro/news/i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-a", "markdown": "https://wpnews.pro/news/i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-a.md", "text": "https://wpnews.pro/news/i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-a.txt", "jsonld": "https://wpnews.pro/news/i-built-a-personal-agentic-os-that-runs-my-dba-work-with-approval-gates-audit-a.jsonld"}}