{"slug": "i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldn-t-wipe", "title": "I gave my AI agent database access. Then I built a firewall so it couldn't wipe prod.", "summary": "A developer built a deterministic outbound firewall for AI agents after watching a LangChain-style agent generate a DROP TABLE command during a cleanup task. The firewall, released as the agentx-security-sdk Python package, intercepts tool calls before execution and uses deterministic pattern-based rules to block destructive actions: destructive SQL, production writes and SSRF attempts. The developer is asking people who run real Python agents for feedback on the dangerous action shapes it misses.", "body_md": "A few months ago I gave an autonomous agent write access to a real database. It was a LangChain-style loop (plan, call a tool, observe, repeat), and one of the tools ran SQL.\n\nIt worked great in the demo. Then I watched it, during a \"clean up the test rows\" task, generate this:\n\n```sql\nDROP TABLE users;\n```\n\nIt didn't run (staging, and I was watching). But the lesson landed: the LLM doesn't know the difference between a destructive command and a safe one until it's already calling the tool. And by then your code is one `cursor.execute()` away from an incident.\n\n**\"AI firewalls\" guard the wrong side**\n\nWhen I went looking for protection, almost everything in the \"LLM security\" space guards the inbound side: prompt injection, jailbreaks, PII in the input. Useful, but it's the wrong end for an autonomous agent. My problem wasn't a malicious prompt. It was a well-meaning agent emitting a catastrophic action.\n\nWhat I actually wanted was a firewall on the outbound side, on the tool calls themselves:\n\n- destructive SQL (DROP TABLE, unscoped DELETE)\n- writes to prod / ALTER ... DROP COLUMN\n- SSRF and cloud-metadata fetches (169.254.169.254)\n- bulk secret / API-key reads\n- runaway retry loops draining your token budget\n\nAnd critically: I wanted the catch to be deterministic. If your safety layer is itself an LLM call, it's slower, costs money, and can be talked out of it. A DROP TABLE should be blocked by a rule, not a vibe.\n\n**The 2-minute version you can run right now**\n\nI ended up building this and putting the SDK on PyPI. Here's the whole thing; it blocks a live DROP TABLE offline, with no API key, using built-in policy seeds:\n\n```bash\npip install agentx-security-sdk\n```\n\n```python\nfrom agentx_sdk import agentx_protect, is_block\n\n@agentx_protect(agent_id=\"demo\")\ndef run_sql(query: str, db_session=None):\n    print(\"EXECUTED (DANGER):\", query)   # never reached: the decorator blocks first\n    return {\"ok\": True}\n\nresult = run_sql(query=\"Please clean up: DROP TABLE users\")\nprint(\"BLOCKED:\", is_block(result))       # -> True, offline, no key\n```\n\nOne decorator on your tool function. The destructive call gets intercepted before your function body runs, and you get a block result back instead. No gateway, no account, no LLM in the hot path; it runs entirely on your machine.\n\n> Note: the package is agentx-security-sdk (import path agentx_sdk), version ≥ 0.3.11.\n\n**How the block works**\n\nThe decorator wraps your tool call and runs the arguments through a layer of deterministic checks before execution: pattern and structural rules for the dangerous action shapes listed above (destructive SQL, prod writes, SSRF targets, secret-store reads, no-progress loops). If a rule trips, the call returns a block instead of executing. No LLM is involved at that floor, which is why it works with no key and adds negligible latency.\n\nThere's more above that floor: it can escalate ambiguous-but-dangerous actions for a human-in-the-loop decision, circuit-break a runaway loop, and reframe and retry the run instead of just dying.\n\n
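To make that floor concrete, below is a small deterministic outbound guard in the same spirit. It is an added example for this page, not the agentx_sdk implementation, and every name in it (guard_tool, is_blocked, Block, the rule ids, the two stand-in tools run_sql and fetch_url) is invented here. It also goes a little past the list above: it treats an unscoped UPDATE like an unscoped DELETE, and it flags any loopback, link-local or private address, not only 169.254.169.254. The tool calls you feed it are constructed inputs; nothing is executed or fetched.

```python
import functools
import ipaddress
import re
from collections import defaultdict, deque
from urllib.parse import urlparse

# Added example, not the agentx_sdk code: a deterministic outbound guard that
# inspects a tool call's arguments before the tool body runs. All names are hypothetical.

class Block(dict):
    'Returned in place of the tool result when a rule trips.'

def is_blocked(result):
    return isinstance(result, Block)

# Rule family 1: destructive SQL. Case-insensitive matching over the raw string the
# agent produced, so 'Please clean up: DROP TABLE users' trips even though it is not valid SQL.
_SQL_RULES = [
    ('sql.drop', re.compile('(?i)(^|[^a-z0-9_])drop +(table|database|schema|index)( |$)')),
    ('sql.truncate', re.compile('(?i)(^|[^a-z0-9_])truncate( +table)? +[a-z0-9_.]')),
    ('sql.alter_drop_column', re.compile('(?i)(^|[^a-z0-9_])alter +table +.*drop +column')),
]
# DELETE FROM t and UPDATE t SET ... are allowed only when a WHERE clause follows.
_DML = re.compile('(?i)(^|[^a-z0-9_])(delete) +from +[a-z0-9_.]+'
                  '|(^|[^a-z0-9_])(update) +[a-z0-9_.]+ +set( |$)')
_WHERE = re.compile('(?i)(^|[^a-z0-9_])where([^a-z0-9_]|$)')

def sql_rule(text):
    'Return the id of the first destructive-SQL rule that matches, else None.'
    for rule_id, pattern in _SQL_RULES:
        if pattern.search(text):
            return rule_id
    m = _DML.search(text)
    if m and not _WHERE.search(text[m.end():]):
        return 'sql.unscoped_' + (m.group(2) or m.group(4)).lower()
    return None

# Rule family 2: SSRF and cloud-metadata fetches. Only literal hosts are judged and
# nothing is resolved, so the check stays offline and deterministic.
_BLOCKED_HOSTS = {'localhost', 'metadata', 'metadata.google.internal'}

def ssrf_rule(text):
    'Return an ssrf.* rule id for http(s) URLs aimed at internal targets, else None.'
    try:
        url = urlparse(text)
    except ValueError:
        return 'ssrf.unparseable'   # fail closed on a URL the parser rejects
    if url.scheme not in ('http', 'https'):
        return None
    host = (url.hostname or '').lower()
    if host in _BLOCKED_HOSTS or host.endswith('.internal'):
        return 'ssrf.internal_hostname'
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None   # public-looking hostname; DNS rebinding is out of scope here
    # 169.254.169.254 is link-local; the rest covers loopback, RFC 1918 and 0.0.0.0.
    if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified:
        return 'ssrf.internal_ip'
    return None

# Rule family 3: no-progress loop. The same (tool, arguments) repeated `limit` times
# in a row for one agent is a stuck loop burning budget, so the circuit is broken.
_RECENT_CALLS = defaultdict(lambda: deque(maxlen=8))

def loop_rule(agent_id, fingerprint, limit=3):
    recent = _RECENT_CALLS[agent_id]
    recent.append(fingerprint)
    tail = list(recent)[-limit:]
    if len(tail) == limit and all(f == fingerprint for f in tail):
        return 'loop.no_progress'
    return None

def guard_tool(agent_id):
    'Decorator: run every string argument through the rules before the tool executes.'
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            strings = [v for v in (*args, *kwargs.values()) if isinstance(v, str)]
            for value in strings:
                for check in (sql_rule, ssrf_rule):
                    rule_id = check(value)
                    if rule_id:
                        return Block(tool=fn.__name__, rule=rule_id, arg=value)
            fingerprint = (fn.__name__, repr(args), repr(sorted(kwargs.items())))
            rule_id = loop_rule(agent_id, fingerprint)
            if rule_id:
                return Block(tool=fn.__name__, rule=rule_id, arg=None)
            return fn(*args, **kwargs)   # only reached when no rule tripped
        return wrapper
    return decorate

@guard_tool(agent_id='demo')
def run_sql(query, db_session=None):   # stand-in for a real SQL tool; nothing executes
    return {'ok': True, 'ran': query}

@guard_tool(agent_id='demo')
def fetch_url(url):   # stand-in for an HTTP tool; nothing is fetched
    return {'ok': True, 'fetched': url}
```

Calling run_sql(query='Please clean up: DROP TABLE users') returns a Block with rule 'sql.drop' and the body never runs, while 'DELETE FROM sessions WHERE expires_at < now()' passes. Two caveats a practitioner would want: these rules are a floor, exactly as the post says. ipaddress rejects non-canonical literals such as 127.1 or the decimal 2130706433, so a URL has to be canonicalized before this check or those spellings walk through, and hostnames are never resolved, so a public name that points at an internal address (DNS rebinding) is not caught. The SQL regexes can likewise be dodged with comments or quoting, which is why the escalation and human-in-the-loop layer described above still matters.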
But the part I want you to be able to verify in 2 minutes without trusting me is the whole point of leading with it.\n\n**Why I'm posting this**\n\nI'm looking for a handful of people running real Python agents, something that touches a live DB, cloud, files, or money, ideally unattended, to run it against their stack and tell me where it's wrong. Not a launch, not a sales pitch. I want to know:\n\n- Does it catch the thing that would've bitten you?\n- What dangerous action shape is it missing?\n\nIf you've ever thought \"what happens when this agent does something irreversible at 2am,\" I'd genuinely like your take.\n\n- Try it live (keyless quickstart): https://bit.ly/agentfirewall\n- Community / tell me what broke: https://discord.gg/PmWR\n- Or just reply here. Bonus points for the war story that made you click.\n\nIf your agent never touches anything irreversible, ignore me. If it does, the repro's two minutes, and DROP TABLE is a bad way to find out the hard way.\n", "url": "https://wpnews.pro/news/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldn-t-wipe", "canonical_source": "https://dev.to/vdalal/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldnt-wipe-prod-83c", "published_at": "2026-06-24 18:46:26+00:00", "updated_at": "2026-06-24 19:09:21.968957+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools", "large-language-models", "artificial-intelligence"], "entities": ["LangChain", "PyPI", "agentx-security-sdk", "agentx_sdk"], "alternates": {"html": "https://wpnews.pro/news/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldn-t-wipe", "markdown": "https://wpnews.pro/news/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldn-t-wipe.md", "text": "https://wpnews.pro/news/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldn-t-wipe.txt", "jsonld": "https://wpnews.pro/news/i-gave-my-ai-agent-database-access-then-i-built-a-firewall-so-it-couldn-t-wipe.jsonld"}}