Knowledge
Everything we've learned, in one place.
Hands-on guides, field-note essays, and honest comparisons from shipping agentic systems against real production databases.
Guides
Build it right, the first time.
OrmAI with Drizzle
Drizzle is the ORM of choice for teams who want type safety without code generation. Here's how to wrap it with OrmAI's policy engine.
OrmAI with Prisma
Wrap your Prisma client with OrmAI's policy engine. Field-level redaction, tenant scoping, and audit logs over Prisma — without changing your schema.
Production checklist for agent + database systems
The 30 things to verify before letting your agent talk to a real database. Compiled from incidents, audits, and three years of shipping.
OrmAI as an MCP server for Claude
Expose OrmAI's policy-enforced tools as a Model Context Protocol server. Drop it into Claude Desktop, Cursor, or any MCP client.
OrmAI with the Vercel AI SDK
Expose OrmAI tools to the Vercel AI SDK so your Next.js / Hono / SvelteKit agent has type-safe, policy-enforced database access.
OrmAI with LangGraph
Wire OrmAI tools into a LangGraph state machine so each node has scoped, audited database access.
Write operations with approval gates
How to let an agent mutate state without losing your nerve. Reason-required writes, two-person approvals, dry runs, and rollback by design.
Query budgets and runaway agents
Bound how much your agent can scan, return, mutate, and spend per minute. The patterns that keep one curious prompt from melting your database.
Audit logs you'll actually trust
What to log, where to put it, and how to query it when the security team asks 'what did the agent do?'
Field-level redaction for PII
Stop your agent from ever seeing what it shouldn't. Mask, hash, or deny columns at the policy level — without touching application code.
Multi-tenant isolation for AI agents
How to enforce tenant scoping for every read and write your AI agent makes — and why doing it any other way leaks data.
Quickstart: OrmAI with FastAPI and SQLAlchemy
Stand up a policy-enforced agent database layer in 5 minutes. SQLAlchemy models, FastAPI endpoints, OrmAI policy, and a working tool call you can hand to Claude or GPT.
Articles
Essays and field notes.
Agent–database anti-patterns: a field guide
Eleven things we see teams do that cause production agent–database incidents, and what to do instead. Compiled from audits and incident reviews.
Choosing between MCP, function calling, and policy runtimes
These three terms get conflated. They solve different problems, at different layers, and you usually want at least two of them. A practical disambiguation.
Designing audit trails LLMs can't tamper with
When the agent has tools, the audit log becomes a target. Here's how to design one that survives a determined LLM (or a determined attacker reaching the LLM).
Capability-based security for AI agents
What it would mean to design agent permissions the way capability-secure operating systems were designed. A blueprint.
From RAG to safe writes
Most teams shipped a RAG-only agent in 2024. The next step — letting the agent change state — is a different category of engineering. Here's the path.
Capability tokens for AI: a primer
An old idea from operating systems is becoming load-bearing for agent security. Here's what capability tokens are, and why your agent toolkit should think in them.
The agent–data security gap nobody is talking about
Most AI safety attention is on the model. The next class of incidents will be at the model–database boundary, and the industry is unprepared.
Why text-to-SQL fails in production
It works in demos. It works on a single user's database. It does not work as the safety story for a multi-tenant SaaS agent. Here's the failure-mode catalog.
Spider benchmark: 0 unsafe operations vs. 23 for text-to-SQL
We replayed the entire Spider benchmark — 1,034 natural-language queries across 200 databases — through OrmAI and a strong text-to-SQL baseline. Here's what we found.
Comparisons
OrmAI vs. the alternatives.
OrmAI vs. hand-rolled tools
Writing one bespoke function per agent capability is safer than raw SQL, and far easier to ship than people admit. Here's where it works, and where it falls apart at scale.
OrmAI vs. MCP database servers
MCP database servers expose your DB to any MCP-aware client. OrmAI is policy-first, in-process, and shipped inside your application. Here's when each is the right choice.
OrmAI vs. raw SQL
Why exposing a raw SQL handle to your AI agent is the wrong default — and what the right default looks like.
OrmAI vs. text-to-SQL
Text-to-SQL turns natural language into SQL strings. OrmAI turns natural language into typed tool calls. Here's why that distinction matters in production.