PitchHut logo
Interdict
Safeguarding AI interactions with Postgres databases.
Pitch

Interdict acts as a protective layer for AI agents interacting with Postgres databases. By simulating the impact of writes before execution and enabling safe undos, it prevents catastrophic data loss while providing detailed explanations and suggested corrections for every blocked statement. This ensures safer database operations and robust oversight.

Description

Interdict: The Essential Safety Layer for AI-Driven Database Operations

Interdict serves as a protective safety layer between AI agents and Postgres databases, effectively mitigating the risks associated with unauthorized or erroneous write operations. With AI agents increasingly interacting with production databases, a single incorrect statement has the potential to cause substantial data loss. Traditional permission models are inadequate as they verify whether a role can modify a table but fail to assess the real impact of those modifications.

Key Features

  • Impact Measurement: Interdict first simulates each write operation in a temporary transaction, providing feedback on the potential consequences before executing. For instance, it may indicate that “this DELETE would affect 2,300,000 rows,” holding the command for necessary human approval instead of executing it blindly.
  • Undo Capability: All permissible write operations are logged, allowing for easy reversibility. A simple command can revert changes with a comprehensive audit trail, while unsafe writes are proactively blocked.
  • Clear Explanations for Blocked Actions: Whenever an operation is blocked, Interdict provides a machine-readable reason and recommendations for correction, enabling the AI agent to self-correct and attempt the operation once more.

Example Usage

> UPDATE accounts SET balance = 0                ⛔ blocked: no WHERE — would hit every row
> UPDATE accounts SET balance = 0 WHERE id = 1   ✓ UPDATE 1   (undo id 3811adb4)
> DELETE FROM accounts WHERE balance < 2000      ⚠ held: would delete 2,300,000 rows → approve
> \undo                                          ✓ reverted — rows restored

Performance Metrics

MetricResult
Cost added per statement (warm)2.6 µs p50 / 2.7 µs p99
End-to-end overhead vs raw asyncpg≈ 0 ms — CI fails any build over 5 ms p99
Dangerous statements missed (red corpus)0% of 40
Safe statements wrongly blocked (green corpus)0% of 18
Blast-radius measurementexact row counts, live
Undo round-trip~4 ms, conflict-checked, exact restore
Automated tests343, run in CI on every commit

Interdict’s architecture encompasses real-parallelism race tests, fault injection, and evasion attacks to ensure reliability and robustness. For detailed methodology, refer to the benchmark results.

How It Works

Interdict processes queries through the following pipeline:

AI agent ──(MCP)──> [thin adapter] ──> [SAFETY ENGINE] ──> Postgres
                        parse → classify → policy → (simulate?) → decide
                                              │        (record undo on writes)
                                          async: audit log, advisory intent check
  • Utilizes a robust parser instead of simplistic regex, ensuring safety against various query manipulations.
  • The system is designed to operate in microseconds with efficient simulation and logging components running asynchronously to avoid delays.
  • Writes Fail Closed: Uncertainty in operations results in a write being blocked, keeping read operations unaffected.

Configuration Options

VariableDefaultPurpose
AGENT_DB_DSNlocal dev DSNTarget Postgres.
AGENT_POLICYpolicies/default.yamlConfigurable policy definitions.
AGENT_OPERATOR_TOKENunsetToken for approving held writes. Required for security.
AGENT_APPROVAL_TTL_SECONDS1800Duration that held writes remain approvable.
AGENT_AUDIT_LOG~/.interdict/audit.jsonlAsync log of actions taken with the system.

Important Considerations

  • Interdict focuses on mitigating user errors such as excessive row deletions and ensures reversibility but does not claim to capture every conceivable SQL error.
  • Operations affecting external systems such as triggers and sequences are monitored, with some adjustments blocked to ensure data integrity.
  • Integrators should employ a least-privilege model initially while the system is in a developer preview stage.

Project Structure

engine/      # core functionalities: parse, classify, audit, simulate, undo
adapters/    # microservice component for communication
policies/    # user-defined policies in YAML format
corpus/      # query testing libraries (red for blocks, green for safe)
benchmarks/  # performance testing framework
tests/       # test suite for functionality validation
website/     # project landing page (interdict.vercel.app)

Interdict empowers developers and organizations to safely leverage AI in database transactions while maintaining the integrity and security of their data.

0 comments

No comments yet.

Sign in to be the first to comment.