Tool Module

Database Tool

Safe SQL queries for AI agents.
Enterprise-grade data access without the risk.

Inactive

January 2026

The Problem

Agents need data access

But SQL is dangerous

            Give an AI agent unrestricted database access and you're one hallucination away from DROP TABLE production_data. We need data access, but we need it safe.
        

Safety Architecture

Six-layer safety system

✓ Layer 1: Read-only database connections
✓ Layer 2: DDL/DML statement blocking
✓ Layer 3: Row limit enforcement (default 1,000)
✓ Layer 4: Query timeout protection (default 30s)
✓ Layer 5: SQLite-specific pragma restrictions
✓ Layer 6: Graceful error handling & logging

Layer 1

Read-only by design

Database-Level Enforcement

SQLite connections open with ?mode=ro URI parameter. Write operations are rejected by the driver itself before any application code runs.

No Escape Hatch

Even if query validation fails, the database itself rejects write operations. Defense in depth means multiple layers must fail before damage occurs.

The database doesn't trust us. That's exactly what we want.

Layer 2

Query validation

# Blocked patterns (case-insensitive regex)
DANGEROUS_PATTERNS = [
    r'\b(DROP|CREATE|ALTER|TRUNCATE)\b',      # DDL
    r'\b(INSERT|UPDATE|DELETE|REPLACE)\b',    # DML
    r'\b(PRAGMA\s+(?!query_only))\w+',        # SQLite pragmas
    r';\s*\w+',                               # Multiple statements
]

# Validation happens before execution
if any(re.search(p, query, re.IGNORECASE) for p in DANGEROUS_PATTERNS):
    raise ValueError("Query contains forbidden operations")

Layers 3 & 4

Performance guardrails

Row Limits

Default 1,000 rows, configurable per query. Prevents agents from accidentally fetching millions of records and overwhelming context windows.

Query Timeouts

Default 30-second timeout. Kills runaway queries before they lock up resources. Agents learn to write efficient queries.

1,000

Default Row Limit

30s

Query Timeout

Usage

Safe query execution

# Agent issues a database_query tool call
{
  "name": "database_query",
  "parameters": {
    "connection_string": "sqlite:///data/app.db?mode=ro",
    "query": "SELECT name, email FROM users WHERE active = 1",
    "row_limit": 500
  }
}

# Returns structured data
{
  "columns": ["name", "email"],
  "rows": [...],
  "row_count": 247,
  "truncated": false,
  "execution_time": "0.023s"
}

Development Snapshot

Built in a single commit

1

Commit

3,644

Lines of Python

67

Test Functions

1

Contributor

SQLite: Shipped

Full adapter with read-only connections, file-based access, and pragma safety. 352 lines in adapters/sqlite.py.

PostgreSQL / MySQL: Planned

Base adapter interface defined (124 lines). Client-server backends are referenced in code comments but not yet implemented.

Sources & Methodology

How we got these numbers

Data as of February 20, 2026 · Feature status: Inactive (repo in ~/dev/ANext/Inactive/)

Git log analysis git log --oneline on amplifier-module-tool-database → 1 commit found (13856db, 2026-01-21)

Line counts find . -name "*.py" | xargs wc -l → 3,644 lines across 25 files

Test function count grep -r "def test_" tests/ --count → 67 test functions across 4 test files

Contributor analysis git log --format="%an" | sort | uniq -c → 1 contributor (Sam Schillace, 100%)

Safety architecture grep -r "class\|def " src/database_tools/safety/ → 5 safety components identified

Known gaps: Test pass/fail rates not verified (pytest not run). Bundle adoption claims from previous deck version not verified and removed. PostgreSQL/MySQL support status is "planned" per code comments, not shipped.

Safe data access
for every agent.

Six layers of protection. Zero compromises.
One commit that solves the hardest problem in agent-database interaction.

amplifier-tool-database
Part of the Amplifier ecosystem