
I built faz, an MCP server that sits between your agent and your databases and runs every query through a safety pipeline before execution.
Last Friday, a Cursor agent running Claude Opus 4.6 deleted PocketOS's entire production database and all backups in 9 seconds. This is the problem. When your agent connects to a database via MCP, there's nothing between the agent and raw query execution. No RBAC, no injection detection, no audit trail. The agent gets whatever access the token gives it, and most tokens have way more scope than they should.
faz is that missing layer. Your agent connects to faz. faz connects to your databases. Every query passes through 5 safety stages before anything gets executed:
- Prompt Guard: catches destructive intent before parsing
- RBAC Gate: per-table read/write/append/none permissions in a single YAML config
- AST Checker: hard-blocks DDL (DROP, ALTER, TRUNCATE) unless you explicitly allow it
- Injection Analyser: SQL tautologies, MongoDB $where, Cypher APOC, ES script injection, each query language handled separately
- Guardrails: auto-injects LIMIT, timeouts, and row caps
Blocked queries return a structured response telling the agent exactly which stage blocked it and why. Everything, allowed and blocked, is logged as structured JSONL.
14 databases supported: Postgres, MySQL, Oracle, MongoDB, CouchDB, Elasticsearch, OpenSearch, Neo4j, Cassandra, DynamoDB, Weaviate, Qdrant, Milvus, Pinecone.
Would love feedback from anyone building MCP integrations. What's missing?
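The fail-closed stage pipeline described above, as an added sketch that is not faz's code: three of the five stages (RBAC gate, DDL block, LIMIT guardrail) run in order, a block names the stage and reason, and every decision is appended as a JSONL record. The policy table, the permission hierarchy, the row cap and all function names are assumptions, and keyword matching stands in for a real SQL parser.

```python
import json
import re

# Constructed policy; faz keeps permissions in a YAML config whose schema the post does not show.
POLICY = {"orders": "read", "audit_log": "append", "scratch": "write", "users": "none"}
# Assumption: each permission level includes the ones below it.
GRANTS = {"none": set(), "read": {"read"}, "append": {"read", "append"},
          "write": {"read", "append", "write"}}
NEEDS = {"SELECT": "read", "INSERT": "append"}   # every other verb needs "write"
DDL = {"DROP", "ALTER", "TRUNCATE"}
ROW_CAP = 100                                    # assumed cap
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][\w.]*)", re.I)
LIMIT = re.compile(r"\bLIMIT\s+(\d+)", re.I)

def rbac_gate(ctx):
    need = NEEDS.get(ctx["verb"], "write")
    tables = TABLE_REF.findall(ctx["sql"])
    if not tables:
        return "no table reference found"        # fail closed when nothing can be checked
    for table in tables:
        if need not in GRANTS[POLICY.get(table.lower(), "none")]:
            return f"{need} access to table {table} denied"

def ast_checker(ctx):
    # Keyword stand-in: a production check walks the parsed statement tree instead.
    if ";" in ctx["sql"]:
        return "multiple statements are not allowed"
    if ctx["verb"] in DDL:
        return f"DDL statement {ctx['verb']} is not allowed"

def guardrails(ctx):
    if ctx["verb"] != "SELECT":
        return None
    if not LIMIT.search(ctx["sql"]):
        ctx["sql"] += f" LIMIT {ROW_CAP}"
    else:                                        # clamp an oversized LIMIT to the cap
        ctx["sql"] = LIMIT.sub(lambda m: f"LIMIT {min(int(m[1]), ROW_CAP)}", ctx["sql"])

STAGES = [("rbac_gate", rbac_gate), ("ast_checker", ast_checker), ("guardrails", guardrails)]

def run_query(sql, log):
    text = sql.strip().rstrip(";").strip()
    ctx = {"sql": text, "verb": (text.split() or [""])[0].upper()}
    result = {"allowed": True}
    for name, stage in STAGES:
        reason = stage(ctx)
        if reason:                               # first blocking stage wins
            result = {"allowed": False, "stage": name, "reason": reason}
            break
    if result["allowed"]:
        result["sql"] = ctx["sql"]               # the rewritten query that would execute
    log.append(json.dumps({"query": sql, **result}))   # one JSONL record per query
    return result
```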