SQL-Guardian
Overview
SQL-Guardian is a query-only database agent that executes SELECT statements inside a sandboxed WebAssembly runtime. It demonstrates how MPP's permission model enforces read-only data access: no write path, no outbound channel other than the result returned to the calling agent, and no way to mutate the schema.
Ship a database tool that an AI agent can invoke without ever worrying about DROP TABLE.
Manifest
[package]
name = "sql-guardian"
version = "0.3.0"
description = "Read-only SQL query tool with WASM isolation"
authors = ["MPP Reference Team"]
license = "Apache-2.0"
[runtime]
target = "wasm32-wasi"
memory = "64MB"
[permissions]
database = "read-only"
network = "deny"
fs = "deny"
[signing]
algorithm = "Ed25519"
key_id = "mpp-reference-2025"
Architecture
The tool operates within a single WASM module loaded by the MPP runtime. All database interaction passes through a capability-gated host function that enforces the declared read-only permission at the ABI boundary.
Execution Flow
- Agent Request: The host AI agent sends a natural-language or structured query to the tool via the MPP invoke interface.
- Query Parsing: The WASM module parses the input, builds a parameterised SELECT statement, and validates it against a strict SQL allowlist.
- Capability Gate: The runtime's Gatekeeper intercepts the host-function call, verifies the database = "read-only" permission, and rejects any statement that is not a pure read operation.
- Execution & Response: Results are serialised as JSON and returned through the MPP result channel. No data is cached or persisted by the tool.
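The parser gate in step 2 is the first place a non-read statement is stopped, and the capability gate in step 3 repeats a check of the same shape at the host boundary. The following is an added example written for this page, not code from SQL-Guardian's repository, of a statement-head allowlist of that kind. It admits a single SELECT, or a bare EXPLAIN wrapping a SELECT, and denies everything else: a second statement hidden behind a semicolon, a keyword split by a block comment, EXPLAIN ANALYZE (which executes the explained statement in PostgreSQL), and SELECT ... INTO (which creates a table in PostgreSQL and SQL Server, or writes a file with MySQL's INTO OUTFILE). The names `check_read_only`, `keyword_view` and `Verdict` are this example's own.

```rust
// Added example (not SQL-Guardian's source): a statement-head allowlist of the
// kind the parser gate applies before a query reaches the host-function boundary.

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Deny(&'static str),
}

/// Build a keyword-only view of the query: comments removed and the bodies of
/// string literals blanked. The original text is what would be executed; this
/// view exists only so the scan cannot be fooled by `SEL/**/ECT`, a `--` comment
/// hiding a second statement, or a keyword sitting inside a quoted value.
fn keyword_view(sql: &str) -> String {
    let cs: Vec<char> = sql.chars().collect();
    let mut out = String::with_capacity(sql.len());
    let mut i = 0;
    while i < cs.len() {
        match cs[i] {
            '\'' => {
                out.push_str("''");
                i += 1;
                while i < cs.len() {
                    if cs[i] == '\'' {
                        // '' inside a literal is an escaped quote, not the end.
                        if cs.get(i + 1) == Some(&'\'') { i += 2; continue; }
                        break;
                    }
                    i += 1;
                }
                i += 1; // step past the closing quote (or the end of an unterminated literal)
            }
            '-' if cs.get(i + 1) == Some(&'-') => {
                while i < cs.len() && cs[i] != '\n' { i += 1; }
                out.push(' ');
            }
            '/' if cs.get(i + 1) == Some(&'*') => {
                i += 2;
                while i + 1 < cs.len() && !(cs[i] == '*' && cs[i + 1] == '/') { i += 1; }
                i += 2;
                out.push(' '); // a comment is whitespace, so SEL/**/ECT becomes "SEL ECT"
            }
            c => { out.push(c); i += 1; }
        }
    }
    out
}

/// Upper-cased tokens of one statement, split on whitespace and punctuation.
fn tokens(stmt: &str) -> Vec<String> {
    stmt.split(|c: char| c.is_whitespace() || matches!(c, '(' | ')' | ','))
        .filter(|t| !t.is_empty())
        .map(|t| t.to_ascii_uppercase())
        .collect()
}

pub fn check_read_only(sql: &str) -> Verdict {
    let view = keyword_view(sql);
    // Semicolons inside literals were blanked above, so every ';' left is a real separator.
    let stmts: Vec<&str> = view.split(';').map(str::trim).filter(|s| !s.is_empty()).collect();
    let stmt = match stmts.as_slice() {
        [] => return Verdict::Deny("empty query"),
        [one] => *one,
        _ => return Verdict::Deny("statement batches are not allowed; one statement per call"),
    };
    let toks = tokens(stmt);
    let head = match toks.first() {
        Some(t) => t.as_str(),
        None => return Verdict::Deny("empty query"),
    };
    match head {
        "SELECT" => {}
        // EXPLAIN ANALYZE, and PostgreSQL's EXPLAIN (ANALYZE, ...) option list,
        // execute the inner statement; only a bare EXPLAIN SELECT is accepted.
        "EXPLAIN" if toks.get(1).map(String::as_str) == Some("SELECT") => {}
        "EXPLAIN" => return Verdict::Deny("EXPLAIN must wrap a plain SELECT"),
        _ => return Verdict::Deny("only SELECT and EXPLAIN SELECT are allowed"),
    }
    // SELECT ... INTO is a write path that starts with the allowed keyword.
    if toks.iter().any(|t| t.as_str() == "INTO") {
        return Verdict::Deny("SELECT ... INTO is a write");
    }
    Verdict::Allow
}

fn main() {
    // Constructed sample inputs: the page's own query plus the cases the gate must refuse.
    for q in [
        "SELECT name, email FROM users LIMIT 10",
        "SELECT 1; DROP TABLE users",
        "SEL/**/ECT * FROM users",
        "EXPLAIN ANALYZE DELETE FROM users",
        "SELECT * INTO OUTFILE '/tmp/dump' FROM users",
    ] {
        println!("{:?}  <=  {}", check_read_only(q), q);
    }
}
```

Two limits of this scan are deliberate. CTEs (WITH ...) are denied outright, because PostgreSQL allows data-modifying statements inside them; admitting them safely needs a real SQL parser (for example the sqlparser crate) rather than a keyword scan. And the scan is one layer only: the capability gate and the read-only permission enforced on the host side remain the backstop, which is the layering the Security Boundaries table below describes.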
Security Boundaries
| Layer | Control |
|---|---|
| WASM sandbox | Linear memory isolation — no access to host memory or file system |
| Permission manifest | Declares database: read-only; any write attempt traps the module |
| SQL allowlist | Only SELECT and EXPLAIN statements pass the parser gate |
| Network deny | No outbound connections — eliminates data exfiltration |
| Ed25519 signature | Package integrity is verified before any code is loaded |
Permissions Detail
- database — read-only: The tool can execute SELECT queries against a host-provided data source. INSERT, UPDATE, DELETE, CREATE, ALTER, and DROP are all denied at the capability gate.
- network — deny: No outbound HTTP, TCP, or UDP access. Query results cannot leave the sandbox.
- fs — deny: No file-system reads or writes. The tool has no persistent state between invocations.
Usage Example
# Install from registry
mpp install sql-guardian@0.3.0
# Verify signature before first run
mpp verify sql-guardian
# ✓ Ed25519 signature valid (key: mpp-reference-2025)
# ✓ Manifest hash matches archive
# ✓ Permissions: database(read-only), network(deny), fs(deny)
# Invoke via CLI
mpp run sql-guardian --input '{"query": "SELECT name, email FROM users LIMIT 10"}'
# Example response
{
"status": "ok",
"rows": [
{ "name": "Alice Chen", "email": "alice@example.com" },
{ "name": "Bob Park", "email": "bob@example.com" }
],
"meta": { "row_count": 2, "elapsed_ms": 12 }
}
Threat Mitigations
- SQL Injection: Query values are bound as parameters at the parsing layer; raw string interpolation is never performed. Because the agent supplies the statement itself, the SQL allowlist, not parameterisation, is the control that keeps an agent-authored statement read-only.
- Data Exfiltration: Network access is denied. Even if the WASM module were compromised, it has no channel to send data out of the sandbox other than the result returned to the calling agent, so the host-provided data source should expose only what the agent is meant to read.
- Privilege Escalation: The capability gate is enforced at the host-function boundary, outside the WASM memory space. The tool cannot override it.
- Supply-Chain Tampering: The Ed25519 signature covers the entire archive. Any modification invalidates the signature and prevents execution.
Source & Build
# Clone the reference repo
git clone https://github.com/mpp-protocol/reference-tools.git
cd reference-tools/sql-guardian
# Build the WASM module
cargo build --target wasm32-wasi --release
# Package as .mpp artifact
mpp pack --sign --key ~/.mpp/keys/mpp-reference-2025.key
The resulting sql-guardian-0.3.0.mpp artifact can be published to any MPP-compatible registry or shared directly as a signed file.