by bon_ai 18 days ago
the capabilities design is really cool, however, to protect against prompt injection to unauthorized db access, couldn't we just use an api-only agent or db features like pg RLS?
1 comment

yeah, not really, actually. in my opinion, they may work, but with tradeoffs

api wrappers are safe, but they kill the flexibility of the AI agent and will have a massive maintenance bottleneck

db-level security is a great runtime boundary, but it is completely disconnected from application business logic