Governed Agentic Framework. MCP-Governed and LangGraph- Orchestrated Text-to-SQL.
Molaj, Abhinandan (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2025121536342
https://urn.fi/URN:NBN:fi:amk-2025121536342
Tiivistelmä
Many organisations would like staff to query enterprise data in natural language instead of writing SQL. However, they are also concerned about unsafe database access, weak audit trails, and changes in model behaviour over time. This thesis studies a governed gateway for tools and data together with a workflow engine that can repeat the same steps. The aim is to make Text-to-SQL safer and easier to audit while still preserving utility, where Text-to-SQL means turning natural-language questions into SQL queries.
This work implements a small end-to-end prototype (MVP). The prototype uses the Model Context Protocol (MCP) as the only route to the database and to selected files. MCP applies policy-before-execution rules before any SQL runs. These rules allow only read-only queries (SELECT-only verb gate), restrict access to a fixed list of tables (table allow-list), and limit how many rows a query may return and how long it may run (row and time caps). LangGraph handles orchestration, runs the workflow steps in a fixed order, and stores checkpoints so that the same run can be repeated later. Every request produces structured log records (telemetry) in JSONL format that record the decision (approved, blocked, or error), the time taken, and, where available, token and cost information. The evaluation compares two configurations on a single internal PostgreSQL schema. Both use the same read-only database role (SELECT-only credential), the same table allow-list, and the same row and time caps. In the first configuration, governance checks are enabled (“rails on”): policy rules are applied before execution and an optional Human-in-the-Loop (HITL) approval step is available. In the second configuration (“rails off”), the system still accesses the same schema through MCP but does not apply these additional checks. Both configurations are run on a small set of straightforward, policy-compliant questions (benign prompts, set D1). In this setting all 20 requests are approved and response times are similar, suggesting that the extra checks add little overhead for routine analytical queries. A separate set of deliberately risky prompts (policy probes, set D2) targets the policy boundary. Switching HITL modes by configuration (for example always approve, always reject, or random decisions) produces clear differences in latency and in how often requests are blocked, while token and cost signals change only slightly. The thesis therefore offers a practical design for governed Text-to-SQL. MCP acts as a gateway with policy-before-execution and logging for all access to data and files. Lang-Graph provides a separate orchestration layer that runs and replays workflows without direct database privileges. This separation of duties, together with a shared telemetry pipeline, supports defence-in-depth and reproducible experiments. The same design can be extended to larger prompt sets, additional datasets, or more advanced HITL policies without changing how measurements are collected.
This work implements a small end-to-end prototype (MVP). The prototype uses the Model Context Protocol (MCP) as the only route to the database and to selected files. MCP applies policy-before-execution rules before any SQL runs. These rules allow only read-only queries (SELECT-only verb gate), restrict access to a fixed list of tables (table allow-list), and limit how many rows a query may return and how long it may run (row and time caps). LangGraph handles orchestration, runs the workflow steps in a fixed order, and stores checkpoints so that the same run can be repeated later. Every request produces structured log records (telemetry) in JSONL format that record the decision (approved, blocked, or error), the time taken, and, where available, token and cost information. The evaluation compares two configurations on a single internal PostgreSQL schema. Both use the same read-only database role (SELECT-only credential), the same table allow-list, and the same row and time caps. In the first configuration, governance checks are enabled (“rails on”): policy rules are applied before execution and an optional Human-in-the-Loop (HITL) approval step is available. In the second configuration (“rails off”), the system still accesses the same schema through MCP but does not apply these additional checks. Both configurations are run on a small set of straightforward, policy-compliant questions (benign prompts, set D1). In this setting all 20 requests are approved and response times are similar, suggesting that the extra checks add little overhead for routine analytical queries. A separate set of deliberately risky prompts (policy probes, set D2) targets the policy boundary. Switching HITL modes by configuration (for example always approve, always reject, or random decisions) produces clear differences in latency and in how often requests are blocked, while token and cost signals change only slightly. The thesis therefore offers a practical design for governed Text-to-SQL. MCP acts as a gateway with policy-before-execution and logging for all access to data and files. Lang-Graph provides a separate orchestration layer that runs and replays workflows without direct database privileges. This separation of duties, together with a shared telemetry pipeline, supports defence-in-depth and reproducible experiments. The same design can be extended to larger prompt sets, additional datasets, or more advanced HITL policies without changing how measurements are collected.