The last line of defense between your agent and production.
Route agent SQL through a PostgreSQL-aware gateway. Risky writes can require approval, verified recovery points, and auditable restore paths before they touch production.
Your data stays in your infrastructure · Open source core · Self-hosted by default
Built for teams shipping with AI agents
AI agents don't ask permission.
They have your credentials
You gave the agent DATABASE_URL. It can see everything, change everything, delete everything. Without asking.
They don't understand consequences
An LLM doesn't know the difference between a test database and production. It executes what it plans.
It happens in seconds
PocketOS: 9 seconds. By the time you see the Slack alert, the data is gone.
Install once. Protected forever.
Start
backstop-oss up
Brings up the gateway, sync sidecar, PostgreSQL, and MinIO for the local OSS flow.
Intercept
AST parsing classifies the query as CRITICAL and the gateway checks for a latest recoverable snapshot. No regex. No guessing.
Recover
backstop recover \
  --db $DATABASE_URL \
  --storage s3://prod-snaps \
  --table users
The guided recovery flow rebuilds a recovered table, validates it, and prints copyback SQL only after the checks pass.
Two lines. That's it.
import os
import psycopg2
import backstop

raw_conn = psycopg2.connect(os.environ["DATABASE_URL"])
db = backstop.guard(
    conn=raw_conn,
    storage="s3://prod-snapshots@http://localhost:9000",
    actor="gpt-4-agent",
    mode="protect",
)
db.execute("DROP TABLE users")
db.commit()

Every query. Classified. Instantly.
Built for the age of agents.
AI agents — LangChain, LlamaIndex, Cursor, any OpenAI function-calling agent — can be tagged with an actor identity when wrapped with backstop.guard(conn, actor="langchain-agent-v2", storage="s3://...").
Risky actions are attributed and audited. The gateway can require human approval for HIGH and CRITICAL operations, and table-level destructive actions can be bound to verified recovery points before they touch production data.
Query Intercepted
CRITICAL risk detected in real-time
Snapshot Created
Table state preserved before any mutation
Human Notified
Approval required before agent proceeds
Everything you need. Nothing you don't.
Fast Table Restore
Restore preview first, then recover into a separate table. The full flow stays in your infrastructure and timing depends on table size, storage throughput, and validation steps.
Bring Your Own Storage
Snapshots are written to AWS S3 or a compatible endpoint such as MinIO.
Open Source Core
Read the SDK, gateway, sidecar, restore engine, and launch drills.
Agent Identity Tracking
Stable actor names connect SQL events to the agent that ran them.
Immutable Audit Trail
Audit and snapshot records capture the table, operation, actor, row count, and storage references for review.
Parser Benchmark
The CLI includes a local parser benchmark command so you can measure classifier overhead in your own environment.
Fits into your current stack.
Start free. Scale when you're ready.
OSS
available today
Pro
planned
Team
planned
Commercial workflow layer is still being shaped.
The self-hosted OSS core is the product available today. Managed and enterprise workflows are roadmap discussions, not shipped features.
How teams usually make use of it.
Cursor via MCP
Common rollout pattern
Give the AI tool the Backstop MCP server instead of DATABASE_URL. The agent gets SQL tools, but the gateway keeps approval, audit, and recovery decisions in the middle.
Table recovery
Common rollout pattern
Use sidecar snapshots for fast table-level recovery, and keep native PostgreSQL backup plus WAL/PITR for full-database incidents. Backstop is strongest when those two planes are used together.
Bypass detection
Common rollout pattern
If an agent or script connects directly to PostgreSQL, Backstop cannot intercept that query. Bypass detection makes this posture visible so teams do not confuse recovery-only mode with prevention.
Approval workflow
Common rollout pattern
Use agent-scoped tokens for execution and operator-scoped tokens for approve or deny. Autonomous agents should be able to request risky work, but not approve their own destructive queries.
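The separation of duties described above, as an added sketch that is not Backstop's own code: an agent-scoped token can request and execute, and only an operator-scoped token can approve or deny. `Token`, `Request`, `ApprovalQueue` and the `LOW` label used in testing are hypothetical names, and the risk label is assumed to come from the gateway's classifier.

```python
from dataclasses import dataclass
from itertools import count
NEEDS_APPROVAL = {"HIGH", "CRITICAL"}  # risk levels the page names

@dataclass(frozen=True)
class Token:          # hypothetical token model
    subject: str      # agent id or operator name
    scope: str        # "agent": submit/execute; "operator": approve/deny

@dataclass
class Request:
    sql: str
    risk: str
    requested_by: str
    status: str = "pending"   # pending -> approved/denied -> executed

class ApprovalQueue:
    def __init__(self):
        self.requests, self.audit, self._ids = {}, [], count(1)

    def submit(self, token, sql, risk):
        if token.scope != "agent":
            raise PermissionError("only agent tokens submit SQL")
        req = Request(sql, risk, token.subject)
        if risk not in NEEDS_APPROVAL:          # lower-risk SQL passes by policy
            req.status = "approved"
        rid = next(self._ids)
        self.requests[rid] = req
        self.audit.append(("submit", token.subject, rid, risk))
        return rid

    def decide(self, token, rid, approve):
        req = self.requests[rid]
        if token.scope != "operator":           # agents cannot self-approve
            self.audit.append(("decide_refused", token.subject, rid, req.risk))
            raise PermissionError("approval requires an operator token")
        if req.status != "pending":             # no re-deciding a closed request
            raise ValueError("request already decided")
        req.status = "approved" if approve else "denied"
        self.audit.append((req.status, token.subject, rid, req.risk))

    def execute(self, token, rid):
        req = self.requests[rid]
        if token.scope != "agent" or token.subject != req.requested_by:
            raise PermissionError("only the requesting agent may execute")
        if req.status != "approved":            # pending, denied, or already run
            raise PermissionError(f"request is {req.status}")
        req.status = "executed"
        return req.sql   # a real gateway would forward this to PostgreSQL
```

The refused self-approval is written to the audit list as well, so an agent that tries to approve its own request leaves a record an operator can review.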
Bring your own storage
Common rollout pattern
Point snapshots and WAL artifacts at your own S3-compatible storage, such as MinIO. The safety and recovery flow stays inside infrastructure you already control.
Dev vs prod policy
Common rollout pattern
Use looser policy in development, stricter policy in production, and explicit pause or quarantine controls for incidents. That balance reduces bypass pressure without giving away protection.
Audit attribution
Common rollout pattern
Stable BACKSTOP_AGENT_ID values make the audit trail readable. They also enable agent quarantine, filtered review, and cleaner incident response when multiple tools touch the same database.
Production readiness
Common rollout pattern
Run the doctor commands, snapshot drills, storage checks, and incident runbooks before rollout. Backstop adds safety value when the operational boundary is understood and rehearsed.
Local-first metadata
Common rollout pattern
SQLite metadata keeps the OSS core easy to run locally while still giving you durable audit, approval, alert, and snapshot records that a future dashboard can read directly.
Read every line. Trust what you deploy.
Backstop's core is Apache-2.0 licensed. When a tool stands between an AI agent and your production data, you deserve to read the gateway, sidecar, MCP server, SDKs, restore path, and drills yourself.
Your next deployment shouldn't be your last.
Add a safer control layer in front of production SQL. Approve risky writes, verify recovery readiness, and restore supported table snapshots without leaving your own infrastructure.
Free forever for self-hosted. No credit card required.