I've been building QueryBear (https://querybear.com) to fix the database part of this: instead of giving an agent your raw connection string, you give it a read-only MCP URL that only exposes the tables you approve and logs every query. The agent can still query your DB, answer business questions, help debug — it just can't delete anything.
This wild, one of the pieces I was lacking for a very openclaw-esque future. Now I think I have all the mcp tools I need (github, linear, slack, gmail, querybear), all the skills I need, and now can run these on a loop.
Engineers are adopting AI agents faster than any other group. They connect these coding agents to github, slack, linear, jira, datadog, sentry, everything. I saw the limiting factor being the database so sought to build a solution.
But obviously there's a lot that can go wrong giving a raw access point into the database. Querybear is the security layer to protect from anything bad happening.
Been using it for months and we have multiple startups using it and loving it. Have had no issues yet!