Skip to main content

Why SchemaBrain exists

You connected an AI agent to your production database. It can now read every column, including the ones it should never see. It can fabricate a payment_card join because nothing in the API surface says no. And when something goes wrong, the audit trail is whatever the agent decided to tell you. SchemaBrain sits between the agent and the database and changes that contract.

Five minutes to first query

1

Install

uvx schemabrain init
2

Initialize

schemabrain init
The wizard detects your installed MCP hosts (Claude Desktop, Claude Code, Cursor, Windsurf) and shows a menu — press Enter for the detected default, or pass --host X to skip the prompt. It spins up a local Postgres demo with a 12-table SaaS schema and writes a ready-to-use config. Press Enter at every prompt for the demo defaults.
3

See your schema as a graph

pip install 'schemabrain[ui]'
schemabrain dashboard
The payoff: your schema rendered as an interactive knowledge graph — entities as nodes, joins as edges, catastrophic-PII hotspots flagged — alongside a PII matrix of every tagged column, a Refusal Explorer of every blocked query, and a hash-chained Audit Viewer. The dashboard reads the local store directly, so it works before you restart the host.
4

Restart the host and ask

Restart your MCP host so the agent picks up the new tools, then ask: “list the entities you know about, then describe the user entity.”The demo ships a pre-curated entity pack, so this works without an ANTHROPIC_API_KEY. If you connected your own Postgres and skipped entity curation (no Anthropic key on hand), ask “list the tables in my database” instead — that uses the physical-schema tools, which need no entities.
Full walkthrough in Setup. Want the 10-minute tour where you watch an agent get refused a query it can’t answer honestly? Start with First 5 Queries.

Why it’s safe by architecture, not by trust

Read-only by architecture

No execute(). No query(). No session flag the agent can flip. Writes are impossible because no tool accepts arbitrary SQL.

PII-aware by default

Twelve PII categories with three catastrophic-leak categories (credential, payment card, government ID) blocked out of the box.

Audit-evident

Hash-chained audit log. Every tool call writes a row. audit verify proves the chain hasn’t been tampered with.

Structured recovery

When SchemaBrain refuses, it returns a typed envelope with a recovery hint — not a string error the agent has to guess at.

Pick your host

Five MCP-compatible hosts ship with first-class wiring:

Claude Desktop

Claude Code

Cursor

Windsurf

ChatGPT

Compare

How SchemaBrain differs from the obvious neighbours in the AI-database tooling space:

vs. Querybear

Read-only SQL agent for analytics. SchemaBrain is the trust and intelligence layer between any agent and your database — definition-driven, so the agent never writes raw SQL.

vs. Anthropic Postgres MCP

Reference MCP server with direct SQL execution. SchemaBrain refuses SQL at the type level.