pg_guard: Cursor-proof your database

A Postgres proxy with built-in safety features and row-level damage limiting

pg_guard is a Postgres proxy server that sits between your applications and your database, providing real-time query analysis and protection against dangerous operations. It implements transparent TCP proxying with PostgreSQL wire protocol support with human readable messages to help claude/cursor understand how to better make DB calls.

Features

• Query Interception: Analyzes all SQL queries before they reach your database
• Row-Level Damage Limiting: Blocks DELETE/UPDATE operations that would affect too many rows
• Dangerous Query Blocking: Prevents DROP, TRUNCATE, and WHERE-less DELETE operations
• Honeytoken Protection: Detects and blocks access to canary tables
• Mock Snapshots: Logs backup points before destructive operations
• Structured Logging: Clear, parseable logs for monitoring and debugging
• Human Readable Errors: Tells claude/cursor how to change its query to pass the proxy

Quick Start

cargo install pg_guard

pg_guard \
  --listen 0.0.0.0:6543 \
  --db-url postgres://postgres:postgres@localhost:5432/postgres \
  --max-rows 500 \
  --strict

Safety Features

1. Dangerous Query Blocking

-- ❌ BLOCKED: These queries are automatically blocked
DROP TABLE users;
TRUNCATE users;
DELETE FROM users;  -- No WHERE clause

2. Row-Level Damage Limiting

-- ✅ ALLOWED: Affects few rows
DELETE FROM users WHERE id = 123;

-- ❌ BLOCKED: Would affect 1000+ rows (exceeds --max-rows limit)
DELETE FROM users WHERE created_at < '2020-01-01';

3. Honeytoken Detection

-- ❌ BLOCKED: Any access to canary tables
SELECT * FROM _pg_guard_canary;

4. Snapshot Logging

Before allowing destructive operations, pg_guard logs:

[snapshot] Would take backup here
[ALLOW] DELETE FROM users WHERE role = 'inactive' → 12 rows