Sqlsure Open Source: Add a Deterministic Guardrail to AI-Generated SQL

Developer Tejus Arora has shifted SQL semantic validation from probability to a deterministic engine. Sqlsure uses rule-based static analysis to block the kinds of fatal errors that large models most commonly make when generating SQL. The idea is simple, but it hits a real pain point.
A Small Tool That Hits AI-Generated SQL Right Where It Hurts
On July 11, developer Tejus Arora open-sourced a GitHub project called Sqlsure. Less than a day after being posted on Show HN, it shot to the front page. Its positioning is straightforward: add a layer of “deterministic semantic checks” to AI-generated SQL. In plain English: before you throw LLM-written SQL into a production database, let Sqlsure run a deterministic rules-based inspection on it first.
It sounds minor, but anyone who has used Copilot, Cursor, or Claude Code over the past two years to generate complex SQL has probably been burned by this before: a missing JOIN condition, a forgotten tenant isolation field in the WHERE clause, an aggregate function without a GROUP BY, or something even subtler — SQL that is syntactically valid and even passes EXPLAIN, yet is semantically wrong. Traditional linters often miss these issues, unit tests may not cover them, and once deployed, the result can be dirty data, incorrect billing, or even cross-tenant data leaks.
Sqlsure is trying to solve exactly this layer: the gray area between “can it run” and “does it produce the correct result.”

Why the Word “Deterministic” Matters
Right now, mainstream SQL validation approaches usually fall into two categories: either let another LLM review the SQL, or execute it and inspect the results. The first is a probabilistic game; the second is far too risky for production environments. Sqlsure takes an old-school approach: abstract common semantic errors into a set of rules, perform static analysis, and output deterministic pass/fail results with precise error locations.
The value of this approach lies in its reproducibility. Run the same SQL a hundred times, and Sqlsure will always return the same judgment. You can plug it into CI, pre-commit hooks, or agent toolchains without worrying that something passing today will fail tomorrow. In contrast, using GPT to review SQL written by GPT is essentially using probability to check probability — and when something breaks, you can’t even reliably reproduce the issue.
This also reflects a clear trend in AI engineering over the past six months: while agents are becoming more autonomous, the surrounding tooling is moving in the opposite direction — toward determinism. Recently, many projects have focused on typed tool-call validation and strict schema constraints for structured outputs. Sqlsure is part of the same wave:
LLMs handle generation, deterministic tools provide the safety net.
What Exactly Does It Check?
Based on the README and examples, Sqlsure currently covers several categories of checks. Ordered roughly by importance:
1. Schema Consistency
The most basic and arguably most useful layer. Feed Sqlsure a schema (DDL or extracted directly from a database), and it verifies whether referenced table names, column names, and types actually exist and match correctly. LLMs frequently hallucinate nonexistent columns or write userId instead of user_id, causing failures halfway through execution. Static analysis catches these issues instantly.
2. JOIN Semantics
This is where AI systems fail most often. Sqlsure checks whether JOIN conditions make sense — for example, if two tables clearly relate through foreign keys but the ON clause uses the wrong fields, or if a Cartesian product appears without an explicit CROSS JOIN declaration. Experienced DBAs spot these mistakes immediately; models often miss them entirely.
3. Aggregation and Grouping
Cases where non-aggregated columns appear in SELECT without being included in GROUP BY occur at absurd frequency in AI-generated SQL. Older MySQL versions may silently allow this, while Postgres throws an error outright. Sqlsure hardcodes these semantic rules so issues surface earlier and more clearly than relying on database runtime errors.
4. Tenant/Permission Field Checks (This Is the Standout Feature)
You can configure fields that must appear in WHERE clauses, such as tenant_id or org_id. This directly targets one of the most dangerous classes of SaaS bugs: cross-tenant data leakage. Relying on a model to consistently remember these constraints is unreliable. Enforcing them deterministically with Sqlsure is the kind of approach serious engineering teams actually want.
5. Dangerous Operation Detection
Checks for things like UPDATE or DELETE statements without WHERE clauses, risky full-table scans, implicit type conversions, and more. Some overlap exists with traditional SQL linters, but combining these checks with semantic analysis significantly reduces false positives.
What Usage Looks Like
A typical setup inserts Sqlsure between SQL generation and execution. The pseudocode looks roughly like this:
from sqlsure import Checker
checker = Checker(schema="./schema.sql", rules="./sqlsure.yaml")
sql = llm.generate(prompt) # Let the model write SQL
result = checker.check(sql)
if not result.ok:
# Feed errors back to the model and regenerate
sql = llm.regenerate(prompt, feedback=result.errors)
else:
db.execute(sql)
Business rules can be declared in configuration files:
required_predicates:
- table: orders
columns: [tenant_id]
- table: users
columns: [org_id]
forbidden:
- unbounded_delete
- unbounded_update
- cross_join_implicit
The intent behind this interface design is obvious:
Act as the “compiler” for agents.
The LLM is effectively the programmer, while Sqlsure becomes the uncompromising type checker. Failed checks produce structured error messages that are fed back into the model for rewriting, forming a self-correcting loop. This is far more reliable than having a model review itself because the feedback is deterministic and explainable.

Where It Fits Compared to Existing Solutions
There are already several tools somewhat similar to Sqlsure, but none overlap completely:
- sqlfluff, sqlglot: Established SQL static analysis tools strong in syntax and formatting. They mostly ignore semantic validation and business rules. Sqlsure feels more like an added “semantic + business rule” layer on top of sqlglot (the README explicitly mentions using sqlglot for AST parsing).
- Database-native EXPLAIN / dry-run: Can catch some issues, but requires connecting to a database, incurs higher costs, and doesn’t consider things like missing tenant filters to be errors at all.
- LLM-as-judge: Having another model review the SQL. Non-deterministic, slow, expensive — all the usual problems.
- PromptQL, Vanna, and similar text-to-SQL frameworks: These focus on “how to generate SQL.” Sqlsure focuses on “how to validate it afterward.” The two are complementary.
In that sense, Sqlsure resembles a TypeScript-style type checker for SQL: it doesn’t stop you from writing code, but it prevents obviously problematic code from shipping.
Limitations and Things Worth Watching
A few caveats:
First, rule coverage determines how many bugs it can catch. The project is still early-stage, and its rule set mainly reflects mainstream English-language database conventions. Common issues in Chinese-language environments — such as Chinese column names or cross-dialect function differences — may require community contributions.
Second, semantic correctness does not equal business correctness. Sqlsure can guarantee that SQL is structurally sound and schema-consistent, but it cannot determine whether a query actually answers the user’s question correctly. Nor is it trying to. That still requires testing and human review.
Third, performance and dialect support. Postgres, MySQL, and SQLite appear supported today, but support for analytical warehouse dialects like ClickHouse, BigQuery, and Snowflake remains something to watch. Teams building AI-powered analytics agents care deeply about this.
Fourth, rule maintenance costs. The fate of projects like this is predictable: once adoption grows, the rule library expands exponentially. Managing rule priority and reducing false positives becomes the same classic challenge faced by all static analysis tools.
One Takeaway
Sqlsure is not flashy. In fact, it almost feels “anti-AI” — its purpose is to compress the freedom of large models back into a controllable box. But that is exactly what AI coding infrastructure needs right now. Over the past six months, too many agent projects have sprinted toward greater autonomy only to fail disastrously in production. Tools like Sqlsure that willingly act as “guardrails” may ultimately be the missing piece needed to bring AI-generated code into serious production environments.
If you’re building text-to-SQL products or integrating AI assistants into internal data platforms, this project is worth cloning immediately. The integration cost is low, and the payoff is immediate — especially the moment you enable the rule requiring tenant_id in every query. You’ll be glad you added it before an incident forced you to.
As a side note, if you’re comparing SQL generation quality across multiple models — GPT, Claude, DeepSeek, and others — OpenAI Hub lets you access these mainstream models through a single API key, with direct connectivity in China and OpenAI-compatible formatting. Combined with Sqlsure, it’s convenient for large-scale evaluation.
References
- sqlsure/sqlsure - GitHub: The main Sqlsure repository, including full documentation, rule configuration, and Python/CLI usage examples.



