AI agents are often stuck in "read-only" mode. Granting raw SQL access is a security nightmare, yet building bespoke APIs for every agent action is too rigid to adapt.

Cori solves this by placing enforcement at the very last mile: the data layer.

It acts as a secure MCP kernel that turns database schemas into typed tools governed by simple YAML policies. This allows you to safely enable controlled writes and build thousands of capable agents without maintaining endless API boilerplate or risking your data.

Who we are: We are two engineers who have spent years navigating the rigid security constraints of large enterprises. We built Cori to bridge the gap between strict compliance and actually leveraging the full power of autonomous agents.

Very nice — congratulations on the project! I have a few questions

How does Cori handle live updates to authorization policies without risking inconsistent permissions for long-running agents?

What is the recommended strategy for revoking or rotating Biscuit tokens issued to autonomous agents that may run for hours or days?

How extensible is Cori’s tool generation model when you need domain-specific operations or workflows that go beyond simple CRUD actions?

Congrats on the launch, this tackles a real problem!

I like the "last mile at the data layer" approach vs building agent-specific APIs. How do you think about invariants that span multiple writes or tables? For example, rules that only make sense across a sequence of operations, not a single CRUD action.

Do you see those living purely in the orchestration layer, or something Cori might eventually support more natively?