Read-Only Enforcement

Thallus enforces strict read-only access to your external databases. This is a safety guarantee — no matter what question you ask, Thallus will never modify, delete, or insert data in your production systems.

The safety guarantee

External database connections are always read-only. This is not configurable, not overridable, and enforced at the code level. It's a deliberate design choice: you should be able to connect your production database without worrying that an agent might accidentally run a destructive query.

How enforcement works

Every query goes through a multi-layer validation pipeline before it reaches your database:

Query generated
Validation layers
Execute

Every query passes through multiple validation layers before reaching your database. Write operations, administrative commands, multi-statement queries, and dangerous functions are all blocked. Comments are stripped before validation to prevent obfuscation.

If any layer rejects the query, it never reaches your database. The agent receives a clear error explaining what was blocked and why.

Additional safeguards

Beyond query validation, several runtime protections limit the impact of any individual query:

Query Timeout Row Limit Rate Limit
  • Query timeout — Configurable per connection. Long-running queries are automatically cancelled. This prevents runaway queries from consuming database resources.
  • Row limit — Configurable per connection. Large result sets are truncated with a warning to the agent.
  • Rate limiting — Prevents excessive querying with per-user, per-organization, and per-connection limits.
  • Connection health check — The connection is verified before each query execution, catching stale or revoked credentials early.

The exception: uploaded tables

Uploaded CSV and XLSX tables can optionally allow modifications. This is safe because modifications only affect the platform's copy of your data — your original files are never changed, and no external system is affected.

See Uploaded Table Permissions for details on enabling modifications for uploaded tables.