Database Provisioning Agent
An agent that spins up new database instances, applies schemas, creates users and roles, seeds initial data, and configures access — all from a reproducible blueprint.
The Problem
Provisioning a new database for a feature branch, staging environment, or new microservice involves dozens of manual steps: create the instance, apply the schema, set up roles and permissions, configure connection pooling, seed reference data, and update service configs. This is slow, error-prone, and rarely documented end-to-end.
How It Works
- The agent reads your existing MDL models from the Legible semantic layer to understand the target schema
- It generates DDL for the complete database: tables, indexes, constraints, functions, and views
- It creates roles with least-privilege grants based on the application's access patterns
- It seeds reference data and optionally generates test data
- It outputs connection strings and credentials for the new instance
Blueprint
agent:
type: claude
description: Database instance provisioning and setup
components:
sandbox:
image: ghcr.io/nvidia/openshell/sandbox-base:latest
resources:
cpus: "2.0"
memory: "4g"
inference:
profiles:
anthropic:
model: claude-sonnet-4-20250514
provider_type: anthropic
policies:
network: policy.yaml
Network policy:
version: "1.0"
rules:
- name: legible-mcp
protocol: tcp
port: 443
destination: "your-legible-instance.example.com"
- name: db-host
protocol: tcp
port: 5432
destination: "your-db-host.example.com"
- name: cloud-api
protocol: tcp
port: 443
destination: "*.amazonaws.com"
Usage
legible agent create provisioner --blueprint db-provisioning --profile anthropic
legible agent connect provisioner
# Inside the sandbox:
# > Create a new PostgreSQL database for the payments microservice
# > Base the schema on the orders and payments models from the semantic layer
# > Create roles: payments_app (read-write), payments_readonly, payments_admin
# > Seed the reference tables (currencies, payment_methods, countries)
# > Generate connection strings for each role
What the Agent Creates
| Component | Details |
|---|---|
| Database | New database or schema with correct encoding and collation |
| Tables | Full DDL from MDL model definitions with proper types, constraints, and defaults |
| Indexes | Primary keys, foreign keys, and indexes inferred from query patterns |
| Roles | Least-privilege roles: app (CRUD), readonly (SELECT), admin (DDL + GRANT) |
| Grants | Table-level and column-level permissions per role |
| Reference data | Seed scripts for lookup tables and configuration data |
| Connection config | Connection strings, pgbouncer config, environment variables |
| Documentation | Schema diagram (Mermaid), ER description, role permissions matrix |
Example Output
-- Generated by Database Provisioning Agent
-- Target: payments service database
CREATE DATABASE payments
WITH ENCODING = 'UTF8'
LC_COLLATE = 'en_US.UTF-8'
TEMPLATE = template0;
\c payments
-- Roles
CREATE ROLE payments_app LOGIN PASSWORD 'generated-secret-1';
CREATE ROLE payments_readonly LOGIN PASSWORD 'generated-secret-2';
CREATE ROLE payments_admin LOGIN PASSWORD 'generated-secret-3';
-- Schema from MDL models
CREATE TABLE payment_methods (
id SERIAL PRIMARY KEY,
name VARCHAR(50) NOT NULL UNIQUE,
is_active BOOLEAN DEFAULT true
);
CREATE TABLE transactions (
id BIGSERIAL PRIMARY KEY,
order_id BIGINT NOT NULL,
amount NUMERIC(12,2) NOT NULL CHECK (amount > 0),
currency CHAR(3) NOT NULL DEFAULT 'USD',
method_id INT REFERENCES payment_methods(id),
status VARCHAR(20) DEFAULT 'pending',
created_at TIMESTAMPTZ DEFAULT now()
);
-- Grants
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO payments_app;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO payments_readonly;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO payments_admin;
Supported Targets
| Target | Provisioning Method |
|---|---|
| PostgreSQL | Direct DDL via psql |
| MySQL | Direct DDL via mysql client |
| Snowflake | SQL commands via SnowSQL |
| BigQuery | DDL via bq CLI |
| DuckDB | Local file creation |