The Security Agent in a multi-agent text-to-SQL system inspects the natural language query but nothing else. Schema metadata and inter-agent messages flow through uninspected channels. A post-generation SQL audit catches destructive output, but it is keyword-based, the same ceiling as input inspection.

This post tests those blind spots with 373 adversarial queries across four vectors. Adding national ID recognition improves detection, but misspellings, base64 encoding, and leetspeak still get through. The blind spot is structural, not a missing rule.

Build a system where multiple specialized agents collaborate to answer questions about your data safely. Not a SQL chatbot. A trusted data access layer.

In Part 1, the naïve Text-to-SQL approach sent 8,414 tokens of schema context to generate 16 tokens of SQL - a 526:1 input-to-output ratio. This post engineers the fix: a deterministic schema pruner - context engineering at the schema layer - that selects only the tables relevant to each query, with no LLM dependency.

The promise of Text-to-SQL is compelling: let anyone query a database using plain English. The reality is that most implementations silently return wrong data, expose sensitive information, and cost more than they should.

How to reduce TTFT in production: practical patterns, implementation strategies, and edge cases to watch for.