[claude-hackernews] Reply draft: Faz Show HN, MCP-surface gate vs PreToolUse seam (id=48008603)#57

Open: NiveditJain wants to merge 1 commit into main from hn-faz-mcp-vs-hook-48008603

NiveditJain (Member) commented May 4, 2026

Summary

  • Top-level reply draft on Show HN: Safety layer between AI agents and databases (Faz, https://news.ycombinator.com/item?id=48008603), an MCP-server middleware that intercepts queries between AI agents and a database.
  • Engages with OP's MCP-vs-skill design tradeoff (determinism on a separate process), then names the coverage seam: a tool-surface gate only sees calls routed through that surface, so Bash running psql -c "DROP TABLE..." or Write to a migration file CI later applies bypasses it.
  • Includes one short custom-policy snippet (block-bash-drop at PreToolUse) tied to that exact bypass route, plus a co-existence framing: Faz inside the MCP path, hooks on everything else.
  • Draft only; no submit on HN. The user posts manually after review and merges this PR (= "I posted it").

Discovery + thread URLs

  • Discovery path: walked /ask, /show, /news, /shownew, then ran Algolia sweeps for claude code deleted, agent force pushed, agent rm -rf, claude code hooks, agent sandbox, agent tool call policy, cursor deleted. The /shownew feed surfaced the Faz Show HN about an hour into its life.
  • Thread: https://news.ycombinator.com/item?id=48008603
  • Repo OP linked: https://github.com/fazhq/faz

Anti-pitch gate (matches working shape)

  • Gate fit: Show HN of an adjacent product (DB-side safety middleware) where OP is actively soliciting design discussion in-thread.
  • One disclosure line at the top; one paragraph of substantive on-topic content that stands without the FailProof mention; ONE custom-policy snippet, no policy names listed; ~115 words; repo URL appears once (in the disclosure).
  • No install commands, no comma-listed policy names, no three-scope merge talk, no dashboard plug, no second repo link.

Files

  • drafts/2026-05-04T142954Z.md — full draft + insight + notes per INSTRUCTIONS.md Writes section.

Test plan

  • Re-read the draft on GitHub for tone, ASCII punctuation, and gate fit.
  • If approving: paste the body of the fenced My reply block into the HN composer at https://news.ycombinator.com/item?id=48008603 as a top-level reply, post, then ask Claude to log the comment permalink under comments/.
  • If rejecting: close the PR; the draft does not get logged.

Summary by CodeRabbit

  • Chores
    • Added a draft document containing technical notes and policy recommendations for system configuration and security practices.
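
The coverage seam named in the summary above, worked through as an added example that is not part of this PR, the draft, or failproofai's API: a stand-alone PreToolUse-style decision function that checks both bypass routes the description lists (a Bash command, and a Write to a migration file that CI applies later). The event shape, the `file_path`/`content` field names, the `mcp__` tool-name prefix check, the migration path pattern and every sample event are assumptions constructed for illustration.

```javascript
// Added example, not failproofai's API: a stand-alone PreToolUse-style check.
// Assumed event shape: { toolName, toolInput }; Bash carries toolInput.command,
// Write carries toolInput.file_path and toolInput.content (assumed field names).
const DROP_RE = /\bDROP\s+(TABLE|DATABASE)\b/i;      // same pattern as the draft
const SQL_FILE_RE = /(\.sql$|(^|\/)migrations\/)/i;  // assumed migration layout

function decide({ toolName, toolInput }) {
  const name = toolName ?? "";
  const input = toolInput ?? {};
  // Calls on the MCP surface are left to the MCP-side gate.
  if (name.startsWith("mcp__")) {
    return { decision: "allow", reason: "handled on the MCP path" };
  }
  // Route 1 from the description: a shell command carrying the statement.
  if (name === "Bash" && DROP_RE.test(input.command ?? "")) {
    return { decision: "deny", reason: "DROP in Bash command" };
  }
  // Route 2: a migration or .sql file written now and applied by CI later.
  if (name === "Write" &&
      SQL_FILE_RE.test(input.file_path ?? "") &&
      DROP_RE.test(input.content ?? "")) {
    return { decision: "deny", reason: "DROP in migration file" };
  }
  return { decision: "allow", reason: "no destructive statement seen" };
}

// Constructed sample events, one per route plus two benign controls.
const samples = [
  { toolName: "mcp__faz__query", toolInput: { sql: "DROP TABLE users" } },
  { toolName: "Bash", toolInput: { command: 'psql -c "drop  table users"' } },
  { toolName: "Write", toolInput: { file_path: "db/migrations/0042_cleanup.sql",
                                    content: "BEGIN;\nDROP TABLE users;\nCOMMIT;" } },
  { toolName: "Write", toolInput: { file_path: "README.md",
                                    content: "Never run DROP TABLE by hand." } },
  { toolName: "Bash", toolInput: { command: "psql -c 'SELECT 1'" } },
];

for (const s of samples) {
  const d = decide(s);
  console.log(`${s.toolName.padEnd(16)} ${d.decision.padEnd(5)} ${d.reason}`);
}
```
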

coderabbitai Bot commented May 4, 2026

Walkthrough

A draft Markdown reply is added to a Show HN thread about "Safety layer between AI agents and databases," discussing MCP-server placement for database access enforcement, coverage gaps for destructive operations via alternative routes, and a companion failproofai PreToolUse policy snippet to block Bash DROP commands.

Changes

Draft Show HN Reply

| Layer / File(s) | Summary |
| --- | --- |
| Content Addition: drafts/2026-05-04T142954Z.md | New draft reply covering MCP placement for database boundaries, a bypass gap via Bash/psql, a PreToolUse block-bash-drop policy example, insights for the FailProof team on tool-surface vs harness-hook gates, and notes on Show HN thread structure and Faz discovery. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A reply hops forth to the Show HN thread,
Where gates and safety dance overhead,
MCP guards the way, yet Bash slips through—
But PreToolUse catches what slipped the view!
Wisdom drafted in markdown, neat and true.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly summarizes the main change: a reply draft to a Hacker News Show HN post about Faz, comparing MCP-surface gates vs PreToolUse hooks, with the HN post ID included for reference. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@drafts/2026-05-04T142954Z.md`:
- Around line 15-37: The whole reply is wrapped in a triple-backtick fence
causing HN to render all prose as code and triggering markdownlint MD040;
un-wrap the prose so only the policy snippet is preformatted, remove the outer
``` block around the entire section, and render the block-bash-drop policy using
HN-friendly indented code (4 spaces per line) instead of fenced code;
specifically edit the text around the customPolicies.add call (the policy named
"block-bash-drop" and the PreToolUse reference) so the surrounding paragraphs
are plain text and the policy lines are each indented by four spaces.
📥 Commits

Reviewing files that changed from the base of the PR and between ebbce06 and 6033568.

📒 Files selected for processing (1)
  • drafts/2026-05-04T142954Z.md

Comment on lines +15 to +37
## My reply

```
(disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)

The MCP-server placement buys real determinism: the agent can't paraphrase its way around a separate process the way it can a skill, and the DB owner owns the boundary regardless of which agent connects. The tradeoff is coverage. Faz catches DB calls that route through the MCP. If the agent has Bash and runs psql -c "DROP TABLE...", or writes a migration file CI applies later, the safety net never sees it.

That bypass is the seam PreToolUse hooks work at. A small companion policy for the bash route:

import { customPolicies, deny, allow } from "failproofai";
customPolicies.add({
name: "block-bash-drop",
match: { events: ["PreToolUse"] },
fn: ({ toolName, toolInput }) => {
if (toolName !== "Bash") return allow();
return /\bDROP\s+(TABLE|DATABASE)\b/i.test(toolInput?.command ?? "")
? deny("DROP blocked outside the Faz MCP path")
: allow();
},
});

The two compose: Faz inside the MCP path, hooks on everything that bypasses it.
```
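
Review bot: the closing sentence "hooks on everything that bypasses it" claims more than the snippet delivers. The policy returns allow() for any tool other than Bash, so the second route named in the first paragraph, a migration file written now and applied by CI later, still passes unchecked. Either scope the last line to the bash route or say that the Write route needs its own policy. The regex is also tested against the whole command string, so a read-only command that merely mentions the statement (a grep over migrations, for instance) is denied too; worth a line in the draft notes if that trade-off is intended.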
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

HN formatting: remove the outer fenced code block and render only the policy snippet as preformatted text.

Right now the entire reply (prose + policy snippet) is wrapped in a triple-backtick fence (Line 17-37). That will cause the whole comment to render as code on HN, and HN does not support CommonMark triple-backtick fenced code blocks. (news.ycombinator.com)

Also, this is exactly what triggers the markdownlint MD040 warning about missing fenced-code language at Line 17.

Suggested shape:

  • Make the prose outside of any triple-backtick fences.
  • For the block-bash-drop snippet, use HN-friendly indented code (4 spaces per line) instead of ``` fences (so markdownlint also won’t complain).
Proposed edit (formatting only)
 ## My reply
 
-```
-(disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)
+ (disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)
 
 The MCP-server placement buys real determinism: the agent can't paraphrase its way around a separate process the way it can a skill, and the DB owner owns the boundary regardless of which agent connects. The tradeoff is coverage. Faz catches DB calls that route through the MCP. If the agent has Bash and runs psql -c "DROP TABLE...", or writes a migration file CI applies later, the safety net never sees it.
 
 That bypass is the seam PreToolUse hooks work at. A small companion policy for the bash route:
 
-  import { customPolicies, deny, allow } from "failproofai";
-  customPolicies.add({
-    name: "block-bash-drop",
-    match: { events: ["PreToolUse"] },
-    fn: ({ toolName, toolInput }) => {
-      if (toolName !== "Bash") return allow();
-      return /\bDROP\s+(TABLE|DATABASE)\b/i.test(toolInput?.command ?? "")
-        ? deny("DROP blocked outside the Faz MCP path")
-        : allow();
-    },
-  });
-
-The two compose: Faz inside the MCP path, hooks on everything that bypasses it.
-```
+    import { customPolicies, deny, allow } from "failproofai";
+    customPolicies.add({
+      name: "block-bash-drop",
+      match: { events: ["PreToolUse"] },
+      fn: ({ toolName, toolInput }) => {
+        if (toolName !== "Bash") return allow();
+        return /\bDROP\s+(TABLE|DATABASE)\b/i.test(toolInput?.command ?? "")
+          ? deny("DROP blocked outside the Faz MCP path")
+          : allow();
+      },
+    });
+
+The two compose: Faz inside the MCP path, hooks on everything that bypasses it.
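
Review bot: dropping the outer fence in this proposed edit also drops the marker the PR's test plan relies on ("paste the body of the fenced My reply block into the HN composer"); the fence delimits what gets pasted and is not itself posted, so the whole-comment-as-code concern does not follow from it. The removed snippet lines already carry a two-space indent, and the added disclosure line appears to pick up a leading space that the prose lines around it do not have. Suggest keeping the fence, giving it a language tag such as text to satisfy MD040, and leaving the disclosure line flush left.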
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 17-17: Fenced code blocks should have a language specified

(MD040, fenced-code-language)
