Agent Workflows
Agents need context, but they should not receive the original production credential. Give the agent a narrow OneQuery command surface and a task-specific list of approved source identifiers.
Command Surface
```
onequery query exec \
  --source <source-identifier> \
  --sql "<bounded read-only SQL>"
```

```
onequery api \
  --source <source-identifier> \
  <provider-path> \
  --json
```

Use Run a query for SQL examples and Source API for provider API examples.
Guardrails
- Give the agent only the source identifiers needed for the task.
- Require bounded queries and an evidence summary before production recommendations.
- Review audit history after the first run against a new source.
Use Agent tool setup for copy-paste instructions and AGENTS.md snippets.
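
One way to enforce the first two guardrails in front of the command surface, as an added example (not OneQuery's own code): a pre-flight check that an agent wrapper could run before building the `onequery query exec` call. The source identifiers, the `MAX_LIMIT` cap, and the function names are assumptions; the SQL check is a conservative heuristic, not a parser.

```python
"""Pre-flight check an agent wrapper could run before calling OneQuery (added example)."""
import re

# Assumption: constructed, task-specific allowlist; these identifiers are samples.
APPROVED_SOURCES = frozenset({"sentry-prod", "app-logs"})
MAX_LIMIT = 1000  # Assumption: "bounded" is taken here to mean LIMIT <= 1000.

_WRITE_WORDS = re.compile(
    r"\b(insert|update|delete|merge|drop|alter|create|truncate|grant|revoke|copy|call)\b",
    re.IGNORECASE,
)
_LIMIT = re.compile(r"\blimit\s+(\d+)\s*$", re.IGNORECASE)


class Rejected(ValueError):
    """Raised when a request falls outside the agent's approved surface."""


def check_sql(sql: str) -> str:
    """Heuristic gate: one SELECT/WITH statement ending in a small LIMIT."""
    stmt = sql.strip().rstrip(";").strip()
    if not stmt or ";" in stmt:
        raise Rejected("exactly one statement is allowed")
    if "--" in stmt or "/*" in stmt:
        raise Rejected("comments are not allowed")
    if not re.match(r"(select|with)\b", stmt, re.IGNORECASE):
        raise Rejected("statement must start with SELECT or WITH")
    if _WRITE_WORDS.search(stmt):
        raise Rejected("write or DDL keyword present")
    m = _LIMIT.search(stmt)
    if not m or int(m.group(1)) > MAX_LIMIT:
        raise Rejected(f"statement must end with LIMIT <= {MAX_LIMIT}")
    return stmt


def build_query_argv(source: str, sql: str) -> list[str]:
    """Return argv for `onequery query exec`; pass to subprocess.run without a shell."""
    if source not in APPROVED_SOURCES:
        raise Rejected(f"source {source!r} is not approved for this task")
    return ["onequery", "query", "exec", "--source", source, "--sql", check_sql(sql)]
```

The check deliberately rejects some valid queries (for example, a string literal containing `update`), and it does not replace read-only permissions on the source itself.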
Example Workflow
- The operator asks the agent to investigate an incident.
- The agent queries Sentry and logs through OneQuery.
- The agent narrows evidence to a source, endpoint, and failure window.
- The agent inspects code locally.
- The agent proposes a patch with a short production evidence summary.
- The operator reviews the diff and the OneQuery audit trail.