QueryShield vs sqlparse vs Vanna.ai guardrails — which is right for me?
Short version:
- sqlparse + custom rules: correct for small in-house projects with one engineer who will maintain the rule set. You will reinvent AST traversal, policy DSL, and evidence logging. Free.
- Vanna.ai built-in guardrails: correct as part of the Vanna text-to-SQL pipeline for internal/low-stakes use. Regex-level validation, no policy engine, no audit-grade logging.
- Database RLS (row-level security) only: necessary but not sufficient. It filters which rows a statement may touch, so it doesn't block schema mutations or scope-creep-style scans.
- QueryShield: correct when you have multi-tenant data, regulatory exposure (SOC 2, HIPAA, PCI), or more than one LLM agent to govern. AST validator, declarative policy DSL, evidence logging with hash chain, drop-in HTTP API + MCP.
Use QueryShield *with* Vanna (Vanna writes the SQL, QueryShield validates it) and *with* RLS (defense in depth). Use sqlparse if you'd rather build it yourself and own the maintenance.
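To make concrete what "reinvent AST traversal" and "scope-creep-style scans" mean above, here is an added illustration (not QueryShield, Vanna or sqlparse code) of the two rules such a validator needs: reject anything but a single SELECT, and require a tenant predicate. It assumes a constructed tenant column name `tenant_id` and uses a small tokenizer written with the standard library instead of sqlparse so it runs without dependencies.

```python
import re

# Constructed policy for this example: one tenant column, SELECT only.
ALLOWED_STATEMENTS = {"SELECT"}
TENANT_COLUMN = "tenant_id"

# Tokenizer that keeps string literals whole and drops comments, so a keyword
# inside data ('DROP TABLE' stored in a note) is not mistaken for a statement.
_TOKEN = re.compile(
    r"""'(?:[^']|'')*'      # single-quoted string literal
      | --[^\n]*            # line comment
      | /\*.*?\*/           # block comment
      | ;                   # statement separator
      | [A-Za-z_][\w.]*     # keyword, identifier or qualified name (o.tenant_id)
      | \S                  # any other single character
    """,
    re.VERBOSE | re.DOTALL,
)

def tokenize(sql: str) -> list[str]:
    return [t for t in _TOKEN.findall(sql) if not t.startswith(("--", "/*"))]

def _is_tenant_ref(token: str) -> bool:
    name = token.lower()
    return name == TENANT_COLUMN or name.endswith("." + TENANT_COLUMN)

def check_sql(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one piece of model-generated SQL."""
    # Split on ';' so stacked statements are rejected; a trailing ';' is fine.
    stmts, cur = [], []
    for tok in tokenize(sql) + [";"]:
        if tok != ";":
            cur.append(tok)
        elif cur:
            stmts.append(cur)
            cur = []
    if len(stmts) != 1:
        return False, "expected exactly one statement"
    stmt = stmts[0]
    verb = stmt[0].upper()
    if verb not in ALLOWED_STATEMENTS:  # blocks DROP/ALTER/INSERT/UPDATE/DELETE
        return False, f"statement type {verb} not allowed"
    # Scope check: the tenant column must appear after WHERE. A real validator
    # walks the AST per table and join; this only catches the obvious full scan.
    upper = [t.upper() for t in stmt]
    where = upper.index("WHERE") if "WHERE" in upper else len(stmt)
    if not any(_is_tenant_ref(t) for t in stmt[where + 1:]):
        return False, f"no {TENANT_COLUMN} predicate"
    return True, "ok"
```

Even this toy shows why the page says you end up building a policy DSL and evidence logging: every rule here is a hard-coded constant, and nothing records the verdicts.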