1. In many businesses, different users of the agent should have different read/write permissions to data.
2. Log everything. There will be problems. You'll need to debug, attribute, defend yourself against accusations that the cockup was your fault, etc.
3. If you're just providing read-only then the more you can enforce that at all layers of the stack (e.g., read-only user in the database).
4. Don't give the agent direct SQL access to the database. Write functions in your favourite programming language, expose them as tools to the LLM.
5. Don't make your LLM do maths in its head, they're crap at it. I had some success giving the agent tools that fetch data from the database (where I control the SQL that runs) into a SQLite in agent memory, then the agent can run SQL against that database. Gives you a chance to put the data into an obvious, easy to query, format rather than whatever arcane historic chaotic state your main schema has evolved to).
Do we have to enforce some checks manually or is it not worth to worry(now it's read only right).
And one more doubt, what's the reason u introduced a lite layer in between?