Read-only by design is a smart constraint for agent tooling — eliminates a whole class of "oops the LLM dropped my table" failure modes. Curious about a couple things: how do you handle schema introspection? Do the tools auto-discover tables/columns or is there a config step? And for the query tools, is there any cost/complexity guardrail (e.g. preventing a full sequential scan on a 500M row table)?

No config step, the tools discover everything from pg_catalog at call time. list_schemas → list_tables → describe_table is the typical agent workflow, and there's a query_guide prompt baked in that suggests that progression.

On query guardrails: every query runs in a readonly transaction and results are capped at 500 rows via a wrapping SELECT * FROM (...) sub LIMIT 500. There's also explain_query which returns the plan without executing, so agents can check before running something expensive. That said, there's no cost-based gate that blocks a bad plan automatically; that's an interesting idea worth exploring.