New: give your agents governed data they can query and write to, no warehouse to run.Get started
Nightshift

Policy

Govern exactly what each identity reads and writes.

Open your data up to people and agents without overexposing a single row. A grant binds an identity to what it can read and write, down to the row, the column, and the value, and Nightshift enforces it on every request, so the same table looks different to each caller.

Accessshaped per identity
PersonRoleorderscustomerseventsarr_by_region
Ada Okaforada@acme.comOwnerrwrwrwrw
Lena Parklena@acme.comAdminrwrwrwrw
Marc Diazmarc@acme.comMemberrmaskedr
rw read + writer readmasked column masked denied

Row, column, value

Allow, deny, and mask, exactly where you need to.

Hide the salary column, drop the rows that start with A, mask everything but the last four digits. A grant is arbitrarily specific: one person can be blocked from rows 54, 23, and 15 of a single SAP table while everyone else reads them, and the same query comes back a different shape for each.

  • Filter rows by any predicate over the data
  • Hide or mask columns and individual values
  • The same query returns a different shape per identity
res_partner_euLive1.2k reads · 24h
MCPmcp.nightshift.sh/t/sylow/res_partner_eu

Usage · 24h

namepasses through
emailj•••@•••.com
credit_limitremoved
Served to any agent over MCP · shaped per identity

Writes, not just reads

A grant shapes the write, not just the read.

A bad write corrupts where a bad read only leaks, so writes run through the same policy. A grant scopes what an identity can change, down to the table, the row, and the column. Writes land in versioned Nightshift tables, your connected sources stay read-only, and there is no path for a person or an agent to write around the policy.

  • Grants scope writes by identity, down to the row and column
  • Writes land in versioned Nightshift tables; connected sources stay read-only
  • No unfiltered path to write the data, the same guarantee as reads
ns.collections_worklistv7
invoiceNetSuitebalanceNetSuiteaccountSalesforcepriorityNightshiftactionNightshift
INV-2231$48,200AcmeHighcall
INV-2218$12,400GlobexMedemail
INV-2205$91,750InitechHighescalate
INV-2199$7,300UmbrellaLowemail
INV-2184$26,500SoylentHighcall
NetSuite and Salesforce stay read-only

Monitor, then enforce

Watch a rule before you turn it on.

Start a grant in monitor and Nightshift replays it against real traffic, so you see exactly what it would allow, mask, or block before anyone is affected. Promote it to enforce when you are sure, and roll it back just as fast if you are not.

  • Monitor, Alert, and Enforce as a single control
  • See the impact against live traffic before you commit
  • Promote or roll back without a deploy
support-mask-piiMaskenforced at request time
Principal
Support · group · 2 identities
Resource
*
Condition
any request
Effect
Mask email, phone, account

Enforcement

MonitorAlertEnforce

Why it holds

Why opening your data up stays safe.

Scoped to identity

A grant attaches to people, tokens, and agents, and scopes what each can read and write. The same catalog behaves differently depending on who is asking.

The only door

Policy is not a filter applied after the fact, it is the only door. Every request, read or write, is checked and shaped, so there is no unfiltered path to the data for a person or an agent to find, and no raw-SQL way around it.

Auditable by default

Every read, every write, and every grant change lands in one record, with before and after on each edit.

Open your data up. Keep control.

Start free, write your first grant, and see exactly what each identity gets back. Mask a column, deny a table, and watch the impact before you enforce.

Want to look first? Take the product tour