Core Invariant
This is not a single check — it’s a defense-in-depth system. Four independent layers each prevent writes from reaching production. Even if bugs exist in the router or any single layer, the remaining layers catch it.The Four Layers
Strict Mode
Refuse to serve any requests if the Shadow database is unavailable. Without Shadow, writes have nowhere to go — so Mori shuts down rather than risk routing to Prod.
L1: Routing Assertion
After the Router selects a strategy, verify that write and DDL operations never receive the
ProdDirect strategy. If they do, the request is blocked before execution and a CRITICAL error is logged.L2: Connection Wrapper
Inspect outbound bytes on the Prod connection. If the payload contains write SQL (INSERT, UPDATE, DELETE, DDL), the connection wrapper blocks it. This catches bugs where the Router incorrectly assigns a strategy.
Write Detection
The connection wrapper (L2) inspects outgoing SQL for mutation patterns: Blocked prefixes: INSERT, UPDATE, DELETE, TRUNCATE, CREATE, ALTER, DROP, GRANT, REVOKE CTE writes: DetectsWITH ... INSERT/UPDATE/DELETE patterns
Safe prefixes: SELECT, SET, SHOW, EXPLAIN, BEGIN, COMMIT, ROLLBACK, SAVEPOINT, LISTEN, PREPARE, EXECUTE, DEALLOCATE, DECLARE, FETCH, CLOSE
NoSQL Engines
For NoSQL engines, the write guard is adapted to the protocol:- Redis: Inspects commands for mutating operations (
SET,DEL,HSET,LPUSH, etc.) on the Prod connection - Firestore: Intercepts write RPCs (
Create,Update,Delete,Commit,BatchWrite) before they reach the Prod client
Error Response
When a write guard triggers, the client receives an error response with SQLSTATE codeMR001 (Mori write guard violation). The client connection remains open — only the offending query is rejected.