Cookbook

This page contains five practical workflows that combine multiple MCP tools to solve real governance challenges. Each recipe shows the tool call sequence, expected inputs, and how to interpret the results.

These examples use SQL syntax for clarity. The supported agent workflow in this release is Snowflake Intelligence through the core.agent_* wrappers, but the canonical SQL tool sequence shown here is still the underlying source of truth.

For a repeatable Snowflake buyer demo, run bash scripts/run_demo_reliability_gate.sh in the app repository. It seeds the METATATE_DEMO.PUBLIC tables used below and writes Markdown plus JSON evidence for every recipe.

---

Recipe 1: Governance-Aware AI Coding Assistant

Scenario: An AI agent is helping a developer write a data pipeline. Before generating SQL, the agent needs to understand what tables are available, what rules apply, and whether the generated query is compliant.

Tool Sequence

discover-context → get-decision-context → validate-query-context

Step 1: Discover available tables

SELECT METATATE_APP.CORE.DISCOVER_CONTEXT(
  OBJECT_CONSTRUCT(
    'database', 'METATATE_DEMO',
    'schema', 'PUBLIC'
  )
);

The agent now knows which tables exist, their sensitivity levels, and whether they contain PII. It uses this to decide which tables to reference.

Step 2: Get governance context for the target table

SELECT METATATE_APP.CORE.GET_DECISION_CONTEXT(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS')
);

The agent learns about policies, compliance requirements, retention rules, and business context. It can now generate SQL that respects these constraints (e.g., avoiding restricted columns, applying filters for data minimization).

Step 3: Validate the generated query

CALL METATATE_APP.CORE.VALIDATE_QUERY_CONTEXT(
  OBJECT_CONSTRUCT(
    'sql', 'SELECT customer_id, account_status, region FROM METATATE_DEMO.PUBLIC.CUSTOMERS WHERE region = ''US''',
    'operation', 'read',
    'intended_use', 'reporting'
  )
);

The validation confirms compliance. If issues are found, the agent revises the query and validates again.

Result: The developer gets a governance-compliant query without needing to manually review policy documentation.

---

Recipe 2: Pre-Query PII Audit

Scenario: Before an analyst runs a query against a customer table, an automated check verifies PII exposure and masking status.

Tool Sequence

inspect-data-meaning → (review PII columns) → authorize-use

Step 1: Inspect columns for PII

SELECT METATATE_APP.CORE.INSPECT_DATA_MEANING(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS')
);

Review the response for columns where is_pii is true. Check the masking object to confirm masking is enabled and the analyst's role is not in exempt_roles.

Step 2: Authorize the specific use case

CALL METATATE_APP.CORE.AUTHORIZE_USE(
  OBJECT_CONSTRUCT(
    'table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS',
    'operation', 'read',
    'intended_use', 'analytics',
    'actor_role', 'DATA_ANALYST',
    'columns', ARRAY_CONSTRUCT('CUSTOMER_ID', 'EMAIL', 'ACCOUNT_STATUS', 'LAST_LOGIN')
  )
);

If the decision is ALLOW or CONDITIONAL (with acceptable conditions like masking), the analyst proceeds. If DENY, the analyst knows exactly why and what to do next.

Result: PII exposure is checked before any data is touched. The audit trail captures the authorization decision for compliance.

---

Recipe 3: Authorization Check Before Data Export

Scenario: A data engineer wants to export customer data to an external CRM system. Before initiating the export, the pipeline checks whether the operation is authorized under current governance policies.

Tool Sequence

authorize-use → (conditional?) → explain-why

Step 1: Request authorization for export

CALL METATATE_APP.CORE.AUTHORIZE_USE(
  OBJECT_CONSTRUCT(
    'table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS',
    'operation', 'export',
    'intended_use', 'external_sharing',
    'actor_role', 'DATA_ENGINEER',
    'columns', ARRAY_CONSTRUCT('CUSTOMER_ID', 'NAME', 'EMAIL', 'COMPANY', 'ACCOUNT_STATUS'),
    'destination', OBJECT_CONSTRUCT(
      'system', 'Salesforce',
      'jurisdiction', 'US'
    ),
    'consumer_jurisdiction', 'EU'
  )
);

Step 2: If CONDITIONAL, review conditions

The response might include conditions like:

• "Exclude or mask EMAIL column before export"
• "Log export event for the applicable internal privacy control"
• "Obtain data steward approval for cross-border transfer"

Step 3: Explain the decision for the audit log

CALL METATATE_APP.CORE.EXPLAIN_WHY(
  OBJECT_CONSTRUCT('decision_id', 'dec_xyz789')
);

The full trace shows which policies triggered each condition, giving the data engineer clear guidance on what to change. The snapshot_status field confirms whether policies have changed since the decision was made.

Result: The export pipeline has a documented authorization decision with full traceability. If conditions are met, the export proceeds. If denied, the reason is clear.

---

Recipe 4: Column Sensitivity Discovery Across a Database

Scenario: A security team wants a comprehensive map of sensitive columns across all governed tables in a database. This is useful for security audits, data classification reviews, or planning masking strategies.

Tool Sequence

discover-context → inspect-data-meaning (for each table)

Step 1: Discover all governed tables in the database

SELECT METATATE_APP.CORE.DISCOVER_CONTEXT(
  OBJECT_CONSTRUCT('database', 'METATATE_DEMO')
);

Step 2: Inspect columns for each table

For each table returned in step 1, call inspect-data-meaning:

-- Table 1
SELECT METATATE_APP.CORE.INSPECT_DATA_MEANING(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS')
);

-- Table 2
SELECT METATATE_APP.CORE.INSPECT_DATA_MEANING(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.ORDERS')
);

-- Table 3
SELECT METATATE_APP.CORE.INSPECT_DATA_MEANING(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.CUSTOMER_EVENTS')
);

Building a Sensitivity Report

An AI agent can aggregate the results into a structured report:

Table	Column	Sensitivity	PII	Masking
CUSTOMERS	EMAIL	confidential	Yes	partial
CUSTOMERS	SSN	restricted	Yes	hash
CUSTOMERS	NAME	confidential	Yes	redact
ORDERS	ORDER_ID	internal	No	none
CUSTOMER_EVENTS	DEVICE_ID	medium	Yes	hash
CUSTOMER_EXPORTS	EMAIL	high	Yes	partial

Result: The security team has a complete column-level sensitivity map built from live governance data, not stale spreadsheets.

---

Recipe 5: Control Coverage Reporting

Scenario: A governance lead needs to generate a report of all tables tagged with a customer-defined privacy control, including their governance posture, PII exposure, and retention policies.

Tool Sequence

discover-context (with control tag filter) → get-decision-context (for each table)

Step 1: Find all tables governed by a privacy control tag

SELECT METATATE_APP.CORE.DISCOVER_CONTEXT(
  OBJECT_CONSTRUCT(
    'compliance_any', ARRAY_CONSTRUCT('privacy_sensitive')
  )
);

Step 2: Get governance context for each tagged table

SELECT METATATE_APP.CORE.GET_DECISION_CONTEXT(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS')
);

From each response, extract:

• Control tags: policy_summary.compliance_frameworks and policy_summary.tags
• Retention: retention.period, retention.trigger, retention.action
• Policy coverage: policy_summary.policy_count and policy_summary.enforceable_count
• Business ownership: business_context.owner and business_context.steward

Building the Compliance Report

An AI agent can compile this into a structured compliance report:

Table	Control Tags	Policies (Enforced)	Retention	PII Columns	Owner	Steward
CUSTOMERS	privacy_sensitive, restricted_transfer	3 (2 enforced)	7 years / archive	5	data_engineering	jane.doe@co.com
USER_EVENTS	privacy_sensitive	2 (2 enforced)	2 years / delete	2	analytics	bob.smith@co.com
CONSENT_LOG	retention_required	1 (1 enforced)	10 years / archive	1	legal	alice.jones@co.com

Optional: Deep-Dive into Column-Level PII

For tables with high PII column counts, follow up with inspect-data-meaning to get the full column breakdown:

SELECT METATATE_APP.CORE.INSPECT_DATA_MEANING(
  OBJECT_CONSTRUCT('table_name', 'METATATE_DEMO.PUBLIC.CUSTOMERS')
);

Result: The governance lead has an up-to-date, policy-backed control coverage report built from live governance metadata rather than manual documentation.

---

Tips for Building Workflows

1. Start broad, then narrow. Use discover-context to find relevant tables, then drill into specifics with get-decision-context and inspect-data-meaning.

2. Always validate before executing. Call validate-query-context before running any AI-generated SQL to catch governance issues early.

3. Capture decision IDs. When using authorize-use, store the decision_id for audit purposes. Use explain-why to retrieve the full trace if questions arise later.

4. Normalize intended_use before direct SQL calls. The canonical authorize-use and validate-query-context tools work best with canonical labels such as analytics, reporting, marketing, or ml_training. In the app UI, the AI-assisted preparation flow can translate natural language into those labels before the SQL tool runs.

5. Check snapshot_status. When explaining a historical decision, check the snapshot_status field. If it shows stale, the governance policies have changed since the decision was made -- consider re-evaluating.