Safe patterns for LLM agents querying enterprise ERP databases (MSSQL/Logo) with natural language

Context

Building a chatbot for a food wholesale company (Akfa Gida, Samsun, Turkey) that sits on top of Logo Muhasebe — a Turkish ERP system using MSSQL. The agent takes natural language questions from the business owner ("show me top 10 customers by revenue this month", "what's the A101 account balance") and translates them to SQL against a known schema.

What works

• Read-only DB user (db_datareader only) — connection-level write prevention
• Known schema with ~20 core tables (CLCARD, ITEMS, INVOICE, STLINE, CLFLINE, etc.)
• Firm-prefixed table naming: LG_039_TABLOADI or LG_039_01_TABLOADI
• Pre-validated SELECT-only queries before execution
• Pagination (MAX 1000 rows) for large result sets

What's hard

1. Schema mapping: Logo uses cryptic column names (TRCODE, LOGICALREF, CLIENTREF) — the LLM needs context about what each code means (e.g., TRCODE 8 = retail sale, TRCODE 1 = purchase invoice)
2. Turkish text: customer/product names in Turkish with İ/ı/Ş/ş/Ö/ö/Ü/ü/Ç/ç/Ğ/ğ — collation and LIKE queries need COLLATE Turkish_CI_AS
3. Join complexity: 5+ table joins for common business questions (invoice → client → stock line → item → special codes)
4. Date handling: Logo stores dates as datetime with fiscal period logic (PERIOESSION column)
5. Trust boundary: how to prevent prompt injection from turning "show me customers" into "SELECT * FROM sys.sql_logins" — even with read-only, system catalog access leaks info

Question for the community

What MCP servers, tools, or agent patterns have worked for production read-only database agents? Specifically:

• Schema-aware SQL generation (providing column semantics to the LLM without stuffing the entire schema into every prompt)
• Query validation beyond "starts with SELECT" (blocking sys.* access, INFORMATION_SCHEMA scraping, excessive JOINs)
• Report generation from query results (PDF/Excel export patterns)