Inspiration

Every week there's a new headline about an AI agent gone rogue — cancelling the wrong subscription, deleting production data, or issuing unauthorized refunds. As we build more powerful autonomous agents that connect to real databases and tools via MCP (Model Context Protocol), the question isn't if something will go wrong — it's when.

We asked ourselves: What if every AI agent action came with a built-in undo button? What if there was a safety layer that could sit between any agent and any tool, classify risk in real time, snapshot state before mutation, and let humans approve or roll back with a single click?

That's RewindOps — Ctrl+Z for AI agents.

What it does

RewindOps is a transparent safety proxy that wraps any MCP-powered agent with six layers of protection:

  1. Risk Classification — Every write action is scored by a deterministic policy engine (billing fields, enterprise customers, destructive operations all increase risk).
  2. State Checkpointing — Full MongoDB document snapshots are captured before any mutation, supporting INSERT, UPDATE, and DELETE rollback patterns.
  3. Blast Radius Preview — Gemini 2.5 generates a human-readable explanation of exactly what will change, which records are affected, and the business impact.
  4. Human Approval Gate — Medium and high-risk actions pause execution and present an approval card to the user.
  5. Execution Receipts — A complete audit trail with timestamps, user identity, and proposed vs. applied changes.
  6. One-Click Rollback — Instantly restore any checkpointed state with verified before/after comparison.

We demonstrate this on AcmeSub, a fictional subscription management platform where an AI support agent handles cancellations, refunds, and plan changes — all flowing through the RewindOps safety pipeline.

How we built it

Agent Layer: We used Google Cloud Agent Builder with Gemini 2.5 Flash as the LLM, running on the Google ADK (Agent Development Kit) code-first runtime. The agent has access to both RewindOps custom tools and the MongoDB MCP Server.

MongoDB MCP Integration: We connect to the official MongoDB MCP Server via STDIO transport — ADK spawns the MCP process directly using npx, managing the full lifecycle with zero external infrastructure. We programmatically filter the tool surface to expose only find, count, and aggregate, stripping away 26 administrative/mutation tools that could destabilize the system.

Safety Pipeline: Six custom ADK FunctionTools implement the full RewindOps flow — classify_risk, create_checkpoint, preview_blast_radius, request_approval, execute_action, and rollback_action. A before_tool_callback intercepts every MCP write call as a safety net.
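A minimal sketch of the tool allowlist and deterministic risk scoring described above, added here as an illustration and not RewindOps's own code. The weights, thresholds, billing field names, function signatures and the `pipeline` argument key are assumptions; the `$out`/`$merge` check is an added safeguard, because those aggregation stages write to a collection even when only query tools are exposed.

```python
from dataclasses import dataclass

# Read-only MCP tools the page says remain exposed after filtering.
READ_ONLY_TOOLS = {"find", "count", "aggregate"}
# Aggregation stages that write data even though aggregate is a "query" tool.
WRITING_STAGES = {"$out", "$merge"}

# Assumed values: the page names the risk signals, not the numbers.
BILLING_FIELDS = {"plan", "price", "refund_amount", "billing_status"}
WEIGHTS = {"billing_field": 30, "enterprise": 30, "destructive": 40}
MEDIUM, HIGH = 30, 60


@dataclass(frozen=True)
class Verdict:
    score: int
    level: str
    needs_approval: bool


def classify_risk(operation, changes, customer_tier):
    """Deterministic score: the same action always yields the same verdict."""
    score = 0
    if BILLING_FIELDS & set(changes):
        score += WEIGHTS["billing_field"]
    if customer_tier == "enterprise":
        score += WEIGHTS["enterprise"]
    if operation == "delete":
        score += WEIGHTS["destructive"]
    level = "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"
    # Medium and high risk pause for human approval, as the page describes.
    return Verdict(score, level, level != "low")


def intercept_tool_call(tool_name, args):
    """Hypothetical safety net in the shape of a before-tool hook:
    None lets the call proceed, a dict is returned to the agent instead."""
    if tool_name not in READ_ONLY_TOOLS:
        return {"blocked": True, "reason": f"{tool_name} is not allowlisted"}
    if tool_name == "aggregate":
        stages = {key for stage in args.get("pipeline", []) for key in stage}
        if stages & WRITING_STAGES:
            return {"blocked": True, "reason": "aggregate pipeline writes data"}
    return None
```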

Backend: FastAPI serves the agent via Server-Sent Events (SSE) for real-time streaming, with Motor (async MongoDB driver) handling all database operations against MongoDB Atlas.

Frontend: Next.js 14 with TypeScript and Tailwind CSS powers a premium dark-themed UI with real-time SSE streaming, rich markdown rendering, interactive tool cards (risk badges, blast radius previews, approval gates, execution receipts), persistent chat history, and action history with user-scoped filtering.

Auth: Clerk provides authentication with JWT verification on both frontend (Next.js middleware) and backend (JWKS validation), ensuring all actions are tied to a verified user identity stored in MongoDB.

Challenges we ran into

  • MCP Schema Crashes: Several MongoDB MCP administrative tools have blank schemas that caused Gemini's API parser to crash. We solved this by implementing a strict tool_filter to expose only query tools.
  • Rollback for all operation types: Supporting rollback for INSERT (delete the inserted doc), UPDATE (restore snapshot), and DELETE (re-insert the doc) required careful checkpoint design with operation-type-aware restore logic.
  • Agent output formatting: The LLM returns unstructured text, but we needed a premium card-based UI. We built a custom markdown parser that detects structured patterns (numbered lists, grouped bullet lists, key-value pairs) and renders them as color-accented interactive cards.
  • Auth token timing: Clerk's auth token wasn't ready when React components mounted, causing empty data on page load. We solved this by gating API calls on auth readiness and setting the token getter before the first fetch.
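The operation-type-aware restore logic from the rollback item above, as an added example rather than the project's own code. An in-memory `Collection` stands in for MongoDB, the function signatures are assumptions, and the drift check before restoring is an added safeguard that the page does not describe.

```python
import copy


class Collection:
    """In-memory stand-in for a MongoDB collection, keyed by _id (constructed)."""
    def __init__(self, docs=()):
        self.docs = {d["_id"]: copy.deepcopy(d) for d in docs}


def create_checkpoint(coll, operation, doc_id):
    """Snapshot the document before mutation; an INSERT has no prior state."""
    before = copy.deepcopy(coll.docs.get(doc_id))
    if operation == "insert" and before is not None:
        raise ValueError("insert target already exists")
    if operation in ("update", "delete") and before is None:
        raise ValueError("nothing to snapshot")
    return {"operation": operation, "doc_id": doc_id, "before": before}


def execute_action(coll, checkpoint, changes=None):
    """Apply the mutation and record the resulting state for later verification."""
    op, doc_id = checkpoint["operation"], checkpoint["doc_id"]
    if op == "insert":
        coll.docs[doc_id] = {"_id": doc_id, **(changes or {})}
    elif op == "update":
        coll.docs[doc_id].update(changes or {})
    elif op == "delete":
        del coll.docs[doc_id]
    checkpoint["after"] = copy.deepcopy(coll.docs.get(doc_id))


def rollback_action(coll, checkpoint):
    """Restore by operation type; returns True when state matches the snapshot."""
    doc_id = checkpoint["doc_id"]
    # Added safeguard: if the document changed after our action, restoring the
    # snapshot would silently overwrite a later write.
    if coll.docs.get(doc_id) != checkpoint.get("after"):
        raise RuntimeError("document changed since execution; review manually")
    if checkpoint["operation"] == "insert":
        coll.docs.pop(doc_id, None)  # undo INSERT: delete the inserted doc
    else:
        # undo UPDATE (restore snapshot) or DELETE (re-insert the doc)
        coll.docs[doc_id] = copy.deepcopy(checkpoint["before"])
    return coll.docs.get(doc_id) == checkpoint["before"]
```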

Accomplishments that we're proud of

  • Zero-config MCP: The MongoDB MCP Server runs via STDIO with no external proxy — just npx and go.
  • 13 passing tests covering all checkpoint, risk classification, and rollback modes.
  • True reversibility: INSERT, UPDATE, and DELETE operations all support verified rollback with before/after comparison.
  • Production-grade UI: Real-time SSE streaming, persistent chat history, interactive safety cards, and user-scoped audit trails.

What we learned

  • The MCP ecosystem is powerful but young — tool schemas vary wildly and defensive filtering is essential.
  • Google ADK's before_tool_callback is an incredibly elegant pattern for building safety interceptors.
  • Deterministic risk scoring paired with LLM-generated blast radius explanations gives the best of both worlds — consistency and explainability.

What's next for RewindOps AI

  • Multi-database support — extend checkpointing beyond MongoDB to PostgreSQL, Firestore, and DynamoDB.
  • Policy-as-code — let teams define custom risk rules in YAML/JSON.
  • Agent-agnostic SDK — publish RewindOps as a drop-in middleware for any MCP-powered agent, not just ADK.
  • Deployment to Google Cloud Agent Builder — run the full pipeline on Vertex AI with Cloud Run and Agent Engine.

Built With

  • clerk
  • fastapi
  • gemini-2.5
  • google-adk
  • google-cloud-agent-builder
  • mongodb-atlas
  • mongodb-mcp-server
  • motor-(async-mongodb)
  • next.js
  • python
  • tailwind-css
  • typescript