🤖 AI Summary
This work addresses the challenge of deploying Text-to-SQL systems across trust boundaries, where existing approaches struggle to simultaneously ensure policy compliance, answer coverage, and computational efficiency while precisely controlling the semantic roles of column usage. We propose a syntax-aware constrained decoding mechanism that aligns column usage policies—such as for output, filtering, or aggregation—with SQL grammar productions, dynamically applying token-level logits masking during decoding to deterministically prevent unauthorized column usage within a single generation pass. Our method elevates column-level access control from mere existence checks to fine-grained semantic role enforcement, achieving zero leakage without sacrificing coverage. Evaluated on Spider-CU and two other benchmarks, it attains 0% leakage, up to 88.7% coverage, and incurs less than a 10% token overhead over the baseline, with execution accuracy confirming effective semantic alignment.
📝 Abstract
Text-to-SQL is increasingly deployed across trust boundaries between data providers and users. Such deployment must balance three competing requirements: policy compliance, answer coverage, and bounded cost. Existing approaches typically decide refusal based on which columns a query mentions and enforce it stochastically. Whether a query is compliant, however, depends not only on which columns appear but on how they are used, and stochastic enforcement cannot deterministically rule out violations. We formalize this requirement as a column-use policy over semantic use: output, filter condition, and aggregation argument. We integrate the policy by aligning each role with grammar productions tracked by the decoder. The resulting system, PCC-SQL, applies a per-token logits mask that deterministically eliminates single-query column-use violations on the supported SQL fragment in a single decoding pass. Across three benchmarks and three open-source models, PCC-SQL achieves 0% Leakage Rate and Coverage up to 88.7% on Spider-CU, while staying within +10% tokens of direct prompting. We additionally assess semantic alignment with execution accuracy.