Unlock the Full Potential
of a Complex SQL System
with AI-Assisted Intelligence
An AI-powered strategy to autonomously map, document, and navigate a 500+ stored procedure codebase — secured by NVIDIA NemoClaw, operated daily by Claude Code.
Complex systems deserve better tooling
A large SQL codebase built over years carries deep business logic and hard-won institutional knowledge. The opportunity is to surface that knowledge — making it accessible to AI tools and new team members alike, without losing any of what the team has built.
Systems evolve faster than documentation
This is true of every production system at scale. The stored procedure inventory grew organically to serve real business needs — the challenge now is giving AI tools the context map they need to work effectively with it.
Deep knowledge is an asset — and a risk
The team holds significant expertise about how this system works. That expertise is valuable. This strategy captures it in a structured, durable format so it's available to everyone — not just the people who have been here longest.
AI tools need structured context to be reliable
Without a system map, any AI tool will explore blindly — burning through its working memory before it can reason about dependencies. The .md strategy gives Claude Code the context it needs to operate correctly on complex systems.
Onboarding complexity grows with the system
The more interconnected the stored procedures, the longer it takes for a new team member to build a reliable mental model. Structured context files dramatically reduce that ramp-up time for anyone joining the project.
A three-layer intelligent stack
The solution combines an autonomous AI agent with a context management strategy and enterprise security — each layer doing exactly what it's best at, and working with the existing codebase rather than around it.
NVIDIA NemoClaw
The autonomous agent. Runs an OpenClaw agent inside a secure OpenShell sandbox. Reads 500+ SQL files in batches, analyzes stored procedures, and generates the documentation files — with zero risk of data exfiltration.
- One-command install and deploy
- Kernel-level security enforcement
- Runs once to generate the knowledge base
- Policy-based — auditable via YAML
.md Context Strategy
The knowledge base. A hierarchy of Markdown files that maps the entire SQL codebase into structured, navigable documentation. Not human docs — AI-optimized context designed to be loaded efficiently.
- CLAUDE.md: global rules, always loaded
- context-index.md: navigation routing
- context-sql-[domain].md: per-module inventory
- Lives in Git — versioned like code
Claude Code · Junie
The daily driver. Developers interact with the .md files as source of truth through whichever AI coding agent the team already uses. Both Claude Code and JetBrains Junie are fully compatible with this strategy — and we already hold Junie licenses.
- Reads context files at session start
- Loads only the relevant module per task
- Operates at 20–30% context — not 80%+
- Updates .md files after each task
The team already has Junie licenses —
and the strategy works natively
The .md context strategy is not tied to any specific AI coding tool. It is based on an open standard that both Claude Code and JetBrains Junie read natively — which means there is no additional tooling cost for the daily development layer.
Native context file. Auto-loaded at session start. Designed specifically for Claude Code workflows.
// CLAUDE.md loaded automatically
Equivalent open standard. Auto-loaded by Junie at session start. Recognized by multiple agents simultaneously.
// same strategy, same result
Junie navigates and reads files autonomously — the same way Claude Code does. It can load context-index.md, identify which domain file is relevant, and load it without manual intervention.
Junie supports Anthropic Claude, OpenAI, Google, and others via BYOK. The team can use the same Claude model through Junie — maintaining quality parity with Claude Code.
The team already holds Junie licenses. Using Junie as the daily driver means the development layer of this strategy has no incremental licensing cost — only NemoClaw and the LLM API are new.
The team's Mac setup is
already sufficient
The entire stack runs on Apple Silicon Macs — no additional hardware required. With 64 GB of unified memory, the team can run local LLM inference directly on their machines, keeping sensitive data entirely on-premise if needed.
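The memory arithmetic behind that claim is easy to check. A back-of-envelope sketch for a 30B-parameter model in 4-bit quantization (the 20% overhead factor is an assumption, not a vendor figure):

```python
# Rough memory estimate for running a 30B model locally at 4-bit
# quantization. Figures are illustrative assumptions, not specs.

PARAMS = 30e9          # 30B parameters
BITS_PER_PARAM = 4     # 4-bit quantized weights
OVERHEAD = 1.2         # ~20% for embeddings, norms, runtime buffers

weights_gb = PARAMS * BITS_PER_PARAM / 8 / 1e9   # 15.0 GB of raw weights
total_gb = weights_gb * OVERHEAD                 # ~18 GB in practice

UNIFIED_MEMORY_GB = 64
headroom_gb = UNIFIED_MEMORY_GB - total_gb       # left for OS + KV cache

print(f"~{total_gb:.0f} GB model footprint, ~{headroom_gb:.0f} GB headroom")
```

The ~18 GB result is consistent with the footprint quoted for the Ollama build, and leaves ample headroom on a 64 GB machine for the OS, the KV cache, and the rest of the stack.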
Ollama. One-command install; Metal GPU acceleration is automatic. Exposes an OpenAI-compatible API on localhost:11434 — exactly what NemoClaw needs as an inference backend.
brew install ollama
# Run Nemotron (18 GB, 98 tok/s)
ollama run nemotron3-nano-30b
MLX. Apple's own ML framework, built from the ground up for the unified memory architecture. Noticeably faster tokens/sec than Ollama on the same model. Developer-oriented; no GUI.
pip install mlx-lm
# Run Nemotron via mlx-community
mlx_lm.generate \
  --model mlx-community/Nemotron-3-Nano-30B-4bit \
  --prompt "Explain this stored procedure"
LM Studio. Desktop app with a model browser, Metal acceleration built in, and a local server compatible with the OpenAI API. Good for exploring models before committing to one for the NemoClaw workflow.
lmstudio.ai
# Search for and download Nemotron-3-Nano-30B
Why AI tools need structured context
to work with large codebases
To see why the .md strategy is necessary, it helps to understand one fundamental constraint shared by every AI model: the context window. Without a strategy for managing it, any AI tool will struggle on a system of this size, no matter how capable the tool is.
Response quality degrades sharply as more SQL files are loaded into a session. At high context utilization (80%+):
- ✗ Forgets decisions made 20 messages ago
- ✗ Contradicts earlier analysis
- ✗ Misses SP dependencies
- ✗ Re-asks for files already read
- ✗ Proposes changes that conflict with system rules
At low utilization (20–30%), with only the relevant files loaded:
- ✓ Tracks cross-SP dependencies accurately
- ✓ Consistent reasoning throughout
- ✓ Respects rules set at session start
- ✓ Catches dangerous operations
- ✓ Reliable from first to last message
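The numbers behind that contrast are worth making concrete. A back-of-envelope sketch, with all token counts assumed for illustration:

```python
# Rough token arithmetic for the 500-SP codebase. All sizes below
# are illustrative assumptions, not measurements.

AVG_TOKENS_PER_SP = 1_500      # a mid-sized stored procedure
NUM_SPS = 500
CONTEXT_WINDOW = 200_000       # typical large-model context window

all_files = AVG_TOKENS_PER_SP * NUM_SPS          # every SP at once
naive_fill = all_files / CONTEXT_WINDOW          # how far over budget

# With the .md strategy: CLAUDE.md + index + one domain file,
# plus only the handful of SPs the task actually touches.
CONTEXT_FILES = 2_000 + 1_500 + 8_000            # assumed file sizes
TASK_SPS = 5
per_task = CONTEXT_FILES + TASK_SPS * AVG_TOKENS_PER_SP

print(f"whole codebase: {all_files:,} tokens ({naive_fill:.1f}x the window)")
print(f"per task:       {per_task:,} tokens ({per_task/CONTEXT_WINDOW:.0%} of the window)")
```

Under these assumptions the whole codebase overflows the window several times over, while a task-scoped load starts well inside the 20–30% operating band, leaving the rest for the conversation itself.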
A curated knowledge layer
that grows with the team
The goal isn't to give Claude more context — it's to give Claude the right context on demand. The .md file hierarchy acts as a structured navigation system that reflects the team's own mental model of the codebase.
## System
- DB Engine: SQL Server 2019, instance PROD-SQL-01
- Default schema: dbo · Financial data: finance
- Naming: SPs prefixed usp_, tables UPPER_SNAKE_CASE
- Context files: /docs/context/
## Critical Rules
- [NEVER] Modify usp_cl_period_close without DBA sign-off
- [NEVER] DELETE on MOVEMENTS table directly — use usp_void_movement
- All writes to finance schema must use explicit transactions
## Navigation
Read context-index.md to find which file to load for any task.
## Task Routing
| Task | Load this file |
| --- | --- |
| Invoice generation / billing | context-sql-billing.md |
| Payment processing | context-sql-payments.md |
| Financial reports / exports | context-sql-reporting.md |
| Month-end / period close | context-sql-period-close.md ⚠ |
| Inventory / stock movements | context-sql-inventory.md |
## ⚠ WARNING — Do Not Touch Without Review
- usp_cl_period_close: irreversible fiscal period seal, no rollback
- usp_pay_batch_transfer: moves funds, triggers external bank API
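The routing table is written for the agent to read, but its logic is mechanical enough to sketch in a few lines. The keywords and filenames below mirror the example above; the function itself is purely illustrative:

```python
# Keyword-based task routing over the context-index.md table.
# Keywords are assumed; in practice the agent reasons over the
# table text rather than running code like this.

ROUTING = {
    "context-sql-billing.md":      ["invoice", "billing"],
    "context-sql-payments.md":     ["payment"],
    "context-sql-reporting.md":    ["report", "export"],
    "context-sql-period-close.md": ["month-end", "period close"],
    "context-sql-inventory.md":    ["inventory", "stock"],
}

def route(task: str) -> list[str]:
    """Return the domain files whose keywords appear in the task."""
    task = task.lower()
    return [f for f, kws in ROUTING.items() if any(k in task for k in kws)]

print(route("Fix rounding in invoice totals"))   # ['context-sql-billing.md']
```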
// Generated by NemoClaw analysis agent
### usp_bill_generate_invoice
Purpose: Creates a new invoice record from an approved order
Reads: ORDERS, ORDER_ITEMS, CUSTOMERS, TAX_CONFIG
Writes: INVOICES, INVOICE_LINES, AUDIT_LOG
Calls: usp_pay_validate_credit, usp_util_log_audit
[Safe to modify with tests]
### usp_bill_cancel_invoice
Purpose: Voids an invoice, triggers credit note generation
Reads: INVOICES, PAYMENTS
Writes: INVOICES (status), CREDIT_NOTES, AUDIT_LOG
[WARN] Cannot cancel if payment already settled
## Execution Order (full billing cycle)
1. usp_bill_validate_order → 2. usp_bill_generate_invoice
3. usp_bill_send_notification → 4. usp_bill_update_order_status
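One payoff of recording Reads/Writes/Calls per SP is that impact questions become mechanical. A sketch of a reverse-dependency lookup over the Calls lines (the call graph below mirrors the billing examples; usp_bill_cancel_invoice's call to usp_util_log_audit is assumed, since it writes AUDIT_LOG):

```python
# Reverse index over the "Calls:" metadata: before touching an SP,
# list everything that depends on it. Graph contents are illustrative.

CALLS = {
    "usp_bill_generate_invoice": ["usp_pay_validate_credit", "usp_util_log_audit"],
    "usp_bill_cancel_invoice":   ["usp_util_log_audit"],   # assumed
}

def callers_of(target: str) -> list[str]:
    """Return every SP whose Calls list includes the target."""
    return sorted(sp for sp, callees in CALLS.items() if target in callees)

print(callers_of("usp_util_log_audit"))
# ['usp_bill_cancel_invoice', 'usp_bill_generate_invoice']
```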
Do
- After any SP modification, update the relevant context-sql-[module].md
- Treat context file updates as part of the task definition
- Keep CLAUDE.md under 50 lines — it loads every session
- Use /compact at natural task boundaries, not reactively
Don't
- Put credentials, connection strings or IPs in any context file
- Generate all context files in one giant session — degrades quality
- Mix domain analysis with code changes in the same session
- Treat context files as documentation for humans — they're AI instructions
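Two of these rules (the 50-line cap on CLAUDE.md and the no-credentials rule) are easy to enforce automatically. A sketch of a pre-commit check; the directory layout and secret patterns are assumptions to adapt:

```python
import re
from pathlib import Path

# Hypothetical pre-commit guard for the context-file rules above.
SECRET_PATTERNS = [
    re.compile(r"(?i)password\s*="),
    re.compile(r"(?i)connection\s*string"),
    re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b"),   # bare IPv4 address
]

def check_context_dir(root: Path) -> list[str]:
    """Return a list of rule violations found under the context dir."""
    problems = []
    claude = root / "CLAUDE.md"
    if claude.exists() and len(claude.read_text().splitlines()) > 50:
        problems.append("CLAUDE.md exceeds 50 lines")
    for md in root.glob("context-*.md"):
        text = md.read_text()
        for pat in SECRET_PATTERNS:
            if pat.search(text):
                problems.append(f"{md.name}: matches {pat.pattern!r}")
    return problems
```

Wired into CI or a Git pre-commit hook, a non-empty result blocks the commit, so the rules hold without anyone having to remember them.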
NVIDIA NemoClaw —
the autonomous generation engine
Announced at GTC 2026, NemoClaw is OpenClaw with enterprise-grade security baked in. It runs an autonomous agent inside an OpenShell security sandbox — the agent that will analyze all 500+ SQL files and write the .md knowledge base for us.
"Every company needs an OpenClaw strategy" — Jensen Huang
NemoClaw is OpenClaw + OpenShell: a secure runtime that enforces policy-based guardrails at the kernel level. The agent runs inside an isolated sandbox with network deny-by-default, filesystem isolation, and all LLM calls proxied through the OpenShell gateway. API keys never touch the agent — they're injected at runtime.
Enterprise security
by design, not by policy
Security isn't a configuration option here — it's the fundamental architecture. OpenShell enforces isolation at the kernel level. Policies can't be bypassed by the agent, even if the agent is compromised.
Network isolation
Egress is denied by default. The agent cannot reach any external host unless explicitly listed in the policy YAML. For our use case: only the Claude API endpoint is allowed. Any other outbound attempt is blocked instantly and logged.
Filesystem isolation
The agent can only write to /sandbox and /tmp. Your SQL files are mounted read-only at /sql-input — the agent can read them but cannot modify, delete, or copy them anywhere outside the defined output path.
Process isolation
Landlock, seccomp, and network namespaces enforce at the kernel level. The agent cannot escalate privileges, fork unauthorized processes, or modify its own security constraints. This is the same model used in browser tab isolation.
Inference isolation
All LLM API calls route through the OpenShell gateway proxy. The agent never holds the API key — it's injected at runtime. This means even if the agent were compromised, it couldn't exfiltrate credentials.
Audit trail
Every LLM call, every network request (allowed or blocked), every file write is logged. The audit_log: true configuration captures what was sent to the model and what came back — full compliance traceability.
GitOps policy management
Security policies live in a YAML file that can be version-controlled and reviewed via pull request. Hot-reloadable — changes take effect without restarting the sandbox. This means policy changes have the same review process as code changes.
default: deny                    # deny ALL outbound by default
allow:
  - host: api.anthropic.com      # only the Claude API
    port: 443
    proto: https
filesystem:
  mounts:
    - host: /path/to/sql/files
      sandbox: /sql-input
      readonly: true             # agent can read, never modify
    - host: /path/to/md-output
      sandbox: /md-output
      readonly: false
inference:
  provider: anthropic
  model: claude-sonnet-4-6
  audit_log: true                # every LLM call logged
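Operationally, the network section of this policy reduces to a simple predicate: deny unless the (host, port) pair matches an allow entry. A Python sketch of that semantics (this mirrors the YAML above; it is not NemoClaw's actual implementation):

```python
# Deny-by-default egress check, modeled on the policy YAML.
POLICY = {
    "default": "deny",
    "allow": [{"host": "api.anthropic.com", "port": 443, "proto": "https"}],
}

def egress_allowed(host: str, port: int) -> bool:
    """Allow only explicitly listed (host, port) pairs."""
    for rule in POLICY["allow"]:
        if rule["host"] == host and rule["port"] == port:
            return True
    return POLICY["default"] == "allow"   # i.e. False under deny-by-default

print(egress_allowed("api.anthropic.com", 443))  # True
print(egress_allowed("example.com", 443))        # False
```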
From zero to operational
in 6 steps
The full implementation path — from installing NemoClaw to having Claude Code use the generated knowledge base in daily development.
Install NemoClaw
One command installs the CLI, OpenShell runtime, Docker sandbox, and the onboarding wizard. Requires Ubuntu 22.04+, Node.js 20+, Docker. Sandbox image is ~2.4 GB.
curl -fsSL https://www.nvidia.com/nemoclaw.sh | bash
# Run the interactive setup wizard
nemoclaw onboard
# Set inference provider key
export ANTHROPIC_API_KEY="sk-ant-..."
Configure security policy
Write the policy YAML and apply it to the sandbox. Network deny-by-default, SQL files mounted read-only, audit logging enabled.
nemoclaw policy apply sql-agent policy.yaml
# Verify sandbox is configured correctly
nemoclaw sql-agent status
Write agent identity (SOUL.md)
Define who the agent is and what it must/must not do. This is the agent's persistent identity — a system prompt that survives across runs.
You are a SQL codebase analyst. Read SPs, generate docs.
You do not execute SQL. You do not connect to databases.
## Rules
- Process files in batches of max 25 per domain
- Flag DELETE/DROP/TRUNCATE with [WARN]
- Never include credentials, IPs, or data values in output
- Write all output to /md-output/
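The 25-file batch rule amounts to plain chunking per domain. A sketch (file names below are placeholders):

```python
# Split a domain's SQL files into batches of at most 25, as the
# SOUL.md rule requires. Purely illustrative.

def batches(files: list[str], size: int = 25) -> list[list[str]]:
    """Chunk the file list into consecutive groups of at most `size`."""
    return [files[i:i + size] for i in range(0, len(files), size)]

domain_files = [f"usp_bill_{n:03}.sql" for n in range(60)]   # one domain
chunks = batches(domain_files)
print([len(c) for c in chunks])   # [25, 25, 10]
```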
Run the analysis agent
Connect to the sandbox and give the agent its task. For 500+ files, expect 2–4 hours. The agent runs autonomously — you can disconnect and reconnect.
# Paste this task to the agent:
Analyze all SQL files in /sql-input/.
Step 1: Group files by business domain → /md-output/domain-map.md
Step 2: For each domain, generate context-sql-[domain].md
Step 3: Generate context-index.md with routing + warnings
Step 4: Generate CLAUDE.md with global conventions
Process one domain fully before starting the next.
openshell gateway status # view security events
Extract and commit to Git
Copy the generated .md files from the mounted output directory to your project repository. Review, then commit like any other code.
# Review and commit
git add docs/context/
git commit -m "feat: add AI-generated SQL context files"
CLAUDE.md ← always loaded by Claude Code
context-index.md
domain-map.md
context-sql-billing.md
context-sql-payments.md
context-sql-reporting.md
context-sql-period-close.md
Daily use with Claude Code
From this point, NemoClaw is no longer needed day-to-day. Developers use Claude Code with the generated .md files as source of truth. The standard workflow:
Read context-index.md. Today's task: [describe task].
Tell me which context files to load, then load them.
Summarize what you know before we start.
Add any new SPs to the inventory.
Flag any new [WARN] conditions you identified.
What this costs vs.
what it returns
The investment is small. The return starts in week one and compounds every time a developer doesn't have to rediscover the system from scratch.
- Install NemoClaw
- Configure security policy
- Write agent identity
- Agent runs autonomously
- Generates all .md files
- Review + commit to Git
- 2 devs using Claude Code
- Track exploration time saved
- Refine context files
- Roll out to full team
- Knowledge base compounds
- Onboarding drastically faster
- + A structured, navigable map of the system — generated automatically
- + Context-building overhead cut from hours to minutes per task
- + New team member ramp-up time significantly reduced
- + SP dependencies visible before any change is made
- → NemoClaw just launched — early adoption builds an institutional advantage
- → Pilot cost is minimal — it proves value before full commitment
- → The knowledge base compounds in value the longer it's maintained
- → Team expertise is preserved in a durable, versioned format