Developers juggling disconnected layers of data models, access policies, and API endpoints may find respite in ZenStack—a new open-source framework that consolidates application architecture into a single schema definition. By extending Prisma's schema language, ZenStack introduces declarative security policies, computed fields, and validation rules alongside traditional data modeling.


Coherent Schema: The Architectural Backbone

ZenStack's schema acts as a centralized blueprint where developers define:
- Data models and relations
- Attribute validations (e.g., @email, @length)
- Row-level access rules via @@allow/@@deny directives
- Polymorphic relationships and computed fields

The syntax deliberately mirrors Prisma's, enabling seamless migration through file renaming. Crucially, security rules are colocated with data models—like restricting Post access to authors or admins:

model Post {
  id        Int     @id @default(autoincrement())
  published Boolean @default(false)
  authorId  Int
  // anyone may read published posts; everything else requires the author or an admin
  @@allow('read', published)
  @@allow('all', auth().id == authorId || auth().role == 'ADMIN')
}

Policy-Enforcing ORM: Security by Default

The generated ORM (built atop Kysely) bakes security into every query. When initialized with user context, it automatically filters data based on schema policies:

import { ZenStackClient } from '@zenstackhq/orm';
import { PolicyPlugin } from '@zenstackhq/plugin-policy';
import { schema } from './zenstack/schema'; // TypeScript schema generated from the .zmodel file
const db = new ZenStackClient(schema, { dialect }) // dialect: the Kysely dialect for your database
  .$use(new PolicyPlugin())
  .$setAuth(currentUser); // Enforces access control; without it the client is anonymous
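
To show what the two @@allow rules above mean once a client is bound to a user, here is an added stand-in (not ZenStack's engine, and it uses no ZenStack packages) that evaluates those rules as ZenStack documents them: deny by default, and any matching @@allow grants. The rows and users are constructed sample data.

```typescript
// Added example: evaluates the Post policy rules from the schema above.
// Semantics mirrored: no matching @@allow => denied; auth() is null for an
// anonymous caller, and comparisons against a null auth() evaluate to false.
type Role = 'USER' | 'ADMIN';
type AuthUser = { id: number; role: Role } | null; // null = $setAuth never called
type Post = { id: number; authorId: number; published: boolean; title: string };
type Operation = 'create' | 'read' | 'update' | 'delete';

// Constructed sample rows standing in for the Post table.
const POSTS: Post[] = [
  { id: 1, authorId: 1, published: true, title: 'Hello' },
  { id: 2, authorId: 1, published: false, title: 'Draft' },
  { id: 3, authorId: 2, published: false, title: 'Other draft' },
];

// @@allow('read', published)
// @@allow('all', auth().id == authorId || auth().role == 'ADMIN')
function canAccess(auth: AuthUser, op: Operation, post: Post): boolean {
  if (op === 'read' && post.published) return true;
  if (auth !== null && (auth.id === post.authorId || auth.role === 'ADMIN')) return true;
  return false; // no @@allow matched: denied by default
}

// What a policy-filtered findMany returns for a given auth context:
// rows the caller may not read are silently dropped, not errored.
function findMany(auth: AuthUser): Post[] {
  return POSTS.filter((p) => canAccess(auth, 'read', p));
}

// An update attempt: returns the new row, or null when the policy rejects it.
function update(auth: AuthUser, id: number, patch: Partial<Post>): Post | null {
  const post = POSTS.find((p) => p.id === id);
  if (!post || !canAccess(auth, 'update', post)) return null;
  return { ...post, ...patch };
}
```

An anonymous client sees only published posts, an author also sees and edits their own drafts, and an admin can act on every row.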

Notable capabilities include:
- Prisma-like query API with policy enforcement
- SQL builder for complex joins
- Runtime validation of inputs
- Plugin system for query lifecycle hooks


Automatic API Generation

ZenStack's most compelling feature is its zero-code REST/GraphQL API that mirrors the ORM. Since access control is handled at the ORM layer, frameworks like Next.js or Express expose secure CRUD endpoints with minimal configuration:

// Next.js App Router route handler, e.g. app/api/model/[...path]/route.ts
import { NextRequestHandler } from '@zenstackhq/server/next';
import { getClient } from './client'; // assumed helper returning the policy-enabled client for this request
const handler = NextRequestHandler({ getClient, useAppDir: true });
// Instantly handles GET/POST/PUT/DELETE under this route
export { handler as GET, handler as POST, handler as PUT, handler as DELETE };

Simultaneously, it generates type-safe TanStack Query hooks for frontends. A React component fetches policy-compliant data without manual API wiring:

const { data } = client.user.useFindUnique({
  where: { id: userId },
  include: { posts: true } // Automatically filtered by policy
});

AI and Maintenance Advantages

The schema-first approach offers unexpected benefits for AI-assisted development: a concise, unambiguous model improves LLM accuracy for code generation. By deriving APIs, validation, and security from the schema, ZenStack also reduces codebase bulk—simplifying maintenance.


Shifting Full-Stack Paradigms

ZenStack represents a broader trend toward consolidated application frameworks. By unifying traditionally separate concerns—data, security, and API layers—it eliminates entire categories of boilerplate while enforcing consistency. Early adopters like Veeva and CodeRabbit report accelerated development cycles, though the approach demands upfront schema design rigor. As applications grow in complexity, such integrated stacks may become essential for maintainable, secure systems.

Source: ZenStack Documentation