ObjectQL
Business objects as structured Zod metadata
ObjectQL is the Data Layer of ObjectStack. Business objects, fields, relations, validation, queries, and permissions are defined once as Zod schemas — not hidden inside ad-hoc SQL queries, ORM glue, or JavaScript strings. The same metadata drives the database, REST APIs, typed SDKs, UI props, and MCP tools, so humans and AI agents see exactly the same shape of the business.
You define the object in Zod. We generate the rest.
One schema becomes a database table, REST API, typed SDK call, UI prop set, and MCP tool — all permission-aware.
// customer.object.ts
import { defineObject, z } from '@objectstack/objectql';
export const Customer = defineObject({
name: 'Customer',
fields: {
company_name: z.string().min(1),
account_manager: z.ref('User'),
total_revenue: z.derived(({ row }) =>
sum('Order.amount').where({ customer: row.id })
),
},
permissions: {
read: role.in('sales', 'finance'),
write: row.account_manager.is(currentUser),
},
agentTools: ['list', 'get', 'create', 'updateRevenue'],
});// Generated from the same Zod metadata:
// Database → typed table + indexes + derived columns
// REST API → GET/POST/PATCH /customers (permission-aware)
// SDK → customers.list({...}) with TS types
// UI props → ObjectUI views inherit field types + labels
// MCP tools → customer.list / customer.get / customer.updateRevenue
// exposed to AI agents with the SAME row-level
// permissions as a human user.Why ObjectQL?
One Zod source of truth. Engine-enforced permissions. Storage-agnostic by design.
Engine-Enforced Permissions
RBAC, tenant isolation, and field-level policies are declared in metadata and compiled into the data layer — WHERE clauses, projection masks, write guards. There is no middleware to forget and no UI guard to bypass. AI agents inherit the same enforcement as the user they act for.
Storage-Agnostic by Design
The same Zod-defined objects run over Postgres, MongoDB, Redis, Excel, or your legacy proprietary system via Drivers. Switching storage is configuration, not a rewrite. Mount a marketing spreadsheet next to production Postgres with one unified permission model.
Derived Fields as Metadata
Computed and relational fields are declared in the schema and compiled to efficient database expressions — aggregations, joins, derivations. Your business definitions live next to your data, not buried in scattered query builders or N+1 loops.
ObjectQL vs. ORM + Hand-Wired Stack
ObjectQL is not just an ORM — it is the metadata spine of an AI-native backend.
One Zod schema drives DB, API, SDK, UI, and MCP tools.
Models, DTOs, validators, OpenAPI, and UI types drift constantly.
Declared in metadata, enforced by the engine across every surface.
Re-implemented per route, UI, and AI tool — easy to bypass.
Swap Drivers (Postgres / Mongo / Excel) with no business code change.
Tightly coupled to a specific dialect or ORM library.
MCP tools generated from the same permissioned metadata.
Bespoke tool definitions that drift from the real backend.
Any Data Source. Same Metadata.
Drivers are plugins loaded by the Control Layer. The same Zod-defined business objects run over each of them.
PostgreSQL
Production-grade relational backbone. JSONB-optimized with full support for CTEs and window functions.
MySQL
High-concurrency relational store. 8.0+ feature set, tuned for web-scale workloads.
SQLite
Local-first ready. Ideal for embedded tools, edge devices, and zero-infra prototypes.
SQL Server
Enterprise relational store. Native T-SQL support with seamless Azure SQL integration.
Oracle Database
Wrap legacy enterprise systems behind ObjectQL metadata without forced migration.
MongoDB
Document store with schema-to-document mapping and aggregation pipeline support.
Excel / CSV
Mount spreadsheets as first-class data sources. Same permissions, same APIs, same MCP tools.
Use Cases
From AI-operated internal tools to multi-tenant business platforms.
Agent-Operated Internal Tools
Build inventory, ops, and admin tools where copilots can safely read and mutate business data. Every object, action, and permission is declarative metadata, so an AI agent can be given a scoped, auditable surface — never raw SQL or a screen-scraped UI.
Heterogeneous Enterprise Data
Unify Oracle, Postgres, MongoDB, Redis, and Excel behind one Zod-defined object model. Generate the same REST APIs, SDK calls, and MCP tools regardless of which Driver holds the data underneath.
Multi-Tenant SaaS Backends
Tenant isolation, field-level security, and per-role queries are derived from metadata. Ship vertical SaaS with auditable, agent-ready APIs from day one — no parallel security model to maintain.
Define Your Business Once.
Let Humans And Agents Operate It Safely.
Stop scattering business logic across SQL, JavaScript, and UI state. Make objects, permissions, workflows, APIs, UI metadata, and agent tools one structured Zod source of truth — analyzable, versioned, and auditable end to end. Launch July 2026.