Auto-generated GraphQL API from Drizzle schema, running on Cloudflare Durable Objects with per-instance SQLite storage. Modelled closely after Hasura's GraphQL API and permission system — same query/mutation patterns, row-level/column-level rules, session variable resolution, and role-based access control.
Warning: This is an experimental project and should not be used in production. It's a learning exercise and proof of concept, not a battle-tested framework.
- Drizzle schema -> GraphQL schema generation
- Query, by-PK, cursor pagination, insert/update/delete operations
- Row-level and column-level authorization rules
- JWT auth (RS256 via JWKS, or HS256 shared secret)
- Durable Object + SQLite runtime on Cloudflare Workers
- Vitest unit + integration test coverage
pnpm install
cp .dev.vars.example .dev.vars

Update .dev.vars with real auth values.

pnpm dev

GraphQL endpoint: http://127.0.0.1:8787/graphql
GraphiQL: available at /graphql when ENABLE_GRAPHIQL=true.
- pnpm dev - start local Worker
- pnpm deploy - deploy with Wrangler
- pnpm db:generate - generate Drizzle migration + migration barrel
- pnpm db:migrate - run migrations
- pnpm test - run typecheck + all tests
- pnpm test:unit - unit tests only
- pnpm test:integration - integration tests only
Worker auth is the trust boundary:
- Worker verifies JWT/admin secret.
- Worker injects trusted identity headers (X-Role, X-User-Id).
- Durable Object executes GraphQL with permission rules.
Incoming Authorization, X-Role, X-User-Id, and X-Admin-Secret are stripped before forwarding.
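The strip-then-inject step described above, as an added example (not the project's own code): the names `Identity`, `buildForwardHeaders` and `demo` are hypothetical, and JWT/admin-secret verification is assumed to have already produced the identity.

```typescript
// Added example: Identity, buildForwardHeaders and demo are hypothetical names,
// not taken from the project's source.
interface Identity {
  role: string;
  userId: string;
}

// Headers a client must never be able to pass through to the Durable Object.
const STRIPPED = ["Authorization", "X-Role", "X-User-Id", "X-Admin-Secret"];

// `identity` is the result of JWT/admin-secret verification done earlier in the
// Worker (assumed here); null means the request carried no valid credential.
function buildForwardHeaders(incoming: Headers, identity: Identity | null): Headers {
  const out = new Headers(incoming); // copy, so the original request is untouched
  // Headers matches names case-insensitively, so "x-role" is removed too.
  for (const name of STRIPPED) out.delete(name);
  if (identity !== null) {
    // set(), not append(): exactly one value per identity header.
    out.set("X-Role", identity.role);
    out.set("X-User-Id", identity.userId);
  }
  return out;
}

// Constructed sample request: an ordinary user's credential plus spoofed headers.
function demo(): Headers {
  const spoofed = new Headers({
    "authorization": "Bearer <token>",
    "x-role": "admin",
    "X-User-Id": "1",
    "X-Admin-Secret": "guess",
    "content-type": "application/json",
  });
  return buildForwardHeaders(spoofed, { role: "user", userId: "42" });
}
```

Stripping unconditionally, before any identity is injected, means an unauthenticated request cannot carry client-chosen X-Role or X-User-Id values across the boundary.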
- src/ - runtime source
- test/ - test suites
- drizzle/ - generated migrations
- permissions.config.ts - default permission rules
- wrangler.json - Cloudflare Worker/DO config
- License: MIT (LICENSE)
- Security reporting: see SECURITY.md
- Contribution guide: see CONTRIBUTING.md