Fwiw, I went down the path of trying to do something similar with Drizzle and gave up since it was in such a state of flux (this was last year). There are (were) a ton of edge cases around trying to add automatic filters to queries to the point that it was hard to justify not just rolling my own ORM.
umairnadeem123•1h ago
Two pitfalls I’d watch: 1) Don’t pretend you can out-ORM the DB: ultimately enforce in the database (RLS/GRANTs/policies), and treat ORM permissions as a compile-time/ergonomic layer. 2) Make privilege boundaries explicit at function boundaries (who creates the scoped handle?) so you don’t end up with ambient auth context leaking everywhere.
If you can generate SQL that is provably policy-complete (or at least auditable), that’s a big win.
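An added PostgreSQL example, not taken from this thread or from any project mentioned in it, of the two points in the comment above: the database enforces tenant isolation through GRANTs and row-level security, and the tenant scope is bound in one explicit place. The table `notes`, the role `app_user`, the setting `app.tenant_id` and the UUIDs are hypothetical names and constructed values.

```sql
-- Hypothetical application role: no login, no ownership, no BYPASSRLS.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE notes (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- GRANTs: the role gets only the DML it needs.
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;
GRANT USAGE ON SEQUENCE notes_id_seq TO app_user;

-- RLS: the policy is evaluated by the database for every statement,
-- whatever SQL the ORM generates.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;  -- the table owner is subject to it too

CREATE POLICY notes_tenant_isolation ON notes
    FOR ALL
    TO app_user
    -- current_setting() without missing_ok raises an error when the setting
    -- is absent, so a handle created without a tenant fails closed.
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- The scoped handle: one transaction, created in one place, that drops to
-- the application role and binds the tenant for its own lifetime only.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id',
                  '00000000-0000-0000-0000-000000000001',  -- constructed tenant id
                  true);                                   -- true = transaction-local

-- Allowed: the row belongs to the bound tenant.
INSERT INTO notes (tenant_id, body)
VALUES ('00000000-0000-0000-0000-000000000001', 'own tenant');

-- An unfiltered query is still restricted to the bound tenant's rows.
SELECT id, body FROM notes;

-- Rejected by WITH CHECK: the row names a different tenant.
INSERT INTO notes (tenant_id, body)
VALUES ('00000000-0000-0000-0000-000000000002', 'other tenant');
ROLLBACK;
```

Superusers and roles with the `BYPASSRLS` attribute are never subject to policies, so the application must not connect as either.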
iosifnicolae2•1h ago
That raises a key question: how do we design a backend that's secure, safe, and robust enough to support a wide range of use cases while still being extensible enough for user-driven customization?
carlual•5m ago
- [MCP](https://zenstack.dev/blog/database-to-mcp)
- [Agent](https://zenstack.dev/blog/ai-agen)
From my experience, a declarative and flexible AuthZ layer is the cornerstone of everything.