Agent-era backend · public beta

Ship at agent speed.
Without agent-speed
bugs.

AI coding tools write backends faster than you can audit them. StealthQL is the runtime contract that fails the build before they ship an auth leak, a cross-tenant read, or a quiet over-share.

npm install stealthqlSee the attack lab
45attack tests, generated
0cross-tenant reads
30slocal runtime boot
01 / Schematables
Define your tables in plain JavaScript. Types, relationships, indexes — inferred end-to-end.
02 / Authactors
Magic links, sessions, multi-tenant actors — built in. Just code in the capsule.
03 / Policiesrules
Row-level rules with auto-generated attack tests. If Bob can read Alice's invoice, the build fails.
04 / Functionslogic
Server functions that run with the same actor and policies as your queries. No middleware tax.
05 / Storagefiles
Uploads that obey the same row-level policies as your tables. The file knows who owns it.
06 / Shareslinks · signatures
7d
Share a row, table, file, or signature flow as a signed link. Field-level visibility, expiration, revoke.
The Capsule · hover to inspect · figure 1
Backends used to be cloud projects.
Things you rented. Dashboards you babysat.
Bills that arrived while you slept.
That era is over.
A new species of backend
/ 01 The capsule

Six layers.
One portable object.

A capsule is the whole backend — schema, auth, policies, functions, storage, shares — compiled into a single artifact that lives in your repo. Clone it, run it, deploy it. The same object, everywhere.

01Schematables · types
02Authactors · sessions
03Policiesrow-level rules
04Functionsbusiness logic
05Storagefiles · uploads
06Shareslinks · proposals · signatures

When you clone the repo, the backend comes with it.
There is nothing else to set up.

/ 02 How it works

Write. Run. Deploy.

The code is the backend. There is no other source of truth. Nothing to keep in sync.

i

Write

Your schema, rules, and functions live in files inside your project — alongside your frontend, in the same git history.

ii

Run

A real backend boots on your laptop. Real Postgres, real auth, real data. Stored on your disk. No internet required.

npm run dev
iii

Deploy

The same capsule runs in production — on StealthQL Cloud, or on your own servers. One command, one URL, real users.

stealthql deploy
Works with
Next.jsNext.js
ViteVite
AstroAstro
SvelteKitSvelteKit
ReactReact
React NativeReact Native
/ 03 Three minutes

From nothing to a live website.

StealthQL Managed is the default deploy. Click once. We do the rest. Your capsule, your data, our ops.

+ 5s

Install

Add the package to your project.

npm install stealthql
+ 30s

Build

Scaffold a capsule with secure defaults — or import from a CSV.

npx stealthql init
+ 60s

Deploy

Choose Managed. We provision the server, gate the deploy on policy + security tests, issue TLS.

npx stealthql deploy
2:50

Live

Capsule built. Gates passed. Server provisioned. TLS issued. Dashboard live. Share portal live.

✓ your-app.stealthql.app

Prefer to self-host? npx stealthql deploy --own-droplet writes the scripts and walks you through your own DigitalOcean (or Vercel + DO split). Same capsule, your infrastructure, $0.

/ 04 Attack lab

Let the agent build it.
Make the runtime attack it.

Cursor, Claude Code, and Codex read the repo contract, propose schema and policy changes, then StealthQL generates the backend and the attack suite before the agent can call it done.

Cursor · connected via STEALTHQL_AGENT.md
y You
Build me an invoicing SaaS — customers, invoices, line items. Add Stripe and shareable invoice links so customers can view without an account.
c Claude
Read STEALTHQL_AGENT.md
Wrote stealth.schema.request.json — 4 tables, 2 actors, 1 share
Ran stealthql schema preview
Ran stealthql schema apply --test
Generated stealth.schema.js — 4 tables
Generated stealth.auth.js — actors + row-level rules
Generated stealth.functions.js — Stripe webhook handler
Generated stealth.shares.js — public invoice link
Generated stealth.policy.test.js — 45 attack tests
All 45 attack tests passed · backend ready at localhost:8787

The agent can still move fast. The difference is that auth leaks, cross-tenant reads, unsafe service-token writes, and accidental over-shares become failing tests instead of production incidents.

↳ act two

Make the runtime refuse the leak.

Build-time tests catch leaks the agent might write into your code. Runtime classification catches leaks the agent might send out of your code. Mark a field as aiReadable: false and StealthQL intercepts every outbound HTTP request to known LLM endpoints — refusing any payload that contains the marked field, writing every attempt to the ledger.

Most appssilent leak · no audit trail
// agent code, your app await openai.chat.completions.create({ model: 'gpt-4', messages: [{ role: 'user', content: `${patient.name} reports...`, }], }); // PII left the building. ✗ no one will know until the breach.
StealthQLrefused at the wire · ledger entry written
// stealth.schema.js patients: { id: { type: 'id' }, name: { type: 'string', aiReadable: false }, ssn: { type: 'string', aiReadable: false }, } // $ stealthql logs --recent ✗ outbound LLM call refused at app/agent.ts:42 destination: api.openai.com/v1/chat/completions payload contained patients.name (aiReadable: false) actor: u_clinic_admin · ledger entry x9k4f...

The agent-era thesis as a real feature, not a marketing claim. Mark a field, and the runtime refuses the request — at the wire, every time, with a record in the ledger.

/ 05 What's different

Backends are no longer cloud projects.
They are portable objects.

i.

The backend is portable.

Clone the repo and the backend comes with it: schema, policies, auth, functions, seeds, storage rules, test users — all of it.

ii.

The data is shareable.

Create a link to a table, row, file, or dashboard. Field-level visibility, expiration, revoke anytime. Across capsules, too.

iii.

The policies are attacked.

Every policy change generates security tests. If Bob can read Alice's invoice, the build fails. Your security is verified every time you save.

iv.

Production is replayable.

A bug happens. StealthQL reconstructs the data, actor, function call, policy decision, and side effects locally. No log archaeology.

v.

The capsule is embeddable.

Same backend, same policy layer, on Tauri, Electron, and React Native. Sync between local and server is end-to-end-encrypted by the same primitive. The line between “app” and “backend” goes away.

vi.

The schema migrates itself.

Rename a column and the runtime writes the migration, updates the policies, and proves the old rules still hold. Migrations are everyone's worst experience. Inverted.

/ 06 Sharing

Every capsule shares like a document.

Send a link to a row, a file, a dashboard, a signature flow. The recipient sees only what you allow. Revoke it whenever you want.

Most teams skip this entirely and ship a “sign up to view” wall. You don't have to.

↳ also a share mode

Signed packets, by the same primitive.

A signature is a share with a canvas. The recipient signs in the browser; the runtime stores the ink as an image blob in your Storage bucket; the row and the ledger record only hashes and references. Reach the moment where you need to prove what was signed — and the answer is one query away.

browser canvasbase64 transportruntime decodesimage bytes in Storagehash + reference in the ledger

The base64 is a transport convenience between canvas and runtime. It never lands in a row. The runtime decodes it, stores the actual image bytes as a blob, writes only bucket / key / sha256 / bytes / contentTypeinto the row, plus the hash of the document the user was signing and the hash of the whole signed packet. Replay any signature from the evidence record and StealthQL points at the actual blob with cryptographic proof it hasn't been altered since the moment of signing — every byte chained, every step replayable.

↳ across capsules

Even with another capsule.

Two StealthQL deployments establish trust by exchanging capsule hashes. A share crosses the boundary, signed by the source, verified by the target. Both sides hold the same audit trail. Clinic A refers a patient to Clinic B— A doesn't give B database access, B can't see anything outside the share, and the audit trail is one chain that spans both sides.

FHIR and TEFCA spent a decade trying to bureaucracy this into existence. StealthQL ships it as a primitive. The audit trail spans both sides. The data never leaves a row that wasn't shared.

/ 07 Admin panel killer

Delete the admin panel.
Share the table.

Clients, accountants, vendors, and ops teams can edit the slice you expose. Every change is validated, logged, and queued for approval. A spreadsheet is now a permissioned database interface.

Proposal #4218[email protected] · 2 minutes ago · invoiceList share
invoice.status
draftpaid
Approved by schema
invoice.due_date
2026-05-012026-05-15
Approved by schema
invoice.amount
$500$50
Rejected · read-only
invoice.internal_note
[private]"trying to hide a fee"
Rejected · private field
2 of 4 changes can be applied

Approve, reject, or merge with one click. Every change — applied or not — is logged forever in the event ledger.

/ 08 Security

Agent mistakes become failing tests.

Most backend leaks are small review misses: a route trusts a raw ID, a share exposes one field too many, or a service token writes user-supplied data. StealthQL turns those misses into runtime checks and generated tests.

Most appsleaks by default
// alice asks for her invoice GET /api/invoices/inv_123 ✓ ok, that's hers // alice changes one digit GET /api/invoices/inv_124 ✗ leaked: bob's invoice GET /api/invoices/inv_125 ✗ leaked: carol's invoice
StealthQLsafe by default
// alice asks for her invoice GET /api/invoices/inv_123 ✓ row + encrypted handles // alice tries to peek at bob's GET /api/invoices/inv_124 ✗ permission denied // updates require a handle POST /api/invoices/update { handle: 'h_x7Zq8p3kL...' } // signed, single-use, alice-only

Every row ships with an encrypted handle bound to the actor, the session, and the capsule itself. Knowing someone else's ID isn't enough. The handle can't be forged. On most backends, IDOR is "did anyone test for it?" Here it's "can you even break it?"

↳ and: caught before it ships

Even your service tokencan't be tricked.

The other classic backend leak isn't IDOR — it's the confused deputy. A logged-in user POSTs a body. Your route parses it. Then it calls a service client with full power and writes whatever the body said. The service token meant for cron jobs and Stripe webhooks just became a deputy for member-supplied data. npx stealthql test security fails CI on the exact route shape that allows this — body parse + createStealthServiceClient() + service.mutate() in the same handler.

Most appsfails security tests · cannot ship
// app/api/invoices/[id]/route.ts export async function PATCH(req) { const body = await req.json(); const stealth = createStealthServiceClient(); await stealth.mutate('invoices', body); return Response.json({ ok: true }); } // $ npx stealthql test security ✗ confused-deputy at route.ts:3 service client wrote data sourced from a request body fix: mutate as the human, or add the override comment
StealthQLmutates as the human · row policies enforced
// app/api/invoices/[id]/route.ts export async function PATCH(req) { const body = await req.json(); const stealth = stealthFromRequest(req); await stealth.mutate('invoices', body); return Response.json({ ok: true }); } // $ npx stealthql test security ✓ 172 passed · 0 failed // row handle, ownership check, field policy — all enforced

Need to override (a Stripe webhook genuinely needs the service client and writes data sourced from a third-party body)? Add // stealthql-confused-deputy-ok: stripe webhook · verified signature with the reason. The escape-hatch is intentional, auditable, and lives in your git history alongside the route — not in a config file someone forgot to read.

↳ and: explained

Why did this row appear?

For any allowed read, the runtime can produce a sentence: which actor field matched which row field via which policy, with the rule's hash. For any refused read, it tells you what would have been needed. Devtools for policies — and the agent can debug its own decisions.

Allowedtraceable to a single rule
// $ stealthql explain \ // --request 'GET /api/invoices/inv_123' \ // --as alice ✓ allowed row 42 visible because: actor.activeOrgId = 'org_acme' matched row.orgId via policy invoices.read.any[0] ruleHash 5f6be1c2
Refusedtells you what would unlock it
// $ stealthql explain \ // --request 'GET /api/invoices/inv_999' \ // --as alice ✗ refused would have been allowed if actor had role 'admin' or actor.activeOrgId = 'org_globex' no rule matched the current actor

The agent that wrote the policy can debug why the policy refused a request. So can the human reviewing the PR. The policy stops being a black box.

/ 09 Time-travel

Yesterday is a query.

The hash-chained ledger already holds every prior state of every row. We just gave you the verb. Ask for any moment in your backend's history and it answers in one query.

↳ replayable as a tarball

Hand support the moment before the bug.

Every backend, at every prior state, can be exported as a single artifact. The capsule plus the ledger up to time T is a fully reproducible backend. Tar it, ship it, replay it on a laptop in thirty seconds. Customer support stops asking for screenshots.

What did the dashboard look like before the bug? One query. Who saw what last Tuesday? One query.Time isn't a separate system anymore.

/ 10 Audit readiness

The capsule is also the evidence.

Generate an auditor-ready evidence bundle from the same capsule that enforces your backend. Map your tables to the controls they cover and StealthQL assembles a hash-chained record from the ledger — what was enforced, when, by which rule. The auditor still does the audit.

↳ and: right-to-erasure evidence

Delete a user. Hand them the receipt.

Every SaaS has the right-to-erasure problem. Most ship a button and a prayer. StealthQL emits a signed deletion receipt: which tables the data was removed from, the last hash before deletion, the removal hash, the timestamp — signed by your deployment's signing key. Verifiable by anyone holding the deployment's public key. No special access required.

The receipt is a single JSON document, signed by your deployment's signing key. It names every table the data left, the hash of the database immediately before the deletion, the hash immediately after, and the moment in time. Anyone holding the deployment's public key can verify it without ever touching your servers — including the user, their counsel, or an auditor preparing a control narrative. An audit-ready erasure proof, by construction.

/ 11 The GraphQL question

GraphQL solved 2015's frontend pain.

REST endpoint sprawl hurt frontend teams every sprint, so GraphQL spread from the bottom up. In 2026, the daily pain is different: agents are writing backend code faster than anyone can audit tenancy, field access, and service-token boundaries.

GraphQLsame feature, real codebase
api/ ├── schema.graphql SDL · types, queries, mutations ├── resolvers/ │ ├── invoice.ts field resolvers │ ├── customer.ts field resolvers │ └── lineItem.ts field resolvers ├── dataloaders/ │ ├── invoiceByCustomer.ts solve N+1 │ └── customerById.ts solve N+1 ├── auth/ │ ├── context.ts extract user from JWT │ ├── directives.ts @auth checks per field │ └── guards.ts resolver-level checks ├── codegen.yml generate client types └── server.ts Apollo bootstrap
files to maintain in sync12
StealthQLsame feature, the whole feature
app/ ├── stealth.schema.js tables · fields · types ├── stealth.auth.js actors · row-level rules └── stealth.functions.js your business logic // your client const invoice = await db.invoices .where({ id }) .include('customer', 'lineItems') .first(); // policies enforced. // types inferred. // no resolver in sight.
files to maintain in sync3

GraphQL made data fetching feel safe enough for humans. StealthQL makes backend generation safe enough for agents.

A runtime contract instead of another review checklist
/ 12 Bring what you have

One repo. One package.
One deploy command.

Bring what you have. The migration paths are built in. The capsule absorbs the rest.

Supabase

Your tables, rules, users, storage, and functions — into your repo in one command. npx stealthql import-supabase.

Firebase

Your data, on your machine in dev, your server in production. Always yours.

Prisma + REST

Auth lives next to your data. Every policy is tested before you ship.

Convex

Local-first by default. Run the whole thing on your laptop, no internet required.

/ 13 Pricing

Free to build. Easy to ship.

The runtime is Apache 2.0 and free forever. StealthQL Studio is the proprietary dashboard that makes the capsule feel like a product: hosted by us, or licensed into your own walls.

Free

Open-source runtime only. Build locally, self-host on your own DigitalOcean Droplet or Vercel + DO split, fork the package, audit it line by line, and build your own admin if you want one.

$0

StealthQL Managed

The default deploy. We host the runtime and Studio: capsule hash verified, policy and security tests gate the deploy, share portals live, deploy doctor, daily backups, TLS managed. Eject anytime.

From $39/mo
Starter $39 · Builder $79 · Agency $199

Agency

Multiple client capsules, white-label portals, multi-app Studio dashboard, team access, extended audit retention. Built for the people building backends for other people.

From $199/mo

Self-Hosted Studio

Run Studio in your VPC. Same dashboard, evidence mode, Agent WAF, replay, and deploy gates; your runtime and data stay inside your network. License key, updates while current.

From $499/mo
Team $499/mo · Site $14k/yr

Scale

Everything in Self-Hosted Studio plus dedicated support, SSO, compliance paperwork, signed BAA, custom SLAs, private networking, and multi-capsule federation.

Custom

Your backend runtime is yours forever. Studio is the dashboard that makes it operational: hosted by us for speed, self-hosted under license when your data cannot leave the building.

/ 14 Licensing

Open runtime. Proprietary Studio.

The package gets distribution because developers can install it anywhere. The dashboard is the paid product: the polished operating system for capsules, portals, evidence, replay, and agent-safe deploys.

Apache 2.0

stealthql runtime

Install it, fork it, audit it, ship it. Local dev and self-hosted production never require Studio.

npm install stealthql
Commercial license

StealthQL Studio

The dashboard, replay workbench, capsule templates, deploy center, evidence mode, and Agent WAF are proprietary. Free hosted tier, paid managed tiers, self-hosted license for regulated teams.

license.stealthql.com
Enterprise / OEM

Private walls

Run Studio in your VPC, behind SSO, with offline grace. No redistribution or resale without a separate embedded/OEM agreement.

Self-Hosted Studio Site
/ 15 Questions

The things people ask before they install.

i.

How does StealthQL help with AI-written backend code?

StealthQL gives Cursor, Claude Code, and Codex a repo-native backend contract. Agents can propose schema, auth, policy, function, and share changes, but the runtime generates attack tests and fails the build before auth leaks, cross-tenant reads, unsafe service-token writes, or over-shares ship.
ii.

Is StealthQL a database, a backend, or a framework?

StealthQL is a backend runtime for the agent era. It compiles your schema, auth, policies, functions, storage, sync, and shares into a capsule that can run locally, on StealthQL Managed, or on your own infrastructure.
iii.

Can I still use SQL?

Yes. StealthQL is built around Postgres-compatible data. You can use the generated client, raw SQL, or both. Policies still apply.
iv.

Where is my data stored?

On your laptop in development (in a private runtime data directory outside the repo). On StealthQL Managed or your own server in production. You can move it anytime via npx stealthql export.
v.

Does my data go to GitHub when I push?

No. Your code goes to GitHub. Your data stays on whatever machine is running the backend.
vi.

Can my customers edit data in Excel or Google Sheets?

Yes. Any share can have CSV round-trip turned on. The recipient exports to CSV, edits in Excel or Sheets, re-uploads. Schema and policies validate the upload, then changes go into a proposal queue for you to approve — never written directly.
vii.

Can I bootstrap the backend from an existing spreadsheet?

Yes. Drop a CSV or XLSX into the wizard or run npx stealthql import-csv. StealthQL infers tables, columns, types, tenant boundaries, auth roles, shares, and policy tests automatically.
viii.

What about multi-region or global distribution?

Most apps never need it. When you do, point your capsule at Cloudflare and your data lives at the edge automatically. One config flag, no networking expertise, no re-platforming.
ix.

What about point-in-time recovery?

Production capsules are continuously snapshotted. Roll back to any moment in the last 30 days with one command. The append-only event ledger replays to any timestamp deterministically.
x.

What if StealthQL goes away?

Run npx stealthql export. You get the full source, data, ledger, and rules as a portable bundle. Your app keeps running. The runtime is Apache 2.0 open source forever.
xi.

What is open source, and what is paid?

The stealthql npm runtime is Apache 2.0: install it anywhere, fork it, audit it, redistribute it. StealthQL Studio is proprietary: the hosted dashboard is included with managed plans, and regulated teams can license Self-Hosted Studio to run the same dashboard in their own VPC.

Let the agent build it.
Make it prove it.

$npm install stealthql
or

 

Self-host today on Apache 2.0.
Local runtime, generated attack tests, deploy when the gates pass.