The latest articles on DEV Community by explita (@explita). https://dev.to/explita https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3942119%2Fc5779919-5f00-42f1-8671-d5dc87859e21.png https://dev.to/explita en explita Fri, 22 May 2026 08:08:21 +0000 https://dev.to/explita/stop-manually-stripping-prisma-inputs-generate-zod-schemas-guard-your-db-automatically-56mj https://dev.to/explita/stop-manually-stripping-prisma-inputs-generate-zod-schemas-guard-your-db-automatically-56mj <p>If you use Prisma, you already know it's a fantastic ORM with excellent developer experience. But there's a common friction point almost all of us hit when building real-world APIs: <strong>input validation and sanitization</strong>.</p> <p>Prisma is strict. If a user passes an unknown field in a <code>.create()</code> or <code>.update()</code> payload (like an injected <code>isAdmin: true</code>), Prisma throws an error. So what do you do? You end up writing tedious mapping functions, picking fields manually, or writing massive Zod schemas by hand to validate and strip out the junk before it reaches Prisma.</p> <p>What if your Prisma schema could just... do it all for you?</p> <p>Enter <a href="https://github.com/explita/prisma-guard" rel="noopener noreferrer"><strong>Prisma Guard</strong></a> 🛡️.</p> <h2> What is Prisma Guard? </h2> <p>Prisma Guard is the ultimate Prisma companion designed to bridge the gap between database models and API validation. It does two main things:</p> <ol> <li> <strong>Runtime Protection (The Guard):</strong> A Prisma Client extension that silently strips unknown fields from your queries at runtime.</li> <li> <strong>Schema Generation (The Magic):</strong> Automatically transforms your <code>.prisma</code> models into robust, decorated Zod schemas with complete type-safety.</li> </ol> <p>It's completely zero-config out of the box (it even manages your <code>.gitignore</code> and Prettier formatting for generated files), but offers immense power for those who need custom validation logic.</p> <h2> ✌️ Two Ways to Use It </h2> <p>Depending on your needs, you can use Prisma Guard in two modes.</p> <h3> Mode 1: Runtime Protection Only (The Quick Fix) </h3> <p>If you just want to stop Prisma from throwing errors when random fields are passed from the frontend, just add the extension to your client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@prisma/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">prismaGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@explita/prisma-guard</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">().</span><span class="nf">$extends</span><span class="p">(</span><span class="nf">prismaGuard</span><span class="p">());</span> <span class="c1">// Any extra fields passed to 'data' will be silently stripped</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">poisonField</span><span class="p">:</span> <span class="dl">"</span><span class="s2">will be removed</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Poof! Gone.</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Mode 2: Full Validation &amp; Schema Generation (Recommended) </h3> <p>This is where the real magic happens. By running <code>npx prisma-guard</code>, it reads your Prisma schema and generates perfect Zod schemas.</p> <p><strong>Your Prisma Schema:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>model User { id String @id @default(cuid()) email String @unique password String createdAt DateTime @default(now()) } </code></pre> </div> <p><strong>What you get:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">UserCreateSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">trim</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">This field is required</span><span class="dl">"</span> <span class="p">}),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">trim</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="c1">// id and createdAt are managed by Prisma defaults or omitted entirely depending on your config!</span> <span class="p">});</span> </code></pre> </div> <h2> 💎 Advanced Type Ergonomics &amp; Dual Schemas </h2> <p>One of the biggest headaches with schema generation is that a "public" API schema shouldn't include sensitive internal database fields (like <code>secretApiKey</code> or <code>tenantId</code>).</p> <p>Prisma Guard handles this beautifully by generating <strong>Dual Schemas</strong> for every model:</p> <ol> <li> <strong>Public Schemas</strong> (<code>UserCreateSchema</code>): Respects your omission rules. Perfect for API request validation.</li> <li> <strong>Scalar Schemas</strong> (<code>UserCreateScalarSchema</code>): Includes <em>every</em> database field. Perfect for internal services and database operations.</li> </ol> <p>It also exports a suite of ergonomic TypeScript types (<code>UserCreate</code>, <code>UserUpdate</code>, <code>UserCreateRequired</code>) so your service layers are always perfectly typed.</p> <h2> 🎨 The Power of Decorators (and the <code>v</code> proxy) </h2> <p>Sometimes <code>z.string()</code> isn't enough. You need <code>.email()</code>, <code>.min(8)</code>, or custom refinement logic. Prisma Guard lets you define this cleanly using triple-slash comments (<code>///</code>).</p> <p>Instead of polluting your Prisma schema with massive strings of Zod code, Prisma Guard introduces the <strong><code>v</code> proxy</strong> in a <code>prisma-guard.config.js</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// prisma-guard.config.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span><span class="p">,</span> <span class="nx">v</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@explita/prisma-guard</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">decorators</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Chain validations onto the inferred Prisma type</span> <span class="na">email</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nx">chain</span><span class="p">.</span><span class="nf">email</span><span class="p">().</span><span class="nf">trim</span><span class="p">().</span><span class="nf">toLowerCase</span><span class="p">(),</span> <span class="c1">// Completely override a type</span> <span class="na">strongPassword</span><span class="p">:</span> <span class="nx">v</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">12</span><span class="p">).</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">]</span><span class="sr">/</span><span class="p">),</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Then, you just use them in your Prisma schema!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>model User { id String @id /// @zod.use(email) email String /// @zod.use(strongPassword) password String } </code></pre> </div> <h3> IDE Superpowers 🪄 </h3> <p>No one likes typing out decorators from memory. Prisma Guard includes an incredible <code>npx prisma-guard metadata --vscode</code> command that automatically installs VS Code snippets for every Zod method. You literally get autocompletion inside your <code>.prisma</code> files!</p> <h2> ⚡ Blazing Fast Performance </h2> <p>You might be thinking: <em>"Doesn't a runtime guard slow down my queries?"</em></p> <p>The answer is no. The runtime guard is designed for ultra-low latency. It uses strict $O(n)$ complexity (looping only over predefined schema fields instead of arbitrary user input), memoized whitelists, and hot-path early exits.</p> <p>In benchmarks of 100,000 recursive sanitization iterations on a complex payload:</p> <ul> <li> <strong>Total duration</strong>: <code>221.26ms</code> </li> <li> <strong>Average per query</strong>: <strong><code>2.21 microseconds</code> (<code>0.0022ms</code>)</strong> </li> </ul> <p>If your database query takes 10-50ms, adding 0.0022ms introduces <strong>virtually 0% overhead</strong>.</p> <h2> 🚀 Get Started in 2 Minutes </h2> <p>Stop wasting time manually maintaining Zod schemas that drift out of sync with your database.</p> <ol> <li>Install the package: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @explita/prisma-guard </code></pre> </div> <ol> <li>Initialize your config: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx prisma-guard init </code></pre> </div> <ol> <li>Generate the magic: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx prisma-guard </code></pre> </div> <p>Check out the full documentation, advanced relation handling, and custom schema generation features on our <a href="https://github.com/explita/prisma-guard" rel="noopener noreferrer">GitHub Repository</a>.</p> <p>If Prisma Guard saves you time, I'd deeply appreciate a ⭐ on GitHub! Let me know what you think in the comments below. Happy coding! 🚀</p> prisma typescript zod node explita Thu, 21 May 2026 12:25:08 +0000 https://dev.to/explita/stop-writing-manual-database-triggers-automatic-audit-logging-in-prisma-4l83 https://dev.to/explita/stop-writing-manual-database-triggers-automatic-audit-logging-in-prisma-4l83 <p><strong>Picture this:</strong> A critical database record is modified or deleted in production. Customer support is flooded, and your manager asks, <em>"Who did this, what was changed, and what did it look like before?"</em></p> <p>If you don't have audit logging set up, you're stuck digging through database transaction logs, parsing raw server outputs, or doing forensic database recovery. It's stressful, slow, and completely avoidable.</p> <p>But building audit logging is notoriously tedious:</p> <ul> <li> <strong>Database Triggers</strong> are hard to maintain, slow, and don't know anything about your application context (like the HTTP Request IP or the active User Session).</li> <li> <strong>Manual Service Logging</strong> requires you to write boilerplate code around every database update, mutation, and delete in your entire codebase. One missing line, and your audit log is incomplete.</li> </ul> <p>To solve this once and for all, I built <strong>Prisma Audit Log</strong>. </p> <p>It’s a native Prisma Client extension that automatically intercepts your queries (<code>create</code>, <code>update</code>, <code>delete</code>, <code>upsert</code>, and batch operations) to log changes. Because it runs directly inside your application code, it captures full request context and user details seamlessly.</p> <p>Here is how to set it up and what it gives you.</p> <h3> 1. The Audit Log Schema </h3> <p>First, add an <code>AuditLog</code> model to your <code>schema.prisma</code> file. This is where your audit records will be stored:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>model AuditLog { id String @id @default(cuid()) userId String? @map("user_id") recordId String @map("record_id") action String // "create" | "update" | "delete" model String // E.g. "User", "Post" oldData Json? @map("old_data") newData Json? @map("new_data") changedFields String[] @map("changed_fields") ipAddress String? @map("ip_address") userAgent String? @map("user_agent") metadata Json? createdAt DateTime @default(now()) @map("created_at") @@map("audit_logs") } </code></pre> </div> <h3> 2. Basic Extension Setup </h3> <p>You can register the audit log extension on your existing <code>PrismaClient</code> in seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@prisma/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auditLogExtension</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@explita/prisma-audit-log</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAuthContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/auth</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Your auth/request storage</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">().</span><span class="nf">$extends</span><span class="p">(</span> <span class="nf">auditLogExtension</span><span class="p">({</span> <span class="c1">// 1. Context-Aware Logging: Automatically capture user/network context</span> <span class="na">getContext</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nf">getAuthContext</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">?.</span><span class="nx">userId</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">anonymous</span><span class="dl">"</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">session</span><span class="p">?.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">session</span><span class="p">?.</span><span class="nx">userAgent</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">session</span><span class="p">?.</span><span class="nx">tenantId</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">},</span> <span class="c1">// 2. Data Sanitization: Mask passwords or security tokens globally</span> <span class="na">maskFields</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">token</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">creditCard</span><span class="dl">"</span><span class="p">],</span> <span class="na">maskValue</span><span class="p">:</span> <span class="dl">"</span><span class="s2">[REDACTED]</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// 3. Fine-grained filtering per model</span> <span class="na">fieldFilters</span><span class="p">:</span> <span class="p">{</span> <span class="na">User</span><span class="p">:</span> <span class="p">{</span> <span class="na">exclude</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">passwordSalt</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="na">Payment</span><span class="p">:</span> <span class="p">{</span> <span class="na">include</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">amount</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">status</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">createdAt</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// Whitelist only</span> <span class="p">},</span> <span class="p">},</span> <span class="c1">// 4. Skip unnecessary logging (e.g. high-frequency sessions)</span> <span class="na">skip</span><span class="p">:</span> <span class="p">({</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">operation</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">model</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">Session</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">operation</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">create</span><span class="dl">"</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">},</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <h3> 3. What Happens Under the Hood? </h3> <p>Once registered, you write your normal database queries, and Prisma Audit Log handles the rest behind the scenes.</p> <p>For example, when you perform a normal Prisma update:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user_abc</span><span class="dl">"</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">newemail@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ADMIN</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The extension intercepts this, calculates the diff between the database state before and after, and creates a record that looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"log_12345"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin_user_id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"recordId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="nl">"model"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"oldData"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oldemail@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USER"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"newData"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_abc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"newemail@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ADMIN"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"changedFields"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="s2">"role"</span><span class="p">],</span><span class="w"> </span><span class="nl">"ipAddress"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mozilla/5.0..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tenantId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tenant_1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"createdAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-21T13:15:34Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 4. Key Developer-First Features </h3> <p>Here are some details I built in to keep database logs clean, performant, and safe:</p> <h4> 🔇 Noise-Free Update Logs </h4> <p>Have you ever seen audit logs filled with thousands of rows where nothing actually changed? Prisma updates often touch a model's <code>updatedAt</code> field or re-save unmodified fields. Prisma Audit Log automatically detects if <strong>only</strong> the timestamp fields changed, and quietly skips creating an audit entry. Your logs stay clean and noise-free.</p> <h4> ⚡ Efficient Batch Processing </h4> <p>When you run bulk operations like <code>createMany</code>, <code>updateMany</code>, or <code>deleteMany</code>, inserting audit logs one-by-one is a performance killer. The extension groups and batches these operations, falling back gracefully to single inserts only when necessary.</p> <h4> 🔌 Send Logs Anywhere </h4> <p>By default, the extension saves audit logs directly to your <code>AuditLog</code> table using the Prisma schema above. But if you want to stream logs to an external service (like Datadog, Axiom, or a Kafka queue), you can override the target using a custom <code>logger</code> callback:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">auditLogExtension</span><span class="p">({</span> <span class="na">logger</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">logs</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Send logs to Elasticsearch, Datadog, or cloud storage</span> <span class="k">await</span> <span class="nx">datadogClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">logs</span><span class="p">);</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h3> Give it a try! 🚀 </h3> <p>Prisma Audit Log is open-source (MIT licensed) and ready for use. If you're building systems that require database compliance, transparency, or debugging reassurance, give it a spin:</p> <ul> <li> <strong>NPM</strong>: <code>npm i @explita/prisma-audit-log</code> </li> <li> <strong>GitHub</strong>: <a href="https://github.com/explita/prisma-audit-log" rel="noopener noreferrer">github.com/explita/prisma-audit-log</a> </li> </ul> <p><em>If this helps you sleep a bit better at night knowing your database history is safe, I'd love a GitHub ⭐! Let me know in the comments if you have any questions or feature suggestions.</em></p> prisma audit logging typescript explita Thu, 21 May 2026 12:11:49 +0000 https://dev.to/explita/why-i-built-my-own-typescript-rpc-framework-and-why-you-might-actually-want-it-32b9 https://dev.to/explita/why-i-built-my-own-typescript-rpc-framework-and-why-you-might-actually-want-it-32b9 <p>I have a problem.</p> <p>Every time I start building a Next.js application, I find myself fighting the exact same set of friction points:</p> <ol> <li> <strong>Fragile Type Safety</strong>: Type safety that works beautifully on the server but quietly disintegrates or requires manual alignment across the network boundary.</li> <li> <strong>Dev-Loop Bloat</strong>: Codegen tools and compilation steps that add 15 to 30 seconds of waiting time to my dev loop.</li> <li> <strong>Imprecise Error Handling</strong>: Catching errors that is either overly verbose (try-catch blocks wrapping every handler) or non-existent.</li> <li> <strong>Manual Plumbing</strong>: Wiring up Redis caching, rate limiting, and circuit breakers manually, procedure by procedure, project by project.</li> </ol> <p>So, I did the classic, slightly unhealthy developer thing: <strong>I built my own solution.</strong></p> <p>It’s called <strong>Actyx RPC</strong>. And before you roll your eyes at the mention of another "typesafe RPC framework" (trust me, I know there are like seventeen of these now) — <strong>hear me out</strong>. Actyx isn't just about sharing types; it's about solving the practical, everyday headaches of production backend development in TypeScript.</p> <p>Here is how it works and why it’s become my go-to stack.</p> <h2> 1. The Foundation: A Composable Base Procedure </h2> <p>Instead of setting up boilerplate for every route, Actyx uses a builder pattern. You define a base procedure instance that handles authentication, error mapping, telemetry, and input enrichment globally. Every procedure you create from this base builder automatically inherits these behaviors.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createProcedure</span><span class="p">,</span> <span class="nx">RedisCache</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@explita/actyx-rpc</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Optional: Spin up Redis for cross-serverless caching and rate limiting</span> <span class="c1">// const redisClient = new Redis("redis://localhost:6379");</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">procedure</span> <span class="o">=</span> <span class="nf">createProcedure</span><span class="p">({</span> <span class="c1">// cache: new RedisCache({ redis: redisClient, defaultTTL: "5m" }),</span> <span class="c1">// 1. Establish the request context (Auth, session, user roles)</span> <span class="k">async</span> <span class="nf">createContext</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSession</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">"</span><span class="s2">INVALID_SESSION</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ctx</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">},</span> <span class="c1">// 2. Automatically handle context failures (like redirects or custom errors)</span> <span class="c1">// This is only called when the createContext returns an object with ok:false</span> <span class="na">onContextError</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">reason</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">loginPath</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">reason</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">INVALID_SESSION</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">_redirect</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">redirect</span><span class="p">(</span><span class="nx">loginPath</span><span class="p">),</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">"</span><span class="s2">UNAUTHORIZED</span><span class="dl">"</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized access</span><span class="dl">"</span><span class="p">,</span> <span class="p">};</span> <span class="p">},</span> <span class="c1">// 3. Centralized error mapping — no try/catch pyramids in your handlers!</span> <span class="nf">onError</span><span class="p">({</span> <span class="nx">error</span><span class="p">,</span> <span class="nx">ctx</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`[Error in </span><span class="p">${</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">handlerName</span><span class="p">}</span><span class="s2">]:`</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="c1">// Map database constraints (like Prisma unique key violations) globally</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">P2002</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">This record already exists</span><span class="dl">"</span><span class="p">,</span> <span class="na">reason</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CONFLICT</span><span class="dl">"</span><span class="p">,</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">409</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">},</span> <span class="c1">// 4. Enrich every incoming handler input with context variables automatically</span> <span class="nf">enrichInput</span><span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">userId</span> <span class="p">};</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Now, every procedure created from this <code>procedure</code> builder gets auth context checks, global error transforms, and user ID injection with <strong>zero</strong> additional lines of code.</p> <h3> 2. Defining and Calling Procedures </h3> <p>Actyx RPC keeps procedures simple. You define inputs using your validator of choice (Zod, Valibot, ArkType, Joi, Yup, or custom resolvers) and resolve them as either <code>.query()</code> (for reads) or <code>.mutation()</code> (for writes).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">zodResolver</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@explita/actyx-rpc/resolvers/zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">procedure</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./base-procedure</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Create a mutation procedure</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createPost</span> <span class="o">=</span> <span class="nx">procedure</span> <span class="p">.</span><span class="nf">name</span><span class="p">(</span><span class="dl">"</span><span class="s2">createPost</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">input</span><span class="p">(</span> <span class="nf">zodResolver</span><span class="p">(</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="na">body</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="p">}),</span> <span class="p">),</span> <span class="p">)</span> <span class="p">.</span><span class="nf">mutation</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">ctx</span><span class="p">,</span> <span class="nx">input</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// ctx.userId is fully typed and available</span> <span class="c1">// input.title and input.body are validated, typed, and sanitized</span> <span class="c1">// input.userId is injected from enrichInput!</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="na">authorId</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>When you call this procedure, Actyx returns a <strong>Go-style <code>[data, error]</code> tuple</strong>. No try/catch blocks needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">post</span><span class="p">,</span> <span class="nx">err</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createPost</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="dl">"</span><span class="s2">A Brand New Post</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">This is a body longer than ten characters.</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">toast</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">post</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="c1">// 'post' is fully typed!</span> </code></pre> </div> <h3> 3. The Features That Surprised Me (DX Wins) </h3> <p>While building Actyx, I added a few features to solve my own development fatigue, and they turned out to be absolute game-changers:</p> <h4> 💡 The <code>.mock()</code> Method (For Parallel Development) </h4> <p>Seeding and maintaining local databases just to test a frontend feature is exhausting. Actyx introduces first-class mocking directly in the builder chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">getUser</span> <span class="o">=</span> <span class="nx">procedure</span> <span class="p">.</span><span class="nf">name</span><span class="p">(</span><span class="dl">"</span><span class="s2">getUser</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">mock</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user_mock_123</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Jane Doe (Mocked)</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">jane@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">}))</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">input</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// This expensive DB query is skipped when MOCKing is active!</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Set <code>ACTYX_MOCK="true"</code> in your environment variables, and the backend handlers are bypassed. The middleware, session validation, and inputs are still processed, but your database is never touched. Frontend devs can code against a "perfect" mock state while the backend is still being designed.</p> <h4> 🧠 Caching with a Brain (SWR Built-in) </h4> <p>Actyx comes with Stale-While-revalidate (SWR) caching out of the box. You don't need Redis to get started; an in-memory cache adapter works by default, but you can plug in Redis as you scale:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">getPost</span> <span class="o">=</span> <span class="nx">procedure</span> <span class="p">.</span><span class="nf">cache</span><span class="p">({</span> <span class="na">ttl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">5m</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Fresh for 5 minutes</span> <span class="na">staleTime</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1m</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Becomes stale after 1 minute</span> <span class="na">staleWhileRevalidate</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Serve stale data, refresh in the background</span> <span class="na">key</span><span class="p">:</span> <span class="p">({</span> <span class="nx">input</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="s2">`post:</span><span class="p">${</span><span class="nx">input</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">input</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">post</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h4> 🛡️ Serverless-Friendly Rate Limiting </h4> <p>Because Actyx can plug directly into your Redis cache adapter, rate limiting persists across serverless function invocations (like Vercel Serverless/AWS Lambda instances).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">sendMessage</span> <span class="o">=</span> <span class="nx">procedure</span> <span class="p">.</span><span class="nf">rateLimit</span><span class="p">({</span> <span class="na">limit</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1m</span><span class="dl">"</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="p">(</span><span class="nx">ctx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="c1">// Limit requests per user</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You're sending messages too fast!</span><span class="dl">"</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">mutation</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">input</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">messageService</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">input</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h4> 🔗 Inter-Procedure Calling (Zero Network Hops) </h4> <p>When procedures call other procedures, network overhead and duplicated auth logic usually slow things down. Actyx uses <code>AsyncLocalStorage</code> under the hood. When one procedure calls another, it bypasses context re-creation and authentication entirely while keeping the context secure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">getAuditLog</span> <span class="o">=</span> <span class="nx">procedure</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">ctx</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">logs</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getUserDashboard</span> <span class="o">=</span> <span class="nx">procedure</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">ctx</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// This nested call automatically inherits the parent's auth context!</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">logs</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAuditLog</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">logs</span> <span class="p">};</span> <span class="p">});</span> </code></pre> </div> <h3> 4. What Else is in the Box? </h3> <p>To make Actyx a production-ready choice, I added several advanced features:</p> <ul> <li> <strong>OpenTelemetry</strong>: Native instrumentation so you can trace why a specific procedure is running slow at 3 AM.</li> <li> <strong>Automatic OpenAPI Specs</strong>: Auto-generate standard OpenAPI JSON files to keep documentation from rotting.</li> <li> <strong>Circuit Breakers</strong>: Prevent cascading failures when third-party microservices go down.</li> <li> <strong>Adaptive Compression</strong>: Native support for gzip, deflate, and brotli.</li> <li> <strong>Timeouts</strong>: Safe defaults to prevent hanging server processes.</li> <li> <strong>React Hooks</strong>: Built-in hooks (<code>useQuery</code>, <code>useMutation</code>, <code>useInfiniteQuery</code>) for frontend state synchronization.</li> </ul> <h3> What I Haven't Figured Out Yet </h3> <p>Actyx is working great for my production projects, but it’s still in active development. Here’s what’s currently on my drawing board:</p> <ol> <li> <strong>Bidirectional WebSockets</strong>: SSE (Server-Sent Events) streaming works perfectly for one-way flows (like LLM stream responses), but full bidirectional WS subscriptions are still being refined.</li> <li> <strong>Performance Benchmarks</strong>: It feels lightning-fast under typical workloads, but I want to perform strict load/torture tests to publish concrete numbers.</li> </ol> <p>If you have experience building scalable RPC networks or websocket adapters, I'd love to hear how you approached those challenges!</p> <h3> Give it a Spin 🚀 </h3> <p>Actyx RPC is entirely open-source (MIT licensed). Break it, inspect it, and tell me what you think.</p> <ul> <li> <strong>NPM</strong>: <code>npm i @explita/actyx-rpc</code> </li> <li> <strong>GitHub</strong>: <a href="https://github.com/explita/actyx-rpc" rel="noopener noreferrer">github.com/explita/actyx-rpc</a> </li> </ul> <p><em>P.S. — The name "Actyx" comes from "action" + "tyx" (as in type safety). Naming is hard. If you have a better suggestion, I'm all ears!</em></p> api nextjs showdev typescript