Rufus Gladness

Get In Touch
All Projects/Tenet

Tenet

An opinionated, enterprise-grade API framework for Node.js built for security and scalability. Tenet transforms backend development by making security checks 'opt-out' by default and replacing repetitive middleware boilerplate with declarative configuration, ensuring speed to MVP and long-term maintainability.

View on GitHub

Project Gallery

Tenet API framework dashboard showing request pipeline and metrics
Tenet API framework dashboard showing request pipeline and metrics - Image 1
Tenet API framework dashboard showing request pipeline and metrics - Image 2

Project Overview

Tenet is designed to solve the common challenges of building secure, compliant, and scalable SaaS applications without reinventing the wheel. Unlike most frameworks that require you to 'opt-in' to security checks, Tenet is **Security by Default**—meaning every handler automatically enforces strict input sanitization, authentication, and rate limiting unless explicitly exempted. By leveraging a declarative configuration object (`HandlerConfig`) and first-class TypeScript support, Tenet eliminates boilerplate and guarantees that inputs and database contexts are strictly typed and safe before your business logic ever runs.

Key Features

Security by Default

Security is 'opt-out', not 'opt-in'. Every handler comes with strict input sanitization, authentication checks, CSRF protection, and secure HTTP headers automatically.

Configuration over Boilerplate

Stop writing the same 20 lines of middleware. Use a declarative `HandlerConfig` object to describe behavior (e.g., 'Authenticated, Rate Limited'), and the framework constructs the pipeline for you.

First-Class Type Safety

Inputs are derived automatically from Zod schemas, and database context is generated from Prisma, ensuring the `user`, `tenant`, and `input` in api handlers are guaranteed to be present and correct.

Sophisticated Request Pipeline

Requests traverse a rigorous 'Shield -> Context -> Guard' pipeline that handles rate limiting, tenant resolution, and validation before reaching business logic.

Compliance Ready

Enforces patterns that satisfy security audits (SOC2/GDPR) out of the box, with built-in audit logging and uniform API structures.

Technical Highlights

  • implemented a 'Shield, Context, Guard' pipeline architecture that validates requests in layers before execution
  • Created a declarative configuration system using sophisticated TypeScript generics to infer types from Zod schemas
  • Built automatic multi-tenancy using Prisma Client Extensions to inject row-level security logic directly into query builders
  • Integrated Redis for distributed infrastructure, handling rate limiting, response caching, and idempotency
  • Wrapped Express.js to provide modern async features and strict typing while maintaining access to its vast ecosystem

Architecture

Design Patterns

Pipeline ArchitectureDeclarative ConfigurationDependency InjectionAdapter PatternGuard Pattern

Key Components

  • The Shield (Security Headers & Sanitization)
  • The Context (Auth & Tenant Resolution)
  • The Guard (Zod Validation)
  • The Handler (Business Logic)
  • Redis Rate Limiter

Scalability Features

  • Stateless architecture suitable for containerized deployment
  • Distributed rate limiting via Redis
  • Horizontal scaling support
  • Efficient database connection pooling with Prisma

Code Samples

Declarative Handler Configuration

Define *what* you want, not *how* to do it. The framework handles the rest.

export const createOrder = createAuthenticatedHandler({
  // 1. The Guard: Strict Input Validation
  schema: z.object({
    productId: z.string().uuid(),
    quantity: z.number().min(1).max(100)
  }),

  // 2. The Context: Configuration instead of middleware
  rateLimit: { window: '1m', max: 5 },
  audit: { action: 'ORDER_CREATED', resource: 'Order' },

  // 3. The Handler: Clean, Typed Business Logic
  handler: async ({ input, user, tenant, prisma }) => {
    // 'input' is typed, 'user' is authenticated, 'tenant' is resolved
    return prisma.order.create({
      data: {
        ...input,
        userId: user.id,
        tenantId: tenant.id
      }
    });
  }
});

Challenges & Solutions

Designing a system where security is 'opt-out' without compromising flexibility. The solution was a hierarchical configuration system where defaults are secure, but specific rules can be overridden declaratively for specific endpoints.

Achieving seamless multi-tenancy. I utilized Prisma's Client Extensions to inject security filters, ensuring that data leaks are prevented at the application level by scoping every query to the active tenant automatically.

Balancing modern developer experience with proven stability. I chose to wrap Express (battle-tested) rather than choosing a newer, less mature runtime, adding a layer of strong typing and async handling on top to get the best of both worlds.

Results & Impact

  • Speed to MVP: Startups get a production-ready foundation with Auth and Multi-Tenancy out of the box.
  • Standardization: A uniform structure means any developer can understand the codebase immediately.
  • Reduced Risk: 'Security by Default' philosophy eliminates common vulnerabilities like missing auth checks or XSS.
  • Developer Experience: strict typing and reduced boilerplate allow developers to focus 100% on unique product value.
Want a technical cofounder?