ObjectStackObjectStack Protocol

Kernel Architecture

The Design of the ObjectOS Kernel. The centralized engine for Identity, Security, and Sync.

ObjectOS is the "Operating System" of the stack. While ObjectQL deals with Data, ObjectOS deals with Control.

It acts as a middleware kernel that sits between the API and the Database Driver, ensuring that every data access is authenticated, authorized, and compliant with business rules.

The Kernel Layers

1. The Identity Layer (Who?)

Before any logic runs, the Kernel resolves the actor.

  • Authentication: OIDC, SAML, or LDAP.
  • Session Management: Stateless JWT or Session Store.
  • Context Injection: Loading userId, role, and organization into the request context.

2. The Policy Layer (Can they?)

The Kernel enforces the "Defense in Depth" security model.

  • Profile Check: Does this user have license to use this App?
  • Object Permission: Can they READ the Contract object?
  • Field Level Security (FLS): Are they allowed to see contract_value?
  • Sharing Rules: Do they have access to this specific record?

3. The Logic Layer (What happens?)

This is the "Business Logic" container.

  • Triggers: Synchronous logic (beforeInsert).
  • Flows: Visual orchestration (Approval Process).
  • Jobs: Asynchronous tasks (Send Email).

4. The Sync Layer (Where is it?)

ObjectOS is designed for Local-First operation.

  • Change Data Capture (CDC): Tracking the "Delta" of every transaction.
  • Replication: Syncing these deltas to edge devices (SQLite) or data warehouses (Snowflake).

On this page

The Kernel Layers1. The Identity Layer (Who?)2. The Policy Layer (Can they?)3. The Logic Layer (What happens?)4. The Sync Layer (Where is it?)