dazzle-dsl 0.71.133

DAZZLE — declarative SaaS framework with built-in compliance (SOC 2, ISO 27001), provable RBAC, and graph features

DAZZLE

A semantic substrate for AI-collaborative software. Model your business. Ship your product. Pass your audit.

Dazzle is a declarative framework for building SaaS applications — and a research project exploring what software architecture looks like when AI collaborators are treated as first-class readers and writers of the codebase. You describe your business in structured .dsl files: entities, roles, rules, workflows, events. The runtime executes that description directly. There is no code generation step, no scaffold to maintain, and no second source of truth.

cd examples/simple_task && dazzle serve
# UI:  http://localhost:3000
# API: http://localhost:8000/docs

---

The thesis

Traditional software architecture is optimized for humans. Files, modules, conventions, and abstractions are arranged to fit a programmer's working memory.

That optimization is no longer the only one that matters. An increasing share of software work — exploration, modification, review, refactor, test — happens with an AI collaborator in the loop. Codebases that scatter meaning across controllers, models, migrations, and templates burn context window on plumbing the model already understands. Codebases whose intent is encoded in a typed, inspectable graph let the model spend its attention on the actual problem.

Dazzle is a bet that semantic compression — putting your application's meaning in one inspectable, machine-readable form — produces software that is easier to evolve, easier to audit, and easier to collaborate on with both humans and machines. The DSL is not a shortcut to a generated codebase. It is the codebase.

---

Design principles

Eleven stated positions, defended in the ADRs:

1. The DSL is the source of truth. API specs, tests, compliance evidence, and runtime behaviour are all derived from the same IR.
2. No code generation. The runtime executes the IR directly. No regeneration drift, no generated files to maintain.
3. Anti-Turing by design. The DSL has no arbitrary computation. Everything is statically inspectable, lintable, and verifiable.
4. PostgreSQL only. One capable relational database plus disciplined semantics beats distributed-systems sprawl for the workloads Dazzle targets.
5. Server-rendered HTML + HTMX. No SPA framework, no build toolchain, no client-state fragmentation.
6. Fragments as the only escape hatch. When the DSL can't express it, you reach for a fragment — a constrained, named, semantically-tagged piece of custom rendering. Not arbitrary frontend.
7. Append-oriented history. Events, decisions, and grants are logged. Auditors don't need to spelunk; the trail is part of the substrate.
8. Provable RBAC. Scope rules compile to a formal predicate algebra and are statically validated against the FK graph.
9. No hidden singletons. Dependencies are explicit (RuntimeServices, ServerState) — readable by both humans and agents.
10. No backwards-compat shims. Pre-1.0, clean breaks beat layered workarounds. Callers are updated in the same commit.
11. Bump on every fix. Every push gets a unique semantic version — deployment traceability over release ceremony.

If you disagree with one of these, you'll probably disagree with the rest. That's the point of stating them up front.

---

Why Dazzle

Your business model IS the application

Most frameworks ask you to express your business logic across scattered files — controllers, models, migrations, middleware, templates. When requirements change, you update all of them and hope they stay in sync.

Dazzle inverts this. You write what your business is — entities, roles, permissions, workflows, state machines — and the runtime executes it directly. Change the DSL, refresh the browser. The DSL is the single source of truth for your application, your API spec, your test suite, and your compliance documentation.

Built for the compliance conversation

If you're building SaaS — especially in regulated industries — you will face auditors. They will ask: who can access what? how are changes controlled? where is sensitive data classified?

Most teams answer these questions retroactively, combing through code to produce evidence. Dazzle derives the answers from the DSL itself:

• Access control is declared in the DSL and provably enforced. Every permission is statically verifiable.
• State machines model approval workflows, transitions, and four-eyes authorization.
• Compliance evidence is extracted automatically. Run dazzle compliance compile --framework soc2 and get a structured audit report showing which controls your DSL satisfies.
• Grant-based RBAC supports delegated, time-bounded access with approval workflows — the kind of access governance auditors want to see.

Dazzle currently supports ISO 27001 and SOC 2 Trust Services Criteria out of the box, with automatic evidence mapping from your DSL declarations to specific framework controls.

From idea to running product, fast

module my_app
app todo "Todo Application"

entity Task "Task":
  id: uuid pk
  title: str(200) required
  completed: bool=false
  created_at: datetime auto_add

surface task_list "Tasks":
  uses entity Task
  mode: list
  section main:
    field title "Title"
    field completed "Done"

Save this as app.dsl, run dazzle serve, and you have:

• A PostgreSQL-backed database with correct types and constraints
• CRUD API endpoints with pagination, filtering, and sorting
• A rendered list UI with sortable columns, search, and a create form
• OpenAPI documentation at /docs
• A health endpoint with deployment integrity verification

That's a todo app. The same language scales to 39-entity accountancy platforms with double-entry ledgers, multi-step onboarding wizards, and role-based dashboards. You add complexity only where your business needs it.

---

What you can model

Capability	What it does	Why it matters
Entities	Data models with types, constraints, relationships	Your domain model, declared once
Surfaces	List, detail, create, review views	UI and API from the same declaration
Workspaces	Role-based dashboards with filtered regions	Each persona sees what they need
State Machines	Lifecycle transitions with guards and approval	Business processes enforced, not just documented
Access Control	Cedar-style permit/forbid rules, scope predicates	Provable RBAC — auditors can verify mechanically
Grant Schemas	Delegated, time-bounded access with approval	Four-eyes authorization, SOC 2-ready
Processes	Multi-step workflows with saga patterns	Durable business operations
Experiences	Onboarding wizards, checkout flows	Guided multi-step user journeys
Ledgers	TigerBeetle-backed double-entry accounting	Financial-grade transaction integrity
Graphs	Entity relationships with CTE traversal and algorithms	Network analysis, shortest paths, community detection
HLESS Events	Intent/Fact/Observation/Derivation event semantics	Replay correctness, audit lineage, no "events as a vague bucket"
Fragments	Constrained custom rendering inside generated surfaces	Differentiated UX without losing semantic integrity
Integrations	Declarative API bindings with triggers and mappings	Connect to Stripe, HMRC, Xero, and more
LLM Jobs	Classification, extraction, generation tasks	AI capabilities without prompt engineering sprawl
Compliance	Maps DSL constructs to ISO 27001 and SOC 2 controls	Control-coverage evidence, gaps flagged

For the full DSL reference, see docs/reference/index.md.

Vocabulary glossary

A few Dazzle keywords don't map one-to-one onto industry terms. If you're skim-reading the DSL for the first time:

Dazzle term	What other communities call this
surface	view, page, screen — a UI/API endpoint with one entity and one mode
workspace	dashboard, role home, console
experience	wizard, flow, multi-step form
rhythm	recurring cadence, scheduled review, periodic ritual
archetype	persona pattern, role family
hless	event-stream semantics (HLESS = High-Level Event Semantics Specification — why this name)
fragment	escape-hatch component, custom partial

---

Compliance and security

Dazzle treats compliance as a first-class concern, not an afterthought.

Automated evidence extraction

Every DSL construct that relates to security — access rules, data classification, state machine transitions, process workflows — is automatically mapped to compliance framework controls. Run:

dazzle compliance compile --framework iso27001   # ISO 27001 audit
dazzle compliance compile --framework soc2       # SOC 2 TSC audit
dazzle compliance gaps --framework soc2          # Show unmet controls

The output is a structured AuditSpec showing which controls are evidenced (your DSL satisfies them), which are gaps (your DSL should cover them but doesn't), and which are excluded (physical security, HR — outside DSL scope).

Provable access control

Scope rules compile to a formal predicate algebra, statically validated against the FK graph at dazzle validate time. The verification framework has three layers:

Layer	What it proves
Static Matrix	Every (role, entity, operation) combination is computed from the DSL
Dynamic Verification	The running app is probed as every role to confirm runtime matches the matrix
Decision Audit Trail	Every access decision is logged with the matched rule and outcome

dazzle rbac matrix    # Generate the access matrix (no server needed)
dazzle rbac verify    # Verify runtime matches the matrix (CI gate)
dazzle rbac report    # Compliance report for auditors

See RBAC Verification and Compliance for details.

---

What Dazzle is not for

Stating this directly because it matters:

• Real-time collaborative editing. No CRDT layer, no client-state model.
• Graphics-heavy or canvas-based interfaces. Server-rendered HTML is not the right substrate.
• Local-first or offline-first applications. Authority lives on the server and in PostgreSQL.
• General-purpose programming. The DSL is deliberately not Turing-complete. If you need arbitrary computation, you need a different tool — or you write a fragment.
• Replacing your existing codebase wholesale. Dazzle is most useful for new applications where governance, workflow, and audit are first-class concerns from day one.

The framework is strongest for enterprise SaaS, workflow systems, operational tooling, and governance-heavy applications. That's the bet.

---

Quick Start

# Install
brew install manwithacat/tap/dazzle   # macOS/Linux (auto-registers MCP server)
# or: pip install dazzle-dsl

# Run the example
cd examples/simple_task
dazzle serve

# Open http://localhost:3000 for the UI
# Open http://localhost:8000/docs for the API

Supported runtime: Python 3.12+ · PostgreSQL · macOS / Linux. CI exercises Python 3.12 — the project's single supported minor version.

---

Architecture

DSL Files  →  Parser + Linker  →  AppSpec (IR)  →  Runtime (live app)
                                                 →  OpenAPI / AsyncAPI specs
                                                 →  Test generation
                                                 →  Compliance evidence
                                                 →  Fidelity scoring

The DSL is parsed into a typed intermediate representation (AppSpec IR). The runtime executes the IR directly — no code generation step. Every artifact (API specs, tests, compliance reports, demo data) is computed from the same IR.

This architecture is deliberately anti-Turing: the DSL has no arbitrary computation, which means Dazzle can statically validate, lint, measure fidelity, and reason about your application. What you declare is what runs.

The frontend uses server-rendered HTML with HTMX — zero build toolchain, stable technology, and full visibility into what the runtime produces. For UX that the generated surfaces can't express, fragments provide a constrained escape hatch: named, semantically-tagged custom rendering that remains connected to the entity and surface graph.

For the full architecture, see docs/architecture/overview.md. For the event-semantics rationale, see docs/architecture/hless-deep-dive.md.

---

AI-assisted development

Dazzle ships as both a runtime and an AI development environment. When used with Claude Code (via MCP), you get access to 26 tools with 170+ operations that span the full lifecycle:

Stage	What the tools do
Spec to DSL	Turn a natural-language idea into validated DSL — entity discovery, lifecycle identification, persona extraction
Test and Verify	Generate stories, design tests, execute at three tiers (API, browser, LLM-guided), seed demo data
Analyze and Audit	Quality pipeline, agent-powered gap discovery, visual composition analysis, RBAC policy verification
Site and Brand	Manage public site structure, copy, theme, and design tokens from spec files
Stakeholder Ops	Launch readiness scores, investor pitch generation, user/session management

The agent framework uses an observe-decide-act-record loop to autonomously explore running applications, discover gaps, and propose DSL fixes. Discovery modes include persona-based exploration, CRUD completeness analysis, workflow coherence checks, and headless DSL/KG analysis.

For the full MCP tool reference, see Architecture: MCP Server. For how the autonomous slash-command harness drives day-to-day development on the framework itself, see Autonomous Harness.

Claude Code integration

# Homebrew: MCP server auto-registered during installation
brew install manwithacat/tap/dazzle

# PyPI: Register manually
pip install dazzle-dsl
dazzle mcp setup

# Verify
dazzle mcp check

---

Examples

Example	Complexity	What it demonstrates
simple_task	Beginner	3 entities, state machine, personas, workspaces, access control
contact_manager	Beginner	CRM with relationships and list/detail surfaces
support_tickets	Intermediate	Ticket lifecycle with state machines and assignments
ops_dashboard	Intermediate	Workspace stages and aggregate metrics
fieldtest_hub	Advanced	Full-featured demo with integrations
pra	Advanced	15 DSL files covering every construct: ledgers, processes, LLM, services

---

IDE support

Full LSP implementation: real-time diagnostics, hover docs, go-to-definition, auto-completion, document symbols.

dazzle lsp run           # Start the LSP server
dazzle lsp check         # Verify dependencies
dazzle lsp grammar-path  # TextMate grammar for syntax highlighting

Works with VS Code, Neovim, Emacs, and any editor supporting LSP. See docs/reference/index.md for editor setup.

---

Documentation

• Evaluating Dazzle — skeptical-evaluator walkthrough: see the claims demonstrated in ~30 min
• Security & Compliance Claims — claim-by-claim inventory: status, enforcement, tests, known gaps
• Agent Workflow Guide — end-to-end AI-agent spec-edit loop: spec change → DSL edit → validate → tests → human review → deploy
• DSL Reference — complete guide to all DSL constructs
• HLESS deep dive — event semantics and why they're named this way
• Graphs — entity graph relationships, CTE traversal, algorithms
• Compliance — ISO 27001 + SOC 2 evidence pipeline
• RBAC Verification — provable access control
• Autonomous Harness — Claude Code slash commands + methodology
• ADRs — architectural decisions, defended
• Architecture — system design, pipeline, MCP server
• Getting Started — installation, quickstart, first app
• Examples — runnable example applications

---

About this project

Dazzle is a research project exploring what application substrates look like when AI collaborators are treated as first-class readers and writers. It is developed in the open, primarily by a single author, with heavy AI assistance — both in the framework itself and in the example apps built on top of it. Release cadence is high (every fix gets a unique version for deployment traceability) and pre-1.0 breaks are intentional rather than apologetic. If you're evaluating Dazzle for production use, talk to us first.

Contributing

See CONTRIBUTING.md.

License

MIT — see LICENSE