GraphJin GraphJin gives AI agents one governed graph across your databases, files, APIs, and source code — GraphQL and MCP in, one optimized, policy-checked operation out. home home home _index.md

Connect your AI agents to every database you run. Get answers backed by evidence.

Most teams hand-wire a brittle tool for every question an agent might ask. GraphJin auto-learns your databases, files, APIs, and source code into one governed graph — and ships the agent that works it.

Under the hood: a compiler, not a framework. Agents ask in a small graph query language models get right on the first try — each request compiles into one optimized, policy-checked operation. Bring Claude or Codex over MCP, or use the built-in agent.

Single Go binary · 12+ engines · Apache 2.0 · in production since 2019

GraphJin Agent · localhost:8083/agent
Which account is most at risk of churning?
query_catalog
discover -> accounts · invoices · usage_events
execute_graphql
1 optimized query · churn signals by account

Evidence checked · 2 reads · 1 execution

Meridian Robotics — renewal in 9 days, 2 failed payments, usage down sharply.

Answers it can't fake

A ledger in Go records what actually ran. Unbacked claims flip answered to blocked — the fake answer never leaves the server.

Ask in plain English. Get real data back.

The hero window is the short version — here is the full loop, tool call by tool call. Claude Desktop, Codex, or any MCP client talks to GraphJin: the agent discovers the shape, validates its query, and GraphJin compiles it into one optimized database query — then answers with rows it can reason over.

Claude Desktop
who's the top customer?
query_catalog
discover -> customers · purchases · products (2 relationships)
validate_where_clause
validate -> filters ok on customers, purchases · order_by total_spent
execute_graphql
{ customers { id full_name email purchases { quantity product { price } } } }
one optimized query, no N+1, no resolvers
SELECT json_agg(__sj.json) AS customers
FROM customers AS c
LEFT JOIN LATERAL (
  SELECT sum(p.quantity * pr.price) AS total_spent
  FROM purchases p
  JOIN products pr ON pr.id = p.product_id
  WHERE p.customer_id = c.id
) __agg ON true
ORDER BY __agg.total_spent DESC NULLS LAST
LIMIT 5;

Done

Based on the purchase data, here are the top customers ranked by total spend:

RankCustomerEmailOrdersItemsTotal Spent
01Antwan Friesenfrancohirthe@medhurst.com20124$928.45
02Lon Cruickshankmargaretbailey@ruecker.info2094$586.50
03Susana Schaeferjewelpowlowski@osinski.biz2091$580.72

Antwan Friesen is the top customer with almost $1,000 in purchases, about 60% more than the runner-up.

Your agent is only as good as what it can see.

$2.5 trillion goes into AI this year — and a capable model still enters your stack blind. It doesn't know your schema, your permissions, your saved queries, or where a field is written in code — so it works from memory and guesses.

AI agentworks from memoryno map · no guardrails????DatabaseRemote APIsFilesSource code
$2.5T1

A tool for every question

Worldwide AI spend in 2026 — yet teams still hand-write a brittle API or MCP tool for each thing an agent might ask. The surface never keeps up, and every new question is new glue code.

21%2

Guesses, not facts

The best model's success rate on real enterprise text-to-SQL — down from 91% on academic benchmarks. Without a map, agents invent joins, fake fields, and confuse API shape with database shape.

88%3

Too risky for production

Organizations that saw an AI-agent security incident in the past year. Handing an agent raw credentials means hoping it guesses right — so it stays read-only, shallow, or boxed out.

The fix isn't a smarter prompt. It's giving the agent the map — and the guardrails. And it isn't another raw connector: 43% of tested MCP servers shipped with command-injection flaws.4

Sources: 1. Gartner, Jan 2026 · 2. Spider 2.0, ICLR 2025 · 3. Gravitee State of AI Agent Security, 2026 · 4. Equixly, 2025

One graph your agent can explore — within bounds you set.

Instead of brittle hand-written APIs, point GraphJin at the systems you already run. It auto-learns the shape and exposes one governed graph the agent can explore: one query — in a graph language models handle far better than raw SQL — across every database, file, remote API, and your own source code, including the relationships across them.

Not a read-only BI copilotNot another MCP-to-database connectorNot a pile of hand-written wrappers
policy boundary · one config · within boundsDatabaseRemote APIsFilesSource codeGraphJinone graph · GraphQL · MCPdata · files · APIs · code — and the relationships across them
EX

Explore, don't guess

Discover schemas, relationships, and examples from the live system, not from memory.

1Q

One query, every system

Databases, files, APIs, and code join in a single request.

WB

Within bounds

One config decides what each agent can see, run, and change.

GraphJin is the only open-source system where agents work your data and your source code under one compiled policy — with every answer checked against an execution ledger before it leaves the server. Compiling queries in production since 2019 — watch the ledger catch a fake answer.

One instruction in. One evidence-backed answer out.

Above, an external client drives the loop, tool call by tool call. GraphJin can also run that loop itself — POST one instruction and get back a typed answer your code can branch on.

01 — The ask

POST one instruction

One curl with a plain-English instruction. No orchestration framework, no tool wiring — the whole loop lives behind a single endpoint, enabled by three lines of YAML.

02 — The loop

GraphJin runs it — as the caller

Discovery, validation, and execution happen inside the server, under the caller's identity and row-level security. Every step is protocol-guarded in Go and written to the execution ledger.

03 — The answer

Typed JSON, checked against the ledger

status, answer, data, evidence, actions — every claim cross-checked against what actually ran before it leaves the server. Your code branches on status, not prose.

terminal
# enable once in agentic.yml:
#   agent: { enabled: true, provider: openai,
#            model: gpt-4.1-mini, api_key_env: OPENAI_API_KEY }

curl -sS localhost:8080/api/v1/agent \
  -H 'content-type: application/json' \
  -d '{"instruction": "What should we prioritize next?"}'
response.json
{
  "status": "answered",
  "answer": "Start the Northstar run — priority 1, largest volume.",
  "data": [
    { "priority": 1, "product": "Northstar Blend 340g", "bags": 420 },
    { "priority": 2, "product": "Harbor Espresso 1kg", "bags": 80 }
  ],
  "evidence": {
    "protocol": {
      "catalog_ids": ["table:ops:public.production_orders"],
      "executions": [{ "has_data": true }]
    }
  },
  "actions": [
    { "step": 1, "tool": "query_catalog", "status": "ok" },
    { "step": 2, "tool": "execute_graphql", "status": "ok" }
  ]
}
3 lines of YAML to enableMCP tool · REST · SSE streamingWeb-console chat built inKill-switch: agent.read_only
ID

Runs as the caller

The agent inherits the request's identity. Core roles and row-level security decide what it can read or write — the same enforcement as any GraphQL request, with a capability profile that can't be spoofed from a request body.

EV

Answers it can't fake

Protocol guards in Go force discovery, validation, and evidence before execution. Skip a step and answered downgrades to blocked — with a machine-actionable refusal naming the exact unblock steps, not a lecture. Watch one get caught.

7B

Any code-capable model

The loop is generated JavaScript in a sandbox, not provider function-calling. Point agent.base_url at any OpenAI-compatible endpoint — vLLM, Ollama, OpenRouter, a local 7B — or set agent.sampling: auto and borrow the calling MCP client's model. No server-side key at all.

The model made up an answer. The ledger caught it.

A real run against the coffee-roastery demo. Every real tool call goes through Go, which keeps its own ledger of what actually happened — what was discovered, what ran, what returned data. The model's words never write that ledger, and after the run GraphJin cross-checks every claim against it. Deterministically, in Go — where a clever prompt can't reach.

01 — The ask

The query never runs

"Which roast batches should be held for quality review?" The model reaches for the saved query but skips the required detail inspection, so the guard rejects the call. No rows ever come back.

02 — The bluff

The model invents a table

Instead of reporting the miss, it writes a confident quality-review table — batch codes, reasons, recommendations. Plausible, well-formatted, and completely made up.

03 — The catch

Go checks the ledger

No successful execution in the ledger means the claims have no evidence. GraphJin flips answered to blocked and returns the refusal on the right — the fake table never leaves the server.

response.json
{
  "status": "blocked",
  "refusal": {
    "code": "saved_query_detail_required",
    "blocked_action": "execute_saved_query",
    "because": [
      "protocol violation: inspect query_catalog(id: \"saved_query:batch_quality_snapshot\") before execute_saved_query"
    ],
    "unblock": [
      {
        "tool": "query_catalog",
        "args": { "id": "saved_query:batch_quality_snapshot" },
        "reason": "Inspect the saved query detail before executing it."
      }
    ],
    "lawful_alternative": "Inspect the saved query detail first, then execute the approved saved query.",
    "retryable": true
  }
}

Captured live. The actual response from this run — trimmed, not retouched. The refusal is machine-actionable: it names the exact unblock step, so a calling agent corrects course and retries instead of guessing.

Ledger written by Go, not the modelModel history is untrustedDeterministic post-run checkRuns as the caller — RLS still applies

The smoke suite jailbreak-tests this in every demo vertical. A model told to skip discovery and mutate anyway gets status: "blocked" and a machine-actionable refusal with unblock steps — asserted end-to-end on every smoke run. Watch the loop live: every demo streams each tool call — green dot or red — at localhost:8080/agent.

Five demos. Real domains. One command each.

Not toy schemas — each demo boots a full vertical: schema, seeded operational data, saved queries, workflows, and the agent wired in. Seeds anchor to today, so the data never goes stale. Delete the demo/ folder to reset. Pick a domain and start interrogating it.

5 verticals6 database enginesCodeSQL + files + OpenAPI sources12 workflows · 12 saved queries
:8080Postgres · BigQuery-emu · CodeSQL

Coffee roastery

Roast schedules, cupping scores, sensor telemetry, production orders — the flagship agentic demo.

"Which roast batch should be held for quality — and why?"

graphjin serve --demo --path examples/coffee-roastery
:8083SQLite — zero Docker

SaaS ops

Accounts, subscriptions, invoices, support tickets — built into the binary; boots in seconds, no clone, no containers.

"Which account is most at risk of churning?"

graphjin serve --demo
:8081MySQL · BigQuery-emu · JWT roles

Corrugated plant

Work orders, corrugator runs, downtime, quality holds — behind real role-gated auth.

"Which work orders should the corrugator run first?"

graphjin serve --demo --path examples/corrugated-plant
:80828 sources — Mongo · files · OpenAPI

PCB fab

Fab orders, yield analytics, test measurements, Gerber files, a live supplier API — one graph.

"Which fab order should we release next — and what's the evidence?"

graphjin serve --demo --path examples/pcb-fab

Just want the classic GraphQL starter? webshop — single Postgres, RBAC, a Stripe-style remote join, recursive comments. graphjin serve --demo --path examples/webshop

Works with all your databases.
And more.

Point GraphJin at as many systems as you need — Postgres for users, MySQL for orders, Snowflake, Redshift, and BigQuery for analytics, Cassandra or Keyspaces for CQL workloads, MongoDB for events, HTTP APIs for remote services, object storage for files, and CodeSQL for source trees — and query them through a single GraphQL endpoint. Joins, remote joins, subscriptions, search, and mutations compose across systems in one request, so an AI assistant can reason across the data, APIs, files, and code without learning every backend.

PostgreSQL MySQL MariaDB MongoDB SQLite SQL Server Oracle CockroachDB YugabyteDB Snowflake Redshift BigQuery Cassandra / Keyspaces AWS Aurora Cloud SQL HTTP APIs S3 / GCS / Files Code

One compiler. Any system. Any client.

Point GraphJin at databases, object storage, source trees, and remote APIs. It's a compiler, not a resolver framework: it learns the live shape, plans the work, and emits one optimized database operation — then enforces RBAC and serves AI assistants, REST clients, and federated routers from the same engine. No N+1, no resolver code, test-backed against real compiler paths.

Any clientAI agents · REST · MCPone config · RBAC · allow-listsGraphJin compilerGraphQL -> one queryDatabasesRemote APIsFiles & codeGraphQL, REST, and MCP in — one optimized operation out.

Discover, check, validate, act.

GraphJin is the governed graph agents use to understand a real organization. It auto-learns the live surface, compiles GraphQL into database and source-backed work, and keeps policy visible enough for both humans and models to inspect.

gj_catalog -> evidence -> gj_security -> validate/preview -> governed action -> observe/refresh
01 — Discover

gj_catalog

Find schemas, relationships, syntax, workflows, capabilities, examples, and evidence before choosing a path.

02 — Check

gj_security

Read effective policy and high-risk findings before config, workflow, file, code, or mutation actions.

03 — Validate

preview

Validate filters, inspect generated work, run approved workflows, or preview CodeSQL changes before applying.

04 — Act

governed surface

Execute through GraphQL, MCP, saved queries, workflows, and guarded source operations instead of raw credentials.

Safer agents, not smaller agents.

GraphJin makes agents safer by giving them explicit boundaries, not by making them blind. Agents can explore more of the live organization because policy, evidence, and action paths are inspectable and enforced.

One config defines the AI surface.

Humans can review and diff the policy. Models can inspect the same posture through gj_catalog and gj_security before acting. GraphJin enforces that policy across GraphQL, MCP, workflows, code, files, APIs, and databases.

RBAC and row filters

Roles, table permissions, column blocks, automatic filters, and mutation limits are enforced inside the compiler.

Saved queries and allow-lists

Production agents can run named, reviewed query contracts instead of inventing arbitrary operations at runtime.

Read-only source boundaries

Filesystems, CodeSQL, databases, and control-plane tables can expose discovery without granting writes.

Preview before change

CodeSQL change sets require file hashes, exact ranges, old text, optional locks, and a preview/apply loop.

Connect any agent over MCP, in one command.

GraphJin ships a built-in Model Context Protocol (MCP) server — so Claude, Codex, or any MCP client can explore and query your data through the same governed surface.

One command wires GraphJin into Claude Desktop, Codex, or any MCP host. From there the agent discovers what exists, validates its query, checks policy, and runs only what you've approved — no hand-written tool for every question.

Run it locally for development, or as a hosted HTTP endpoint for your team — gated by MCP OAuth or the same JWT/OIDC identity as the main API.

GraphJin MCPdiscovery to governed actionDiscovergj_catalogValidatewhere-clauseCheckgj_securityActgoverned graphobserve & refresh

CodeSQL: query your code as well.

CodeSQL indexes your source tree into a read-only SQLite graph. Agents can ask where a column is used, which code references it, which symbol owns that reference, and what guarded change set would update it — all through the same GraphQL interface.

agent asksWhere is users.email used?
GraphQL · gj_code
query {
  gj_code(where: {
    name: { eq: "users.email" }
    kind: { eq: "db_ref" }
  }) {
    path
    symbol_name
  }
}
matched rows3
api/users.gogetUser
api/invoices.tscreateInvoiceHandler
graph/schema.gouserType
tree-sitter → read-only SQLite
kind=filekind=symbolkind=db_refkind=doc

A full backend, not just an agent gateway.

The same binary and config that govern the AI surface also run your realtime, files, remote APIs, auth, and federation — no extra services to operate.

1Auditable config for agent access across the AI surface.
12+Database and warehouse engines through one GraphQL surface.
0Lines of resolver code. The compiler does the work.
FS

Files as tables

Uploads stream to local disk, S3, R2, or GCS; each bucket is a queryable table you can join with the rest of your schema.

API

Remote APIs

Drop in an OpenAPI 3 spec and its operations become joinable, RBAC-aware fields with per-spec auth caching.

RT

Realtime

Subscribe with the same GraphQL; cursor-based SSE and WebSocket streams resume after a drop, with polls batched into one statement.

JWT

Authentication

JWT and OIDC from Auth0, Firebase, Okta, or any JWKS — one auth pipeline across HTTP, WebSocket, SSE, and MCP.

WF

Workflows

Discover approved workflows and run them through GraphQL, REST, MCP, or the CLI.

RDS

Caching

Response caching on Redis with an in-memory fallback and stale-while-revalidate.

CLI

One binary CLI

Dev server, database toolchain, device-code login, and MCP wiring. What runs in CI matches production.

FED

Federation

Advanced: flip a flag and every keyed table becomes an Apollo Federation v2 subgraph.

Run it in two minutes.

Three commands: install, boot a real demo, connect your agent.

1

Install the binary

curl -fsSL https://graphjin.com/install.sh | bash

Or brew install dosco/graphjin/graphjin

2

Boot the built-in demo

graphjin serve --demo

The binary ships with the SaaS ops demo — SQLite, no Docker, extracted to ./graphjin-demo with seeded data, saved queries, and workflows. Add a model key to ./.env (OPENAI_API_KEY, ANTHROPIC_API_KEY, or GOOGLE_APIKEY) and the built-in agent switches on; the flagship vertical is --path examples/coffee-roastery from a clone.

3

Connect your AI client

graphjin mcp add claude

Using Codex? graphjin mcp add codex

That's it. Open the web console at localhost:8083 — chat with the built-in agent at localhost:8083/agent, or ask from your MCP client. Real schema, real rows, evidence-backed answers.