This article is part of my submission to the H0: Hack the Zero Stack hackathon, in the Monetizable B2B App track.
Most "AI apps" treat the model as a stateless add-on: a chat UI tacked onto a CRUD app, calls billed to an API key the developer hopes nobody finds. The database stores the chat history; everything interesting happens outside it.
For a B2B SaaS where the AI writes financial records, drafts livestock medical notes, and creates operational tasks on behalf of paying customers, that approach fails. You need governance: who asked the AI, what tool it called, what it tried to write, what it actually wrote, how many credits it consumed, who approved the draft, who rejected it, why. All of this must be auditable weeks later, scoped per-tenant, and enforceable at the database level β not at the API layer hoping the model never hallucinates a missing tenant ID.
This article walks through the governance schema I built into FarmOps Desk for the H0 hackathon, and the two patterns that make it work: atomic credit reservation and per-farm autonomy tiers.
Treat AI governance as a database primitive, not a feature. The schema enforces the invariants; the application is a thin layer over them. If the application has a bug, the database still prevents the unacceptable outcomes (a customer going into negative credits, a draft pretending to be confirmed, a tenant-A operation touching tenant-B data).
That means every interesting AI action lives in a small set of tables:
| Table | Purpose |
|---|---|
ai_runs |
|
| One row per model invocation. Feature, model, tokens, latency, status, summaries. The index of "what did the AI do". | |
credit_ledger |
|
Append-only ledger of credit grants/deductions. The financial truth. balance_after >= 0 enforced by CHECK. |
|
assistant_drafts |
|
Pending AI writes β every record the assistant wants to create lands here first. record_type + status state machine (pending β confirmed / discarded ). |
|
ai_recommendations |
|
Non-mutating AI suggestions (no draft). Status pending β approved / rejected . |
|
ai_evals |
|
| Rule-based code evals of assistant outputs (clinical safety filter, schema conformance). | |
ai_feedback |
|
Thumbs up/down + free text. Joined back to ai_runs for offline analysis. |
|
memories |
|
| Durable farm facts (e.g. "vaccinates on Mondays", "Pond 3 is the nursery") distilled from chat. | |
embeddings |
|
| pgvector. Per-farm RAG index for documents, conversation summaries, memories. |
The relational spine: farms.id
is the tenant boundary. Every row in every table above carries farm_id
. Every query filters by it. A hallucination that tries to write to another farm can't β the row-level check is the schema, not a function the LLM can forget to call.
The classic serverless AI bug: two concurrent requests for the same farm both observe credit_balance = 1
, both proceed, both invoke Bedrock, both call the settleCredits function afterward. The user gets charged for 2 runs on a 1-credit balance. This is a TOCTOU race that scales linearly with concurrency.
The naive fix is SELECT ... FOR UPDATE
inside a transaction. That works but it doesn't compose with the metering pattern: you want to reserve 1 credit before the run (so the user can't start 10 concurrent runs on a 5-credit balance), then settle after the run with the actual cost.
My pattern:
-- reserveCredit(farmId): atomically deduct 1 IF balance > 0
UPDATE farms
SET credit_balance = credit_balance - 1
WHERE id = $1
AND credit_balance > 0
RETURNING credit_balance;
This is a single conditional UPDATE. Postgres serializes concurrent calls at the row level. Exactly one of N concurrent calls returns a row when balance = 1
; the rest get rowCount = 0
and throw CreditError
. No advisory lock, no transaction, no two-phase protocol.
After the run completes:
// settleCredits(farmId, actualCredits, reason, aiRunId)
// actualCredits <= 0 β refund the reservation
// actualCredits === 1 β no-op (reservation was exact)
// actualCredits > 1 β deduct the extra, best-effort
The credit_ledger
table captures both legs (reservation + settle) so the audit trail reconstructs the actual cost of any run. A judge looking at /admin/evidence
can match a credit_ledger
row to its ai_runs
row and see: 1 reserved, 3 actual, 2 deducted at settle.
This pattern generalizes to any metered-resource problem (storage quotas, rate limits, seat counts) where you need "reserve N if available, settle later" semantics.
A small backyard poultry farm in Kaduna has different risk tolerance than a 5,000-bird commercial operation in Lagos. Some farms want the AI to suggest; others want it to act. The autonomy tier is a per-farm setting in farms.ai_autonomy
:
| Tier | Behavior |
|---|---|
suggest |
|
| AI cannot write anything. Tools throw if called. User gets text suggestions only. | |
draft |
|
AI creates assistant_drafts rows. User confirms or discards. Default for new farms. |
|
auto |
|
| AI writes directly for trusted categories (tasks, notes, feed logs). Still drafts financial/destructive writes. |
The crucial design choice: financial and destructive writes are hardcoded to draft, regardless of autonomy tier. No farm can opt out of human confirmation for a sale, expense, mortality event, or recommendation approval. The autonomy tier only controls the no-op write categories.
Implementation: farms.ai_autonomy
is the tier; farms.ai_auto_categories
is a JSONB allowlist for the auto
tier; farms.ai_record_autonomy
is per-record-type override. The lib/ai/draft-executor.ts
resolves all three before each write. The schema is the source of truth; the executor is a small dispatcher.
// Pseudo
function resolveAutonomy(farm, recordType) {
if (FINANCIAL_DESTRUCTIVE.has(recordType)) return 'draft' // hardcoded floor
if (farm.ai_autonomy === 'suggest') return 'suggest'
if (farm.ai_autonomy === 'auto' && farm.ai_auto_categories.includes(recordType)) return 'auto'
return 'draft'
}
This is the AI-safety pattern that doesn't depend on prompt engineering. The model can be convinced to do anything; the executor refuses the write at the schema level.
RAG in a multi-tenant B2B has a specific shape: every vector query is scoped by farm_id
, the corpus is per-tenant (documents, conversation summaries, memories), and the index must be transactional with the writes (a deleted document must not appear in search results).
Standalone vector databases (Pinecone, Weaviate) solve the vector problem but create a second source of truth: the vector DB says "doc X is relevant", you have to round-trip to Postgres to authorize the read, and the two can drift. You also pay for a separate service.
pgvector inside Aurora collapses the two into one. The vector column lives on the same row as the tenant ID:
CREATE TABLE embeddings (
id TEXT PRIMARY KEY,
farm_id TEXT NOT NULL,
source_type TEXT NOT NULL, -- 'memory' | 'document' | 'convo_summary'
source_id TEXT NOT NULL,
content TEXT NOT NULL,
embedding VECTOR(1024) NOT NULL
);
CREATE INDEX ON embeddings
USING hnsw (embedding vector_cosine_ops)
WITH (m = 16, ef_construction = 64);
-- Per-farm RAG query: tenant scoping + vector search in one shot
SELECT id, content, 1 - (embedding <=> $1) AS score
FROM embeddings
WHERE farm_id = $2 -- tenant boundary
OR farm_id = '__global__' -- shared knowledge base (vaccination schedules, biology)
ORDER BY embedding <=> $1
LIMIT 4;
The farm_id filter runs first; the HNSW scan runs against the filtered subset. A hallucinated query for tenant-A can't reach tenant-B's embeddings β the WHERE clause is enforced by Postgres, not by prompt engineering.
The hackathon's first hard requirement is AWS Database as the primary backend. I chose Aurora PostgreSQL over DynamoDB for one reason: financial-grade operations require relational integrity.
My credit_ledger
enforces balance_after >= 0
with a CHECK constraint. My assistant_drafts
enforces record_type IN ('mortality','feed_use','sale','expense','water','weight','symptom','note')
with a CHECK β the AI cannot draft a record type that doesn't exist. My farm_members
enforces the join table invariant (farm_id, user_id)
UNIQUE. None of these are expressible in DynamoDB without application-level enforcement.
The trade-off: Aurora is a heavier operational lift than DynamoDB (connection pooling, failover tuning, vacuuming). For a hackathon, I accepted the complexity because the integrity invariants are the product.
ββββββββββββββββ OIDC JWT ββββββββββββββββ
β Vercel β ββββββββββββββΊ β STS β
β Functions β β (AssumeRole) β
ββββββββ¬ββββββββ ββββββββ¬ββββββββ
β β
β 15-min IAM token β
βΌ βΌ
ββββββββββββββββ ββββββββββββββββ
β RDS Signer β β Bedrock β
β (DB auth) β β Runtime β
ββββββββ¬ββββββββ ββββββββββββββββ
β
βΌ
ββββββββββββββββββββββββββββββββββββββββββββββββ
β Aurora PostgreSQL 17 + pgvector β
β ββββββββββββββ ββββββββββββββ βββββββββββ β
β β farms β β ai_runs β β memoriesβ β
β β ...40+ β β credit_ β β embed- β β
β β tables β β ledger β β dings β β
β β β β drafts β β β β
β ββββββββββββββ ββββββββββββββ βββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββ
Two IAM roles: AWS_ROLE_ARN
(DB-only, permission-boundary-capped) and BEDROCK_ROLE_ARN
(AI-only, no DB access). Blast-radius minimization at the trust boundary.
Building AI governance as a database primitive isn't the typical approach. Most LLM applications default to a simple messages
table and a chat UI, treating the AI as an external novelty. But when building for agricultural operations, a farmer's data integrity is just as critical as a bank's.
By enforcing invariants natively in the relational schemaβusing integer kobo for financial accuracy, FOR UPDATE
row locks to prevent race conditions, append-only ledgers, and a per-farm autonomy state machineβthe application guarantees safety before the AI ever generates a response.
The patterns described here are designed to go beyond a proof-of-concept. They demonstrate how to build shipping-grade, multi-tenant AI systems where data integrity is structurally guaranteed by the database itself.
docs/ARCHITECTURE.md
This project is built for the H0 Hack the Zero Stack hackathon (#H0Hackathon), in the Monetizable B2B App track. It deploys on Vercel with Amazon Aurora PostgreSQL as the primary backend. I created this piece of content for the purposes of entering the hackathon.