AI Governance as a Database Primitive: Building FarmOps Desk on Aurora + pgvector + Bedrock

A developer built FarmOps Desk, a B2B SaaS for farm management, using Aurora, pgvector, and Bedrock. The system treats AI governance as a database primitive with atomic credit reservation and per-farm autonomy tiers to enforce tenant isolation and prevent race conditions. The schema includes tables for AI runs, credit ledger, assistant drafts, and embeddings, all scoped by farm ID.

This article is part of my submission to the H0: Hack the Zero Stack hackathon, in the Monetizable B2B App track. Most "AI apps" treat the model as a stateless add-on: a chat UI tacked onto a CRUD app, calls billed to an API key the developer hopes nobody finds. The database stores the chat history; everything interesting happens outside it. For a B2B SaaS where the AI writes financial records, drafts livestock medical notes, and creates operational tasks on behalf of paying customers, that approach fails. You need governance: who asked the AI, what tool it called, what it tried to write, what it actually wrote, how many credits it consumed, who approved the draft, who rejected it, why. All of this must be auditable weeks later, scoped per-tenant, and enforceable at the database level — not at the API layer hoping the model never hallucinates a missing tenant ID. This article walks through the governance schema I built into FarmOps Desk https://github.com/captjay98/v0-farmops for the H0 hackathon, and the two patterns that make it work: atomic credit reservation and per-farm autonomy tiers . Treat AI governance as a database primitive, not a feature. The schema enforces the invariants; the application is a thin layer over them. If the application has a bug, the database still prevents the unacceptable outcomes a customer going into negative credits, a draft pretending to be confirmed, a tenant-A operation touching tenant-B data . That means every interesting AI action lives in a small set of tables: | Table | Purpose | |---|---| ai runs | One row per model invocation. Feature, model, tokens, latency, status, summaries. The index of "what did the AI do". | credit ledger | Append-only ledger of credit grants/deductions. The financial truth. balance after = 0 enforced by CHECK. | assistant drafts | Pending AI writes — every record the assistant wants to create lands here first. record type + status state machine pending → confirmed / discarded . | ai recommendations | Non-mutating AI suggestions no draft . Status pending → approved / rejected . | ai evals | Rule-based code evals of assistant outputs clinical safety filter, schema conformance . | ai feedback | Thumbs up/down + free text. Joined back to ai runs for offline analysis. | memories | Durable farm facts e.g. "vaccinates on Mondays", "Pond 3 is the nursery" distilled from chat. | embeddings | pgvector. Per-farm RAG index for documents, conversation summaries, memories. | The relational spine: farms.id is the tenant boundary. Every row in every table above carries farm id . Every query filters by it. A hallucination that tries to write to another farm can't — the row-level check is the schema, not a function the LLM can forget to call. The classic serverless AI bug: two concurrent requests for the same farm both observe credit balance = 1 , both proceed, both invoke Bedrock, both call the settleCredits function afterward. The user gets charged for 2 runs on a 1-credit balance. This is a TOCTOU race that scales linearly with concurrency. The naive fix is SELECT ... FOR UPDATE inside a transaction. That works but it doesn't compose with the metering pattern: you want to reserve 1 credit before the run so the user can't start 10 concurrent runs on a 5-credit balance , then settle after the run with the actual cost. My pattern: -- reserveCredit farmId : atomically deduct 1 IF balance 0 UPDATE farms SET credit balance = credit balance - 1 WHERE id = $1 AND credit balance 0 RETURNING credit balance; This is a single conditional UPDATE. Postgres serializes concurrent calls at the row level. Exactly one of N concurrent calls returns a row when balance = 1 ; the rest get rowCount = 0 and throw CreditError . No advisory lock, no transaction, no two-phase protocol. After the run completes: // settleCredits farmId, actualCredits, reason, aiRunId // actualCredits <= 0 → refund the reservation // actualCredits === 1 → no-op reservation was exact // actualCredits 1 → deduct the extra, best-effort The credit ledger table captures both legs reservation + settle so the audit trail reconstructs the actual cost of any run. A judge looking at /admin/evidence can match a credit ledger row to its ai runs row and see: 1 reserved, 3 actual, 2 deducted at settle. This pattern generalizes to any metered-resource problem storage quotas, rate limits, seat counts where you need "reserve N if available, settle later" semantics. A small backyard poultry farm in Kaduna has different risk tolerance than a 5,000-bird commercial operation in Lagos. Some farms want the AI to suggest; others want it to act. The autonomy tier is a per-farm setting in farms.ai autonomy : | Tier | Behavior | |---|---| suggest | AI cannot write anything. Tools throw if called. User gets text suggestions only. | draft | AI creates assistant drafts rows. User confirms or discards. Default for new farms. | auto | AI writes directly for trusted categories tasks, notes, feed logs . Still drafts financial/destructive writes. | The crucial design choice: financial and destructive writes are hardcoded to draft, regardless of autonomy tier. No farm can opt out of human confirmation for a sale, expense, mortality event, or recommendation approval. The autonomy tier only controls the no-op write categories. Implementation: farms.ai autonomy is the tier; farms.ai auto categories is a JSONB allowlist for the auto tier; farms.ai record autonomy is per-record-type override. The lib/ai/draft-executor.ts resolves all three before each write. The schema is the source of truth; the executor is a small dispatcher. // Pseudo function resolveAutonomy farm, recordType { if FINANCIAL DESTRUCTIVE.has recordType return 'draft' // hardcoded floor if farm.ai autonomy === 'suggest' return 'suggest' if farm.ai autonomy === 'auto' && farm.ai auto categories.includes recordType return 'auto' return 'draft' } This is the AI-safety pattern that doesn't depend on prompt engineering. The model can be convinced to do anything; the executor refuses the write at the schema level. RAG in a multi-tenant B2B has a specific shape: every vector query is scoped by farm id , the corpus is per-tenant documents, conversation summaries, memories , and the index must be transactional with the writes a deleted document must not appear in search results . Standalone vector databases Pinecone, Weaviate solve the vector problem but create a second source of truth: the vector DB says "doc X is relevant", you have to round-trip to Postgres to authorize the read, and the two can drift. You also pay for a separate service. pgvector inside Aurora collapses the two into one. The vector column lives on the same row as the tenant ID: CREATE TABLE embeddings id TEXT PRIMARY KEY, farm id TEXT NOT NULL, source type TEXT NOT NULL, -- 'memory' | 'document' | 'convo summary' source id TEXT NOT NULL, content TEXT NOT NULL, embedding VECTOR 1024 NOT NULL ; CREATE INDEX ON embeddings USING hnsw embedding vector cosine ops WITH m = 16, ef construction = 64 ; -- Per-farm RAG query: tenant scoping + vector search in one shot SELECT id, content, 1 - embedding <= $1 AS score FROM embeddings WHERE farm id = $2 -- tenant boundary OR farm id = ' global ' -- shared knowledge base vaccination schedules, biology ORDER BY embedding <= $1 LIMIT 4; The farm id filter runs first; the HNSW scan runs against the filtered subset. A hallucinated query for tenant-A can't reach tenant-B's embeddings — the WHERE clause is enforced by Postgres, not by prompt engineering. The hackathon's first hard requirement is AWS Database as the primary backend . I chose Aurora PostgreSQL over DynamoDB for one reason: financial-grade operations require relational integrity. My credit ledger enforces balance after = 0 with a CHECK constraint. My assistant drafts enforces record type IN 'mortality','feed use','sale','expense','water','weight','symptom','note' with a CHECK — the AI cannot draft a record type that doesn't exist. My farm members enforces the join table invariant farm id, user id UNIQUE. None of these are expressible in DynamoDB without application-level enforcement. The trade-off: Aurora is a heavier operational lift than DynamoDB connection pooling, failover tuning, vacuuming . For a hackathon, I accepted the complexity because the integrity invariants are the product. ┌──────────────┐ OIDC JWT ┌──────────────┐ │ Vercel │ ─────────────► │ STS │ │ Functions │ │ AssumeRole │ └──────┬───────┘ └──────┬───────┘ │ │ │ 15-min IAM token │ ▼ ▼ ┌──────────────┐ ┌──────────────┐ │ RDS Signer │ │ Bedrock │ │ DB auth │ │ Runtime │ └──────┬───────┘ └──────────────┘ │ ▼ ┌──────────────────────────────────────────────┐ │ Aurora PostgreSQL 17 + pgvector │ │ ┌────────────┐ ┌────────────┐ ┌─────────┐ │ │ │ farms │ │ ai runs │ │ memories│ │ │ │ ...40+ │ │ credit │ │ embed- │ │ │ │ tables │ │ ledger │ │ dings │ │ │ │ │ │ drafts │ │ │ │ │ └────────────┘ └────────────┘ └─────────┘ │ └──────────────────────────────────────────────┘ Two IAM roles: AWS ROLE ARN DB-only, permission-boundary-capped and BEDROCK ROLE ARN AI-only, no DB access . Blast-radius minimization at the trust boundary. Building AI governance as a database primitive isn't the typical approach. Most LLM applications default to a simple messages table and a chat UI, treating the AI as an external novelty. But when building for agricultural operations, a farmer's data integrity is just as critical as a bank's. By enforcing invariants natively in the relational schema—using integer kobo for financial accuracy, FOR UPDATE row locks to prevent race conditions, append-only ledgers, and a per-farm autonomy state machine—the application guarantees safety before the AI ever generates a response. The patterns described here are designed to go beyond a proof-of-concept. They demonstrate how to build shipping-grade, multi-tenant AI systems where data integrity is structurally guaranteed by the database itself. docs/ARCHITECTURE.md This project is built for the H0 Hack the Zero Stack hackathon H0Hackathon , in the Monetizable B2B App track. It deploys on Vercel with Amazon Aurora PostgreSQL as the primary backend. I created this piece of content for the purposes of entering the hackathon.