Recruiter Walkthrough

ERP/commerce SaaS — per-subdomain tenant isolation, BullMQ workers, plan checkout + webhooks, AI assistant via secured endpoints.

Multi-tenant financial platform with master admin panel, OpenAI assistant with heuristic fallback, plans/tier model — live in production.

Industrial SaaS — shared-schema isolation, resource:action permissions, full audit trail, subscription state machine enforced via middleware.

AI sales-training platform — OpenAI + Gemini, dynamic scenarios, streamed responses, provider fallback, output evaluation rubrics.

Law firms publish marketing content that must be jurisdiction-compliant, fast and cheap. Today that runs through fragmented N8N flows + an Express/ECS service: hard to version, weak retries, no per-tenant cost visibility, and real legal risk if a bad claim ships. Lexora consolidates this into one observable platform — the same class of problems I've solved across UPVEND, Caixaly, and TouchFind.

Non-deterministic AI output (hallucinations, malformed JSON, refusals), runaway token cost, cross-tenant data leakage, provider rate limits, and compliance violations that can't be 'rolled back' once published. Each risk has an explicit mitigation in the system — patterns I've applied in Sales Launch and production AI assistants.

A Next.js App Router monolith (UI + API + Server Actions) fronting Supabase Postgres with RLS, Redis-backed BullMQ workers for async pipelines, AI observability tracing, Stripe for event-driven billing, and adapters for Claude/Gemini/Perplexity/DALL-E, CourtListener and WordPress.

Every workflow becomes a typed BullMQ job contract: code-reviewed, versioned, retried with backoff, and pushed to a DLQ on exhaustion. Jobs carry tenant_id and emit tokens/cost/trace data — eliminating the visual-flow black box I've replaced in multiple production systems.

Isolation lives in Postgres. FORCE ROW LEVEL SECURITY binds every row to auth.jwt() ->> 'tenant_id'. A forgotten WHERE clause can't leak data; cross-tenant attempts return 0 rows and log a critical audit event — the same discipline I enforce with tenantId scoping + middleware resolvers.

Each LLM call produces a trace with input/output tokens and cost, attributed to the tenant via the metering queue. Budget guardrails warn at 85% and hard-stop at 100%, reconciled with Stripe usage records — modeled after Caixaly and UPVEND billing flows.

Layered resilience: retry with exponential backoff + jitter → fallback to a secondary provider → fall back to cached research and flag for human review. Exhausted jobs land in the DLQ with full payload and stacktrace for replay.

Beyond logs: structured traces capture evaluation, compliance and hallucination scores per generation. Non-deterministic test suites gate publishing; jurisdiction rule packs block prohibited claims before they ship.

Strangler-fig: run BullMQ alongside N8N, migrate one pipeline at a time behind feature flags, shadow-run for parity, then cut over. RLS and observability land before legacy is removed, so we always have a rollback path.

Stabilize and instrument first, migrate the riskiest pipelines next, then harden security, billing and compliance — finishing by decommissioning N8N and consolidating ECS into the monolith.