DEV Community: Manikant Kella

Firewall and governance for your LLM usage

Manikant Kella — Wed, 17 Dec 2025 06:37:46 +0000

Xano AI-Powered Backend Challenge: Full-Stack Submission

Manikant Kella

Dec 14 '25

PromptShield AI – An AI Cost & Risk Firewall Built with Xano

#devchallenge #xanochallenge #ai #backend

Comments 8

5 min read

Guardrail your LLMs

Manikant Kella — Mon, 15 Dec 2025 18:06:39 +0000

Xano AI-Powered Backend Challenge: Full-Stack Submission

Manikant Kella

Dec 14 '25

PromptShield AI – An AI Cost & Risk Firewall Built with Xano

#devchallenge #xanochallenge #ai #backend

Comments 8

5 min read

As teams build AI-powered apps, one issue shows up fast 👉 runaway LLM costs with no guardrails. Thats where PromptShield AI comes into picture

Manikant Kella — Mon, 15 Dec 2025 05:59:38 +0000

Xano AI-Powered Backend Challenge: Full-Stack Submission

Manikant Kella

Dec 14 '25

PromptShield AI – An AI Cost & Risk Firewall Built with Xano

#devchallenge #xanochallenge #ai #backend

Comments 8

5 min read

PromptShield AI – An AI Cost & Risk Firewall Built with Xano

Manikant Kella — Sun, 14 Dec 2025 16:51:17 +0000

This is a submission for the Xano AI-Powered Backend Challenge: Full-Stack, AI-First Application

PromptShield AI – An AI Cost & Risk Firewall for LLM Applications

As teams rapidly build agentic apps and AI-powered features, one problem shows up almost immediately:

LLM costs explode, usage becomes opaque, and there are no guardrails.

Developers lack:

Per-user and per-feature budgets
Visibility into token and cost usage
Protection against risky prompts (PII, secrets)
Smart routing to cheaper models when budgets are exceeded

PromptShield AI solves this by acting as an intelligent backend control plane that sits between applications and LLM providers.

It enforces:

Cost budgets (tenant / user / feature)
Usage analytics and spend visibility
Safety and routing policies
Multi-provider cost control

The result is a production-ready AI infrastructure backend, not just a wrapper around LLM APIs.

🧱 Architecture Overview

Backend: Xano (Postgres, APIs, background jobs, AI workflows)
Frontend: Lovable.dev (low-code SaaS dashboard)
AI-first approach: Backend generated with AI, refined by hand
Public API + Admin UI: Production-ready by design

🎬 Demo

🔗 Live Application:

https://promptshield.lovable.app/

💻 Source Code (GitHub):

https://github.com/Manikant92/promptshield_ai

🎥 Demo Walkthrough Video:

📸 Product Screenshots

🔎 Swagger / Public API:

https://x8ki-letl-twmt.n7.xano.io/api:q5xLch4v

The dashboard shows real API keys, budgets, policies, providers, and usage analytics powered entirely by Xano.

🧠 The AI Prompt I Used (Backend Generation)

All backend workflows, API definitions, and schema refinements are tracked in the GitHub repository below for transparency and reproducibility:

👉 https://github.com/Manikant92/promptshield_ai

I used XanoScript with an AI-first workflow to generate the initial backend.

Below is the original prompt used to bootstrap the system:

You are an expert backend architect building a production-ready, multi-tenant AI infrastructure backend using Xano.

Build a backend called "PromptShield AI" — an AI Cost & Risk Firewall that sits between applications and multiple LLM providers (OpenAI, Anthropic, etc.) to enforce budgets, rate limits, and safety policies before requests reach the LLM.

The backend must be secure, scalable, and suitable for public API consumption.


Create the initial backend for PromptShield AI with the following requirements:

1. Core Concept
PromptShield AI acts as a proxy API for LLM calls. Applications send standard chat/completion payloads to PromptShield, which enforces usage policies, budgets, and risk checks before forwarding requests to LLM providers.

2. Database Schema (Postgres)
Design tables for:
- tenants (org_id, name, plan, created_at)
- api_keys (key, tenant_id, status, last_used_at)
- users (user_id, tenant_id, role)
- llm_providers (provider, model, cost_per_1k_tokens)
- usage_logs (tenant_id, user_id, feature, provider, model, tokens_in, tokens_out, cost, timestamp)
- budgets (tenant_id, scope_type [tenant/user/feature], scope_id, daily_limit, monthly_limit)
- policies (tenant_id, preferred_models, fallback_model, blocked_categories)

3. API Endpoints
Create the following APIs:

POST /llm/proxy
- Accepts OpenAI-compatible chat/completion payload
- Authenticates using API key
- Identifies tenant, user, and feature
- Performs budget checks and policy enforcement
- Routes request to the selected LLM provider
- Logs token usage and cost

POST /limits/configure
- Allows tenants to define per-user, per-feature, or per-tenant budgets
- Supports daily and monthly limits

GET /usage/summary
- Returns aggregated usage by tenant, user, feature, and model
- Optimized for dashboards

4. AI Logic
Use AI workflows to:
- Classify prompts for risky categories (PII, secrets, unsafe content)
- Block or redact requests that violate policy
- Automatically downgrade to cheaper models when nearing budget limits
- Detect anomalous usage spikes (e.g., sudden 10x increase)

5. Background Jobs
- Aggregate daily and monthly usage
- Recalculate remaining budgets
- Run anomaly detection periodically

6. Security & Scalability
- Multi-tenant isolation
- Rate limiting per API key
- Clean error responses
- Extensible provider abstraction

7. Output
Generate:
- Database tables
- API endpoint logic
- AI workflows
- Background jobs
Use clean, maintainable naming and comments suitable for a production backend.

Do NOT generate frontend code.
Focus entirely on the backend implementation in Xano.

This prompt allowed AI to quickly generate a solid baseline backend, which I then refined heavily inside Xano.

## 🛠️ How I Refined the AI-Generated Backend in Xano

AI gave me a starting point — **human refinement made it production-ready**.

### Key Improvements I Made in Xano

#### 🔐 Security & Multi-Tenancy
- Introduced tenant isolation across all tables
- Added API key lifecycle management (create, revoke, rotate)
- Hardened error handling and rate limits

#### 💰 Cost & Budget Enforcement
- Added scoped budgets (tenant / user / feature)
- Implemented background aggregation jobs for daily & monthly usage
- Enabled budget thresholds and warning states

#### 🧠 AI Logic Enhancements
- Added prompt classification for risky categories (PII, secrets)
- Implemented policy-based model fallback when budgets are exceeded
- Designed provider abstraction for future expansion

#### 📊 Observability & Analytics
- Normalized usage logs for dashboards
- Enabled cost-by-model and cost-by-feature views
- Optimized APIs for frontend consumption

Before: AI-generated CRUD-style endpoints

After: A scalable, secure AI infrastructure backend suitable for real-world use

🎨 Frontend: Turning APIs into a Product

I connected the Xano backend to Lovable.dev to build a clean, enterprise-style dashboard.

The UI allows users to:

Manage API keys securely
Define and monitor budgets
Configure routing and safety policies
Analyze token and cost usage with filters and charts

This step demonstrated how Xano’s backend capabilities translate directly into product value.

🚀 My Experience with Xano

What I Loved

AI + Human workflow: AI for speed, Xano for control
Background jobs: Perfect for cost aggregation and analytics
Clean API design: Easy to connect to any frontend
Production mindset: Xano encourages scalable patterns by default

Challenges

Thinking through multi-tenant isolation correctly (worth the effort)
Designing APIs that balance flexibility and simplicity

Overall, Xano made it incredibly easy to go from idea → AI-generated backend → production-grade system in a very short time.

🏁 Final Thoughts

PromptShield AI is not just a demo — it’s a realistic example of how AI-assisted backend development, combined with thoughtful human refinement, can produce scalable, secure, and maintainable systems.

Xano was the perfect platform to bring this idea to life.

Thanks for checking it out! 🚀

How I Built an AI-Powered Website Modernizer in 3 Days with Kiro

Manikant Kella — Fri, 05 Dec 2025 18:38:32 +0000

I built ReVitalize - an AI-powered platform that transforms outdated websites into modern, accessible designs - in just 3 days using Kiro. What would typically take 2-3 weeks became a weekend project thanks to Kiro's context-aware vibe coding.

The Result:

60+ files of production-ready code
Complete AI transformation pipeline
Beautiful UI with animations
Side-by-side preview system
Chat refinement, component extraction, accessibility auditing
Export to ZIP and GitHub

The Secret: Natural conversations with an AI that actually remembers context and evolves with you.

The Problem: Outdated Websites Everywhere

Have you ever visited a website that looks like it's from 1995? Plain HTML, no styling, broken layouts? Companies like Berkshire Hathaway still run websites that look ancient!

I thought: "What if AI could instantly modernize any outdated website?"

That's how ReVitalize was born - an AI-powered tool that transforms any website in seconds, not weeks.

The Kiro Difference: Context-Aware Development

Before Kiro: The Traditional Approach

1. Plan everything upfront (2-3 days)
2. Write detailed specs (1 day)
3. Set up project structure (1 day)
4. Build features one by one (1-2 weeks)
5. Debug and refine (3-4 days)
6. Write documentation (1-2 days)

Total: 2-3 weeks

With Kiro: Iterative Conversations

Day 1: "Build a full production-grade application called ReVitalize"
       → 60+ files generated with complete architecture

Day 2: "Make UI much better, add example sites"
       → Beautiful landing page with animations

Day 3: "Preview isn't showing" → Fixed with debugging
       "Token limit exceeded" → Switched to better model
       "Secure API keys" → Complete security audit

Total: 3 days

What Makes Kiro Special?

1. Context Awareness

Traditional AI coding tools forget context. You have to re-explain everything.

Kiro remembers:

Previous conversations
Project structure
Design decisions
Code patterns

Example:

Me: "Add example sites with auto-fill"
Kiro: *Remembers the URLInputForm component*
      *Updates LandingPage to pass URL*
      *Modifies TransformationWorkspace*
      *Updates all connected components*

No need to specify which files to modify. Kiro knows.

2. Intelligent Problem-Solving

When we hit a token limit error with GPT-4 Turbo:

Me: "Token limit exceeded"
Kiro: "Let me analyze the OpenAI pricing table..."
      "GPT-4o Mini has 200K TPM vs 30K for GPT-4 Turbo"
      "It's also 98% cheaper!"
      *Updates all model references*
      *Updates UI branding*
      *Creates documentation*

Kiro didn't just fix the error - it optimized our entire approach.

3. Vibe Coding

Instead of writing detailed specs, I had natural conversations:

// Traditional approach:
"Create a React component called LandingPage with:
- Animated gradient background using Framer Motion
- Three floating orbs with different animation delays
- Hero section with gradient text
- Feature grid with 9 cards
- Hover effects on cards
- Stats section with 4 metrics
- CTA section
- Footer with links"

// With Kiro:
"Make UI much better than this reference website"

// Result: 500+ lines of beautiful code in 5 minutes

The Build Process: A Day-by-Day Breakdown

Day 1: Architecture & Core Features

Initial Prompt:

Build a full production-grade application called ReVitalize,
an AI-powered platform that modernizes any outdated website.

What Kiro Generated:

Complete Next.js 14 project structure
TypeScript configuration
API routes for scraping, transformation, refinement
React components (URLInput, Preview, Chat, etc.)
AI integrations (OpenAI, Google Gemini)
Puppeteer scraping system
Type definitions
Documentation

Files Created: 60+
Time: ~2 hours of conversation

Day 2: UI/UX & Refinement

Conversations:

Me: "Make UI much better than reference website"
Kiro: *Creates stunning landing page*
      - Animated gradient background
      - Floating orbs animation
      - Feature cards with hover effects
      - Professional typography

Me: "Add example sites that auto-populate"
Kiro: *Adds 4 example cards*
      *Implements click-to-fill*
      *Updates all connected components*

Me: "Text size too large"
Kiro: *Adjusts all typography*
      *Maintains hierarchy*
      *Updates responsive breakpoints*

Time: ~4 hours of iterative refinement

Day 3: Debugging & Polish

The Preview Problem:

Me: "Preview isn't showing"
Kiro: *Adds comprehensive logging*
      *Identifies issue: React imports instead of HTML*
      *Creates React-to-HTML converter*
      *Implements three-level fallback system*
      *Generates beautiful fallback HTML*

The Token Limit Issue:

Me: "Token limit exceeded"
Kiro: *Analyzes OpenAI pricing*
      *Suggests GPT-4o Mini*
      *Updates all references*
      *Documents the change*

Security Audit:

Me: "Check for hardcoded API keys"
Kiro: *Scans entire codebase*
      *Finds exposed keys*
      *Updates .gitignore*
      *Clears sensitive data*
      *Creates SECURITY.md*

Time: ~6 hours of problem-solving

The Most Impressive Moments

1. Complete AI Transformation System

One conversation generated:

// src/lib/ai/openai.ts
- Smart prompt engineering
- Structured JSON output
- React-to-HTML conversion
- Three-level fallback system
- Error handling
- Comprehensive logging
- Theme-specific guidelines

// 500+ lines of production-ready code
// Time: 5 minutes

2. Beautiful Landing Page

// src/components/LandingPage.tsx
- Animated gradient background
- Three floating orbs with physics
- Hero section with triple gradient text
- 9 feature cards with hover-to-expand
- Stats section with animated counters
- Premium CTA section
- Professional footer

// 800+ lines with Framer Motion
// Time: 10 minutes

3. Security Audit & Fix

# One prompt: "Check for hardcoded API keys"

# Kiro:
1. Scanned entire codebase
2. Found exposed keys in .env.local
3. Updated .gitignore with comprehensive rules
4. Cleared all sensitive data
5. Created SECURITY.md with guidelines
6. Updated .env.example with documentation

# Files modified: 4
# Time: 3 minutes

Key Features That Made the Difference

1. Steering Documents

Created transformation-rules.md in .kiro/steering/:

## LLM Output Format

Always return JSON matching this exact structure:
{
  "summary": "...",
  "components": [...],
  "final_build": { "files": [...] }
}

Impact: Consistent AI outputs, no parsing errors, predictable structure.

2. Spec-Driven Development

Created .kiro/spec.yaml:

features:
  - url_input
  - scraping
  - ai_transformation
  - preview
  - chat_refinement
  - export

api_endpoints:
  - POST /api/scrape
  - POST /api/transform
  - POST /api/refine

Impact: Clear architecture, consistent APIs, complete features.

3. Iterative Conversations

Broad → Specific → Refine → Polish

"Build ReVitalize" 
  → "Add example sites"
    → "Make text smaller"
      → "Fix preview display"

Each conversation built on the previous context.

The Technical Stack

Frontend:

Next.js 14 (App Router)
TypeScript
Tailwind CSS
Framer Motion
React Syntax Highlighter

Backend:

Next.js API Routes
Puppeteer (scraping)
Cheerio (HTML parsing)

AI:

OpenAI GPT-4o Mini (primary)
Google Gemini 1.5 Flash (fallback)

All generated and integrated by Kiro through conversations.

Challenges & How Kiro Helped

Challenge 1: Model Selection

Problem: Started with GPT-5.1 (doesn't exist), then GPT-4 Turbo (token limits)

Kiro's Solution:

"Let me analyze the OpenAI pricing table...
GPT-4o Mini has:
- 200K TPM (vs 30K)
- 98% cheaper
- Optimized for code generation
- Perfect for your use case"

Result: No more token errors, 98% cost reduction

Challenge 2: Empty Preview

Problem: Preview showed "No preview available"

Kiro's Solution:

1. Added comprehensive logging
2. Identified issue: AI generating React imports
3. Created React-to-HTML converter
4. Implemented three-level fallback
5. Generated beautiful fallback HTML

Result: Preview always works, even if AI fails

Challenge 3: Security

Problem: API keys potentially exposed

Kiro's Solution:

1. Scanned entire codebase
2. Found all sensitive data
3. Updated .gitignore
4. Created security guidelines
5. Documented best practices

Result: Production-ready security

What I Learned

1. Context is Everything

Traditional AI tools lose context. Kiro maintains it across conversations, making iterative development natural.

2. Hybrid Approach Works Best

Spec-driven for initial architecture
Vibe coding for refinement and debugging
Steering docs for consistency

3. AI as Partner, Not Tool

Kiro doesn't just generate code - it:

Debugs with you
Suggests optimizations
Maintains consistency
Writes documentation
Solves problems

4. Speed Without Sacrificing Quality

3 days of development with Kiro produced:

Production-ready code
Comprehensive error handling
Security best practices
Complete documentation
Beautiful UI/UX

The Results

ReVitalize Features:

✅ Instant website transformation
✅ Side-by-side comparison
✅ 5 theme options
✅ Chat refinement
✅ Component extraction
✅ Accessibility audit
✅ Export to ZIP/GitHub
✅ Beautiful animations

Development Stats:

Time: 3 days (vs 2-3 weeks)
Files: 60+ production-ready
Lines of Code: ~5,000+
Cost per transformation: $0.003
Performance: 15-20 seconds per transformation

Try It Yourself

Want to experience Kiro's power?

ReVitalize Demo: [https://youtu.be/-qBKbOdIa7U]
GitHub: [https://github.com/Manikant92/ReVitalize]

Get Kiro: [https://kiro.dev/]

Final Thoughts

Kiro changed how I approach development. Instead of:

Planning everything upfront
Writing detailed specs
Building in isolation
Debugging alone

I now:

Start building immediately
Refine through conversation
Iterate with an AI partner
Solve problems together

The future of development isn't about replacing developers - it's about augmenting our capabilities with AI that truly understands context.

If you're still writing boilerplate by hand or spending hours on repetitive tasks, you're missing out on what's possible with context-aware AI development.

Questions?

Drop a comment below! I'd love to hear about your experiences with AI-assisted development.

Built with ❤️ using Kiro for the Kiroween Hackathon

AICHA: AI-Powered Healthcare Assistant with Permit.io Authorization

Manikant Kella — Sun, 04 May 2025 10:40:42 +0000

This is a submission for the Permit.io Authorization Challenge: AI Access Control

What is AICHA?

AICHA (AI-powered Healthcare Assistant) is a modern healthcare management platform that uses artificial intelligence to help doctors, nurses, and administrators deliver better care. With features like AI-driven medical analysis, treatment suggestions, and secure patient data management, AICHA is designed to make healthcare smarter and safer.

But with great power comes great responsibility—especially when it comes to sensitive medical data and AI features. That's why AICHA uses Permit.io for fine-grained, externalized authorization, ensuring that only the right people can access the right features at the right time.

How AICHA Leverages Permit.io, Gemini AI, and Supabase.

Permit.io Integration:

Permit.io is the backbone of AICHA's access control and security.
Every time a user logs in or tries to use a feature (like running Gemini AI analysis or viewing patient data), AICHA checks with Permit.io to see if they're allowed.
All access policies (who can do what, when, and where) are managed centrally in Permit.io, not scattered in the code.
User roles and permissions are synced from Supabase to Permit.io, so changes are reflected instantly.
Permit.io logs every permission check and action for auditing and compliance.
This means:
- Only doctors in the right department can run Gemini AI analysis on their patients
- Nurses can view results but not run or approve AI features
- Admins can manage everything, but all actions are tracked
Permit.io makes it easy to update policies (like restricting AI use to working hours) without changing any code—just update the policy in the dashboard.

Gemini AI Integration:

AICHA uses Google Gemini AI to power its medical analysis and treatment suggestion features.
Doctors can submit patient data for analysis, and Gemini provides:
- Disease risk predictions
- AI-generated treatment recommendations
- Natural language explanations for results
Gemini's advanced language and reasoning capabilities help make AI suggestions more accurate and explainable for medical staff.
All AI-powered actions are protected by Permit.io policies, so only authorized users can access Gemini features.

Supabase Integration:

Supabase is used as the backend database for AICHA.
It stores:
- User accounts and roles
- Patient records
- Audit logs of all actions (including Permit.io permission checks)
Supabase's real-time features help keep user data and permissions in sync with Permit.io.
When users are created or updated in Supabase, they are automatically synced to Permit.io for up-to-date access control.

Key Features of AICHA (and Who Gets to Use Them)

AICHA is built for different types of users, each with their own set of features:

Administrators
- Full access to all patient records and system settings
- Manage users and roles
- Approve or audit AI analysis and treatments
Doctors
- Run AI-powered medical analysis on patient data
- Suggest and approve treatments
- View and update patient records
Nurses
- View patient records and AI analysis results
- Monitor patient vitals
Patients (optional/future)
- View their own health records and AI-generated reports

How does AICHA make sure only the right people can do these things?

That's where Permit.io comes in! Every action—like running an AI analysis or viewing a patient record—is checked against Permit.io's policies before it happens. This means:

Doctors can't approve treatments for patients outside their department
Nurses can't run AI analysis, but can view results
Admins can do everything, but every action is logged for compliance

Why Permit.io? (vs. Traditional Authorization)

Traditionally, access control is hard-coded into the app. This means:

Authorization logic is scattered everywhere
Changing permissions means changing code (and redeploying)
It's easy to miss a check, leading to security holes
Auditing who did what is a pain

With Permit.io (externalized authorization):

All policies are managed in one place (the Permit.io dashboard or config)
You can update permissions instantly—no code changes needed
Every access check is logged automatically
It's easy to create complex, context-aware rules (like department-based or time-based access)

Example:

Want to let doctors run AI analysis only during working hours? Just update the policy in Permit.io—no code changes required!

How AICHA Leverages Permit.io (In Simple Terms)

Role-Based Access: Each user is assigned a role (admin, doctor, nurse) and only sees features they're allowed to use.
Context-Aware Policies: Access can depend on department, time of day, or even the type of AI analysis.
User Management: Users are synced from our database to Permit.io, so roles and permissions are always up to date.
Real-Time Checks: Every time a user tries to do something important, AICHA checks with Permit.io to see if it's allowed.
Audit Logging: Every action is logged for compliance and security.

Setting Up Permit.io for AICHA (For First-Time Users)

Option 1: Manual Setup via Permit.io Dashboard

Create a Permit.io Account:
- Go to Permit.io and sign up
- Create a new project called "AICHA"
Configure Resources:
Navigate to the Resources tab and create three key resources:

a. Patient Records:

   Key: patients
   Name: Patient Records
   Description: Medical patient information
   Actions:
     - create (Create new patient records)
     - read (View patient information)
     - update (Modify patient details)
     - delete (Remove patient records)
   Attributes:
     - department_id: string
     - record_type: string

b. AI Analysis:

   Key: ai_analysis
   Name: AI Analysis
   Description: AI-powered medical analysis
   Actions:
     - run (Execute AI analysis)
     - approve (Approve analysis results)
     - view (View analysis reports)
   Attributes:
     - analysis_type: string
     - department_id: string

c. Treatment Plans:

   Key: treatment
   Name: Treatment Plans
   Description: Patient treatment recommendations
   Actions:
     - suggest (Create treatment suggestions)
     - approve (Approve treatment plans)
     - view (View treatment details)
   Attributes:
     - department_id: string
     - treatment_type: string

Set Up Roles and Permissions: Create the following roles with specific permissions:

a. Administrator:

   Key: admin
   Permissions:
     - create:patients
     - read:patients
     - update:patients
     - delete:patients
     - run:ai_analysis
     - approve:ai_analysis
     - view:ai_analysis
     - suggest:treatment
     - approve:treatment
     - view:treatment

b. Doctor:

   Key: doctor
   Permissions:
     - read:patients
     - update:patients
     - run:ai_analysis
     - view:ai_analysis
     - suggest:treatment
     - approve:treatment
     - view:treatment

c. Nurse:

   Key: nurse
   Permissions:
     - read:patients
     - view:ai_analysis
     - view:treatment

Get API Credentials:
- Go to Settings > API Keys
- Copy your API key, project ID, and environment
- Add them to your .env file:
```
 PERMIT_API_KEY=your_api_key
 PERMIT_PROJECT_ID=your_project_id
 PERMIT_ENVIRONMENT=dev
```

Option 2: Automated Setup (Using Our Scripts)

If you want to set up everything automatically, just run our setup script!

Configure your .env file (see above)
Run the setup script:

   cd backend
   npm install
   node scripts/permit-setup.js

This will:

Create all resources and roles in Permit.io
Set up permissions and policies
Sync all users from your database

How Permissions Are Checked in AICHA

Whenever a user logs in or tries to use a feature, AICHA:

Checks their role and department
Asks Permit.io if they're allowed to do the action (like run AI analysis)
If Permit.io says yes, the action happens; if not, it's blocked
Every check and action is logged for auditing

Example:

// Check if a doctor can run AI analysis
const canRunAI = await permit.checkAIAccess(currentUser, 'diagnosis', patientDepartment);
if (!canRunAI) {
  return res.status(403).json({ error: 'Not allowed to run AI analysis' });
}

Core Implementation Files (How We Use Permit.io)

1. permit.js (Core Permit.io Integration)

const { Permit } = require('@permit.io/permit-node');
const dotenv = require('dotenv');
dotenv.config();

class PermitService {
  constructor() {
    this.permit = new Permit({
      token: process.env.PERMIT_API_KEY,
      pdp: "https://cloudpdp.api.permit.io",
      projectId: process.env.PERMIT_PROJECT_ID,
      environment: process.env.PERMIT_ENVIRONMENT
    });
    this.initializeSyncService();
  }
  async initializeSyncService() {
    const { syncUsers } = require('./permit-sync-users');
    await syncUsers();
    setInterval(syncUsers, 5 * 60 * 1000);
  }
  async checkPermission(user, action, resource) {
    return await this.permit.check(user.id, action, resource);
  }
  async checkContextualPermission(user, action, resource, context) {
    const baseContext = {
      user: { role: user.role, department_id: user.department_id },
      resource: { type: resource, department_id: context.department_id },
      time: new Date().toLocaleTimeString('en-US', { hour12: false })
    };
    return await this.permit.check(user.id, action, resource, { ...baseContext, ...context });
  }
  async checkAIAccess(user, analysisType, patientDepartment) {
    const context = { analysis_type: analysisType, department_id: patientDepartment, time: new Date().toLocaleTimeString('en-US', { hour12: false }) };
    return await this.checkContextualPermission(user, 'run', 'ai_analysis', context);
  }
  async checkTreatmentAccess(user, treatmentType, patientDepartment) {
    const context = { treatment_type: treatmentType, department_id: patientDepartment };
    return await this.checkContextualPermission(user, 'suggest', 'treatment', context);
  }
  async logAudit(userId, action, resource, details) {
    await this.permit.audit.log({ user: userId, action, resource, details });
  }
}
module.exports = new PermitService();

What does this do?

Connects to Permit.io
Syncs users
Checks permissions (including context-aware checks)
Logs every important action

2. permit-utils.js (Permission Helpers)

async function checkAccess(permit, user, action, resource) {
  const permitted = await permit.check(user.id, action, resource);
  if (!permitted) return false;
  const context = {
    user: { role: user.role, department_id: user.department_id },
    resource: { type: resource, department_id: user.department_id }
  };
  return await permit.checkWithContext(user.id, action, resource, context);
}
module.exports = { checkAccess };

What does this do?

Checks if a user can do something, with extra context (like department)

3. permit-sync-users.js (User Sync)

const { Pool } = require('pg');
const permit = require('./permit');
const dotenv = require('dotenv');
dotenv.config();
const pool = new Pool({
  user: process.env.DB_USER,
  host: process.env.DB_HOST,
  database: process.env.DB_NAME,
  password: process.env.DB_PASSWORD,
  port: process.env.DB_PORT
});
async function syncUsers() {
  try {
    const result = await pool.query(`
      SELECT u.id, u.email, u.role, u.department_id, u.first_name, u.last_name
      FROM users u
      WHERE u.active = true
    `);
    for (const user of result.rows) {
      await permit.users.sync({
        key: user.id,
        email: user.email,
        firstName: user.first_name,
        lastName: user.last_name,
        attributes: { role: user.role, department_id: user.department_id }
      });
    }
    console.log(`✅ Successfully synced ${result.rows.length} users with Permit.io`);
  } catch (error) {
    console.error('❌ Error syncing users:', error);
  } finally {
    await pool.end();
  }
}
module.exports = { syncUsers };

What does this do?

Syncs all active users from our database to Permit.io, so permissions are always up to date

4. permit.json (Resource & Role Config)

{
  "resources": {
    "patients": {
      "name": "Patient Records",
      "actions": ["create", "read", "update", "delete"]
    },
    "ai_analysis": {
      "name": "AI Analysis",
      "actions": ["run", "approve", "view"]
    },
    "treatment": {
      "name": "Treatment Plans",
      "actions": ["suggest", "approve", "view"]
    }
  },
  "roles": {
    "admin": {
      "permissions": ["create:patients", "read:patients", "update:patients", "delete:patients", "run:ai_analysis", "approve:ai_analysis", "view:ai_analysis", "suggest:treatment", "approve:treatment", "view:treatment"]
    },
    "doctor": {
      "permissions": ["read:patients", "update:patients", "run:ai_analysis", "view:ai_analysis", "suggest:treatment", "approve:treatment", "view:treatment"]
    },
    "nurse": {
      "permissions": ["read:patients", "view:ai_analysis", "view:treatment"]
    }
  }
}

What does this do?

Defines all resources, actions, and roles for Permit.io

5. permit-setup.js (Automated Setup Script)

const { Permit } = require('@permit.io/permit-node');
const dotenv = require('dotenv');
const { syncUsers } = require('../utils/permit-sync-users');
dotenv.config();
const permit = new Permit({
  token: process.env.PERMIT_API_KEY,
  pdp: "https://cloudpdp.api.permit.io",
  projectId: process.env.PERMIT_PROJECT_ID,
  environment: process.env.PERMIT_ENVIRONMENT
});
const resources = {
  patients: {
    name: "Patient Records",
    description: "Medical patient information",
    actions: ["create", "read", "update", "delete"],
    attributes: { department_id: "string", record_type: "string" }
  },
  ai_analysis: {
    name: "AI Analysis",
    description: "AI-powered medical analysis",
    actions: ["run", "approve", "view"],
    attributes: { analysis_type: "string", department_id: "string" }
  },
  treatment: {
    name: "Treatment Plans",
    description: "Patient treatment recommendations",
    actions: ["suggest", "approve", "view"],
    attributes: { department_id: "string", treatment_type: "string" }
  }
};
const roles = {
  admin: {
    name: "Administrator",
    description: "Full system access",
    permissions: ["create:patients", "read:patients", "update:patients", "delete:patients", "run:ai_analysis", "approve:ai_analysis", "view:ai_analysis", "suggest:treatment", "approve:treatment", "view:treatment"]
  },
  doctor: {
    name: "Doctor",
    description: "Medical staff with AI access",
    permissions: ["read:patients", "update:patients", "run:ai_analysis", "view:ai_analysis", "suggest:treatment", "approve:treatment", "view:treatment"]
  },
  nurse: {
    name: "Nurse",
    description: "Basic medical staff access",
    permissions: ["read:patients", "view:ai_analysis", "view:treatment"]
  }
};
async function setupPermit() {
  try {
    console.log('🚀 Starting Permit.io setup...');
    for (const [key, resource] of Object.entries(resources)) {
      console.log(`Creating resource: ${resource.name}`);
      await permit.api.resources.create({ key, name: resource.name, description: resource.description, actions: resource.actions, attributes: resource.attributes });
    }
    for (const [key, role] of Object.entries(roles)) {
      console.log(`Creating role: ${role.name}`);
      await permit.api.roles.create({ key, name: role.name, description: role.description, permissions: role.permissions });
    }
    console.log('Syncing users...');
    await syncUsers();
    console.log('✅ Setup completed successfully!');
  } catch (error) {
    console.error('❌ Setup failed:', error);
    process.exit(1);
  }
}
setupPermit();

What does this do?

Creates all resources and roles in Permit.io
Sets up permissions and attributes
Syncs users from the database

Validating Permit.io Functionality at Runtime

Every time a user logs in or tries to use a feature, AICHA checks with Permit.io to see if they're allowed
All permission checks are context-aware (role, department, time, etc.)
All actions are logged for auditing
User roles and permissions are kept in sync automatically

Conclusion

AICHA shows how externalized authorization with Permit.io makes it easy to build secure, flexible, and auditable healthcare apps. With Permit.io, you can:

Control who can access AI features and sensitive data
Update policies instantly without code changes
Keep a full audit trail for compliance
Make your app safer and easier to manage

Project Repo

https://github.com/Manikant92/AICHA

Demo

Subtitles.ai - There is an ability in every disability

Manikant Kella — Mon, 11 Apr 2022 17:22:36 +0000

Innovative Ideas Challenge

Introduction

The Innovative Ideas category is an ideal choice where I want to leverage Deepgram STT to solve the problem for Hard of Hearing Community(Deaf). I had experience with Deepgram as part of this hackathon where I have submitted one project leveraging Deepgram STT. Due to time constraints, I couldn't be able to submit the solution as a project, but want to bring to notice that with DG STT, real world problems can be solved.

My Deepgram Use-Case

We all know we are in a Sound tech era and there is always a problem for deaf and people with some or other hearing problems (Hard of Hearing Community) where they face many challenges what the others are speaking it can be during phone call interactions, Zoom/Teams/Slack meetings, any YouTube video, any movie watching channel/video or even to listening to audio channels like Spotify etc.,.

With Deepgram STT, there comes the power where subtitles can be generated as generic way without integration with any apps like mentioned above.

An Windows App can be built using Python Tkinter GUI and Deepgram STT and via websocket programming, everything that is getting played/listened can be heard via Windows mic and generate the subtitles so that Hard of Hearing Community can enjoy keeping aside all their disabilities.

Dive into Details

In order to solve the problem for Hard of Hearing people, we can build an Windows (since its the OS majority of the users use) application which converts all sound apps with Subtitles under the bar which makes an effective solution for Hearing problem users.
It converts any application sound that is getting played or listened (Youtube, Netflix, Prime, Spotify, Zoom/Teams call, any Video, any Audio etc.,.) to on Windows OS into Subtitles of any language preference the user have.
Now using the app, without disturbing their other apps, it displays Subtitles (leveraging Deepgram STT) near taskbar of Windows for any sound getting listened to or played to.
It can also have the capability of displaying subtitles in any language the user prefers to.

Conclusion

With Deepgrams STT tech, there is an ability for every disability.
Impacting the Hard of Hearing community with a generic solution where they can leverage the app to full extent with DG STT.
Expand the same solution for Mac, Linux, Android users.

VProfressor.ai - A 24x7 Virtual Professor for Students

Manikant Kella — Mon, 11 Apr 2022 16:56:41 +0000

Overview of My Submission

Education is everything. Knowledge empowers anything.

That said, Covid-19 forced students to virtual learning where students are struggling to interact and get timely feedback, new learnings, clarifications with the professor or friends due to various reasons.

To solve the problem, we came up with web application where it helps the students and increase their speed, efficiency of learning and also get their doubts clarified with additional learnings.

VProfessor.ai contains different features designed to facilitate online learning. Users can upload a wav/mp3/ text files. Then, a Deepgram STT transcript of the audio is returned, along with a summary of the data. This includes key words and main topics, Wikipedia page links, current events from NewsAPI, and recommended YouTube videos. From here, users can either read the summary report on the website or download it as a pdf for their personal studying. Additionally, students may "ask the professor" a question, and get a quick short answer for themselves which leverages wolframalpha api's.

Submission Category

Wacky Wildcards

Link to Code on GitHub

GitHub Link: https://github.com/Manikant92/DG_VProfressor.ai

Additional Resources / Info

Demo Video: https://youtu.be/hPWR2ED0NK4

With just this piece of code comes the entire power for application.

  async function transcribe(file){
    const streamSource = {
      stream: fs.createReadStream(file),
      mimetype: mime.getType(file),
    };

    const response = await deepgram.transcription.preRecorded(streamSource, {
      punctuate: false,
      utterances: true,
    });
    console.log("DG Response" + response);

    var srtTranscript = response.toSRT(); // toWebVTT() //toSRT()
    srtTranscript = srtTranscript.replace(/\d+/g, '');
    srtTranscript = srtTranscript.replace(/:/g,'');
    srtTranscript = srtTranscript.replace(/-/g,'');
    srtTranscript = srtTranscript.replace(/>/g,'');
    srtTranscript = srtTranscript.replace(/,/g,'');
    console.log("DG SRT Transcript" + srtTranscript);
    return srtTranscript;
  }

Dive into Details

We are leveraging Deepgram Speech-to-Text API and use it to convert audio/video files to a written transcript.
With Azure Text Analytics, we will generate an analysis report containing transcript, summary, and keywords.
With that keywords output, we will use the Wikipedia API, NewsAPI to generate links based on the keywords. To provide more information, we will also create a system to search recommended YouTube videos based on a search query, which used the YouTube-Data API.
We are using Azure Blob Storage to store video/audio files.
An additional feature of "ask the professor" is provided to users, where users can search any questions or doubts, it fetches the answer from wolframalpha api and displays to user.

Impact

It creates a wide impact and provides huge benefits to all Students due to Virtual mode of learning during Covid-19.
It saves students time and effort where they can get all information at one place.
It increases efficiency of students/users.
It improves speed of learning.
A one stop app which integrates with multiples api's and makes it easy for students for learning.

Conclusion

Deepgram STT is so accurate and fast which makes it more reliable for students education.
With Deepgram STT comes the whole power for entire application.