DEV Community: Ugur Aslim The latest articles on DEV Community by Ugur Aslim (@uaslimcreate). https://dev.to/uaslimcreate https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3944682%2F3e1d4e4c-3b03-470e-a011-7a23fad062c5.jpeg DEV Community: Ugur Aslim https://dev.to/uaslimcreate en Multi-Tenant FastAPI + React: Architecture Decisions Explained Ugur Aslim Thu, 21 May 2026 18:34:11 +0000 https://dev.to/uaslimcreate/multi-tenant-fastapi-react-architecture-decisions-explained-43km https://dev.to/uaslimcreate/multi-tenant-fastapi-react-architecture-decisions-explained-43km <p>Building multi-tenant SaaS is a sequence of architecture decisions where the wrong choices compound. A tenant isolation model that seemed reasonable at 10 tenants becomes a migration nightmare at 1000. An auth pattern that "works" creates a security gap under load.</p> <p>This post documents every significant architecture decision in CitizenApp — a GDPR-compliant citizen management SaaS — and the reasoning behind each one. I'll be direct about the tradeoffs and what I'd do differently.</p> <h2> Tenant Isolation: Row-Level vs Schema-Per-Tenant vs Database-Per-Tenant </h2> <p>This is the first decision that constrains everything downstream.</p> <p><strong>Three options:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Strategy</th> <th>Isolation</th> <th>Complexity</th> <th>Migration cost</th> <th>Cross-tenant queries</th> </tr> </thead> <tbody> <tr> <td> <code>tenant_id</code> column</td> <td>Logical</td> <td>Low</td> <td>Low</td> <td>Easy</td> </tr> <tr> <td>Schema per tenant</td> <td>Physical</td> <td>Medium</td> <td>High</td> <td>Hard</td> </tr> <tr> <td>Database per tenant</td> <td>Full</td> <td>High</td> <td>Very high</td> <td>Impossible</td> </tr> </tbody> </table></div> <p>For CitizenApp, I chose <strong><code>tenant_id</code> column on every table</strong>. Here's the reasoning:</p> <ul> <li> <strong>Scale:</strong> Under 500 tenants at launch. Schema-per-tenant is worth the complexity at 10,000+ tenants when you need schema-level customisation.</li> <li> <strong>GDPR compliance:</strong> Logical isolation is sufficient for GDPR if implemented correctly. Physical isolation adds ops complexity without a compliance benefit at this scale.</li> <li> <strong>Query patterns:</strong> I need cross-tenant analytics for the admin dashboard (aggregate counts, not row data). Schema-per-tenant makes this significantly harder.</li> <li> <strong>Migration tooling:</strong> Alembic works cleanly with a single schema. Per-schema migrations require custom tooling.</li> </ul> <p><strong>The implementation:</strong></p> <p>Every data model inherits from a base that enforces <code>tenant_id</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TenantMixin</span><span class="p">:</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span> <span class="nc">ForeignKey</span><span class="p">(</span><span class="sh">"</span><span class="s">tenants.id</span><span class="sh">"</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">class</span> <span class="nc">VatandasModel</span><span class="p">(</span><span class="n">TenantMixin</span><span class="p">,</span> <span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">vatandas</span><span class="sh">"</span> <span class="nb">id</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">int</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">ad_soyad</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">200</span><span class="p">))</span> <span class="n">tc_no</span><span class="p">:</span> <span class="n">Mapped</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nf">mapped_column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">11</span><span class="p">))</span> <span class="c1"># encrypted at rest </span> <span class="c1"># ... </span></code></pre> </div> <p><strong>The enforcement layer — Repository pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">CitizenRepository</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span> <span class="o">=</span> <span class="n">db</span> <span class="n">self</span><span class="p">.</span><span class="n">tenant_id</span> <span class="o">=</span> <span class="n">tenant_id</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_all</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">skip</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">0</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">100</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">VatandasModel</span><span class="p">]:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">.</span><span class="n">tenant_id</span> <span class="o">==</span> <span class="n">self</span><span class="p">.</span><span class="n">tenant_id</span><span class="p">)</span> <span class="p">.</span><span class="nf">offset</span><span class="p">(</span><span class="n">skip</span><span class="p">)</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="n">limit</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">all</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_by_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">citizen_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">VatandasModel</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span> <span class="n">VatandasModel</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">citizen_id</span><span class="p">,</span> <span class="n">VatandasModel</span><span class="p">.</span><span class="n">tenant_id</span> <span class="o">==</span> <span class="n">self</span><span class="p">.</span><span class="n">tenant_id</span> <span class="c1"># always scoped </span> <span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar_one_or_none</span><span class="p">()</span> </code></pre> </div> <p>The <code>tenant_id</code> filter is in the repository, not the endpoint. Endpoints never construct raw queries — they call repository methods. This makes it structurally difficult to accidentally return cross-tenant data.</p> <p><strong>What I'd add now:</strong> PostgreSQL Row-Level Security policies as a second enforcement layer. Even if application code has a bug, RLS at the database level ensures no cross-tenant data leaks. It's belt-and-suspenders isolation.</p> <h2> JWT Design: What's in the Token and Why </h2> <p>Token design has permanent consequences. Tokens issued today will be used until they expire — you can't retroactively change their structure without forcing re-login.</p> <p><strong>CitizenApp's access token payload:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="p">{</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">42</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># user_id </span> <span class="sh">"</span><span class="s">tenant_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">7</span><span class="p">,</span> <span class="c1"># tenant scope — embedded, not looked up per request </span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">operator</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># rbac role — same reasoning </span> <span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user@co.com</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># for audit logging without a DB lookup </span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1716307200</span><span class="p">,</span> <span class="c1"># 15 minutes </span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">access</span><span class="sh">"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why <code>tenant_id</code> and <code>role</code> are in the token:</strong></p> <p>Every request needs these. If they're not in the token, every API call requires a database lookup to find the user's tenant and role. At 100 requests/second, that's 100 unnecessary DB queries/second. With token-embedded claims, the FastAPI middleware extracts everything it needs from the token signature verification — zero DB round-trips for auth.</p> <p><strong>The tradeoff:</strong> If you change a user's role, the old token is still valid for up to 15 minutes. This is acceptable for CitizenApp. If immediate revocation were required, I'd use short-lived tokens (5 minutes) plus a Redis token blocklist.</p> <p><strong>Refresh token rotation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">rotate_refresh_token</span><span class="p">(</span> <span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">old_token</span><span class="p">:</span> <span class="nb">str</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="n">stored</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_refresh_token</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">old_token</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">stored</span> <span class="ow">or</span> <span class="n">stored</span><span class="p">.</span><span class="n">is_revoked</span><span class="p">:</span> <span class="c1"># Possible token theft — revoke entire family </span> <span class="k">await</span> <span class="nf">revoke_token_family</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">stored</span><span class="p">.</span><span class="n">family_id</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Token reuse detected</span><span class="sh">"</span><span class="p">)</span> <span class="k">await</span> <span class="nf">revoke_token</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">old_token</span><span class="p">)</span> <span class="n">new_access</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">stored</span><span class="p">.</span><span class="n">user_id</span><span class="p">,</span> <span class="n">stored</span><span class="p">.</span><span class="n">tenant_id</span><span class="p">)</span> <span class="n">new_refresh</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">create_refresh_token</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">stored</span><span class="p">.</span><span class="n">user_id</span><span class="p">,</span> <span class="n">stored</span><span class="p">.</span><span class="n">family_id</span><span class="p">)</span> <span class="k">return</span> <span class="n">new_access</span><span class="p">,</span> <span class="n">new_refresh</span> </code></pre> </div> <p>Refresh tokens use family-based rotation. If a refresh token is used twice (token theft scenario), the entire family is revoked. This forces re-login and stops the attacker even if they got the token first.</p> <h2> RBAC: Three Roles, One Decision Point </h2> <p>CitizenApp has three roles: <code>admin</code>, <code>operator</code>, <code>viewer</code>.</p> <p><strong>What I didn't do:</strong> Fine-grained permissions per action. CASL, custom permission tables, or middleware that checks <code>user.permissions.includes("citizen:delete")</code>.</p> <p><strong>Why not:</strong> Premature flexibility. At three roles with clear semantics, a permission matrix adds indirection without value. The role hierarchy is:</p> <ul> <li> <code>viewer</code> → read-only access to citizen data</li> <li> <code>operator</code> → read + write citizen data, run imports</li> <li> <code>admin</code> → everything + user management + billing + tenant settings</li> </ul> <p><strong>The FastAPI implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">require_role</span><span class="p">(</span><span class="o">*</span><span class="n">roles</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">def</span> <span class="nf">dependency</span><span class="p">(</span><span class="n">current_user</span><span class="p">:</span> <span class="n">UserModel</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="k">if</span> <span class="n">current_user</span><span class="p">.</span><span class="n">role</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">roles</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Insufficient permissions</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">current_user</span> <span class="k">return</span> <span class="n">dependency</span> <span class="c1"># Usage </span><span class="nd">@router.delete</span><span class="p">(</span><span class="sh">"</span><span class="s">/citizens/{id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">delete_citizen</span><span class="p">(</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="n">UserModel</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="nf">require_role</span><span class="p">(</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">operator</span><span class="sh">"</span><span class="p">)),</span> <span class="n">repo</span><span class="p">:</span> <span class="n">CitizenRepository</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_citizen_repo</span><span class="p">),</span> <span class="p">):</span> <span class="bp">...</span> <span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/users</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_users</span><span class="p">(</span> <span class="n">user</span><span class="p">:</span> <span class="n">UserModel</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="nf">require_role</span><span class="p">(</span><span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">)),</span> <span class="bp">...</span> <span class="p">):</span> <span class="bp">...</span> </code></pre> </div> <p>Clean, readable, testable. When the permission model needs to evolve, it's one function.</p> <p><strong>The audit trail connects here:</strong> Every destructive action logs <code>user_id</code>, <code>tenant_id</code>, <code>action</code>, <code>target_id</code>, and <code>before</code>/<code>after</code> states. Compliance requires knowing <em>who</em> did <em>what</em> to <em>which record</em> at <em>what time</em>. The role doesn't change the requirement — it just determines whether the action was permitted.</p> <h2> Encryption at Rest: Fernet Over Column-Level Encryption </h2> <p>PII like the TC identity number (Turkish national ID) must be encrypted at rest. Three options:</p> <ol> <li> <strong>Application-level encryption (Fernet/AES)</strong> — encrypt in Python before INSERT</li> <li> <strong>PostgreSQL column encryption (pgcrypto)</strong> — encrypt at the database level</li> <li> <strong>Transparent Data Encryption</strong> — encrypt at the filesystem/disk level</li> </ol> <p>I chose <strong>application-level Fernet encryption</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">cryptography.fernet</span> <span class="kn">import</span> <span class="n">Fernet</span> <span class="k">class</span> <span class="nc">EncryptionService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">fernet</span> <span class="o">=</span> <span class="nc">Fernet</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encrypt</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">fernet</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">value</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">def</span> <span class="nf">decrypt</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">fernet</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span><span class="n">value</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">decode</span><span class="p">()</span> <span class="c1"># SQLAlchemy event listener — transparent to the rest of the code </span><span class="nd">@event.listens_for</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">.</span><span class="n">tc_no</span><span class="p">,</span> <span class="sh">"</span><span class="s">set</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encrypt_tc_no</span><span class="p">(</span><span class="n">target</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">oldvalue</span><span class="p">,</span> <span class="n">initiator</span><span class="p">):</span> <span class="k">if</span> <span class="n">value</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">value</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">gAAAAA</span><span class="sh">"</span><span class="p">):</span> <span class="c1"># not already encrypted </span> <span class="n">target</span><span class="p">.</span><span class="n">tc_no</span> <span class="o">=</span> <span class="n">encryption_service</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> </code></pre> </div> <p><strong>Why not pgcrypto:</strong> pgcrypto requires the encryption key to be available to PostgreSQL. That means it's accessible to anyone with database access. Application-level encryption keeps the key in the application environment (Render secrets), separate from the database.</p> <p><strong>Why not TDE:</strong> TDE protects against physical disk theft. It doesn't protect against a compromised database user or a SQL injection that returns raw table data. Application-level encryption does.</p> <p><strong>Key rotation:</strong> Fernet supports key rotation via <code>MultiFernet</code>. Old ciphertext decrypts with old key; new data encrypts with new key. Zero-downtime rotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># During rotation window </span><span class="n">fernet</span> <span class="o">=</span> <span class="nc">MultiFernet</span><span class="p">([</span><span class="n">new_key_fernet</span><span class="p">,</span> <span class="n">old_key_fernet</span><span class="p">])</span> </code></pre> </div> <h2> Database: Async SQLAlchemy Patterns </h2> <p>CitizenApp uses FastAPI with <code>asyncpg</code> and async SQLAlchemy. This is the right choice but it has sharp edges.</p> <p><strong>Session scoping:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">AsyncGenerator</span><span class="p">[</span><span class="n">AsyncSession</span><span class="p">,</span> <span class="bp">None</span><span class="p">]:</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">AsyncSessionLocal</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">yield</span> <span class="n">session</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">rollback</span><span class="p">()</span> <span class="k">raise</span> </code></pre> </div> <p>Each request gets its own session. Auto-commit on success, auto-rollback on exception. No manual transaction management in endpoint code.</p> <p><strong>The N+1 trap:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># BAD: N+1 queries </span><span class="n">citizens</span> <span class="o">=</span> <span class="k">await</span> <span class="n">repo</span><span class="p">.</span><span class="nf">get_all</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">citizens</span><span class="p">:</span> <span class="n">c</span><span class="p">.</span><span class="n">audit_count</span> <span class="o">=</span> <span class="k">await</span> <span class="n">audit_repo</span><span class="p">.</span><span class="nf">count_for</span><span class="p">(</span><span class="n">c</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="c1"># N extra queries </span> <span class="c1"># GOOD: single query with subquery </span><span class="n">stmt</span> <span class="o">=</span> <span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">,</span> <span class="n">func</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="n">AuditModel</span><span class="p">.</span><span class="nb">id</span><span class="p">).</span><span class="nf">label</span><span class="p">(</span><span class="sh">"</span><span class="s">audit_count</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">outerjoin</span><span class="p">(</span><span class="n">AuditModel</span><span class="p">,</span> <span class="n">AuditModel</span><span class="p">.</span><span class="n">citizen_id</span> <span class="o">==</span> <span class="n">VatandasModel</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">.</span><span class="n">tenant_id</span> <span class="o">==</span> <span class="n">tenant_id</span><span class="p">)</span> <span class="p">.</span><span class="nf">group_by</span><span class="p">(</span><span class="n">VatandasModel</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Async SQLAlchemy doesn't protect you from N+1. You have to think about it explicitly. I caught several in code review — a query in a loop is always a red flag.</p> <p><strong>The lazy loading trap:</strong></p> <p>Async SQLAlchemy doesn't support lazy loading. Any relationship access outside a transaction raises <code>MissingGreenlet</code>. You must declare what you need upfront:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">stmt</span> <span class="o">=</span> <span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">UserModel</span><span class="p">)</span> <span class="p">.</span><span class="nf">options</span><span class="p">(</span><span class="nf">selectinload</span><span class="p">(</span><span class="n">UserModel</span><span class="p">.</span><span class="n">tenant</span><span class="p">))</span> <span class="c1"># explicit eager load </span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">UserModel</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <h2> Migration Strategy: Alembic in Production </h2> <p>Every schema change in CitizenApp is an Alembic migration. No exceptions. No <code>CREATE TABLE</code> in the application startup code.</p> <p><strong>The pattern that works:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Never autogenerate directly to production</span> alembic revision <span class="nt">--autogenerate</span> <span class="nt">-m</span> <span class="s2">"add_ai_credits_to_users"</span> <span class="c"># Review the generated file</span> <span class="c"># Add explicit data migrations if needed</span> alembic upgrade <span class="nb">head</span> </code></pre> </div> <p><strong>Zero-downtime migrations — the rules:</strong></p> <ol> <li> <strong>Never rename a column directly.</strong> Add the new column, backfill, update application code, then drop the old column in a separate migration run.</li> <li> <strong>New NOT NULL columns need a DEFAULT or a two-step migration.</strong> Adding <code>NOT NULL</code> without a default locks the table.</li> <li> <strong>Index creation should be CONCURRENT.</strong> <code>CREATE INDEX CONCURRENTLY</code> doesn't lock reads/writes. Standard <code>CREATE INDEX</code> does. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In Alembic migration — concurrent index </span><span class="n">op</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">CREATE INDEX CONCURRENTLY IF NOT EXISTS ix_vatandas_tenant_created ON vatandas(tenant_id, created_at DESC)</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Alembic doesn't generate CONCURRENTLY by default. You have to write it manually.</p> <h2> Frontend Architecture: React 19 + TanStack Query </h2> <p><strong>State management decision:</strong> No Redux, no Zustand. TanStack Query for server state, <code>useState</code> for local UI state.</p> <p>The vast majority of React state is server data — citizen lists, user lists, audit logs. TanStack Query handles fetching, caching, background refresh, and optimistic updates. There's no global client-side state that needs a store.</p> <p><strong>React 19 <code>useOptimistic</code> for instant UX:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">optimisticCitizens</span><span class="p">,</span> <span class="nx">addOptimistic</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useOptimistic</span><span class="p">(</span><span class="nx">citizens</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleDelete</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="nf">addOptimistic</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="nx">prev</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">c</span> <span class="o">=&gt;</span> <span class="nx">c</span><span class="p">.</span><span class="nx">id</span> <span class="o">!==</span> <span class="nx">id</span><span class="p">));</span> <span class="c1">// instant</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">deleteCitizen</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="k">await</span> <span class="nx">queryClient</span><span class="p">.</span><span class="nf">invalidateQueries</span><span class="p">([</span><span class="dl">"</span><span class="s2">citizens</span><span class="dl">"</span><span class="p">]);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="c1">// useOptimistic rolls back automatically on error</span> <span class="nx">toast</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Delete failed</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The UI updates immediately. If the API call fails, the optimistic update rolls back. Users get instant feedback without fake loading states.</p> <p><strong>Tenant context:</strong></p> <p>The tenant is embedded in the JWT. The frontend decodes it (without verification — signature verification is the server's job) to personalise the UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">function</span> <span class="nf">useTenant</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">access_token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">atob</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">]));</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">tenant_id</span><span class="p">,</span> <span class="na">plan</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">plan</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>This is fine. The frontend showing wrong data is a UX problem. The backend returning wrong data would be a security problem. The backend always validates the token independently.</p> <h2> What I'd Change </h2> <p><strong>1. PostgreSQL RLS from day one.</strong><br><br> Application-level <code>tenant_id</code> filtering is correct but not sufficient as a <em>guarantee</em>. RLS at the database layer would make it impossible for a bug in the repository layer to expose cross-tenant data. Retrofitting RLS on an existing schema is painful — it should be designed in from the start.</p> <p><strong>2. Separate read and write models (CQRS-lite).</strong><br><br> The list endpoints in CitizenApp do a lot of work: filter, sort, paginate, aggregate audit counts. This would be cleaner with dedicated read models or database views optimised for list queries, separate from the write models.</p> <p><strong>3. Stricter API versioning.</strong><br><br> CitizenApp is currently on v1 with no formal versioning. For a multi-tenant SaaS where different tenants may be on different frontend versions, <code>/api/v1/</code> from the start with a migration plan for v2 would have been smarter.</p> <p><strong>4. Event sourcing for audit.</strong><br><br> The audit log records events but not the full before/after state for every field. Reconstructing "what did this record look like at this point in time" requires replaying events. A proper event-sourced audit table with full snapshots would make compliance reporting significantly easier.</p> <h2> The Bottom Line </h2> <p>Multi-tenant SaaS architecture is about <strong>defaults that are safe by construction</strong>. Tenant isolation in the repository layer, role enforcement in dependencies, encryption at the ORM level — the goal is to make the dangerous thing hard to do accidentally.</p> <p>Every architectural decision in CitizenApp was made with the assumption that I would make mistakes later. The architecture's job is to make those mistakes non-catastrophic.</p> <p><em>Building a multi-tenant SaaS and want a second opinion on the architecture? <a href="https://dev.to/contact">I'm available for consulting.</a></em></p> fastapi react python architecture How I Built 9 Claude AI Features into a Production SaaS Ugur Aslim Thu, 21 May 2026 18:32:21 +0000 https://dev.to/uaslimcreate/how-i-built-9-claude-ai-features-into-a-production-saas-3l https://dev.to/uaslimcreate/how-i-built-9-claude-ai-features-into-a-production-saas-3l <p>Nine AI features. One production SaaS. Zero hallucinated data in the user's face.</p> <p>That last part is harder than it sounds.</p> <p>This is a full technical breakdown of how I designed, built, and shipped nine Claude Haiku features into CitizenApp — a GDPR-compliant citizen management platform. I'll cover the architecture, the security decisions, the failure modes I had to defend against, and what I'd do differently.</p> <h2> Why Haiku, Not Sonnet or Opus </h2> <p>Every AI feature in CitizenApp uses <code>claude-haiku-4-5</code>. The reasoning was deliberate:</p> <p><strong>Cost.</strong> This is a multi-tenant SaaS. Each AI call deducts from the tenant's credit balance. Haiku is significantly cheaper per token than Sonnet — which means I can offer meaningful AI functionality at the Free tier without destroying margins.</p> <p><strong>Speed.</strong> Most features are interactive — the user is waiting. Haiku's latency is typically under 2 seconds for the prompt sizes I'm sending. Sonnet would double or triple that.</p> <p><strong>Sufficient capability.</strong> For structured tasks — SQL generation, data summarisation, duplicate record comparison — Haiku is good enough. I don't need Opus-level reasoning. I need fast, cheap, reliable JSON out.</p> <p><strong>Consistent timeout budget.</strong> Every AI call has a 20-second timeout. Haiku almost always completes in under 5. That matters when you're running on Render's free tier.</p> <h2> The Credit System </h2> <p>Before the features themselves: every AI call in CitizenApp costs credits. This is enforced at the API layer, not the frontend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">deduct_credits</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">1</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">tenant</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">TenantModel</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">)</span> <span class="k">if</span> <span class="n">tenant</span><span class="p">.</span><span class="n">ai_credits</span> <span class="o">&lt;</span> <span class="n">amount</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">402</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Insufficient AI credits</span><span class="sh">"</span><span class="p">)</span> <span class="n">tenant</span><span class="p">.</span><span class="n">ai_credits</span> <span class="o">-=</span> <span class="n">amount</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> </code></pre> </div> <p>Simple. No credits, no AI call. The <code>402 Payment Required</code> response tells the frontend to show the upgrade prompt. Credits are deducted <em>before</em> the Claude API call — if the call fails, I refund them. This prevents users from draining credits on broken requests.</p> <p>Stats queries cost 1 credit. Live DB queries cost 2. The pricing reflects actual Claude token consumption.</p> <h2> Feature 1: CSV Column Mapping </h2> <p><strong>The problem:</strong> Users import citizen data from spreadsheets. The column headers are inconsistent — <code>TC No</code>, <code>tc_no</code>, <code>Kimlik No</code>, <code>ID Number</code> — all mean the same thing. Asking users to manually map every import is a UX failure.</p> <p><strong>The implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">ai_map_columns</span><span class="p">(</span><span class="n">headers</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">You are mapping CSV column headers to a fixed schema. Schema fields: tc_no, ad_soyad, dogum_tarihi, cinsiyet Headers: </span><span class="si">{</span><span class="n">headers</span><span class="si">}</span><span class="s"> Return JSON only: {{</span><span class="sh">"</span><span class="s">tc_no</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">header or null</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">ad_soyad</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">header or null</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">header or null</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">cinsiyet</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">header or null</span><span class="sh">"</span><span class="s">}}</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">anthropic_client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">claude-haiku-4-5</span><span class="sh">"</span><span class="p">,</span> <span class="n">max_tokens</span><span class="o">=</span><span class="mi">200</span><span class="p">,</span> <span class="n">messages</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span><span class="p">)</span> </code></pre> </div> <p><strong>What I learned:</strong> Keep the schema description short and the output format rigid. Early versions asked Claude to "suggest the best mapping" — vague enough that it would sometimes return explanatory text instead of JSON. Specifying <code>Return JSON only:</code> with the exact structure eliminated this.</p> <p><strong>Failure mode handled:</strong> If <code>json.loads</code> throws, fall back to fuzzy string matching. AI is the first attempt, not the only one.</p> <h2> Feature 2: Natural Language Search </h2> <p><strong>The problem:</strong> Users need to filter 50,000+ citizen records. SQL is not the interface.</p> <p><strong>The implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ALLOWED_COLUMNS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">ad_soyad</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cinsiyet</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">created_at</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">il</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ilce</span><span class="sh">"</span><span class="p">}</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">nl_to_sql_filter</span><span class="p">(</span><span class="n">query</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">Convert this natural language query to a PostgreSQL WHERE clause. Table: vatandas Available columns: </span><span class="si">{</span><span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">ALLOWABLE_COLUMNS</span><span class="p">)</span><span class="si">}</span><span class="s"> tenant_id is always </span><span class="si">{</span><span class="n">tenant_id</span><span class="si">}</span><span class="s"> — always include it. Query: </span><span class="sh">"</span><span class="si">{</span><span class="n">query</span><span class="si">}</span><span class="sh">"</span><span class="s"> Return only the WHERE clause starting with </span><span class="sh">'</span><span class="s">WHERE</span><span class="sh">'</span><span class="s">. No explanation.</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">anthropic_client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">claude-haiku-4-5</span><span class="sh">"</span><span class="p">,</span> <span class="n">max_tokens</span><span class="o">=</span><span class="mi">300</span><span class="p">,</span> <span class="n">messages</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}]</span> <span class="p">)</span> <span class="n">clause</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="nf">validate_sql_clause</span><span class="p">(</span><span class="n">clause</span><span class="p">)</span> <span class="c1"># raises on dangerous patterns </span> <span class="k">return</span> <span class="n">clause</span> </code></pre> </div> <p><strong>The critical part — <code>validate_sql_clause</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">BLOCKED</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">drop</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">delete</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">update</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">insert</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">alter</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">exec</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">;</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">union</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sleep</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pg_</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">validate_sql_clause</span><span class="p">(</span><span class="n">clause</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">lower</span> <span class="o">=</span> <span class="n">clause</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">lower</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">where</span><span class="sh">"</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Invalid clause</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">pattern</span> <span class="ow">in</span> <span class="n">BLOCKED</span><span class="p">:</span> <span class="k">if</span> <span class="n">pattern</span> <span class="ow">in</span> <span class="n">lower</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Blocked pattern: </span><span class="si">{</span><span class="n">pattern</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Never trust LLM output with SQL. The allowed columns list is in the prompt — if Claude generates a column not in that list, SQLAlchemy will raise a column-not-found error before anything executes. Defense in depth.</p> <h2> Feature 3: Anomaly Detection </h2> <p><strong>The problem:</strong> Bad data accumulates. Future birthdates, 1890-born citizens, missing gender on 40% of records. Users need to find it without writing reports.</p> <p><strong>The implementation:</strong> I run five deterministic checks in Python — no AI involved in detecting the anomalies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">detect_anomalies</span><span class="p">(</span><span class="n">citizens</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="n">issues</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">today</span> <span class="o">=</span> <span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">citizens</span><span class="p">:</span> <span class="k">if</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="p">]</span> <span class="ow">and</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="p">]</span> <span class="o">&gt;</span> <span class="n">today</span><span class="p">:</span> <span class="n">issues</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">future_dob</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">high</span><span class="sh">"</span><span class="p">})</span> <span class="k">if</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="p">]</span> <span class="ow">and</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="p">].</span><span class="n">year</span> <span class="o">&lt;</span> <span class="mi">1900</span><span class="p">:</span> <span class="n">issues</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">implausible_dob</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">medium</span><span class="sh">"</span><span class="p">})</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">cinsiyet</span><span class="sh">"</span><span class="p">]:</span> <span class="n">issues</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">c</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">missing_gender</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">low</span><span class="sh">"</span><span class="p">})</span> <span class="k">return</span> <span class="n">issues</span> </code></pre> </div> <p>Claude's role is to <em>summarise</em> the results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">summary_prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">Summarise these data quality issues in 2-3 sentences for a non-technical admin: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">issue_counts</span><span class="p">)</span><span class="si">}</span><span class="s"> Be specific about numbers. Suggest the highest-priority fix first.</span><span class="sh">"""</span> </code></pre> </div> <p>This is the right division of labour. Python finds the issues deterministically. Claude explains them in plain language. AI never makes the binary "is this an anomaly" judgment — it just communicates results.</p> <h2> Feature 4: AI Daily Briefing </h2> <p>The simplest feature architecturally. Every morning, the admin dashboard can show a 3-4 sentence Claude-generated briefing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">stats</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">total_records</span><span class="sh">"</span><span class="p">:</span> <span class="mi">12847</span><span class="p">,</span> <span class="sh">"</span><span class="s">missing_gender</span><span class="sh">"</span><span class="p">:</span> <span class="mi">342</span><span class="p">,</span> <span class="sh">"</span><span class="s">missing_dob</span><span class="sh">"</span><span class="p">:</span> <span class="mi">89</span><span class="p">,</span> <span class="sh">"</span><span class="s">potential_duplicates</span><span class="sh">"</span><span class="p">:</span> <span class="mi">23</span><span class="p">,</span> <span class="sh">"</span><span class="s">created_last_7_days</span><span class="sh">"</span><span class="p">:</span> <span class="mi">156</span> <span class="p">}</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">You are a data assistant. Write a 3-4 sentence briefing for an admin about the current state of their citizen database. Be concise and actionable. Stats: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">stats</span><span class="p">)</span><span class="si">}</span><span class="sh">"""</span> </code></pre> </div> <p><strong>Lesson:</strong> Don't send raw PII to the API. Stats are safe. Individual citizen records are not. I aggregate before sending.</p> <h2> Feature 5: AI Duplicate Merge </h2> <p>This was the most complex feature to get right.</p> <p><strong>The problem:</strong> The duplicate detection identifies <em>potential</em> duplicates by similarity score. But merging them requires judgment — which record has the correct spelling? Which birthdate is more likely accurate?</p> <p><strong>The implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">ai_merge_suggest</span><span class="p">(</span><span class="n">record_a</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">record_b</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Mask TC no before sending to Claude </span> <span class="n">safe_a</span> <span class="o">=</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="n">v</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">record_a</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">tc_no</span><span class="sh">"</span><span class="p">}</span> <span class="n">safe_b</span> <span class="o">=</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="n">v</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">record_b</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">tc_no</span><span class="sh">"</span><span class="p">}</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">Compare these two citizen records and suggest the best merged version. Record A (id=</span><span class="si">{</span><span class="n">record_a</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">): </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">safe_a</span><span class="p">)</span><span class="si">}</span><span class="s"> Record B (id=</span><span class="si">{</span><span class="n">record_b</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">): </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">safe_b</span><span class="p">)</span><span class="si">}</span><span class="s"> Return JSON: {{ </span><span class="sh">"</span><span class="s">keep_id</span><span class="sh">"</span><span class="s">: &lt;id of the record to keep as primary&gt;, </span><span class="sh">"</span><span class="s">merged</span><span class="sh">"</span><span class="s">: {{</span><span class="sh">"</span><span class="s">ad_soyad</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">dogum_tarihi</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">YYYY-MM-DD</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">cinsiyet</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">E/K</span><span class="sh">"</span><span class="s">}}, </span><span class="sh">"</span><span class="s">confidence</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">high|medium|low</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">reasoning</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">one sentence explanation</span><span class="sh">"</span><span class="s"> }}</span><span class="sh">"""</span> </code></pre> </div> <p><strong>TC identity number (TC kimlik no) is always masked before sending to Claude.</strong> This is non-negotiable. It's PII, it's regulated, and it's not needed for the merge decision. The <code>keep_id</code> in the response tells the backend which record to promote — Claude never sees or decides on the TC number.</p> <p><strong>Claude's output is never applied automatically.</strong> It's a suggestion displayed to the admin, who clicks "Apply" to confirm. The AI is an advisor, not an actor.</p> <h2> Feature 6: Natural Language Reports </h2> <p><strong>The problem:</strong> Admins need custom data exports. "Give me all female citizens born between 1960 and 1970 in Ankara" is not a filter the UI can anticipate.</p> <p><strong>The implementation:</strong> A dedicated <code>/reports</code> page accepts a natural language query, sends it to Claude for SQL filter generation (same pattern as Feature 2), shows a preview table, then allows CSV/TSV export — all client-side using <code>Blob</code> and <code>URL.createObjectURL</code>.</p> <p>The backend generates the filtered dataset. The download happens in the browser. No server-side file generation, no temp file cleanup, no storage costs.</p> <h2> Features 7 &amp; 8: AI Chat — Stats and Live DB Query </h2> <p>The floating chat widget was the most technically interesting feature.</p> <p><strong>Two modes in one endpoint:</strong></p> <ol> <li><p><strong>Stats mode</strong> — Claude answers questions from aggregate statistics only. "How many records are missing a birthdate?" The answer comes from pre-computed stats, not a live query.</p></li> <li><p><strong>DB query mode</strong> — For questions that can't be answered from stats, Claude generates a SQL <code>SELECT</code> statement that the backend executes directly.</p></li> </ol> <p>The DB query mode required careful safety engineering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SAFE_QUERY_RULES</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> Generate a PostgreSQL SELECT query. Hard rules: - Only query table: vatandas - Never include column: tc_no - Always filter: WHERE tenant_id = {tenant_id} - Always add: LIMIT 100 - No subqueries, no JOINs to other tables - No aggregations that could expose cross-tenant data </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">validate_generated_query</span><span class="p">(</span><span class="n">sql</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">sql_lower</span> <span class="o">=</span> <span class="n">sql</span><span class="p">.</span><span class="nf">lower</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span> <span class="k">assert</span> <span class="n">sql_lower</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">select</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">Must be SELECT</span><span class="sh">"</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">tc_no</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">sql_lower</span><span class="p">,</span> <span class="sh">"</span><span class="s">tc_no is blocked</span><span class="sh">"</span> <span class="k">assert</span> <span class="sa">f</span><span class="sh">"</span><span class="s">tenant_id = </span><span class="si">{</span><span class="n">tenant_id</span><span class="si">}</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">sql_lower</span><span class="p">,</span> <span class="sh">"</span><span class="s">tenant_id filter required</span><span class="sh">"</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">limit</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">sql_lower</span><span class="p">,</span> <span class="sh">"</span><span class="s">LIMIT required</span><span class="sh">"</span> <span class="c1"># Extract and enforce limit </span> <span class="n">limit_match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">limit\s+(\d+)</span><span class="sh">"</span><span class="p">,</span> <span class="n">sql_lower</span><span class="p">)</span> <span class="k">if</span> <span class="n">limit_match</span> <span class="ow">and</span> <span class="nf">int</span><span class="p">(</span><span class="n">limit_match</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">:</span> <span class="n">sql</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">limit\s+\d+</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">LIMIT 100</span><span class="sh">"</span><span class="p">,</span> <span class="n">sql</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="n">re</span><span class="p">.</span><span class="n">IGNORECASE</span><span class="p">)</span> <span class="k">return</span> <span class="n">sql</span> </code></pre> </div> <p>The query executes with a 5-second statement timeout at the database level. If Claude generates something slow, it gets cancelled.</p> <p><strong>Query result display:</strong> Results are shown in a collapsible <code>QueryBlock</code> with the SQL visible above the data table. Users can see exactly what ran. Transparency matters when AI is touching your database.</p> <h2> Feature 9: AI Audit Trail Explainer </h2> <p>The audit log records 30+ event types — <code>citizen_created</code>, <code>bulk_import</code>, <code>login_failed</code>, <code>2fa_enabled</code>, etc. Non-technical admins can't interpret raw event streams.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">explain_audit_events</span><span class="p">(</span><span class="n">events</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Strip internal IDs and technical fields </span> <span class="n">safe_events</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="n">e</span><span class="p">[</span><span class="sh">"</span><span class="s">event_type</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">e</span><span class="p">[</span><span class="sh">"</span><span class="s">user_email</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">time</span><span class="sh">"</span><span class="p">:</span> <span class="n">e</span><span class="p">[</span><span class="sh">"</span><span class="s">created_at</span><span class="sh">"</span><span class="p">]}</span> <span class="k">for</span> <span class="n">e</span> <span class="ow">in</span> <span class="n">events</span><span class="p">[:</span><span class="mi">20</span><span class="p">]</span> <span class="c1"># Last 20 events only </span> <span class="p">]</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">Summarise this audit log in plain language for a non-technical admin. Note any unusual patterns (multiple failed logins, bulk operations, permission changes). 2-4 sentences maximum. Events: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">safe_events</span><span class="p">)</span><span class="si">}</span><span class="sh">"""</span> </code></pre> </div> <p>Cap at 20 events. Don't send the full log. Keep the token budget predictable.</p> <h2> What I'd Do Differently </h2> <p><strong>1. Add structured output from the start.</strong><br><br> Anthropic's tool use / structured output API is cleaner than prompt engineering <code>Return JSON only</code>. I retrofitted it on some features. It should have been the default.</p> <p><strong>2. Cache more aggressively.</strong><br><br> The daily briefing doesn't need to be generated every page load. A 6-hour Redis cache with background refresh would cut AI costs significantly. Currently it regenerates on every dashboard open.</p> <p><strong>3. Separate AI service layer.</strong><br><br> All nine features call Claude via a thin wrapper in <code>app/services/ai.py</code>. This is good for centralised error handling and logging. What I should have added sooner: a proper prompt registry so prompts are versioned and testable independently of the endpoint logic.</p> <p><strong>4. Test AI outputs, not just AI calls.</strong><br><br> My test suite mocks the Anthropic client. That's necessary but insufficient — it doesn't catch prompt regressions. A small set of golden-output integration tests against real Claude (run weekly, not on every CI run) would give me confidence that prompt changes don't silently break feature behaviour.</p> <h2> The Result </h2> <p>Nine features, all in production, all credit-metered, all with safety validation on AI outputs. The platform handles real data for real users.</p> <p>The engineering pattern that made this possible: <strong>AI generates, Python validates, humans confirm.</strong> The LLM is never the last line of defence.</p> <p><em>Building AI features into your product? <a href="https://dev.to/contact">Let's talk about what that looks like.</a></em></p> ai claude python saas