Show HN: I built an OSHA compliance SaaS for oilfields using only LLMs(basincheck.com)
basincheck.com
Show HN: I built an OSHA compliance SaaS for oilfields using only LLMs
https://basincheck.com
2 comments
Thanks! This is definitely the part that kept me up at night as a non-traditional dev.
My philosophy was to write as little security code as possible myself and rely on battle-tested infrastructure:
Auth & User Data: I rely entirely on Supabase Auth (which is based on the GoTrue API). I don't touch password hashing or session management logic directly.
Data Access: I use PostgreSQL Row Level Security (RLS) policies extensively. Every request to the DB has to pass a policy like auth.uid() = company_id. This ensures that even if there’s a bug in my frontend code, the database layer rejects unauthorized access.
Inputs: I use Zod for strict schema validation on all API routes to prevent weird injections before they even hit the DB.
Since this is for Oil & Gas (sensitive compliance data), I also made a hard rule: No AI agents have write-access to the database. The AI only suggests text/codes in the UI, and a logged-in human must click "Save."
My philosophy was to write as little security code as possible myself and rely on battle-tested infrastructure:
Auth & User Data: I rely entirely on Supabase Auth (which is based on the GoTrue API). I don't touch password hashing or session management logic directly.
Data Access: I use PostgreSQL Row Level Security (RLS) policies extensively. Every request to the DB has to pass a policy like auth.uid() = company_id. This ensures that even if there’s a bug in my frontend code, the database layer rejects unauthorized access.
Inputs: I use Zod for strict schema validation on all API routes to prevent weird injections before they even hit the DB.
Since this is for Oil & Gas (sensitive compliance data), I also made a hard rule: No AI agents have write-access to the database. The AI only suggests text/codes in the UI, and a logged-in human must click "Save."
Congrats on the launch! How are you handling security?
The Product BasinCheck (https://basincheck.com) replaces the clipboard/Excel workflow for Safety Managers in the Permian Basin. It handles offline audits, hot work permits, and automates OSHA 300 logs.
The Stack
Next.js (App Router): Monorepo setup lets me spin out features as standalone free tools for SEO/lead gen.
Supabase: The path of least resistance for backend/auth.
Resend: For all transactional/marketing emails.
Stripe: Stuck with the standard despite the Polar/Lemon Squeezy hype. The SDK coverage made it easier for LLMs to generate reliable integration code.
AI: Used for parsing incident descriptions to suggest OSHA codes. Hard rule: AI is read-only/suggestion mode. A human (Safety/HSE manager) must approve every classification.
The "Vibe Coding" Reality Check
The biggest lesson so far: AI leaves logic gaps. I asked the AI to "alert me on new signups," which it did—for email/password forms. I missed my first real user for 5 days because the AI didn't intuitively know to hook those same alerts into the Google OAuth callback.
Fix: Moved logic from client-side to Postgres triggers on auth.users to catch everything at the DB level.
Happy to answer questions on the prompting workflow or the "boring" industrial tech stack.