Constructive has unveiled a groundbreaking Postgres platform designed with security as a foundational principle. This innovative solution implements Row-Level Security (RLS) policies at the moment of table creation, eliminating the reliance on later application-side configurations that can often lead to vulnerabilities.
Postgres Focus
The San Francisco-based company is directing its efforts toward teams engaged in developing back-end systems, particularly those utilizing AI-assisted tools. In environments where schema alterations and database permissions can be generated at a pace that outstrips developers’ ability to review them, Constructive aims to enforce permissions and maintain data integrity directly at the database level before any application code is executed.
This launch comes on the heels of significant growth in Constructive’s open-source developer tools, which have surpassed an impressive 100 million downloads on npm. These tools encompass SQL parsers, migration systems, and introspection utilities that are integral to Postgres development workflows.
As Postgres continues to gain traction in both web and enterprise software, it has emerged as a default choice for new applications. Constructive posits that this increasing adoption, coupled with the rise of AI-assisted development, heightens the risk of misconfigured database permissions.
In the platform’s core workflow, teams select an access model, and a compiler generates tables with the necessary policies applied right from the start. This approach embeds access rules within the database structure, significantly reducing the need for manual RLS configurations later in the development process.
Additionally, the platform features a migration strategy that ensures deterministic outputs during schema changes, thereby making security guarantees both reproducible and verifiable across different environments.
Another noteworthy component is the validation of Row-Level Security within CI/CD pipelines, so that authorization logic is tested through automated checks rather than left as a set of opaque database rules that are reviewed only sporadically.
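What "policies applied at table creation" and an automated RLS check can look like in plain Postgres is sketched below. This is an added example, not Constructive's compiler output or tooling; the `documents` table, its columns, the policy name and the `app.user_id` session setting are hypothetical.

```sql
-- Hypothetical schema; all names here are illustrative assumptions.
BEGIN;

CREATE TABLE documents (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id uuid NOT NULL,
    body     text NOT NULL
);

-- Enable RLS in the same transaction that creates the table, so the
-- table is never visible to other sessions without a policy.
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- app.user_id is an assumed per-session setting supplied by the
-- connection layer. With missing_ok = true an unset value yields NULL,
-- the comparison is not true, and no rows match (fails closed).
CREATE POLICY documents_owner ON documents
    USING      (owner_id = current_setting('app.user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.user_id', true)::uuid);

COMMIT;

-- CI check: list ordinary and partitioned tables outside the system
-- schemas that have RLS disabled, RLS not forced, or no policy at all.
-- A pipeline step fails the build if this query returns any rows.
SELECT n.nspname             AS schema_name,
       c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       count(p.polname)      AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relkind IN ('r', 'p')
  AND n.nspname <> 'information_schema'
  AND n.nspname !~ '^pg_'
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity
    OR NOT c.relforcerowsecurity
    OR count(p.polname) = 0;
```

A table with RLS enabled but no policy denies all rows to non-owner roles, so the `policy_count = 0` branch catches tables that are locked down by accident rather than exposed.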
Execution Layer
The platform also boasts a serverless execution layer that enables functions to run in tandem with the database. Functions can be written in various languages, including TypeScript, Python, Rust, C, or within Docker-composed runtimes, all while adhering to the same database-enforced permission model.
Constructive promotes this model as a means to maintain consistent access controls across services and collaborators, extending even to AI agents that may execute tasks against production data with limited oversight.
This approach relies on tooling that operates beneath the application layer, utilizing abstract syntax trees to represent code structure. Constructive asserts that this methodology allows for the deterministic derivation of security rules, which can then be uniformly applied across databases and their associated interfaces.
“We trusted software when it moved at human speed—slow enough for developers to inspect every line,” remarked Dan Lynch, founder and CEO of Constructive. “AI-assisted development alters this dynamic, making traditional review processes obsolete. When human scrutiny becomes the bottleneck, security must be integrated into the architecture from the outset.”
Ecosystem Links
Constructive’s parsing technology has found applications in various Postgres-related platforms, including Supabase, Neon, and Gel Data. Notably, Neon has been acquired by Databricks, while Gel Data is now part of Vercel.
The company highlights its security compiler, which transforms schemas into secure configurations at compile time, and has filed provisional patents related to this technology.
Constructive contends that many database-level access control failures arise from misconfigurations rather than vulnerabilities within the underlying database engines. By applying security rules during table creation, the potential for such failures is mitigated, as policies become an integral part of the schema rather than an optional step added post-implementation.
Background and Scale
Lynch has nearly a decade of experience in Row-Level Security. He previously founded Brandcast, a company that was backed by Marc Benioff, served enterprise clients such as General Electric, and was later acquired by TIME.
Constructive reports that its open-source tools are currently operational across more than 10 million databases, including deployments at Supabase and Databricks. The download rate of its tools has surged, tripling from 32 million to over 100 million in the past 18 months.
The platform is now available in a commercial private beta, with early access tailored for enterprise teams eager to enhance their database security frameworks.