Zalio
AI-native operations platform — a multi-tenant “company brain” with a governed LLM agent runtime.
Year: 2026
Role: Founding Software Engineer
Stack:
- Multi-tenant: pool tenancy + RLS
- MCP: governed tool server
- Real-time: WebSocket + Pub/Sub
- Cross-platform: web · iOS · Android
Zalio gives operations teams a governed “company brain”: a provider-neutral LLM agent runtime over their own data, real-time chat, and cross-platform clients — multi-tenant from the database up and deployed self-hosted.
The problem
Operations teams sit on data spread across finance, member activity and marketing — with no safe way to let AI act on it. Zalio unifies that data and exposes it to LLM agents through a governed, auditable runtime, without leaking one tenant’s data to another or letting agents act without oversight.
Architecture
- Multi-tenant pool tenancy modeled on the AWS Well-Architected SaaS Lens — every tenant-scoped row carries an organizationId with silo-ready invariants, so a pool → bridge migration needs no data-model surgery.
- PostgreSQL Row-Level Security with per-request SET LOCAL tenant context inside transactions, a least-privilege app_user role, and tenant-context middleware that fails closed.
- Service-oriented Encore.ts backend with explicit domain boundaries — separate api, auth, chat and agents services, each with its own database and migrations.
- Provider-neutral LLM agent runtime with a deny-by-default tool catalog, per-tool policy re-checks, citations, approval queues and full audit logging.
- A Model Context Protocol (MCP) server (JSON-RPC 2.0) exposing governed, filtered tool manifests to external agents over HTTP with bearer-token auth.
- Envelope-at-rest secret encryption — a pluggable cipher backed by HashiCorp Vault Transit in production and AES-256-GCM + HKDF as fallback, decrypting by ciphertext prefix for zero-downtime key migration.
- Event-driven core — every domain state change emits a domain_event; NSQ Pub/Sub fans out side-effects (WebSocket broadcast, search indexing, push) while HTTP stays the authoritative write path.
- Real-time, Messenger-class chat — WebSocket delivery with sequence-aware reconnection, ULID time-ordered message IDs, denormalized reply previews and a repository-pattern storage layer.
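The prefix-dispatched secret cipher from the list above, sketched as an added example (not Zalio's own code): the `local:v1:`-style prefixes and the names `CipherBackend`, `localAesGcm` and `PrefixCipher` are assumptions. Only the AES-256-GCM + HKDF fallback is implemented; a Vault Transit backend would implement the same interface asynchronously over the network.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// A backend owns one ciphertext prefix; the prefix names the key that can decrypt.
interface CipherBackend {
  prefix: string;
  encrypt(plaintext: string): string;
  decrypt(body: string): string;
}

// Fallback backend: AES-256-GCM under a key derived from a master secret with HKDF-SHA256.
function localAesGcm(prefix: string, master: Buffer, info: string): CipherBackend {
  const key = Buffer.from(hkdfSync("sha256", master, Buffer.alloc(0), info, 32));
  return {
    prefix,
    encrypt(plaintext: string): string {
      const iv = randomBytes(12); // fresh 96-bit nonce per message
      const c = createCipheriv("aes-256-gcm", key, iv);
      c.setAAD(Buffer.from(prefix)); // bind the ciphertext to its prefix
      const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
      return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
    },
    decrypt(body: string): string {
      const raw = Buffer.from(body, "base64"); // layout: iv(12) | tag(16) | ciphertext
      if (raw.length < 28) throw new Error("ciphertext too short");
      const d = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
      d.setAAD(Buffer.from(prefix));
      d.setAuthTag(raw.subarray(12, 28));
      return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
    },
  };
}

// Encrypts with the primary backend; decrypts with whichever backend owns the prefix.
class PrefixCipher {
  private primary: CipherBackend;
  private backends: CipherBackend[];
  constructor(primary: CipherBackend, others: CipherBackend[] = []) {
    this.primary = primary;
    this.backends = [primary, ...others];
  }
  encrypt(plaintext: string): string { return this.primary.prefix + this.primary.encrypt(plaintext); }
  decrypt(stored: string): string {
    const b = this.backends.find((x) => stored.startsWith(x.prefix));
    if (!b) throw new Error("unknown ciphertext prefix"); // fail closed, never pass input through
    return b.decrypt(stored.slice(b.prefix.length));
  }
  // True when a stored value was written by a non-primary backend and is due for re-encryption.
  needsRotation(stored: string): boolean { return !stored.startsWith(this.primary.prefix); }
}
```

Switching the primary backend while keeping the old one registered lets existing rows keep decrypting, and `needsRotation` marks them for lazy re-encryption on the next write.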
What I built
I designed and built the foundational slice of the agent runtime — the governance, guardrail, agent-execution, secret-cipher and model-provider layers — alongside the multi-tenant data model, authentication and the real-time chat system, deployed self-hosted via Docker and Coolify.
Status
The governance, guardrail, agent-runtime, secret-cipher and model-provider slices are implemented. Live MCP dispatch, memory retrieval, full RLS enforcement and billing are in progress toward the target posture — the system is architected so each lands without reworking the data model.