AI

Constructive: Nine Years of Open Source, 100 Million Downloads, and the Security Layer AI Desperately Needs

Jonathan Taylor

Jonathan Taylor

5 min read
Constructive: Nine Years of Open Source, 100 Million Downloads, and the Security Layer AI Desperately Needs

TL;DR: Constructive is what happens when someone spends nine years building the open-source plumbing that powers 100 million npm downloads — then turns around and builds a company on top of it. I met founder Dan Lynch in San Francisco last week. He’s a genius. And the product is a direct answer to a problem that’s about to eat the entire backend ecosystem alive: AI-generated code with zero security guarantees.

The Problem Nobody Wants to Talk About

Here’s the uncomfortable truth about the current AI development boom: the code is getting generated faster than humans can review it.

Lovable, Bolt, Replit — these platforms can spin up a production-ready Postgres database in seconds. That’s incredible. It’s also terrifying. Because “production-ready” and “production-secure” are not the same thing.

Remember the Moltbook incident? A social network for AI agents that exposed millions of API keys and credentials due to misconfigured Row-Level Security. That wasn’t an edge case. That’s what happens when speed outpaces security — and it’s happening everywhere.

As Dan Lynch, Constructive’s founder and CEO, put it: “We trusted software when it moved at human speed — slow enough for developers to inspect every line. AI makes that model obsolete. When human review becomes the bottleneck, security can’t be an afterthought — it has to be baked into the architecture.”

He’s right. And he’s been right about this longer than anyone I know.

Nine Years in the Making

I met Dan in San Francisco last week. The guy is a genius — and I don’t use that word casually.

Here’s what most people don’t know: Dan has been building the open-source foundation of what became Constructive for nine years. That’s what the 100 million downloads are about. Not marketing. Not hype. Nine years of building PostgreSQL parsing, migration, and introspection tools that now run in production across more than 10 million databases.

His track record speaks for itself. His previous company, Brandcast, was backed by Marc Benioff and served Fortune 500 clients including General Electric before being acquired by TIME. Before that, he co-founded Amaze/Famo.us (acquired by AMZE). The man has raised over $120 million across his ventures.

But what makes Dan different from most repeat founders is that he went deep — not wide. He spent the last decade working at the abstract syntax tree level of PostgreSQL. Not the application layer where everyone else plays. The structural DNA of the database itself.

“Abstract syntax trees are the structural DNA of software,” Lynch told me. “By operating at that layer, we can define and propagate security deterministically — before applications are written and long before they run.”

The Open-Source Foundation

Let’s talk about what those 100 million downloads actually represent. Dan’s open-source tools — originally under the LaunchQL umbrella, now consolidated under Constructive — are the kind of infrastructure that’s invisible until you realize it powers everything:

  • pgsql-parser — The PostgreSQL query parser for Node.js. If you’ve ever parsed SQL in a JavaScript application, there’s a good chance Dan’s code was involved. 214+ stars, widely forked, and used by platforms you use every day.
  • libpg-query-node — The Node.js port of libpg_query, supporting PostgreSQL versions 15 through 17 with version-specific type packages. This is the bridge between Postgres’s C-based parser and the JavaScript ecosystem.
  • postgres-ast-deparser — An AST toolkit and deparser written in pure PL/pgSQL. This is the kind of tool that makes database engineers weep with joy.
  • pgsql-test / supabase-test — The RLS testing framework that Paul Copplestone, CEO of Supabase, publicly praised: “44 databases and 246 tests in 4 seconds … supabase-test by LaunchQL is looking very nice.”
  • pgpm — The Postgres package manager. Think npm but for database modules. Greg Kemnitz, who contributed to the original Postgres implementation alongside Michael Stonebraker at UC Berkeley, called it out: “What pgpm is doing isn’t extension management — it’s application-level modularity for Postgres. That distinction matters, because it lets developers think about their database the same way they think about their application: as composable, installable building blocks.”

These tools collectively tripled from 32 million to over 100 million npm downloads in just 18 months. Constructive’s core parsing technology is used by Supabase, Neon (acquired by Databricks), and Gel Data (acquired by Vercel). This isn’t a startup hoping to find product-market fit. This is someone who already built the infrastructure the industry depends on, now building the platform on top of it.

What Constructive Actually Does

The product itself is elegantly simple in concept, brutally hard in execution: make security structural, not optional.

When you create a table in Constructive, you choose an access model and a compiler creates the table with RLS policies applied at creation time. Not after. Not as a “best practice” you might forget. At creation. The security is compiled in.

As schemas evolve, deterministic migrations produce identical outputs — making guarantees reproducible and verifiable. Authorization is testable end-to-end, with CI/CD pipelines validating RLS so what used to be opaque security logic becomes verifiable code.

It also includes a language-agnostic serverless execution layer — functions in TypeScript, Python, Rust, C, or Docker-composed runtimes that automatically inherit the same database-enforced permission model.

Constructive’s security compiler is supported by multiple provisional patent filings. It transforms schemas into structurally secure configurations at compile-time, eliminating entire classes of misconfiguration responsible for many high-profile breaches.

How It Stacks Up

Let’s be honest about the competitive landscape.

Supabase is the most obvious comparison — and ironically, one of Constructive’s biggest users via the open-source tools. Supabase gives you a Postgres database with a UI for managing RLS policies. It’s great for getting started. But RLS in Supabase is still manual, policy-by-policy configuration. Miss one? You have a security hole. Supabase doesn’t compile security into the schema — you bolt it on after. For hobby projects, that’s fine. For production systems handling sensitive data in an age where AI agents are generating and modifying your database schemas? That’s a ticking time bomb.

Convex takes a different approach entirely — it’s not even Postgres. It’s a proprietary backend-as-a-service with its own query language and data model. Convex is slick, real-time, and developer-friendly. But you’re locked in. Your data lives in their format, on their infrastructure, queried with their syntax. When Convex decides to change pricing, pivot their product, or (God forbid) shut down, you’re holding the bag. Constructive sits on Postgres — the same database powering OpenAI’s 800 million monthly users. You can always take your data and leave.

PlanetScale was MySQL-based and recently pivoted (and stumbled). Neon is serverless Postgres, great for scaling, but focused on the compute layer — not security or modularity. Hasura gives you instant GraphQL on Postgres but doesn’t fundamentally address the security compilation problem.

Constructive isn’t competing with these on features. It’s competing on philosophy: security shouldn’t be something you add. It should be something you can’t forget.

The Timing Is Perfect

Three trends are converging right now:

  1. Postgres has won. It’s the default database for modern software. OpenAI runs on it. Every major cloud provider offers managed Postgres. This isn’t a bet — it’s a settled question.
  2. AI-generated code is exploding. Platforms like Lovable and Bolt generate production Postgres databases in seconds. Speed is up. Security review capacity is flat. The gap is widening.
  3. The agentic era is coming. Autonomous AI agents will generate and operate databases with minimal human oversight. A misconfigured RLS policy isn’t just a bug anymore — it’s a high-severity security failure at scale.

Constructive is purpose-built for this exact moment.

The Bottom Line

I’ve spent my career watching people build things. Some of them build fast. Some of them build well. Very rarely do you meet someone who has been quietly building the invisible infrastructure that an entire ecosystem depends on — for nine years — and then has the vision to see where it all needs to go next.

Dan Lynch is that person. Constructive is that product.

The platform is now in commercial private beta. Enterprise teams can request early access at constructive.io.

If you’re building anything with a database underneath — especially if AI is writing any of your code — you should use constructive. I've tried (almost) everything else and none meet the bar constructive sets.

Read more