Level: Senior · Type: Full-time, hands-on
Primary stack: Python · FastAPI · PostgreSQL · LLM APIs · React/TypeScript
The role
A senior, hands-on engineer who owns backend architecture, database-level security, and LLM/AI systems, and who reviews code to a high bar. You set the patterns, make the technical decisions, and are the last line of defense on the highest-risk code.
This is an AI-assisted build: AI coding tools generate most of the implementation. Your value is engineering judgment — architecture, technical decisions, rigorous code review, edge cases, and unblocking — not lines typed. Because generation is fast, review is the bottleneck, and reviewing security and data-isolation code is the most critical thing you do.
The depth requirements below are deliberately specific. We expect you to have hands-on, production-grade command of most of them and the ability to reason from first principles about the rest.
Technical depth we expect
Python (expert)
- Idiomatic modern Python (3.11+): type hints, dataclasses/pydantic models, generics, protocols.
- Async: asyncio event loop model, async/await, structured concurrency, the blocking-call-in-async-context trap, asyncio.gather vs TaskGroup, cancellation and timeouts.
- Performance: profiling (cProfile/py-spy), where the GIL matters and where it doesn't, when to reach for processes vs threads vs async, memory profiling for long-running services.
- Packaging and dependency hygiene; pinned, reproducible builds.
FastAPI / API design (expert)
- Dependency-injection system, request lifecycle, middleware ordering, background tasks, lifespan events.
- Pydantic v2 models for request/response validation; custom validators; serialization edge cases.
- Server-Sent Events (SSE) and streaming responses — backpressure, client disconnects, partial-failure mid-stream, keep-alives.
- Auth integration: JWT (signing, verification, key rotation, exp/nbf/aud claim validation, clock-skew handling), API-key schemes (hashing, prefixing, one-time display, immediate revocation), OAuth/third-party identity providers.
- Rate limiting, idempotency keys, consistent error envelopes, pagination, request tracing.
- OpenAPI generation and contract discipline (versioned, backward-compatible changes).
PostgreSQL (deep)
- Schema design, normalization trade-offs, constraints, and migration discipline (zero-downtime migrations, expand/contract pattern).
- Indexing: B-tree vs GIN vs GiST, partial and composite indexes, covering indexes, when an index won't be used.
- EXPLAIN (ANALYZE, BUFFERS) — reading query plans, spotting seq scans, nested-loop blowups, and bad row estimates.
- Row-Level Security (RLS): CREATE POLICY, USING vs WITH CHECK, FORCE ROW LEVEL SECURITY, policy interaction with roles, the SET ROLE / session-variable patterns for multi-tenant scoping, and how RLS composes with joins and views.
- Transactions and isolation levels (read-committed vs serializable), locking, deadlocks, SELECT ... FOR UPDATE, advisory locks.
- Connection pooling (PgBouncer; transaction vs session pooling and what breaks in each, e.g. session-level SET, prepared statements, advisory locks held across transactions).
- pgvector for embedding storage and ANN search (HNSW/IVFFlat trade-offs, recall vs latency).
- JSONB usage and its indexing/perf trade-offs; partitioning for large tables.
Security & multi-tenant data isolation (deep — non-negotiable)
- Threat-model multi-tenant systems; reason rigorously about whether any given query path can leak data across a tenant/permission boundary.
- Enforce isolation at the database layer (RLS), not just in application code; understand why app-layer filtering alone is insufficient.
- Permission-before-retrieval discipline: design so restricted data is never fetched and then discarded — the check precedes the query.
- Append-only / immutable audit trails (REVOKE UPDATE/DELETE, trigger-based history, tamper-evidence).
- Secrets handling, encryption at rest/in transit, PII minimization, timing-attack awareness in auth paths.
- Common web vulns (OWASP Top 10) and their concrete mitigations in this stack.
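The RLS, session-variable scoping, USING vs WITH CHECK, FORCE ROW LEVEL SECURITY and append-only audit points above, worked through as one PostgreSQL example. This is an added illustration, not code from this posting or from the employer's system; the table, role, function and setting names (documents, app_user, current_tenant_id, app.tenant_id, documents_audit) are assumptions, and it targets PostgreSQL 11 or later (OLD/NEW read as NULL when unassigned in trigger functions).

```sql
-- Tenant-scoped table: every row carries the tenant that owns it.
CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL,
    body      text NOT NULL
);

-- Runtime role for the application (assumed name). It is NOT the table owner,
-- has no BYPASSRLS and is not a superuser: those are the three ways a session
-- reads around a policy. The pool's login role is granted membership in it so a
-- request can SET LOCAL ROLE app_user.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

-- ENABLE applies policies to non-owners; FORCE makes the owner obey them too,
-- which matters for SECURITY DEFINER functions and pre-PG15 views that run
-- with the owner's privileges (on PG15+ use WITH (security_invoker) views).
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Tenant id from a transaction-local setting. NULLIF guards the case where a
-- previously-set parameter reads back as '' rather than NULL; a NULL tenant
-- makes the predicate NULL, i.e. zero rows: the policy fails closed.
CREATE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

-- USING filters rows that may be read/updated/deleted; WITH CHECK constrains
-- rows produced by INSERT/UPDATE. Spelling out both stops a client from
-- writing a row into another tenant's namespace.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Append-only history: the app role reads its own tenant's trail and can never
-- rewrite it; rows are written only by a trigger running as the table owner.
CREATE TABLE documents_audit (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    document_id bigint NOT NULL,
    action      text NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
    old_row     jsonb,
    new_row     jsonb,
    actor       text NOT NULL DEFAULT session_user,
    recorded_at timestamptz NOT NULL DEFAULT now()
);
REVOKE ALL ON documents_audit FROM PUBLIC;
GRANT SELECT ON documents_audit TO app_user;          -- no UPDATE/DELETE/TRUNCATE
ALTER TABLE documents_audit ENABLE ROW LEVEL SECURITY; -- owner (trigger) bypasses
CREATE POLICY audit_read ON documents_audit
    FOR SELECT TO app_user USING (tenant_id = current_tenant_id());

CREATE FUNCTION audit_documents() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
    INSERT INTO documents_audit (tenant_id, document_id, action, old_row, new_row)
    VALUES (
        CASE TG_OP WHEN 'DELETE' THEN OLD.tenant_id ELSE NEW.tenant_id END,
        CASE TG_OP WHEN 'DELETE' THEN OLD.id        ELSE NEW.id        END,
        TG_OP, to_jsonb(OLD), to_jsonb(NEW)
    );
    RETURN NULL;  -- AFTER trigger: return value is ignored
END
$$;
CREATE TRIGGER documents_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON documents
    FOR EACH ROW EXECUTE FUNCTION audit_documents();

-- Per-request usage. SET LOCAL and set_config(..., true) are transaction-scoped,
-- so they are safe under PgBouncer transaction pooling, where a plain SET would
-- leak the tenant to the next borrower of the connection. set_config accepts a
-- bind parameter; SET cannot, so never build it by string formatting.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO documents (tenant_id, title, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'plan', 'tenant one only');
COMMIT;

BEGIN;  -- a second tenant sees nothing and cannot write into tenant one
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
SELECT count(*) FROM documents;                 -- 0: USING filters the read
INSERT INTO documents (tenant_id, title, body)  -- ERROR: new row violates
VALUES ('11111111-1111-1111-1111-111111111111', 'x', 'y');  -- row-level security policy
ROLLBACK;
```

The check here precedes retrieval in the sense the posting asks for: the planner applies the policy predicate as a filter on the scan itself, so rows from another tenant are never fetched and then discarded by the application. The remaining gaps a reviewer should still look for are any role holding BYPASSRLS, SECURITY DEFINER functions or owner-run views over tables without FORCE, and code paths that set app.tenant_id from a client-controlled value rather than from the verified identity. Tamper-evidence beyond REVOKE (hash chaining or shipping the trail to write-once storage) is not shown.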
LLM / AI engineering (production-grade)
- Retrieval and context assembly: chunking strategies, embedding models, similarity search, re-ranking, and assembling context under a hard token budget (counting tokens, prioritization, compression/truncation strategies, graceful degradation when over budget).
- Prompt engineering as a discipline: system/role structuring, few-shot vs zero-shot trade-offs, output-format enforcement (JSON-mode/structured outputs), and prompt-injection awareness.
- Handling non-determinism: temperature/sampling effects, retries, validation-and-repair loops, idempotency around model calls.
- Hallucination control and evaluation: grounding/citation strategies, eval harnesses, regression testing of prompt changes, measuring quality rather than eyeballing.
- Cost/latency engineering: model selection per task, caching, streaming, batching, token accounting.
- Familiarity with at least one major LLM API (Anthropic/OpenAI/Google) at the level of tool-use/function-calling, structured outputs, and streaming.
Frontend (working proficiency via AI tooling)
- React + TypeScript: hooks, state management, rendering/performance pitfalls, and consuming streaming (SSE) APIs in the UI.
- Able to read, debug, and review front-end code and judge data-dense UI behavior — you'll direct AI tools to build it rather than hand-craft it.
Engineering practice
- Test strategy: unit/integration/contract tests, testing async and DB code, fixtures and factories, deterministic tests around non-deterministic systems.
- Git discipline, small reviewable PRs, and the ability to review AI-generated code critically — spotting subtly wrong concurrency, security, and edge-case handling that looks plausible.
- Observability instincts: structured logging, tracing, and metrics that make failures diagnosable.
Core tasks
- Design and own the backend services, APIs, and data model.
- Design and enforce the multi-tenant isolation and permission model at the database layer; be primary reviewer for anything touching it.
- Build the retrieval/context-assembly and extraction pipelines and the prompt/eval discipline around them.
- Direct AI coding tools with precise, constraint-rich prompts; review every PR against binary, testable acceptance criteria.
- Own edge cases, failure paths, and the interface contracts other components depend on.
Requirements
Must-have
- 6+ years production backend engineering in Python, primarily on PostgreSQL, with FastAPI or an equivalent async framework.
- Demonstrable database-security depth (RLS, multi-tenant isolation, audit patterns) with the ability to defend isolation guarantees under questioning.
- Production LLM/RAG experience with real shipped systems — context assembly under token budgets, prompt engineering, eval, hallucination control.
- Proven, high-standard code-review ability.
- Working React/TypeScript proficiency.
Nice-to-have
- pgvector / vector databases and ANN tuning.
- Graph/DAG data modeling and traversal algorithms.
- Regulated-domain experience (fintech/legal-tech/healthcare) with strict isolation and auditability.
- Experience working in an AI-pair-programming / AI-assisted build.
How we'll screen
Both core competencies are tested directly:
- Live RLS / isolation review: given a schema and a set of policies, find the path that leaks data across a boundary and fix it.
- Context-assembly design: design retrieval + assembly under a fixed token ceiling, including what to drop and how to degrade.
- AI-code review: critique a plausible-but-subtly-wrong AI-generated PR (concurrency or permission bug).
A candidate strong in only one of {database security, LLM systems} is not a fit — both depths are required.
Pay: ₹376,828.42 - ₹1,624,144.78 per year
Work Location: In person