Kajota Pulse landed in the AWS × Vercel "H0: Hack the Zero Stack" hackathon as a Bloomberg-terminal-style dashboard for African micro-commerce—specifically helping "co-sellers" decide what inventory to stock each week. Built on Next.js 16 (App Router) deployed to Vercel, backed by Aurora Serverless v2 running PostgreSQL, and powered by Gemini 2.5 Flash for AI-driven recommendations, the project demonstrates how far serverless infrastructure has come while exposing some genuinely tricky edge cases that don't show up in tutorials.
The Zero Stack Architecture
The stack is lean: Next.js on Vercel handles compute, Aurora Serverless v2 serves as the stateful database layer, and Gemini 2.5 Flash provides structured advice through two dedicated endpoints. MongoDB Atlas Database Triggers stream real product data from the Kajota catalogue into Aurora via a custom ingest endpoint. Five Postgres tables, two SQL views, zero VPC configuration, no connection pooler—Vercel functions handle everything serverless.
Gotcha 1: Aurora's New Networking Model Mandates Passwordless IAM Auth
The team provisioned Aurora Serverless v2 with the new internet-access-gateway networking model to avoid VPC plumbing. The catch? This model mandates IAM database authentication and explicitly doesn't support the RDS Data API. Every password-based connection failed with "PAM authentication failed." The solution involves using AWS SDK's Signer to mint short-lived (15-minute) IAM auth tokens at each database handshake, eliminating any long-lived credential from Vercel env vars or secret managers—a genuinely better security posture once you get past the initial friction.
Gotcha 2: Lambda Shadows Your AWS Credentials
The team set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in Vercel's environment variables to enable IAM token signing. It still failed. The reason: Vercel functions run on Lambda, which injects its own runtime-level AWS credentials that shadow custom env vars. The fix required using custom variable names (PULSE_AWS_*) passed explicitly to the signer constructor, paired with a dedicated IAM user configured with only rds-db:connect permissions scoped to the specific cluster resource.
Gotcha 3: Real Change-Stream Data Breaks Seed Fixtures
Hooking the pipeline to live MongoDB Atlas change streams immediately surfaced three bugs that seed data never reproduces. First, Atlas serializes events as Extended JSON (EJSON)—Mongo _ids arrive as {"$oid":"..."} and prices as {"$numberInt":"9500"}, causing NaN values without proper decoders. Second, collection naming mismatches (cosell_products vs cosellproducts) silently dropped events. Third, change streams deliver events out of order—referenced rows sometimes don't exist yet when FK constraints are enforced. The fix: drop foreign key constraints entirely and treat each table as an independent projection.
Making Gemini Reliable for Live Demos
The recommendation endpoint pulls live signals (trending demand, category margins, competitor stock-outs) and hands them to Gemini 2.5 Flash with a structured-output schema via responseMimeType: "application/json" plus a responseSchema. This ensures clean ranked list rendering instead of fragile prose parsing. Critically, the system includes a deterministic heuristic fallback (demand × margin × opportunity scoring) so the dashboard never renders empty in front of judges or customers—a hard-won lesson about shipping AI features that degrade gracefully.
What Zero Stack Actually Delivers
The architectural wins are real: no servers to patch or scale, Aurora Serverless v2 idles to zero ACUs (cold-start hits ~8s and is pre-warmable), and a single verification script checks the live landing page, Aurora connectivity, both Gemini endpoints, ingest auth gates, and IAM-authenticated row counts. Five for five passing health checks with one command.
Key Takeaways
- Lean into Aurora's IAM-only authentication model—it's more secure than stored passwords once you handle Lambda credential shadowing
- Always test data pipelines against production writes, not fixtures—the three ingestion bugs were invisible until real events hit them
- Ship structured JSON output from LLMs and always include a deterministic fallback—"never empty" beats "usually impressive" in demos
The Bottom Line
This project proves the zero stack is production-viable for serious applications, but only if you're ready to debug credential shadowing and EJSON parsing at 2 AM. The IAM auth requirement isn't a workaround—it's the future of serverless database security, and anyone building on Aurora's new networking model needs to internalize this now.