SafeState
How it works

A recall stops being a PDF and becomes a decision.

SafeState turns recall status into transaction-time authorization, enforced the moment a secondhand product changes hands.

01

A directive is published

A manufacturer (or ingested CPSC data) issues a recall against a model — targeted by serial range, lot, or unit.

02

The safety guard updates

The model's authoritative safety state and epoch are written in one Aurora DSQL transaction.

03

Every marketplace checks

At listing and at checkout, the gate reads the live state — strongly consistent from any region.

04

The decision is enforced

Recalled units are blocked at the moment of resale; safe units clear. The owner record follows the product.

Architecture

One logical, strongly-consistent database — across regions.

Vercel · Next.js
  • Marketplace Gate
  • Manufacturer Console
  • Safety Passport
  • route handlers · IAM token auth
pg / TLS
Amazon Aurora DSQL
  • Region A: us-east-1
  • Region B: us-east-2
  • Witness: us-west-2 (log-only)
  • active-active · strong consistency
CPSC ingest →
The guarantee

No stale-safe read, ever.

A recall and a sale of the same model write the same guard row, so DSQL's optimistic concurrency control detects the conflict and the loser retries against the new truth.
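
The race described above, as an added example that is not SafeState's own code: an in-memory JavaScript model of first-committer-wins conflict detection on a single guard row, with the losing checkout retrying and being blocked. GuardStore, the state values, the sales counter and the MODEL-X row are assumptions made for illustration.

```javascript
// Added example (assumed names: GuardStore, state values, `sales` counter); not SafeState code.
class GuardStore {
  constructor(rows) {
    this.rows = new Map(Object.entries(rows).map(([k, v]) => [k, { ...v, version: 0 }]));
  }
  begin() { // each transaction works on a snapshot taken at its start
    const snap = new Map([...this.rows].map(([k, v]) => [k, { ...v }]));
    return { snap, writes: new Map() };
  }
  read(tx, model) { return { ...(tx.writes.get(model) ?? tx.snap.get(model)) }; }
  write(tx, model, row) { tx.writes.set(model, row); }
  commit(tx) { // first committer wins; 40001 = SQLSTATE serialization_failure
    for (const model of tx.writes.keys()) {
      if (this.rows.get(model).version !== tx.snap.get(model).version) {
        throw Object.assign(new Error(`write conflict on ${model}`), { code: "40001" });
      }
    }
    for (const [model, row] of tx.writes) {
      this.rows.set(model, { ...row, version: tx.snap.get(model).version + 1 });
    }
  }
}

function publishRecall(store, model) { // state and epoch change in one transaction
  const tx = store.begin();
  const g = store.read(tx, model);
  store.write(tx, model, { ...g, state: "RECALLED", epoch: g.epoch + 1 });
  store.commit(tx);
}

// Checkout gate. `interleave` is a hook that lets the demo commit a recall mid-sale.
function checkout(store, model, interleave = () => {}, maxAttempts = 3) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const tx = store.begin();
    const g = store.read(tx, model);
    if (g.state !== "SAFE") return { allowed: false, epoch: g.epoch, attempt };
    store.write(tx, model, { ...g, sales: g.sales + 1 }); // the sale writes the guard row too
    if (attempt === 1) interleave();
    try { store.commit(tx); return { allowed: true, epoch: g.epoch, attempt }; }
    catch (e) { if (e.code !== "40001") throw e; } // loser retries on a fresh snapshot
  }
  return { allowed: false, epoch: null, attempt: maxAttempts }; // retries exhausted: fail closed
}

function demo() {
  const store = new GuardStore({ "MODEL-X": { state: "SAFE", epoch: 1, sales: 0 } }); // constructed row
  const clean = checkout(store, "MODEL-X");
  const raced = checkout(store, "MODEL-X", () => publishRecall(store, "MODEL-X"));
  return { clean, raced, final: store.rows.get("MODEL-X") };
}
```

If the checkout only read the guard row, its commit would have nothing to conflict on and the sale would clear against the stale snapshot; the write to the shared row is what forces the abort.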

The data model
  • safety_guard: one row per model — the conflict point + epoch
  • safety_directives: recalls / repairs / destroy orders
  • directive_targets: model · lot · serial-range · unit
  • ownership_transfers: exact, audited transfers
  • transfer_attempts: idempotency keys