Inspiration
Job-scam losses in North America tripled from $90M in 2020 to $501M in 2024.
AI-powered generators have allowed scammers to create incredibly realistic fake job listings, while real candidates suffer from "ghost" listings, duplicate postings, and "resume warehousing" by companies that collect resumes for months with no intention of hiring. The average job seeker wastes 8 to 14 hours per ghost listing submitting high-effort applications into black holes.
Meanwhile, honest, small, bootstrapped companies with real products struggle to get noticed amid the noise of massive platforms optimized to maximize listing volume rather than listing legitimacy.
There is no consumer-facing credit-bureau equivalent for the posting side of the labour market. We wanted to build that bureau—an independent verification engine that analyzes, audits, and stands behind every remote job opportunity with verifiable, primary-source evidence. Lighthouse was born.
What it does
Lighthouse is a PIPEDA-aware, Canada-first verification engine for remote work. Styled with a premium, tactile newspaper broadsheet aesthetic (representing trust, editorial rigor, and primary citations), it allows job seekers to inspect any remote job posting before they waste time applying.
Key Features
- Instant URL Audit: Paste a job link (LinkedIn, Indeed, Job Bank Canada, Greenhouse, Lever, etc.) to normalize the URL (stripping 28 tracking parameters) and trigger an automated, multi-source investigation.
- The Four-Pillar Methodology: Every posting is graded out of 100 based on four strict, weighted dimensions:
- §1 · Real: Does the company exist, and did they write this posting? Checks WHOIS domains, SEC EDGAR/corporate registries, ATS application paths (e.g. Greenhouse/Lever vs. a sketchy Gmail address), copy novelty, and recruiter LinkedIn tenures.
- §2 · Active: Is the role open and being filled this week? Traces archive.org Wayback machine histories, cross-board repost volumes, careers-page HTTP headers (
ETag/Last-Modified), and community discussions on Reddit, Blind, and Hacker News. - §3 · Fair: Is the deal coherent? Inspects compensation percentiles (against Levels.fyi/Glassdoor) and Carta equity benchmarks. It scores scope-to-comp ratio rather than absolute numbers (protecting honest stipends while flagging senior scope at junior pay). It instantly triggers a fail state if process fees, equipment purchases, or pre-interview ID/SSN requests are detected.
- §4 · Credible: Does the company actually do anything? Measures GitHub commit volumes, investor ledgers (Crunchbase), founder histories, and active product surfaces (live billing, status pages, changelogs). We explicitly bias in favor of honest, small, bootstrapped operators with active products over 50-person "AI" shells.
- Evidence Ledger & Citations: Lighthouse provides a completely transparent audit trail. Every score breaks down into clickable primary source citations (WHOIS entries, corporate registries, archive snapshots). No black boxes.
- Daily Ingestion Scraper: Runs a Vercel Cron-triggered scheduler every morning at 04:00 AM ET that polls live job sources (Remote OK, Greenhouse, Lever, Ashby, We Work Remotely), processes new listings, and pushes them into an "Awaiting verification" queue where users can prompt instant audits.
- Privacy-Preserving Rate Limiting: Features a production-grade database rate limiter. To adhere to Canadian privacy standards (PIPEDA, Loi 25), client IP addresses are securely hashed (SHA-256) on the server before storage. Already-verified listings bypass the limiter, ensuring instant (under 50ms) cached reads.
How we built it
We built Lighthouse using a modern, high-performance, and type-safe stack:
- Frontend: Next.js 16 (App Router) and React 19 utilizing Server Components (RSC) to render lightning-fast report pages.
- Styling: Tailwind CSS 4 combined with hand-tuned CSS variables to build our newspaper aesthetic—utilizing warm cream pages (
#faf8f3), card surfaces (#f3eee2), rich ink typography (#14130f), custom drop-caps, and vertical grid rules. - AI Core: Google Gemini 2.5 Flash organized as a two-stage agentic pipeline:
- Stage 1 (Research): Runs Gemini with Google Search Grounding enabled. The model acts as an investigative journalist, performing WHOIS queries, SEC registry searches, levels.fyi comparisons, and forum lookups.
- Stage 2 (Formatter): Coerces the raw textual evidence from Stage 1 into a strict, programmatic JSON schema mapped to our TypeScript types using Gemini's native
responseMimeType: "application/json".
- Database & Persistence: Supabase Postgres with strict Row-Level Security (RLS) policies ("anyone reads; only the server writes" via
service_role). Custom database triggers automatically calculate aggregate company averages, link postings to audits, and maintain audit logs. - Automation & Cron: Vercel Cron triggers a daily API route (
/api/ingest) at 04:00 AM ET, processing background feeds and utilizing a sequential execution queue to safely respect Gemini rate quotas and stay within server timeouts.
Challenges we ran into
- The Grounded Schema Paradox: Gemini does not support Google Search grounding (
googleSearchtool) and structured JSON formatting (responseMimeType) in the same call. We overcame this by architecting a two-stage pipeline. Stage 1 operates at high temperature to gather grounded research into a text-based "evidence pack", which is then passed to a cold (temperature 0.1) Stage 2 model that formats it into our exact database schema without hallucinating structures. - Edge Execution Timeouts: Edge runtimes are too brief for complex multi-query AI research pipelines that average 20–30 seconds. We resolved this by executing our verifications on Next.js API routes configured with a Node.js runtime and a
maxDuration = 60ceiling. - URL Duplicity & Affiliate Creep: Job postings are flooded with tracking IDs, affiliate codes, and session tokens that break caching. We developed a robust normalization utility that strips 28 known tracking parameters (e.g.
utm_*,ref,gh_src,lever-source) and alphabetizes remaining parameters to yield a deterministic cache key. - Rate Limits vs. PIPEDA: Protecting our Google search quota from bot spam required client-level rate limiting. However, storing user IP addresses violates PIPEDA and Quebec's Loi 25. We solved this by building an anonymous sliding-window limiter in Supabase that hashes IP addresses using server-side SHA-256 before storage, keeping the data completely anonymous and compliant.
Accomplishments that we're proud of
- Tactile Newspaper Aesthetic: Moving away from the generic "modern SaaS dashboard" trend. The editorial, newsprint aesthetic commands a feeling of trust, accuracy, and rigorous verification.
- The Scan Screen Sequence: Watching an AI audit in real-time is usually boring. We built a beautiful 16-step animated console that translates the abstract background tasks (WHOIS, Wayback snapshots, GitHub logs, salary percentiles) into a readable, progress-bar ledger so the user understands the exact work being done.
- Coherence-Based Fair Scoring: Creating an algorithmic metric that penalizes rich companies underpaying candidates, while validating bootstrapped teams paying reasonable local stipends for reasonable milestones.
- Zero-Dependency Core: Achieving a premium user interface with vanilla CSS, Next.js, and zero heavy styling dependencies, yielding incredibly fast loading speeds and high accessibility compliance (WCAG 2.1 AA).
What we learned
- Small & Bootstrapped is Valid: Traditional risk assessments penalize young domains and low headcounts. We learned how to build nuanced prompts that value code commits, live product utility, and founder active history over mere corporate longevity.
- Staged Pipelines Prevents Hallucination: Splitting logical tasks (investigation vs. schema enforcement) across separate model steps dramatically increases structured-data accuracy.
- Legitimate Sources Are Key: Partnering with official frameworks like Job Bank Canada (via their XML feed) and parsing clean, standardized ATS formats (Greenhouse, Lever) provides infinitely higher-quality signal bases than aggressive, ToS-violating scraping of private platforms.
What's next for Lighthouse
We built Lighthouse with a "small honest scope and a long honest list of sources." The roadmap ahead includes self-hosting and running local AI agents.
Log in or sign up for Devpost to join the conversation.