A practice-management platform for clinics: patient and client records, intake forms, clinical notes, and document generation, tied into Google Forms, Sheets, and Drive. It was already in daily production use, with real security gaps underneath: cross-tenant access, an SQL-injection vector, a brute-forceable login. I took it to hardened production with zero downtime, and built an automated bot that regression-verifies every change since.
The app was already in production: patient records, intake forms, clinical notes, real clinics depending on it. That is the worst place to find security problems, and there were several. Users could reach other tenants' records through predictable IDs, a sortable-column parameter was an SQL-injection vector, login had no throttling and tokens never expired, and a bug in the encrypted-PII search meant a core feature silently returned wrong results. Every fix had to land on live data, with zero downtime, in a system where a bad migration touches patient information.
Harden every layer of the existing stack rather than rewrite it: close the holes in the API, encrypt and index the data properly, keep the integrations, and put an automated verifier in front of production so nothing regresses. Ship each fix as a zero-downtime migration against live data.
A family of endpoints let an authenticated user reach other tenants' records by walking IDs. Every affected route now enforces tenant scoping at the query level, not just in the UI.
A user-controlled orderBy parameter flowed into raw SQL. It is now checked against an allowlist of sortable columns, so the query builder only ever sees known-safe input.
The login endpoint accepted unlimited attempts and issued tokens that never expired. Added rate limiting on authentication and hard expiry on tokens, killing the brute-force path.
Search over encrypted fields was silently failing because it hashed the ciphertext, which changes on every write. Rebuilt it to hash the plaintext into a dedicated search column, so PII stays AES-256 encrypted and search actually works.
Moved heavy work off the request path into queues, added the missing database indexes, and stopped PII from landing in application logs.
Every schema and data change shipped as a staged, reversible migration against the production database, with clinics online the whole time.
A self-destructing Cloud Run bot drives the app in a real browser (Playwright) and runs 10 checks, including tenant-isolation and injection probes, on every change. It spins up on demand and costs nothing while idle.
The app went from a working product with serious holes to a hardened one with a safety net: tenant isolation enforced in the queries, encrypted PII that is still searchable, and a browser bot that proves every change before it counts as done. All of it landed without taking the clinics offline once.
Book a free call. You will leave with a clear plan for your own AI automation, whether or not we work together.
Book a free call