II. Clinical AI & Health Platforms · supporting contributor · client anonymised

Accreditation Platform — Security Hardening

Medical facility accreditation platform (US healthtech platform). User is NOT the main author (8 of 134 commits), but his contribution is targeted and valuable: a complete security harness (JWT/RBAC authentication plus closing SSRF, path-traversal and URL-validation issues) delivered in one sprint.

Status: active
Period: 2026-03-20 → 2026-04-18
AI sessions: 0
Stack
Languages: TypeScript · Python
Frameworks · Infra: Next.js 15 · React 19 · FastAPI · Tailwind CSS 4 · GCP Cloud Build
§01

Overview

  • What it is: SaaS for healthcare facility accreditation by US healthtech platform. Consists of backend (API), frontend and facility-portal (a separate portal for facilities). Deployed on GCP (Cloud Build).
  • Type / status / role: web-app (healthcare SaaS) · active · contributor (security). User made 8 of 134 commits; main authors are Anton Kim <anton@US healthtech platform> (65, founder/CTO of US healthtech platform) and uzaxirr (61). The user's contribution is a focused security block merged via PR (branch US healthtech platform/davr).
  • Active period: repo 2026-03-20 → 2026-04-18; user's contribution — compact security sprint 2026-03-28.
§02

Stack

  • Languages: TypeScript (frontend), Python (backend — based on SEC ticket profile: JWT middleware, 22 API endpoints, FastAPI-like).
  • Frameworks/libraries: frontend — Next.js 15 + React 19 + Tailwind CSS 4 + TanStack Query 5; facility-portal (separate frontend); backend — Python API with JWT/RBAC.
  • Infra/deploy: GCP Cloud Build (cloudbuild.yaml, .gcloudignore), docker-compose, Playwright (.playwright-cli), GitHub Actions.
  • Notable tools: large CLAUDE.md (29KB) + README (28KB); Linear tickets (SEC-*).
§03

What was shipped

All 8 author commits — security hardening (per messages/tickets SEC-*):

  • Authentication (7b3a97b SEC-001/002): User model + JWT middleware + RBAC dependencies.
  • Auth endpoints (c152764 SEC-004/006): login/logout/refresh + admin seed.
  • RBAC enforcement (46d4a22 SEC-003): enforced RBAC across ALL 22 API endpoints.
  • Web vulnerabilities (14a2098 SEC-010/011/012): SSRF protection, path traversal fix, URL validation.
  • Plan/docs (dcc5e29, bb1986d): security work plan v2 + 40 Linear tickets + spec updates with audit findings.
  • Merged via PR #1, #2 (US healthtech platform/davr).
  • Volume: 8 commits, but it's a complete security package (auth + authz + injection protection), not scattered fixes.
§04

Technical challenges

By diffs/tickets (user's authorship — security block):

  • JWT + RBAC from scratch (SEC-001..004): User model, JWT middleware, RBAC dependencies, login/logout/refresh, admin seed — and RBAC enforcement on all 22 endpoints (not selectively). → Systematic approach to authorization (not "bolted a token on one route").
  • Closing OWASP classes (SEC-010..012): SSRF protection (outbound URL validation), path traversal fix, input URL validation. → Knowledge of web vulnerabilities and their targeted closing on a medical (sensitive) platform.
  • Security as process: work plan v2 + 40 tickets + spec updates with audit findings → not a one-off patch, but a structured security program. → Matches the user's known security expertise (STRIDE audit, AES-GCM TOTP, lockout in admin_v2).
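The two SEC-010..012 control classes above, outbound URL validation against SSRF and path-traversal containment, are illustrated below with an added example written for this page; it is not the accreditation platform's own code, and the function names, the https-only allow-list, the port allow-list and the sample hostnames are assumptions.

```python
"""Added illustration (not the project's code) of outbound URL validation against
SSRF and of path-traversal containment for user-supplied file paths."""
import ipaddress
import socket
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumption: outbound fetches are TLS-only
ALLOWED_PORTS = {443}         # assumption: no non-standard ports reachable


def _default_resolve(host):
    """Return every address the hostname maps to (real DNS lookup)."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def _is_public(addr):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def is_safe_outbound_url(url, resolve=_default_resolve):
    """Allow a URL for server-side fetching only if it uses an allowed scheme
    and port, carries no userinfo, and every address its host resolves to is
    public (this rejects loopback, RFC 1918, link-local and cloud metadata
    ranges). `resolve` is injectable so the check can be tested offline."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port is not None and port not in ALLOWED_PORTS:
        return False
    try:
        ipaddress.ip_address(host)   # literal IP: check it directly
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)    # hostname (or odd numeric form): resolve
        except OSError:
            return False
    if not addrs:
        return False
    try:
        return all(_is_public(a) for a in addrs)
    except ValueError:
        return False


def resolve_under(base_dir, user_path):
    """Resolve a user-supplied path against base_dir and return it only if the
    real (symlink-resolved) result is still inside base_dir; otherwise None.
    Absolute paths, '..' segments and embedded NULs are all rejected here."""
    if "\x00" in user_path:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    return candidate if candidate.is_relative_to(base) else None


def demo_base():
    """Constructed sample upload root for trying resolve_under() locally."""
    return tempfile.mkdtemp(prefix="accreditation-uploads-")


if __name__ == "__main__":
    # Constructed sample inputs; the hostnames are placeholders.
    for u in ["https://api.example.com/v1/facilities",
              "https://169.254.169.254/latest/meta-data/",
              "http://api.example.com/"]:
        print(u, "->", is_safe_outbound_url(u))
    root = demo_base()
    for p in ["reports/2026/q1.pdf", "../../etc/passwd", "/etc/passwd"]:
        print(p, "->", resolve_under(root, p))
```

The address check is done on what the hostname resolves to rather than on the string, so decimal or octal IP spellings and names that point at internal ranges are caught the same way. Note that the check is only as good as the address actually connected to: the fetch should pin the validated address (or re-validate in the connection layer) so a later DNS answer cannot swap in an internal host.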
§05

AI-assisted development

  • Sessions found: 0 in the corresponding directory (verified by normalization). There's .claude/ + large CLAUDE.md → AI assist likely (US healthtech platform team is AI-native overall), but no user sessions here.
  • What was done with AI: no data on user's contribution; overall codebase is team work.
  • AI workflow patterns: CLAUDE.md as context; Playwright tests.
§06

Achievements & metrics

  • User contribution: complete auth/authz layer (JWT+RBAC on 22 endpoints) + closing SSRF/path-traversal/URL injections on a healthcare platform. Small by commit volume, but high by value (security-critical for medical data).
§07

Contributors

git shortlog · all branches

  1. Dave: 8
  2. Anton Kim: 65
  3. uzaxirr: 61
3 contributors · 134 commits total