Skip to main content
Download free report
Softblues
Softblues

Claude Code setup · audit and rebuild

A team built a real app with AI. It worked. Underneath, it was 58,000 lines and weeks from a risky go-live.

Claude Code audit of an AI-built app

A food producer's own team built a working operational app with AI: procurement, stock and traceability. The business logic was sound. Underneath, it was a 58,000-line monolith with critical security holes and no tests, weeks from go-live. We ran a Claude Code audit, closed the security exposure in week one, and set out a secure, modular rebuild plus an AI development setup the team keeps building on.

Food producer (anonymised)Food productionClaude Code setupAudit delivered · rebuild proposed
Book a case walkthrough
58K lines
Audited before go-live
An AI-built app that works on the surface, with a shaky foundation being rebuilt into a secure, modular base

The problem

The app worked. The foundation under it didn't.

The team had built something real: a working app for procurement, stock control and traceability, built with AI rather than a traditional development team. With a go-live deadline approaching, they asked us a simple question: is this safe to run the business on, and safe for our team to keep building with AI?

The honest answer was not yet. The business logic was sound, but the foundation underneath was weeks of risk waiting to surface.

What was under the hood

01

Files anyone could open

Sensitive files, passport scans, compliance photos and supplier documents, could be read, replaced or deleted by any signed-in user. Security was enforced only in the interface, not at the data.

02

One 58,000-line file

The whole app was a monolith in a handful of files, with no modules, no build system and no type safety. Every change made it larger and more fragile.

03

No tests, no monitoring

There were no automated tests, so the only way to check a change was to click through by hand, and a production failure might surface only when a customer hit it.

04

Structure that fought the AI

Loading 58,000 lines to change one field drives up cost and drops quality on every future AI edit.

Building with AI wasn't the mistake. The foundation under it was.

What we did

Audit first, close the worst risk, then a plan

We ran this as a Claude Code audit and discovery. It reviewed the whole application and produced four priority findings, two of them go-live blockers. We closed the most urgent one straight away: the storage exposure was locked down on the live system in the first week, so sensitive files stopped being readable by every user.

From there the plan is a structured rebuild that keeps the same app, the same screens, workflows and Firebase backend, but rebuilt on proper foundations: modular React and TypeScript, security enforced at the database, automated tests, a safe deploy pipeline and monitoring. The audit is delivered and the exposure is closed; the rebuild is set out and ready to start.

The setup

From audit to handover

The Claude Code setup: audit and discovery, an immediate security lockdown, enforced security rules, a modular rebuild, automated tests and a safe pipeline, then training and handover so the team keeps building with AI
  1. 1

    Audit and discovery

    A full review of the AI-built application: security, structure, tests and error handling, delivered as priority findings with clear go-live blockers.

  2. 2

    Security lockdown

    The exposed sensitive files are locked down on the live system in the first week, and an access-model workshop defines what each role should actually be allowed to do.

  3. 3

    Enforced security rules

    Firebase security rules rewritten to enforce roles at the data layer, with field-level validation on every business-critical collection, so bad data is stopped at the database.

  4. 4

    Modular rebuild

    The monolith becomes modular React and TypeScript components and organised backend modules: the same app and workflows, rebuilt so each part can be changed in isolation.

  5. 5

    Tests, pipeline and monitoring

    Automated tests on the critical flows, a staging-and-deploy pipeline with rollback, and unified error handling with alerts, so changes cannot silently reach production broken.

  6. 6

    AI dev setup and handover

    The configured AI development environment, project skills and coding standards handed to the in-house team with training, so they keep building with AI safely and cheaply.

Built with

AI development

Claude CodeClaudeProject skills and coding standards

Application

ReactTypeScriptViteFirebaseCloud Functions

Security and safety net

Firebase Security RulesAutomated testingCI/CD pipelineStaging environmentError monitoring

The audit

What the audit found

58K

Lines of code audited

4

Priority findings

2

Go-live blockers (P0)

100%

Handed to the in-house team at go-live

Worst risk closed in week one

The biggest finding, sensitive files readable by any user, was closed on the live system in the first week, before the rebuild even started.

The team keeps building with AI

The AI development environment, skills and coding standards are handed over with training, so the client's own team keeps developing with AI, faster and cheaper in a modular codebase.

Where this applies

More teams are building real software with AI and hitting the same wall: it works, but the foundation is not ready to run a business on. The Claude Code setup is the same wherever that happens, from internal operational tools to customer-facing apps. The same practitioner approach runs across our other builds.

Frequently asked questions

A full review of an application built with AI: how the code is structured, how security is enforced, whether there are tests and error handling, and how it will behave as it scales. We deliver it as a short set of priority findings, with anything that blocks go-live called out clearly. For this client it surfaced four findings, two of them go-live blockers.

No. Building with AI was the right call, and the team should keep doing it. The issue was not the AI, it was the foundation: a single 58,000-line file with no modules, tests or enforced security. The setup fixes the foundation so building with AI becomes safe and cheap, rather than telling anyone to stop.

Sensitive files, passport scans, compliance photos and supplier documents, could be read, replaced or deleted by any signed-in user, because security was enforced only in the interface. We closed that on the live system in the first week, before any other work.

No. Same screens, same workflows, same Firebase backend and the same data, migrated with zero downtime. What changes is underneath: modular code, enforced security, automated tests and a safe deploy pipeline. The app users see stays the same; the foundation becomes production-ready.

When an AI tool has to load thousands of lines to change one field, cost rises, quality drops and every edit needs careful manual checking. In a modular codebase the AI reads only the module it is changing, a few hundred focused lines. Good structure is what makes ongoing AI development cheap and reliable.

A production-ready application and the setup to keep building it themselves: modular code, automated tests, a staging environment and a safe pipeline, plus the configured AI development environment, project skills and coding standards we used, handed over with training. The goal is an in-house team that can keep developing with AI, not a dependency on us.

Built something with AI and not sure it's safe to scale?

If your team has built a real app with AI and a go-live is coming, a Claude Code audit tells you honestly where it stands, closes the urgent risks, and sets you up to keep building with AI safely. Book a call.

Anthropic Partner Network member50+ AI ProjectsGoogle Cloud PartnerTop-5 UK AI Firm
Success Stories

Explore Other Projects

Discover more AI solutions delivering measurable results across industries