Claude Code setup · audit and rebuild
A team built a real app with AI. It worked. Underneath, it was 58,000 lines and weeks from a risky go-live.
Claude Code audit of an AI-built app
A food producer's own team built a working operational app with AI: procurement, stock and traceability. The business logic was sound. Underneath, it was a 58,000-line monolith with critical security holes and no tests, weeks from go-live. We ran a Claude Code audit, closed the security exposure in week one, and set out a secure, modular rebuild plus an AI development setup the team keeps building on.

The problem
The app worked. The foundation under it didn't.
The team had built something real: a working app for procurement, stock control and traceability, built with AI rather than a traditional development team. With a go-live deadline approaching, they asked us a simple question: is this safe to run the business on, and safe for our team to keep building with AI?
The honest answer was not yet. The business logic was sound, but the foundation underneath was weeks of risk waiting to surface.
What was under the hood
Files anyone could open
Sensitive files, passport scans, compliance photos and supplier documents, could be read, replaced or deleted by any signed-in user. Security was enforced only in the interface, not at the data.
One 58,000-line file
The whole app was a monolith in a handful of files, with no modules, no build system and no type safety. Every change made it larger and more fragile.
No tests, no monitoring
There were no automated tests, so the only way to check a change was to click through by hand, and a production failure might surface only when a customer hit it.
Structure that fought the AI
Loading 58,000 lines to change one field drives up cost and drops quality on every future AI edit.
Building with AI wasn't the mistake. The foundation under it was.
What we did
Audit first, close the worst risk, then a plan
We ran this as a Claude Code audit and discovery. It reviewed the whole application and produced four priority findings, two of them go-live blockers. We closed the most urgent one straight away: the storage exposure was locked down on the live system in the first week, so sensitive files stopped being readable by every user.
From there the plan is a structured rebuild that keeps the same app, the same screens, workflows and Firebase backend, but rebuilt on proper foundations: modular React and TypeScript, security enforced at the database, automated tests, a safe deploy pipeline and monitoring. The audit is delivered and the exposure is closed; the rebuild is set out and ready to start.
The setup
From audit to handover

- 1
Audit and discovery
A full review of the AI-built application: security, structure, tests and error handling, delivered as priority findings with clear go-live blockers.
- 2
Security lockdown
The exposed sensitive files are locked down on the live system in the first week, and an access-model workshop defines what each role should actually be allowed to do.
- 3
Enforced security rules
Firebase security rules rewritten to enforce roles at the data layer, with field-level validation on every business-critical collection, so bad data is stopped at the database.
- 4
Modular rebuild
The monolith becomes modular React and TypeScript components and organised backend modules: the same app and workflows, rebuilt so each part can be changed in isolation.
- 5
Tests, pipeline and monitoring
Automated tests on the critical flows, a staging-and-deploy pipeline with rollback, and unified error handling with alerts, so changes cannot silently reach production broken.
- 6
AI dev setup and handover
The configured AI development environment, project skills and coding standards handed to the in-house team with training, so they keep building with AI safely and cheaply.
Built with
AI development
Application
Security and safety net
The audit
What the audit found
Lines of code audited
Priority findings
Go-live blockers (P0)
Handed to the in-house team at go-live
Worst risk closed in week one
The biggest finding, sensitive files readable by any user, was closed on the live system in the first week, before the rebuild even started.
The team keeps building with AI
The AI development environment, skills and coding standards are handed over with training, so the client's own team keeps developing with AI, faster and cheaper in a modular codebase.
Where this applies
More teams are building real software with AI and hitting the same wall: it works, but the foundation is not ready to run a business on. The Claude Code setup is the same wherever that happens, from internal operational tools to customer-facing apps. The same practitioner approach runs across our other builds.
Frequently asked questions
A full review of an application built with AI: how the code is structured, how security is enforced, whether there are tests and error handling, and how it will behave as it scales. We deliver it as a short set of priority findings, with anything that blocks go-live called out clearly. For this client it surfaced four findings, two of them go-live blockers.
No. Building with AI was the right call, and the team should keep doing it. The issue was not the AI, it was the foundation: a single 58,000-line file with no modules, tests or enforced security. The setup fixes the foundation so building with AI becomes safe and cheap, rather than telling anyone to stop.
Sensitive files, passport scans, compliance photos and supplier documents, could be read, replaced or deleted by any signed-in user, because security was enforced only in the interface. We closed that on the live system in the first week, before any other work.
No. Same screens, same workflows, same Firebase backend and the same data, migrated with zero downtime. What changes is underneath: modular code, enforced security, automated tests and a safe deploy pipeline. The app users see stays the same; the foundation becomes production-ready.
When an AI tool has to load thousands of lines to change one field, cost rises, quality drops and every edit needs careful manual checking. In a modular codebase the AI reads only the module it is changing, a few hundred focused lines. Good structure is what makes ongoing AI development cheap and reliable.
A production-ready application and the setup to keep building it themselves: modular code, automated tests, a staging environment and a safe pipeline, plus the configured AI development environment, project skills and coding standards we used, handed over with training. The goal is an in-house team that can keep developing with AI, not a dependency on us.
Built something with AI and not sure it's safe to scale?
If your team has built a real app with AI and a go-live is coming, a Claude Code audit tells you honestly where it stands, closes the urgent risks, and sets you up to keep building with AI safely. Book a call.
Explore Other Projects
Discover more AI solutions delivering measurable results across industries