// Stage 03 · Example Report

Full Engagement

Prepared for Meridian Health Ops · April 14, 2026 · CONFIDENTIAL

// This engagement includes
  • Executive Summary
  • Scope & Methodology
  • Technical Findings
  • Architecture Assessment
  • Prioritized Action Plan
  • ✦ Compliance Readiness
  • ✦ Team Enablement
  • ✦ 30-Day Follow-Up Delta
Reference — Standard Audit template

The Full Engagement report contains all sections from the Standard Audit (Executive Summary, Scope & Methodology, Technical Findings, Architecture Assessment, and Prioritized Action Plan) using the same format and structure. The example brief for those sections is documented in the Standard Audit report. The three sections below are unique to the Full Engagement tier.

HIPAA Security Rule gap assessment

Meridian Health Ops stores appointment records, provider notes, and insurance identifiers. This constitutes PHI under HIPAA. The following assessment reflects the gap between the current codebase and HIPAA Security Rule requirements. This is an engineering-level readiness assessment intended to inform remediation planning before a formal audit is commissioned — not a substitute for one.

Control                                  | Status    | Finding Ref | Notes
Access controls (§164.312(a))            | ⚠ Partial | CRITICAL-01 | Role-based access exists; object-level auth missing on PHI endpoints
Audit logging (§164.312(b))              | ✗ Absent  | HIGH-05     | No access log for PHI endpoints. Required under Security Rule.
Encryption in transit (§164.312(e))      | ✓ Present |             | TLS enforced via Vercel. No gaps identified.
Encryption at rest (§164.312(a)(2)(iv))  | ⚠ Partial | MEDIUM-03   | Database encrypted; file uploads to S3 bucket not encrypted
Automatic logoff (§164.312(a)(2)(iii))   | ✗ Absent  | LOW-08      | Sessions do not expire. Provider sessions remain active indefinitely.
BAA with subprocessors                   | ⚠ Unknown |             | Confirm BAAs with Vercel, Supabase, SendGrid before audit
// Assessment

Not ready for formal HIPAA audit. Two absent controls (audit logging, session expiration) and one partial control (object-level access) would be flagged immediately. Remediation path is well-defined — see action plan. Verify BAAs with all three subprocessors independently of code remediation.

For the engineer inheriting this codebase

Meridian is onboarding a full-time engineer in May. The following section is written for that engineer — not for the current founders.

What you're inheriting

A coherent Next.js 14 / Prisma / Supabase application. The routing structure is logical and the schema is normalized and readable. The AI that wrote this code understood the domain well. What it consistently missed is authorization at the row level — every new API route was written to check authentication ("is this user logged in?") but not authorization ("does this user have permission to touch this record?"). Assume this pattern exists in any route not explicitly covered in this report.

Recommended review gates before any new route ships
  1. Does this route access a record that belongs to a specific user or organization? If yes, is the ownership check present?
  2. Does this route mutate data? If yes, is CSRF protection applied via the shared middleware?
  3. Does this route touch PHI fields? If yes, is the access logged to the audit table?
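The authorization gap described above, and the first review gate, as an added example that is not code from the Meridian repository. It uses an in-memory stand-in for Prisma so it runs offline; the model and field names (Appointment, orgId, patientId, providerId) and the session shape are assumptions. The first handler is the pattern the report flags (authentication only); the second adds tenant scoping in the lookup plus an ownership check.

```typescript
// Added example, not code from the Meridian repository. It reproduces the gap the
// report describes on an in-memory stand-in for Prisma: the first handler checks
// authentication only, the second also enforces tenant scope and record ownership.
// Model and field names (Appointment, orgId, patientId, providerId) are assumptions.

type Role = "patient" | "provider" | "admin";

interface Session {
  userId: string;
  orgId: string;
  role: Role;
}

interface Appointment {
  id: string;
  orgId: string;
  patientId: string;
  providerId: string;
  notes: string;
}

// Constructed sample rows; two tenants so a cross-org read is observable.
const appointments: Appointment[] = [
  { id: "a1", orgId: "org-A", patientId: "p1", providerId: "dr1", notes: "follow-up" },
  { id: "a2", orgId: "org-B", patientId: "p9", providerId: "dr7", notes: "intake" },
];

class UnauthenticatedError extends Error {}
class NotFoundError extends Error {}

// The pattern the report flags: "is this user logged in?" is the only check, so any
// authenticated user can read any tenant's appointment if they know or guess an id.
function getAppointmentUnsafe(session: Session | null, id: string): Appointment {
  if (!session) throw new UnauthenticatedError("login required");
  const row = appointments.find((a) => a.id === id);
  if (!row) throw new NotFoundError("appointment not found");
  return row;
}

// Hardened form. Tenant scope is part of the lookup itself (in Prisma terms,
// findFirst({ where: { id, orgId: session.orgId } }) rather than findUnique({ where: { id } })),
// and the caller's relationship to the row is checked before anything is returned.
// A record outside the caller's org is reported exactly like a missing one, so the
// response does not confirm that the id exists.
function getAppointment(session: Session | null, id: string): Appointment {
  if (!session) throw new UnauthenticatedError("login required");
  const row = appointments.find((a) => a.id === id && a.orgId === session.orgId);
  if (!row) throw new NotFoundError("appointment not found");

  const isPatientOwner = session.role === "patient" && row.patientId === session.userId;
  const isAssignedProvider = session.role === "provider" && row.providerId === session.userId;
  const isOrgAdmin = session.role === "admin";
  if (!(isPatientOwner || isAssignedProvider || isOrgAdmin)) {
    throw new NotFoundError("appointment not found");
  }
  return row;
}

// Helper so the two handlers can be compared: true if the call returned a row.
function canRead(
  handler: (s: Session | null, id: string) => Appointment,
  session: Session | null,
  id: string,
): boolean {
  try {
    handler(session, id);
    return true;
  } catch {
    return false;
  }
}
```

The same-org non-owner case is deliberately answered with the same "not found" as a cross-tenant id; whether a route should distinguish 403 from 404 is a product decision, but the ownership check itself belongs in every route that loads a record by id, which is what gate 1 above asks the reviewer to confirm.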
Tooling to add immediately
  • eslint-plugin-security — catches common patterns at write time, before review
  • trufflesecurity/trufflehog pre-commit hook — blocks credential commits at the source
  • Prisma middleware for audit logging on all PHI model reads — satisfies HIGH-05 and the HIPAA audit logging control in a single implementation
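The Prisma-middleware approach to the audit logging control (HIGH-05 and review gate 3), as an added example that is not code from the Meridian repository. Prisma's `$use` middleware receives `(params, next)`; the block below mirrors that signature and drives it with a constructed `next` and constructed rows so it runs offline. The PHI model names (Appointment, ProviderNote, InsuranceIdentifier) and the use of `AsyncLocalStorage` to carry the acting user into the middleware are assumptions about how the real codebase would wire it up.

```typescript
// Added example, not code from the Meridian repository. Mirrors the shape of a Prisma
// middleware (prisma.$use((params, next) => ...)) and audits every read of a PHI model.
// PHI model names and the request-context mechanism are assumptions.
import { AsyncLocalStorage } from "async_hooks";

// Subset of Prisma's middleware params that this example needs.
interface MiddlewareParams {
  model?: string;
  action: string;
  args?: Record<string, unknown>;
}
type Next = (params: MiddlewareParams) => Promise<unknown>;
type Middleware = (params: MiddlewareParams, next: Next) => Promise<unknown>;

// What gets written to the audit table: who, what model, which action, which record ids.
// Record ids only; the audit log must not become a second copy of the PHI itself.
interface AuditEntry {
  at: string;
  actorId: string;
  model: string;
  action: string;
  recordIds: string[];
}

// Assumed PHI models (the report names appointments, provider notes, insurance identifiers).
const PHI_MODELS = new Set(["Appointment", "ProviderNote", "InsuranceIdentifier"]);
const READ_ACTIONS = new Set(["findUnique", "findFirst", "findMany"]);

// Request-scoped actor, set by the route handler from the session before any query runs.
const requestContext = new AsyncLocalStorage<{ actorId: string }>();

function extractIds(result: unknown): string[] {
  const rows: unknown[] = Array.isArray(result) ? result : result == null ? [] : [result];
  return rows
    .map((r) => (r as { id?: unknown }).id)
    .filter((id): id is string | number => id !== undefined)
    .map(String);
}

function phiAuditMiddleware(sink: (entry: AuditEntry) => void): Middleware {
  return async (params, next) => {
    const isPhiRead =
      params.model !== undefined && PHI_MODELS.has(params.model) && READ_ACTIONS.has(params.action);
    if (!isPhiRead) return next(params);

    // Fail closed: a PHI read with no known actor is a bug, not something to log anonymously.
    const ctx = requestContext.getStore();
    if (!ctx) throw new Error(`PHI read on ${params.model} without request context`);

    const result = await next(params);
    sink({
      at: new Date().toISOString(),
      actorId: ctx.actorId,
      model: params.model as string,
      action: params.action,
      recordIds: extractIds(result),
    });
    return result;
  };
}

// Constructed rows standing in for query results; Org is a non-PHI model for contrast.
const fakeDb: Record<string, unknown[]> = {
  Appointment: [{ id: "a1", patientId: "p1" }],
  ProviderNote: [{ id: "n1", body: "(constructed)" }, { id: "n2", body: "(constructed)" }],
  Org: [{ id: "org-A" }],
};
const fakeNext: Next = async (params) => {
  const rows = fakeDb[params.model ?? ""] ?? [];
  return params.action === "findMany" ? rows : rows[0] ?? null;
};

// Runs three queries inside a request context and returns the resulting audit log.
async function runDemo(): Promise<AuditEntry[]> {
  const log: AuditEntry[] = [];
  const mw = phiAuditMiddleware((e) => log.push(e));
  await requestContext.run({ actorId: "dr1" }, async () => {
    await mw({ model: "Appointment", action: "findUnique", args: { where: { id: "a1" } } }, fakeNext);
    await mw({ model: "ProviderNote", action: "findMany", args: {} }, fakeNext);
    await mw({ model: "Org", action: "findUnique", args: { where: { id: "org-A" } } }, fakeNext); // not PHI
  });
  return log;
}

// Shows the fail-closed path: a PHI read outside any request context is rejected.
async function phiReadWithoutContextIsRejected(): Promise<boolean> {
  const mw = phiAuditMiddleware(() => undefined);
  try {
    await mw({ model: "Appointment", action: "findFirst", args: {} }, fakeNext);
    return false;
  } catch {
    return true;
  }
}
```

Registering this once with `prisma.$use` covers every PHI read the codebase makes, including routes written later, which is why the report calls it a single implementation for both HIGH-05 and the HIPAA control. Newer Prisma releases steer toward client query extensions instead of `$use`; the logic above ports over unchanged. Whether writes to PHI models should also be audited is worth deciding at the same time.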
Delivered ~30 days post-initial report

Re-review of all changed files. Verification that fixes are correct. Status update on all findings from the initial report.

Verified resolved (6 findings)
  • CRITICAL-01 — tenant isolation fix confirmed correct. Org scope enforced on all endpoints.
  • CRITICAL-02 — credentials rotated. Pre-commit hook added. History scrubbed.
  • HIGH-02, HIGH-03, MEDIUM-01, MEDIUM-02 — all confirmed resolved in re-review of changed files.
Partially resolved (1 finding)
  • ⚠️ HIGH-05 — audit logging implemented on 4 of 7 PHI endpoints. 3 remaining confirmed in progress for next sprint.
Deferred by client (4 findings)
  • MEDIUM-04, LOW-06, LOW-07, LOW-08 — client confirmed deferred to Q3 sprint. Accepted risk documented.
New issues introduced during remediation: none
  • No new findings identified in re-review of changed files. Clean remediation pass.
Updated severity distribution after follow-up
  • 0 Critical · 1 High (partial) · 3 Medium · 3 Low

HIPAA readiness update: Conditionally ready. Complete HIGH-05 remediation (remaining 3 endpoints) before scheduling a formal audit.

hello@slopgoblin.dev · SlopGoblin Vibe Code Audit · Confidential — Meridian Health Ops internal use only