APRA Compliance
how it was made.
CPS 230 compliance software built in three deliberate bursts over five months. Fifty-four commits, zero invented features: every module traces back to the actual APRA standard. The story is slow, considered work in a domain where careless software costs more than no software.
The short version
It started in the last week of December 2025 as a disciplined phase-by-phase build: foundation, standards, assessments, risk register, control templates, BCP testing, incident tracking, service providers, critical operations: ten phases completed in three days. That velocity was a deliberate prototype sprint, not a rush. February brought the serious round: security hardening, multi-entity context, audit trails, board-ready PDF reports, role-based access, and two rounds of real feedback incorporated from "Pip" that touched crashes, sidebar scroll, dark mode contrast, and missing error surfaces. April was about closing the gaps the prototype hadn't needed to care about: 29 cross-tenant data-leakage endpoints guarded, mutation errors surfaced via toast instead of silently swallowed, a multi-tenancy audit script written and acted on, and dependency advisories cleared, including a critical auth bypass.
// the build log · mined from the commit history, nothing dramatised
Foundation to full feature set
The first 17 commits, from 27 to 29 December, laid the entire structural foundation: Google OAuth, CPS 230 standards and checklists, assessments with response editing, risk register, control templates with AI suggestions, BCP testing, incidents, service providers, critical operations, AI chat, a glossary, risk appetite settings, and board reports. Ten named phases across three days reads like an unusual sprint, but it was a deliberate prototype: building breadth first to learn what the product actually needed to become.
AI integration baked in early
On day three, before any real users had seen the product, the team added an MCP server and Claude Code integration. That choice, treating AI as infrastructure rather than a feature to bolt on later, shaped how the compliance assistant, control suggestions, and board report generation were wired through the rest of the build.
Security, polish, and real feedback
After a two-month pause, the February burst (23 commits, 20–25 Feb) was a different quality of work: comprehensive security hardening, data linkages between modules, review cycles, a ready reckoner, activity logs, login/logout tracking, role-based navigation, an entity comparison page, and persistent entity context across every dashboard page. Two rounds of feedback, labelled "Pip feedback" in SESSION.md, drove fixes to crashes, sidebar scroll, table overflow, and dark mode contrast. The team also shipped a global Cmd+K command palette, a KRI dashboard, card/table view toggles across all list pages, and entity branding with R2 storage for logos.
PDF reports and deadline automation
The final February commits added two substantial pieces of infrastructure: server-side PDF board reports generated via Cloudflare Browser Rendering, and Cloudflare Workflows for APRA notification deadline alerts. These are the features that make compliance software useful to an actual board: not just a place to record work, but a system that surfaces obligations before they become problems.
Tenancy, security, and dependency hygiene
April's 14 commits were almost entirely fixes and hardening. A multi-tenancy audit script caught 29 endpoints leaking cross-tenant data; all were patched in two passes. Mutation errors that had been silently swallowed across 16 hook files were surfaced as toasts. A new entity type, Private Health Insurer, was added. Then three dependency bumps cleared 20 advisories, including a critical better-auth 2FA bypass and a drizzle-orm SQL injection. The final commit brought orphan SQL migration files into the numbered sequence: the kind of unglamorous hygiene that prevents the next developer from having to untangle a broken migration history.
git log: “fix: add requireEntityAccess guards on 29 endpoints leaking cross-tenant data”
Two consecutive April commits, 11 endpoints, then 18 more, closed gaps an audit script had just found. The honesty of logging the scope matters.
// the roads not taken
Tried, measured, set aside: the judgement lives here as much as in what shipped.
Modals replaced with dedicated pages
Two early decisions, BCP Test as a modal and risk creation as a modal, were both reversed in the same December session. Each got its own dedicated page. The log records the rebuilds without drama: the modals were the wrong shape for the content.
Multi-tenancy audit script before the fix
Rather than manually reviewing endpoints for cross-tenant data leakage, the team wrote an audit script first, let it find the gaps (19 in one pass, 11 more in another), then patched systematically. The script is noted in the commit log as part of the fix, not a separate investigation.
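What a guard like the requireEntityAccess named in the April commit, and an audit script that probes endpoints for cross-tenant leakage, look like in practice, as an added illustration that is not the project's own code. Everything here is hypothetical: the Session, Handler and Risk types, the in-memory route table, and the two constructed tenants (ent-a, ent-b) stand in for the real router and database. The audit is behavioural rather than a source scan: it calls every route as a single-entity user asking for another entity's record and flags any 2xx response that carries a foreign entityId, which catches both the by-id lookup shape and the unscoped list shape.

```typescript
// Added example (hypothetical, not the project's code): a requireEntityAccess
// guard, a leaky and a guarded handler for each endpoint shape, and a
// behavioural multi-tenancy audit over an in-memory route table.
// All sample data is constructed.

type Session = { userId: string; entityIds: string[] };
type Req = { session: Session; params: Record<string, string> };
type Res = { status: number; body?: unknown };
type Handler = (req: Req) => Res;
type Risk = { id: string; entityId: string; title: string };

class AccessDenied extends Error {}

// The guard: a session may only touch entities it has been granted.
function requireEntityAccess(session: Session, entityId: string): void {
  if (!session.entityIds.includes(entityId)) {
    throw new AccessDenied(`session ${session.userId} has no access to ${entityId}`);
  }
}

// Constructed tenant data: one risk per entity.
const risks: Risk[] = [
  { id: "r1", entityId: "ent-a", title: "Payroll provider outage" },
  { id: "r2", entityId: "ent-b", title: "Core banking system failure" },
];

// Leaky detail endpoint: looks up by client-supplied id, never consults the session.
const getRiskUnguarded: Handler = (req) => {
  const risk = risks.find((r) => r.id === req.params.id);
  return risk ? { status: 200, body: risk } : { status: 404 };
};

// Guarded detail endpoint: the owning entity is checked before anything is returned.
const getRiskGuarded: Handler = (req) => {
  const risk = risks.find((r) => r.id === req.params.id);
  if (!risk) return { status: 404 };
  try {
    requireEntityAccess(req.session, risk.entityId);
  } catch (e) {
    if (e instanceof AccessDenied) return { status: 403 };
    throw e;
  }
  return { status: 200, body: risk };
};

// Leaky list endpoint: returns every row in the table.
const listRisksUnguarded: Handler = () => ({ status: 200, body: risks });

// Guarded list endpoint: scoped to the entities on the session.
const listRisksGuarded: Handler = (req) => ({
  status: 200,
  body: risks.filter((r) => req.session.entityIds.includes(r.entityId)),
});

// Route table to audit; in a real app this would be the router's registry.
const routes: Record<string, Handler> = {
  "GET /risks/:id (unguarded)": getRiskUnguarded,
  "GET /risks/:id (guarded)": getRiskGuarded,
  "GET /risks (unguarded)": listRisksUnguarded,
  "GET /risks (guarded)": listRisksGuarded,
};

// Does a response body contain any record owned by an entity the session was not granted?
function containsForeignRecord(body: unknown, allowed: string[]): boolean {
  const rows: unknown[] = Array.isArray(body) ? body : [body];
  return rows.some(
    (row) =>
      typeof row === "object" && row !== null && "entityId" in row &&
      !allowed.includes((row as { entityId: string }).entityId),
  );
}

// The audit: probe every route with a single-entity session and a foreign record id.
// A route leaks if it answers 2xx with data owned by another entity.
function auditCrossTenant(table: Record<string, Handler>): string[] {
  const probe: Session = { userId: "u-ent-a", entityIds: ["ent-a"] };
  const foreignParams = { id: "r2" }; // r2 belongs to ent-b
  const leaking: string[] = [];
  for (const [name, handler] of Object.entries(table)) {
    const res = handler({ session: probe, params: foreignParams });
    if (res.status >= 200 && res.status < 300 && containsForeignRecord(res.body, probe.entityIds)) {
      leaking.push(name);
    }
  }
  return leaking;
}

console.log("leaking endpoints:", auditCrossTenant(routes));
```

Running the audit against the table above reports the two unguarded routes and nothing else. The same probe-and-inspect loop is the piece worth keeping in CI: every new endpoint gets exercised as the wrong tenant on every build, so a missing guard is found by the script rather than by an auditor.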
Want something built like this?
This is how we work: in the open, measured, honest about the dead ends.