Proof point → Regulated domains demand auditability. This repo is what auditable engineering looks like: every constraint - legal, performance, security - written down and tested.


🩻 Problem

CharteredHealthPartners needed an MVP to capture and verify qualified UK healthcare-provider leads - in a domain (health data, UK/GDPR) where a sloppy MVP is a liability, not a shortcut.

🔨 Solution

RFX (“Request For X”) - a pnpm monorepo where compliance is code:

Architecture Overview

  1. apps/api - Express + TypeScript strict mode, Zod validation middleware, request-ID and security-header middleware, and a maintained OpenAPI spec.
  2. apps/web - Next.js + Tailwind, including an explicit download state machine; performance budget (LCP ≤ 1.2s) asserted by tests.
  3. Supabase Postgres - append-only SQL migrations including an atomic verify-token RPC and a full row-level-security lockdown migration, with a documented backend-only DB access plan.
  4. Terraform IaC - a reusable Supabase module instantiated per environment (dev/stage/prod).
  5. AGENTS.md - a written constitution governing AI-assisted development: agent persona, GDPR/UK data-sovereignty constraints (eu-west-2 region pinned), performance budgets, and a “Silent Discard” honeypot protocol (bots receive a fake 200 OK - no DB write, no email).
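The "Silent Discard" protocol from item 5, as an added illustration (not code from the RFX repo): a framework-agnostic lead-submission handler in which a hidden honeypot field (assumed name `company_website`) is checked before validation, so a bot that fills it receives the same 200 OK as a real submitter while the database write and verification email are skipped. The field name, the UK-mobile pattern and the injected `Deps` interface are all assumptions.

```typescript
// Added example, not the project's own code. Side effects (DB write, email,
// telemetry) are injected so the "no write, no email" guarantee is testable.
type LeadBody = Record<string, unknown>;
type Result = { status: number; body: { ok: boolean; error?: string } };

interface Deps {
  saveLead(lead: { email: string; phone: string }): void;
  sendVerificationEmail(email: string): void;
  log(event: string): void; // internal telemetry only, never sent to the client
}

const HONEYPOT_FIELD = "company_website"; // assumed hidden-field name; humans never fill it
// Assumed UK mobile pattern after whitespace removal: +447xxxxxxxxx or 07xxxxxxxxx
const UK_MOBILE = /^(?:\+447\d{9}|07\d{9})$/;
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

export function isHoneypotTripped(body: LeadBody): boolean {
  const v = body[HONEYPOT_FIELD];
  return typeof v === "string" && v.trim().length > 0;
}

export function handleLeadSubmission(body: LeadBody, deps: Deps): Result {
  // Silent Discard: decided BEFORE validation so a bot sees neither a 400
  // nor any timing/shape difference from the genuine success path.
  if (isHoneypotTripped(body)) {
    deps.log("lead.honeypot_discarded");
    return { status: 200, body: { ok: true } }; // fake 200 OK, no DB write, no email
  }

  const email = typeof body.email === "string" ? body.email.trim() : "";
  const phone = typeof body.phone === "string" ? body.phone.replace(/\s+/g, "") : "";
  if (!EMAIL.test(email) || !UK_MOBILE.test(phone)) {
    return { status: 400, body: { ok: false, error: "invalid_submission" } };
  }

  // Genuine path: persist the lead, then send the verification email.
  deps.saveLead({ email, phone });
  deps.sendVerificationEmail(email);
  return { status: 200, body: { ok: true } };
}
```

The two 200 responses are byte-identical on purpose; only the server-side log distinguishes a discarded bot from a real lead.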

Quality signals

  • GitHub Actions CI gating lint, typecheck, test, and build on PRs to main/staging/production, plus a deploy workflow.
  • ~27 test files - security headers, rate limiting, lead submission, verification email, the RLS lockdown itself, terraform-baseline tests, accessibility, performance budget, and UK phone validation.
  • 184 commits in ~3 weeks via PR flow with ticket-ID commit messages, an environment-bootstrap runbook with its own test, and a spec-compliance report.

📜 Philosophy

Enterprise discipline at startup speed. Infrastructure is code, compliance constraints live in the repository, and an AI collaborator is governed by a written contract rather than ad-hoc prompts - then held to it by tests.

🎓 Key learnings

  • Running an AI-agent-assisted delivery process at production rigor - the operating model, not just the tool.
  • Supabase RLS lockdown patterns and atomic verification via Postgres RPC.
  • Multi-environment Terraform provisioning and three-branch CI gating.
  • Bot mitigation and security hardening for public-facing forms.

📈 Output & impact

  • A complete, tested, infrastructure-as-code MVP delivered in three weeks (February–March 2026).
  • A reusable template for regulated-domain delivery: spec → constitution → tickets → tested PRs → provisioned environments.

๐ŸŒ Why this matters

Platforms & Registries · Trust, Security & Compliance. Any public-facing system that takes verified submissions and holds personal data - in healthcare, finance, or civic tech - has exactly this shape: locked-down data access, audit trails, performance budgets, uptime discipline. The AI-governed delivery model is also how lean teams ship fast without sacrificing rigor.


🚀 Hire me

Shipping in a regulated domain and need rigor without losing speed? Let’s talk → · See also: Lura Identity · The thesis