Skip to content
CiAConsultancy in ActionAI Operations for Real Businesses

Case study · 2026

CIA Client Portal

An AI-drafted portal put through a four-agent adversarial audit — 55 findings, a near-rewritten server, 18/18 smoke tests, and promotion to an always-on supervised service.

A self-service client portal — projects, files, tickets and resources

Industry
Proof build · Client operations
Engagement
Agent-built draft → 4-agent audit → hardening rewrite → always-on service
Result
An AI-drafted portal put through a four-agent adversarial audit — 55 findings, a near-rewritten server, 18/18 smoke tests, and promotion to an always-on supervised service.

The challenge

Consultancies bleed time into email threads: where's the latest report, what's the project status, who's handling the invoice query. A portal fixes that — but a portal is also exactly where software risk concentrates, because sign-in, sessions and file upload/download are the classic attack surface. It's the last thing you want built carelessly.

The first draft of this one was built by an autonomous AI agent team working a board ticket. It looked complete — pages, tables, buttons, the lot. "Looks complete" is precisely the trap with AI-built software: underneath were hardcoded tables, placeholder alerts and pages that never spoke to a real API. The interesting question isn't whether AI can draft a portal in an afternoon — it can — it's what it takes to make that draft genuinely trustworthy.

And it had to graduate from somebody's terminal to something client-facing in behaviour: surviving reboots, restarting itself if it dies, with logs and a health probe — a service, not a demo that lives as long as the laptop lid stays open.

What we built

We audited before we polished: four AI agents reviewed the draft independently and adversarially, and between them surfaced 55 findings across security, correctness, accessibility and operations. That list — not the feature list — set the work order, and the server was near-rewritten around it.

The hardening is specific and checkable. Sessions use crypto-random identifiers with an enforced 8-hour expiry, periodic eviction and genuine server-side logout invalidation; sign-in is rate-limited per IP; uploads go through real storage with sanitised filenames and size caps, and downloads and sharing require an authenticated session. Input lengths are bounded, the error handler never leaks a stack trace, and even the 404 is branded. On the front end every page was wired to its real API — no stub tables left — with all interpolation routed through an escape guard against XSS, the session re-validated on every page load, and accessibility brought up to AA: landmarks, skip links, contrast and 44px touch targets.

Then we proved it and made it permanent: 200 concurrent requests without error, an 18-for-18 smoke suite, the full browser journey — sign-in to dashboard to tickets, files and resources — with zero dead links. The portal now runs as a supervised macOS service with keep-alive (kill it and it respawns, which we verified), logs on disk and a health endpoint for liveness checks — restyled throughout to the CIA brand with no CDN dependencies.

The outcome

What exists is a working portal doing the actual job: sign in, see projects with progress and activity, upload and share real files, raise and track tickets, browse the shared resource library — running for days as a supervised service rather than a process in someone's terminal.

We'll be honest about its scope: it is deliberately a demonstration build. Credentials are demo accounts and the data store is in-memory by design; wiring in a real user store, a database and a content-security policy is the documented next step, not a hidden gap. The hardening pattern — audit, rewrite, verify, supervise — is the part that carries to production unchanged.

The meta-story is the point. Our delivery model is AI does the drafting and governance makes it shippable — and this build shows the second half working: 55 findings caught by our own adversarial audit before a client ever saw the portal. That's the gap between "an AI built it" and "you can trust it" — and closing that gap is exactly what we sell.

An AI agent team drafted it; a four-agent adversarial audit found 55 reasons it wasn't ready. Closing that gap — audit, rewrite, verify, supervise — is the difference between 'an AI built it' and 'you can trust it'.

Five safeguards, in plain English

What it actually does to keep your code and data safe — without the jargon.

1

Sign-ins are rate-limited and sessions actually expire

Repeated failed logins from one address are cut off; sessions use crypto-random identifiers, expire server-side after eight hours, and logging out genuinely invalidates the session rather than just hiding the button.

2

Uploads can't smuggle anything in

Filenames are sanitised, sizes are capped, and every download or share requires an authenticated session — a link can't be walked into by guessing.

3

No pages pretending to work

Every screen talks to its real API — the stub tables and placeholder alerts from the first draft are gone, and everything rendered from data passes through an escape guard against script injection.

4

It can't quietly die

The portal runs as a supervised service: kill the process and it respawns (we tested exactly that), with logs on disk and a health endpoint a monitor can watch.

5

Errors never leak internals

Failures return clean, branded responses — a JSON error or a designed 404 — never a stack trace or a file path that maps the system for an attacker.

How this compares

Indicative — the same scope, delivered three different ways.

UK agency

2–3 months

£30k–£60k

Solo freelancer

1–2 months

£15k–£30k

Consultancy in Action — AI-accelerated

Draft in hours · hardened in a day

A fraction

By the numbers

What was delivered — verified facts from the build, not projected returns.

55
Audit findings surfaced
four independent AI reviewers, adversarial pass before polish
18 / 18
Smoke tests passing
plus the full browser journey with zero dead links
200
Concurrency verified
concurrent requests handled without error
Keep-alive
Uptime model
supervised service — respawns on kill (verified), health probe, logs
8h + rate limit
Session discipline
crypto-random ids, server-side logout, per-IP sign-in limiting
326 lines
Server size
plus ~2k lines of dependency-free front end — small enough to audit fully

Built with

  • Node.js
  • Express
  • Multer (real file storage)
  • Vanilla JS (no framework)
  • launchd (keep-alive service)
  • XSS escape guard
  • CIA brand system

Want something built like this?

We design and ship real, data-driven products — not demos. Tell us what you're trying to make and we'll talk through fit.