Accepting new 2025 CodeWheel AI engagements for AI web, security, and commerce programs.

Case Studies

Real projects showing how we approach AI platform development

We're an early-stage consulting practice building in public. These case studies include completed client work, active projects, and internal capability demonstrations—all showing our technical approach to AI platform development with security testing from day one.

Each study includes honest context about project status, what shipped vs. what's in progress, and lessons learned. No fabricated metrics, no fake testimonials—just real technical work and transparent outcomes.

How case studies differ from blog posts

Blog posts teach the tactics: how to design a production RAG pipeline, how to test prompt injection, how to harden Next.js auth. Case studies show what happens when those tactics are executed end-to-end for a real client, with metrics, timelines, and security evidence.

  • Blog posts: educational deep-dives, tutorials, code samples, and security playbooks.
  • Case studies: business context, problem statements, solution architecture, ROI, and governance artifacts.

Each study follows the same structure so you can compare engagements quickly: background, challenge, approach, results, technologies, and next steps.

What you'll see in every case study

  • Client background and regulatory constraints (anonymized when required).
  • Key challenges that blocked growth or compliance.
  • Security-first delivery approach combining AI development + pen testing.
  • Quantified results: deployment speed, audit outcomes, incident reduction.
  • Tech stack and artifacts delivered (tests, diagrams, guardrails).

Client outcomes & capability demonstrations

A mix of completed client work, in-progress builds, and internal capability demos. Every card includes the context, controls, and outcomes founders ask about when we combine AI development with penetration testing.

Completed · Client project

Rails platform modernization with zero security findings

Client background: Legacy Rails 5.2 SaaS platform serving enterprise customers. Years of schema drift, zero automated tests, and security vulnerabilities were blocking SOC 2 compliance and new deals.

Challenges

  • Database inconsistencies built up across multiple Rails versions.
  • No automated coverage on business-critical workflows.
  • Security audit deadline in eight weeks with auditors requesting evidence.
  • Support team overwhelmed by regressions every time code shipped.

Approach

  • Incremental upgrade path from Rails 5.2 → 6.x → 7.1 with feature flags.
  • Normalized schema, foreign keys, indexing, and background job cleanup.
  • 800+ RSpec tests covering authentication, authorization, billing, and APIs.
  • Row-level security plus audit logging to protect multi-tenant data.
  • CI/CD pipeline with automated security scans and regression tests.

Results

  • External penetration test closed with zero findings.
  • Support backlog dropped 40% once regressions were caught before prod.
  • SOC 2 compliance unblocked and three enterprise deals signed.
  • Engineering team now ships weekly thanks to automated coverage.

Key metrics

  • 0 findings (pen test)
  • -40% tickets (support load)
  • 800+ tests (RSpec suite)

Technologies: Rails 7.1, PostgreSQL, RSpec, Sidekiq, Terraform.

In progress · RAG platform

AI-powered SEO content platform

Client background: Multi-tenant SEO insights platform using real-time crawling plus RAG to brief marketing teams. Engagement is currently mid-build with weekly releases to staging.

Challenges

  • Keep competitive research private while multiple teams collaborate.
  • Run web crawling and ingestion in real time without leaking data.
  • Control inference spend across Claude + OpenAI while maintaining SLAs.

Approach

  • Next.js frontend with Python ingestion workers and Postgres + pgvector.
  • Multi-LLM orchestration with automatic failover and usage tracking.
  • Real-time observability dashboards for cost, latency, and adoption.
  • Marketing workflow library for brief generation and content review.

Results

  • Week 6 of an eight-week build with staging users generating briefs.
  • Multi-LLM failover reduces inference costs by ~30% versus a single provider.
  • Sales and marketing teams already using the platform for live pitches.

Key metrics

  • Week 6 / 8 (timeline)
  • 2 pilot groups (teams live)
  • -30% costs (inference spend)

Technologies: Next.js, Python, Postgres + pgvector, Claude, OpenAI, Playwright.

Capability demo · Platform

Multi-tenant AI platform with MCP

Client background: Internal capability build showing how we ship secure MCP-powered platforms. Emphasizes tenant isolation, sandboxed tool execution, and security testing baked into CI/CD.

Challenges

  • Guarantee tenant isolation while running user-supplied MCP tools.
  • Prevent rate-limit abuse across organizations with different workloads.
  • Ship penetration-test-ready logging, alerting, and infrastructure.

Approach

  • Next.js control plane with TypeScript strict mode.
  • Clerk orgs plus Postgres row-level security and pgvector search.
  • Redis-backed rate limiting with anomaly detection for abuse.
  • Containerized MCP execution environments with audited tool allowlists.
  • 2,000+ automated tests covering auth boundaries and security flows.

Results

  • Production-ready staging environment with zero-downtime deploys.
  • No rate-limit abuse incidents across staging tenants during testing.
  • Security testing scripts reused across client engagements.

Key metrics

  • Staging live (status)
  • 2,000+ security tests
  • 0 recorded abuse incidents

Technologies: Next.js, TypeScript, Postgres, Redis, Docker, Clerk.