clinic operating system · live · 2025
An operating system for private clinics.
A practice runs on four tools that never talk: paper schedules, an Excel of invoices, scattered email threads, no record a patient can see. Sinapsa folds the whole patient lifecycle into one codebase — a marketing site that books, an admin console for the clinic, and a private portal for each patient.
Next.js 16PrismaStripe
Beyond booking
- Clinical recordsSOAP & DAP notes, treatment plans, PHQ-9 / GAD-7 / DASS-21 assessments
- Billing in BAMauto-numbered invoices, packages, Stripe, money as Decimal(10,2)
- Automationfive email + SMS workflows for reminders, follow-ups and no-shows
Eight chapters. Open the ones that interest you.
Three independent interfaces mounted from a single Next.js App Router build — each with its own authentication and strictly separated data boundaries. If one gate falls, the next layer still refuses.
Admin console
(admin)/admin · User + RoleThe clinic's central workspace — sections across scheduling, records, billing and settings, each gated by RBAC.
- Dashboard with day's agenda and KPIs
- Patient CRM, timeline and per-client GDPR
- Clinical documentation (SOAP / DAP, TipTap)
- Billing, packages, expenses, analytics
- Audit log of every change
Patient portal
(portal)/portal · PortalUserA private, branded space for each patient. Every query is scoped to that user's clientId.
- Book, reschedule and cancel
- Documents + on-canvas e-signature
- Threaded messages with the clinic
- Invoices and package progress
- Intake questionnaire and reviews
Marketing site
(marketing)/ · anonymous, ISRThe public site with built-in booking and lead capture. Renders from a CMS, with a JSON fallback when the CMS is offline.
- Multi-step booking with OTP
- Three-layer spam protection
- Blog CMS, services, pricing
- Free psychometric tests
- Waitlist and contact form
The functional range a generic booking tool never reaches — from patient acquisition through clinical records to finance.
Scheduling & calendar
Full appointment lifecycle: session types, statuses, weekly availability grid, blocked time, recurring and group sessions. Server-side conflict detection prevents double-booking.
Clinical documentation
Two structured note formats — SOAP and DAP — with a Draft → Finalized lifecycle. Treatment plans track progress per goal. Standardized assessments: PHQ-9, GAD-7, DASS-21 with severity and trend.
Billing & finance
Auto-numbered invoices with PDF generation and statuses. Revenue tracking, expenses by category, session packages. All money is held as Decimal(10,2).
Communication & automation
Five built-in workflows — reminder, follow-up, no-show, payment, welcome — over email and SMS, with configurable triggers and a log of every message sent.
Analytics & reporting
Revenue, attendance rate, session-type mix, new vs returning patients. Time ranges, donut and stacked charts, drill-down and PDF export. Chart labels reach screen readers.
Access & audit
Five admin roles plus a portal role, 27 named permissions. Every create, edit, delete, login and export is logged with user, time and affected record. 2FA and active-session control.
The platform handles protected health information. Every state-changing request runs a chain of checks before it touches the database — the boundary never rests on a single layer.
clinical:write?A walk through the admin console, the marketing site and the patient portal — captured from the running application.








Development ran as end-to-end campaigns, not a feature pile — each round closed findings across many subsystems before the next began. Every round had an audit, then a fix bundle, then a merge through review.
- R0
Migration & CMS
Move to Next.js 16 + Prisma + NextAuth. Marketing CMS with JSON fallback, portal redesign, booking flow with OTP and Turnstile, Telegram AI bot.
- R1
Spam stack & booking integrity
Spam-score engine with 10 signals, honeypot, sliding-window rate limiter, double-booking prevention,
crypto.randomUUIDmeeting links, audit on all booking ops. - R2
Production hardening kit
Upstash rate limiting, SMS OTP, Sentry, password reset, security headers, database indexes, CI/CD pipeline, a complete
.env.example. - R3
Playwright e2e foundation
Happy-path through a performance suite, visual consistency, portal and admin lifecycle tests, API auth-boundary tests, cross-system workflow e2e.
- R4
Security campaign
Critical / high security fixes, e2e CSRF coverage of every mutating admin route, two passes of jsx-a11y and hooks lint cleanup (120+ warnings).
- R5
Admin motion & design system
Motion presets,
layoutIdactive indicator with spring physics, bento dashboard, 2FA rate limit + audit + origin check, password reset invalidates all sessions, sanitized everydangerouslySetInnerHTMLinput. - R6
Decimal money & retention
Moved payments / packages / expenses onto
money.ts, Stripe rounding-drift fix, GDPR coach scope on export, audit-row preservation under GDPR Art. 5(2), coach-timezone date math for blocked time. - R7
Clinical IDOR & Stripe refunds
Closed IDOR holes on notes, assessments, plans, medications and risk assessments. Real Stripe refund calls, handling of
refund / dispute / failedwebhook events, password floor raised to 12 characters. - R8
RBAC for PHI & mobile
Added
clinical:read/write/deletepermissions,READ_ONLYblocked from PHI mutations. CSPframe-ancestors, Sentry header redaction, nativeconfirm()replaced with Radix dialogs, 44×44 touch targets. - R9
Performance & cron observability
Server-shell rendering, react-query tuning, N+1 fixes. Cron jobs write one audit row per run, alert on failure, idempotent reminders. Marketing SEO and structured data.
- R10
UX polish across every section
Empty / loading / error states, mobile cards, live template preview, DSR timeline with SLA timer and export receipts, drill-down analytics, invite flow with role badges — 20+ admin sections combed through.
- R11
Docs, CI, demo mode, generalization
README, CONTRIBUTING, runbooks (incident response, cron, auth recovery, backup / restore), compound DB indexes, an a11y / i18n pass, a
DEMO_MODEthat neutralizes destructive operations, generalization into a clinic SaaS.
Modern, typed, serverless-first. No secrets in code — everything through environment variables.
PHI and GDPR are not an afterthought — they are wired into every route, transaction and cron job.
RBAC on every endpoint
Five admin roles plus a portal role, 27 named permissions. Each API endpoint checks the caller's role before returning data.
Complete audit log
Every create, edit, delete, login and export — with user, time, record and severity (Info / Warning / Critical). Filterable and exportable.
GDPR DSR workflow
Export (a JSON bundle of every row tied to a client) and erasure (cascade delete + tombstone audit). Per-DSR SLA timers, bulk consent, export receipts.
2FA, sessions, passwords
Optional TOTP 2FA with hashed backup codes and trusted devices. Review and kill active sessions per device. Passwords 12+ characters.
CSRF + CSP
Origin check on all state-changing routes (App Router ships no CSRF tokens by default). Strict CSP with frame-ancestors 'none' and a tight default-src 'self'.
Three-layer anti-spam
An ML-based spam score (behaviour, timing, content) + IP rate limit + Cloudflare Turnstile on every public form. Admin review queue and blocklist.
A production platform, not a demo — the whole patient lifecycle in one codebase, hardened across eleven rounds.







