Project MyLeads AI: Secure-by-Design SaaS Architecture
By Shay Mordechai | March 9, 2026
When engineering a modern SaaS platform that handles sensitive customer inquiries and AI interactions, security cannot be an afterthought. This case study outlines the architectural decisions and DevSecOps pipelines behind MyLeads AI, a platform I designed with a strict "Secure-by-Design" philosophy.
The goal was to eliminate external attack surfaces while providing a high-performance User Experience (UX), heavily utilizing AI for development velocity so I could focus entirely on Infrastructure Hardening and Threat Modeling.
Figure 1: The Zero Trust Production Architecture
0. How This Was Built: AI-First Development
Before diving into the architecture, it's worth being transparent about the development approach — because it's inseparable from what made this project possible.
MyLeads AI was built entirely through AI-assisted development, across three distinct phases that mirror how the product itself evolved:
Phase 1 — GitHub Copilot (VS Code): The initial version of the platform was scaffolded using GitHub Copilot inside VS Code. At this stage, the product was a prototype: basic lead capture, simple auth, and a rudimentary chat interface. Copilot accelerated the boilerplate-heavy early work — routing, models, API endpoints — while I focused on the architecture and security decisions.
Phase 2 — Cursor: After roughly a year, I made a deliberate decision to upgrade the entire development workflow to Cursor. This unlocked a fundamentally different mode of working: instead of autocomplete, I was now conducting full architectural conversations with the codebase. Cursor allowed me to refactor the monolith into a clean Next.js + Python monorepo, implement the WASM DLP firewall, and migrate the database layer to Alembic — all at a pace that would have been impossible working line-by-line.
Phase 3 — Iterative AI Studio (Client-Driven Features): The final phase was product-driven. I was working directly with a real client — a coaching business owner — co-designing requirements in real time. Each new feature (voice broadcasts, AI lead qualification, the agency partner portal) was specified through a client conversation, translated into a precise prompt, and implemented via AI. Google AI Studio became the tool of choice for rapid prototyping of the Gemini-powered agentic flows.
1. The "Dark Server" Infrastructure
The core concept of the production environment is invisibility. The AWS EC2 server exposes zero inbound ports (0.0.0.0/0 blocked) to the public internet. All ingress traffic is strictly tunneled and inspected via Cloudflare's Edge Network.
- Identity-Aware Proxy (IAP): SSH access is exclusively proxied via
cloudflaredand requires hardware-key authentication. - Container Isolation: The application stack runs on Red Hat Enterprise Linux (RHEL 10.1) using rootless Podman managed by user-space Systemd, significantly reducing the blast radius of any container compromise.
2. WASM Data Loss Prevention (DLP) Firewall
To mitigate API Over-fetching and Application-Layer Information Disclosure (CWE-209), I implemented a custom WebAssembly (WASM) filter written in Rust, running directly inside the Envoy Proxy.
This firewall uses a Fail-Closed architecture. It inspects outbound JSON payloads and redacts sensitive credentials (like internal tokens) in real-time, ensuring that data bleed is stopped at the network edge before reaching the Next.js Frontend.
3. Out-of-Band Management & The "Airbag"
Admin panels are notorious targets for web exploits. To mitigate this:
- CLI-Only Administration: Admin actions are disabled in the web UI. They are moved to a secure, unified CLI tool accessed only via SSH.
- Global Exception Handler: The system intercepts 500 Internal Server Errors globally, strips stack traces to prevent leakage, renders a localized generic message, and dispatches an out-of-band HTML crash report directly to the engineering team.
4. Data Integrity & Concurrency
Handling highly concurrent webhook events from platforms like Meta requires transactional safety. I configured SQLite with Write-Ahead Logging (WAL) to prevent lock errors. Furthermore, a Dead Letter Queue (DLQ) ensures that failed payloads (e.g., due to AI API timeouts) are safely routed for manual recovery, guaranteeing 0% data loss during Retry Storms.
5. AI Integration: Local vs. Cloud
The platform features a Hybrid AI Engine. Sensitive audio components (like coaching voice notes) are processed completely offline using a locally hosted Faster-Whisper model and natively compiled FFmpeg. Public-facing agentic tasks (conversational memory, lead qualification) are securely offloaded to Google Gemini 2.0 Flash with semantic Redis caching to minimize latency.