
Internal Project Management Tool

Express + JWT-secured PM tool with rate limiting, security headers, and Playwright smoke coverage.

Role: Backend engineer
Year: 2025
Status: live
Tags: full-stack, automation

Overview

An internal project-management tool used to coordinate cross-team work across the Mike Sport group. Lightweight on the backend, hardened on security, and verified by Playwright smoke tests.

Problem

The team needed a single source of truth for project status across multiple tracks (e-commerce, marketing, operations) without paying for an enterprise SaaS that nobody would adopt.

Approach

Build it small. Express on the backend with strong security defaults (JWT, rate limiting, helmet headers, bcrypt) and a clean route surface. Smoke-test the critical flows in Playwright so refactors don't silently break the team's daily tool.

Architecture

  • Backend: Node.js + Express 4.22 with JWT-based auth.
  • Security middleware: helmet for security headers, express-rate-limit to throttle abusive traffic, bcryptjs for password hashing.
  • Tests: Playwright 1.58.2 covering critical flows.
  • Frontend: Standard React/Next stack consuming the API.

Tech stack

  • Backend: Node.js, Express 4.22, JWT, bcryptjs
  • Security: Helmet, express-rate-limit
  • Testing: Playwright 1.58.2
  • Auth: JWT-based sessions

Engineering highlights

  • Security-first defaults: helmet, rate limiting, JWT, bcrypt all wired by default, not retrofitted.
  • Smoke coverage: Playwright tests guard the critical flows so the team's daily tool doesn't regress on routine refactors.
  • Tight scope: deliberately minimal surface so it stays maintainable as a side-of-desk tool.

Outcome

In active use across the team. Never had a security incident; never had a Playwright-breaking regression ship to prod.
