SouthpawStrings.com is a left-handed-first resource and practice platform: interactive theory tools, user accounts, playlists, sheet music, uploaded practice audio, a configurable Practice Workbench, and community funding integrations. It is live, public, and gaining real users.

The application is purpose-built on established frameworks, rather than assembled from a CMS, site builder, or plugin-heavy platform. Its product design, data model, encryption boundaries, container images, Kubernetes manifests, network rules, and release process were all engineered for this specific service. That keeps the architecture understandable and the product free to evolve around what left-handed guitarists actually need.

It is also entirely a personal project: built outside work hours, on my own equipment, domains, accounts, licences, and hosting. No BTG or customer code, data, systems, documentation, or confidential information was used anywhere in it.

This page walks through what was built and how — a technical case study in bespoke, secure, documented engineering operated to production standards.

The product

From resource hub to integrated practice platform

SouthpawStrings now joins left-handed theory, personal practice material, and real playback tools in one coherent workflow — from learning an idea to rehearsing it with a song.

Left-handed first Interactive theory tools Scale, mode, chord, arpeggio, voicing, interval, metronome, and fretboard tools are designed around left-handed players rather than treating them as an afterthought.
Personal library Playlists, songs & sheets Users can organise songs into playlists, attach multiple PDF or text sheets, scan a sheet for chords, and carry their saved practice state between sessions.
Practice player One player, several layouts YouTube, uploaded audio, sheet-only, and combined layouts share transport controls, page state, A–B loop markers, previous/next navigation, and keyboard or foot-pedal control.
Real audio tools Slow down without tuning down A Web Audio engine provides pitch-preserved slowdown, transpose, waveform navigation, and sample-accurate looping for privately uploaded practice tracks.
Practice Workbench A configurable learning space Players can arrange theory modules and the full practice player on a responsive canvas, save layouts to their account, and reopen the workspace on another device.
Inclusive UX Themes, accessibility & languages Designed light and dark themes, optional colour profiles, responsive and keyboard-aware interfaces, and beta Spanish, German, and Japanese translations broaden how the platform can be used.

The stack

Modern, typed, maintainable

The application is built on Next.js 15 (App Router) with React 19 and TypeScript throughout — a fully typed codebase from the UI down to the database layer. Styling uses Tailwind CSS with shadcn/ui components, and data lives in PostgreSQL 16 accessed through the Prisma 7 ORM (over a connection-pooling driver adapter) with versioned, forward-only schema migrations. The production database runs as a two-instance high-availability CloudNativePG cluster — a primary and standby with automatic failover. Continuous WAL archiving and daily base backups provide point-in-time recovery, while separate logical and offsite copies add another recovery path. Restore capability is drilled, not assumed.

Identity is handled by Auth.js: email/password plus OAuth sign-in with Google, Apple, Microsoft, and Facebook, using provider-appropriate safeguards including PKCE where supported. Apple's client secret is minted at runtime from its signing key rather than stored as a long-lived secret.

The whole thing ships as hardened Docker images, runs on Kubernetes, and fronts the internet through Cloudflare. Automated delivery runs through a self-hosted CI pipeline, and k6 exercises smoke, ramp, spike, and soak scenarios so capacity is measured rather than guessed.

Security by design

Built secure, not patched secure

Security was engineered in from the first commit — then independently reviewed against the codebase, with every significant finding remediated.

Data at rest Field-level encryption User practice data and uploaded files are encrypted with AES-256-GCM before they touch the database, with HMAC blind indexes so features still work without decrypting.
Credentials Modern password handling Salted scrypt hashing with timing-safe comparison — plaintext passwords are never stored. Password resets are hashed, single-use, and time-limited.
Identity MFA & safe account linking Password accounts use TOTP two-factor authentication with single-use recovery codes, and must enable it before writing saved practice data. Unverified-provider sign-ups stay pending; linking or disconnecting a sign-in method requires fresh proof, is audited, and can never remove the account's last way back in.
Headers Hardened HTTP baseline HSTS with preload, a Content-Security-Policy, frame-ancestors denial, nosniff, and strict referrer and permissions policies on every response.
Abuse resistance Rate limiting & CAPTCHA Per-IP rate limiting and Cloudflare Turnstile on sign-in and sign-up, with deliberately generic responses so attackers can't enumerate accounts.
Assurance Reviewed, tested, remediated A full static security review of the entire codebase — auth, APIs, crypto, schema, headers, containers — with findings fixed and documented, plus an automated test suite and continuous integration that gate every change.

Operations

Run to production standards

A platform is only as good as the way it is operated. SouthpawStrings runs with the discipline of an enterprise service.

Ingress Outbound-only public path All public traffic arrives through an outbound-only Cloudflare Tunnel — no inbound ports are open to the internet, anywhere.
Cluster Dedicated DMZ Kubernetes Production is isolated on its own DMZ cluster. Non-root containers, digest-pinned images, layered firewalling, and default-deny network policies keep workloads constrained.
Environments Real prod/dev separation Production and restricted development run on different clusters with separate databases and delivery paths. Guard scripts make destructive operations against production fail closed.
Releases Repeatable, verified deploys Pull requests must pass type, lint, test, migration-safety, and production-build gates. Development deploys automatically; production uses an approved same-digest promotion with a mandatory pre-migration restore point.
Capacity Tested under load, scales on demand k6 scenarios exercise the platform from smoke tests to sustained soak runs, so capacity limits are measured rather than guessed — and the app autoscales across replicas as load arrives.
Continuity High availability & backups The database runs as a primary-and-standby cluster with automatic failover, continuous WAL archiving, daily base backups, and separate offsite copies. Recovery has been proven by drill, alongside health endpoints, audit logging, and written migration and recovery runbooks.

Documentation

Documented like it matters

Engineers love documentation — and businesses need it. An undocumented system is a liability: it can't be audited, can't be handed over, and depends entirely on whoever built it. So SouthpawStrings is documented the way a commercial system should be: every operational procedure is written down, versioned in git alongside the code, and kept current as the platform evolves.

That includes a deployment runbook, database safety procedures, setup guides for every external integration, the security review and its remediations, an architecture overview, and a formal engineering handover document — so another engineer could pick the platform up cold and run it.

That discipline isn't project-specific. As-built documentation, runbooks anyone can follow, and a handover pack are how key-person risk gets removed from any system. If it isn't documented, it isn't finished.

How it was delivered

SouthpawStrings was built engineer-led and AI-accelerated: AI tooling was used to move faster on code, documentation, and testing — with a human engineer reviewing, constraining, and owning every decision. That is the same principle I apply to all professional work: AI as an accelerator, never a substitute for engineering judgement, security boundaries, or accountability.

Professional relevance

What this demonstrates

SouthpawStrings is a music project, not an IT business — but it is honest evidence of engineering discipline. If a guitarists' resource hub warrants encrypted data, multi-factor authentication, zero-trust networking, and a disciplined release process, that says something about the standards applied: documentation, privacy, security, deployment automation, UX, and maintainability are treated as non-negotiable, even on a hobby project.

For commercial IT consulting, cloud, Microsoft 365, infrastructure, automation, or AI engineering work, please contact BTG and mention Andy Denley.