EHR Backend

a clinical record backend where authorization is the feature

  • Kotlin
  • Spring Boot
  • Postgres
  • FHIR R4

github.com/Conalh/ehr-backend

Most EHR-shaped demos are CRUD with a login. This one is about the hard part of clinical software: who may see which patient’s record, how you prove every access after the fact, and how you change the answer to “who may see what” without a breaking flag-day.

It’s a multi-tenant clinical core in Kotlin / Spring Boot / Postgres serving a REST + FHIR R4 API, with an embedded SMART-on-FHIR authorization server — authorization code + PKCE, standalone patient launch, OIDC, and client-credentials backend services for FHIR Bulk Data $export. Every clinical read and write passes through one deterministic policy spine — organization match → role → SMART scope → launch context → treatment relationship — and leaves audit evidence, including why an access was allowed.

The engineering is in the guarantees: tenancy fails closed (a cross-tenant id is a 404, never a row), the audit log is append-only and enforced by database triggers rather than application discipline, and patient-compartment authorization ships with a shadow-first rollout so an organization can watch what enforcement would do before it ever denies anyone. 387 integration-first tests, synthetic data only, MIT licensed.
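
A sketch of the ordered policy spine and shadow-first rollout described above, added here as an illustration and not taken from the ehr-backend repository. All type, role and reason names are hypothetical; treating launch context and treatment relationship as the shadowed patient-compartment checks, and using 403 for denials, are assumptions.

```kotlin
// Added illustration: every name here is hypothetical, not the project's own code.
enum class Mode { SHADOW, ENFORCE }

data class Caller(
    val orgId: String,
    val role: String,
    val scopes: Set<String>,
    val launchPatient: String?,   // SMART launch context; null when no patient was launched
    val treats: Set<String>,      // patient ids with a treatment relationship (assumed shape)
)

data class Record(val orgId: String, val patientId: String, val requiredScope: String)

// reason is what the audit trail would store alongside the access.
data class Decision(val status: Int, val reason: String, val wouldDeny: Boolean = false)

// Checks run in a fixed order and the first failure decides,
// so identical input always produces the identical reason.
fun evaluate(c: Caller, r: Record, compartmentMode: Mode): Decision {
    // Tenancy fails closed in every mode: a cross-tenant id looks like a missing row.
    if (c.orgId != r.orgId) return Decision(404, "org-mismatch")
    if (c.role !in setOf("clinician", "patient")) return Decision(403, "role")
    if (r.requiredScope !in c.scopes) return Decision(403, "scope")

    // Patient-compartment checks: launch context first, then treatment relationship.
    val failure = when {
        c.launchPatient != null && c.launchPatient != r.patientId -> "launch-context"
        c.launchPatient == null && r.patientId !in c.treats -> "no-treatment-relationship"
        else -> null
    } ?: return Decision(200, "allowed: all checks passed")

    // Shadow mode serves the request but records what enforcement would have done.
    return if (compartmentMode == Mode.SHADOW)
        Decision(200, "allowed (shadow): would deny on $failure", wouldDeny = true)
    else
        Decision(403, failure)
}

fun main() {
    // Constructed sample data: a clinician who treats p1 reads an Observation for p2.
    val nurse = Caller("org-a", "clinician", setOf("user/Observation.read"), null, setOf("p1"))
    val obs = Record("org-a", "p2", "user/Observation.read")
    println(evaluate(nurse, obs, Mode.SHADOW))
    println(evaluate(nurse, obs, Mode.ENFORCE))
    println(evaluate(nurse, obs.copy(orgId = "org-b"), Mode.ENFORCE))
}
```

Counting `wouldDeny` decisions per organization while in shadow mode is what lets an operator see the effect of enforcement before switching the mode.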