Role summary
Own a healthcare web application endtoend across backend (Python/Flask/Celery/Postgres) and frontend (Node.js/Express/HTML/CSS/JS), leading feature delivery, integrations, security, and operations.
Key responsibilities
- End to end ownership
- Plan, design, implement, test, deploy, and monitor features across frontend and backend.
- Maintain high code quality, documentation, and developer experience.
- Backend (Python/Flask)
- Design REST APIs, proxy endpoints, and vendor integrations (e.g., EHR systems, form platforms).
- Implement asynchronous processing pipelines with Celery + Redis (audio/transcripts).
- Optimize Postgres schemas/queries; manage connection pools (psycopg/psycopg_pool).
- Enforce consistent authentication/authorization (API key headers), manage secrets via environment variables.
- Operate with Gunicorn and Docker Compose; maintain conda/venv environments.
- Frontend (Node.js/Express)
- Build secure serverside routes and robust proxy layers to backend APIs.
- Implement sessions, CSRF protection, rate limiting, and security headers (helmet + CSP).
- Integrate thirdparty form systems; implement file uploads (multer) and streaming (PDF/audio).
- Develop pages and flows: login/register, dashboard, patients, action items, billing, invoice generation.
- Media ingestion
- Implement browser recording UX, file validation, and resilient upload/processing flows.
- Coordinate FFmpeg/ffprobe and pydub usage for media processing.
- Data & documents
- Manage patient sections (agenda, summary, transcripts, blueprints), versioning/history, and exports (ZIP, PDF).
- DevOps & operations
- Own Docker Compose and CI/CD pipelines; environment parity for dev/stage/prod.
- Instrument logging, metrics, tracing; set alerts; optimize performance and cost.
- Security & compliance
- Apply best practices: input validation, CSRF, CSP, secure cookies/sessions, SSRF prevention, rate limiting.
- Handle secret management and least privilege for cloud/database access.
- Contribute to security gap analysis and remediation; ensure auditable changes.
- Quality & process
- Write unit/integration tests for critical flows (auth, uploads, proxies, billing).
- Own release notes, migration scripts, rollback plans; drive postmortems and continuous improvement.
Success metrics (first 90 days)
- Standardize API key attachment across all proxy calls; eliminate missing api key errors.
- Stabilize audio/transcript pipeline with retries, idempotency, and user feedback; reduce failures >80%.
- Ship two endtoend features with tests and documentation.
- Introduce base CI (lint/test/build) and minimal deploy workflow; improve release cadence.
- Close top security findings; add monitoring for key endpoints.
Interview focus
- Architecture: consistent API key enforcement across Express proxies and Flask APIs.
- Systems design: async pipelines for audio/transcripts; retry/backoff; idempotency; observability.
- Security: CSP/CSRF/session hardening, SSRF/file upload safety, secrets management.
- Live coding: secure PDF streaming proxy with check vs stream logic and error forwarding.
- DB: schema/index proposals for patient sections/history and efficient exports.
Short job board version
- Title: Senior FullStack Engineer
- Summary: Own a healthcare web app endtoend (Python/Flask/Celery/Postgres + Node/Express). Build secure APIs and proxies, audio/transcript pipelines, dashboards, billing, and PDF/invoice flows. Lead DevOps, security, and performance.
- Musthaves: 5+ yrs; Flask, Celery, Postgres, Node/Express; Docker/Compose; security (CSP/CSRF/headers); file uploads/streaming; CI/CD.
- Nicetohaves: EHR integrations, Form.io, Azure/AWS/GCP, HIPAA workflows.
- Location: [Remote/Hybrid/Onsite]
- Compensation: [Range/Bands]
- Apply: [Email/ATS link]
Requirements
Qualifications
- 5+ years of fullstack development with production ownership.
- Python ecosystem: Flask, Gunicorn, Celery, Redis, Postgres, psycopg, conda/venv, FFmpeg/pydub.
- Node.js ecosystem: Node 18+, Express 5, axios, multer, helmet, expressratelimit, csrf, marked, nodefetch/undici.
- Web app delivery: HTML/CSS/JS, UX for dashboards/wizards/modals/drawers, performance optimization.
- Architecture & operations: Docker/Compose, environment config, secrets via env vars, git workflows.
- Security: API key enforcement, session security, CSRF, CSP, rate limiting, secure headers, file upload safety.
Nice to have
- EHR integrations (Charm or similar), HIPAAaligned workflows.
- Form platforms (Form.io), PDF generation/signing, invoice pipelines.
- Cloud experience (Azure/AWS/GCP) and managed Postgres.
- CI/CD (GitHub Actions), IaC/Terraform, container orchestration.
- Data privacy/compliance experience (audit trails, access controls).
