Ethics Case Triage & Investigation Tracker
Build an internal tool that moves whistleblower and ethics cases through a confidential investigation - conflict-free investigator assignment, need-to-know access, evidence and findings, a lead-approved outcome, and an anonymized case log - with confidentiality and access control enforced at every step.
A confidential, access-controlled case tracker where each ethics case is assigned to a conflict-free investigator, evidence and notes are restricted to a per-case need-to-know list, findings and outcome are approved by the ethics lead before close, and reporting only ever leaves the building with identities masked.
Before you start
- A free Supabase account
- A free Vercel account
- A free Resend account (for case notifications)
- Your current case intake list as a CSV or Google Sheet (if you have one)
The problem this kills
A whistleblower report comes in and now you are juggling it across an email thread, a locked spreadsheet, and a shared drive folder that, deep down, you know is not actually locked. The investigator assigned might know the subject. Three people can see notes who never should have. There is no record of who opened the evidence file or when. And when leadership asks for a quarterly ethics report, you are hand-redacting names at midnight, terrified you will miss one.
Sensitive misconduct cases are exactly where a sloppy tool becomes a real liability - to the reporter, to the subject, and to you. Generic ticketing systems leak by default: everyone on the team sees everything. That is the opposite of what an ethics investigation needs.
What you'll build
A focused internal web app that carries an ethics case from a triaged intake all the way to a closed, documented outcome - without ever showing a case to someone who is not explicitly on its need-to-know list. You assign each case to an investigator the tool has confirmed has no conflict of interest. The investigator gathers notes and uploads evidence behind restricted access. They record findings. The ethics lead reviews and approves the substantiated-or-unsubstantiated outcome before the case can be closed, and any disciplinary referral is its own reviewed step. Every view, edit, and file download is written to an immutable audit trail. When it is time to report, you export an anonymized case log with identities masked.
What's inside the Implementation Plan
The plan is a single file you paste into an AI coding agent (Claude Code), which then builds the tool with you step by step - no coding experience required.
Crucially, the plan does not assume your process. It opens by interviewing you about your business - how cases reach you today, who investigates, what your conflict-of-interest rules actually are, how you label case IDs, your real outcome categories, who is allowed to be notified, and your messiest edge cases (a report against the ethics lead, an anonymous reporter, a case that splits in two). It reflects a short tailored spec back to you, you confirm it, and only then does it build a tool shaped to how you really work - not a generic template.
From there it walks you through the data model, the per-case access lists, the conflict check, evidence storage, the approval gate, notifications, the audit trail, and the masked export - each step ending in a ready-to-paste prompt.
The governance it includes (this is the point)
This is not a to-do list with extra steps. Governance is the product:
- Login so only your team can open the tool at all.
- Per-case need-to-know access (row-level security): people see only the cases they are explicitly added to - not org-wide visibility. This is the core difference from a normal ticketing tool.
- Conflict-of-interest check on every investigator assignment, so a case is never handed to someone connected to it.
- A hard human approval gate: the ethics lead reviews and approves the findings and the outcome before a case can close; a disciplinary referral is a separate reviewed step.
- An immutable audit trail: who accessed what, who downloaded which evidence file, and when - records that cannot be edited or deleted.
- Duplicate guards keyed on case ID so the same report can never be opened twice as two cases.
- Masked reporting: the export strips and pseudonymizes identities so the case log can leave the team safely.
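
One way to express the per-case need-to-know access and the immutable audit trail from the list above in Supabase's Postgres database. This is an added example, not taken from the Implementation Plan; every table, column, policy, function and trigger name is an assumption.

```sql
-- Added example; all table, column, policy and trigger names are hypothetical.
create table cases (
  id       uuid primary key default gen_random_uuid(),
  case_ref text not null unique,   -- duplicate guard keyed on case ID
  status   text not null default 'open'
);
create table case_access (         -- the per-case need-to-know list
  case_id uuid not null references cases(id),
  user_id uuid not null,           -- compared with Supabase auth.uid()
  primary key (case_id, user_id)
);
create table audit_log (
  id        bigint generated always as identity primary key,
  case_id   uuid not null references cases(id),
  actor_id  uuid not null,
  activity  text not null check (activity in ('view', 'edit', 'download')),
  logged_at timestamptz not null default now()
);

alter table cases       enable row level security;
alter table case_access enable row level security;
alter table audit_log   enable row level security;

-- A case row is visible only to users on that case's access list.
create policy cases_need_to_know on cases for select to authenticated
  using (exists (select 1 from case_access a
                 where a.case_id = cases.id and a.user_id = auth.uid()));

-- Users may read only their own access-list rows (the policy above relies on this).
create policy access_own_rows on case_access for select to authenticated
  using (user_id = auth.uid());

-- Audit rows can only be appended, under the caller's own identity,
-- and only for a case the caller is on the access list for.
create policy audit_append_only on audit_log for insert to authenticated
  with check (actor_id = auth.uid()
              and exists (select 1 from case_access a
                          where a.case_id = audit_log.case_id
                            and a.user_id = auth.uid()));

-- No select/update/delete policy exists for audit_log, so RLS denies those to
-- authenticated users. Triggers fire even for roles that bypass RLS.
create function audit_log_immutable() returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end $$;
create trigger audit_log_no_change before update or delete on audit_log
  for each row execute function audit_log_immutable();
create trigger audit_log_no_truncate before truncate on audit_log
  for each statement execute function audit_log_immutable();
```

Supabase's `service_role` key bypasses row-level security, so it must stay out of the browser and out of any code path that serves case data to users.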
Who it's for
Ethics and compliance investigators, internal-investigations teams, and in-house legal handling sensitive misconduct, harassment, fraud, and whistleblower cases - anyone who needs a real chain of custody and strict confidentiality, not a shared spreadsheet.
You've got this
You do not need to be a developer. You need your process knowledge and about a weekend. Open the Implementation Plan, paste the first prompt, and answer the interview - the agent takes it from there.