Case study · Backend

HIPAA SaaS Laravel backend modernization.

7 services. 184 controllers. Modernized end-to-end.

After we shipped the frontend, the same client came back. The next problem was bigger: a 7-service Laravel backend running on PHP 7.3, accumulated security debt, and almost no automated test coverage. We audited the entire backend, then shipped the modernization.

Services modernized: 7
Controllers mapped: 184
Composer advisories resolved: 71
Critical + high findings closed: 13

The situation

Distributed in shape, monolithic in behavior.

The same client that bought our frontend sprint came back with a backend they couldn't sit on much longer.

Seven Laravel services across two major versions. Repos still targeting PHP 7.3, 7.4, and 8.0.2. Local stack files pointing at MySQL 5.7. The Docker setup still carrying a Node 8 build path for legacy assets. It looked like microservices. It behaved like a distributed monolith — services calling each other directly over HTTP for day-to-day domain behavior, shared service-registry code baked into multiple repos, route versioning duplicated across the stack. They were paying the microservice tax without getting any of the upside.

And then there was the safety net.

There barely was one.

Across seven services we found 184 controllers and 27 meaningful tests. No CI. No contract tests. No dependency audit pipeline. Plus the kind of security debt that doesn't survive a real HIPAA risk analysis: weak authentication boundaries, credential management gaps, missing access controls on internal routes, and rate limiting turned off across the APIs.

For a HIPAA platform, that's the kind of inventory you can't keep.

The audit

Three components that shaped the sprint.

Before we shipped the modernization, we ran the audit that shaped it. Three components, written for the technical lead and the executive team simultaneously:

1. Modernization Foundation. Where every service was, what it cost to keep there, and what the end state should look like. Current → supportable → boring enough that a normal engineering team can move fast on it.

2. Modernization Roadmap. The phased delivery plan we then executed against.

3. HIPAA and Security Risk. Plain-English risk picture for leadership. OCR's 2024–2025 audit program is leaning harder into Security Rule controls. The proposed December 2024 Security Rule update raises the bar further. We mapped the current backend posture against it. The answer was uncomfortable, and we made it actionable.

What we shipped

The roadmap, executed.

  • Phase 0: Contained the risk. Locked down the exposed authentication surfaces. Rotated any credentials sitting where they shouldn't be. Restored CSRF where it belonged. Turned rate limiting back on. The work that couldn't stay open for another quarter — done first.
  • Phase 1: Built the safety net. Each repo now boots from a clean checkout. CI installs, tests, and runs dependency audits on every push. Smoke tests cover the cross-service flows that actually matter. Contract tests live around the shared service-registry surfaces.
  • Phase 2: Moved to current. Staged Laravel and PHP upgrades, in the right order. Laravel 8/9 → 13. PHP 7.3–8.0.2 → 8.5. Node 8 → 24 LTS. MySQL 5.7 → 8.4 LTS. Latest supported versions, supported runtimes, supported tooling.
  • Architecture simplification. We delivered a candid read on which services should stay split and which should merge into a modular core. Several were flagged as strong merge candidates — fewer repos, fewer deploy surfaces, fewer coordination costs.
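What the Phase 0 fixes and their Phase 1 safety net look like in Laravel terms, as an added example that is not the client's code or code from any of the seven services. It takes two of the findings above, an "internal" PHI route with no access control and rate limiting switched off, and shows the route hardened with authentication, a named rate limiter and an explicit authorization gate, followed by the feature test that pins the 401/403/429 outcomes in CI. Everything named is an assumption: PatientController, the Patient and User models, an organization_id tenancy column, Sanctum as the token guard, and the limiter, gate and route names. It is written as one file only for compactness; in a real project the limiter and gate live in the service providers (Laravel 8-10) or bootstrap/app.php (11+), the routes in routes/api.php and the test in tests/Feature/.

```php
<?php
// Added example, not the client's code. Hypothetical names throughout:
// PatientController, Patient, User, an organization_id tenancy column,
// and the 'phi-api' limiter / 'view-patient' gate / route paths.
// Kept PHP 7.3-compatible on purpose: Phase 0 ships before the PHP upgrade.

use App\Http\Controllers\PatientController;
use App\Models\Patient;
use App\Models\User;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Laravel\Sanctum\Sanctum;   // assumes Sanctum is the API token guard
use Tests\TestCase;

// BEFORE (the shape of the finding): reachable by anyone who can reach the
// service, no throttle, and the handler trusts whoever called it.
//   Route::get('/internal/patients/{patient}', [PatientController::class, 'show']);

// AFTER, step 1: a named limiter. Keyed by the authenticated user, falling
// back to the client IP for unauthenticated hits. (Normally lives in
// RouteServiceProvider::boot() / bootstrap/app.php, not the routes file.)
RateLimiter::for('phi-api', function (Request $request) {
    return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
});

// AFTER, step 2: the access rule as an explicit, testable gate.
// Hypothetical tenancy rule: a user may only read PHI from their own organization.
Gate::define('view-patient', function (User $user, Patient $patient): bool {
    return $user->organization_id === $patient->organization_id;
});

// AFTER, step 3: the route. auth:sanctum rejects missing or invalid tokens
// (401), throttle:phi-api enforces the limiter (429), and can:view-patient,patient
// runs the gate against the route-bound Patient (403 on failure). Implicit model
// binding is assumed, i.e. PatientController::show() type-hints Patient.
Route::middleware(['auth:sanctum', 'throttle:phi-api'])
    ->prefix('internal')
    ->group(function () {
        Route::get('/patients/{patient}', [PatientController::class, 'show'])
            ->middleware('can:view-patient,patient');
    });

// Phase 1 safety net: pin all three outcomes so a future refactor cannot
// silently drop a middleware. Paths assume the standard /api prefix that
// RouteServiceProvider applies to routes/api.php.
class InternalPatientRouteTest extends TestCase
{
    use RefreshDatabase;

    public function test_request_without_token_gets_401(): void
    {
        $patient = Patient::factory()->create(['organization_id' => 1]);
        $this->getJson("/api/internal/patients/{$patient->id}")->assertStatus(401);
    }

    public function test_user_from_another_organization_gets_403(): void
    {
        Sanctum::actingAs(User::factory()->create(['organization_id' => 2]));
        $patient = Patient::factory()->create(['organization_id' => 1]);
        $this->getJson("/api/internal/patients/{$patient->id}")->assertStatus(403);
    }

    public function test_sixty_first_request_in_a_minute_gets_429(): void
    {
        Sanctum::actingAs(User::factory()->create(['organization_id' => 1]));
        $patient = Patient::factory()->create(['organization_id' => 1]);
        $url = "/api/internal/patients/{$patient->id}";
        for ($i = 0; $i < 60; $i++) {
            $this->getJson($url)->assertOk();   // within Limit::perMinute(60)
        }
        $this->getJson($url)->assertStatus(429); // the limiter trips on the 61st
    }
}
```

The same CI job that runs this test should also run `composer audit --locked`, so that a new advisory against composer.lock fails the push instead of accumulating the way the 71 above did.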

The numbers

Audit findings.

Services in scope: 7 backend repos + shared service registry
Critical findings: 3
High-severity findings: 10
PHP files: 2,243
Controllers: 184
Meaningful tests found: 27
Locked Composer advisories: 71
Backend stack at audit time: Laravel 8/9, PHP 7.3–8.0.2, Node 8 build, MySQL 5.7
Modernization target: Laravel 13, PHP 8.5.5, Node 24 LTS, MySQL 8.4 LTS

What this means for the client

Real work, in real order.

The backend isn't unfixable. It's just not a “bump the dependencies” job. Pretending otherwise is what gets you a Friday-night incident.

Our audit gave the leadership team a clear, sequenced path: contain the risk first, build the safety net second, do the staged upgrades third, and consider architecture simplification only after the platform is stable. No giant rewrite. No “merge everything next month” plan. Real work, in real order.

It also gave them a defensible story for buyers, partners, and HIPAA risk analysis. Security posture shows up in diligence. It shows up in procurement. It shows up the moment one customer asks how access to PHI is controlled. Now there's an answer.

How we audit

Senior engineering analysis, not automated scanner output.

Read-only access to every repo. Senior engineering analysis, not automated scanner output. Findings prioritized by exploit risk and operational impact, not just CVE severity score. Phased recommendations with rough timing per phase, so leadership can plan around it. A risk picture written for both the technical lead and the executive team, in language each of them actually uses.

That's the SprintZero pattern: serious engineering, written like adults are reading it.

What this could look like for your team

One week. Real findings. A real plan.

If you're running on aging Laravel, weighing whether to stay distributed or consolidate, or carrying compliance exposure you can't keep ignoring — the audit pattern here is what the Codebase X-Ray gives you. One week. Real findings. A real plan, in priority order. With a sprint scope and price attached.

100% credited toward the sprint if you proceed.