laravel.diagnostic.ly

Full Project Audit Report — February 2026

2,186 commits
~80K lines of code
18 months
106 migrations
5-7 core developers

Executive Summary

Healthcare diagnostics administration platform built with Laravel 11

Maintainability: 4/10
CI/CD Maturity: 3/10
Test Coverage: <1%
Business Value: Med-High

Business Value

Functioning multi-tenant healthcare admin platform with real integrations (Twilio, SendGrid, AWS S3, Google Translate, Postalytics). Deployed to production on AWS.

Replacement cost: $300K – $500K

Key Risk

The project has virtually no automated tests: 5 test files, of which 4 are scaffolding stubs and 1 is a real test. For a healthcare platform, this is a critical gap.

Delivery Maturity: Low-to-Medium

Development Timeline

18 months of development: Aug 2024 – Feb 2026

Monthly Commit Activity

Development Phases

Aug 2024 (42 commits): Foundation. Laravel setup, Admin module, auth, DB schema, geographic seed data.
Sep – Dec 2024 (367 commits): Core Build. Login, CRUD pages, messaging, media, accounts, roles, users.
Jan – Mar 2025 (382 commits): Acceleration. Settings, products, bundles, global configuration, support entities.
Apr – Jul 2025 (822 commits): Peak Development. Document module (Vue 3 SPA), shared docs, OTP verification, permissions.
Aug – Oct 2025 (206 commits): Feature Maturation. Document encryption, field mappings, networks, direct mail, triggers.
Nov – Dec 2025 (317 commits): Advanced Features. Education flows, communication system, Postalytics, templates.
Jan – Feb 2026 (50 commits): Current. Finance dashboard, order forms, global search; velocity is declining.

Team Analysis

~15-18 unique contributors, 5-7 core active developers

Contributor Breakdown

Bus Factor: LOW (critical risk)

The top 3 identities account for 65% of all commits, and one of them ("laraveldiagnostic") is a shared account, so the number of people who can actually maintain the codebase is lower than the contributor count suggests.

Identity | Commits | Share
"design" account | 884 | 33.9%
Danish Saleem | 426 | 16.3%
"laraveldiagnostic" (shared) | 394 | 15.1%

Hotspot Files (most frequently changed)

File | Changes | Risk
resources/assets/js/app.js | 217 | HIGH
resources/lang/translations.json | 198 | MEDIUM
Modules/Document/.../DocumentList.vue | 93 | HIGH
Modules/Admin/routes/web.php | 89 | HIGH
Modules/Admin/.../navigation.blade.php | 77 | MEDIUM
.../GlobalSettingsRepository.php | 72 | HIGH
app/Services/TranslationService.php | 68 | HIGH

Effort & Cost Estimate

Base estimate: ~9,200 person-hours, about 57 person-months of effort, or ~6.6 calendar months for a team of 8. Derivation: 80K LOC / 70 LOC per developer-day ≈ 1,140 developer-days ≈ 9,200 hours; 1,140 days / 8 developers / ~21.7 working days a month ≈ 6.6 months. The month figures in the table below are calendar months for that 8-developer team, not person-months.

Lines of Code by Type

Effort by Feature Area

Replacement Cost Estimates

Scenario | LOC/dev/day | Calendar Months (8-dev team) | Cost Range
LOW (senior team, high reuse) | 100 | ~4.6 | $230K – $323K
BASE (mid-level team, typical) | 70 | ~6.6 | $323K – $452K
HIGH (junior team, learning curve) | 50 | ~9.2 | $461K – $645K

Architecture

Modular Laravel 11 application with repository + service patterns

Technology Stack

PHP 8.2+, Laravel 11, MySQL, Redis, Vue 3, Vite 5, jQuery, Bootstrap 5, DataTables, AWS S3, Sanctum, Spatie RBAC, Twilio, SendGrid, Google Translate, Postalytics

Modular Architecture

2 self-contained modules via nwidart/laravel-modules

Admin Module

Accounts, users, roles, messaging, products, settings, direct mail, education

Document Module

Vue 3 SPA, file upload/S3, folders, permissions, shared docs, OTP verification

Architecture Patterns

Repository pattern: Good
Service layer: Good
Hashid obfuscation: Good (hides sequential IDs in URLs, but it is not an access control; per-tenant authorization checks on account_id are still required on every route)
Activity logging: Good
Observer pattern: Good

Data Model

106 migrations, key patterns:

  • Multi-tenant via account_id FK
  • Polymorphic media relationships
  • Tree structure for doc folders
  • Pivot tables for many-to-many
  • Key-value settings tables

Feature Inventory

Module | Description | Integrations | Maturity
Account Management | Multi-tenant CRUD, portal & ecommerce settings | – | High
User & Role Mgmt | User CRUD, address management, Spatie RBAC | Spatie | High
Messaging System | Templates, sets, communication types | Twilio, SendGrid | High
Document Mgmt | Vue 3 SPA, S3, OTP sharing, retention | AWS S3 | High
Products & Bundles | Product definitions, bundling, media | – | Medium
Translation System | DB-backed i18n, auto-translate, overrides | Google Translate | Medium
Direct Mail | Triggers, timing, postage types | Postalytics | Early
Education Flows | Screen configs, purpose flows | – | Early
Case Notes | Healthcare case note management | – | Early
Telemedicine | Provider settings | – | Early
Field Mapping | Categories, IDs, mapping types, networks | External | Early

Quality Posture

Maintainability: 4/10 — CI/CD Maturity: 3/10

Maintainability Score

CI/CD Pipeline Maturity

Test Coverage: CRITICAL

Estimated code coverage: <1%

Metric | Value
Total test files | 5
Real test files | 1
Scaffold/stub tests | 4
Test framework | PHPUnit 10

Code Debt Hotspots

! Monolithic JS file: app.js changed 217 times
! Single route file: all admin routes live in one web.php (89 changes)
! Shared git accounts: 3+ shared accounts obscure authorship
! Generic commit messages: 16+ consecutive "update" commits
! .sass-cache in git: build artifacts committed to the repository

Performance & Scalability Risks

Security Review

OWASP Top 10 mapping for the application

OWASP Top 10 Coverage

A01 Broken Access Control: Partial
A02 Cryptographic Failures: Partial
A03 Injection: Good
A04 Insecure Design: Risk
A05 Security Misconfiguration: Risk
A06 Vulnerable and Outdated Components: Unknown (no dependency vulnerability scanning in place; see Dependency Risk)
A07 Identification and Authentication Failures: Standard
A08 Software and Data Integrity Failures: Partial
A09 Security Logging and Monitoring Failures: Basic (activity logging only; no structured logging, metrics or APM)
A10 Server-Side Request Forgery: Low Risk

Secrets Handling

No .env committed: only .env.example is in the repository
AWS Secrets Manager: Jenkins pulls secrets from AWS Secrets Manager
Encryption key via env: ENCRYPTION_KEY is supplied as an environment variable
! SSH key during deploy: the deploy key is written to disk during the deploy step; it should instead be loaded into an ssh-agent straight from the secret store (for example via Jenkins' SSH Agent plugin) so it never lands in the workspace

Dependency Risk

28 direct PHP dependencies, including the Twilio SDK, SendGrid SDK and Google Cloud Translate.

No automated dependency vulnerability scanning beyond SonarQube.

Strengths & Weaknesses

Key findings from the audit

Strengths

Modular architecture: clean separation via nwidart/laravel-modules
Structured codebase: consistent repository + service pattern
Security basics: Hashids, Sanctum, Spatie RBAC, activity logging
Real integrations: Twilio, SendGrid, S3, Google Translate, Postalytics
Modern stack: Laravel 11, PHP 8.2+, Vue 3, Vite 5
Translation system: auto-translation with per-account overrides
Document module: well-designed Vue 3 SPA with API separation
CI pipeline exists: SonarQube with quality gate enforcement

Weaknesses

! Near-zero test coverage: 1 real test file in 80K LOC
! No staging environment: changes go directly to production
! git pull deployment: no atomic deploys, no rollback
! No tests in CI pipeline: the quality gate only checks static analysis
! Shared git accounts: obscures accountability
! Generic commit messages: 16+ consecutive "update" commits
! Monolithic JS file: app.js changed 217 times
! No observability: no APM, structured logging, or metrics

Prioritized Recommendations

P0 Add automated tests for critical paths (auth, document sharing, permissions). Impact: Very High. Effort: 2-3 weeks.
P0 Add a staging environment (clone of the production target with a separate database). Impact: Very High. Effort: 1-2 days.
P1 Add php artisan test to the Jenkins pipeline, run before the SonarQube analysis. Impact: High. Effort: 1 hour.
P1 Run build and migrations in the deploy (composer install, npm run build, php artisan migrate). Impact: High. Effort: 1 day.
P1 Eliminate shared git accounts; every developer gets their own identity. Impact: High. Effort: Very Low.
P2 Add PHPStan/Larastan for local static analysis to catch issues at dev time. Impact: Medium. Effort: 1 day.
P2 Split app.js into page-specific bundles to improve frontend performance. Impact: Medium. Effort: 1 week.
P2 Switch to zero-downtime deployment (Envoy, Deployer, or Laravel Forge). Impact: Medium. Effort: 1 week.
P3 Add APM/observability (Telescope, Sentry, or New Relic). Impact: Medium. Effort: 2 days.
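The "git pull deployment" weakness and the P1/P2 items above (run build and migrations in the deploy, switch to zero-downtime deployment) come down to one mechanism: build each release in its own directory and only then swap a symlink. The script below is an added example written for this report, not the project's own deploy script and not Envoy's or Deployer's code; it shows the release/shared/current layout those tools implement. DEPLOY_ROOT, REPO_URL, REPO_REF, KEEP_RELEASES, FETCH_CMD and BUILD_CMD are assumed names, and the repository URL is a placeholder.

```shell
#!/bin/sh
# Atomic release-directory deploy with rollback for a Laravel app.
# Added example, not the project's own deploy script. It replaces
# "git pull on the live checkout" with:
#   $DEPLOY_ROOT/releases/<timestamp>/  fresh checkout, built and migrated before going live
#   $DEPLOY_ROOT/shared/                real .env and storage/ that survive releases
#   $DEPLOY_ROOT/current -> releases/X  symlink swapped atomically
# All names below are assumptions and can be overridden via the environment.
set -eu

DEPLOY_ROOT="${DEPLOY_ROOT:-/var/www/app}"
export REPO_URL="${REPO_URL:-git@git.example.invalid:acme/app.git}"   # placeholder
export REPO_REF="${REPO_REF:-main}"
KEEP_RELEASES="${KEEP_RELEASES:-5}"
# FETCH_CMD runs as `sh -c "$FETCH_CMD" fetch <release-dir>`, so "$1" is the target.
if [ -z "${FETCH_CMD:-}" ]; then
  FETCH_CMD='git clone --depth 1 --branch "$REPO_REF" "$REPO_URL" "$1"'
fi
# The report's P1 build/migrate chain, run inside the new release before it is live.
if [ -z "${BUILD_CMD:-}" ]; then
  BUILD_CMD='composer install --no-dev --optimize-autoloader && npm ci && npm run build && php artisan migrate --force'
fi

# Releases in chronological order (names are timestamps); pass -r to reverse.
list_releases() { ls -1d "$DEPLOY_ROOT"/releases/* 2>/dev/null | LC_ALL=C sort ${1:-}; }

current_release() { readlink "$DEPLOY_ROOT/current"; }

# Point `current` at a release atomically: build a new symlink beside it and
# rename(2) it over the old one, so there is never a moment without a target.
activate_release() {
  ln -sfn "$1" "$DEPLOY_ROOT/current.tmp"
  # mv -T needs GNU coreutils; fall back to ln -sfn (tiny unlink+symlink window) elsewhere.
  mv -Tf "$DEPLOY_ROOT/current.tmp" "$DEPLOY_ROOT/current" 2>/dev/null \
    || { rm -f "$DEPLOY_ROOT/current.tmp"; ln -sfn "$1" "$DEPLOY_ROOT/current"; }
}

# Keep the newest KEEP_RELEASES directories; never delete the live one.
prune_releases() {
  cur=$(current_release)
  n=0
  list_releases -r | while read -r rel; do
    n=$((n + 1))
    [ "$n" -le "$KEEP_RELEASES" ] && continue
    [ "$rel" = "$cur" ] && continue
    rm -rf "$rel"
  done
}

deploy() {
  mkdir -p "$DEPLOY_ROOT/releases" "$DEPLOY_ROOT/shared/storage"
  ts=$(date +%Y%m%d%H%M%S)
  rel="$DEPLOY_ROOT/releases/$ts"
  i=0
  while [ -e "$rel" ]; do i=$((i + 1)); rel="$DEPLOY_ROOT/releases/$ts-$i"; done

  sh -c "$FETCH_CMD" fetch "$rel"
  # Shared state: the committed .env.example is never used; the real .env and the
  # writable storage/ tree live outside the release and are linked in.
  ln -sfn "$DEPLOY_ROOT/shared/.env" "$rel/.env"
  rm -rf "$rel/storage"
  ln -sfn "$DEPLOY_ROOT/shared/storage" "$rel/storage"

  # Build and migrate in the not-yet-live copy. If anything fails, `current`
  # has not been touched, which git pull on the live checkout cannot guarantee.
  if ! (cd "$rel" && sh -c "$BUILD_CMD"); then
    echo "deploy: build failed, discarding $rel; live release unchanged" >&2
    rm -rf "$rel"
    return 1
  fi
  activate_release "$rel"
  prune_releases
  echo "deploy: $rel is live"
}

# Re-point `current` at the release before the live one. This does not reverse
# database migrations; destructive migrations need their own down path.
rollback() {
  cur=$(current_release)
  prev=""
  for rel in $(list_releases); do
    [ "$rel" = "$cur" ] && break
    prev=$rel
  done
  [ -n "$prev" ] || { echo "rollback: no previous release" >&2; return 1; }
  activate_release "$prev"
  echo "rollback: $prev is live"
}

# Usage: DEPLOY_ACTION=deploy ./deploy.sh   or   DEPLOY_ACTION=rollback ./deploy.sh
case "${DEPLOY_ACTION:-}" in
  deploy) deploy ;;
  rollback) rollback ;;
esac
```

Because migrations run inside the new release directory before the symlink moves, a failed composer install, asset build or migration never reaches users, and a rollback is a second symlink swap rather than a reverse git operation. The pruning step is what keeps "no rollback" from silently returning once disk fills up.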

30 / 60 / 90-Day Execution Plan

Structured roadmap to reduce risk and improve delivery maturity

Days 1-30: Foundation & Risk Reduction

Eliminate the top delivery risks with minimal effort

Week | Action | Owner | Budget
1 | Eliminate shared git accounts; enforce personal identities | DevOps/CTO | $0
1 | Add .sass-cache to .gitignore and remove the already-tracked copy with git rm -r --cached | Any dev | $0
1 | Add php artisan test step to Jenkinsfile | DevOps | 2 hrs
1-2 | Set up staging environment | DevOps | $100-200/mo
2-3 | Write feature tests for authentication flow | Senior dev | 3-4 days
3-4 | Write feature tests for document sharing | Senior dev | 3-4 days
4 | Add PHPStan level 5 + baseline to CI | Senior dev | 1 day

Budget: ~$500-1,000 (infra) + ~2 weeks senior dev time
Outcome: CI runs tests, staging exists, critical paths have coverage

Days 31-60: Delivery Maturity

Improve deployment confidence and developer productivity

Week | Action | Owner | Budget
5 | Adopt zero-downtime deployment tool | DevOps | 3-5 days
5-6 | Add database migration step to deploy | DevOps | 1 day
6 | Add npm audit + composer audit to CI | DevOps | 2 hrs
6-7 | Split app.js into page-specific bundles | Frontend dev | 3-5 days
7-8 | Write tests for account management CRUD | Dev team | 1 week
8 | Add Sentry or Telescope for error tracking | DevOps | 1 day + $26/mo

Budget: ~$500/mo (tooling) + ~3 weeks developer time
Outcome: Atomic deployments with rollback, frontend perf improved

Days 61-90: Scale & Compliance Readiness

Prepare for growth and healthcare compliance

Week | Action | Owner | Budget
9-10 | Implement rate limiting on auth + API | Senior dev | 2-3 days
10 | Add structured logging + log aggregation | DevOps | 2-3 days
10-11 | Database query optimization | Senior dev | 3-5 days
11-12 | Add API documentation (OpenAPI/Swagger) | Dev | 3-5 days
12 | Implement conventional commits via git hook | DevOps | 1 day
12 | Healthcare compliance gap analysis | CTO | External audit

Budget: ~$2,000-5,000 (compliance) + ~3 weeks developer time
Outcome: Production-grade observability, API docs, compliance roadmap
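The week-12 "conventional commits via git hook" action is what closes the "16+ consecutive 'update' commits" finding, so it is worth being concrete about what the hook rejects. The hook below is an added example written for this report, not the project's own hook; the type list, the 72-character subject limit and the list of content-free descriptions (EMPTY_DESCRIPTIONS) are this example's choices, and check_commit_msg is the example's own function name.

```shell
#!/bin/sh
# commit-msg hook enforcing Conventional Commits and rejecting content-free
# subjects such as the runs of "update" found in this history.
# Added example, not the project's own hook. Install with
#   cp commit-msg .git/hooks/commit-msg && chmod +x .git/hooks/commit-msg
# or keep it in a versioned hooks/ directory and run
#   git config core.hooksPath hooks
# so every clone enforces it; a pre-receive hook can apply the same check server-side.

TYPES='build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test'
MAX_SUBJECT=72
# Descriptions that say nothing about the change (this example's list).
EMPTY_DESCRIPTIONS='update|updates|updated|fix|fixes|fixed|change|changes|wip|misc|stuff|test'

# check_commit_msg <full message>: returns 0 if the subject line is acceptable,
# 1 otherwise, with the reason on stderr.
check_commit_msg() {
  subject=$(printf '%s\n' "$1" | sed -n '1p')

  # Merge and revert commits generated by git keep their own format.
  case "$subject" in
    "Merge "*|"Revert "*) return 0 ;;
  esac

  # <type>(<scope>)!: <description>, with scope and "!" optional.
  if ! printf '%s\n' "$subject" | grep -Eq "^($TYPES)(\([a-z0-9._/-]+\))?!?: [^[:space:]]"; then
    echo "commit-msg: subject must be '<type>(<scope>): <description>' with type in $TYPES" >&2
    return 1
  fi

  desc=${subject#*: }
  if printf '%s\n' "$desc" | grep -Eiq "^($EMPTY_DESCRIPTIONS)\.?$"; then
    echo "commit-msg: '$desc' does not say what changed; describe the change and why" >&2
    return 1
  fi

  if [ "${#subject}" -gt "$MAX_SUBJECT" ]; then
    echo "commit-msg: subject is ${#subject} characters, limit is $MAX_SUBJECT" >&2
    return 1
  fi
  return 0
}

# git invokes the hook with the path of the message file as $1.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  # Drop the comment lines git appends to the editor template before checking.
  check_commit_msg "$(grep -v '^#' "$1")" || exit 1
fi
```

A local hook is advisory (git commit --no-verify skips it), which is why the same check belongs in a server-side pre-receive hook or a CI step that lints the commits in a merge request; combined with the week-1 move away from shared git accounts it gives the history both an author and a reason for every change.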

Total 90-Day Investment

Category | Low | Base | High
Developer time | 6 weeks (1 FTE) | 8 weeks (1 FTE) | 12 weeks (1.5 FTE)
Infrastructure | $300/mo | $700/mo | $1,500/mo
Tooling | $26/mo | $50/mo | $200/mo
External (compliance) | $0 | $2,000 | $5,000
Total 90-day cost | $3K-5K | $8K-12K | $15K-25K