Commercial Terms
3 Success Criteria
3 Strategic Pillars
Full project audit completed 2 days before engagement began
Source: AUDIT_REPORT.md (2026-02-17) — AI-assisted engineering audit of git history, config files, and codebase
| Dimension | Before (Feb 17) | After (Mar 1) | Change |
|---|---|---|---|
| Automated tests | 1 real test file | 1,218 tests / 89 files | +1,217 |
| Test coverage | <1% | 40%+ enforced (Codecov) | From zero |
| CI/CD maturity | 3/10 (Jenkins) | Full GitHub Actions pipeline | +7 points |
| Staging | None | 2 environments (staging + UAT) | 0 → 2 |
| Deploy process | git pull via SSH | Automated + health check + rollback | Prod-grade |
| Security scanning | SonarQube only | 5 tools (audit, PHPStan, CodeQL, Codecov) | +4 tools |
| Pre-commit hooks | None | husky + lint-staged + commitlint | Enforced |
| Security findings | 10 open (4 CRITICAL) | 0 open | 100% fixed |
| Branch protection | None | Strategy + approval gates | Enforced |
| PR templates | None | Healthcare compliance checklist | Enforced |
| Health endpoint | None | /health (DB, Redis, S3) | Operational |
| Rate limiting | None | 5/min per IP on auth | Active |
| SPA migration | Blade + jQuery | Inertia.js + Vue 3 + Tailwind | Complete |
Before Jan 2026 the team averaged ~122 commits/month across 5–7 developers, producing ~80K LOC in 18 months. By Jan–Feb 2026 velocity had dropped to ~8 commits/week. Zero tests were written in the entire project history.
| Work Category | Estimated Effort (Traditional Team) | Delivered In |
|---|---|---|
| 1,218 tests across 89 files | 6–8 months (1 senior QA) | 10 days |
| SPA migration (5 phases) | 5–10 weeks (1–2 frontend devs) | 10 days |
| 6 CI/CD workflows + infra | 3–4 weeks (1 DevOps engineer) | 10 days |
| Security audit + 10 remediations | 2–3 weeks (1 security engineer) | 10 days |
| 32-item governance initiative | 4–6 weeks (eng manager + DevOps) | 10 days |
| 19 docs + 6 HTML reports | 3–4 weeks (tech writer) | 10 days |
| Server provisioning + 2 envs | 1–2 weeks (DevOps) | 10 days |
Estimated 3–4 full-time engineers for 4+ months to deliver equivalent scope at pre-engagement velocity. Actual delivery: 1 person + AI in 10 calendar days.
EPIC #239 closed — Codecov threshold enforced on every pull request
Before: Jenkins
After: GitHub Actions
| # | Finding | Severity | Remediation |
|---|---|---|---|
| 1 | Cleartext passwords logged | CRITICAL | Removed from UsersRepository + AccountRepository |
| 2 | adminer.php exposed publicly | CRITICAL | Deleted, added to .gitignore |
| 3 | API secrets in JSON serialization | CRITICAL | Added $hidden to SupportEntitiesCredentials |
| 4 | Users::all() on every login | CRITICAL | Replaced with email_hash indexed lookup |
| 5 | PII in 13 log statements | IMPORTANT | Replaced with IDs/hashes across 8 files |
| 6 | Missing auth middleware | IMPORTANT | Added to 3 controllers |
| 7 | NPM vulnerability | IMPORTANT | npm audit fix applied |
| 8 | Missing HSTS header | IMPORTANT | Added to Nginx vhosts |
| 9 | Insecure session cookie | IMPORTANT | SESSION_SECURE_COOKIE=true |
| 10 | Missing Permissions-Policy | IMPORTANT | Added to Nginx vhosts |
All remediated in EPIC #230 — CLOSED
Phase 1 Highlights
Remaining (2 items)
Target: 6 products in 4 weeks. Coded in 10 days, ready for testing. +16,800 lines across 127 files.
14 phases delivered — complete frontend modernisation
TARGET STACK
Planned Targets: 7/7 Hit (100%)
| Connect with Sam — SCTXT | DONE |
| Begin SCTXT integration | DONE |
| Laravel migration assessment | DONE |
| Review AAI tool docs | DONE |
| HIPAA/ITSec rules loaded | DONE |
| Begin Product 1 | DONE |
| Laravel assessment by Friday | 1 DAY EARLY |
Unplanned High-Value Work
Governance & Operations (8)
HTML Reports (6, in public/)
Assessments (3)
| Risk | Severity | Mitigation |
|---|---|---|
| WhatsApp MVP not started | HIGH | Needs prioritisation — requires scoping and integration design |
| Training program not started | LOW | Scheduled for Weeks 2-6, not yet urgent |
| 70 open GitHub issues | LOW | Normal backlog — most are infra items under EPIC #140 |
| Legacy cleanup deferred (#240) | LOW | jQuery/Bootstrap still bundled; no user impact |
Immediate (This Week)
This Month
Day 10 of 90 — Strong foundation, clear path forward