Legal Case Sync — Cross-System Middleware
A PHP 8.2 / Laravel 12 middleware keeping case-record requests in sync across a law firm's case system and support desk — auditable, idempotent, and PII-safe.

The problem
A US law firm ran case-record requests through three disconnected systems: a case-management platform (Litify on Salesforce), a document store (Filevine), and a support desk (Zendesk). Each one held its own copy of the request status, and none of them agreed. What was needed wasn't a dashboard — it was middleware that keeps all three in lockstep automatically, with no dropped updates, no duplicate writes, and no sensitive record data leaking in transit.
Legal-tech has zero tolerance for "close enough": a status update that doesn't land is a compliance gap, and a record that's mishandled on the way through is a privacy incident.
How it's built
A Laravel service sits in the middle, consuming webhooks from all three systems and pushing normalized status back out to whichever ones are behind. MySQL holds the canonical state, and everything downstream of a webhook runs through a queue, which absorbs the fact that each upstream provider has its own quirks and failure modes.
Making retries safe
Nothing gets processed until its webhook signature passes HMAC verification, and every job is written to be idempotent — replaying the same event twice never produces a different result than replaying it once. That combination is what makes bidirectional sync trustworthy: a provider retrying a webhook, or a queue redelivering a job after a crash, can't accidentally double-apply a status change or bounce two systems back and forth against each other.
Tokens, auditability, and redaction
Each integrated provider gets its own OAuth 2.0 credential, refreshed centrally rather than per-request. Every state transition is written to an audit trail, and any PHI/PII is stripped before it's logged or forwarded, so a debugging session or a log aggregator never becomes a second place where sensitive case data lives.
The sync logic — the layer where a bug becomes a compliance gap, not just a UI glitch — is backed by 290+ passing PHPUnit tests, so changes ship without quietly reopening the edge cases that make integrations leak data or drift out of sync.
Outcomes
What this taught me
Integration middleware is invisible right up until it's wrong. On this project idempotency, signature verification, and redaction weren't polish — they were the actual deliverable. The test suite is what made it possible to keep changing the sync logic with confidence, in a domain where a subtle bug isn't just a bug, it's a legal exposure.
Building something similar?
Send a quick note — happy to compare notes on the architecture.