All case studies
NDA client (contract) · Legal-tech · Integrations · 2025

Legal Case Sync — Cross-System Middleware

A PHP 8.2 / Laravel 12 middleware keeping case-record requests in sync across a law firm's case system and support desk — auditable, idempotent, and PII-safe.

3 min read
PHP 8.2Laravel 12MySQLOAuth 2.0Docker
Legal Case Sync — Cross-System Middleware
290+ passing
Tests
Bidirectional
Sync
HMAC + redaction
Security

The problem

A US law firm ran case-record requests through three disconnected systems: a case-management platform (Litify on Salesforce), a document store (Filevine), and a support desk (Zendesk). Each one held its own copy of the request status, and none of them agreed. What was needed wasn't a dashboard — it was middleware that keeps all three in lockstep automatically, with no dropped updates, no duplicate writes, and no sensitive record data leaking in transit.

Legal-tech has zero tolerance for "close enough": a status update that doesn't land is a compliance gap, and a record that's mishandled on the way through is a privacy incident.

How it's built

A Laravel service sits in the middle, consuming webhooks from all three systems and pushing normalized status back out to whichever ones are behind. MySQL holds the canonical state, and everything downstream of a webhook runs through a queue, which absorbs the fact that each upstream provider has its own quirks and failure modes.

Bidirectional sync

Making retries safe

Nothing gets processed until its webhook signature passes HMAC verification, and every job is written to be idempotent — replaying the same event twice never produces a different result than replaying it once. That combination is what makes bidirectional sync trustworthy: a provider retrying a webhook, or a queue redelivering a job after a crash, can't accidentally double-apply a status change or bounce two systems back and forth against each other.

Tokens, auditability, and redaction

Each integrated provider gets its own OAuth 2.0 credential, refreshed centrally rather than per-request. Every state transition is written to an audit trail, and any PHI/PII is stripped before it's logged or forwarded, so a debugging session or a log aggregator never becomes a second place where sensitive case data lives.

Covered by tests

The sync logic — the layer where a bug becomes a compliance gap, not just a UI glitch — is backed by 290+ passing PHPUnit tests, so changes ship without quietly reopening the edge cases that make integrations leak data or drift out of sync.

Outcomes

Bidirectional
Three systems in sync
Case platform, document store, support desk
Idempotent
Safe retries
HMAC-verified, exactly-once effects
290+ tests
Compliance-grade
Audit trail + PHI/PII redaction

What this taught me

Integration middleware is invisible right up until it's wrong. On this project idempotency, signature verification, and redaction weren't polish — they were the actual deliverable. The test suite is what made it possible to keep changing the sync logic with confidence, in a domain where a subtle bug isn't just a bug, it's a legal exposure.

Building something similar?

Send a quick note — happy to compare notes on the architecture.