HIPAA-ready reference architecture for hematology/oncology patient education — Go API, Next.js client, Terraform for GCP.

Problem
Every healthcare web project reinvents the same boring scaffolding: security headers, PHI-aware logging, auth shape, telemetry, Terraform for GCP. I wanted a monorepo that had the boring-but-load-bearing parts right on day one so the interesting product work could start on day two.
Shape
A Go 1.26 API on plain net/http — no framework — sits behind a Next.js 16 client. Terraform provisions Cloud Run, Cloud SQL, Secret Manager, and the OTLP collector. The middleware chain is explicit and ordered: SecurityHeaders → CORS → OTel → Auth stub → RequestLogger.
Build
Tests run in two styles: unit tests for contracts, property-based tests for invariants (rapid on the Go side, fast-check on the frontend). Every property test carries a comment naming the invariant it guards so the coverage story is readable. PHI never enters a span attribute or a log line by convention — the observability code knows which fields are opaque.
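An added example, not code from this repository: the ordering described under Shape and the logging rule described under Build, exercised for the SecurityHeaders, Auth stub and RequestLogger stages. The `Chain` and `Probe` helpers, the `Cache-Control` header, the header-presence auth check, the in-memory log sink and the request path are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Chain wraps h so the first middleware listed is outermost and runs first.
func Chain(h http.Handler, mws ...func(http.Handler) http.Handler) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}
// SecurityHeaders runs before any stage that can end the request (header choice is assumed).
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "no-store")
		next.ServeHTTP(w, r)
	})
}
// AuthStub is a placeholder check (assumed): no Authorization header means 401.
func AuthStub(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
var logLines []string // in-memory sink standing in for the real logger (assumed)
// RequestLogger records method and path only; query string, headers and body stay out.
func RequestLogger(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		logLines = append(logLines, fmt.Sprintf("method=%s path=%s", r.Method, r.URL.Path))
		next.ServeHTTP(w, r)
	})
}
// Probe sends one constructed request; returns status, Cache-Control and the log lines.
func Probe(target, authz string) (int, string, []string) {
	logLines = nil
	app := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // implicit 200
	rec, req := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, target, nil)
	req.Header.Set("Authorization", authz)
	Chain(app, SecurityHeaders, AuthStub, RequestLogger).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Cache-Control"), logLines
}
func main() { fmt.Println(Probe("/v1/articles?mrn=CONSTRUCTED", "")) }
```

With the stages in this order, a request rejected by the auth stage still carries the security headers but never reaches RequestLogger, so in this example a rejection is recorded only if the auth stage logs it itself.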
Result
This is reference architecture, not a product. It exists so the next healthcare web project I start does not begin with a blank main.go and three weeks of yak-shaving. Compliance, telemetry, and the middleware chain are already load-bearing; the product work gets to start on day two instead of day twenty.
Stack
Go, Next.js, TypeScript, Terraform, GCP, OpenTelemetry