Laravel best practices are boring on purpose — they prevent rescue projects. Controllers stay thin; business logic lives in services or actions; authorization uses policies; validation uses Form Requests.
- Pest/PHPUnit on auth and billing paths
- Eager load relationships in list endpoints
- Queue anything over 500ms
- Envoyer/Forge or CI deploy with migrations
- Dependabot or composer audit in CI