Added

• New OverprivilegedDatabaseUserAnalyzer: detects privileged, empty, or passwordless database users and suggests switching to a least-privilege account.
• New HardcodedDatabaseCredentialsAnalyzer: detects database credentials embedded directly in DBAL configuration and suggests moving them to environment variables.
• Repeated lookup detection in NPlusOneAnalyzer: identifies repeated findBy()/findOneBy()-style lookups on non-key columns and suggests batching with IN queries or request-level caching.

Changed

• SensitiveDataExposureAnalyzer: now also flags public getters that expose sensitive entity fields without explicit protection.
• PropertyTypeMismatchAnalyzer: now attaches concrete fix suggestions for PHP/Doctrine type mismatches, including nullability mismatches.
• CollectionInitializationAnalyzer suggestion template now uses the actual mappedBy value when available.

Fixed

• CollectionInitializationAnalyzer: now supports PHP constructor promotion when detecting collection initialization, fixing the false positive reported in #67.

Changed

• Refactored collection initialization detection around dedicated initialization patterns, including promoted properties.
• Removed the duplicate regex-based CollectionEmptyAccessAnalyzer in favor of the AST-based collection initialization analysis path.

Fixed

• SQLInjectionInRawQueriesAnalyzer: now detects unparameterized literals in WHERE clauses of raw SQL queries as an injection risk, instead of only flagging active attack patterns.
• DQLInjectionAnalyzer: now detects Doctrine-generated SQL with concatenated literals and empty bound parameters, indicating unsafe DQL string concatenation.

Changed

• OnDeleteCascadeMismatchAnalyzer now assigns CRITICAL severity for orm_cascade_db_setnull and orm_orphan_db_setnull mismatches
• Suggestion templates for on_delete_cascade_mismatch now render context-aware code snippets per mismatch type

Fixed

• Enable native lazy objects on PHP 8.4+ to fix EntityManager tests with Symfony 8

Added

• New OneToOneInverseSideAnalyzer: detects bidirectional OneToOne mappedBy sides that silently force Doctrine to execute N+1 queries on every load, even when the relation is never accessed. Suggests flipping the owning side, going unidirectional, or using a fetch join
• Configuration node for one_to_one_inverse_side analyzer

Changed

• CompositeKeyComplexityAnalyzer: use ShortClassNameTrait, proper return types, and MappingHelper for Doctrine 2/3/4 compatibility

Added

• New CompositeKeyComplexityAnalyzer: detects entities using composite primary keys that limit Doctrine ORM features (no getReference(), slower identity map, complex FK mappings). Severity: WARNING for 2 columns, CRITICAL for 3+ or when referenced by other entities
• Configuration node for composite_key_complexity analyzer

Fixed

• Hardened all suggestion templates against incomplete context, null values, and division by zero
• Added tests ensuring every template renders without exception with an empty context

Changed

• OnDeleteCascadeMismatchAnalyzer now assigns CRITICAL severity for orm_cascade_db_setnull and orm_orphan_db_setnull mismatches (previously WARNING)
• Suggestion templates for on_delete_cascade_mismatch now render context-aware code snippets per mismatch type instead of a generic template

Added

• New JoinColumnNonPrimaryKeyAnalyzer: detects associations where referencedColumnName points to a non-primary-key column
• New DuplicatePrivateFieldInHierarchyAnalyzer: detects private fields with the same name in an entity and its mapped parent classes
• Configuration nodes for new analyzers

What's Changed

New Features

• 26 previously unconfigurable analyzers now have matching config nodes (users can disable any analyzer)
• Hardcoded thresholds/patterns made user-configurable via DI for 6 analyzers
• Nested relationship N+1 detection analyzer improvements

Bug Fixes

• Fix false positives across 8 analyzers (N+1, eager-loading, lazy-loading, DTO/aggregation, flush-in-loop, division-by-zero, join-counting)
• Fix DivisionByZero premature dedup: protected divisions no longer mask unprotected ones in later queries
• Fix blameable template producing duplicate properties when field is createdBy/updatedBy
• Fix PHPDoc return type mismatch on SensitiveDataExposureAnalyzer
• Fix config key mismatch (query_caching vs query_caching_opportunity)
• Fix SQL injection detection heuristics
• Fix isVendorCode detection and N+1 descriptions

Tests

• Guardrail test ensuring every analyzer has a matching config node
• 25+ new false-positive regression tests
• 2269 tests, 0 failures

Chores

• ECS, PHPStan, PHPMD all clean
• Use Webmozart Assert for type narrowing

Changed

• Refined profiler tab navigation labels with dedicated icon/label/count markup for clearer readability.
• Updated suggestion action labels in the issue panel (Suggested Fix, Hide suggestion).
• Reduced tab control height and tightened spacing for a denser profiler header layout.

Fixed

• Improved dark theme colors for the Slowest Queries table (header, rows, hover states, SQL block, and action button contrast).
• Harmonized light-mode issue-body background color to #fffefc for better visual consistency.
• Removed tab top-accent hover artifacts and ensured tabs fill the full available row width.

Fixed

• Support %kernel.debug% (and other placeholders) for doctrine_doctor.enabled by resolving root enabled config before strict validation.
• Add DI regression tests for %kernel.debug% and string boolean values.

Fixed

• Support %kernel.debug% (and other placeholders) for doctrine_doctor.enabled by resolving root enabled config before strict validation.
• Add DI regression tests for %kernel.debug% and string boolean values.

Changed

• Removed "Show detailed rationale" toggle button from suggestion panels.
• Removed SVG icons from suggestion headers for consistent compact grid layout.
• Removed "Suggested Fix:" prefix from Performance suggestion titles.
• Renamed default suggestion title from "Code Quality Suggestion" to "Suggestion".
• Softer color palette for alerts and suggestion-meta blocks (less aggressive text contrast).
• Reduced font-size, padding, and margin across alert and suggestion-meta blocks for a more compact profiler panel.

Fixed

• PHPStan isset.initializedProperty error: use ReflectionProperty::isInitialized() for readonly property check after unserialization.
• Missing rel="noopener noreferrer" on external Doctrine documentation link.
• Duplicate deduplication key normalization applied per-source before fallback selection.

Fixed

• PHPStan isset.initializedProperty error: use ReflectionProperty::isInitialized() for readonly property check after unserialization.
• Missing rel="noopener noreferrer" on external Doctrine documentation link (target="_blank").
• Duplicate deduplication key normalization applied per-source before fallback selection.

Changed

• Softer color palette for .alert-warning, .alert-danger, and .dd-suggestion-meta-intro blocks (less aggressive text contrast).
• Reduced font-size, padding, and margin across alert and suggestion-meta blocks for a more compact profiler panel.

Highlights

• Profiler UI/UX refresh and panel refactor (CSS/JS decoupled) (#59)
• Prism.js syntax highlighting for suggestion code blocks (#58)
• Safer/cleaner issue model and deduplication improvements (#56, #57, #53, #55)

Additional fixes included

• Issue factory consistency in integrity analyzers (#50)
• Enum consistency and helper extraction refactors (#51, #52)
• Execution-time heuristic cleanup (#47, #48)
• Missing analyzer docs updates (#49)

Notes

• Release tag points to merge PR #59.

Fixed

• Early return in extension when bundle is disabled (#43)
• Validate issue/suggestion class types before instantiation in IssueReconstructor (#32)

Added

• Tests for extension enabled/disabled behavior (#44)

Added

• Symfony 8 compatibility (#10)

Fixed

• Wrap plain text suggestions in <pre><code> to prevent entity encoding (direct commit 0d8d54e)
• Enable native lazy objects for Doctrine ORM test EntityManager (direct commit)

Changed

• Widen webmozart/assert constraint to support v2.x (direct commit b4fe7b6)
• Remove unused bitbag/coding-standard dependency (direct commit e7b59ae)

Fixed

• Resolve CI failures across ECS, PHPMD, PHPStan, and tests (direct commit 0c70d90)

Changed

• Widen webmozart/assert constraint to support v2.x (direct commit b4fe7b6)
• Remove unused bitbag/coding-standard dependency (direct commit e7b59ae)

Fixed

• Backport fixes from main branch:
  • extension early-return behavior when bundle is disabled,
  • IssueReconstructor type validation,
  • suggestion encoding improvements.
• Isolate PropertyTypeMismatchAnalyzer fixtures and fix SafeContext test.

Docs

• Update changelog for v1.0.4.

Traceability

• Packaged as direct commits (c71ebaf, f12e90f, b19d58e).

Fixed

• Resolve profiler suggestion rendering failures.

Traceability

• Direct commit: 23ff95a.

Doctrine Doctor v2.0.0

First stable release of the 2.x series. Requires PHP 8.4+, Doctrine Bundle 3 and Doctrine ORM 3/4.

What's new

• CartesianProductAnalyzer -- detects queries with multiple unrelated JOINs that cause O(n^m) row explosion

Bug fixes

• Profiler suggestion rendering -- suggestions were showing "Unable to Render Suggestion / No template renderer available" because IssueReconstructor was instantiated without the template renderer after Symfony profiler deserialization
• Safe array destructuring in templates -- SafeContext::offsetGet() now returns null for missing keys instead of throwing, so templates with optional context variables (like trigger_location) no longer crash
• Fix nullable constructor parameters (93 PHPStan errors)
• Fix eager_loading template missing trigger_location key
• Fix left_join_with_not_null template wrong context key
• Fix segfault in FrankenPHP worker mode
• Fix N+1 collection-aware suggestions with trigger location

Breaking changes (from 1.x)

• PHP ^8.4 minimum (drop 8.2/8.3)
• doctrine/doctrine-bundle ^3.0 (drop ^2.x)
• doctrine/orm ^3.0|^4.0 (drop ^2.x)
• webmozart/assert ^1.12
• Codebase modernized via Rector (#[\Override], typed constants, array_find())

Performance

• GetReferenceAnalyzer SQL parsing cache: 159ms -> 31ms
• Cache warmup on unique SQL patterns only

Upgrading from 1.x? Update your composer.json to "ahmed-bhs/doctrine-doctor": "^2.0" and ensure you run Doctrine Bundle 3 with Doctrine ORM 3+.

What's Changed

Fixes

• Fix segfault in FrankenPHP worker mode (#4)

Documentation

• Migrate from MkDocs to Just the Docs (Jekyll)
• Add FAQ page and SEO meta tags
• Improve UI with medical-themed design and compact layout

Full Changelog: https://github.com/ahmed-bhs/doctrine-doctor/compare/v1.0.0...v1.0.1

What's Changed

Features

• N+1 collection-aware suggestions: Resolve parent entity and collection field name using Doctrine metadata (e.g. PgiRedmineProject::$projects instead of generic redmineProject)
• Trigger location in N+1 suggestions: Extract first application frame from backtrace to show where lazy loading is triggered (e.g. PgiProjectCrudController::{closure}() in PgiProjectCrudController.php:267)
• New template collection_eager_loading.php with context-aware solutions (addSelect vs EXTRA_LAZY)

Fixes

• Rewrite 3 integrity analyzers (CollectionEmptyAccess, EntityStateConsistency, PropertyTypeMismatch) from runtime to static metadata analysis to prevent OOM crashes
• Fix decimal/bigint type mapping (returns string, not float)
• Fix DoctrineDoctorDataCollector memory handling
• PHPStan level max compliance

Full Changelog: https://github.com/ahmed-bhs/doctrine-doctor/compare/v1.0.1...v1.0.2

🎉 Doctrine Doctor v1.0.0 - First Stable Release

Runtime analysis tool for Doctrine ORM integrated into Symfony Web Profiler.

Highlights

• 66 specialized analyzers detecting performance issues, security vulnerabilities, and code quality problems
• Real-time detection in Symfony Web Profiler with backtrace support
• Production-ready with all CI jobs passing (PHPStan Level 8, PHPMD, ECS, Deptrac, PHPUnit)

Requirements

• PHP 8.2+ (compatible with 8.3 and 8.4)
• Symfony 6.0+ | 7.x
• Doctrine ORM 2.10+ | 3.x | 4.x

Installation

composer require --dev ahmed-bhs/doctrine-doctor

Auto-configured via Symfony Flex.

Changes

CI & Quality

• All 9 CI jobs passing
• Fixed PHP 8.4 compatibility (PHPUnit buffer handling)
• Optimized PHPMD thresholds for analyzer complexity

Documentation

• Updated badges: PHP 8.2+, Symfony 6.0+, PHPStan Level 8
• Corrected 7 default threshold values (n_plus_one: 5, slow_query: 100ms, etc.)
• Added 8 missing analyzers to the documentation

Dependencies

• Minimum PHP version: 8.1 -> 8.2
• Added symfony/var-exporter constraint (^6.4|^7.0)
• Updated phpmyadmin/sql-parser to ^6.0

Analyzer Categories

Full Changelog

https://github.com/ahmed-bhs/doctrine-doctor/compare/v1.1.0-alpha.3...v1.0.0