Php Coding Standards Laravel Package

Technical Evaluation

Architecture Fit

• Laravel Compatibility: The package enforces PHP 8.1+ standards (PHPStan strict rules, Slevomat coding standards) that align with Laravel’s modern ecosystem but may conflict with legacy Laravel projects (<8.1). Ideal for new Laravel projects or greenfield initiatives targeting PHP 8.1+.
• Toolchain Synergy: Integrates seamlessly with Laravel’s existing tooling (e.g., Artisan, CI/CD pipelines) but risks duplication if Laravel already uses PHPStan/PHP_CodeSniffer (e.g., via Laravel Valet or custom configs).
• Metapackage Efficiency: Reduces dependency sprawl by consolidating PHPStan, PHP_CodeSniffer, and security tools into a single dev-master dependency, simplifying maintenance for monorepos or multi-package suites.

Integration Feasibility

• Low-Coupling Design: Can be added as a dev dependency without modifying Laravel’s core logic, making it suitable for incremental adoption.
• CI/CD Readiness: Designed for automated enforcement in pipelines (e.g., GitHub Actions, GitLab CI), with support for:
  • PHPStan (static analysis).
  • PHP_CodeSniffer (linting).
  • Security advisories (dependency scanning).
• Configuration Overhead: Requires minimal setup (e.g., updating phpstan.neon or .phpcs.xml) but may need custom exclusions for Laravel-specific patterns (e.g., dynamic properties, Artisan commands).

Technical Risk

• Unstable Dependency: No stable releases; dev-master introduces risk of breaking changes with Solido Suite updates. Mitigation: Pin to a specific commit hash in composer.json.
• Strictness Overhead: PHPStan’s strict mode and Slevomat rules may block merges if existing code violates standards. Mitigation: Phase adoption (start with security checks, then linting, then strict analysis).
• Toolchain Conflicts: Potential clashes with:
  • Laravel Pint (if enforcing Slevomat standards via PHPCS).
  • Custom PHPStan configs (e.g., project-specific rules).
• Performance Impact: PHPStan/PHP_CodeSniffer runs add CPU/memory overhead in CI/CD, especially for large Laravel apps. Mitigation: Cache results or run in parallel.

Key Questions

1. Standard Alignment: Does Solido’s strictness (e.g., PHPStan max level) conflict with Laravel’s existing practices (e.g., dynamic properties, magic methods)?
2. Toolchain Duplication: Will this replace or supplement existing tools (e.g., Laravel Valet’s PHPStan, custom PHPCS configs)?
3. CI/CD Impact: How will this affect build times? Can results be cached (e.g., GitHub Actions cache)?
4. Maintenance Burden: Who will handle updates if Solido Suite changes rules (e.g., PHPStan version bumps)?
5. Onboarding Cost: What effort is needed to bring the Laravel codebase into compliance (e.g., refactoring dynamic properties)?
6. Laravel-Specific Exclusions: Are there Laravel patterns (e.g., handle() methods, Facades) that need to be excluded from strict rules?

Integration Approach

Stack Fit

• Laravel Ecosystem: Compatible with Laravel 9+ (PHP 8.1+). Works alongside:
  • Laravel Valet: Can coexist if Valet’s PHPStan is configured to exclude Solido’s rules or vice versa.
  • Laravel Forge/Envoyer: Integrates into deployment pipelines for pre-deploy static analysis.
  • Laravel Mix/Vite: No direct impact, but CI/CD integration required.
• Toolchain Compatibility:
  • PHPStan: Can replace or extend Laravel’s built-in PHPStan support (if configured).
  • PHP_CodeSniffer: May replace Laravel’s default PHPCS setup or run alongside it.
  • Security Advisories: Adds dependency scanning (useful for compliance).

Migration Path

1. Add as Dev Dependency:

   composer require --dev solido/php-coding-standards:dev-master
   

   Best Practice: Pin to a specific commit hash for stability:

   "require-dev": {
       "solido/php-coding-standards": "dev-master#a1b2c3d"
   }
   

2. Configure Tools:
   • PHPStan: Update phpstan.neon to include Solido’s rules:

     includes:
         - vendor/solido/phpstan-rules/extension.neon
         - vendor/kcs/phpstan-strict-rules/rules.neon
     

   • PHP_CodeSniffer: Configure .phpcs.xml to use Solido’s standard:

     <config name="standard" value="./vendor/solido/php-coding-standards"/>
     

3. CI/CD Integration: Add checks to Laravel’s GitHub Actions workflow:

   - name: Run PHPCS
     run: vendor/bin/phpcs --standard=./vendor/solido/php-coding-standards --report=full src/
   - name: Run PHPStan
     run: vendor/bin/phpstan analyse --level=max --error-format=github src/
   - name: Security Check
     run: vendor/bin/security-checker security:check
   

4. Incremental Enforcement:
   • Phase 1: Start with security advisories (low risk).
   • Phase 2: Add PHP_CodeSniffer linting (moderate risk).
   • Phase 3: Introduce PHPStan strict rules (high risk; refactor as needed).

Compatibility

• Laravel-Specific Considerations:
  • Artisan Commands: Solido’s rules may flag Laravel’s internal commands (e.g., make:model). Add exclusions:

    excludes:
        - vendor/laravel/framework/src/Console/
    

  • Dynamic Properties: PHPStan’s strict rules may reject Laravel’s use of dynamic properties. Suppress with:

    arguments:
        level: 8
    rules:
        PhpStan\Rules\PHPUnit\DynamicPropertyTestRule: false
    

• Tool Overlap:
  • If using Laravel Pint, decide whether to enforce Slevomat standards via Pint or PHPCS (avoid duplication).
  • Avoid running both PHPStan and Psalm (conflicting static analysis).

Sequencing

1. Phase 1: Add metapackage and security checks (blocking critical vulnerabilities).
2. Phase 2: Integrate PHP_CodeSniffer for linting (fix low-hanging fruit like PSR-12 violations).
3. Phase 3: Enable PHPStan strict rules and refactor code incrementally (e.g., replace dynamic properties with typed properties).
4. Phase 4: Fully integrate into CI/CD with blocking checks for all three tools.

Operational Impact

Maintenance

• Dependency Updates: Requires manual intervention to update dev-master (no semver stability). Mitigation:
  • Pin to commit hashes in composer.json.
  • Schedule quarterly reviews of Solido Suite updates.
• Rule Maintenance: New versions may introduce stricter or changed rules, requiring:
  • Codebase audits to identify violations.
  • Configuration tweaks (e.g., excluding Laravel-specific patterns).
• Toolchain Drift: Risk of deprecated tools (e.g., PHP_CodeSniffer v3). Mitigation: Monitor Solido Suite’s roadmap.

Support

• Debugging: Errors may require deep knowledge of Solido’s rules (limited external documentation). Mitigation:
  • Internal runbooks for common failures (e.g., PHPStan false positives).
  • Dedicated Slack channel for Solido Suite tooling.
• Customization: May need to override or extend Solido’s rules for Laravel-specific cases (e.g., Facades, dynamic properties).
• Documentation: Limited external docs; reliance on Solido Suite’s internal documentation or GitHub issues.

Scaling

• Performance Impact:
  • PHPStan/PHP_CodeSniffer runs add CPU/memory overhead in CI/CD, especially for large Laravel apps (e.g., >50K LOC).
  • Mitigation:
    • Cache results (e.g., GitHub Actions cache).
    • Run in parallel (e.g., split PHPStan analysis by directory).
    • Use --memory-limit to optimize resource usage.
• Team Adoption:
  • Onboarding Cost: Developers must learn:
    • PHPStan strict rules (e.g., max level).
    • Solido’s coding standards (e.g., Slevomat rules).
    • CI/CD integration (e.g., interpreting PHPCS/PHPStan output