Technical Evaluation

Architecture Fit

Psalm is a static analysis tool designed to identify errors, type inconsistencies, and security vulnerabilities in PHP applications. For a Laravel-based product, it aligns well with:

Type Safety: Laravel’s dynamic nature (e.g., magic methods, dynamic properties) can introduce runtime errors. Psalm’s PHP 8+ type system support (e.g., union types, generics, enums) helps enforce stricter typing, reducing edge-case bugs.
Security Analysis: Laravel apps often interact with external systems (APIs, databases, user input). Psalm’s taint tracking (e.g., TaintedLlmPrompt in v7.0) detects injection risks (SQLi, XSS) and unsafe operations (e.g., eval, unserialize).
Legacy Code Modernization: Laravel’s older codebases (pre-PHP 8) benefit from Psalm’s backward-compatible type inference, gradually introducing types via @var, @param, and @return annotations.
Plugin Ecosystem: Psalm’s plugin API (v7.0+) enables custom rules for Laravel-specific patterns (e.g., Eloquent query validation, Blade template safety).

Misalignment Risks:

Performance Overhead: Psalm’s analysis is CPU-intensive (JIT disabled by default in v7.0). Large Laravel monorepos may require parallel scanning or incremental analysis (e.g., --no-cache for CI, cached results locally).
False Positives: Laravel’s dynamic features (e.g., Model::find(), collect()) may trigger noise. Psalm’s --ignore-missing and custom stubs (e.g., for Illuminate\Support) can mitigate this.

Integration Feasibility

Component	Feasibility	Notes
Laravel Core	High	Psalm supports Laravel’s autoloading (Composer) and PSR-4 namespaces.
Eloquent ORM	Medium	Requires custom stubs for `Illuminate\Database\Eloquent\Model`.
Blade Templates	Low	Psalm does not natively parse Blade; workarounds include:
		- Treat Blade as plain PHP (lose template-specific checks).
		- Pre-process Blade to PHP (e.g., `laravel-blade-compiler`).
Service Providers	High	Psalm analyzes container bindings if stubs for `Illuminate\Container` exist.
Queues/Jobs	High	Supports serialized job payloads (with `unserialize` callmap limits).
API Routes	High	Validates route parameters and request validation (if typed).

Key Dependencies:

PHP Version: Psalm 7.0+ requires PHP 8.1+; Laravel 10+ is compatible.
Composer: Must be installed globally or via dev dependency (require-dev vimeo/psalm:^7.0).
IDE Integration: Supports PhpStorm, VSCode (via psalm-ide-helper), and CLI.

Technical Risk

Risk Area	Severity	Mitigation
Analysis Time	High	- Run in CI with `--no-cache` (faster but noisier).
		- Use `--threads=N` for parallel scans.
False Positives	Medium	- Configure `psalm.xml` to ignore known issues (e.g., `MissingReturnType`).
		- Use `@psalm-suppress` for Laravel-specific edge cases.
Stub Maintenance	High	- Leverage community stubs (e.g., `vimeo/psalm-plugin-laravel`).
		- Generate stubs for custom packages using `psalm-plugin`.
Plugin Stability	Medium	- Test plugins in isolated environments before full integration.
Breaking Changes	High	- Psalm 7.0 introduces mutability annotations (backward-incompatible).
		- Gradually adopt via `--alter` and `MissingPureAnnotation`.

Critical Questions for TPM:

Adoption Strategy:
- Should Psalm be mandatory (block PRs on failures) or recommended (opt-in for teams)?
- How will false positives be triaged (e.g., dedicated Slack channel, GitHub label)?
Performance:
- What’s the acceptable scan time for the largest codebase (e.g., 10M LOC)?
- Can incremental analysis (e.g., --changed-files) be implemented in CI?
Tooling:
- Should Psalm replace PHPStan or run in parallel?
- How will Blade template analysis be handled (e.g., pre-compilation hook)?
Maintenance:
- Who owns stub updates (e.g., new Laravel versions)?
- What’s the SLA for Psalm rule updates (e.g., new Laravel security patches)?

Integration Approach

Stack Fit

Layer	Psalm Integration	Tools/Workarounds
Codebase	Analyzes PHP files (ignores Blade by default).	`psalm.xml` configuration.
CI/CD	Runs in GitHub Actions, GitLab CI, or CircleCI as a pre-merge check.	Cache results between runs.
IDE	Integrates with PhpStorm, VSCode (via `psalm-ide-helper`).	Real-time feedback during development.
Monorepo	Supports multiple projects (e.g., `--project-paths`).	Parallel scanning with `--threads`.
Legacy PHP	Works with PHP 7.4+ (Laravel 8+) via type inference.	Gradual annotation with `@var`.

Migration Path

Phase 1: Pilot (2-4 Weeks)
- Scope: Single Laravel module (e.g., auth or api).
- Actions:
  - Install Psalm (composer require-dev vimeo/psalm).
  - Configure psalm.xml with basic rules (e.g., NoUnresolvableReferences).
  - Run in CI with --no-cache and monitor false positives.
- Goal: Establish baseline error count and triage process.
Phase 2: Gradual Rollout (4-8 Weeks)
- Scope: Expand to core services (e.g., users, payments).
- Actions:
  - Add custom stubs for unsupported Laravel classes (e.g., Illuminate\Auth).
  - Introduce mutability annotations (@psalm-pure, @psalm-mutation-free) via --alter.
  - Integrate with IDE for real-time feedback.
- Goal: Reduce critical errors by 30% (e.g., Nullsafe violations).
Phase 3: Full Integration (8-12 Weeks)
- Scope: Entire codebase + Blade templates (if feasible).
- Actions:
  - Implement plugin for Laravel-specific rules (e.g., Eloquent query validation).
  - Configure CI to block high-severity issues (e.g., TaintedLlmPrompt).
  - Train teams on annotating code (e.g., @psalm-param, @psalm-return).
- Goal: Zero high-severity Psalm errors in production-critical paths.
Phase 4: Optimization (Ongoing)
- Actions:
  - Cache analysis results in CI for faster runs.
  - Automate stub generation for new Laravel packages.
  - Benchmark performance and adjust --threads/--memory-limit.

Compatibility

Laravel Feature	Psalm Support	Workaround
Eloquent Models	Partial (requires stubs).	Use `vimeo/psalm-plugin-laravel`.
Blade Templates	None (treated as PHP).	Pre-process with `laravel-blade-compiler`.
Service Container	Limited (needs `Illuminate\Container` stubs).	Annotate bindings manually.

Psalm Laravel Package