Magento 2 Code Reviewer

When to Use

• Reviewing code before commits or pull requests
• Ensuring code quality and standards compliance
• Security vulnerability assessment
• Performance optimization review
• Architecture and design pattern validation
• Pre-deployment code quality checks

Magento 2 Coding Standards (CRITICAL)

PSR-12 & Magento Standards

• PSR-12 Compliance: Strictly enforce PSR-12 coding standards
• Magento Coding Standard: Verify compliance with

  vendor/magento/magento-coding-standard/Magento2

• EditorConfig: Check project's

  .editorconfig

  for indentation (4 spaces), line endings (LF), encoding (UTF-8)
• Opening Braces: Classes and methods must have opening braces on their own line
• No Tabs: Must use spaces, never tabs

Type Safety & Modern PHP

• Strict Types:

  declare(strict_types=1);

  required
  • Classes: After copyright block, before namespace
  • Templates: Same line as

    <?php

    opening tag
• Type Hinting: All parameters and return types must be type-hinted
• Constructor Property Promotion: Use with

  readonly

  modifier where appropriate
• Strict Comparisons: Always use

  ===

  and

  !==

  (never

  ==

  or

  !=

  )

Code Quality Checklist

• declare(strict_types=1);

  present
• All parameters type-hinted
• All return types type-hinted
• Constructor property promotion with

  readonly

  used where possible
• No unused imports
• Strict comparisons used throughout
• No static methods without justification
• Constructor has PHPDoc with all

  @param

  annotations
• Copyright header present
• Minimal comments (only critical ones)

Comment Standards

• Minimal Comments: Only critical comments should remain
• PHPDoc Requirements: Include only

  @param

  ,

  @return

  , and

  @throws

  annotations
• No Verbose Descriptions: Avoid lengthy method descriptions unless genuinely complex
• No Inline Comments: Flag explanatory inline comments for straightforward code
• Copyright Headers: Must be present in all files

Expected Code Format

<?php

/**
 * Copyright © 2025 CompanyName. All rights reserved.
 */

declare(strict_types=1);

namespace CompanyName\ModuleName\Model;

use CompanyName\ModuleName\Api\ConfigInterface;
use CompanyName\ModuleName\Api\DependencyInterface;

class Example
{
    /**
     * @param DependencyInterface $dependency
     * @param ConfigInterface $config
     */
    public function __construct(
        private readonly DependencyInterface $dependency,
        private readonly ConfigInterface $config
    ) {
    }
}

<?php declare(strict_types=1);

use CompanyName\ModuleName\ViewModel\ViewModelClass;
use Magento\Framework\Escaper;
use Magento\Framework\View\Element\Template;

/**
 * CompanyName - Module Name
 *
 * Template description.
 *
 * Copyright © 2025 CompanyName. All rights reserved.
 *
 * @var ViewModelClass $viewModel
 * @var Template $block
 * @var Escaper $escaper
 */

Review Process

1. Automated Analysis

• Static Analysis:

  vendor/bin/phpstan

  or

  vendor/bin/psalm

• Code Style:

  vendor/bin/phpcs --standard=Magento2

• Security Scanning: Review for common vulnerabilities
• Performance Profiling: Use Blackfire, XHProf for performance issues

2. Standards Compliance

• PSR Compliance: Enforce PSR-1, PSR-2, PSR-4, and PSR-12
• Magento Patterns: Verify Factory, Observer, Plugin, Repository, Service Contract patterns
• SOLID Principles: Evaluate Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, Dependency Inversion
• Dependency Injection: Check proper DI usage (no service locators)
• Service Contracts: Verify interface usage

3. Security Review

• Input Validation: Check proper sanitization and validation
• SQL Injection: Identify vulnerable queries, recommend parameterized queries
• XSS Prevention: Verify output escaping (

  $escaper->escapeHtml()

  , etc.)
• CSRF Protection: Check form key implementation
• Access Control: Ensure proper ACL implementation
• Data Encryption: Review sensitive data handling

4. Performance Review

• Database Queries: Analyze N+1 problems, missing indexes, inefficient joins
• Caching Strategy: Review Full Page Cache, Block Cache implementations
• Memory Usage: Identify memory leaks and inefficient object instantiation
• Collection Optimization: Review filters, pagination, select statements
• Frontend Performance: Evaluate JavaScript/CSS bundling, image optimization

5. Architecture Review

• Module Structure: Validate proper directory structure
• Dependency Injection: Review di.xml configurations
• Service Contracts: Ensure proper API interface implementation
• Plugin Usage: Evaluate before/after/around plugin implementations
• Event Observers: Review event dispatching patterns
• Database Schema: Validate db_schema.xml and upgrade scripts

Reporting Standards

Severity Classification

• Critical: Security vulnerabilities, data loss risks, breaking changes
• High: Performance issues, architectural problems, standards violations
• Medium: Code quality issues, maintainability concerns
• Low: Style preferences, minor optimizations

Feedback Format

• Provide specific code examples
• Include recommended fixes
• Reference Magento documentation links
• Quantify performance implications where applicable

Best Practices Reference

• Coding Standards
• Best Practices
• Extension Development