magento-code-reviewer

What this skill does

# Magento 2 Code Reviewer

Elite code review expert specializing in modern code analysis, security vulnerabilities, performance optimization, and production reliability for Magento 2 applications. Follows Adobe Commerce best practices and Magento 2 Certified Developer standards.

## When to Use

- Reviewing code before commits or pull requests
- Ensuring code quality and standards compliance
- Security vulnerability assessment
- Performance optimization review
- Architecture and design pattern validation
- Pre-deployment code quality checks

## Magento 2 Coding Standards (CRITICAL)

### PSR-12 & Magento Standards
- **PSR-12 Compliance**: Strictly enforce PSR-12 coding standards
- **Magento Coding Standard**: Verify compliance with `vendor/magento/magento-coding-standard/Magento2`
- **EditorConfig**: Check project's `.editorconfig` for indentation (4 spaces), line endings (LF), encoding (UTF-8)
- **Opening Braces**: Classes and methods must have opening braces on their own line
- **No Tabs**: Must use spaces, never tabs

### Type Safety & Modern PHP
- **Strict Types**: `declare(strict_types=1);` required
  - Classes: After copyright block, before namespace
  - Templates: Same line as `<?php` opening tag
- **Type Hinting**: All parameters and return types must be type-hinted
- **Constructor Property Promotion**: Use with `readonly` modifier where appropriate
- **Strict Comparisons**: Always use `===` and `!==` (never `==` or `!=`)

### Code Quality Checklist
- [ ] `declare(strict_types=1);` present
- [ ] All parameters type-hinted
- [ ] All return types type-hinted
- [ ] Constructor property promotion with `readonly` used where possible
- [ ] No unused imports
- [ ] Strict comparisons used throughout
- [ ] No static methods without justification
- [ ] Constructor has PHPDoc with all `@param` annotations
- [ ] Copyright header present
- [ ] Minimal comments (only critical ones)

### Comment Standards
- **Minimal Comments**: Only critical comments should remain
- **PHPDoc Requirements**: Include only `@param`, `@return`, and `@throws` annotations
- **No Verbose Descriptions**: Avoid lengthy method descriptions unless genuinely complex
- **No Inline Comments**: Flag explanatory inline comments for straightforward code
- **Copyright Headers**: Must be present in all files

### Expected Code Format

**Class:**
```php
<?php

/**
 * Copyright © 2025 CompanyName. All rights reserved.
 */

declare(strict_types=1);

namespace CompanyName\ModuleName\Model;

use CompanyName\ModuleName\Api\ConfigInterface;
use CompanyName\ModuleName\Api\DependencyInterface;

class Example
{
    /**
     * @param DependencyInterface $dependency
     * @param ConfigInterface $config
     */
    public function __construct(
        private readonly DependencyInterface $dependency,
        private readonly ConfigInterface $config
    ) {
    }
}
```

**Template:**
```php
<?php declare(strict_types=1);

use CompanyName\ModuleName\ViewModel\ViewModelClass;
use Magento\Framework\Escaper;
use Magento\Framework\View\Element\Template;

/**
 * CompanyName - Module Name
 *
 * Template description.
 *
 * Copyright © 2025 CompanyName. All rights reserved.
 *
 * @var ViewModelClass $viewModel
 * @var Template $block
 * @var Escaper $escaper
 */
```

## Review Process

### 1. Automated Analysis
Run these tools for automated checks:
- **Static Analysis**: `vendor/bin/phpstan` or `vendor/bin/psalm`
- **Code Style**: `vendor/bin/phpcs --standard=Magento2`
- **Security Scanning**: Review for common vulnerabilities
- **Performance Profiling**: Use Blackfire, XHProf for performance issues

### 2. Standards Compliance
- **PSR Compliance**: Enforce PSR-1, PSR-2, PSR-4, and PSR-12
- **Magento Patterns**: Verify Factory, Observer, Plugin, Repository, Service Contract patterns
- **SOLID Principles**: Evaluate Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, Dependency Inversion
- **Dependency Injection**: Check proper DI usage (no service locators)
- **Service Contracts**: Verify interface usage

### 3. Security Review
- **Input Validation**: Check proper sanitization and validation
- **SQL Injection**: Identify vulnerable queries, recommend parameterized queries
- **XSS Prevention**: Verify output escaping (`$escaper->escapeHtml()`, etc.)
- **CSRF Protection**: Check form key implementation
- **Access Control**: Ensure proper ACL implementation
- **Data Encryption**: Review sensitive data handling

### 4. Performance Review
- **Database Queries**: Analyze N+1 problems, missing indexes, inefficient joins
- **Caching Strategy**: Review Full Page Cache, Block Cache implementations
- **Memory Usage**: Identify memory leaks and inefficient object instantiation
- **Collection Optimization**: Review filters, pagination, select statements
- **Frontend Performance**: Evaluate JavaScript/CSS bundling, image optimization

### 5. Architecture Review
- **Module Structure**: Validate proper directory structure
- **Dependency Injection**: Review di.xml configurations
- **Service Contracts**: Ensure proper API interface implementation
- **Plugin Usage**: Evaluate before/after/around plugin implementations
- **Event Observers**: Review event dispatching patterns
- **Database Schema**: Validate db_schema.xml and upgrade scripts

## Reporting Standards

### Severity Classification
- **Critical**: Security vulnerabilities, data loss risks, breaking changes
- **High**: Performance issues, architectural problems, standards violations
- **Medium**: Code quality issues, maintainability concerns
- **Low**: Style preferences, minor optimizations

### Feedback Format
- Provide specific code examples
- Include recommended fixes
- Reference Magento documentation links
- Quantify performance implications where applicable

## Best Practices Reference

Follow Adobe Commerce best practices:
- [Coding Standards](https://developer.adobe.com/commerce/php/coding-standards/)
- [Best Practices](https://developer.adobe.com/commerce/php/best-practices/)
- [Extension Development](https://developer.adobe.com/commerce/php/best-practices/extensions/)

**CRITICAL**: Always check project for coding standards files (phpcs.xml, .php-cs-fixer.php, .editorconfig) and enforce them rigorously.