====== Symfony Architecture & Code Review Checklist ======
===== 1. Architecture Review =====
==== System Design ====
Checklist:
* [ ] Domain-driven design principles followed
* [ ] Business logic separated from framework
* [ ] Controllers remain thin
* [ ] Infrastructure separated from Domain
* [ ] Dependency Injection used everywhere
* [ ] SOLID principles followed
* [ ] High cohesion
* [ ] Low coupling
* [ ] Modular architecture
Recommended Structure:
<code>
src/
├── Domain/
│   ├── Entity/
│   ├── ValueObject/
│   ├── Repository/
│   ├── Service/
│   └── Event/
│
├── Application/
│   ├── Command/
│   ├── Query/
│   ├── Handler/
│   ├── DTO/
│   └── UseCase/
│
├── Infrastructure/
│   ├── Persistence/
│   ├── Messaging/
│   ├── ExternalApi/
│   └── Security/
│
└── Presentation/
    ├── Controller/
    ├── Request/
    └── Response/
</code>
----
===== 2. Controller Review =====
==== Controller Responsibilities ====
Checklist:
* [ ] Thin controllers
* [ ] No business logic
* [ ] No database logic
* [ ] No external API calls
* [ ] Request validation delegated
* [ ] Proper HTTP responses
Bad:
<code php>
public function create()
{
    // validation
    // business logic
    // database
    // email sending
}
</code>
Good:
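<code php>
// $command is deserialized and validated before the action runs
public function create(CreateOrderCommand $command): Response
{
    $this->commandBus->dispatch($command);

    // A Symfony controller must return a Response
    return new Response(null, Response::HTTP_ACCEPTED);
}
</code>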
----
===== 3. Service Layer Review =====
==== Business Services ====
Checklist:
* [ ] Business rules inside services
* [ ] Services reusable
* [ ] Services unit tested
* [ ] No duplicated logic
Example:
<code>
OrderService
PaymentService
InventoryService
UserRegistrationService
</code>
==== Application Services ====
Checklist:
* [ ] One service per use case
* [ ] Clear responsibility
* [ ] No framework dependencies
----
===== 4. Dependency Injection Review =====
Checklist:
* [ ] Constructor injection used
* [ ] No service locator pattern
* [ ] No container access in code
* [ ] Autowiring used correctly
* [ ] Services private by default
Good:
<code php>
class OrderService
{
    public function __construct(
        private OrderRepository $repository
    ) {}
}
</code>
Bad:
<code php>
// Service locator: the dependency is hidden from the constructor signature
$container->get('service');
</code>
----
===== 5. Domain Layer Review =====
==== Entities ====
Checklist:
* [ ] Rich domain model
* [ ] Business rules inside entities when appropriate
* [ ] Encapsulation respected
* [ ] No public property abuse
Bad:
<code php>
public string $status;
</code>
Good:
<code php>
private string $status;

public function markPaid(): void
{
    // enforce the transition rule here, then update $this->status
}
</code>
==== Value Objects ====
Checklist:
* [ ] Money uses Value Object
* [ ] Email uses Value Object
* [ ] Immutable design
Example:
<code>
Money
Email
Address
PhoneNumber
</code>
----
===== 6. Doctrine Review =====
==== Entity Mapping ====
Checklist:
* [ ] Proper indexes
* [ ] Proper relationships
* [ ] Fetch strategy reviewed
* [ ] Cascade usage reviewed
==== Query Performance ====
Checklist:
* [ ] No N+1 queries
* [ ] Fetch joins (JOIN plus selecting the joined alias) where needed
* [ ] Pagination used
* [ ] QueryBuilder used correctly
Bad:
<code php>
foreach ($orders as $order) {
    // Lazy-loads the customer: one extra query per order
    echo $order->getCustomer()->getName();
}
</code>
Good (a DQL fetch join selects the joined alias; DQL has no FETCH keyword):
<code sql>
SELECT o, c
FROM Order o
JOIN o.customer c
</code>
----
===== 7. Database Review =====
==== Migrations ====
Checklist:
* [ ] All schema changes via migration
* [ ] Migration reversible
* [ ] Online migration considered
* [ ] Indexes reviewed
Commands:
<code bash>
php bin/console make:migration
php bin/console doctrine:migrations:migrate
</code>
==== Index Review ====
Checklist:
* [ ] Foreign key indexes
* [ ] Search indexes
* [ ] Composite indexes reviewed
----
===== 8. API Review =====
==== REST API ====
Checklist:
* [ ] Proper HTTP methods
* [ ] Proper status codes
* [ ] Versioning strategy
* [ ] OpenAPI documentation
==== Response Structure ====
Checklist:
* [ ] Consistent format
* [ ] Consistent errors
* [ ] Validation errors standardized
Example:
<code json>
{
    "success": true,
    "data": {}
}
</code>
----
===== 9. Security Review =====
==== Authentication ====
Checklist:
* [ ] Symfony Security configured
* [ ] Stateless API if required
* [ ] Session security reviewed
* [ ] Password hashing configured
==== Authorization ====
Checklist:
* [ ] Voters implemented
* [ ] Access control reviewed
* [ ] Least privilege principle
Good:
<code php>
$this->denyAccessUnlessGranted(
    'ORDER_EDIT',
    $order
);
</code>
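A voter that could back the ''ORDER_EDIT'' check above. This is an added example, not code from the original page: the ''OwnedOrder'' interface, its two methods, the namespace and the "paid orders cannot be edited" rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

namespace App\Infrastructure\Security;

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

/** Hypothetical contract for the order subject; the page does not show its Order entity. */
interface OwnedOrder
{
    public function getOwnerIdentifier(): string;
    public function isPaid(): bool;
}

final class OrderVoter extends Voter
{
    public const EDIT = 'ORDER_EDIT';

    protected function supports(string $attribute, mixed $subject): bool
    {
        // Vote only on ORDER_EDIT for an order; abstain on everything else.
        return self::EDIT === $attribute && $subject instanceof OwnedOrder;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // unauthenticated request: deny
        }

        /** @var OwnedOrder $subject */
        if ($subject->isPaid()) {
            return false; // assumed business rule: paid orders are immutable
        }

        // Least privilege: only the owner may edit, with no role-based bypass.
        return $subject->getOwnerIdentifier() === $user->getUserIdentifier();
    }
}
```

With service autoconfiguration the class is registered as a voter automatically. Under the default settings (affirmative strategy, ''allow_if_all_abstain: false'') an attribute that no voter supports is denied, so a mistyped attribute name fails closed.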
==== Input Security ====
Checklist:
* [ ] Validation everywhere
* [ ] CSRF protection enabled
* [ ] XSS prevention
* [ ] SQL Injection prevention
----
===== 10. Validation Review =====
==== Symfony Validator ====
Checklist:
* [ ] DTO validation
* [ ] Entity validation
* [ ] Custom constraints reviewed
Example:
<code php>
use Symfony\Component\Validator\Constraints as Assert;

#[Assert\NotBlank]
#[Assert\Email]
private string $email;
</code>
----
===== 11. Messenger Review =====
==== Queue Design ====
Checklist:
* [ ] Heavy tasks async
* [ ] Retry strategy defined
* [ ] Failure transport configured
* [ ] Idempotent handlers
Good Candidates:
* Email sending
* Notification delivery
* File processing
* Report generation
* External API integration
Example:
<code php>
$messageBus->dispatch(
    new ProcessOrderMessage()
);
</code>
----
===== 12. Event Driven Design =====
==== Domain Events ====
Checklist:
* [ ] Domain events used
* [ ] Loose coupling
* [ ] Side effects separated
Examples:
<code>
OrderCreated
OrderPaid
UserRegistered
InvoiceGenerated
</code>
----
===== 13. Caching Review =====
Checklist:
* [ ] HTTP cache strategy
* [ ] Application cache
* [ ] Doctrine cache
* [ ] Cache invalidation strategy
Example:
<code php>
$cache->get(
    'products',
    fn() => $repository->findAll()
);
</code>
----
===== 14. Logging Review =====
==== Monolog ====
Checklist:
* [ ] Structured logs
* [ ] Error logs
* [ ] Business logs
* [ ] Correlation IDs
Good:
<code php>
$logger->info(
    'Order created',
    ['orderId' => $orderId]
);
</code>
----
===== 15. Performance Review =====
==== Application Performance ====
Checklist:
* [ ] No N+1 queries
* [ ] Cache strategy defined
* [ ] Async processing used
* [ ] Large payloads optimized
==== Doctrine Performance ====
Checklist:
* [ ] Query count reviewed
* [ ] Hydration optimized
* [ ] Batch processing for imports
Example:
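<code php>
$em->flush(); // write the current batch to the database
$em->clear(); // detach managed entities to free memory
</code>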
----
===== 16. Testing Review =====
==== Unit Tests ====
Checklist:
* [ ] Domain services tested
* [ ] Value objects tested
* [ ] Business rules tested
==== Integration Tests ====
Checklist:
* [ ] Doctrine repositories tested
* [ ] External APIs tested
* [ ] Messaging tested
==== Functional Tests ====
Checklist:
* [ ] Controllers tested
* [ ] Authentication tested
* [ ] Authorization tested
Coverage Targets:
* [ ] Critical domain logic > 90%
* [ ] Overall coverage > 70%
----
===== 17. CI/CD Review =====
==== Quality Gates ====
Checklist:
* [ ] PHPStan/Psalm
* [ ] PHPUnit
* [ ] Coding standards
* [ ] Security scan
Pipeline:
<code>
Git Push
   ↓
PHP-CS-Fixer
   ↓
PHPStan
   ↓
Unit Tests
   ↓
Integration Tests
   ↓
Build
   ↓
Deploy
</code>
----
===== 18. Observability Review =====
==== Monitoring ====
Checklist:
* [ ] Application metrics
* [ ] Queue metrics
* [ ] Database metrics
* [ ] API metrics
==== Tracing ====
Checklist:
* [ ] Request tracing
* [ ] Distributed tracing
* [ ] Correlation IDs
----
===== 19. Production Readiness =====
==== Deployment ====
Checklist:
* [ ] Zero downtime deployment
* [ ] Rollback strategy
* [ ] Configuration management
* [ ] Secret management
==== Scalability ====
Checklist:
* [ ] Stateless application
* [ ] Horizontal scaling supported
* [ ] Shared cache
* [ ] Queue workers scalable
==== Disaster Recovery ====
Checklist:
* [ ] Database backups
* [ ] Restore procedure tested
* [ ] Recovery documentation
----
===== 20. Symfony-Specific Best Practices =====
Checklist:
* [ ] Environment variables used
* [ ] Config split by environment
* [ ] Service autowiring used
* [ ] Service autoconfiguration used
* [ ] Container compiled in production
Production Commands:
<code bash>
php bin/console cache:clear --env=prod
php bin/console cache:warmup --env=prod
composer install --no-dev --optimize-autoloader
</code>
----
===== 21. Senior Symfony Review Questions =====
- [ ] Is business logic independent from Symfony?
- [ ] Can domain logic be reused outside HTTP?
- [ ] Are controllers thin?
- [ ] Is Doctrine used efficiently?
- [ ] Are queues used for heavy work?
- [ ] Is every endpoint validated?
- [ ] Is authorization enforced?
- [ ] Can failures be retried safely?
- [ ] Can the application scale horizontally?
- [ ] Will this wake me up at 3 AM?
If all answers are YES, the Symfony application is Production Ready.
----
===== Symfony Architecture Maturity Score =====
^ Category ^ Target ^
| Architecture | 9/10 |
| Domain Design | 9/10 |
| Security | 9/10 |
| Performance | 9/10 |
| Testing | 8/10+ |
| Scalability | 9/10 |
| Observability | 8/10+ |
| Maintainability | 9/10 |
Overall Production Grade Target: >= 85%
For Symfony, one additional review area that many senior teams emphasize is DDD + CQRS + Messenger:
<code>
Domain
├── Entities
├── Value Objects
├── Domain Events
└── Repository Interfaces

Application
├── Commands
├── Command Handlers
├── Queries
├── Query Handlers
└── DTOs

Infrastructure
├── Doctrine
├── Messenger
├── Redis
├── External APIs
└── Security

Presentation
├── Controllers
├── API
└── Console Commands
</code>