Symfony Architecture & Code Review Checklist

Checklist:

• [ ] Domain-driven design principles followed
• [ ] Business logic separated from framework
• [ ] Controllers remain thin
• [ ] Infrastructure separated from Domain
• [ ] Dependency Injection used everywhere
• [ ] SOLID principles followed
• [ ] High cohesion
• [ ] Low coupling
• [ ] Modular architecture

Recommended Structure:

src/
├── Domain/
│   ├── Entity/
│   ├── ValueObject/
│   ├── Repository/
│   ├── Service/
│   └── Event/
│
├── Application/
│   ├── Command/
│   ├── Query/
│   ├── Handler/
│   ├── DTO/
│   └── UseCase/
│
├── Infrastructure/
│   ├── Persistence/
│   ├── Messaging/
│   ├── ExternalApi/
│   └── Security/
│
├── Presentation/
│   ├── Controller/
│   ├── Request/
│   └── Response/

Checklist:

• [ ] Thin controllers
• [ ] No business logic
• [ ] No database logic
• [ ] No external API calls
• [ ] Request validation delegated
• [ ] Proper HTTP responses

Bad:

public function create()
{
    // validation
    // business logic
    // database
    // email sending
}

Good:

public function create(
    CreateOrderCommand $command
)
{
    $this->commandBus->dispatch($command);
}

Checklist:

• [ ] Business rules inside services
• [ ] Services reusable
• [ ] Services unit tested
• [ ] No duplicated logic

Example:

OrderService
PaymentService
InventoryService
UserRegistrationService

Checklist:

• [ ] One service per use case
• [ ] Clear responsibility
• [ ] No framework dependencies

Checklist:

• [ ] Constructor injection used
• [ ] No service locator pattern
• [ ] No container access in code
• [ ] Autowiring used correctly
• [ ] Services private by default

Good:

class OrderService
{
    public function __construct(
        private OrderRepository $repository
    ) {}
}

Bad:

$container->get('service');

Checklist:

• [ ] Rich domain model
• [ ] Business rules inside entities when appropriate
• [ ] Encapsulation respected
• [ ] No public property abuse

Bad:

public string $status;

Good:

private string $status;
 
public function markPaid(): void
{
    ...
}

Checklist:

• [ ] Money uses Value Object
• [ ] Email uses Value Object
• [ ] Immutable design

Example:

Money
Email
Address
PhoneNumber

Checklist:

• [ ] Proper indexes
• [ ] Proper relationships
• [ ] Fetch strategy reviewed
• [ ] Cascade usage reviewed

Checklist:

• [ ] No N+1 queries
• [ ] JOIN FETCH where needed
• [ ] Pagination used
• [ ] QueryBuilder used correctly

Bad:

foreach ($orders as $order) {
    echo $order->getCustomer()->getName();
}

Good:

SELECT o,c
FROM Order o
JOIN FETCH o.customer c

Checklist:

• [ ] All schema changes via migration
• [ ] Migration reversible
• [ ] Online migration considered
• [ ] Indexes reviewed

Commands:

php bin/console make:migration
php bin/console doctrine:migrations:migrate

Checklist:

• [ ] Foreign key indexes
• [ ] Search indexes
• [ ] Composite indexes reviewed

Checklist:

• [ ] Proper HTTP methods
• [ ] Proper status codes
• [ ] Versioning strategy
• [ ] OpenAPI documentation

Checklist:

• [ ] Consistent format
• [ ] Consistent errors
• [ ] Validation errors standardized

Example:

{
  "success": true,
  "data": {}
}

Checklist:

• [ ] Symfony Security configured
• [ ] Stateless API if required
• [ ] Session security reviewed
• [ ] Password hashing configured

Checklist:

• [ ] Voters implemented
• [ ] Access control reviewed
• [ ] Least privilege principle

Good:

$this->denyAccessUnlessGranted(
    'ORDER_EDIT',
    $order
);

Checklist:

• [ ] Validation everywhere
• [ ] CSRF protection enabled
• [ ] XSS prevention
• [ ] SQL Injection prevention

Checklist:

• [ ] DTO validation
• [ ] Entity validation
• [ ] Custom constraints reviewed

Example:

#[Assert\NotBlank]
#[Assert\Email]
private string $email;

Checklist:

• [ ] Heavy tasks async
• [ ] Retry strategy defined
• [ ] Failure transport configured
• [ ] Idempotent handlers

Good Candidates:

• Email sending
• Notification delivery
• File processing
• Report generation
• External API integration

Example:

$messageBus->dispatch(
    new ProcessOrderMessage()
);

Checklist:

• [ ] Domain events used
• [ ] Loose coupling
• [ ] Side effects separated

Examples:

OrderCreated
OrderPaid
UserRegistered
InvoiceGenerated

Checklist:

• [ ] HTTP cache strategy
• [ ] Application cache
• [ ] Doctrine cache
• [ ] Cache invalidation strategy

Example:

$cache->get(
    'products',
    fn() => $repository->findAll()
);

Checklist:

• [ ] Structured logs
• [ ] Error logs
• [ ] Business logs
• [ ] Correlation IDs

Good:

$logger->info(
    'Order created',
    ['orderId' => $orderId]
);

Checklist:

• [ ] No N+1 queries
• [ ] Cache strategy defined
• [ ] Async processing used
• [ ] Large payloads optimized

Checklist:

• [ ] Query count reviewed
• [ ] Hydration optimized
• [ ] Batch processing for imports

Example:

$em->flush();
$em->clear();

Checklist:

• [ ] Domain services tested
• [ ] Value objects tested
• [ ] Business rules tested

Checklist:

• [ ] Doctrine repositories tested
• [ ] External APIs tested
• [ ] Messaging tested

Checklist:

• [ ] Controllers tested
• [ ] Authentication tested
• [ ] Authorization tested

Coverage Targets:

• [ ] Critical domain logic > 90%
• [ ] Overall coverage > 70%

Checklist:

• [ ] PHPStan/Psalm
• [ ] PHPUnit
• [ ] Coding standards
• [ ] Security scan

Pipeline:

Git Push
 ↓
PHP-CS-Fixer
 ↓
PHPStan
 ↓
Unit Tests
 ↓
Integration Tests
 ↓
Build
 ↓
Deploy

Checklist:

• [ ] Application metrics
• [ ] Queue metrics
• [ ] Database metrics
• [ ] API metrics

Checklist:

• [ ] Request tracing
• [ ] Distributed tracing
• [ ] Correlation IDs

Checklist:

• [ ] Zero downtime deployment
• [ ] Rollback strategy
• [ ] Configuration management
• [ ] Secret management

Checklist:

• [ ] Stateless application
• [ ] Horizontal scaling supported
• [ ] Shared cache
• [ ] Queue workers scalable

Checklist:

• [ ] Database backups
• [ ] Restore procedure tested
• [ ] Recovery documentation

Checklist:

• [ ] Environment variables used
• [ ] Config split by environment
• [ ] Service autowiring used
• [ ] Service autoconfiguration used
• [ ] Container compiled in production

Production Commands:

php bin/console cache:clear --env=prod
php bin/console cache:warmup --env=prod
composer install --no-dev --optimize-autoloader

1. [ ] Is business logic independent from Symfony?
2. [ ] Can domain logic be reused outside HTTP?
3. [ ] Are controllers thin?
4. [ ] Is Doctrine used efficiently?
5. [ ] Are queues used for heavy work?
6. [ ] Is every endpoint validated?
7. [ ] Is authorization enforced?
8. [ ] Can failures be retried safely?
9. [ ] Can the application scale horizontally?
10. [ ] Will this wake me up at 3 AM?

If all answers are YES, the Symfony application is Production Ready.

Overall Production Grade Target: >= 85%

For Symfony, one additional review area that many senior teams emphasize is DDD + CQRS + Messenger:

Domain
├── Entities
├── Value Objects
├── Domain Events
└── Repository Interfaces

Application
├── Commands
├── Command Handlers
├── Queries
├── Query Handlers
└── DTOs

Infrastructure
├── Doctrine
├── Messenger
├── Redis
├── External APIs
└── Security

Presentation
├── Controllers
├── API
└── Console Commands