✅ Code Review Checklist

A comprehensive checklist to ensure code quality and standards compliance during pull request reviews.

🔍 Before Starting Review

• [ ] CI/CD Pipeline: All automated tests pass
• [ ] Build Status: No build errors or warnings
• [ ] PR Description: Clear description of changes and motivation
• [ ] Linked Issues: Related tickets/issues are referenced
• [ ] No Merge Conflicts: Branch is up to date with target branch
• [ ] Reasonable Size: PR is not too large (< 400 lines preferred)

📋 Code Quality Standards

PSR-12 & PHP Standards

• [ ] Strict Types: declare(strict_types=1) at top of every file
• [ ] PSR-12 Compliance: Follows PSR-12 coding standards
• [ ] Naming Conventions: Classes (PascalCase), methods (camelCase), constants (UPPER_SNAKE_CASE)
• [ ] Type Declarations: All parameters and return types are properly typed
• [ ] No Magic Numbers: Constants defined for numeric values
• [ ] Proper Imports: All use statements are organized and necessary
• [ ] No Unused Code: No commented-out code or unused imports

Code Structure

• [ ] Method Length: Methods are focused and < 20 lines when possible
• [ ] Class Responsibility: Each class has single, clear responsibility (SRP)
• [ ] Cyclomatic Complexity: No overly complex nested conditions
• [ ] Early Returns: Uses early returns to reduce nesting
• [ ] DRY Principle: No obvious code duplication
• [ ] KISS Principle: Code is simple and readable, not clever
• [ ] Meaningful Names: Variables and methods have descriptive names

🏗️ Architecture & Design

Laravel Structure

• [ ] Thin Controllers: Controllers only handle HTTP concerns
• [ ] Business Logic: Complex logic is in Services or Actions
• [ ] Data Access: Repository pattern used for database operations
• [ ] Form Requests: Validation is in Form Request classes
• [ ] API Resources: Response transformation uses Resource classes
• [ ] Dependency Injection: Constructor injection used, not manual instantiation
• [ ] Service Provider Bindings: Interfaces bound to implementations

Design Patterns

• [ ] Repository Pattern: Data access properly abstracted
• [ ] Service Layer: Business logic properly organized
• [ ] Action Classes: Single-purpose operations use Action classes
• [ ] Observer Pattern: Model events handled by Observers
• [ ] Factory Pattern: Complex object creation uses Factories
• [ ] No God Classes: No classes with too many responsibilities

SOLID Principles

• [ ] Single Responsibility: Each class has one reason to change
• [ ] Open/Closed: Uses interfaces for extension, not modification
• [ ] Liskov Substitution: Subclasses properly substitutable
• [ ] Interface Segregation: Focused interfaces, not fat ones
• [ ] Dependency Inversion: Depends on abstractions, not concretions

💾 Database & Models

Migrations

• [ ] Naming Convention: Descriptive migration names with dates
• [ ] Rollback Support: down() method properly implements rollback
• [ ] Foreign Keys: Proper foreign key constraints defined
• [ ] Indexes: Indexes added for frequently queried columns
• [ ] Data Types: Appropriate column types and sizes
• [ ] Nullable Fields: Proper nullable/required field definitions

Models & Relationships

• [ ] Fillable/Guarded: Mass assignment protection configured
• [ ] Hidden Fields: Sensitive fields (password, tokens) hidden
• [ ] Casts: Proper attribute casting defined
• [ ] Relationships: Type-hinted relationship methods
• [ ] Scopes: Common queries defined as scopes
• [ ] Soft Deletes: Appropriate use of soft deletes

Query Optimization

• [ ] N+1 Prevention: Eager loading used where appropriate
• [ ] Select Specific: Not using SELECT * unnecessarily
• [ ] Pagination: Large result sets use pagination
• [ ] Query Efficiency: No obvious performance issues
• [ ] Transactions: Database transactions used for related operations

🔒 Security

Input Validation

• [ ] Form Validation: All user input validated via Form Requests
• [ ] Type Safety: Proper type checking and validation rules
• [ ] SQL Injection: No raw queries without parameter binding
• [ ] XSS Prevention: Output properly escaped
• [ ] Mass Assignment: Protected via $fillable or $guarded

Authentication & Authorization

• [ ] Authentication: Proper authentication checks in place
• [ ] Authorization: Policy-based authorization implemented
• [ ] CSRF Protection: CSRF tokens used for state-changing requests
• [ ] API Authentication: Proper API token/OAuth implementation
• [ ] Rate Limiting: API endpoints have rate limiting

Data Protection

• [ ] Sensitive Data: Passwords hashed, sensitive data encrypted
• [ ] Environment Variables: No secrets in code, using .env
• [ ] Logging: No sensitive data logged (passwords, tokens, etc.)
• [ ] Error Messages: Error messages don't leak sensitive information

🧪 Testing

Test Coverage

• [ ] Unit Tests: Business logic has unit tests
• [ ] Feature Tests: API endpoints have feature tests
• [ ] Test Quality: Tests are meaningful, not just for coverage
• [ ] Edge Cases: Edge cases and error conditions tested
• [ ] Test Naming: Test names clearly describe what they test
• [ ] Assertions: Proper assertions, not just "assertTrue(true)"
• [ ] Coverage Target: Maintains or improves test coverage (80%+ goal)

Test Quality

• [ ] Arrange-Act-Assert: Tests follow AAA pattern
• [ ] Test Isolation: Tests don't depend on each other
• [ ] Mock External: External services properly mocked
• [ ] Database Transactions: Uses RefreshDatabase trait
• [ ] No Sleep/Waits: No arbitrary waits in tests

📝 Documentation

Code Documentation

• [ ] DocBlocks: Complex methods have DocBlocks
• [ ] Inline Comments: Complex logic explained with comments
• [ ] README Updates: README updated if public API changes
• [ ] API Documentation: API changes documented (OpenAPI/Swagger)
• [ ] Changelog: CHANGELOG.md updated with notable changes

Code Clarity

• [ ] Self-Documenting: Code is self-explanatory where possible
• [ ] No Misleading Names: Names accurately reflect purpose
• [ ] TODO Comments: No TODOs left without linked tickets
• [ ] Dead Code: No commented-out code blocks

⚡ Performance

• [ ] Lazy Loading: Uses lazy loading where appropriate
• [ ] Eager Loading: Uses eager loading to prevent N+1
• [ ] Caching: Implements caching for expensive operations
• [ ] Queue Jobs: Heavy operations moved to queue jobs
• [ ] Database Indexes: Proper indexes for query performance
• [ ] Memory Usage: No obvious memory leaks or inefficiencies

🔧 Error Handling

• [ ] Try-Catch Blocks: Proper exception handling
• [ ] Custom Exceptions: Uses custom exceptions when appropriate
• [ ] Error Logging: Errors properly logged with context
• [ ] User-Friendly Messages: Error messages are user-friendly
• [ ] Rollback on Error: Database transactions rolled back on errors
• [ ] No Silent Failures: Errors aren't caught and ignored

🌐 API Design (if applicable)

• [ ] RESTful Design: Follows REST conventions
• [ ] HTTP Methods: Correct HTTP methods (GET, POST, PUT, PATCH, DELETE)
• [ ] Status Codes: Appropriate HTTP status codes
• [ ] Response Format: Consistent response structure
• [ ] Versioning: API versioning strategy followed
• [ ] Pagination: List endpoints support pagination
• [ ] Filtering: Appropriate filtering/sorting support

📦 Dependencies

• [ ] No Unnecessary Dependencies: New packages are justified
• [ ] Version Constraints: Proper version constraints in composer.json
• [ ] Security Updates: No known vulnerabilities in dependencies
• [ ] License Compatibility: Package licenses compatible with project

🚀 Deployment Considerations

• [ ] Environment Config: No environment-specific hard-coded values
• [ ] Migrations: Database migrations are safe for production
• [ ] Backwards Compatible: Changes are backwards compatible (if required)
• [ ] Feature Flags: Breaking changes behind feature flags
• [ ] No Breaking Changes: API changes don't break existing clients

🎨 Front-End Integration (if applicable)

• [ ] CORS Configuration: Proper CORS headers
• [ ] JSON Responses: Consistent JSON response structure
• [ ] Error Format: Front-end can parse error responses
• [ ] Documentation: API changes communicated to front-end team

✨ General Best Practices

• [ ] Git History: Clean, logical commits with good messages
• [ ] Branch Naming: Follows branch naming conventions
• [ ] No Debug Code: No dd(), dump(), var_dump(), or console.log()
• [ ] No Commented Code: No large blocks of commented-out code
• [ ] Code Formatting: Code is properly formatted (Pint/CS Fixer)
• [ ] Language: Consistent language (English) in code and comments

💬 Review Comments Guidelines

For Reviewers

Be Constructive

• Explain "why" when requesting changes
• Suggest alternatives, not just point out problems
• Recognize good code and patterns
• Link to relevant documentation

Severity Levels

• 🔴 Blocker: Must be fixed before merge (security, bugs, breaking changes)
• 🟡 Important: Should be fixed (standards violation, maintainability)
• 🔵 Suggestion: Nice to have (style preferences, minor improvements)
• 💡 Question: Seeking clarification or discussion

Example Comments

✅ Good:

🟡 This method is doing too much. Consider extracting the email sending logic into a separate NotificationService. See Service Layer Pattern.

❌ Bad:

This is wrong. Fix it.

📊 Review Completion Checklist

Before approving:

• [ ] All Critical Issues Addressed: No blockers remain
• [ ] Standards Compliance: Code follows team standards
• [ ] Tests Pass: All tests pass locally and in CI
• [ ] Documentation Updated: Changes are documented
• [ ] No Questions Unanswered: All reviewer questions addressed
• [ ] Ready for Production: Confident code can be deployed

---

🎯 Quick Reference Card

Print or bookmark this quick reference:

Red Flags 🚨

• Direct model access in controllers
• Missing type declarations
• No input validation
• N+1 query problems
• Sensitive data in logs
• No tests for new features
• God classes (> 200 lines)
• Methods > 30 lines

Green Flags ✅

• Thin controllers
• Comprehensive tests
• Proper type hints
• Clear naming
• Single responsibility
• Proper error handling
• Security best practices
• Good documentation

---

📝 Living Document: This checklist evolves with our standards. Suggest improvements via pull requests!