Code Pattern Checker
Validate code against Drupal standards and best practices.
Required References
Load these before checking code:
Reference Checks
references/solid-drupal.md
SOLID principles
references/dry-patterns.md
DRY patterns
dev-guides: drupal/security/
Security practices (online)
dev-guides: drupal/sdc/ + drupal/js-development/
CSS/JS/SDC standards (online)
references/quality-gates.md
Gate 1 requirements
For security and frontend checks, WebFetch from https://camoa.github.io/dev-guides/ instead of reading bundled files.
Activation
Activate when you detect:
-
Before committing code
-
After implementation, before task completion
-
/drupal-dev-framework:validate command
-
"Check my code" or "Review this"
-
Invoked by task-completer skill
Gate Enforcement
This skill enforces Gate 1: Code Standards from references/quality-gates.md . Code CANNOT be committed until Gate 1 passes.
Workflow
- Identify Files to Check
Ask if not clear:
Which files should I check?
- All changed files (git diff)
- Specific file(s)
- All files in a component
Your choice:
Use Bash with git diff --name-only to get changed files if option 1.
- Read and Analyze Files
Use Read on each file. For each, check:
PHP Files:
-
PSR-12 / Drupal coding standards
-
Docblocks on classes and public methods
-
Type hints on parameters and returns
-
No deprecated functions
-
Naming: PascalCase classes, camelCase methods
SOLID Principles (references/solid-drupal.md):
-
Single Responsibility - one purpose per class
-
Dependency Inversion - inject dependencies via services.yml
-
No \Drupal::service() in new code (BLOCKING)
-
Interfaces defined for services
DRY Check (references/dry-patterns.md):
-
No duplicate code blocks (BLOCKING)
-
Shared logic in services/traits
-
Leverages Drupal base classes
Security (dev-guides drupal/security/):
-
No raw SQL with user input (BLOCKING)
-
Output escaped (Twig auto, Html::escape)
-
Form tokens present (Form API handles)
-
Access checks on routes (BLOCKING)
-
Input validated via Form API
CSS/SCSS (dev-guides drupal/sdc/ + drupal/js-development/):
-
Mobile-first media queries
-
No !important (BLOCKING)
-
No @extend (BLOCKING)
-
BEM naming convention
-
Drupal behaviors pattern for JS
- Run Automated Tools
Suggest running (user executes):
PHP CodeSniffer
ddev exec vendor/bin/phpcs --standard=Drupal,DrupalPractice {path}
PHPStan (if configured)
ddev exec vendor/bin/phpstan analyze {path}
SCSS Lint (if applicable)
npm run lint:scss
- Report Findings
Format output as:
Code Check: {file or component}
Status: PASS / ISSUES FOUND
Standards Check
| Check | Status | Notes |
|---|---|---|
| PSR-12 | PASS | - |
| Docblocks | ISSUE | Missing on processData() |
| Type hints | PASS | - |
SOLID Principles
| Principle | Status |
|---|---|
| Single Responsibility | PASS |
| Dependency Inversion | PASS |
Security
| Check | Status | Notes |
|---|---|---|
| SQL Injection | PASS | Uses query builder |
| XSS | PASS | Output escaped |
| Access Control | ISSUE | Missing on /admin/custom route |
DRY Check
| Issue | Location |
|---|---|
| Duplicate logic | lines 45-52 and 78-85 |
Issues to Fix (Priority Order)
- Security: Add access check to admin route
- Standards: Add docblock to processData()
- DRY: Extract duplicate logic to private method
Recommendation
- Fix security issue before merge
- Other issues: fix now or create follow-up task
Approved for commit: NO (fix security first) / YES
- Offer Fixes
For each issue, offer to help:
Issue: Missing docblock on processData()
Suggested fix: /**
- Process the input data and return results.
- @param array $data
- The input data array.
- @return array
- The processed results. */
Apply this fix? (yes/no/skip)
Stop Points
STOP and wait for user:
-
After asking which files to check
-
After presenting findings
-
Before applying each fix
-
If security issues found (emphasize fixing)