README

Standalone PHP checker for syntax validation, duplicate-code detection, public API snapshot checks and comment policy checks.

PHPProbe is the checker runtime. It can be used directly as phpprobe, required by tool-combiner packages such as PHPForge, or called from PHP code through the public gateway classes.

Requirements

• PHP >=8.2
• nikic/php-parser >=5.0 <6.0

Install it as a Composer tool dependency:

composer require --dev infocyph/phpprobe

The package ships a Composer binary:

php vendor/bin/phpprobe

Commands

php vendor/bin/phpprobe syntax [options] [paths...]
php vendor/bin/phpprobe duplicates [options] [paths...]
php vendor/bin/phpprobe api [options] [paths...]
php vendor/bin/phpprobe comments [options] [paths...]
php vendor/bin/phpprobe check [options] [paths...]
php vendor/bin/phpprobe config validate [options]
php vendor/bin/phpprobe init [options]
php vendor/bin/phpprobe presets
php vendor/bin/phpprobe preset <name>

Unknown commands print the top-level usage and exit 0. There is no separate --version command. For checker subcommands (syntax, duplicates, api, comments, check), unknown options fail with exit 2.

Onboarding (5 Minutes)

Use this flow for a fresh project:

1. Initialize config:

php vendor/bin/phpprobe init --preset=standard

1. Run all 4 tools together:

php vendor/bin/phpprobe check src tests

1. Add CI reports (optional):

php vendor/bin/phpprobe check --preset=standard --report-dir=build/reports src tests

1. If your project is a library, start API baseline flow:

php vendor/bin/phpprobe api --write-baseline=.phpprobe-api-baseline.json src
php vendor/bin/phpprobe api --baseline=.phpprobe-api-baseline.json src

Tool Map

Quick Start

Common examples:

php vendor/bin/phpprobe syntax
php vendor/bin/phpprobe syntax --format=markdown --parallel=4 src
php vendor/bin/phpprobe duplicates
php vendor/bin/phpprobe duplicates --json
php vendor/bin/phpprobe duplicates --summary-json=build/duplicates-summary.json src
php vendor/bin/phpprobe duplicates --preset=strict --json src
php vendor/bin/phpprobe api --write-baseline=.phpprobe-api-baseline.json src
php vendor/bin/phpprobe api --baseline=.phpprobe-api-baseline.json src
php vendor/bin/phpprobe api --fail-on=error --format=markdown --baseline=.phpprobe-api-baseline.json src
php vendor/bin/phpprobe comments --fail-on=warning src
php vendor/bin/phpprobe comments --strict --json src
php vendor/bin/phpprobe comments --policy=strict --format=markdown src
php vendor/bin/phpprobe check --preset=standard --report-dir=build/reports src tests
php vendor/bin/phpprobe config validate --config=phpprobe.json
php vendor/bin/phpprobe init --preset=standard --with-ci
php vendor/bin/phpprobe presets
php vendor/bin/phpprobe preset standard

Detailed options and output contracts for each tool are documented in the sections below.

Public API

The package-facing checker gateways live directly under src/:

• Infocyph\PHPProbe\SyntaxChecker
• Infocyph\PHPProbe\DuplicateChecker
• Infocyph\PHPProbe\ApiSnapshotChecker
• Infocyph\PHPProbe\CommentChecker

All expose:

public function run(array $args): int

$args is the same argument list that follows the CLI subcommand. For example:

use Infocyph\PHPProbe\ApiSnapshotChecker;
use Infocyph\PHPProbe\CommentChecker;
use Infocyph\PHPProbe\DuplicateChecker;
use Infocyph\PHPProbe\SyntaxChecker;

$syntaxCode = (new SyntaxChecker())->run(['--config=phpprobe.json', 'src']);
$duplicateCode = (new DuplicateChecker())->run(['--preset=strict', '--json', 'src']);
$apiCode = (new ApiSnapshotChecker())->run(['--baseline=.phpprobe-api-baseline.json', 'src']);
$commentCode = (new CommentChecker())->run(['--strict', '--fail-on=warning', 'src']);

Everything else is internal implementation detail, grouped by role:

Config Lookup

The default config filename is phpprobe.json.

When a checker needs a config file and --config was not passed, PHPProbe resolves it in this order:

1. phpprobe.json in the current project root, meaning the current working directory.
2. vendor/infocyph/phpprobe/resources/phpprobe.json under the current project root.
3. resources/phpprobe.json only when the current project itself is infocyph/phpprobe.

If no config can be found, PHPProbe throws a runtime config error.

Preset files are bundled resources. They are resolved from:

1. vendor/infocyph/phpprobe/resources/presets/<name>.json.
2. resources/presets/<name>.json only while developing infocyph/phpprobe itself.

Project-root preset files are not looked up automatically.

When --config=FILE is passed explicitly and that file is missing, unreadable, empty, or invalid JSON, PHPProbe treats it as an empty config and continues with internal defaults plus any CLI options.

Config Format

The bundled resources/phpprobe.json is intentionally small:

{
  "preset": "standard"
}

A full project config may override any part of the selected preset:

{
  "preset": "standard",
  "syntax": {
    "paths": ["src"],
    "exclude": ["src/generated"]
  },
  "duplicates": {
    "paths": ["src"],
    "exclude": ["src/generated"],
    "mode": "audit",
    "normalize": true,
    "fuzzy": true,
    "near_miss": true,
    "min_lines": 5,
    "min_tokens": 90,
    "min_statements": 4,
    "min_similarity": 0.85,
    "baseline": "",
    "write_baseline": "",
    "ignore_fingerprints": [],
    "json": false
  },
  "api": {
    "paths": ["src"],
    "exclude": ["src/generated"],
    "include_protected": true,
    "baseline": "",
    "write_baseline": "",
    "json": false
  },
  "comments": {
    "paths": ["src"],
    "exclude": ["src/generated"],
    "scan_markers": true,
    "fail_on": "error",
    "rules": {
      "comment_marker": {
        "enabled": true
      },
      "commented_out_code_with_weak_reason": {
        "severity": "warning"
      }
    }
  }
}

Config keys accept snake case, kebab case and camel case. For example, min_tokens, min-tokens and minTokens are equivalent. Excludes can be configured as either exclude or exclude_paths. duplicates.ignore_fingerprints suppresses known clone fingerprints without a baseline file. comments.rules lets you toggle rule enabled and override per-rule severity.

Internal duplicate defaults, before any preset is applied, are mode=gate, normalize=true, fuzzy=false, near_miss=false, min_lines=5, min_tokens=70, min_statements=4, min_similarity=0.85, no baseline, no JSON output and no configured paths or excludes.

Internal API defaults are include_protected=true, no baseline, no JSON output and no configured paths or excludes.

Config merge order is:

1. Internal checker defaults.
2. Config-file preset, when present.
3. Explicit values in the config file.
4. CLI --preset=NAME, when present.
5. Explicit CLI flags and CLI paths.

Local config values override the config-file preset. CLI --preset is a run-level override and can override config-file values. Explicit CLI flags still win after that.

Presets

Preset templates live in resources/presets/ and are loaded by Infocyph\PHPProbe\Config\PresetRepository.

Available presets:

The standard, ci, and strict presets include the same default syntax, duplicate, API and comment excludes:

tests, vendor, node_modules, .git, .idea, .vscode, coverage,
.phpunit.cache, .psalm-cache, build, dist, tmp, .tmp, storage,
bootstrap/cache, var/cache

Their duplicate sections also exclude storage/framework/views.

Preset commands:

php vendor/bin/phpprobe presets
php vendor/bin/phpprobe preset standard

presets prints one preset name per line. preset <name> prints the bundled JSON template. Unknown preset names print an error and exit 2. Legacy alias phpstorm is still accepted and resolves to standard.

Combined Check Command

check runs syntax, duplicates, api, and comments in sequence and returns a combined exit code.

php vendor/bin/phpprobe check [options] [paths...]

Options:

Exit behavior:

• If any checker exits 2, combined exit is 2.
• Else if any checker exits non-zero, combined exit is 1.
• Otherwise combined exit is 0.

Config Validate Command

php vendor/bin/phpprobe config validate [options]

Options:

• --config=FILE (default ./phpprobe.json)
• --json (machine-readable result)
• --help

Returns 0 for valid config, 1 for schema/key/type validation errors, and 2 for missing/unreadable/invalid JSON files.

Init Command

php vendor/bin/phpprobe init [options]

Options:

• --preset=NAME (default, standard, ci, strict; default standard)
• --path=FILE (default ./phpprobe.json)
• --with-ci (also writes .github/workflows/phpprobe.yml)
• --force (overwrite existing files)
• --help

Syntax Checker

The syntax checker discovers PHP files, then runs PHP's native lint command against each file:

php -d display_errors=1 -l <file>

Command:

php vendor/bin/phpprobe syntax [options] [paths...]

Options:

Path behavior:

• CLI paths override syntax.paths from config.
• If CLI paths are empty, syntax.paths is used.
• If both are empty, discovery starts from ..
• Config excludes and CLI excludes are merged.

Output and exits:

Comment Policy Checker

The comment checker scans PHP comments using token_get_all() and reports marker tags and commented-out code policy findings.

Command:

php vendor/bin/phpprobe comments [options] [paths...]

Options:

Config-only option: comments.rules allows per-finding overrides such as { "comment_marker": { "enabled": false } } or { "commented_out_code_with_weak_reason": { "severity": "info" } }.

Four enforced policies

1. Marker detection: tags like TODO, FIXME, BUG, HACK, SECURITY, REVIEW, DEPRECATED.
2. Commented-out code requires directly attached tagged reason.
3. Long commented-out blocks require an issue reference.
4. Oversized commented-out blocks are always reported.

Default thresholds:

• min_reason_length = 12
• require_issue_for_blocks_longer_than = 3
• max_allowed_block_lines = 10

Policy-to-finding mapping:

Output and exits:

Public API Snapshot Checker

The API checker parses PHP files with nikic/php-parser, extracts the package-visible surface and can compare it with a saved snapshot. It is intended for library BC drift checks, not type analysis.

Command:

php vendor/bin/phpprobe api [options] [paths...]

Options:

Path behavior:

• CLI paths override api.paths from config.
• If CLI paths are empty, api.paths is used.
• If both are empty, discovery starts from ..
• Config excludes and CLI excludes are merged.

Snapshot contents:

• named classes, interfaces, traits and enums
• top-level namespaced functions
• top-level namespaced constants
• public members always
• protected members unless --public-only is used
• class modifiers, inheritance, implemented interfaces, method signatures, property signatures, constants, enum cases, function signatures and stable fingerprints

Output and exits:

Duplicate Checker

The duplicate checker combines token fingerprints, AST block structure, statement windows, near-miss similarity, grouping, pruning, ranking and optional baseline suppression.

Command:

php vendor/bin/phpprobe duplicates [options] [paths...]

Options:

Config-only option: duplicates.ignore_fingerprints accepts a list of clone fingerprints to suppress without using a baseline file.

Exact accepted forms matter: numeric options, --mode, --baseline and valued --write-baseline=FILE are parsed in equals form. --config, --preset and --exclude also accept split form. --write-baseline may also be passed as a bare flag.

Path behavior:

• CLI paths override duplicates.paths from config.
• If CLI paths are empty, duplicates.paths is used.
• If both are empty, discovery starts from ..
• Config excludes and CLI excludes are merged.

Mode behavior:

• gate: token-window duplicate detection only, unless --near-miss is explicitly passed.
• audit: token-window matching plus statement-window matching and near-miss matching is enabled automatically.

Output and exits:

Duplicate Detection Details

File discovery:

• PHPProbe first tries git ls-files -z --cached --others --exclude-standard.
• It filters discovered PHP files with git check-ignore -z --stdin --no-index.
• If Git discovery is unavailable, it recursively scans the selected paths.
• Recursive fallback skips common infrastructure directories such as .git, .idea, .phpunit.cache, .psalm-cache, .vscode, coverage, node_modules and vendor.

Token normalization:

• Whitespace, comments, doc comments, PHP open tags and close tags are ignored.
• With normalize=true, variables become VAR, numbers become NUM, strings become STR.
• With fuzzy=true, identifiers and names become ID.
• With --exact, token values include token names and original text.

Token clones:

• PHPProbe hashes every normalized token window of min_tokens tokens.
• Matching windows are candidate clones.
• Candidates are extended token-by-token to find the full matching region.
• Overlapping windows in the same file are ignored.
• Clone regions below min_lines are ignored.

AST and statement matching:

• PHPProbe uses nikic/php-parser to index structural blocks.
• Indexed blocks include functions, methods, closures, arrow functions, loops, branches, match arms and try/catch/finally blocks.
• Statement hashes are built from AST shape.
• In audit mode, matching statement windows of min_statements statements are reported as statement clones.

Near-miss matching:

• Near-miss matching compares blocks with the same block type.
• Similarity is weighted as 72% statement-hash similarity and 28% AST-shape similarity.
• Similarity is based on longest-common-subsequence ratio.
• Matches below min_similarity are ignored.

Grouping, pruning and scoring:

• Duplicate pairs are grouped into clone families.
• Contained/weaker clones are pruned.
• Results are ranked by score, line span and similarity.
• Scoring rewards larger clones, more occurrences, higher similarity, structural completeness and near-miss signal; small trivial clones are penalized.

Duplicate JSON Result Shape

phpprobe duplicates --json emits:

{
  "files": 2,
  "total_lines": 100,
  "duplicated_lines": 20,
  "duplicate_percentage": 20.0,
  "known_clones": 0,
  "new_clones": 1,
  "clones": [
    {
      "fingerprint": "...",
      "source": "tokens",
      "score": 120.5,
      "similarity": 1.0,
      "tokens": 90,
      "lines": 10,
      "statements": 0,
      "block_type": "function",
      "occurrences": [
        {
          "file": "src/Example.php",
          "start_line": 10,
          "end_line": 20,
          "lines": 11,
          "context": "function"
        }
      ]
    }
  ]
}

Clone source is one of:

• tokens
• statements
• near_miss

known_clones is populated when a duplicate baseline is read. new_clones is the number of clone groups remaining after baseline suppression.

API JSON Result Shape

phpprobe api --json emits:

{
  "snapshot": {
    "version": 1,
    "generated_at": "2026-05-02T00:00:00+00:00",
    "symbols": [
      {
        "id": "class App\\Service",
        "kind": "class",
        "name": "App\\Service",
        "file": "src/Service.php",
        "line": 5,
        "modifiers": ["final"],
        "extends": "",
        "implements": [],
        "members": [],
        "fingerprint": "..."
      }
    ]
  },
  "baseline": {
    "version": 1,
    "generated_at": "",
    "symbols": []
  },
  "changed": false,
  "changes": {
    "added": [],
    "removed": [],
    "changed": []
  },
  "classifications": {
    "added": [],
    "removed": [],
    "changed": [
      {
        "id": "class App\\Service",
        "impact": "breaking",
        "reason": "Member signature changed: method App\\Service::run()"
      }
    ]
  },
  "impact": {
    "breaking": 1,
    "additive": 0,
    "internal": 0
  }
}

Baselines

Write a baseline:

php vendor/bin/phpprobe duplicates --write-baseline
php vendor/bin/phpprobe duplicates --write-baseline=.phpprobe-duplicates-baseline.json
php vendor/bin/phpprobe api --write-baseline
php vendor/bin/phpprobe api --write-baseline=.phpprobe-api-baseline.json

Use a baseline:

php vendor/bin/phpprobe duplicates --baseline=.phpprobe-duplicates-baseline.json
php vendor/bin/phpprobe api --baseline=.phpprobe-api-baseline.json

This repository does not use a duplicate baseline in CI; duplicate findings are expected to be resolved directly.

Duplicate baseline files contain:

{
  "version": 1,
  "generated_at": "2026-05-02T00:00:00+00:00",
  "clones": [
    {
      "fingerprint": "...",
      "source": "tokens",
      "score": 100.0
    }
  ]
}

API baseline files use the same top-level version, generated_at and symbols shape emitted under the snapshot JSON key. Missing, unreadable, or invalid baseline files now fail with exit code 2. Duplicate baseline files follow the same strict behavior: missing, unreadable, or invalid baselines fail with exit code 2.

Colored Output

Checker text output is colorized on interactive terminals:

• green: successful summaries
• yellow: warning/medium severity lines
• red: error/high/critical summaries
• cyan: baseline write notifications

Color output is automatically disabled for non-TTY streams and when NO_COLOR is set (or TERM=dumb), so CI logs and JSON output stay clean.

CI / Cloud

Workflow: .github/workflows/ci.yml

CI runs:

1. PHPProbe matrix on PHP 8.2, 8.3, 8.4, 8.5:
   • composer validate --strict
   • composer test
   • composer lint
   • composer duplicates
   • composer api
   • composer comments
2. PHPForge integration:
   • checks out infocyph/phpforge
   • injects local phpprobe via Composer path repository
   • runs PHPForge tests

workflow_dispatch supports phpforge_ref to test a specific PHPForge branch/tag/SHA.

Development

Composer scripts:

Useful local checks:

composer validate --strict
composer test
composer check
composer lint
composer duplicates
composer api
composer comments
git diff --check