Skip to content

PHP

Dynamic Regex since v1.0

๐Ÿ˜ Types always in; functions and constants unless private or protected. Magic methods always out.

.php

What gets detected

The public surface spec-sync tracks for PHP.

  • class / abstract class / final class / readonly class
  • interface / trait / enum
  • public function / public static function (skips private/protected and __ magic methods)
  • public const / const at top level

Detection rules

Type declarations (always public)

PHP types are always publicly accessible. Matches class (abstract, final, readonly), interface, trait, and enum.

class AuthService {}
abstract class BaseController {}
final class Config {}
readonly class ValueObject {}
interface Authenticator {}
trait Loggable {}
enum Status { case Active; case Expired; }

Public functions

Top-level functions and class methods marked public (or with no explicit visibility, defaulting to public) are captured. private and protected are excluded.

function standalone_helper(): void {}

class Service {
    public function validate(string $token): bool {}
    public static function create(): self {}
    private function internalCheck(): void {}  // excluded
    protected function helper(): void {}       // excluded
}

Magic method exclusion

Methods whose names start with __ (double underscore) are always excluded: __construct, __toString, __get, etc.

public function __construct() {}  // excluded
public function __toString(): string {}  // excluded
public function getName(): string {}     // included

Constants

public const and top-level const are captured. private const is excluded.

public const DEFAULT_TTL = 3600;   // included
private const INTERNAL_KEY = 'x';  // excluded
const GLOBAL_CONST = 'y';          // included

Example: spec & source

The *.spec.md contract on the left, the PHP source it documents on the right. spec-sync matches the two.

Spec (*.spec.md)

---
module: auth
version: 1
status: stable
files:
  - src/Auth/AuthService.php
---

## Purpose

PHP auth service using JWT validation.

## Public API

| Symbol | Kind | Description |
|--------|------|-------------|
| `AuthService` | class | Main auth class |
| `Authenticator` | interface | Auth contract |
| `validate` | method | Validates a JWT token |
| `DEFAULT_TTL` | const | Default TTL in seconds |

## Change Log

| Date | Change |
|------|--------|
| 2026-01-01 | Initial |

Source

<?php

namespace App\Auth;

class AuthService {
    public const DEFAULT_TTL = 3600;
    private const INTERNAL_KEY = 'secret';

    public function validate(string $token): bool {
        return !empty($token);
    }

    public static function create(): self {
        return new self();
    }

    private function internalCheck(): void {}
}

interface Authenticator {
    public function authenticate(): bool;
}

trait Loggable {
    public function log(): void {}
}

Test-file patterns

Files matching these are excluded from the detected surface.

Pattern Explanation
**/*Test.php PHPUnit test classes: auto-excluded

Caveats

  • PHP does not have true module-level visibility. Class types are always globally accessible.
  • Namespaces are detected but not used to filter exports; all types in all namespaces are included.
  • Dynamic class definitions (class_alias(), eval()) are not detected.
  • Attributes (#[Attribute]) are captured as class declarations if public.

Related languages

Python

๐Ÿ Respects __all__ when present; falls back to top-level defs and classes without underscore prefixes.

Ruby

๐Ÿ”ด Tracks public/private visibility as it scans. Methods before a private marker are public. initialize excluded.
โ† All languages Spec format Found a bug? โ†—