Drupal Compliance Audit - 2026-01-09

Summary

Comprehensive audit of all_drupal_custom modules against Drupal coding standards and best practices. This audit covers 50+ custom modules developed for the LLM Platform.

Audit Scope

  • Target: /Users/flux423/Sites/LLM/all_drupal_custom/modules/
  • Standards: Drupal 10/11 coding standards, PSR-12, Entity API best practices
  • Date: January 9, 2026

Critical Issues Found

1. Missing Config Schema Files (CRITICAL)

Configuration schema files are required for all configuration entities and settings. Missing schemas cause:

  • Config validation failures
  • Translation issues
  • Configuration export/import problems

| Module | Missing Configs | Priority |
|---|---|---|
| ai_agentic_workflows | 69 configs | P0 |
| dita_ccms | 32 configs | P0 |
| code_executor | 26 configs | P0 |
| ai_agents_client | 1 config | P1 |
| ai_agents_cursor | 1 config | P1 |

Remediation: Create config/schema/*.schema.yml files for each module.

2. Entity Types Missing Access Handlers (CRITICAL)

Entity types without proper access handlers create security vulnerabilities and fail Drupal's access control model.

| Module | Entity File | Issue |
|---|---|---|
| recipe_onboarding | Recipe.php | No access handler |
| llm_core | LlmLearningMetric.php | No access handler |
| ai_provider_apple | AppleModelConfig.php | No access handler |
| ai_provider_langchain | 4 entity types | No access handlers |
| ai_agents_kagent | 2 entity types | No access handlers |

Remediation: Add access handler to entity annotations:

     * handlers = {
     *   "access" = "Drupal\my_module\MyEntityAccessControlHandler",
     * },
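
One way to run the entity annotation scan behind this finding, as an added example that is not the audit's own tooling: it parses @ContentEntityType and @ConfigEntityType docblocks and reports entity types whose handlers block has no top-level "access" key. The sample entities and class names are constructed placeholders, and entity types declared with PHP attributes are out of scope.

```python
import re

# Docblock annotations only; entity types declared with PHP attributes are not covered.
ANNOTATION = re.compile(r"@(?:Content|Config)EntityType\s*\((.*?)\n[ \t]*\*[ \t]*\)", re.S)
ENTITY_ID = re.compile(r'\bid\s*=\s*"([^"]+)"')
HANDLERS = re.compile(r"\bhandlers\s*=\s*\{")
ACCESS = re.compile(r'"access"\s*=\s*"([^"]+)"')

def direct_handler_keys(body):
    """Text of handlers = {...} with nested {...} groups dropped."""
    start = HANDLERS.search(body)
    depth, kept = 1, []
    for ch in (body[start.end():] if start else ""):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:  # closing brace of the handlers block itself
            break
        if depth == 1 and ch not in "{}":
            kept.append(ch)
    return "".join(kept)

def audit(source):
    """Return [(entity_type_id, access handler class or None)], one per annotation."""
    results = []
    for match in ANNOTATION.finditer(source):
        entity_id = ENTITY_ID.search(match.group(1))
        access = ACCESS.search(direct_handler_keys(match.group(1)))
        results.append((entity_id.group(1) if entity_id else "?",
                        access.group(1) if access else None))
    return results

# Constructed sample: two hypothetical entity classes, not files from the audited modules.
SAMPLE = r'''
/**
 * @ContentEntityType(
 *   id = "my_entity",
 *   handlers = { "list_builder" = "Drupal\my_module\MyEntityListBuilder" },
 * )
 */
/**
 * @ConfigEntityType(
 *   id = "my_fixed_entity",
 *   handlers = {
 *     "form" = { "default" = "Drupal\my_module\Form\MyEntityForm" },
 *     "access" = "Drupal\my_module\MyEntityAccessControlHandler",
 *   },
 * )
 */
'''
print([eid for eid, handler in audit(SAMPLE) if handler is None])  # entity types to fix
```

Brace depth is tracked because a lazy regex over handlers = {...} would stop at the first nested closing brace and miss an "access" key declared after a "form" group.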

Code Quality Issues

3. Static \Drupal:: Calls in Classes (HIGH)

Count: 509 instances across modules

Static \Drupal:: service calls violate dependency injection principles and make code:

  • Hard to unit test
  • Tightly coupled to container
  • Difficult to maintain

Top Offenders:

  • Form classes using \Drupal::messenger()
  • Controllers using \Drupal::service()
  • Entity classes using \Drupal::entityTypeManager()

Remediation: Inject services via constructor or create() method.

4. Missing declare(strict_types=1) (MEDIUM)

Count: 594 PHP files

Strict types improve code quality and catch type errors early.

Remediation: Add to all PHP files:

    <?php

    declare(strict_types=1);

5. Missing Return Type Declarations (MEDIUM)

Count: 2,062 functions/methods

Return types are required for:

  • PHP 8.x best practices
  • Static analysis (PHPStan)
  • IDE autocompletion

Remediation: Add return types to all functions:

    public function getLabel(): string
    public function load(int $id): ?EntityInterface

6. Render Arrays Missing #cache Metadata (MEDIUM)

Count: 2,565 render arrays

Missing cache metadata causes:

  • Cache invalidation issues
  • Stale content display
  • Performance problems

Remediation: Add cache metadata to all render arrays:

    $build['content'] = [
      '#markup' => $content,
      '#cache' => [
        'contexts' => ['user.permissions'],
        'tags' => ['node_list'],
        'max-age' => 3600,
      ],
    ];

7. Direct File Operations (LOW)

Count: 67 file_put_contents() calls

Should use Drupal's FileSystem service for:

  • Proper stream wrapper support
  • Security handling
  • Logging integration

Remediation:

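    // Before
    file_put_contents($path, $content);

    // After (inside a class, inject the file_system service instead of
    // calling \Drupal::service(), per issue 3)
    \Drupal::service('file_system')->saveData($content, $path);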

8. Services Without Interfaces (LOW)

Count: 10+ services

Services should implement interfaces for:

  • Testability (mocking)
  • Swappability
  • Contract definition

Passing Checks

| Check | Status | Notes |
|---|---|---|
| NIH (Not Invented Here) | PASS | Proper use of AI, ECA, Key modules |
| Raw SQL Queries | PASS | All queries use Entity Query API |
| Paragraphs Module | PASS | Not using deprecated Paragraphs |
| Optional Dependencies | PASS | Proper @module patterns |
| Hook Implementations | PASS | Correct hook naming |
| Namespace Structure | PASS | PSR-4 compliant |

Remediation Status

Automated Fixes (In Progress)

| Issue | Agent Assigned | Status |
|---|---|---|
| Config Schema Generation | drupal-standards-worker | Spawned |
| Access Handler Creation | drupal-standards-worker | Spawned |
| Strict Types Addition | code-reviewer | Pending |

Manual Review Required

  • Service interface extraction
  • Cache metadata patterns
  • DI refactoring for complex classes

Priority Matrix

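| Priority | Issue | Count | Effort |
|---|---|---|---|
| P0 | Missing Config Schema | 129 | High |
| P0 | Missing Access Handlers | 9 | Medium |
| P1 | Static Drupal Calls | 509 | High |
| P2 | Missing Strict Types | 594 | Low (automated) |
| P2 | Missing Return Types | 2,062 | Medium |
| P3 | Cache Metadata | 2,565 | High |
| P3 | File Operations | 67 | Low |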

Next Steps

  1. Immediate: Fix all P0 issues (config schema, access handlers)
  2. This Sprint: Address P1 issues (static Drupal calls)
  3. Next Sprint: P2 issues (strict types, return types)
  4. Ongoing: P3 issues (cache metadata, file operations)

Audit Methodology

This audit was performed using:

  • PHPStan static analysis
  • PHPCS with Drupal coding standards ruleset
  • Custom grep patterns for anti-patterns
  • Entity annotation scanning
  • Config file inventory

Auditor: AI Compliance Agent
Review: Pending human review