Enhance documentation and introduce new rules for architectural constraints

Florian Krämer · Florian Krämer · commit 732423122c1a · 2026-02-10T00:07:44.000+01:00
- Updated README.md to mark the Dependency Constraints Rule as deprecated and introduced the new Forbidden Dependencies Rule, which enforces dependency constraints between namespaces.
- Added detailed documentation for the Forbidden Dependencies Rule and the Forbidden Static Methods Rule, outlining their configurations and use cases.
- Updated Rules.md to include descriptions and examples for the new rules, ensuring clarity on their functionalities.

These changes improve the clarity of the rules and provide guidance for users on enforcing architectural boundaries in their code.
diff --git a/README.md b/README.md
@@ -25,9 +25,11 @@ See individual rule documentation for detailed configuration examples. A [full c
 - [Class Must Be Readonly Rule](docs/rules/Class-Must-Be-Readonly-Rule.md)
 - [Class Must Have Specification Docblock Rule](docs/rules/Class-Must-Have-Specification-Docblock-Rule.md)
 - [Classname Must Match Pattern Rule](docs/rules/Classname-Must-Match-Pattern-Rule.md)
-- [Dependency Constraints Rule](docs/rules/Dependency-Constraints-Rule.md)
+- [Dependency Constraints Rule](docs/rules/Dependency-Constraints-Rule.md) *(deprecated, use Forbidden Dependencies Rule)*
 - [Forbidden Accessors Rule](docs/rules/Forbidden-Accessors-Rule.md)
+- [Forbidden Dependencies Rule](docs/rules/Forbidden-Dependencies-Rule.md)
 - [Forbidden Namespaces Rule](docs/rules/Forbidden-Namespaces-Rule.md)
+- [Forbidden Static Methods Rule](docs/rules/Forbidden-Static-Methods-Rule.md)
 - [Method Must Return Type Rule](docs/rules/Method-Must-Return-Type-Rule.md)
 - [Method Signature Must Match Rule](docs/rules/Method-Signature-Must-Match-Rule.md)
 - [Methods Returning Bool Must Follow Naming Convention Rule](docs/rules/Methods-Returning-Bool-Must-Follow-Naming-Convention-Rule.md)
diff --git a/docs/Rules.md b/docs/Rules.md
@@ -22,6 +22,18 @@ Forbids public and/or protected getters and setters on classes matching specifie
 
 See [Forbidden Accessors Rule documentation](rules/Forbidden-Accessors-Rule.md) for detailed information.
 
+## Forbidden Dependencies Rule
+
+Enforces dependency constraints between namespaces by checking `use` statements and optionally fully qualified class names (FQCNs). This rule prevents classes in one namespace from depending on classes in another, helping enforce architectural boundaries like layer separation.
+
+See [Forbidden Dependencies Rule documentation](rules/Forbidden-Dependencies-Rule.md) for detailed information.
+
+## Forbidden Static Methods Rule
+
+Forbids specific static method calls matching regex patterns. Supports namespace-level, class-level, and method-level granularity. The rule resolves `self`, `static`, and `parent` keywords to actual class names.
+
+See [Forbidden Static Methods Rule documentation](rules/Forbidden-Static-Methods-Rule.md) for detailed information.
+
 ## Property Must Match Rule
 
 Ensures that classes matching specified patterns have properties with expected names, types, and visibility scopes. Can optionally enforce that matching classes must have certain properties.
@@ -224,6 +236,16 @@ services:
         tags:
             - phpstan.rules.rule
 
+    # Forbid specific static method calls
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenStaticMethodsRule
+        arguments:
+            forbiddenStaticMethods:
+                - '/^App\\Legacy\\.*::.*/'
+                - '/^DateTime::createFromFormat$/'
+        tags:
+            - phpstan.rules.rule
+
     # Forbid accessors on domain entities
     -
         class: Phauthentic\PHPStanRules\Architecture\ForbiddenAccessorsRule
diff --git a/docs/rules/Forbidden-Dependencies-Rule.md b/docs/rules/Forbidden-Dependencies-Rule.md
@@ -0,0 +1,173 @@
+# Forbidden Dependencies Rule
+
+Enforces dependency constraints between namespaces by checking `use` statements and optionally fully qualified class names (FQCNs). This rule prevents classes in one namespace from depending on classes in another, helping enforce architectural boundaries like layer separation.
+
+> **Note:** This rule replaces the deprecated `DependencyConstraintsRule`. See [Dependency Constraints Rule](Dependency-Constraints-Rule.md) for migration details.
+
+## Configuration Example
+
+### Basic Usage (Use Statements Only)
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenDependenciesRule
+        arguments:
+            forbiddenDependencies: [
+                '/^App\\Domain(?:\\\w+)*$/': ['/^App\\Controller\\/']
+            ]
+        tags:
+            - phpstan.rules.rule
+```
+
+### With FQCN Checking Enabled
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenDependenciesRule
+        arguments:
+            forbiddenDependencies: [
+                '/^App\\Capability(?:\\\w+)*$/': [
+                    '/^DateTime$/',
+                    '/^DateTimeImmutable$/'
+                ]
+            ]
+            checkFqcn: true
+        tags:
+            - phpstan.rules.rule
+```
+
+### With Selective Reference Types
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenDependenciesRule
+        arguments:
+            forbiddenDependencies: [
+                '/^App\\Capability(?:\\\w+)*$/': [
+                    '/^DateTime$/',
+                    '/^DateTimeImmutable$/'
+                ]
+            ]
+            checkFqcn: true
+            fqcnReferenceTypes: ['new', 'param', 'return', 'property']
+        tags:
+            - phpstan.rules.rule
+```
+
+## Parameters
+
+- `forbiddenDependencies`: Array where keys are regex patterns for source namespaces and values are arrays of regex patterns for disallowed dependency namespaces.
+- `checkFqcn` (optional, default: `false`): Enable checking of fully qualified class names in addition to use statements.
+- `fqcnReferenceTypes` (optional, default: all types): Array of reference types to check when `checkFqcn` is enabled.
+- `allowedDependencies` (optional, default: `[]`): Whitelist that overrides forbidden dependencies. If a dependency matches both a forbidden pattern and an allowed pattern, it will be allowed.
+
+## FQCN Reference Types
+
+When `checkFqcn` is enabled, the following reference types can be checked:
+
+- `new` - Class instantiations (e.g., `new \DateTime()`)
+- `param` - Parameter type hints (e.g., `function foo(\DateTime $date)`)
+- `return` - Return type hints (e.g., `function foo(): \DateTime`)
+- `property` - Property type hints (e.g., `private \DateTime $date`)
+- `static_call` - Static method calls (e.g., `\DateTime::createFromFormat()`)
+- `static_property` - Static property access (e.g., `\DateTime::ATOM`)
+- `class_const` - Class constant (e.g., `\DateTime::class`)
+- `instanceof` - instanceof checks (e.g., `$x instanceof \DateTime`)
+- `catch` - catch blocks (e.g., `catch (\Exception $e)`)
+- `extends` - class inheritance (e.g., `class Foo extends \DateTime`)
+- `implements` - interface implementation (e.g., `class Foo implements \DateTimeInterface`)
+
+## Use Cases
+
+### Enforcing Layer Boundaries
+
+Prevent domain classes from depending on infrastructure or presentation layers:
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenDependenciesRule
+        arguments:
+            forbiddenDependencies:
+                '/^App\\Capability\\.*\\Domain/':
+                    - '/^App\\Capability\\.*\\Application/'
+                    - '/^App\\Capability\\.*\\Infrastructure/'
+                    - '/^App\\Capability\\.*\\Presentation/'
+                '/^App\\Capability\\.*\\Application/':
+                    - '/^App\\Capability\\.*\\Infrastructure/'
+                    - '/^App\\Capability\\.*\\Presentation/'
+        tags:
+            - phpstan.rules.rule
+```
+
+### Preventing DateTime Usage in Domain Layer
+
+Encourage the use of domain-specific date/time objects instead of PHP's built-in classes:
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenDependenciesRule
+        arguments:
+            forbiddenDependencies: [
+                '/^App\\Capability(?:\\\w+)*$/': [
+                    '/^DateTime$/',
+                    '/^DateTimeImmutable$/'
+                ]
+            ]
+            checkFqcn: true
+        tags:
+            - phpstan.rules.rule
+```
+
+This will catch:
+
+- `use DateTime;` (use statement)
+- `new \DateTime()` (instantiation)
+- `function foo(\DateTime $date)` (parameter type)
+- `function bar(): \DateTime` (return type)
+- `private \DateTime $date` (property type)
+- And all other reference types listed above
+
+### Whitelist with allowedDependencies
+
+The `allowedDependencies` parameter lets you create a "forbid everything except X" pattern. Dependencies matching both forbidden and allowed patterns will be allowed.
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenDependenciesRule
+        arguments:
+            forbiddenDependencies: [
+                '/^App\\Capability\\.*\\Domain$/': [
+                    '/.*\\\\.*/'
+                ]
+            ]
+            checkFqcn: true
+            allowedDependencies: [
+                '/^App\\Capability\\.*\\Domain$/': [
+                    '/^App\\Shared\\/',
+                    '/^App\\Capability\\/',
+                    '/^Psr\\/'
+                ]
+            ]
+        tags:
+            - phpstan.rules.rule
+```
+
+This will:
+
+- **Allow**: `App\Shared\ValueObject\Money`, `App\Capability\Billing\Invoice`, `Psr\Log\LoggerInterface`
+- **Forbid**: `Doctrine\ORM\EntityManager`, `Symfony\Component\HttpFoundation\Request`
+
+## Diagram
+
+```mermaid
+flowchart TD
+    A[Check Dependency] --> B{Matches forbidden pattern?}
+    B -->|No| C[Allow]
+    B -->|Yes| D{Matches allowed pattern?}
+    D -->|Yes| E[Allow - Override]
+    D -->|No| F[Report Error]
+```
+
+## Backward Compatibility
+
+By default, `checkFqcn` is `false` and `allowedDependencies` is empty, so existing configurations will continue to work exactly as before, checking only `use` statements. The new FQCN checking and allowedDependencies features must be explicitly enabled.
diff --git a/docs/rules/Forbidden-Static-Methods-Rule.md b/docs/rules/Forbidden-Static-Methods-Rule.md
@@ -0,0 +1,116 @@
+# Forbidden Static Methods Rule
+
+Forbids specific static method calls matching regex patterns. This rule checks static method calls against a configurable list of forbidden patterns and supports namespace-level, class-level, and method-level granularity.
+
+The rule resolves `self`, `static`, and `parent` keywords to the actual class name before matching, so forbidden patterns work correctly even when these keywords are used.
+
+## Configuration Example
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenStaticMethodsRule
+        arguments:
+            forbiddenStaticMethods:
+                - '/^App\\Legacy\\.*::.*/'
+                - '/^App\\Utils\\StaticHelper::.*/'
+                - '/^DateTime::createFromFormat$/'
+        tags:
+            - phpstan.rules.rule
+```
+
+## Parameters
+
+- `forbiddenStaticMethods`: Array of regex patterns to match against static method calls. Patterns are matched against the format `FQCN::methodName`.
+
+## Pattern Granularity
+
+Patterns match against the fully qualified class name followed by `::` and the method name. This allows you to forbid static calls at different levels of granularity:
+
+### Namespace-level
+
+Forbid all static calls to any class in a namespace:
+
+```neon
+    forbiddenStaticMethods:
+        - '/^App\\Legacy\\.*::.*/'
+```
+
+This forbids calls like `App\Legacy\LegacyHelper::doSomething()` and `App\Legacy\OldService::run()`.
+
+### Class-level
+
+Forbid all static calls on a specific class:
+
+```neon
+    forbiddenStaticMethods:
+        - '/^App\\Utils\\StaticHelper::.*/'
+```
+
+This forbids all static method calls on `App\Utils\StaticHelper`, regardless of the method name.
+
+### Method-level
+
+Forbid a specific static method on a specific class:
+
+```neon
+    forbiddenStaticMethods:
+        - '/^DateTime::createFromFormat$/'
+```
+
+This forbids only `DateTime::createFromFormat()` while allowing other static methods like `DateTime::getLastErrors()`.
+
+## Use Cases
+
+### Forbid Legacy Static Helpers
+
+Prevent usage of legacy static helper classes to encourage dependency injection:
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenStaticMethodsRule
+        arguments:
+            forbiddenStaticMethods:
+                - '/^App\\Legacy\\.*::.*/'
+                - '/^App\\Helpers\\.*::.*/'
+        tags:
+            - phpstan.rules.rule
+```
+
+### Forbid Specific Factory Methods
+
+Forbid using static factory methods on certain classes while allowing other static methods:
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenStaticMethodsRule
+        arguments:
+            forbiddenStaticMethods:
+                - '/^DateTime::createFromFormat$/'
+                - '/^DateTime::createFromTimestamp$/'
+        tags:
+            - phpstan.rules.rule
+```
+
+### Forbid All Static Calls in Domain Layer
+
+Combine with a broad pattern to forbid all static calls from specific namespaces:
+
+```neon
+    -
+        class: Phauthentic\PHPStanRules\Architecture\ForbiddenStaticMethodsRule
+        arguments:
+            forbiddenStaticMethods:
+                - '/^Illuminate\\Support\\Facades\\.*::.*/'
+        tags:
+            - phpstan.rules.rule
+```
+
+## Handling of self, static, and parent
+
+The rule resolves the keywords `self`, `static`, and `parent` to the actual fully qualified class name before matching against the forbidden patterns. This means:
+
+- `self::create()` inside `App\Service\MyService` is matched as `App\Service\MyService::create`
+- `static::create()` inside `App\Service\MyService` is matched as `App\Service\MyService::create`
+- `parent::create()` inside a child class is matched against the parent class name
+
+Dynamic class names (e.g., `$class::method()`) and dynamic method names (e.g., `DateTime::$method()`) are skipped.
