qoliber / nebula-admin-theme
Nebula admin theme and modules for Magento 2 / Mage-OS. Targets Magento 2.4.7+ (or Mage-OS 2.0+) on PHP 8.1+.
Nebula — Modern Admin Theme for Magento 2 / Mage-OS
Replace Magento's legacy admin theme — bring it into the 21st century.
Nebula modernizes the Magento Admin with a faster interface, cleaner workflows,
dark mode, and developer-friendly customization — without forcing you to
replace Magento itself. It runs alongside your existing store on
Magento 2.4.7+ (or Mage-OS 2.0+) and PHP 8.1+.
Why Nebula
| ⚡ Faster | Native ES modules replace RequireJS; vanilla JS replaces jQuery; Alpine.js 3 replaces KnockoutJS. |
| 🎨 Beautiful | Tailwind CSS 4 styling, dark mode, and 18 built-in skins for client-specific branding. |
| 🧩 Composable | JSON-driven forms and grids plus reusable snippets — clearer definitions in place of sprawling XML UI Components. |
| 🛠️ Developer-friendly | A simpler, more maintainable admin stack. Easier grid and form extensions, fewer moving parts. |
| 🚀 Zero build step | Ships with compiled assets — install and go. |
Who it's for
- Store owners & admin teams — faster daily order, catalog, and content
workflows, with dark mode and pinned navigation. Modernize the back office
without changing your commerce platform. - Developers — a cleaner admin architecture with JSON definitions instead
of XML UI patterns, and straightforward extension points. - Agencies — quicker admin improvements, client branding via skins, and
lower back-office customization costs.
Highlights
- JSON-driven UI — admin forms and grids defined as JSON, with a library of
reusable composable snippets. - Modern frontend — Alpine.js 3, Tailwind CSS 4, native ES modules, no
RequireJS/KnockoutJS/jQuery. - Dark mode + skins — multiple built-in themes; brand per client.
- Focused modules — a clean, modular package (see below) you can adopt
incrementally. - Well tested — extensive PHPUnit and Vitest coverage, plus bridge tests for
third-party compatibility.
Installation
composer require qoliber/nebula-admin-theme
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush
Then activate the Nebula theme under
Stores → Configuration → Design (adminhtml), or assign it as the admin
theme for your environment.
Requirements
- Magento 2.4.7+ or Mage-OS 2.0+
- PHP 8.1+
Modules
This package ships the following focused modules:
| Module | Responsibility |
|---|---|
Qoliber_Nebula |
Package umbrella + shared configuration |
Qoliber_NebulaComponent |
Core component framework (definitions, snippets, registries) |
Qoliber_NebulaForm |
JSON-driven admin forms |
Qoliber_NebulaGrid |
JSON-driven admin grids |
Qoliber_NebulaTheme |
Theme integration + data providers |
Qoliber_NebulaMenu |
Admin navigation / menu |
Qoliber_NebulaSkin |
Tailwind CSS styling and skins |
Qoliber_NebulaMedia |
Media browser / picker |
Qoliber_NebulaQuill |
Quill WYSIWYG editor integration |
Qoliber_NebulaDirective |
Widget / directive support |
Qoliber_NebulaStore |
Stores, websites, and design-config screens |
Qoliber_NebulaSystem |
System pages and tooling |
Qoliber_NebulaReports |
Reports grids |
Qoliber_NebulaCurrency |
Currency screens |
Qoliber_NebulaUser |
Admin users and roles |
Qoliber_NebulaUiRemoval |
Disables Magento's UI Component reader/generator where Nebula replaces it |
License
Nebula is released under the Nebula Community License (NCL) — a
source-available license. See LICENSE.md for the full terms.
Brought to you by
Changelog — Qoliber Nebula
All notable changes to the Nebula admin theme are recorded here.
The format follows Keep a Changelog;
the project aims to follow Semantic Versioning.
[0.9.0]
Added
- Five modules promoted to the public package:
Qoliber_NebulaCurrency,
Qoliber_NebulaDirective,Qoliber_NebulaReports,Qoliber_NebulaSystem,
andQoliber_NebulaUser. The package now ships 16 modules plus the theme.
Changed
registration.phpupdated to list the published modules.- Version bumped to
0.9.0.
Security
- Grid request hardening — whitelist filter and sort columns against the
grid definition and clamppageSize(MAX_PAGE_SIZE = 200) across all data
providers (CollectionProvider,ProductProvider,CustomerGridProvider,
SalesRuleCouponsGridProvider,AgreementGridProvider,AttributeSetProvider). - Media browser —
MediaPickerrejects path-traversal segments and asserts
the resolved file stays under the media root before deletion. - Toast notifications — render admin messages as text (
textContent),
closing a DOM-XSS vector. DefinitionAccessControltreats an emptyaclstring as unset and falls back
toMagento_Backend::admin(default-deny).
Internal
- Snippet templates no longer use
ObjectManager::getInstance(); ViewModels are
injected viaSnippetViewModelRegistry(or layout XML), throwing if a
view_modelis missing instead of silently service-locating. - Complete PHPDoc coverage on changed PHP (FQDN
@param/@return).
[0.8.0]
Added
- Initial public release.
Requires 2
| Package | Constraint |
|---|---|
| magento/framework | ^103.0 |
| php | ^8.1 |
Compatibility
Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.
Code Quality
Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge. A phpcs finding can't make a module incompatible.
Static analysis
Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.
| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Fail | 2995 | 104 errors, 2891 warnings (ruleset: Magento2) — 778 auto-fixable with phpcbf |
| PHPMD | Warning | 190 | 190 rule violations (MissingImport:68, CyclomaticComplexity:29, UnusedFormalParameter:29, NPathComplexity:23, ExcessiveClassComplexity:11) |
| Cpd | Warning | 13 | 13 duplicated chunks spanning 357 total lines (min-lines=5, min-tokens=70) |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |
PHPStan
Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases.
Tests
Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.
Unit tests
| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | ||
| 2.4.8 | N/A | N/A | ||
| 2.4.9 | N/A | N/A |
Integration tests
| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | ||
| 2.4.8 | N/A | N/A | ||
| 2.4.9 | N/A | N/A |
Security
Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.
More from qoliber
View vendorTurn an existing module into recurring revenue.
If you already maintain a Magento 2 module on GitHub or GitLab, listing it on Packagento takes about five minutes. We mirror your tags, handle distribution signing, and route paid licenses through Stripe Connect, so you can keep shipping the way you already do.