chore(phase-3): add PHPStan/PHPCS configs, CI workflow, and Phase 3 plan doc; install dev tools

Author: BitsHost

.github/workflows/ci.yml

@@ -0,0 +1,58 @@
+name: CI
+
+on:
+  push:
+    branches: [ main, refactor-phase-2, feature/** ]
+  pull_request:
+    branches: [ main, refactor-phase-2 ]
+
+jobs:
+  build-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        php: [ '8.0', '8.1', '8.2', '8.3' ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: mbstring, json, pdo, pdo_mysql
+          coverage: none
+
+      - name: Validate composer.json and composer.lock
+        run: composer validate --no-check-publish
+
+      - name: Install dependencies
+        run: composer install --no-interaction --no-progress --prefer-dist
+
+      - name: Generate autoload
+        run: composer dump-autoload -o
+
+      - name: PHPStan
+        run: |
+          if [ -f phpstan.neon ] || [ -f phpstan.neon.dist ]; then \
+            vendor/bin/phpstan analyse --no-progress; \
+          else \
+            echo "Skipping PHPStan"; \
+          fi
+
+      - name: PHPCS
+        run: |
+          if [ -f phpcs.xml ] || [ -f phpcs.xml.dist ]; then \
+            vendor/bin/phpcs; \
+          else \
+            echo "Skipping PHPCS"; \
+          fi
+
+      - name: PHPUnit
+        run: |
+          if [ -f phpunit.xml ] || [ -f phpunit.xml.dist ]; then \
+            vendor/bin/phpunit -c phpunit.xml; \
+          else \
+            echo "Skipping PHPUnit"; \
+          fi

composer.json

@@ -25,10 +25,12 @@
     }
   },
   "require-dev": {
-    "phpunit/phpunit": "^10.0"
+    "phpunit/phpunit": "^10.0",
+    "phpstan/phpstan": "^2.1",
+    "squizlabs/php_codesniffer": "^4.0"
   },
   "support": {
     "issues": "https://github.com/BitsHost/php-crud-api-generator/issues",
     "source": "https://github.com/BitsHost/php-crud-api-generator"
   }
-}
+}

docs/PHASE_3_PLAN.md

@@ -0,0 +1,65 @@
+# Phase 3: Hardening and Release Prep
+
+Branch: `feature/phase-3-hardening` (based on `refactor-phase-2`)
+
+## Goals
+- Stabilize API and internal structure (no feature creep)
+- High-confidence release quality: tests + static analysis + style checks
+- Updated documentation (user + developer)
+- Green CI across PHP 8.0–8.3
+
+## Success Criteria
+- Build: Composer autoload OK
+- Static analysis: PHPStan level 7 (target 8)
+- Style: PHPCS PSR-12 clean
+- Tests: PHPUnit passing; coverage ≥ 70% (stretch: 80%+)
+- CI: Green on PR (lint + static + tests)
+- Docs: Up to date (Quickstart, Config, Endpoints, Security, Caching, Observability)
+
+## Workstream Breakdown
+
+### 1) Tests
+- Unit tests for:
+  - Http: Response, ErrorResponder, Middleware (CORS, RateLimit)
+  - Auth: Authenticator (apikey/basic/jwt + DB auth path), role retrieval
+  - Security: Rbac, RbacGuard, RateLimiter
+  - Database: SchemaInspector (via mock PDO), Dialects (quoting)
+  - ApiGenerator: list/count filters, sort, pagination; CRUD behaviors
+  - Observability: RequestLogger, Monitor (metrics, alerts)
+  - Docs: OpenApiGenerator minimal spec
+- Integration smoke tests for Router (list/read/create/update/delete/openapi/login)
+
+### 2) Static Analysis + Style
+- PHPStan config: `phpstan.neon.dist` (level 7 → iterate up)
+- PHPCS config: `phpcs.xml.dist` (PSR-12)
+- Address critical findings; schedule non-critical fixes post-freeze
+
+### 3) CI Pipeline
+- GitHub Actions: `.github/workflows/ci.yml`
+  - Matrix: PHP 8.0, 8.1, 8.2, 8.3
+  - Steps: composer validate → install → dump-autoload → phpstan → phpcs → phpunit
+
+### 4) Docs Updates
+- README: Quickstart with `App\Application\Router` entrypoint
+- CONFIG: `config/api.php` and `config/cache.php` options aligned with `ApiConfig`/`CacheConfig`
+- Endpoints: Actions, filters, sorting, pagination, bulk
+- Security: Auth methods + RBAC usage, examples; rate limit headers
+- Observability: RequestLogger/Monitor paths, rotation/cleanup
+- Caching: CacheManager TTLs, exclusions, varyBy
+- Migration: v2.0.0-dev hard break (wrappers removed; canonical namespaces only)
+
+## Execution Sequence (Suggested)
+1) Baseline run (build/static/tests) → capture issues
+2) Add/fix unit tests per module → quick iterations
+3) Router integration smoke tests
+4) Raise PHPStan level and fix high-signal findings
+5) CI green across matrix
+6) Final docs refresh + examples
+
+## Risk & Mitigation
+- DB-dependent tests: prefer mocks for unit; add optional integration profile later
+- Platform differences (Windows paths): tests use sys_get_temp_dir() and portable paths
+- Flaky tests (timing, rate limit): use deterministic settings in test env
+
+---
+Maintainer note: Keep PRs small and focused (tests per module); keep branch scoped to hardening only.

phpcs.xml.dist

@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<ruleset name="PHP-CRUD-API-Generator Coding Standards">
+  <description>PSR-12 with project-specific exclusions.</description>
+  <rule ref="PSR12" />
+
+  <file>src</file>
+  <file>tests</file>
+
+  <exclude-pattern>vendor/*</exclude-pattern>
+  <exclude-pattern>storage/*</exclude-pattern>
+  <exclude-pattern>logs/*</exclude-pattern>
+
+  <!-- Allow long lines in generated docs/tests -->
+  <rule ref="Generic.Files.LineLength">
+    <properties>
+      <property name="lineLimit" value="160"/>
+      <property name="absoluteLineLimit" value="0"/>
+    </properties>
+  </rule>
+</ruleset>

phpstan.neon.dist

@@ -0,0 +1,9 @@
+parameters:
+  level: 7
+  paths:
+    - src
+    - tests
+  ignoreErrors:
+    - '#Cannot call method (.*) on mixed#'
+  reportUnmatchedIgnoredErrors: true
+  tmpDir: .phpstan