Bug Fixes

Author: PDowney

CHANGELOG.md

@@ -53,6 +53,8 @@
 - **Trailing Whitespace**: Removed trailing whitespace (tabs on blank lines) across `export.php`, `download.php`, `cleanup.php`, `admin-page.php`, and `security.php`.
 - **JS File Header**: Converted `admin.js` file header from JSDoc (`/** @package`, `@since`) to plain block comment to avoid TSDoc linter false positives.
 - **Bulk Cleanup Complexity**: Extracted per-file deletion logic from `sse_bulk_cleanup_exports_handler()` into `sse_cleanup_expired_export_file()` helper, reducing cyclomatic complexity from 13 to 8 and NPath complexity from 336 to under 200.
+- **PHPStan Array Shape**: Added `array{filepath: string, filename: string}` shape annotation to `sse_validate_export_file_path()` return type in `security.php`, resolving level-6 error.
+- **PHPStan Ignore Cleanup**: Removed three obsolete `ignoreErrors` patterns from `phpstan.neon` (`$post`, `$wp_query`, `$wpdb`) that are now resolved by the WordPress stubs.
 
 ## 2.0.0 - March 1, 2026
 

includes/security.php

@@ -262,7 +262,7 @@ function sse_validate_filename_format( string $filename ) {
  *
  * @since 2.0.0
  * @param string $filename The filename to validate.
- * @return array|WP_Error Result array with file data or WP_Error on failure.
+ * @return array{filepath: string, filename: string}|WP_Error Result array with file data or WP_Error on failure.
  */
 function sse_validate_export_file_path( string $filename ) {
 	// Get the full path to the file.

phpstan.neon

@@ -16,8 +16,4 @@ parameters:
 
     treatPhpDocTypesAsCertain: false
 
-    ignoreErrors:
-        # Ignore WordPress global variables that might not be defined in test context
-        - '#Variable \$wpdb might not be defined#'
-        - '#Variable \$wp_query might not be defined#'
-        - '#Variable \$post might not be defined#'
+    ignoreErrors: []

readme.txt

@@ -129,6 +129,8 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 * **Code Quality**: Removed trailing whitespace across 5 include files
 * **Code Quality**: Converted `admin.js` file header to plain block comment (avoids TSDoc linter false positives)
 * **Code Quality**: Extracted `sse_cleanup_expired_export_file()` from bulk cleanup handler to reduce cyclomatic/NPath complexity
+* **Code Quality**: Added `array{filepath, filename}` shape annotation to `sse_validate_export_file_path()` return type
+* **Code Quality**: Removed obsolete PHPStan ignore patterns for WordPress globals now covered by stubs
 
 = 2.0.0 =
 * **Critical Fix**: Fixed bug where automatic export file cleanup via WordPress cron was completely broken due to referer validation blocking cron-triggered deletions