feat: bootstrap pdf signature validator package

Add complete package structure with parser/model APIs, quality gates, CI workflows, and focused tests.\n\nResolve static-analysis blockers (phpmd/psalm), keep all core checks green, and improve mutation-testing quality coverage with additional real-fixture and crypto tests.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

.github/dependabot.yml

@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/phpunit"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/psalm"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/phpstan"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/php-cs-fixer"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/phpmd"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/rector"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/infection"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "composer"
+    directory: "/vendor-bin/deptrac"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/deptrac.yml

@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+name: Deptrac
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deptrac-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  php-version:
+    runs-on: ubuntu-latest
+    outputs:
+      min: ${{ steps.php.outputs.min }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Read PHP min version from composer.json
+        id: php
+        run: |
+          min=$(jq -r '.require.php' composer.json | grep -oP '\d+\.\d+' | head -1)
+          echo "min=$min" >> $GITHUB_OUTPUT
+
+  deptrac:
+    runs-on: ubuntu-latest
+    needs: php-version
+    name: deptrac
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up PHP ${{ needs.php-version.outputs.min }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ needs.php-version.outputs.min }}
+          tools: composer:v2
+          coverage: none
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Run Deptrac
+        run: composer run deptrac
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: deptrac
+    if: always()
+    name: deptrac-summary
+    steps:
+      - name: Summary status
+        run: if ${{ needs.deptrac.result != 'success' && needs.deptrac.result != 'skipped' }}; then exit 1; fi

.github/workflows/lint-php-cs.yml

@@ -0,0 +1,66 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+name: Lint PHP CS
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: lint-php-cs-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  php-version:
+    runs-on: ubuntu-latest
+    outputs:
+      min: ${{ steps.php.outputs.min }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Read PHP min version from composer.json
+        id: php
+        run: |
+          min=$(jq -r '.require.php' composer.json | grep -oP '\d+\.\d+' | head -1)
+          echo "min=$min" >> $GITHUB_OUTPUT
+
+  cs-check:
+    runs-on: ubuntu-latest
+    needs: php-version
+
+    name: php-cs
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up PHP ${{ needs.php-version.outputs.min }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ needs.php-version.outputs.min }}
+          tools: composer:v2
+          coverage: none
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Check coding standard
+        run: composer run cs:check || ( echo 'Please run `composer run cs:fix` to format your code' && exit 1 )
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: cs-check
+    if: always()
+    name: lint-php-cs-summary
+    steps:
+      - name: Summary status
+        run: if ${{ needs.cs-check.result != 'success' && needs.cs-check.result != 'skipped' }}; then exit 1; fi

.github/workflows/lint-php.yml

@@ -0,0 +1,62 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+name: Lint PHP
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: lint-php-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  php-version:
+    runs-on: ubuntu-latest
+    outputs:
+      min: ${{ steps.php.outputs.min }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Read PHP min version from composer.json
+        id: php
+        run: |
+          min=$(jq -r '.require.php' composer.json | grep -oP '\d+\.\d+' | head -1)
+          echo "min=$min" >> $GITHUB_OUTPUT
+
+  lint:
+    runs-on: ubuntu-latest
+    needs: php-version
+
+    name: php-lint
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up PHP ${{ needs.php-version.outputs.min }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ needs.php-version.outputs.min }}
+          coverage: none
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Lint
+        run: composer run lint
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: lint
+    if: always()
+    name: lint-php-summary
+    steps:
+      - name: Summary status
+        run: if ${{ needs.lint.result != 'success' && needs.lint.result != 'skipped' }}; then exit 1; fi

.github/workflows/mutation-tests.yml

@@ -0,0 +1,62 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+name: Mutation tests
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: mutation-${{ github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  php-version:
+    runs-on: ubuntu-latest
+    outputs:
+      min: ${{ steps.php.outputs.min }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Read PHP min version from composer.json
+        id: php
+        run: |
+          min=$(jq -r '.require.php' composer.json | grep -oP '\d+\.\d+' | head -1)
+          echo "min=$min" >> $GITHUB_OUTPUT
+
+  infection:
+    runs-on: ubuntu-latest
+    needs: php-version
+
+    name: infection PHP ${{ needs.php-version.outputs.min }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Set up PHP ${{ needs.php-version.outputs.min }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ needs.php-version.outputs.min }}
+          tools: composer:v2
+          coverage: xdebug
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Run mutation tests
+        env:
+          XDEBUG_MODE: coverage
+        run: composer run test:mutation

.github/workflows/phpmd.yml

@@ -0,0 +1,66 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+name: PHPMD
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: phpmd-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  php-version:
+    runs-on: ubuntu-latest
+    outputs:
+      min: ${{ steps.php.outputs.min }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Read PHP min version from composer.json
+        id: php
+        run: |
+          min=$(jq -r '.require.php' composer.json | grep -oP '\d+\.\d+' | head -1)
+          echo "min=$min" >> $GITHUB_OUTPUT
+
+  phpmd:
+    runs-on: ubuntu-latest
+    needs: php-version
+
+    name: phpmd
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up PHP ${{ needs.php-version.outputs.min }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ needs.php-version.outputs.min }}
+          tools: composer:v2
+          coverage: none
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Run PHPMD
+        run: composer run phpmd
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: phpmd
+    if: always()
+    name: phpmd-summary
+    steps:
+      - name: Summary status
+        run: if ${{ needs.phpmd.result != 'success' && needs.phpmd.result != 'skipped' }}; then exit 1; fi