fix(cache:clear): resolve effective cache path per tool with adversarial coverage

cache:clear now reads the real cache location instead of relying on hard-coded
defaults. Each job parses its native config (NEON, XML, PHP) where possible,
falls back to the documented default otherwise, and surfaces a warning when
the config uses an expression we can't resolve statically.

Bugs fixed during the adversarial audit (would have hit real-world configs):
- PHPStan tmpDir inside services: was misread as PHPStan's tmpDir; now requires
  top-level parameters: context.
- PHPStan/Rector/PhpCsFixer regex picked the first match; now last-wins to
  match runtime behaviour, with comments stripped via token_get_all.
- PHPStan: dynamic-last call after a static call now returns null instead of
  the stale path.
- PHPUnit: cacheDirectory (10+) wins over deprecated cacheResultFile when both
  are present; previous order was inverted.
- Rector default fixed to sys_get_temp_dir().'/rector_cached_files' (was
  /tmp/rector, also non-portable on Windows).
- PHPMD default fixed to .phpmd.result.cache (was .phpmd.cache).
- PHPCS multiple <arg name=cache>: last-wins.
- Meta-args with whitespace-only values trim and fall back to the default.

Last-resort meta-arg cache-dir on RectorJob (no CLI override exists in Rector);
PHPStan emits a placeholder-warning when tmpDir uses %env.X% or similar
unsupported placeholders. PhpCsFixer/PHPCS escape via their real CLI flags.

Docs in docs/cli/cache-clear.md spell out the precedence per tool and warn
that cache-dir is a last-resort with desync risk.

Author: Test

app/Commands/CacheClearCommand.php

@@ -122,16 +122,17 @@ private function clearJobCaches(array $jobs): int
         foreach ($jobs as $name => $jobConfig) {
             $jobInstance = $this->jobRegistry->create($jobConfig);
             $cachePaths = $jobInstance->getCachePaths();
+            $resolutionWarning = $jobInstance->getCacheResolutionWarning();
 
             foreach ($cachePaths as $path) {
-                $cleared += $this->clearPath($name, $path);
+                $cleared += $this->clearPath($name, $path, $resolutionWarning);
             }
         }
 
         return $cleared;
     }
 
-    private function clearPath(string $jobName, string $path): int
+    private function clearPath(string $jobName, string $path, ?string $resolutionWarning = null): int
     {
         if (is_dir($path)) {
             $this->deleteDirectory($path);
@@ -145,7 +146,8 @@ private function clearPath(string $jobName, string $path): int
             return 1;
         }
 
-        $this->line("  \e[90m- $jobName: $path (not found)\e[0m");
+        $suffix = $resolutionWarning !== null ? " — $resolutionWarning" : '';
+        $this->line("  \e[90m- $jobName: $path (not found)$suffix\e[0m");
         return 0;
     }
 

docs/changelog.md

@@ -7,6 +7,15 @@ All notable changes to this project are documented here.
 ### Fixed
 
 - `--fast` / `--fast-branch` no longer leave non-accelerable jobs (`phpunit`, `paratest`, `phpcpd`, `script`, `custom`, `composer-*`) running their full suites when the effective input set is empty (no staged files / no diff vs base). The skip is now universal: any job — accelerable or not, with or without `paths` declared — is skipped with reason `no changes to validate` when the mode produced no input. Restores parity with the v2.x contract ("nothing changed = nothing to run"). Implemented in [`FlowPreparer::filterJobForMode()`](../src/Execution/FlowPreparer.php#L244) via a new universal guard backed by [`ExecutionContext::isEffectiveSetEmpty()`](../src/Execution/ExecutionContext.php). Decision-table coverage in [`tests/Unit/Execution/FlowPreparerTest.php`](../tests/Unit/Execution/FlowPreparerTest.php) (`it_filters_jobs_per_mode_decision_table` with 20 rows).
+- `cache:clear` now resolves the **effective** cache path for each job instead of relying on hard-coded defaults. Previously the command read a regex on the top-level `.neon` (PHPStan, ignoring `includes:` and placeholders) and used hard-coded literals for every other tool — `cache:clear` silently reported "not found" while the real cache lived elsewhere. After the fix:
+    - PHPStan: `tmpDir:` is followed through `includes:` recursively (cycle-safe) and `%currentWorkingDirectory%` / `%rootDir%` are expanded.
+    - Psalm: reads `cacheDirectory` from `psalm.xml`, resolved relative to the XML.
+    - PHPCS: reads job arg `cache`, then `<arg name="cache" value="..."/>` from the ruleset.
+    - PHPUnit: reads `cacheResultFile` and `cacheDirectory` (10+) from `phpunit.xml` / `phpunit.xml.dist`.
+    - Rector: best-effort regex over `cacheDirectory(...)` in `rector.php` (literal, `__DIR__ . '/literal'`, `sys_get_temp_dir() . '/literal'`). Default fixed to `sys_get_temp_dir() . '/rector_cached_files'` (was incorrect `/tmp/rector`, also non-portable on Windows).
+    - PHP-CS-Fixer: best-effort regex over `setCacheFile(...)` in `.php-cs-fixer.php`; respects job arg `cache-file` over the config (matching what php-cs-fixer itself does).
+    - PHPMD: default fixed to `.phpmd.result.cache` (was incorrect `.phpmd.cache`).
+- When Rector / PHP-CS-Fixer config uses a dynamic expression for the cache path (variable, helper, env), `cache:clear` falls back to the default and surfaces a warning explaining why and how to override. Last-resort meta-arg `cache-dir` on the Rector job lets users force a path; PHP-CS-Fixer relies on its existing `cache-file` arg (which the tool itself respects as `--cache-file`). See [`docs/cli/cache-clear.md`](cli/cache-clear.md).
 
 ## [3.3.0]
 

docs/cli/cache-clear.md

@@ -12,15 +12,83 @@ githooks cache:clear [names...] [--config=PATH]
 
 Accepts job names, flow names (resolved to their jobs), or a mix. Without arguments, clears caches for all configured jobs.
 
-## Default cache locations
-
-| Tool | Default cache |
-|---|---|
-| PHPStan | `{sys_get_temp_dir}/phpstan/` (or `tmpDir` from `.neon` config) |
-| PHPMD | `.phpmd.cache` (or `cache-file` from job config) |
-| PHPCS | `.phpcs.cache` |
-| Psalm | `.psalm/cache/` |
-| PHPUnit | `.phpunit.result.cache` |
+## How the cache path is resolved
+
+GitHooks tries to find the **effective** cache path for each job, in this order of precedence:
+
+1. **Job arg in `githooks.php`** — if the tool accepts a CLI flag for the cache, declaring it on the job is the most reliable option.
+2. **Tool's native config file** — for tools whose cache config is declarative (NEON, XML), the path is parsed from there. Includes are followed and placeholders expanded where applicable.
+3. **Default** — the tool's documented default.
+
+| Tool | Native config source | Default if nothing declared |
+|---|---|---|
+| **PHPStan** | `tmpDir:` in the `.neon` (follows `includes:` recursively, expands `%currentWorkingDirectory%` and `%rootDir%`) | `{sys_get_temp_dir}/phpstan/` |
+| **Psalm** | `cacheDirectory` attribute in `psalm.xml` (resolved relative to the XML) | `.psalm/cache/` |
+| **PHPCS** | Job arg `cache` → `<arg name="cache" value="..."/>` in the ruleset XML | `.phpcs.cache` |
+| **PHPUnit** | `cacheResultFile` / `cacheDirectory` attribute in `phpunit.xml` (or `phpunit.xml.dist`, resolved relative to the XML) | `.phpunit.result.cache` |
+| **PHPMD** | Job arg `cache-file` | `.phpmd.result.cache` |
+| **Rector** | Best-effort regex over `cacheDirectory(...)` in `rector.php` (recognises literals, `__DIR__ . '/literal'`, `sys_get_temp_dir() . '/literal'`) | `{sys_get_temp_dir}/rector_cached_files` |
+| **PHP-CS-Fixer** | Job arg `cache-file` (passed as `--cache-file` to the tool, which respects it over the config) → best-effort regex over `setCacheFile(...)` in `.php-cs-fixer.php` | `.php-cs-fixer.cache` |
+
+## Last-resort override: `cache-dir` (Rector only)
+
+When `rector.php` sets `cacheDirectory()` with a dynamic expression — a variable, an environment helper, a custom function — GitHooks **cannot** resolve the path statically. In that case `cache:clear` falls back to the default and prints a warning:
+
+```
+- rector_src: /tmp/rector_cached_files (not found — could not parse cacheDirectory() in rector.php (uses a variable or helper); declare 'cache-dir' on the job to override (last-resort, see docs))
+```
+
+To make `cache:clear` work in this scenario, declare `cache-dir` on the job in `githooks.php` with the **same path** that `rector.php` ends up resolving:
+
+```php
+'rector_src' => [
+    'type'      => 'rector',
+    'config'    => 'rector.php',
+    'cache-dir' => '.rector-cache',   // last-resort override
+    'paths'     => ['src'],
+],
+```
+
+!!! warning "Use only when strictly necessary"
+
+    `cache-dir` duplicates information that already lives in `rector.php`. If you change the path in one file and forget the other, **`cache:clear` will silently delete the wrong (or no) directory** while the real cache stays intact. The default behaviour — let GitHooks parse the config — is always preferable. Reach for `cache-dir` only when:
+
+    - your `rector.php` uses a variable, environment helper, or custom function for `cacheDirectory()`, and
+    - you have a pipeline (CI, Makefile, hook) that relies on `cache:clear` doing the right thing.
+
+    Otherwise prefer rewriting `cacheDirectory()` to a literal or `__DIR__ . '/literal'` form, which GitHooks parses automatically.
+
+## PHPCS with chained rulesets
+
+If your `phpcs.xml` includes another ruleset with `<rule ref="Vendor/Other.xml"/>` and that included ruleset defines `<arg name="cache" value="..."/>`, **GitHooks does not follow refs** — only the cache declaration in the directly referenced ruleset is read.
+
+The fix is the same single-source-of-truth pattern as PHP-CS-Fixer: declare `cache` on the job. PHPCS treats it as the CLI flag `--cache=PATH`, which **wins over any `<arg name="cache">`** in any ruleset (including the included ones). Both runtime and `cache:clear` end up using the path you declared:
+
+```php
+'phpcs_src' => [
+    'type'     => 'phpcs',
+    'standard' => 'qa/phpcs.xml',
+    'cache'    => 'qa/phpcs.cache',   // CLI flag, wins over ruleset (incl. <rule ref>)
+    'paths'    => ['src'],
+],
+```
+
+No duplication risk: phpcs **uses** the path you declared, so the runtime cache and the path that `cache:clear` deletes are guaranteed to match.
+
+## PHP-CS-Fixer caveat
+
+If `.php-cs-fixer.php` sets `setCacheFile()` with a dynamic expression, the same warning is emitted. **Do not** add a meta-arg here — instead use `cache-file` on the job:
+
+```php
+'php_cs_fixer' => [
+    'type'       => 'php-cs-fixer',
+    'config'     => '.php-cs-fixer.php',
+    'cache-file' => '.cache/php-cs-fixer.cache',
+    'paths'      => ['src'],
+],
+```
+
+`cache-file` is a real CLI flag (`--cache-file=...`) that the tool itself respects over `setCacheFile()`. There is no duplication risk: php-cs-fixer **uses** the path you declared, so the runtime cache and the path that `cache:clear` deletes are guaranteed to match.
 
 ## Examples
 

src/Configuration/JobConfiguration.php

@@ -365,7 +365,7 @@ private static function validateArguments(
             // 'time-budget' is recognised so the unknown-key loop doesn't emit a
             // duplicate warning; the dedicated check in validateTimeBudgetKeys()
             // already rejects it as an error (BUG-10).
-            ['executable-path', 'other-arguments', 'ignore-errors-on-exit', 'fail-fast', 'paths', 'rules', 'script', 'accelerable', 'execution', 'executable-prefix', 'cores', 'warn-after', 'fail-after', 'memory', 'time-budget']
+            ['executable-path', 'other-arguments', 'ignore-errors-on-exit', 'fail-fast', 'paths', 'rules', 'script', 'accelerable', 'execution', 'executable-prefix', 'cores', 'warn-after', 'fail-after', 'memory', 'time-budget', 'cache-dir']
         );
 
         self::reportUnknownAndCliOnlyJobKeys($name, $type, $config, $knownKeys, $result);

src/Jobs/CacheResolver/PhpConfigCacheResolver.php

@@ -0,0 +1,185 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Wtyd\GitHooks\Jobs\CacheResolver;
+
+/**
+ * Static-best-effort cache path extractor for PHP config files (rector.php,
+ * .php-cs-fixer.php).
+ *
+ * These tools store cache config inside PHP code, which is not statically
+ * parseable in the general case. We cover the three patterns that show up
+ * in real projects:
+ *
+ *   $config->method('absolute/path')                      → 'absolute/path'
+ *   $config->method(__DIR__ . '/literal')                 → dir(configFile)/literal
+ *   $config->method(\sys_get_temp_dir() . '/literal')     → sys_get_temp_dir()/literal
+ *
+ * Anything dynamic (variables, helpers, env vars) is not extractable. The
+ * caller distinguishes "match" (returns a string) from "no match"
+ * (returns null) — when null, falling back to a default and emitting a
+ * "could not parse" warning is up to the caller.
+ *
+ * The resolver intentionally does not load or execute the config file.
+ */
+final class PhpConfigCacheResolver
+{
+    private const STRING_PATTERN = '(?:\'((?:\\\\.|[^\'\\\\])*)\'|"((?:\\\\.|[^"\\\\])*)")';
+
+    /**
+     * @return string|null Resolved cache path, or null when no recognized
+     *                     pattern matches (or the file is unreadable).
+     */
+    public static function resolve(string $configPath, string $methodName): ?string
+    {
+        $content = self::readSanitizedContent($configPath);
+        if ($content === null) {
+            return null;
+        }
+        $methodEscaped = preg_quote($methodName, '/');
+
+        $allCallOffsets = self::allInvocationOffsets($content, $methodEscaped);
+        if ($allCallOffsets === []) {
+            return null;
+        }
+        $lastCallOffset = max($allCallOffsets);
+
+        $candidates = array_merge(
+            self::collectDirConcat($content, $methodEscaped, $configPath),
+            self::collectSysTempConcat($content, $methodEscaped),
+            self::collectLiteral($content, $methodEscaped)
+        );
+
+        foreach ($candidates as $hit) {
+            if ($hit['pos'] === $lastCallOffset) {
+                return $hit['path'];
+            }
+        }
+        return null;
+    }
+
+    /** @return int[] */
+    private static function allInvocationOffsets(string $content, string $methodEscaped): array
+    {
+        if (preg_match_all('/->\s*' . $methodEscaped . '\s*\(/', $content, $matches, PREG_OFFSET_CAPTURE) === false) {
+            return [];
+        }
+        $offsets = [];
+        foreach ($matches[0] as $match) {
+            $offsets[] = (int) $match[1];
+        }
+        return $offsets;
+    }
+
+    /**
+     * Reads the file and strips PHP comments so commented-out method calls
+     * don't pollute the regex match.
+     */
+    private static function readSanitizedContent(string $configPath): ?string
+    {
+        if (!is_file($configPath) || !is_readable($configPath)) {
+            return null;
+        }
+        $content = file_get_contents($configPath);
+        if ($content === false) {
+            return null;
+        }
+        return self::stripComments($content);
+    }
+
+    private static function stripComments(string $content): string
+    {
+        $tokens = token_get_all($content);
+        if ($tokens === []) {
+            return $content;
+        }
+        $out = '';
+        foreach ($tokens as $token) {
+            if (is_array($token)) {
+                if (in_array($token[0], [T_COMMENT, T_DOC_COMMENT], true)) {
+                    continue;
+                }
+                $out .= $token[1];
+                continue;
+            }
+            $out .= $token;
+        }
+        return $out;
+    }
+
+    /** @return array<int, array{pos: int, path: string}> */
+    private static function collectDirConcat(string $content, string $methodEscaped, string $configPath): array
+    {
+        $regex = '/->\s*' . $methodEscaped . '\s*\(\s*__DIR__\s*\.\s*' . self::STRING_PATTERN . '\s*\)/';
+        $base = dirname(realpath($configPath) ?: $configPath);
+        return self::collectMatches($regex, $content, static function (array $m) use ($base): string {
+            return $base . self::pickLiteral($m);
+        });
+    }
+
+    /** @return array<int, array{pos: int, path: string}> */
+    private static function collectSysTempConcat(string $content, string $methodEscaped): array
+    {
+        $regex = '/->\s*' . $methodEscaped . '\s*\(\s*\\\\?sys_get_temp_dir\s*\(\s*\)\s*\.\s*' . self::STRING_PATTERN . '\s*\)/';
+        $tmp = sys_get_temp_dir();
+        return self::collectMatches($regex, $content, static function (array $m) use ($tmp): string {
+            return $tmp . self::pickLiteral($m);
+        });
+    }
+
+    /** @return array<int, array{pos: int, path: string}> */
+    private static function collectLiteral(string $content, string $methodEscaped): array
+    {
+        $regex = '/->\s*' . $methodEscaped . '\s*\(\s*' . self::STRING_PATTERN . '\s*\)/';
+        return self::collectMatches($regex, $content, static function (array $m): string {
+            return self::pickLiteral($m);
+        });
+    }
+
+    /**
+     * @param callable(array<int, string>): string $resolver
+     * @return array<int, array{pos: int, path: string}>
+     */
+    private static function collectMatches(string $regex, string $content, callable $resolver): array
+    {
+        if (preg_match_all($regex, $content, $matches, PREG_OFFSET_CAPTURE) === false) {
+            return [];
+        }
+        $hits = [];
+        $count = isset($matches[0]) ? count($matches[0]) : 0;
+        for ($i = 0; $i < $count; $i++) {
+            $offset = (int) $matches[0][$i][1];
+            $captured = [
+                $matches[0][$i][0],
+                isset($matches[1][$i]) ? (string) $matches[1][$i][0] : '',
+                isset($matches[2][$i]) ? (string) $matches[2][$i][0] : '',
+            ];
+            $hits[] = ['pos' => $offset, 'path' => $resolver($captured)];
+        }
+        return $hits;
+    }
+
+    /** @param array<int, string> $matches */
+    private static function pickLiteral(array $matches): string
+    {
+        return $matches[1] !== '' ? $matches[1] : ($matches[2] ?? '');
+    }
+
+    /**
+     * Whether the config file declares the given method but with an expression
+     * that we can't resolve statically (variables, function calls other than
+     * __DIR__/sys_get_temp_dir, env vars, ...). Used by callers to decide
+     * whether to surface a "could not parse" warning.
+     */
+    public static function declaresUnresolvable(string $configPath, string $methodName): bool
+    {
+        $content = self::readSanitizedContent($configPath);
+        if ($content === null) {
+            return false;
+        }
+        $methodEscaped = preg_quote($methodName, '/');
+        return preg_match('/->\s*' . $methodEscaped . '\s*\(/', $content) === 1
+            && self::resolve($configPath, $methodName) === null;
+    }
+}