@@ -9,49 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
99
1010### Added
1111
12- - Dev: mutation testing with [ Infection] ( https://infection.github.io/ )
13- (` task test:mutation ` ). The minimum mutation score is configured in
14- ` infection.json5 ` and enforced in CI; escaped mutants are annotated inline
15- on pull requests, and results for ` develop ` are published to the Stryker
16- dashboard (mutation score badge in the README). No effect on the published
17- package.
12+ - Mutation testing with [ Infection] ( https://infection.github.io/ )
13+ (` task test:mutation ` ), run in CI and reported to the Stryker dashboard
14+ (mutation score badge in README)
1815
1916### Changed
2017
21- - CI: the mutation-tests job declares its PHP version and dependency set
22- via a single-entry matrix (` Mutation tests (8.3, prefer-stable) ` ), so
23- the job name makes explicit what mutation testing runs on. No effect on
24- the published package.
25- - Dev: test fixtures use RFC 2606 reserved domains only —
26- ` provider.example.org ` for IdP-side URLs (metadata, authorization) and
27- ` app.example.org ` for application-side URLs (redirect/callback, CLI
28- login), replacing real registrable domains (` app.com ` , ` provider.com ` ,
29- ` other.com ` , ` test.com ` ). No effect on the published package.
30- - Dev: strengthened Security tests based on mutation testing findings —
31- the redirect-route parameters are asserted to reach the router when
32- building a provider redirect URI, ` validateClaims ` is asserted to look
33- up the exact provider key from the session and to merge
34- ` open_id_connect_provider ` into the returned claims, and a request
35- without any ` loginToken ` parameter is asserted to be rejected as
36- unauthorized. No effect on the published package.
37- - Dev: strengthened CLI login flow tests based on mutation testing
38- findings — redeeming an unknown token is asserted to throw
39- ` TokenNotFoundException ` specifically, both cache entries (token and
40- reverse username entry) are asserted removed after a token is used,
41- ` encodeKey ` asserts the exact namespaced encoding instead of only an
42- encode/decode roundtrip, and the CLI login URL is asserted to receive
43- the login token and route. No effect on the published package.
44- - Dev: added a test for ` ItkDevOpenIdConnectBundle::getContainerExtension() `
45- asserting the custom extension is created and memoized (same instance on
46- repeated calls), prompted by mutation testing findings. No effect on the
47- published package.
48- - Dev: strengthened DependencyInjection tests based on mutation testing
49- findings — the extension's container wiring (cache pool reference,
50- provider options mapping, CLI login route arguments) is now asserted
51- explicitly, and the documented invariant that provider keys are not
52- normalized (` my-provider ` ≠ ` my_provider ` ) is covered by a test. No
53- effect on the published package.
54-
18+ - Strengthened tests guided by mutation testing; mutation score raised to
19+ 100% with a CI threshold of 95 (` minCoveredMsi ` in ` infection.json5 ` )
20+ - Test fixtures use RFC 2606 reserved domains (` provider.example.org ` ,
21+ ` app.example.org ` ) instead of registrable domains
5522- CI: bumped ` codecov/codecov-action ` from ` v5 ` to ` v7 ` (restores Codecov's
5623 GPG signing key after the ` codecovsecurity ` account was removed, and moves
5724 the bundled ` github-script ` to Node 24) and set ` fail_ci_if_error: false `
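Review bot: In the new Changed entry at lines 18-19, the CI threshold (`minCoveredMsi` 95) sits below the 100% score the same entry reports. The covered mutation score can therefore fall by up to five points without failing CI. The removed entries show that the tests behind that score cover security-relevant assertions: rejecting a request without `loginToken` as unauthorized, the exact provider key lookup in `validateClaims`, and removal of both cache entries after a token is used. Consider raising the threshold to match the achieved score, or state in the entry why the margin is there. The rewritten entries also drop the `Dev:` prefix and the "No effect on the published package" remark, while the retained entry at line 22 still starts with `CI:`. Keeping a prefix on the new lines would stay consistent and tell consumers these changes do not touch the shipped bundle. The single-entry matrix note (`Mutation tests (8.3, prefer-stable)`) is removed with no replacement; if that job naming is still in place, a short mention is worth keeping.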