script-development
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 2 additions & 1 deletion b/‎CLAUDE.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 12 additions & 0 deletions b/‎README.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎extension.neon‎
Lines changed: 15 additions & 0 deletions b/‎extension.neon‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/Rules/EnforceResourceDataValidatorOptInRule.php‎
Lines changed: 262 additions & 0 deletions b/‎src/Rules/EnforceResourceDataValidatorOptInRule.php‎
Lines changed: 262 additions & 0 deletions
diff --git a/‎tests/Fixtures/ResourceDataValidatorOptIn/CompliantInstanceCallResource.php‎
Lines changed: 19 additions & 0 deletions b/‎tests/Fixtures/ResourceDataValidatorOptIn/CompliantInstanceCallResource.php‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎tests/Fixtures/ResourceDataValidatorOptIn/CompliantSelfCallResource.php‎
Lines changed: 22 additions & 0 deletions b/‎tests/Fixtures/ResourceDataValidatorOptIn/CompliantSelfCallResource.php‎
Lines changed: 22 additions & 0 deletions
@@ -6,6 +6,10 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 ## [Unreleased]
 
+### Added
+
+- `EnforceResourceDataValidatorOptInRule` — flags classes extending `App\Http\Resources\ResourceData` that declare a non-empty `EAGER_LOAD_COUNT` or `EAGER_LOAD_SUM` constant but do not call `validateRelationsLoaded()` anywhere in their method bodies. Without the call, missing eager-load aggregates fail open as `0` / `null` instead of throwing — silently re-introducing the silent-zero bug closed by kendo PR #1079 (KD-0494). Doctrine: ADR-0009 §EAGER_LOAD validator opt-in. Identifier: `enforceResourceDataValidatorOptIn.missingValidatorCall`. Promoted from kendo PR #1084's Pest arch test (Armorer, merged 2026-05-07 at `db20ea9cf`) — the third instance of the "arch test detects misuse but not omission" enforcement shape, dispositioned for Phase-2 promotion under war-room enforcement queue #55 by the Commander on 2026-05-07. Inheritance is matched via PHPStan reflection (FQCN ancestor traversal) — short-name collisions in unrelated namespaces do NOT match. The base FQCN is parameterizable via the `resourceDataBaseClass` PHPStan parameter (default: `App\Http\Resources\ResourceData`); territories whose `ResourceData` lives elsewhere can override per consumer `phpstan.neon`. Compliant call shapes: `self::validateRelationsLoaded($model)`, `static::validateRelationsLoaded($model)`, `$this->validateRelationsLoaded($model)` (instance form accepted for liberal compatibility with the source-of-truth Pest matcher, even though the base method is `protected static`). Empty-array constants (`EAGER_LOAD_COUNT = []`) do NOT fire — they are no-ops. **Versioning: per ADR-0021 §Versioning, candidate Major bump (the rule surfaces new errors in already-clean code wherever a consumer territory has a `ResourceData` subclass declaring the aggregate constants without the validator call). The release PR will determine whether v0.3.0 collapses this rule into the same Major bump as the staged `LogRule` static-call expansion, or cuts a separate Major.** **Pre-cascade audit required across emmie, kendo, entreezuil, ublgenie, brick-inventory before tagging** — the kendo arch test already closed kendo's standing proof point (`ProjectGithubRepoResourceData`) in PR #1084, but other consumer territories may carry undetected violators. Sister extractions for the FormRequest `toDto()` omission shape (queue #55 instance #2) and the routes `->can()` middleware omission shape (queue #55 instance #1) are deferred to separate dispatches.
+
 ### Changed
 
 - **Doctrine:** corrected publish-channel framing in `CLAUDE.md` (L11 and the Release process section) and the `release.yml` header comment. Public packagist.org has no OIDC Trusted Publishing option today — OIDC is a Private Packagist–only feature (`packagist/artifact-publish-github-action`, GA February 2026). The package's actual publish channel is the standard `https://packagist.org/api/github` push-event webhook (`dev-*` aliases on branch push, versioned releases on tag push via `release.yml`). Migration to Private Packagist would change ally-side Composer consumption (private repo URL + token in `composer.json`) and is a commercial decision; tracking continues on Issue #11. Closes Sapper M1 Finding #2 (doctrine drift on publish channel) and resolves Issue #11 audit. **Versioning:** none (doctrine alignment, no consumer-visible behaviour).
 
@@ -25,9 +25,10 @@ Composer package distributing war-room-doctrine PHPStan rules across `script-dev
 | `ForbidAbortHelperRule` | War-room §Explicit over implicit | `forbidAbortHelper.abortUsed` |
 | `LogRule` | ADR-0001 §Append-only | `logRule.logModification` |
 | `EnforceAuditSnapshotOnRetryRule` | ADR-0001 §Snapshot-on-Retry Safety | `enforceAuditSnapshotOnRetry.firstStatementMustResetState` |
+| `EnforceResourceDataValidatorOptInRule` | ADR-0009 §EAGER_LOAD validator opt-in | `enforceResourceDataValidatorOptIn.missingValidatorCall` |
 | `ConnectionTransactionReturnTypeExtension` | (type extension, no rule) | — |
 
-Phase 2 expands the rule set: `EnforceAuditSnapshotOnRetryRule` (ADR-0001 §Snapshot-on-Retry Safety) is the first Phase 2 addition, promoted from cross-territory Pest arch tests (emmie PR #187, entreezuil PR #139, ublgenie PR #166, kendo PR #1029). `EnforceExplicitHydrationRule` (ADR-0019) is the next Phase 2 candidate.
+Phase 2 expands the rule set: `EnforceAuditSnapshotOnRetryRule` (ADR-0001 §Snapshot-on-Retry Safety) was the first Phase 2 addition, promoted from cross-territory Pest arch tests (emmie PR #187, entreezuil PR #139, ublgenie PR #166, kendo PR #1029). `EnforceResourceDataValidatorOptInRule` (ADR-0009 §EAGER_LOAD validator opt-in) is the second Phase 2 addition, promoted from kendo PR #1084 under war-room enforcement queue #55. `EnforceExplicitHydrationRule` (ADR-0019) is the next Phase 2 candidate.
 
 ## Conventions
 
 
@@ -41,6 +41,7 @@ includes:
 | `ForbidDatabaseManagerInActionsRule` | `forbidDatabaseManager.inAction` | Action constructors | Constructor parameter typed `DatabaseManager` is an error. Inject `ConnectionInterface` instead. |
 | `ForbidAbortHelperRule` | `forbidAbortHelper.abortUsed` | Function calls | `abort()`, `abort_if()`, `abort_unless()` are errors. Throw an explicit `HttpException` subclass instead. |
 | `LogRule` | `logRule.logModification` | `update()` / `delete()` calls | If the receiver type's class name contains `"Log"` or `"logs"` (case-insensitive), error. |
+| `EnforceResourceDataValidatorOptInRule` | `enforceResourceDataValidatorOptIn.missingValidatorCall` | Classes extending `App\Http\Resources\ResourceData` | If the class declares a non-empty `EAGER_LOAD_COUNT` / `EAGER_LOAD_SUM` constant but never calls `validateRelationsLoaded()` in any method, error. |
 
 ### `EnforceActionTransactionsRule` — write-method list
 
@@ -64,6 +65,17 @@ parameters:
 
 Each ignore should carry a comment with rationale. Future versions may add an explicit allow-list parameter — file an issue if you have a recurring need.
 
+### `EnforceResourceDataValidatorOptInRule` — configurable base class
+
+The rule scopes to classes extending `App\Http\Resources\ResourceData` by default. If a territory ships its abstract resource base under a different FQCN, override the `resourceDataBaseClass` parameter in `phpstan.neon`:
+
+```neon
+parameters:
+    resourceDataBaseClass: 'App\Resources\BaseResource'
+```
+
+Inheritance is matched via PHPStan reflection (FQCN ancestor traversal), not short-name matching — a class named `ResourceData` in an unrelated namespace will not be matched. Compliant call shapes are `self::validateRelationsLoaded($model)`, `static::validateRelationsLoaded($model)`, and `$this->validateRelationsLoaded($model)` — the production base method is `protected static`, but the instance form is also accepted for compatibility with the source-of-truth Pest arch test's permissive matcher. Empty-array constants (`EAGER_LOAD_COUNT = []`) do not fire — they are no-ops.
+
 ### Action namespace assumption
 
 `EnforceActionTransactionsRule` and `ForbidDatabaseManagerInActionsRule` only fire on classes whose namespace starts with `App\Actions`. This matches the Laravel convention used in every `script-development` territory. Territories using a different actions namespace should open a PR to make this configurable.
 
@@ -1,3 +1,13 @@
+parameters:
+    # `EnforceResourceDataValidatorOptInRule`: FQCN of the abstract resource
+    # base class. Default matches the kendo / emmie / ublgenie / entreezuil
+    # convention `App\Http\Resources\ResourceData`. Override per consumer
+    # `phpstan.neon` if a territory ships the base under a different FQCN.
+    resourceDataBaseClass: 'App\\Http\\Resources\\ResourceData'
+
+parametersSchema:
+    resourceDataBaseClass: string()
+
 services:
     -
         class: ScriptDevelopment\PhpstanWarroomRules\Rules\EnforceActionTransactionsRule
@@ -14,6 +24,11 @@ services:
     -
         class: ScriptDevelopment\PhpstanWarroomRules\Rules\EnforceAuditSnapshotOnRetryRule
         tags: [phpstan.rules.rule]
+    -
+        class: ScriptDevelopment\PhpstanWarroomRules\Rules\EnforceResourceDataValidatorOptInRule
+        arguments:
+            resourceDataBaseClass: %resourceDataBaseClass%
+        tags: [phpstan.rules.rule]
     -
         class: ScriptDevelopment\PhpstanWarroomRules\Type\ConnectionTransactionReturnTypeExtension
         tags: [phpstan.broker.dynamicMethodReturnTypeExtension]
@@ -0,0 +1,262 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace ScriptDevelopment\PhpstanWarroomRules\Rules;
+
+use PhpParser\Node;
+use PhpParser\Node\Expr\Array_;
+use PhpParser\Node\Expr\MethodCall;
+use PhpParser\Node\Expr\StaticCall;
+use PhpParser\Node\Identifier;
+use PhpParser\Node\Stmt\Class_;
+use PhpParser\Node\Stmt\ClassConst;
+use PhpParser\Node\Stmt\ClassMethod;
+use PHPStan\Analyser\Scope;
+use PHPStan\Node\InClassNode;
+use PHPStan\Reflection\ClassReflection;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleErrorBuilder;
+
+use function array_filter;
+use function implode;
+use function in_array;
+use function is_array;
+use function sprintf;
+
+/**
+ * Enforces ADR-0009 §EAGER_LOAD validator opt-in: a `ResourceData` subclass
+ * declaring a non-empty `EAGER_LOAD_COUNT` or `EAGER_LOAD_SUM` constant must
+ * call `validateRelationsLoaded()` somewhere in its method bodies. Without
+ * the call, missing eager-load aggregates fail open as `0` / `null` rather
+ * than throwing — silently re-introducing the silent-zero bug closed by
+ * kendo PR #1079 (KD-0494).
+ *
+ * Doctrine source: ADR-0009 §EAGER_LOAD validator opt-in. Codified after
+ * kendo PR #1084 (Armorer, merged 2026-05-07 at db20ea9cf) added a Pest
+ * arch test of this shape; war-room enforcement queue #55 promoted the
+ * Level-1 territory-local arch test to a Level-2 cross-territory PHPStan
+ * rule on 2026-05-07.
+ *
+ * Scope: classes whose ancestor chain includes the configured base FQCN
+ * (default: `App\Http\Resources\ResourceData`). Inheritance is matched
+ * via PHPStan reflection — short-name collisions in unrelated namespaces
+ * do not fire.
+ *
+ * Detection (all three must hold):
+ *   1. Class transitively extends the configured base class.
+ *   2. Class declares at least one of `EAGER_LOAD_COUNT` / `EAGER_LOAD_SUM`
+ *      as an own constant with a non-empty array value (empty array `[]`
+ *      is a no-op and does not fire).
+ *   3. Class body does NOT contain a method-call or static-call with name
+ *      `validateRelationsLoaded` anywhere in any method (recursive walk).
+ *
+ * Compliant call shapes (any one suffices):
+ *   - `self::validateRelationsLoaded($model);`
+ *   - `static::validateRelationsLoaded($model);`
+ *   - `$this->validateRelationsLoaded($model);` (the base method is
+ *      `protected static`; the instance form is also accepted for
+ *      liberal compatibility with the source-of-truth Pest arch test).
+ *
+ * Implementation note: registers on `InClassNode` rather than `Class_` to
+ * guarantee `$scope->getClassReflection()` is available — at the bare
+ * `Class_` node, the scope has not yet entered the class so reflection
+ * may be null. The AST walk is local; we only need to confirm presence
+ * anywhere in the class body, not type-resolve receivers.
+ *
+ * @implements Rule<InClassNode>
+ */
+final class EnforceResourceDataValidatorOptInRule implements Rule
+{
+    private const array TARGET_CONSTANTS = [
+        'EAGER_LOAD_COUNT',
+        'EAGER_LOAD_SUM',
+    ];
+
+    private const string VALIDATOR_METHOD_NAME = 'validateRelationsLoaded';
+
+    public function __construct(
+        private string $resourceDataBaseClass = 'App\Http\Resources\ResourceData',
+    ) {}
+
+    public function getNodeType(): string
+    {
+        return InClassNode::class;
+    }
+
+    public function processNode(Node $node, Scope $scope): array
+    {
+        $classNode = $node->getOriginalNode();
+
+        if (!$classNode instanceof Class_) {
+            return [];
+        }
+
+        if ($classNode->isAbstract()) {
+            return [];
+        }
+
+        $classReflection = $node->getClassReflection();
+
+        if (!$this->extendsResourceDataBase($classReflection)) {
+            return [];
+        }
+
+        $declaredConstants = $this->declaredAggregateConstants($classNode);
+
+        if ($declaredConstants === []) {
+            return [];
+        }
+
+        if ($this->classBodyCallsValidator($classNode)) {
+            return [];
+        }
+
+        return [
+            RuleErrorBuilder::message(sprintf(
+                '%s declares %s but does not call validateRelationsLoaded() — silent-zero bug risk (ADR-0009 / war-room queue #55 / kendo PR #1084 opt-in invariant).',
+                $classReflection->getName(),
+                implode(', ', $declaredConstants),
+            ))
+                ->identifier('enforceResourceDataValidatorOptIn.missingValidatorCall')
+                ->line($classNode->getStartLine())
+                ->build(),
+        ];
+    }
+
+    /**
+     * Inheritance gate: the class must be a (transitive) subclass of the
+     * configured base FQCN. Uses PHPStan reflection — handles intermediate
+     * abstract layers and namespace-relative `extends` clauses. Short-name
+     * collisions in unrelated namespaces do not match.
+     */
+    private function extendsResourceDataBase(ClassReflection $classReflection): bool
+    {
+        if ($classReflection->getName() === $this->resourceDataBaseClass) {
+            return false;
+        }
+
+        return $classReflection->isSubclassOf($this->resourceDataBaseClass);
+    }
+
+    /**
+     * Returns short names of TARGET_CONSTANTS declared on this class with a
+     * non-empty array value. Inherited constants are skipped — only own
+     * declarations on this class create the obligation.
+     *
+     * @return list<string>
+     */
+    private function declaredAggregateConstants(Class_ $node): array
+    {
+        $declared = [];
+
+        foreach ($node->stmts as $stmt) {
+            if (!$stmt instanceof ClassConst) {
+                continue;
+            }
+
+            foreach ($stmt->consts as $const) {
+                $name = $const->name->toString();
+
+                if (!in_array($name, self::TARGET_CONSTANTS, true)) {
+                    continue;
+                }
+
+                if (!$const->value instanceof Array_) {
+                    continue;
+                }
+
+                if ($const->value->items === []) {
+                    continue;
+                }
+
+                $declared[] = $name;
+            }
+        }
+
+        return $declared;
+    }
+
+    /**
+     * Walks every method in the class body looking for a method-call or
+     * static-call to `validateRelationsLoaded`. Only the call's *name* is
+     * checked — any receiver shape (`self::`, `static::`, `$this->`,
+     * `parent::`, `Foo::`) suffices, mirroring the source-of-truth kendo
+     * arch test's permissive matcher.
+     */
+    private function classBodyCallsValidator(Class_ $node): bool
+    {
+        $found = false;
+
+        foreach ($node->stmts as $stmt) {
+            if (!$stmt instanceof ClassMethod) {
+                continue;
+            }
+
+            if ($stmt->stmts === null) {
+                continue;
+            }
+
+            $this->walkNodes($stmt->stmts, function(Node $inner) use (&$found): void {
+                if ($found) {
+                    return;
+                }
+
+                if (
+                    $inner instanceof MethodCall
+                    && $inner->name instanceof Identifier
+                    && $inner->name->toString() === self::VALIDATOR_METHOD_NAME
+                ) {
+                    $found = true;
+
+                    return;
+                }
+
+                if (
+                    $inner instanceof StaticCall
+                    && $inner->name instanceof Identifier
+                    && $inner->name->toString() === self::VALIDATOR_METHOD_NAME
+                ) {
+                    $found = true;
+                }
+            });
+
+            if ($found) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Recursively walk a list of nodes, invoking `$callback` on each one.
+     * Mirrors `EnforceActionTransactionsRule::walkNodes()` /
+     * `EnforceAuditSnapshotOnRetryRule::walkNodes()` for parity.
+     *
+     * @param array<int|string, Node|null> $nodes
+     */
+    private function walkNodes(array $nodes, callable $callback): void
+    {
+        foreach ($nodes as $node) {
+            if (!$node instanceof Node) {
+                continue;
+            }
+
+            $callback($node);
+
+            foreach ($node->getSubNodeNames() as $name) {
+                $subNode = $node->{$name};
+
+                if ($subNode instanceof Node) {
+                    $this->walkNodes([$subNode], $callback);
+                } elseif (is_array($subNode)) {
+                    $this->walkNodes(
+                        array_filter($subNode, static fn(mixed $item): bool => $item instanceof Node),
+                        $callback,
+                    );
+                }
+            }
+        }
+    }
+}
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Resources;
+
+use App\Models\Project;
+
+final class CompliantInstanceCallResource extends ResourceData
+{
+    public const array EAGER_LOAD_COUNT = ['issues'];
+
+    public function hydrate(Project $project): void
+    {
+        // Instance form is accepted for liberal compatibility with the
+        // source-of-truth kendo arch test's permissive matcher.
+        $this->validateRelationsLoaded($project);
+    }
+}
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Resources;
+
+use App\Models\Project;
+
+final class CompliantSelfCallResource extends ResourceData
+{
+    public const array EAGER_LOAD_SUM = ['timeEntries:minutes_spent'];
+
+    public static function fromModel(Project $project): self
+    {
+        self::validateRelationsLoaded($project);
+
+        return new self([
+            'id' => $project->id,
+            'name' => $project->name,
+        ]);
+    }
+}