You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Moves [Unreleased] entries to [0.2.0] — 2026-05-04 with the bottom-of-
file version-link references updated. No code changes.
This release ships:
- EnforceAuditSnapshotOnRetryRule (PR #2) — Phase 2 promotion of the
cross-territory audit-snapshot-on-retry-safety arch test to a canonical
PHPStan rule.
- LogRule.forceDelete / .forceDeleteQuietly coverage extension (PR #3,
closes#1) — BREAKING; closes the SoftDeletes purge-path gap surfaced
by ally review on Back-to-code/ublgenie-app#163.
- composer.json php constraint ^8.3 → ^8.4 (necessary for the new rule's
Pint mb_str_functions normalization output).
- CI matrix collapse to PHP 8.4-only (8.5 add tracked as issue #5).
Per ADR-0021 §Versioning policy: Major bump (new errors in code that
previously passed). Within 0.x this is v0.2.0.
Cascade orders pending:
- ublgenie ^0.1.0 → ^0.2.0 (orders/ublgenie/phpstan-warroom-rules-v0.2.0-cascade-armorer-deployment.md);
gated on Sapper verdict for BranchCredentialAuditLogger exemption.
- emmie / kendo / entreezuil cascades: pre-cascade audit found 0 new
violations on each — straight constraint bump when scheduled.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: CHANGELOG.md
+5-2Lines changed: 5 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,14 +6,16 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
6
6
7
7
## [Unreleased]
8
8
9
+
## [0.2.0] — 2026-05-04
10
+
9
11
### Added
10
12
11
13
-`EnforceAuditSnapshotOnRetryRule` — flags `App\Actions\*` classes whose constructor injects an entity audit logger and whose `$connection->transaction(...)` calls do not begin with an in-memory state reset (`$model->refresh()`, fresh fetch via `->newQuery()->findOrFail(...)` / `->fresh()`, or fresh instantiation via `new ...` / `->newInstance()`). Doctrine: ADR-0001 §Snapshot-on-Retry Safety. Identifier: `enforceAuditSnapshotOnRetry.firstStatementMustResetState`. Promoted from cross-territory Pest arch tests (emmie PR #187, entreezuil PR #139, ublgenie PR #166, kendo PR #1029). Receiver detection is type-based (`Illuminate\Database\ConnectionInterface` subtype) — replaces territory-specific property-name matching (`$this->db` vs `$this->connection`). Escape hatch: `// @audit-snapshot-retry-safety: <rationale>` marker preceding the transaction call.
12
14
13
15
### Changed
14
16
15
17
-**PHP constraint:** bumped `composer.json``php` from `^8.3` to `^8.4`. The package's Pint config (`mb_str_functions: true`) normalizes `ltrim`/`trim` calls to `mb_ltrim`/`mb_trim`, which are PHP 8.4+ functions. The new rule introduced the first `mb_ltrim`/`mb_trim` callsites; aligning the constraint with the formatter's actual output. All consuming territories already run PHP 8.4 — no real-world impact.
16
-
- **`LogRule` (BREAKING):** extended `FORBIDDEN_METHODS` from `['delete', 'update']` to `['delete', 'forceDelete', 'forceDeleteQuietly', 'update']`. On a `SoftDeletes`-bearing model `->delete()` is a no-op against the underlying row and `->forceDelete()` is the only call that actually purges; the rule's compliance teeth previously rested on the migration-time convention that audit-log models never adopt `SoftDeletes`. Static-call shapes (`Model::destroy()`, `Model::forceDestroy()`, `DB::table('logs')->truncate()`) remain out of scope — `getNodeType()` returns `MethodCall::class`, and static-call coverage is a separate rule expansion. Origin: issue #1, surfaced by ally review on [Back-to-code/ublgenie-app#163](https://github.com/Back-to-code/ublgenie-app/pull/163#discussion_r3160966677). Pre-cascade audit across emmie, kendo, entreezuil, ublgenie surfaced one new violation: `ublgenie/app/Actions/DeleteBranch.php:56` (`InvoiceLog::query()->whereIn(...)->forceDelete()`) — operational/processing log, not an audit log; expected to migrate to consumer-side `phpstan.neon` `ignoreErrors` per package convention. Versioning: per ADR-0021 §Versioning, this is a Major bump (new errors in code that previously passed); within 0.x the next release is `v0.2.0`.
18
+
- **`LogRule` (BREAKING):** extended `FORBIDDEN_METHODS` from `['delete', 'update']` to `['delete', 'forceDelete', 'forceDeleteQuietly', 'update']`. On a `SoftDeletes`-bearing model `->delete()` is a no-op against the underlying row and `->forceDelete()` is the only call that actually purges; the rule's compliance teeth previously rested on the migration-time convention that audit-log models never adopt `SoftDeletes`. Static-call shapes (`Model::destroy()`, `Model::forceDestroy()`, `DB::table('logs')->truncate()`) remain out of scope — `getNodeType()` returns `MethodCall::class`, and static-call coverage is tracked as issue #4. Origin: issue #1, surfaced by ally review on [Back-to-code/ublgenie-app#163](https://github.com/Back-to-code/ublgenie-app/pull/163#discussion_r3160966677). Pre-cascade audit across emmie, kendo, entreezuil, ublgenie surfaced one new violation: `ublgenie/app/Actions/DeleteBranch.php:56` (`InvoiceLog::query()->whereIn(...)->forceDelete()`) — operational/processing log, not an audit log; migrates to consumer-side `phpstan.neon` `ignoreErrors` per package convention. Versioning: per ADR-0021 §Versioning, this is a Major bump (new errors in code that previously passed); within 0.x this ships as `v0.2.0`.
17
19
18
20
## [0.1.1] — 2026-04-29
19
21
@@ -37,6 +39,7 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
37
39
- Test coverage is smoke-level for v0.1.0; full matrix for `EnforceActionTransactionsRule` (non-DB property exclusions, nested closure transaction detection, full 18-method write list) lands in a follow-up.
38
40
- Action namespace assumption: rules that scope to Actions match `App\Actions\*`. Lift to a parameter when a non-conforming territory onboards.
0 commit comments