test: cover EnforceCurrentUserAttributeRule fixtures

Adds 10 fixtures and 10 test methods covering every detection branch and
every legitimate-skip case:

Fire (4):
  - RequestUserInController — shape 1 (Request subtype receiver)
  - AuthFacadeInController — shape 3 (Auth::user() static call)
  - AuthHelperInController — shape 2 (auth() helper receiver)
  - RequestUserInControllerWithAssert — exact PR #263 shape; fires once
    on the \$request->user() call (assert is downstream noise)

Silent (5):
  - UsesCurrentUserAttribute — already-canonical #[CurrentUser] adoption
  - RequestUserInFormRequest — FormRequest descendant, by-design exclusion
  - AuthInMiddleware — not a Controller descendant
  - AuthInAction — not a Controller descendant
  - AuthInJob — not a Controller descendant

Mutation-killing:
  - TopLevelAuthCall — top-level call outside any class (kills FalseValue
    mutant on the null-class-reflection branch)

The _stubs.php file provides bracketed-namespace stubs for
Illuminate\Routing\Controller, Illuminate\Http\Request,
Illuminate\Foundation\Http\FormRequest, App\Models\User, and the global
auth() helper — illuminate/routing / illuminate/http are not vendor-installed
on this package, mirroring the AuditSnapshotOnRetry _stubs.php pattern.

60 tests pass, 101 assertions. Coverage 86.00% (≥83 gate); MSI 82.47%
(≥75 gate); Covered MSI 82.47% (≥75 gate). Two LogicalOr mutants on the
Identifier-name guard clauses escape — equivalent-mutant precedent already
accepted on LogRule lines 84/99.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Goosterhof

tests/Fixtures/CurrentUserAttribute/AuthFacadeInController.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Controllers;
+
+use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\Auth;
+
+final class AuthFacadeInController extends Controller
+{
+    public function store(): ?object
+    {
+        return Auth::user();
+    }
+}

tests/Fixtures/CurrentUserAttribute/AuthHelperInController.php

@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Controllers;
+
+use Illuminate\Routing\Controller;
+
+final class AuthHelperInController extends Controller
+{
+    public function store(): ?object
+    {
+        return auth()->user();
+    }
+}

tests/Fixtures/CurrentUserAttribute/AuthInAction.php

@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Actions;
+
+use Illuminate\Support\Facades\Auth;
+
+final readonly class AuthInAction
+{
+    // Actions handle authenticated-user resolution via constructor DI (or
+    // explicit DTO passing). The class does not extend Controller — silent.
+    public function execute(): ?object
+    {
+        return Auth::user();
+    }
+}

tests/Fixtures/CurrentUserAttribute/AuthInJob.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Jobs;
+
+use Illuminate\Support\Facades\Auth;
+
+final class AuthInJob
+{
+    // Queue jobs run outside an HTTP request scope; authenticated user
+    // resolution by attribute does not apply. Not a Controller descendant —
+    // silent.
+    public function handle(): ?object
+    {
+        return Auth::user();
+    }
+}

tests/Fixtures/CurrentUserAttribute/AuthInMiddleware.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Middleware;
+
+use Illuminate\Support\Facades\Auth;
+
+final class AuthInMiddleware
+{
+    // Middleware does not extend Illuminate\Routing\Controller — silent.
+    public function handle(): ?object
+    {
+        return Auth::user();
+    }
+}

tests/Fixtures/CurrentUserAttribute/RequestUserInController.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Controllers;
+
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+
+final class RequestUserInController extends Controller
+{
+    public function store(Request $request): ?object
+    {
+        return $request->user();
+    }
+}

tests/Fixtures/CurrentUserAttribute/RequestUserInControllerWithAssert.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Controllers;
+
+use App\Models\User;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+
+use function assert;
+
+final class RequestUserInControllerWithAssert extends Controller
+{
+    public function store(Request $request): User
+    {
+        // Exact PR #263 shape — the assert is downstream noise; only the
+        // $request->user() call fires.
+        $user = $request->user();
+        assert($user instanceof User);
+
+        return $user;
+    }
+}

tests/Fixtures/CurrentUserAttribute/RequestUserInFormRequest.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Http\Request;
+
+final class RequestUserInFormRequest extends FormRequest
+{
+    // FormRequest descendants are intentionally out of scope — container-
+    // attribute injection does not apply to FormRequest::rules() / toDto() /
+    // authorize() invocations. Both call shapes below must be silent.
+    public function authorize(): bool
+    {
+        return $this->user() !== null;
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function payload(Request $request): array
+    {
+        return ['user' => $request->user()];
+    }
+}

tests/Fixtures/CurrentUserAttribute/TopLevelAuthCall.php

@@ -0,0 +1,10 @@
+<?php
+
+declare(strict_types = 1);
+
+use Illuminate\Support\Facades\Auth;
+
+// Top-level call outside any class — `$scope->getClassReflection()` returns
+// null, so the rule must short-circuit at the no-class-reflection gate.
+// Silent. Kills the FalseValue mutant on the null-reflection guard.
+Auth::user();

tests/Fixtures/CurrentUserAttribute/UsesCurrentUserAttribute.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types = 1);
+
+namespace App\Http\Controllers;
+
+use App\Models\User;
+use Illuminate\Container\Attributes\CurrentUser;
+use Illuminate\Routing\Controller;
+
+final class UsesCurrentUserAttribute extends Controller
+{
+    // Canonical replacement shape — container-attribute injection resolves
+    // the authenticated user. No body call required; the rule must not fire.
+    public function store(#[CurrentUser] User $user): User
+    {
+        return $user;
+    }
+}