
Commit 5c3e792

Merge pull request #21 from script-development/chore/oidc-doctrine-drift
2 parents 87b22cf + f6dec29 commit 5c3e792

3 files changed

Lines changed: 11 additions & 7 deletions


.github/workflows/release.yml

Lines changed: 8 additions & 5 deletions
@@ -1,12 +1,15 @@
11
# Release workflow — runs on tag push (v*).
22
#
3-
# Composer packages on Packagist auto-sync from the configured Git repository,
4-
# so this workflow's primary job is to (1) re-run the CI gates on the tagged
3+
# Composer packages on public packagist.org auto-sync from the configured Git
4+
# repository via push-event webhook (https://packagist.org/api/github), so
5+
# this workflow's primary job is to (1) re-run the CI gates on the tagged
56
# commit and (2) create a GitHub release pointing at the changelog entry.
67
#
7-
# Packagist Trusted Publishing (OIDC) is TBD pending an audit of Packagist's
8-
# OIDC support relative to fs-packages' npm Trusted Publishing setup. Until
9-
# then, Packagist relies on the standard repo-webhook auto-update path.
8+
# OIDC Trusted Publishing on Packagist is currently a Private Packagist–only
9+
# feature (packagist/artifact-publish-github-action); public packagist.org
10+
# has no OIDC option today. Migrating would change ally-side Composer
11+
# consumption (private repo URL + token in composer.json) and is a commercial
12+
# decision tracked in Issue #11 — out of scope for this workflow until adopted.
1013

1114
name: Release
1215
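Review bot: the parenthetical on the added `# consumption (private repo URL + token in composer.json)` line points a future migrator at the wrong file; Composer reads repository credentials from `auth.json` (or `COMPOSER_AUTH`), and `composer.json` is committed, so a token placed there ends up in git history. Suggest `(private repo URL in composer.json, token in an uncommitted auth.json)`. Separately, "public packagist.org has no OIDC option today" will go stale silently in a header comment; anchor it to the date of the audit or to Issue #11 so a reader can tell when it was last checked.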

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -8,6 +8,7 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
88

99
### Changed
1010

11+
- **Doctrine:** corrected publish-channel framing in `CLAUDE.md` (L11 and the Release process section) and the `release.yml` header comment. Public packagist.org has no OIDC Trusted Publishing option today — OIDC is a Private Packagist–only feature (`packagist/artifact-publish-github-action`, GA February 2026). The package's actual publish channel is the standard `https://packagist.org/api/github` push-event webhook (`dev-*` aliases on branch push, versioned releases on tag push via `release.yml`). Migration to Private Packagist would change ally-side Composer consumption (private repo URL + token in `composer.json`) and is a commercial decision; tracking continues on Issue #11. Closes Sapper M1 Finding #2 (doctrine drift on publish channel) and resolves Issue #11 audit. **Versioning:** none (doctrine alignment, no consumer-visible behaviour).
1112
- **`LogRule` (BREAKING):** extended to cover the static-call shapes `Model::destroy(...)` and `Model::forceDestroy(...)` on Log-named classes. `getNodeType()` broadened from `MethodCall::class` to `CallLike::class` and `processNode` branches on `MethodCall` vs `StaticCall`. Both shapes emit the same `logRule.logModification` identifier so consumer `phpstan.neon` `ignoreErrors` entries cover the whole rule with one identifier (the previous rule's compliance teeth depended on `delete`/`forceDelete` instance shapes; on a non-soft-delete log model `Model::destroy([1])` purges and `Model::forceDestroy([1])` always purges — both slipped through). `DB::table('logs')->truncate()` is intentionally still out of scope — Builder receiver type carries no Log-named class reference and the table name lives in a string argument; matching that needs a shape-specific call-chain rule. Tracked separately. Versioning: per ADR-0021 §Versioning, this is a Major bump (new errors in code that previously passed); within 0.x this ships as `v0.3.0`. **Pre-cascade audit required across emmie, kendo, entreezuil, ublgenie before tagging** — surface any `::destroy(`/`::forceDestroy(` calls on Log-named classes and route operational-log false positives to consumer-side `phpstan.neon` `ignoreErrors` (same convention used in v0.2.0 for `ublgenie/app/Actions/DeleteBranch.php`). Resolves issue #4.
1213
- **CI:** added PHP 8.5 to the `ci.yml` and `release.yml` test matrices alongside 8.4 (`['8.4']``['8.4', '8.5']`). PHP 8.5.0 was released 2025-11-20; the war-room dev environment already runs 8.5.5 locally, so PRs were getting ad-hoc 8.5 coverage during pre-push but no CI signal. Adding (rather than replacing) keeps 8.4 — the `composer.json` `^8.4` contractual minimum — covered. `shivammathur/setup-php@v2` supports 8.5 since GA. Resolves issue #5.
1314
- **CI:** added line-coverage measurement and a threshold gate. `ci.yml` switches `coverage: none` → `coverage: pcov` on both 8.4 and 8.5 matrix legs (PCOV is line-coverage-only and faster than Xdebug — debugger features aren't needed). New composer scripts: `test:coverage` (runs PHPUnit with `--coverage-clover=build/logs/clover.xml --coverage-text`) and `coverage:check` (runs `bin/coverage-check.php`, a standalone clover parser — no extra runtime dependency added to a static-analysis package for a single CI gate). Two new CI steps replace the `Tests` step: **Tests with coverage** and **Coverage threshold gate**. Clover XML is uploaded as a per-leg artifact (`clover-php-${{ matrix.php }}`, 14-day retention) so reviewers can inspect uncovered lines without spelunking through workflow logs. **Initial threshold: 83%** — the measured baseline is 83.92% (240/286 lines across `src/`), set 0.92 percentage points lower to absorb trivial fluctuation on equivalent-but-renamed code. Class coverage (0/6) and method coverage (39%) are intentionally unmeasured by the gate v1; per the issue's deliberation, line coverage is the right v1 signal and branch/method coverage is a follow-up after the line gate is bedded in. The 16-percentage-point gap to 100% audits as defensive guard clauses on unexpected node shapes (the kind of branch the issue itself flagged as "genuinely hard to fixture" — `LogRule`'s static-call branch falls back when `$node->class` is `Expr` rather than `Name`); a follow-up issue will audit and ratchet the threshold upward to 90%+. Versioning: none (pure CI/test-infra, no consumer-visible behaviour). Resolves issue #9.
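Review bot: the Doctrine entry says both "tracking continues on Issue #11" and "resolves Issue #11 audit", which leaves unclear whether this PR closes #11 or leaves it open for the migration decision; state one outcome, e.g. "#11 stays open for the Private Packagist decision; its audit portion is complete". The same entry repeats "(private repo URL + token in `composer.json`)"; Composer credentials belong in an uncommitted `auth.json`, so name that file rather than `composer.json` to avoid implying a committed token. The "GA February 2026" date for `packagist/artifact-publish-github-action` should link its source so the claim can be re-checked later.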

CLAUDE.md

Lines changed: 2 additions & 2 deletions
@@ -8,7 +8,7 @@ Composer package distributing war-room-doctrine PHPStan rules across `script-dev
88
- **Static analysis:** PHPStan 2.x (target framework — the package extends it)
99
- **Test:** PHPUnit 11 (extends `PHPStan\Testing\RuleTestCase`)
1010
- **Format:** Pint (canonical config from war-room `templates/pint.json`)
11-
- **Publish:** OIDC Trusted Publishing to Packagist (no stored tokens)
11+
- **Publish:** Auto-sync to public packagist.org via repository webhook (`https://packagist.org/api/github`, push-trigger; `dev-*` aliases on branch push, versioned releases on tag push via `release.yml`). OIDC Trusted Publishing on Packagist is currently a Private Packagist–only feature (`packagist/artifact-publish-github-action`); public packagist.org has no OIDC option today. Migration to Private Packagist is tracked in Issue #11 — out of scope until adopted (would change ally-side Composer consumption).
1212

1313
## Doctrine source
1414
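Review bot: the rewritten Publish bullet drops the old "(no stored tokens)" property without saying what replaced it; the `https://packagist.org/api/github` push hook is now the package's only publish channel, so the bullet should state what credential, if any, that hook depends on, where it is configured, and who can rotate it, since that is the secret an attacker would need to push a poisoned version. Also change "token in `composer.json`" to "token in an uncommitted `auth.json`" in the migration parenthetical; `composer.json` is committed and is not where Composer expects credentials.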

@@ -60,7 +60,7 @@ Consuming territories pin `^1.0`. Any rule that would surface new errors in alre
6060
- `main` is always release-ready.
6161
- Pull requests must update `CHANGELOG.md` under an `[Unreleased]` section.
6262
- A release PR moves `[Unreleased]` to a versioned heading and tags the merge commit (`v1.x.y`).
63-
- Trusted Publishing pipeline picks up the tag and publishes to Packagist.
63+
- Packagist's webhook auto-sync picks up the tag and publishes the release; `release.yml` re-runs CI gates on the tagged commit and creates a GitHub release referencing the matching CHANGELOG entry.
6464

6565
## What this territory does NOT do
6666
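Review bot: with this ordering Packagist publishes the tagged version the moment the tag is pushed, before `release.yml` has re-run the CI gates on that commit, so the gates mentioned in the "picks up the tag" bullet are a post-publish signal rather than a publish gate; either say so explicitly (a failing gate means an already-published version needs a follow-up tag) or move gate execution ahead of tagging in the release PR step. Note also that the preceding context bullet gives the tag shape as `v1.x.y` and the hunk header says consumers pin `^1.0`, while the CHANGELOG in this same PR ships `v0.3.0` within 0.x; align the example with the current major.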
