Merge pull request #7 from script-development/feat/logrule-static-call-coverage

feat(LogRule): cover Model::destroy / Model::forceDestroy static calls

Author: Goosterhof

CHANGELOG.md

@@ -8,6 +8,7 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 ### Changed
 
+- **`LogRule` (BREAKING):** extended to cover the static-call shapes `Model::destroy(...)` and `Model::forceDestroy(...)` on Log-named classes. `getNodeType()` broadened from `MethodCall::class` to `CallLike::class` and `processNode` branches on `MethodCall` vs `StaticCall`. Both shapes emit the same `logRule.logModification` identifier so consumer `phpstan.neon` `ignoreErrors` entries cover the whole rule with one identifier (the previous rule's compliance teeth depended on `delete`/`forceDelete` instance shapes; on a non-soft-delete log model `Model::destroy([1])` purges and `Model::forceDestroy([1])` always purges — both slipped through). `DB::table('logs')->truncate()` is intentionally still out of scope — Builder receiver type carries no Log-named class reference and the table name lives in a string argument; matching that needs a shape-specific call-chain rule. Tracked separately. Versioning: per ADR-0021 §Versioning, this is a Major bump (new errors in code that previously passed); within 0.x this ships as `v0.3.0`. **Pre-cascade audit required across emmie, kendo, entreezuil, ublgenie before tagging** — surface any `::destroy(`/`::forceDestroy(` calls on Log-named classes and route operational-log false positives to consumer-side `phpstan.neon` `ignoreErrors` (same convention used in v0.2.0 for `ublgenie/app/Actions/DeleteBranch.php`). Resolves issue #4.
 - **CI:** added PHP 8.5 to the `ci.yml` and `release.yml` test matrices alongside 8.4 (`['8.4']` → `['8.4', '8.5']`). PHP 8.5.0 was released 2025-11-20; the war-room dev environment already runs 8.5.5 locally, so PRs were getting ad-hoc 8.5 coverage during pre-push but no CI signal. Adding (rather than replacing) keeps 8.4 — the `composer.json` `^8.4` contractual minimum — covered. `shivammathur/setup-php@v2` supports 8.5 since GA. Resolves issue #5.
 
 ## [0.2.0] — 2026-05-04

src/Rules/LogRule.php

@@ -5,17 +5,22 @@
 namespace ScriptDevelopment\PhpstanWarroomRules\Rules;
 
 use PhpParser\Node;
+use PhpParser\Node\Expr\CallLike;
 use PhpParser\Node\Expr\MethodCall;
+use PhpParser\Node\Expr\StaticCall;
 use PhpParser\Node\Identifier;
+use PhpParser\Node\Name;
 use PHPStan\Analyser\Scope;
+use PHPStan\Rules\IdentifierRuleError;
 use PHPStan\Rules\Rule;
 use PHPStan\Rules\RuleErrorBuilder;
 
 use function in_array;
 
 /**
- * Forbids update() / delete() / forceDelete() / forceDeleteQuietly() calls on
- * classes whose name contains "Log" or "logs".
+ * Forbids update / delete / forceDelete / forceDeleteQuietly instance calls and
+ * destroy / forceDestroy static calls on classes whose name contains "Log" or
+ * "logs".
  *
  * Doctrine source: ADR-0001 §Append-only — audit records have no UPDATE, no DELETE.
  *
@@ -25,39 +30,89 @@
  * shouldn't depend on the migration-time convention that audit-log models never
  * adopt SoftDeletes.
  *
+ * `Model::destroy()` / `Model::forceDestroy()` static-call shapes are covered
+ * for the same reason: on a non-soft-delete log model `Model::destroy([1])`
+ * does purge, and `Model::forceDestroy([1])` always purges. Both shapes share
+ * the `logRule.logModification` identifier so consumer suppressions cover the
+ * whole rule with one entry.
+ *
  * Substring matching is intentionally broad. False positives on classes like
  * "Catalog", "Blog", "Terminology", or domain models that include "log" in the
  * name should be suppressed per-territory via phpstan.neon ignoreErrors,
  * scoped to the offending path.
  *
- * Static-call shapes (`Model::destroy()`, `Model::forceDestroy()`,
- * `DB::table('logs')->truncate()`) are not covered — `getNodeType()` returns
- * `MethodCall::class`. Static-call coverage is a separate rule expansion.
+ * `DB::table('logs')->truncate()` is intentionally not covered — the receiver
+ * type is `Illuminate\Database\Query\Builder` (no Log-named class reference),
+ * the table name lives in a string argument, and matching that requires a
+ * shape-specific rule that inspects the call chain. Tracked separately.
  *
- * @implements Rule<MethodCall>
+ * @implements Rule<CallLike>
  */
 final class LogRule implements Rule
 {
-    private const array FORBIDDEN_METHODS = ['delete', 'forceDelete', 'forceDeleteQuietly', 'update'];
+    private const array FORBIDDEN_INSTANCE_METHODS = ['delete', 'forceDelete', 'forceDeleteQuietly', 'update'];
+
+    private const array FORBIDDEN_STATIC_METHODS = ['destroy', 'forceDestroy'];
 
     public function getNodeType(): string
     {
-        return MethodCall::class;
+        return CallLike::class;
     }
 
     public function processNode(Node $node, Scope $scope): array
+    {
+        if ($node instanceof MethodCall) {
+            return $this->processMethodCall($node, $scope);
+        }
+
+        if ($node instanceof StaticCall) {
+            return $this->processStaticCall($node, $scope);
+        }
+
+        return [];
+    }
+
+    /**
+     * @return list<IdentifierRuleError>
+     */
+    private function processMethodCall(MethodCall $node, Scope $scope): array
     {
         if (
             !$node->name instanceof Identifier
-            || !in_array($node->name->toString(), self::FORBIDDEN_METHODS, true)
+            || !in_array($node->name->toString(), self::FORBIDDEN_INSTANCE_METHODS, true)
         ) {
             return [];
         }
 
-        $calledOnType = $scope->getType($node->var);
+        return $this->errorIfReceiverIsLog($scope->getType($node->var)->getReferencedClasses());
+    }
 
-        $referencedClasses = $calledOnType->getReferencedClasses();
+    /**
+     * @return list<IdentifierRuleError>
+     */
+    private function processStaticCall(StaticCall $node, Scope $scope): array
+    {
+        if (
+            !$node->name instanceof Identifier
+            || !in_array($node->name->toString(), self::FORBIDDEN_STATIC_METHODS, true)
+        ) {
+            return [];
+        }
+
+        $referencedClasses = $node->class instanceof Name
+            ? [$scope->resolveName($node->class)]
+            : $scope->getType($node->class)->getReferencedClasses();
 
+        return $this->errorIfReceiverIsLog($referencedClasses);
+    }
+
+    /**
+     * @param array<int, string> $referencedClasses
+     *
+     * @return list<IdentifierRuleError>
+     */
+    private function errorIfReceiverIsLog(array $referencedClasses): array
+    {
         foreach ($referencedClasses as $referencedClass) {
             if (
                 mb_stripos($referencedClass, 'Log') !== false

tests/Fixtures/LogRule/AuditLog.php

@@ -25,4 +25,20 @@ public function forceDeleteQuietly(): bool
     {
         return true;
     }
+
+    /**
+     * @param array<int, int> $ids
+     */
+    public static function destroy(array $ids): int
+    {
+        return 0;
+    }
+
+    /**
+     * @param array<int, int> $ids
+     */
+    public static function forceDestroy(array $ids): int
+    {
+        return 0;
+    }
 }

tests/Fixtures/LogRule/DestroysAuditLog.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types = 1);
+
+use App\Models\AuditLog;
+
+final class DestroysAuditLog
+{
+    public function tamper(): void
+    {
+        AuditLog::destroy([1]);
+    }
+}

tests/Fixtures/LogRule/DestroysRegularModel.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types = 1);
+
+use App\Models\RegularModel;
+
+final class DestroysRegularModel
+{
+    public function purge(): void
+    {
+        RegularModel::destroy([1]);
+    }
+}

tests/Fixtures/LogRule/ForceDestroysAuditLog.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types = 1);
+
+use App\Models\AuditLog;
+
+final class ForceDestroysAuditLog
+{
+    public function tamper(): void
+    {
+        AuditLog::forceDestroy([1]);
+    }
+}

tests/Fixtures/LogRule/RegularModel.php

@@ -25,4 +25,20 @@ public function forceDeleteQuietly(): bool
     {
         return true;
     }
+
+    /**
+     * @param array<int, int> $ids
+     */
+    public static function destroy(array $ids): int
+    {
+        return 0;
+    }
+
+    /**
+     * @param array<int, int> $ids
+     */
+    public static function forceDestroy(array $ids): int
+    {
+        return 0;
+    }
 }

tests/Rules/LogRuleTest.php

@@ -65,6 +65,32 @@ public function testFlagsForceDeleteQuietlyOnLogClass(): void
         );
     }
 
+    public function testFlagsDestroyOnLogClass(): void
+    {
+        $this->analyse(
+            [__DIR__ . '/../Fixtures/LogRule/DestroysAuditLog.php'],
+            [
+                [
+                    'Logs should not be updated or deleted.',
+                    11,
+                ],
+            ],
+        );
+    }
+
+    public function testFlagsForceDestroyOnLogClass(): void
+    {
+        $this->analyse(
+            [__DIR__ . '/../Fixtures/LogRule/ForceDestroysAuditLog.php'],
+            [
+                [
+                    'Logs should not be updated or deleted.',
+                    11,
+                ],
+            ],
+        );
+    }
+
     public function testIgnoresUpdateOnRegularClass(): void
     {
         $this->analyse(
@@ -81,6 +107,14 @@ public function testIgnoresForceDeleteOnRegularClass(): void
         );
     }
 
+    public function testIgnoresDestroyOnRegularClass(): void
+    {
+        $this->analyse(
+            [__DIR__ . '/../Fixtures/LogRule/DestroysRegularModel.php'],
+            [],
+        );
+    }
+
     protected function getRule(): Rule
     {
         return new LogRule;