release: prep v0.4.0 (CHANGELOG retitle + login-handler false-positive recipe)#35

Merged: jasperboerhof merged 1 commit into main from release/v0.4.0-prep on Jun 15, 2026

@Goosterhof

Contributor

What

Release-prep for v0.4.0 (tag-then-cascade model). Doc-only diff — no rule source changes.

  • CHANGELOG: [Unreleased] → [0.4.0] — 2026-06-15, with a release-as-a-whole MAJOR header. v0.4.0 ships four new rules (EnforceCurrentUserAttributeRule, ForbidEloquentMutationInControllersRule, EnforceAuditTransactionScopeRule, EnforceFormRequestToDtoRule) plus the two folded NEON-double-backslash no-op fixes.
  • README: new EnforceCurrentUserAttributeRule — false positives section documenting the login-handler suppression recipe.

Why the model changed from v0.3.0

Unlike v0.3.0 (audited clean fleet-wide before tag), v0.4.0 is tagged known-dirty. The ^0.{minor} caret means ^0.3 excludes 0.4.0, so tagging auto-adopts nobody — each consumer remediates and goes green on its own ^0.3 → ^0.4 bump PR (Phase B). The per-rule "pre-cascade audit" notes are rewritten from before-tag to per-territory Phase-B bump time accordingly.

Login-handler false positive (n=2)

#[CurrentUser] resolves at method-entry DI time; login handlers resolve the user after Auth::attempt() on a guest/throttle-only route, so the attribute would inject null. The rule can't see routes and the package forbids in-rule exceptions → the canonical fix is a consumer-side ignoreErrors, now documented. Confirmed independently on two territories this session (entreezuil AuthenticatedSessionController::store, ublgenie AuthController::store).

After merge

Tag v0.4.0 on the merge commit → release.yml fires (verified the awk release-notes extraction resolves the v0.4.0 block cleanly). Then per-territory Phase-B ^0.3 → ^0.4 bumps. Tag push is Commander-gated.

Test

Doc-only. CHANGELOG awk-extraction for 0.4.0 validated locally (29-line body, stops at [0.3.0]). CI (ci.yml) is authority for format/phpstan/test.

…ve recipe

- CHANGELOG [Unreleased] -> [0.4.0] (2026-06-15), release-as-a-whole MAJOR.
  v0.4.0 ships 4 new rules + 2 folded no-op fixes. Unlike v0.3.0 (clean
  fleet-wide before tag), v0.4.0 tags known-dirty: per-rule pre-cascade
  audits move to per-territory Phase-B bump time. ^0.3 excludes 0.4.0 so
  tagging auto-adopts nobody; each consumer remediates+goes-green on bump.
- README: new EnforceCurrentUserAttributeRule false-positives section —
  login handlers resolve the user after Auth::attempt() on guest routes,
  so #[CurrentUser] (method-entry DI) injects null. Doctrine-correct fix
  is consumer-side ignoreErrors (n=2: entreezuil/ublgenie store()).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Goosterhof Goosterhof requested a review from a team as a code owner June 15, 2026 10:36
@Goosterhof Goosterhof added the Agent Review Requested Requesting review of specialized AI review agents. label Jun 15, 2026

@Goosterhof Goosterhof left a comment

Contributor Author

✅ Approve-worthy

0 blockers · 0 concerns · 1 nit · 1 praise · 1 inline
Round 1. CI green (check (8.4), check (8.5) both pass).

Doc-only release-prep for v0.4.0: retitles the [Unreleased] block to [0.4.0] — 2026-06-15 with a known-dirty tag-then-cascade model, and adds a README login-handler false-positive recipe for EnforceCurrentUserAttributeRule. Scope matches the body exactly — no rule source touched. I verified the load-bearing piece directly: the release.yml awk extractor (.github/workflows/release.yml:66-73) keys on /^## \[/ + [VERSION], so on v0.4.0 it matches ## [0.4.0] — 2026-06-15 and prints through to the next ## [ header ([0.3.0]), capturing the full ### Added / ### Fixed body. The empty ## [Unreleased] sitting above it does not interfere — found stays 0 on that line. The body's "stops at [0.3.0]" claim holds.

Praise: the known-dirty rationale (^0.{minor} caret means ^0.3 excludes 0.4.0, so tagging auto-adopts nobody → per-territory Phase-B remediation) is the honest model for a release that surfaces new errors across the fleet, and it's documented at the point a future reader needs it.

Findings (detail inline)

  • Nit — CHANGELOG.md:7 — dangling empty [Unreleased].

Automated war-room agent review — posted because this PR carries the Agent Review Requested label.
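
The extraction behaviour this review describes, as an added example that is not part of the PR or the project's release.yml (which this page does not show). The function names and the sample changelog are constructed for illustration; the version is matched as a literal string rather than a regex, and an empty block fails the step instead of publishing blank release notes.

```shell
# Added example; reconstructs the behaviour described in the review above.
# It is not the project's release.yml, which this page does not show.

# Print the body of the "## [VERSION]" block; VERSION has no leading "v".
extract_release_notes() {
  awk -v ver="$1" '
    /^## \[/ {
      if (found) exit                                  # next release header ends the block
      if (index($0, "## [" ver "]") == 1) found = 1    # literal prefix match, dots are not wildcards
      next                                             # header lines are never printed
    }
    found { print }
  ' "$2"
}

# Fail closed: a tag with no changelog body must not produce empty release notes.
release_notes_or_fail() {
  notes=$(extract_release_notes "$1" "$2")
  if ! printf '%s\n' "$notes" | grep -q '[^[:space:]]'; then
    echo "no changelog body found for version $1" >&2
    return 1
  fi
  printf '%s\n' "$notes"
}

# Constructed sample input (hypothetical helper): an empty [Unreleased] block
# above the release, as in the nit raised in this review.
write_sample_changelog() {
  cat > "$1" <<'EOF'
# Changelog

## [Unreleased]

## [0.4.0] — 2026-06-15

### Added
- EnforceCurrentUserAttributeRule

### Fixed
- NEON double-backslash no-op fix

## [0.3.0] — (constructed placeholder date)

### Added
- constructed earlier entry
EOF
}
```

Calling `release_notes_or_fail 0.4.0 CHANGELOG.md` prints the `### Added` and `### Fixed` sections and stops before `## [0.3.0]`; a version with no block, or the empty `Unreleased` block, returns non-zero.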

Comment thread CHANGELOG.md
@jasperboerhof

Contributor

Review Loop · 9/10 · PASS

phpstan-warroom-rules #35 · AC anchor: none (doc-only release prep; no issue/plan/PR-AC anchor) · head ccca727b12

Tip

No findings — clean against the review checklist.

Action

merge-ready

@jasperboerhof jasperboerhof left a comment

Contributor

Auto-approved — review-loop verdict PASS, CI green, no human blocker, no open MAJOR+ threads. See the verdict comment + inline notes.

@jasperboerhof jasperboerhof enabled auto-merge June 15, 2026 12:57
@jasperboerhof jasperboerhof merged commit 64946b7 into main Jun 15, 2026
2 checks passed