Clear phpstan-baseline.neon by fixing the underlying test issues

[turegjorup]

Summary

PR #40 added tests/ to PHPStan's paths and grandfathered 46 pre-existing level-8 issues into phpstan-baseline.neon with a note that the baseline should shrink over time. This PR pays that debt down — to zero — and removes the baseline file.

PHPStan still runs at level 8 across src and tests and remains clean.

How the 46 errors were cleared

Six small commits, each isolated and easy to review:

1. Drop nullable from $provider test property — $this->provider is set in setUp() and never assigned null; the ?OpenIdConfigurationProvider declaration was the root cause of 25 Cannot call method X() on …|null errors. Single-character fix, 25 baseline entries removed.
2. Install phpstan/phpstan-mockery for Mockery type stubs — the official extension shipping stubs for the shouldReceive(...)->andReturn(...) fluent API. 8 entries removed.
3. Narrow validateIdToken claim accesses via @var — annotate each call site's local $claims with an object{nonce, aud} shape so the subsequent property reads type-check. 5 entries removed.
4. Fail loudly on missing fixtures and malformed authorization URLs — replaces silent (string) coercion of file_get_contents / parse_url (which masks false returns as empty strings) with a loadMockFixture() helper using assertNotFalse / assertIsArray, plus an assertIsString guard on parse_url. 4 entries removed.
5. Clear remaining level-8 test issues — three small fixes: expectNotToPerformAssertions() replacing assertTrue(true) tautology; reflection-based marker-implementation check replacing constant-folded is_subclass_of tautology; ?int type on MockJWT::\$leeway. 4 entries removed.
6. Delete now-empty phpstan-baseline.neon — and drop its include line from phpstan.neon.

Why no (string) casts for string|false returns

A silent (string) cast of false coerces to the empty string, which then flows into JSON / URL parsing and produces confusing downstream assertion failures rather than the actual diagnostic ("file not readable", "URL has no query"). Commit 4 handles this at the actual error boundary with PHPUnit assertions, so a missing fixture or malformed URL fails the test with a precise message.

Test plan

• task test:coverage — 87 tests, 135 assertions; 100% coverage on OpenIdConfigurationProvider (24/24 methods, 148/148 lines) preserved.
• task analyze:php — PHPStan max level 8, no errors, no baseline.
• task lint:php — clean.
• CI matrix on PR (PHP 8.3/8.4/8.5 × stable/lowest).

Follow-up still owed

Two pre-existing (string) casts in src/Security/OpenIdConfigurationProvider.php (lines 373 and 472) coerce mixed JSON-decoded values to string. They're not the string|false antipattern — the source is JWKS / OIDC discovery payload whose schema specifies strings — but replacing them with explicit is_string guards would catch any future malformed-payload case at the actual boundary. Will follow up separately so this PR stays scoped to the test/baseline cleanup.

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (4c8916e) to head (54be58b).

Additional details and impacted files

@@             Coverage Diff             @@
##             develop       #41   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity        62        62           
===========================================
  Files              1         1           
  Lines            172       172           
===========================================
  Hits             172       172           

Flag	Coverage Δ
unittests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.