Upgrade PHPStan to 2.x and raise analysis level from 6 to 10

- Bump phpstan/phpstan ^2.0 and szepeviktor/phpstan-wordpress ^2.0
- Move the analysis level into phpstan.neon (single source) and raise it to 10
- Add Val, a runtime coercion helper that narrows untyped WordPress boundary
  values (wpdb rows, REST params, superglobals, options) with explicit checks
  instead of blind casts, plus unit tests
- Type value-object fromRow() params as stdClass (what wpdb returns) and map
  columns through Val so unexpected shapes degrade safely
- Use %i identifier placeholders for table names in all wpdb::prepare() calls
  so every query string is a literal and identifiers are escaped by WordPress;
  raises the minimum WordPress version to 6.2 where %i was introduced
- Guard wpdb::prepare() null result before wpdb::query() in updateTax()
- Fix nullable get_permalink()/strtotime() handling, list types at REST and
  capability call sites, dead null-coalescing on checked superglobals, and
  narrow get_users() results before mapping
- Register Val method names with the ValidatedSanitizedInput sniff so it
  validates the real sanitizer around each superglobal read
- Update repository unit tests for the %i placeholder arguments

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

src/Payment/PaymentReportController.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 namespace Unsupervised\Schedular\Payment;
 
 use Unsupervised\Schedular\Auth\RoleManager;
+use Unsupervised\Schedular\Val;
 
 class PaymentReportController {
 
@@ -21,8 +22,8 @@ class PaymentReportController {
 		}
 
 		// phpcs:disable WordPress.Security.NonceVerification.Recommended -- read-only report filters, no state change.
-		$month        = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( wp_unslash( $_GET['month'] ) ) : '' );
-		$instructorId = isset( $_GET['instructor_id'] ) ? absint( $_GET['instructor_id'] ) : 0;
+		$month        = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( Val::string( wp_unslash( $_GET['month'] ) ) ) : '' );
+		$instructorId = isset( $_GET['instructor_id'] ) ? absint( Val::int( $_GET['instructor_id'] ) ) : 0;
 		// phpcs:enable WordPress.Security.NonceVerification.Recommended
 
 		$instructorId = $this->scopeInstructor( $instructorId );
@@ -58,8 +59,8 @@ class PaymentReportController {
 		check_admin_referer( self::EXPORT_ACTION );
 
 		// phpcs:disable WordPress.Security.NonceVerification.Recommended -- nonce checked above.
-		$month        = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( wp_unslash( $_GET['month'] ) ) : '' );
-		$instructorId = isset( $_GET['instructor_id'] ) ? absint( $_GET['instructor_id'] ) : 0;
+		$month        = $this->sanitizeMonth( isset( $_GET['month'] ) ? sanitize_text_field( Val::string( wp_unslash( $_GET['month'] ) ) ) : '' );
+		$instructorId = isset( $_GET['instructor_id'] ) ? absint( Val::int( $_GET['instructor_id'] ) ) : 0;
 		// phpcs:enable WordPress.Security.NonceVerification.Recommended
 
 		$instructorId = $this->scopeInstructor( $instructorId );
@@ -92,7 +93,8 @@ class PaymentReportController {
 	 */
 	private function buildReport( string $month, int $instructorId ): PaymentReport {
 		$start = $month . '-01 00:00:00';
-		$end   = gmdate( 'Y-m-d H:i:s', strtotime( $month . '-01 00:00:00 +1 month' ) );
+		$endTs = strtotime( $month . '-01 00:00:00 +1 month' );
+		$end   = false === $endTs ? $start : gmdate( 'Y-m-d H:i:s', $endTs );
 
 		$rows = array_map(
 			static function ( Payment $payment ): array {