Upgrade PHPStan to 2.x and raise analysis level from 6 to 10

- Bump phpstan/phpstan ^2.0 and szepeviktor/phpstan-wordpress ^2.0
- Move the analysis level into phpstan.neon (single source) and raise it to 10
- Add Val, a runtime coercion helper that narrows untyped WordPress boundary
  values (wpdb rows, REST params, superglobals, options) with explicit checks
  instead of blind casts, plus unit tests
- Type value-object fromRow() params as stdClass (what wpdb returns) and map
  columns through Val so unexpected shapes degrade safely
- Use %i identifier placeholders for table names in all wpdb::prepare() calls
  so every query string is a literal and identifiers are escaped by WordPress;
  raises the minimum WordPress version to 6.2 where %i was introduced
- Guard wpdb::prepare() null result before wpdb::query() in updateTax()
- Fix nullable get_permalink()/strtotime() handling, list types at REST and
  capability call sites, dead null-coalescing on checked superglobals, and
  narrow get_users() results before mapping
- Register Val method names with the ValidatedSanitizedInput sniff so it
  validates the real sanitizer around each superglobal read
- Update repository unit tests for the %i placeholder arguments

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

src/Policy/PolicyEndpoint.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 namespace Unsupervised\Schedular\Policy;
 
 use Unsupervised\Schedular\Auth\RoleManager;
+use Unsupervised\Schedular\Val;
 
 class PolicyEndpoint {
 
@@ -13,6 +14,11 @@ class PolicyEndpoint {
 		private PolicyService $service,
 	) {}
 
+	/**
+	 * Registers this endpoint's REST routes.
+	 *
+	 * @param non-falsy-string $route_namespace REST namespace the routes are registered under (e.g. `us-scheduler/v1`).
+	 */
 	public function registerRoutes( string $route_namespace ): void {
 		register_rest_route(
 			$route_namespace,
@@ -74,7 +80,7 @@ class PolicyEndpoint {
 	 * `both`-scoped policies).
 	 */
 	public function index( \WP_REST_Request $request ): \WP_REST_Response {
-		$scope    = (string) $request->get_param( 'scope' );
+		$scope    = Val::string( $request->get_param( 'scope' ) );
 		$policies = in_array( $scope, [ Policy::SCOPE_SIGNUP, Policy::SCOPE_BOOKING ], true )
 			? $this->policies->findForScope( $scope )
 			: $this->policies->findAll();
@@ -108,12 +114,12 @@ class PolicyEndpoint {
 	}
 
 	public function create( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
-		$title = sanitize_text_field( (string) $request->get_param( 'title' ) );
+		$title = sanitize_text_field( Val::string( $request->get_param( 'title' ) ) );
 		if ( '' === $title ) {
 			return $this->invalid( __( 'A policy title is required.', 'unsupervised-schedular' ) );
 		}
 
-		$slugParam = sanitize_text_field( (string) $request->get_param( 'slug' ) );
+		$slugParam = sanitize_text_field( Val::string( $request->get_param( 'slug' ) ) );
 		$slug      = sanitize_title( '' !== $slugParam ? $slugParam : $title );
 		if ( '' === $slug ) {
 			return $this->invalid( __( 'A valid policy slug is required.', 'unsupervised-schedular' ) );
@@ -123,7 +129,7 @@ class PolicyEndpoint {
 			return new \WP_Error( 'duplicate_slug', __( 'A policy with that slug already exists.', 'unsupervised-schedular' ), [ 'status' => 409 ] );
 		}
 
-		$scope = (string) ( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
+		$scope = Val::string( $request->get_param( 'acceptance_scope' ) ?? Policy::SCOPE_BOOKING );
 		if ( ! in_array( $scope, Policy::VALID_SCOPES, true ) ) {
 			return $this->invalid( __( 'Invalid acceptance scope.', 'unsupervised-schedular' ) );
 		}
@@ -134,12 +140,12 @@ class PolicyEndpoint {
 	}
 
 	public function addVersion( \WP_REST_Request $request ): \WP_REST_Response|\WP_Error {
-		$policy = $this->policies->findById( absint( $request->get_param( 'id' ) ) );
+		$policy = $this->policies->findById( absint( Val::int( $request->get_param( 'id' ) ) ) );
 		if ( null === $policy ) {
 			return $this->notFound();
 		}
 
-		$body = wp_kses_post( (string) $request->get_param( 'body' ) );
+		$body = wp_kses_post( Val::string( $request->get_param( 'body' ) ) );
 		$id   = $this->service->addDraftVersion( (int) $policy->id, $body );
 
 		return new \WP_REST_Response( [ 'id' => $id ], 201 );
@@ -155,7 +161,7 @@ class PolicyEndpoint {
 			return $this->invalid( __( 'Only draft versions can be edited.', 'unsupervised-schedular' ) );
 		}
 
-		$body = wp_kses_post( (string) $request->get_param( 'body' ) );
+		$body = wp_kses_post( Val::string( $request->get_param( 'body' ) ) );
 		$this->versions->updateBody( (int) $version->id, $body );
 
 		return new \WP_REST_Response(
@@ -173,7 +179,7 @@ class PolicyEndpoint {
 			return $version;
 		}
 
-		$this->service->publishVersion( (int) $request->get_param( 'id' ), (int) $version->id );
+		$this->service->publishVersion( Val::int( $request->get_param( 'id' ) ), (int) $version->id );
 
 		return new \WP_REST_Response(
 			[
@@ -202,8 +208,8 @@ class PolicyEndpoint {
 	 * Load the version named in the route and confirm it belongs to the policy.
 	 */
 	private function loadVersionForPolicy( \WP_REST_Request $request ): PolicyVersion|\WP_Error {
-		$policyId = absint( $request->get_param( 'id' ) );
-		$version  = $this->versions->findById( absint( $request->get_param( 'vid' ) ) );
+		$policyId = absint( Val::int( $request->get_param( 'id' ) ) );
+		$version  = $this->versions->findById( absint( Val::int( $request->get_param( 'vid' ) ) ) );
 
 		if ( null === $version || $version->policyId !== $policyId ) {
 			return $this->notFound();