Develop

.gitattributes

@@ -14,5 +14,4 @@
 /phpstan.neon   export-ignore
 /phpunit.xml    export-ignore
 /psalm.xml      export-ignore
-/Makefile       export-ignore
-/composer.lock
+/Makefile       export-ignore

.github/workflows/ci.yml

@@ -0,0 +1,48 @@
+name: CI
+
+# ARFA 1.3 / KaririCode Spec V4.0 — Unified CI Pipeline
+# Runs on every push and PR targeting main or develop.
+# Full pipeline: cs-fixer → phpstan (L9) → psalm → phpunit (pcov)
+# Zero tolerance: any tool failure blocks the merge.
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  workflow_dispatch:
+
+jobs:
+  quality:
+    name: Quality Pipeline (ARFA 1.3)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # PHP 8.4 + pcov (mandatory driver per ARFA 1.3 §Testing)
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: mbstring, xml
+          coverage: pcov
+
+      # Pure dependency install — no scripts to avoid environment pollution
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist --no-progress --no-scripts
+
+      # Bootstrap kcode.phar from the official KaririCode release
+      - name: Install kcode (KaririCode Devkit)
+        run: |
+          wget -q https://github.com/KaririCode-Framework/kariricode-devkit/releases/latest/download/kcode.phar
+          chmod +x kcode.phar
+          sudo mv kcode.phar /usr/local/bin/kcode
+
+      # Generate .kcode/ configs: phpunit.xml.dist, phpstan.neon, psalm.xml, etc.
+      - name: Initialize devkit (.kcode/ generation)
+        run: kcode init
+
+      # cs-fixer → phpstan (L9) → psalm → phpunit
+      # Exit code ≠ 0 fails the job (zero-tolerance policy)
+      - name: Run full quality pipeline
+        run: kcode quality

.github/workflows/code-quality.yml

@@ -0,0 +1,204 @@
+name: Code Quality
+
+# ARFA 1.3 / KaririCode Spec V4.0 — Parallel Quality Gates
+# Runs 5 parallel jobs with a quality-summary gate job.
+# Triggers: main, develop, feature branches, PRs, and manual dispatch.
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+      - 'feature/**'
+  pull_request:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+jobs:
+  # ============================================================================
+  # DEPENDENCY VALIDATION (Spec V4.0 — zero-dep contract)
+  # Validates that composer.json is valid and platform requirements are met.
+  # Sanitizer mandates: zero external runtime dependencies.
+  # ============================================================================
+  dependencies:
+    name: Dependency Validation
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          tools: composer:v2
+          coverage: none
+
+      - name: Validate composer.json
+        run: composer validate --strict --no-check-lock
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-scripts
+
+      - name: Check platform requirements
+        run: composer check-platform-reqs
+
+  # ============================================================================
+  # SECURITY AUDIT (ARFA 1.3 — resilience pillar)
+  # Uses native composer audit — no deprecated security-checker.
+  # ============================================================================
+  security:
+    name: Security Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          tools: composer:v2
+          coverage: none
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-scripts
+
+      - name: Run composer audit
+        run: composer audit --format=plain
+
+  # ============================================================================
+  # STATIC ANALYSIS (Spec V4.0 S14 — Type Safety)
+  # kcode analyse runs PHPStan Level 9 + Psalm (100% type inference).
+  # Both tools must pass with zero errors — enforced by kcode exit code.
+  # ============================================================================
+  analyse:
+    name: Static Analysis — PHPStan L9 + Psalm
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: mbstring, xml
+          coverage: none
+          tools: composer:v2
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-scripts
+
+      - name: Install kcode
+        run: |
+          wget -q https://github.com/KaririCode-Framework/kariricode-devkit/releases/latest/download/kcode.phar
+          chmod +x kcode.phar
+          sudo mv kcode.phar /usr/local/bin/kcode
+
+      - name: Initialize devkit
+        run: kcode init
+
+      # Runs PHPStan Level 9 then Psalm sequentially — both must pass
+      - name: Run PHPStan + Psalm via kcode
+        run: kcode analyse
+
+  # ============================================================================
+  # CODE STYLE (ARFA 1.3 Naming / Formatting Standards)
+  # kcode cs:fix enforces PSR-12 + PHP 8.4 migrations + KaririCode rules.
+  # --check: dry-run only — fails if any violation exists.
+  # ============================================================================
+  cs-fixer:
+    name: Code Style — PHP CS Fixer
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: mbstring, xml
+          coverage: none
+          tools: composer:v2
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-scripts
+
+      - name: Install kcode
+        run: |
+          wget -q https://github.com/KaririCode-Framework/kariricode-devkit/releases/latest/download/kcode.phar
+          chmod +x kcode.phar
+          sudo mv kcode.phar /usr/local/bin/kcode
+
+      - name: Initialize devkit
+        run: kcode init
+
+      - name: Check code style (dry-run)
+        run: kcode cs:fix --check
+
+  # ============================================================================
+  # UNIT & INTEGRATION TESTS (ARFA 1.3 §Testing — Zero Tolerance)
+  # pcov is the mandatory driver (performance + accuracy over Xdebug).
+  # Requires: 0 failures, 0 errors, 0 warnings, 0 risky tests.
+  # ============================================================================
+  tests:
+    name: PHPUnit Tests (pcov)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: mbstring, xml
+          coverage: pcov
+          tools: composer:v2
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-scripts
+
+      - name: Install kcode
+        run: |
+          wget -q https://github.com/KaririCode-Framework/kariricode-devkit/releases/latest/download/kcode.phar
+          chmod +x kcode.phar
+          sudo mv kcode.phar /usr/local/bin/kcode
+
+      - name: Initialize devkit
+        run: kcode init
+
+      - name: Run tests with coverage (pcov)
+        run: kcode test --coverage
+
+  # ============================================================================
+  # QUALITY SUMMARY — Gate job (if: always())
+  # Aggregates all job results and fails the workflow if any check failed.
+  # Posts a markdown summary to the GitHub Actions run.
+  # ============================================================================
+  quality-summary:
+    name: Quality Summary
+    runs-on: ubuntu-latest
+    needs: [dependencies, security, analyse, cs-fixer, tests]
+    if: always()
+
+    steps:
+      - name: Post quality summary
+        run: |
+          echo "## KaririCode Sanitizer — Quality Report (ARFA 1.3)" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Check | Result |" >> "$GITHUB_STEP_SUMMARY"
+          echo "|-------|--------|" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Dependency Validation | ${{ needs.dependencies.result }} |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Security Audit | ${{ needs.security.result }} |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Static Analysis (PHPStan L9 + Psalm) | ${{ needs.analyse.result }} |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Code Style (CS Fixer) | ${{ needs.cs-fixer.result }} |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| PHPUnit Tests (pcov) | ${{ needs.tests.result }} |" >> "$GITHUB_STEP_SUMMARY"
+
+          if [ "${{ needs.security.result }}" != "success" ] ||              [ "${{ needs.analyse.result }}" != "success" ] ||              [ "${{ needs.cs-fixer.result }}" != "success" ] ||              [ "${{ needs.tests.result }}" != "success" ]; then
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+            echo "❌ One or more quality gates failed. Merge blocked." >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "✅ All quality gates passed — ARFA 1.3 compliant." >> "$GITHUB_STEP_SUMMARY"

.github/workflows/release.yml

@@ -0,0 +1,80 @@
+name: Release
+
+# ARFA 1.3 / KaririCode Spec V4.0 — Release Pipeline
+# Triggers on semantic version tags (v*).
+# Full quality gate (kcode quality) must pass before release is published.
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Quality Gate + GitHub Release
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # PHP 8.4 + pcov: releases MUST pass with coverage (ARFA 1.3 §Testing)
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: mbstring, xml
+          coverage: pcov
+          tools: composer:v2
+
+      # --no-scripts prevents accidental environment pollution during release
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist --no-progress --no-scripts
+
+      - name: Install kcode (KaririCode Devkit)
+        run: |
+          wget -q https://github.com/KaririCode-Framework/kariricode-devkit/releases/latest/download/kcode.phar
+          chmod +x kcode.phar
+          sudo mv kcode.phar /usr/local/bin/kcode
+
+      - name: Initialize devkit
+        run: kcode init
+
+      # Full pipeline: cs-fixer → phpstan (L9) → psalm → phpunit (pcov)
+      # Exit code ≠ 0 aborts the release — zero tolerance (ARFA 1.3)
+      - name: Run full quality pipeline (release gate)
+        run: kcode quality
+
+      - name: Extract version from tag
+        id: version
+        run: echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ steps.version.outputs.tag }}
+          name: KaririCode Sanitizer ${{ steps.version.outputs.tag }}
+          draft: false
+          prerelease: false
+          body: |
+            ## KaririCode\Sanitizer ${{ steps.version.outputs.tag }}
+
+            PHP 8.4+ sanitizer engine — **zero external dependencies**, ARFA 1.3 compliant.
+
+            ## Installation
+
+            ```bash
+            composer require kariricode/sanitizer
+            ```
+
+            ## Quality Metrics
+
+            | Metric | Value |
+            |--------|-------|
+            | PHPStan Level | 9 (0 errors) |
+            | Psalm | 100% (0 errors) |
+            | Coverage | 100% |
+            | Dependencies | 0 (runtime) |
+
+            See [CHANGELOG.md](CHANGELOG.md) for details.

.gitignore

@@ -64,3 +64,6 @@ tests/lista_de_arquivos_test.php
 lista_de_arquivos.txt
 lista_de_arquivos_tests.txt
 add_static_to_providers.php
+
+# KaririCode Devkit — generated configs and build artifacts
+.kcode/