From 2c6f3c3b2c9d7cb03ba9a1e42cb5298a1a0aefeb Mon Sep 17 00:00:00 2001 From: turegjorup Date: Thu, 11 Jun 2026 10:47:56 +0200 Subject: [PATCH] ci: raise minimum mutation score to 95 and condense changelog entries All 115 mutants are killed (100% covered MSI), so the bootstrap threshold of 78 no longer defends anything; 95 keeps headroom for run-to-run variance. The Unreleased changelog entries from the mutation-testing rollout are condensed to the final outcome instead of the in-flight per-PR steps, matching the tone of earlier releases. Co-Authored-By: Claude Fable 5 --- CHANGELOG.md | 47 +++++++---------------------------------------- infection.json5 | 5 +++-- 2 files changed, 10 insertions(+), 42 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bdac88e..2fa67df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,49 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- Dev: mutation testing with [Infection](https://infection.github.io/) - (`task test:mutation`). The minimum mutation score is configured in - `infection.json5` and enforced in CI; escaped mutants are annotated inline - on pull requests, and results for `develop` are published to the Stryker - dashboard (mutation score badge in the README). No effect on the published - package. +- Mutation testing with [Infection](https://infection.github.io/) + (`task test:mutation`), run in CI and reported to the Stryker dashboard + (mutation score badge in README) ### Changed -- CI: the mutation-tests job declares its PHP version and dependency set - via a single-entry matrix (`Mutation tests (8.3, prefer-stable)`), so - the job name makes explicit what mutation testing runs on. No effect on - the published package. -- Dev: test fixtures use RFC 2606 reserved domains only — - `provider.example.org` for IdP-side URLs (metadata, authorization) and - `app.example.org` for application-side URLs (redirect/callback, CLI - login), replacing real registrable domains (`app.com`, `provider.com`, - `other.com`, `test.com`). No effect on the published package. -- Dev: strengthened Security tests based on mutation testing findings — - the redirect-route parameters are asserted to reach the router when - building a provider redirect URI, `validateClaims` is asserted to look - up the exact provider key from the session and to merge - `open_id_connect_provider` into the returned claims, and a request - without any `loginToken` parameter is asserted to be rejected as - unauthorized. No effect on the published package. 
-- Dev: strengthened CLI login flow tests based on mutation testing - findings — redeeming an unknown token is asserted to throw - `TokenNotFoundException` specifically, both cache entries (token and - reverse username entry) are asserted removed after a token is used, - `encodeKey` asserts the exact namespaced encoding instead of only an - encode/decode roundtrip, and the CLI login URL is asserted to receive - the login token and route. No effect on the published package. -- Dev: added a test for `ItkDevOpenIdConnectBundle::getContainerExtension()` - asserting the custom extension is created and memoized (same instance on - repeated calls), prompted by mutation testing findings. No effect on the - published package. -- Dev: strengthened DependencyInjection tests based on mutation testing - findings — the extension's container wiring (cache pool reference, - provider options mapping, CLI login route arguments) is now asserted - explicitly, and the documented invariant that provider keys are not - normalized (`my-provider` ≠ `my_provider`) is covered by a test. No - effect on the published package. - +- Strengthened tests guided by mutation testing; mutation score raised to + 100% with a CI threshold of 95 (`minCoveredMsi` in `infection.json5`) +- Test fixtures use RFC 2606 reserved domains (`provider.example.org`, + `app.example.org`) instead of registrable domains - CI: bumped `codecov/codecov-action` from `v5` to `v7` (restores Codecov's GPG signing key after the `codecovsecurity` account was removed, and moves the bundled `github-script` to Node 24) and set `fail_ci_if_error: false` diff --git a/infection.json5 b/infection.json5 index f672303..1cf7f63 100644 --- a/infection.json5 +++ b/infection.json5 
@@ -5,8 +5,9 @@ }, "threads": "max", // Minimum mutation score for covered code; enforced locally and in CI. - // Baseline measured at 80% — ratchet up as surviving mutants are killed. - "minCoveredMsi": 78, + // The suite currently kills all mutants (100%); 95 leaves headroom for + // run-to-run variance without letting real test-quality erosion through. + "minCoveredMsi": 95, "logs": { "text": "infection.log", "html": "infection.html",
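Review bot: In the CHANGELOG.md hunk, the three condensed bullets drop both the `Dev:`/`CI:` scope prefix and the "No effect on the published package" statement, while the unchanged entry right below them still begins with `CI: bumped codecov/codecov-action`, so the `### Changed` list now mixes two styles. Readers of the release notes can also no longer tell that the mutation-testing and fixture entries are development-only. Either keep a scope prefix on the new bullets or drop it from the codecov entry too, and keep one line saying these changes do not affect the published package.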
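Review bot: In the infection.json5 hunk, the comment above `"minCoveredMsi": 95` attributes the whole gap to run-to-run variance, but with the 115 mutants quoted in the commit message (assuming all are covered) a threshold of 95 still passes with up to five escaped mutants (110/115 ≈ 95.7%; a sixth drops it to about 94.8%). That is test-quality erosion the comment says it does not let through. Please state in the comment how many escaped mutants the threshold tolerates, or set the value closer to the measured score if runs are deterministic. The literal "(100%)" in the comment will also go stale as soon as a mutant escapes, so consider pointing to the dashboard badge instead of recording the current score in the config file.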