The package test suite should cover every public class and contract behavior.
From package/security:

    ..\..\vendor\bin\phpunit.bat

On Unix-like shells:

    ../../vendor/bin/phpunit

Security tests should verify:
- permission and role normalization;
- context authentication, grants, roles, attributes, and clone isolation;
- policy registry add, override, lookup, matching, removal, and clearing;
- authorization grant, deny, abstain, and denial precedence;
- result object metadata and exception behavior;
- CSRF token creation, serialization, matching, expiration, malformed state, validation, consumption, and storage;
- password hash, verify, rehash, and invalid configuration handling;
- exception factory messages and previous exceptions.
Use small fixtures for policies, token storage, and session behavior. Tests should avoid real PHP sessions unless specifically testing the native session package.
Expected denials should usually assert AuthorizationResult state. Broken configuration and invalid security state should assert package-specific exceptions.
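
One way to write such a fixture-backed test without touching a real PHP session, as an added example that is not the package's own code. `ArrayTokenStorage` and `validateCsrf()` are hypothetical stand-ins for the package's token storage and CSRF validation classes, and the clock is passed in as an integer so expiration can be tested deterministically.

```php
<?php
declare(strict_types=1);
use PHPUnit\Framework\TestCase;

// Hypothetical fixture: array-backed token storage standing in for $_SESSION.
final class ArrayTokenStorage
{
    private array $tokens = [];

    public function put(string $id, string $value, int $expires): void
    {
        $this->tokens[$id] = ['value' => $value, 'expires' => $expires];
    }

    // Returns the stored record and removes it, so a token validates only once.
    public function consume(string $id): ?array
    {
        $record = $this->tokens[$id] ?? null;
        unset($this->tokens[$id]);
        return $record;
    }
}

// Hypothetical validator, a stand-in for the package's CSRF manager.
function validateCsrf(ArrayTokenStorage $storage, string $id, mixed $submitted, int $now): bool
{
    $record = $storage->consume($id);
    if ($record === null || !is_string($submitted) || $submitted === '') {
        return false; // unknown id or malformed submission
    }
    // Expiry is judged against the injected clock; comparison is constant-time.
    return $now < $record['expires'] && hash_equals($record['value'], $submitted);
}

final class CsrfFixtureTest extends TestCase
{
    public function testTokenIsSingleUseExpiresAndRejectsMalformedInput(): void
    {
        $storage = new ArrayTokenStorage();
        $token = bin2hex(random_bytes(16)); // constructed sample token
        $storage->put('form', $token, 1000);
        self::assertTrue(validateCsrf($storage, 'form', $token, 999));
        self::assertFalse(validateCsrf($storage, 'form', $token, 999)); // replay
        $storage->put('form', $token, 1000);
        self::assertFalse(validateCsrf($storage, 'form', $token, 1000)); // expired
        $storage->put('form', $token, 1000);
        self::assertFalse(validateCsrf($storage, 'form', ['x'], 999)); // malformed
    }
}
```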