Make CI trustworthy (PROC-01..05)

[enesemini]

Closes the PR-1 workstream from audit/REMEDIATION_PLAN.md (PR #22). Fixes PROC-01, PROC-02, PROC-03, PROC-04, PROC-05.

What changed

CI (run-tests.yml)

• New test-parallel job mirroring how developers run the suite (composer test, i.e. pest --parallel). Serial-only CI hid every parallel-specific failure (PROC-01).
• New fresh-install matrix job (PHP 8.2/8.3 × Laravel 11/12) doing a clean dependency resolve — the class of check that would have caught the months-long unsatisfiable composer.json on main (PROC-02). The plan said Laravel 10/11/12, but laravel/sanctum ^4.0 in require makes Laravel 10 unsatisfiable — the ^10.0 in require-dev is dead. Decide in PR-10: drop the claim or fix constraints.
• Test + PHPStan jobs run on PHP 8.3: the harness needs pest-plugin-livewire v4 (PHP ^8.3), which is what pulls in Livewire 4 — the stack local dev runs and PR-5 commits to. On 8.2 the resolver falls back to Livewire 3 and the suite/analysis fail on LW-01..04 mismatches.
• Workflows also trigger for develop (previously CI did not run on PRs targeting it at all).
• Serial job runs pest --no-coverage: phpunit.xml.dist configures coverage reports and Pest 4 aborts (exit 1, zero tests) when they're requested without a coverage driver.

Parallel flakiness root fix (PROC-03)

Every ParaTest worker now boots from its own throwaway copy of the testbench skeleton (TestCase::applicationBasePath(), keyed by UNIQUE_TEST_TOKEN). Workers previously shared one skeleton and raced on:

• generated migrations scanned by every worker's RefreshDatabase → random FileNotFoundException
• app/Aura/Resources (generator-test cleanup vs. every boot's Aura::getAppResources() Finder scan) → random DirectoryNotFoundException, cross-worker resource registration
• public/vendor, compiled Blade views, routes/, plugins/, skeleton composer.json

Narrower fixes don't work: useAppPath() breaks Application::getNamespace() (psr-4 lookup against composer.json). Serial runs keep the shared skeleton. The local skeleton had accumulated 79MB of test junk — cleaned; isolation prevents re-pollution.

Also: Aura::reset() clears mutable static state ($userModel) in the Pest afterEach.

Fixes the new CI immediately caught

• composer.json config: policy.advisories.block: false — current Composer refuses to resolve framework versions with open advisories; EOL Laravel lines never get fixes, so every install failed. Root-package-only config; consumers' own policy is unaffected.
• pest-plugin-livewire: ^3.0|^4.0 — ^4.0 alone requires PHP ^8.3, contradicting the package's php: ^8.2 floor.
• Fields\Datetime class-name case in CreateResourceMigration — 'Fields\DateTime' only autoloads on case-insensitive filesystems (macOS); the command and 4 tests failed on Linux.

PHPStan (PROC-05)

• The workflow had been manually disabled in repo settings — re-enabled, now also runs on PRs and is manually dispatchable.
• Committed baseline (1429 entries) so it fails on new errors only; burn-down per-area later.

Dependabot auto-merge (PROC-04)

• main now has branch protection requiring the P8.3 - prefer-stable - ubuntu-latest check (set via API — previously no protection existed, so --auto merged immediately).
• Follow-up after merge to main: add parallel - P8.3 - prefer-stable to the required checks.

CI state on this PR

• fresh-install ×4, phpstan, code-style: ✅
• serial + parallel suite: ❌ on exactly the 3 known deterministic failures — 2× ResourceEditor (LW-02, owned by PR-5) and 1× CreateTeam (PROC-08, owned by PR-6). Red is now meaningful; PR-5/PR-6 turn it green.

Validation

• 8 consecutive local pest --parallel full-suite runs with only the 3 known failures.
• composer analyse clean against the baseline.
• phpunit-without-teams.xml failures (createSuperAdmin() creates a Team unconditionally) are pre-existing on develop — verified in a clean worktree; PR-6 scope.

🤖 Generated with Claude Code