v0.4.0

gruff-php 0.4.0 - project rules retired, per-file cache on by default, fast single-file scans

Release date: 2026-06-11

Headline

0.4.0 makes per-edit feedback fast and trustworthy: the four whole-project rules are removed (breaking), the per-file cache engages on every default run, and single-file scans drop from tens of seconds to under 0.1s. --include-rule/--exclude-rule now genuinely select rule execution, and eight per-unit rules stop flagging legitimate framework patterns.

Highlights

• BREAKING: removed dead-code.unused-internal-class, dead-code.unused-internal-constant, dead-code.unused-internal-function, and design.single-implementor-interface - sampled false-positive rates of 45-100% on framework code, and each forced a 13-31s whole-project reparse per single-file scan. The catalogue is now 129 rules.
• BEHAVIOUR CHANGE: analyse --include-rule/--exclude-rule now select rule execution - excluded rules neither run nor count toward --fail-on, failureConditions, scoring, or baselines; unknown rule ids are usage errors (exit 2).
• Per-file cache on by default: warm whole-repo corpus scans dropped 33-82s → 1.8-5.0s with byte-identical findings; single-file analyse/hook dropped 13-31s → under 0.1s.
• Eight per-unit precision fixes: naming/test-quality (snake_case test bases and boolean names, closure params, superglobal writes), security (variable-include fixed paths with new treatGlobalConstantsAsFixed/dynamicPathConstants options; sql-concatenation understands prepare(), safe interpolation, non-SQL query()), sensitive-data (high-entropy-string identifier literals; pii-test-fixture synthetic markers).
• Config-less runs no longer hang or write config on piped stdin.

Upgrade

composer require --dev blundergoat/gruff-php:^0.4
vendor/bin/gruff-php --version   # gruff-php 0.4.0