Chirag Aggarwal d86258a6f6 fix: restore runtime guards and widen types missed by PHPStan cleanup ... Three follow-ups from CI that the level-4 pass got wrong: 1. `account.php` / `users.php`: `Document::find()` returns `mixed` (specifically `Document|false` in practice), not `Document`. The earlier `@var Document $oldTarget` docblocks were lies, and the runtime `instanceof Document` guards were load-bearing — removing them caused `Call to a member function isEmpty() on false` 500s on the `PATCH /v1/users/:id/email` and `/phone` endpoints (and the analogous `/v1/account/email`, `/v1/account/phone` flows). Dropped the misleading `@var` docblocks and restored `$oldTarget instanceof Document && !$oldTarget->isEmpty()`. 2. `Installer/Runtime/Config::setEnabledDatabases()` is a boundary that actually takes arbitrary user/compose input — not a trusted `string[]`. The `is_string($v)` filter was covering for that, and `ConfigTest::testSetEnabledDatabasesFiltersInvalid` explicitly asserts it. Widened the PHPDoc to `array<mixed>` and restored `is_string($v) && $v !== ''` in the filter. 3. `OAuth2/Apple::getAppSecret()` wrapped `json_decode` in a `try/catch (\Throwable)` — but `json_decode` without `JSON_THROW_ON_ERROR` returns `null` on failure, it doesn't throw. PHP 8.3's PHPStan flagged the catch as dead (PHP 8.5 didn't, which is why it slipped through locally). Replaced with `if (!\is_array($secret)) throw`, which preserves the original "invalid secret" guard.		2026-04-19 17:52:51 +05:30
..
Appwrite	fix: restore runtime guards and widen types missed by PHPStan cleanup	2026-04-19 17:52:51 +05:30
Executor	chore: bump PHPStan to level 4 and fix all new errors	2026-04-19 17:31:20 +05:30
Utopia/Bus	remove unrelated changes	2026-04-05 20:06:13 +05:30