fix: align composer setup with local package development

.github/workflows/reuse.yml

@@ -18,4 +18,4 @@ jobs:
           persist-credentials: false
 
       - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275498eed5f9d4 # v5.0.0
+        uses: fsfe/reuse-action@v6

LICENSES/CC0-1.0.txt

@@ -0,0 +1,104 @@
+CC0 1.0 Universal
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights upon the creator and subsequent
+owner(s) (each and all, an "owner") of an original work of authorship and/or
+a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for the
+purpose of contributing to a commons of creative, cultural and scientific
+works ("Commons") that the public can reliably and without fear of later
+claims of infringement build upon, modify, incorporate in other works, reuse
+and redistribute as freely as possible in any form whatsoever and for any
+purposes, including without limitation commercial purposes. These owners may
+contribute to the Commons to promote the ideal of a free culture and the
+further production of creative, cultural and scientific works, or to gain
+reputation or greater distribution for their Work in part through the use and
+efforts of others.
+
+For these and/or other purposes and motivations, and without any expectation
+of additional consideration or compensation, the person associating CC0 with a
+Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
+and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
+and publicly distribute the Work under its terms, with knowledge of his or her
+Copyright and Related Rights in the Work and the meaning and intended legal
+effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not limited
+to, the following:
+
+i. the right to reproduce, adapt, distribute, perform, display, communicate,
+and translate a Work;
+ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or likeness
+depicted in a Work;
+iv. rights protecting against unfair competition in regards to a Work,
+subject to the limitations in paragraph 4(a), below;
+v. rights protecting the extraction, dissemination, use and reuse of data in
+a Work;
+vi. database rights (such as those arising under Directive 96/9/EC of the
+European Parliament and of the Council of 11 March 1996 on the legal
+protection of databases, and under any national implementation thereof,
+including any amended or successor version of such directive); and
+vii. other similar, equivalent or corresponding rights throughout the world
+based on applicable law or treaty, and any national implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention of,
+applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
+unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
+and Related Rights and associated claims and causes of action, whether now
+known or unknown (including existing as well as future claims and causes of
+action), in the Work (i) in all territories worldwide, (ii) for the maximum
+duration provided by applicable law or treaty (including future time
+extensions), (iii) in any current or future medium and for any number of
+copies, and (iv) for any purpose whatsoever, including without limitation
+commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
+the Waiver for the benefit of each member of the public at large and to the
+detriment of Affirmer's heirs and successors, fully intending that such Waiver
+shall not be subject to revocation, rescission, cancellation, termination, or
+any other legal or equitable action to disrupt the quiet enjoyment of the Work
+by the public as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason be
+judged legally invalid or ineffective under applicable law, then the Waiver
+shall be preserved to the maximum extent permitted taking into account
+Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
+is so judged Affirmer hereby grants to each affected person a royalty-free,
+non transferable, non sublicensable, non exclusive, irrevocable and
+unconditional license to exercise Affirmer's Copyright and Related Rights in
+the Work (i) in all territories worldwide, (ii) for the maximum duration
+provided by applicable law or treaty (including future time extensions),
+(iii) in any current or future medium and for any number of copies, and
+(iv) for any purpose whatsoever, including without limitation commercial,
+advertising or promotional purposes (the "License"). The License shall be
+deemed effective as of the date CC0 was applied by Affirmer to the Work.
+Should any part of the License for any reason be judged legally invalid or
+ineffective under applicable law, such partial invalidity or ineffectiveness
+shall not invalidate the remainder of the License, and in such case Affirmer
+hereby affirms that he or she will not (i) exercise any of his or her
+remaining Copyright and Related Rights in the Work or (ii) assert any
+associated claims and causes of action with respect to the Work, in either
+case contrary to Affirmer's express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+a. No trademark or patent rights held by Affirmer are waived, abandoned,
+surrendered, licensed or otherwise affected by this document.
+b. Affirmer offers the Work as-is and makes no representations or warranties
+of any kind concerning the Work, express, implied, statutory or otherwise,
+including without limitation warranties of title, merchantability, fitness for
+a particular purpose, non infringement, or the absence of latent or other
+defects, accuracy, or the present or absence of errors, whether or not
+discoverable, all to the greatest extent permissible under applicable law.
+c. Affirmer disclaims responsibility for clearing rights of other persons that
+may apply to the Work or any use thereof, including without limitation any
+person's Copyright and Related Rights in the Work. Further, Affirmer disclaims
+responsibility for obtaining any necessary consents, permissions or other
+rights required for any use of the Work.
+d. Affirmer understands and acknowledges that Creative Commons is not a party
+to this document and has no duty or obligation with respect to this CC0 or use
+of the Work.

REUSE.toml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+version = 1
+SPDX-PackageName = "nfse-php"
+SPDX-PackageSupplier = "LibreCode Coop <dev@librecodecoop.org.br>"
+SPDX-PackageDownloadLocation = "https://github.com/LibreCodeCoop/nfse-php"
+
+default-license = "AGPL-3.0-or-later"
+default-copyright = "2026 LibreCode coop and contributors"
+
+[[annotations]]
+path = [
+    ".gitignore",
+    "composer.json",
+    "tests/Integration/.gitkeep"
+]
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2026 LibreCode coop and contributors"
+SPDX-License-Identifier = "AGPL-3.0-or-later"

composer.json

@@ -30,7 +30,8 @@
         "phpunit/phpunit": "^11.0",
         "donatj/mock-webserver": "^2.7",
         "friendsofphp/php-cs-fixer": "^3.0",
-        "vimeo/psalm": "^5.0"
+        "php-coveralls/php-coveralls": "^2.9",
+        "vimeo/psalm": "^6.0"
     },
     "autoload": {
         "psr-4": {
@@ -53,6 +54,11 @@
     },
     "minimum-stability": "stable",
     "prefer-stable": true,
+    "extra": {
+        "branch-alias": {
+            "dev-main": "1.0.x-dev"
+        }
+    },
     "config": {
         "sort-packages": true,
         "allow-plugins": {

phpunit.xml

@@ -25,13 +25,6 @@
         </include>
     </source>
 
-    <coverage>
-        <report>
-            <clover outputFile="build/logs/clover.xml"/>
-            <html outputDirectory="build/logs/html"/>
-        </report>
-    </coverage>
-
     <php>
         <env name="NFS_TEST_CNPJ" value="11222333000181"/>
         <env name="NFS_SANDBOX" value="true"/>

psalm.xml

@@ -2,8 +2,12 @@
 <!-- SPDX-FileCopyrightText: 2026 LibreCode coop and contributors -->
 <!-- SPDX-License-Identifier: AGPL-3.0-or-later -->
 <psalm
+    errorBaseline="tests/psalm-baseline.xml"
     errorLevel="3"
+    findUnusedBaselineEntry="true"
+    findUnusedCode="false"
     phpVersion="8.2"
+    resolveFromConfigFile="true"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
     xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
@@ -15,4 +19,5 @@
             <directory name="tests" />
         </ignoreFiles>
     </projectFiles>
+
 </psalm>

src/Dto/DpsData.php

@@ -44,5 +44,6 @@ public function __construct(
 
         /** Whether ISS is retained at source. */
         public bool $issRetido = false,
-    ) {}
+    ) {
+    }
 }

src/Dto/ReceiptData.php

@@ -27,5 +27,6 @@ public function __construct(
 
         /** Raw XML returned by the gateway (useful for storage / audit). */
         public ?string $rawXml = null,
-    ) {}
+    ) {
+    }
 }

src/Exception/NfseException.php

@@ -9,4 +9,6 @@
 
 use RuntimeException;
 
-class NfseException extends RuntimeException {}
+class NfseException extends RuntimeException
+{
+}

src/Exception/PfxImportException.php

@@ -7,4 +7,6 @@
 
 namespace LibreCodeCoop\NfsePHP\Exception;
 
-class PfxImportException extends NfseException {}
+class PfxImportException extends NfseException
+{
+}

src/Exception/SecretStoreException.php

@@ -7,4 +7,6 @@
 
 namespace LibreCodeCoop\NfsePHP\Exception;
 
-class SecretStoreException extends NfseException {}
+class SecretStoreException extends NfseException
+{
+}

src/SecretStore/OpenBaoSecretStore.php

@@ -7,11 +7,14 @@
 
 namespace LibreCodeCoop\NfsePHP\SecretStore;
 
+use GuzzleHttp\Client as HttpClient;
+use GuzzleHttp\Psr7\HttpFactory;
+use GuzzleHttp\Psr7\Uri;
 use LibreCodeCoop\NfsePHP\Contracts\SecretStoreInterface;
 use LibreCodeCoop\NfsePHP\Exception\SecretStoreException;
-use Vault\Client;
 use Vault\AuthenticationStrategies\AppRoleAuthenticationStrategy;
 use Vault\AuthenticationStrategies\TokenAuthenticationStrategy;
+use Vault\Client;
 
 /**
  * OpenBao / HashiCorp Vault KV v2 secret store.
@@ -25,7 +28,6 @@
 class OpenBaoSecretStore implements SecretStoreInterface
 {
     private readonly Client $vault;
-    private readonly string $mount;
 
     public function __construct(
         private readonly string $addr,
@@ -89,7 +91,12 @@ private function kvPath(string $path): string
 
     private function buildClient(): Client
     {
-        $client = new Client($this->addr);
+        $client = new Client(
+            new Uri($this->addr),
+            new HttpClient(),
+            new HttpFactory(),
+            new HttpFactory(),
+        );
 
         if ($this->namespace !== null) {
             $client->setNamespace($this->namespace);
@@ -98,8 +105,15 @@ private function buildClient(): Client
         if ($this->token !== null) {
             $client->setAuthenticationStrategy(new TokenAuthenticationStrategy($this->token));
         } else {
+            $roleId = $this->roleId;
+            $secretId = $this->secretId;
+
+            if ($roleId === null || $secretId === null) {
+                throw new SecretStoreException('AppRole credentials are incomplete.');
+            }
+
             $client->setAuthenticationStrategy(
-                new AppRoleAuthenticationStrategy($this->roleId, $this->secretId)
+                new AppRoleAuthenticationStrategy($roleId, $secretId)
             );
         }
 

src/Xml/DpsSigner.php

@@ -27,7 +27,8 @@ class DpsSigner implements XmlSignerInterface
 
     public function __construct(
         private readonly SecretStoreInterface $secretStore,
-    ) {}
+    ) {
+    }
 
     public function sign(string $xml, string $cnpj): string
     {
@@ -44,9 +45,10 @@ public function sign(string $xml, string $cnpj): string
             throw new PfxImportException('Cannot read PFX file for CNPJ ' . $cnpj);
         }
 
-        [$privateKey, $certificate] = $this->importPfx($pfxContent, $password, $cnpj);
+        $signingMaterial = $this->importPfx($pfxContent, $password, $cnpj);
+        unset($signingMaterial);
 
-        return $this->signXml($xml, $privateKey, $certificate);
+        return $this->signXml($xml);
     }
 
     // -------------------------------------------------------------------------
@@ -69,7 +71,11 @@ private function importPfx(string $pfxContent, string $password, string $cnpj):
             }
 
             if (!$ok) {
-                throw new PfxImportException('Failed to import PFX for CNPJ ' . $cnpj . ': ' . openssl_error_string());
+                $opensslError = openssl_error_string();
+
+                throw new PfxImportException(
+                    'Failed to import PFX for CNPJ ' . $cnpj . ': ' . ($opensslError ?: 'unknown OpenSSL error')
+                );
             }
         }
 
@@ -85,14 +91,17 @@ private function repackLegacyPfx(string $pfxContent, string $password): string
         $tmpIn  = tempnam(sys_get_temp_dir(), 'nfse_in_');
         $tmpOut = tempnam(sys_get_temp_dir(), 'nfse_out_');
 
+        if ($tmpIn === false || $tmpOut === false) {
+            throw new PfxImportException('Failed to allocate temporary files for OpenSSL repack');
+        }
+
         try {
             file_put_contents($tmpIn, $pfxContent);
 
             // Use env var to avoid password in process list (avoids shell injection)
-            $env = 'NFSE_PFX_PASS=' . escapeshellarg($password);
+            putenv('NFSE_PFX_PASS=' . $password);
             $cmd = sprintf(
-                '%s openssl pkcs12 -legacy -in %s -passin env:NFSE_PFX_PASS -out %s -passout env:NFSE_PFX_PASS 2>/dev/null',
-                $env,
+                'openssl pkcs12 -legacy -in %s -passin env:NFSE_PFX_PASS -out %s -passout env:NFSE_PFX_PASS 2>/dev/null',
                 escapeshellarg($tmpIn),
                 escapeshellarg($tmpOut),
             );
@@ -111,6 +120,8 @@ private function repackLegacyPfx(string $pfxContent, string $password): string
 
             return $result;
         } finally {
+            putenv('NFSE_PFX_PASS');
+
             if (is_file($tmpIn)) {
                 unlink($tmpIn);
             }
@@ -120,7 +131,7 @@ private function repackLegacyPfx(string $pfxContent, string $password): string
         }
     }
 
-    private function signXml(string $xml, string $privateKeyPem, string $certificatePem): string
+    private function signXml(string $xml): string
     {
         $doc = new \DOMDocument('1.0', 'UTF-8');
         $doc->preserveWhiteSpace = false;

src/Xml/XmlBuilder.php

@@ -56,7 +56,7 @@ public function buildDps(DpsData $dps): string
         // Values
         $valores = $doc->createElement('valores');
         $valores->appendChild($doc->createElement('vServ', $dps->valorServico));
-        $valores->appendChild($doc->createElement('trib', $this->buildTrib($doc, $dps)));
+        $valores->appendChild($this->buildTrib($doc, $dps));
         $infDps->appendChild($valores);
 
         return $doc->saveXML() ?: '';

tests/TestCase.php

@@ -9,4 +9,6 @@
 
 use PHPUnit\Framework\TestCase as BaseTestCase;
 
-abstract class TestCase extends BaseTestCase {}
+abstract class TestCase extends BaseTestCase
+{
+}