Evaluate phpcs-security-audit integration for PHPStan-based security checks #267

@coisa

Description

Problem

Security checks exist via composer audit, but source-code security pattern checks are not currently part of dev-tools automated analysis.

FloeDesignTechnologies/phpcs-security-audit can add static security pattern checks, and its adoption should be considered inside the planned static analysis strategy.

Proposal

Evaluate integrating phpcs-security-audit as a PHPStan-oriented security extension (or a complementary analysis step), aligned with the PHPStan-first direction in issue #14.

Implementation direction:

  • Validate plugin installation and discovery path in the analysis stack.
  • Define one security profile focused on high-signal vulnerabilities.
  • Keep execution opt-in until baseline/noise profile is stable.
  • Report findings with consistent severity labeling.

Goals

  • Add security-oriented source analysis in addition to dependency-level audit.
  • Reuse existing analysis command shape and output contracts.
  • Keep compatibility with both ad-hoc and CI usage.

Expected Benefits

  • Immediate security hardening signal without building new tooling from scratch.
  • Better alignment between dependency security checks and source-level security checks.

Why Not (if skipped)

Non-goals

  • Replacing all existing ECS/PHPStan coverage.
  • Making the security check mandatory for every consumer.

Acceptance Criteria

Architectural / Isolation Criteria

  • MUST: Security check execution remains isolated from formatting/reporting logic.
  • MUST: Shared output contracts (--json / deterministic summaries) are preserved where applicable.
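As an added illustration of the "consistent severity labeling" and "deterministic summaries" points above (this is example code written for this page, not code from dev-tools or from phpcs-security-audit): a small PHP script that takes a phpcs `--report=json` result produced by the Security standard and normalizes it into a sorted summary with one fixed label per sniff. The sniff-to-label map, the label names, the function names, the exit-code policy and the embedded sample report are all assumptions constructed for this example; the sniff codes in the sample are illustrative and should be checked against the sniffs shipped by the installed Security standard.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of dev-tools): normalize a phpcs --report=json
// result into a deterministic summary with consistent severity labels.

// Constructed sample of phpcs JSON output; the shape follows phpcs' JSON report,
// the sniff codes and messages are illustrative only.
const SAMPLE_REPORT = <<<'JSON'
{
  "totals": {"errors": 2, "warnings": 1, "fixable": 0},
  "files": {
    "src/Legacy/Loader.php": {
      "errors": 1, "warnings": 1,
      "messages": [
        {"message": "Possible RFI detected with $path on include", "source": "Security.BadFunctions.EasyRFI.WarnEasyRFI", "severity": 5, "type": "WARNING", "line": 42, "column": 9, "fixable": false},
        {"message": "eval() is a security risk", "source": "Security.BadFunctions.NoEvals.NoEvals", "severity": 5, "type": "ERROR", "line": 17, "column": 5, "fixable": false}
      ]
    },
    "src/Admin/Run.php": {
      "errors": 1, "warnings": 0,
      "messages": [
        {"message": "System execution function shell_exec() detected", "source": "Security.BadFunctions.SystemExecFunctions.WarnSystemExec", "severity": 5, "type": "ERROR", "line": 8, "column": 12, "fixable": false}
      ]
    }
  }
}
JSON;

// Assumed security profile: label per Standard.Category.Sniff prefix.
// Anything not listed falls back to DEFAULT_LABEL so unknown sniffs never vanish.
const SEVERITY_BY_SNIFF = [
    'Security.BadFunctions.NoEvals'             => 'high',
    'Security.BadFunctions.SystemExecFunctions' => 'high',
    'Security.BadFunctions.EasyRFI'             => 'high',
    'Security.BadFunctions.EasyXSS'             => 'medium',
    'Security.Misc.IncludeMismatch'             => 'medium',
];
const DEFAULT_LABEL = 'low';

/** First three dot-separated parts of a phpcs source code: Standard.Category.Sniff */
function sniffPrefix(string $source): string
{
    return implode('.', array_slice(explode('.', $source), 0, 3));
}

function labelFor(string $source): string
{
    return SEVERITY_BY_SNIFF[sniffPrefix($source)] ?? DEFAULT_LABEL;
}

/**
 * Flatten the per-file report into one sorted list of findings plus counts.
 * @return array{summary: array<string,int>, findings: list<array<string,mixed>>}
 */
function normalizeReport(string $json): array
{
    $report   = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach ($report['files'] ?? [] as $path => $file) {
        foreach ($file['messages'] ?? [] as $msg) {
            $findings[] = [
                'file'     => $path,
                'line'     => (int) $msg['line'],
                'column'   => (int) $msg['column'],
                'sniff'    => $msg['source'],
                'severity' => labelFor($msg['source']),
                'message'  => $msg['message'],
            ];
        }
    }
    // Sort by file, line, column, sniff so output does not depend on phpcs' traversal order.
    usort($findings, static fn(array $a, array $b): int =>
        [$a['file'], $a['line'], $a['column'], $a['sniff']]
        <=> [$b['file'], $b['line'], $b['column'], $b['sniff']]);

    $summary = ['high' => 0, 'medium' => 0, 'low' => 0];
    foreach ($findings as $finding) {
        $summary[$finding['severity']]++;
    }
    return ['summary' => $summary, 'findings' => $findings];
}

/** Non-zero when any finding is at or above the chosen threshold (assumed CI policy). */
function exitCodeFor(array $normalized, string $failOn = 'high'): int
{
    $rank = ['low' => 0, 'medium' => 1, 'high' => 2];
    foreach ($normalized['findings'] as $finding) {
        if ($rank[$finding['severity']] >= $rank[$failOn]) {
            return 1;
        }
    }
    return 0;
}

// Usage: php normalize-security-report.php [phpcs-report.json]; falls back to the sample.
$input      = $argc > 1 ? file_get_contents($argv[1]) : SAMPLE_REPORT;
$normalized = normalizeReport($input);
echo json_encode($normalized, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR), "\n";
exit(exitCodeFor($normalized));
```

With the sample input this yields a summary of three high findings and an exit code of 1; feeding it `phpcs --standard=Security --report=json src/ > report.json` output instead gives the same labels regardless of phpcs' own ERROR/WARNING split, which is what keeps the summary stable across the ad-hoc and CI invocations mentioned above.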

Metadata

Status: Backlog. No assignees, no type, no milestone, no relationships, no linked branches or pull requests.