Remove doctrine/annotations dependency, use native PHP 8 attributes

[keitamotegi]

Summary

• koriym/attributes (DualReader) を削除し、PHP 8 ネイティブの ReflectionAttribute API に置き換え
• これにより廃止済みの doctrine/annotations への推移的依存を解消
• PHP 最低バージョンを ^8.0 に引き上げ

Changes

• RequiredRolesInterceptor: Doctrine\Common\Annotations\Reader を削除、ReflectionMethod::getAttributes() / ReflectionClass::getAttributes() で Attribute を取得
• ZendAclModule: DualReader / AnnotationReader / AttributeReader の DI バインドを削除
• RequiresRoles: @Annotation / @Target docblock を削除
• テスト・Fake クラスを Attribute のみに統一

Breaking Changes

• PHP 7.x のサポートを終了
• Doctrine アノテーション (@RequiresRoles({"admin"})) は使用不可。#[RequiresRoles(value: ['admin'])] に移行が必要

Summary by Sourcery

Remove third-party annotation readers in favor of PHP 8 native attributes for role-based access control and drop support for PHP 7.

Enhancements:

• Refactor RequiredRolesInterceptor to read RequiresRoles via Reflection attributes instead of an annotation Reader dependency.
• Simplify ZendAclModule bindings by removing Reader- and DualReader-related DI configuration.
• Update RequiresRoles annotation class to a pure PHP 8 Attribute definition with typed properties and constructor.

Build:

• Raise minimum PHP requirement to ^8.0 and remove koriym/attributes from composer dependencies.

Tests:

• Adjust tests and fake resources to use only PHP 8 attributes for RequiresRoles and remove annotation-reader setup in the test bootstrap.

Summary by CodeRabbit

• Breaking Changes

  • Minimum PHP version requirement increased to PHP 8.0 (previously PHP 7.3+)
  • Legacy docblock annotation support removed; only PHP 8+ attributes are supported

• Improvements

  • Role-based access control now uses native PHP 8 attributes
  • Simplified runtime wiring by removing legacy annotation reader dependency
  • CI and tests updated to target PHP 8.x versions

[coderabbitai]

Warning

Rate limit exceeded

@koriym has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 37 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 6 minutes and 37 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd11d5bc-8e5e-4824-9096-c9e651c3ab1a

📥 Commits

Reviewing files that changed from the base of the PR and between c8c82f7 and 7da7987.

📒 Files selected for processing (1)

• .coderabbit.yaml

📝 Walkthrough

Walkthrough

Replaced Doctrine/docblock annotation handling with native PHP 8 attributes across the module; tightened composer PHP requirement to ^8.0 and removed koriym/attributes; interceptor and tests updated to use reflection-based attribute resolution; CI matrix and workflow actions updated.

Changes

Cohort / File(s)	Summary
Composer & CI composer.json, .github/workflows/continuous-integration.yml	PHP requirement changed to ^8.0; removed koriym/attributes from require; CI matrix updated to PHP 8.2–8.5; actions versions and composer-cache step modernized.
Attribute definition src/Annotation/RequiresRoles.php	Converted docblock annotation to native PHP #[Attribute(...)]; value is now a typed array via constructor property promotion.
Interceptor logic src/RequiredRolesInterceptor.php	Removed Doctrine Reader dependency; use reflection getAttributes(RequiresRoles::class) and newInstance(); early-return when no attribute; constructor signature simplified to (AclInterface, RoleProviderInterface).
Module wiring src/ZendAclModule.php	Removed bindings and configuration for Doctrine/Dual annotation readers and conditional reader bindings; retained ACL and RoleProvider bindings and interceptor registrations.
Tests — fixtures tests/Fake/FakeResource.php, tests/Fake/FakeClassResource.php	Removed legacy PHPDoc @RequiresRoles(...) annotations; tests now rely solely on attribute-based #[RequiresRoles(...)].
Tests — setup tests/bootstrap.php, tests/RequiredRoleInterceptorTest.php	Removed AttributeReader/DualReader/ServiceLocator setup and imports; simplified interceptor instantiation to accept only AclInterface and RoleProviderInterface.

Sequence Diagram(s)

mermaid
sequenceDiagram
rect rgba(230, 240, 255, 0.5)
participant Caller
participant Interceptor
participant Reflection
participant RoleProvider
participant Acl
rect rgba(230, 240, 255, 0.5)
Caller->>Interceptor: invoke(joinPoint)
Interceptor->>Reflection: getAttributes(RequiresRoles)
alt attribute present
Reflection-->>Interceptor: attribute reflection
Interceptor->>Interceptor: attr = newInstance()
Interceptor->>RoleProvider: get current roles
Interceptor->>Acl: grant permissions for attr.value
Interceptor->>Caller: proceed()
else no attribute
Interceptor->>Caller: proceed() (early return)
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped from docblocks to attributes new,
PHP eight called — I answered true.
Reflection sniffed the roles with care,
Readers gone, light breeze in my hair.
Hooray — permissions checked with a joyful chew 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and directly summarizes the primary change: removing the doctrine/annotations dependency and adopting native PHP 8 attributes throughout the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Refactors role-based access control to rely solely on native PHP 8 attributes, removes the annotation-reader stack and its dependencies, and raises the minimum PHP version to 8.0.

Sequence diagram for attribute-based role check in RequiredRolesInterceptor

sequenceDiagram
    actor Client
    participant AopInvoker
    participant RequiredRolesInterceptor
    participant MethodInvocation
    participant ReflectionMethod
    participant ReflectionClass
    participant RequiresRolesAttr as RequiresRoles
    participant Acl as AclInterface
    participant RoleProvider as RoleProviderInterface

    Client->>AopInvoker: call securedMethod()
    AopInvoker->>RequiredRolesInterceptor: invoke(MethodInvocation)
    RequiredRolesInterceptor->>MethodInvocation: getMethod()
    MethodInvocation-->>RequiredRolesInterceptor: ReflectionMethod
    RequiredRolesInterceptor->>ReflectionMethod: getAttributes(RequiresRoles)
    ReflectionMethod-->>RequiredRolesInterceptor: attrs[]
    alt no_method_attribute
        RequiredRolesInterceptor->>MethodInvocation: getThis()
        MethodInvocation-->>RequiredRolesInterceptor: targetObject
        RequiredRolesInterceptor->>ReflectionClass: __construct(targetObject)
        RequiredRolesInterceptor->>ReflectionClass: getAttributes(RequiresRoles)
        ReflectionClass-->>RequiredRolesInterceptor: attrs[]
    end
    RequiredRolesInterceptor->>RequiresRolesAttr: newInstance() on attrs[0]
    RequiresRolesAttr-->>RequiredRolesInterceptor: RequiresRoles instance

    RequiredRolesInterceptor->>Acl: addResource(GenericResource(targetClass))
    loop roles in annotation.value
        RequiredRolesInterceptor->>Acl: allow(role, targetClass)
    end
    RequiredRolesInterceptor->>RoleProvider: getRoles()
    RoleProvider-->>RequiredRolesInterceptor: roles[]
    RequiredRolesInterceptor->>Acl: isAllowed(roles[], targetClass)
    Acl-->>RequiredRolesInterceptor: decision
    alt allowed
        RequiredRolesInterceptor->>MethodInvocation: proceed()
        MethodInvocation-->>AopInvoker: result
        AopInvoker-->>Client: result
    else denied
        RequiredRolesInterceptor-->>Client: access denied error
    end

Loading

Class diagram for updated role-based access control components

classDiagram
    class RequiredRolesInterceptor {
        -AclInterface acl
        -RoleProviderInterface roleProvider
        +__construct(AclInterface acl, RoleProviderInterface roleProvider)
        +invoke(MethodInvocation invocation)
    }

    class RequiresRoles {
        <<attribute>>
        +array value
        +__construct(array value)
    }

    class ZendAclModule {
        -AclInterface acl
        -string roleProvider
        +__construct(AclInterface acl, string roleProviderClass)
        +configure() void
    }

    class AclInterface {
    }

    class RoleProviderInterface {
    }

    class MethodInvocation {
        +getMethod() ReflectionMethod
        +getThis() object
        +proceed() mixed
    }

    class ReflectionMethod {
        +getAttributes(string name) array
    }

    class ReflectionClass {
        +__construct(object object)
        +getAttributes(string name) array
    }

    class GenericResource {
        +__construct(string resourceId)
    }

    RequiredRolesInterceptor --> AclInterface : uses
    RequiredRolesInterceptor --> RoleProviderInterface : uses
    RequiredRolesInterceptor ..> RequiresRoles : reads
    RequiredRolesInterceptor --> MethodInvocation : intercepts
    RequiredRolesInterceptor ..> ReflectionMethod : reflects
    RequiredRolesInterceptor ..> ReflectionClass : reflects
    RequiredRolesInterceptor ..> GenericResource : creates

    ZendAclModule --> AclInterface : binds
    ZendAclModule --> RoleProviderInterface : binds

    RequiresRoles <.. ReflectionMethod : attribute
    RequiresRoles <.. ReflectionClass : attribute

Loading

File-Level Changes

Change	Details	Files
Switch RequiredRolesInterceptor from Doctrine annotation reader to native PHP 8 attributes.	Remove Doctrine annotations Reader dependency and constructor parameter from RequiredRolesInterceptor. Use ReflectionMethod::getAttributes and ReflectionClass::getAttributes to fetch RequiresRoles attributes on methods and classes. Instantiate the first found RequiresRoles attribute via newInstance and use its value array when configuring ACL roles. Add typed properties for AclInterface and RoleProviderInterface in RequiredRolesInterceptor.	src/RequiredRolesInterceptor.php
Simplify DI configuration now that annotation readers are no longer used.	Remove DualReader, AnnotationReader, and AttributeReader bindings from the ZendAclModule DI configuration. Keep only bindings for AclInterface and RoleProviderInterface and the interceptor bindings.	src/ZendAclModule.php
Convert RequiresRoles into a pure PHP 8 attribute with typed properties.	Drop @annotation and @target docblocks from RequiresRoles. Declare RequiresRoles as a PHP 8 Attribute targeting methods and classes. Change the value field to a typed public array property and keep the constructor accepting an array.	src/Annotation/RequiresRoles.php
Align tests and fakes with attribute-only configuration and remove attribute reader setup.	Remove Koriym\Attributes and Doctrine reader usage from tests, including RequiredRoleInterceptorTest factory setup. Update fake resource classes to use only the #[RequiresRoles] attribute instead of Doctrine-style docblock annotations. Drop test bootstrap logic that configured AttributeReader in the ServiceLocator.	tests/bootstrap.php tests/RequiredRoleInterceptorTest.php tests/Fake/FakeClassResource.php tests/Fake/FakeResource.php
Raise minimum PHP version and drop koriym/attributes runtime dependency.	Update composer.json to require php ^8.0 only, dropping PHP 7.x support. Remove koriym/attributes from the runtime require section, keeping laminas/laminas-permissions-acl as the ACL implementation dependency.	composer.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[keitamotegi]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In RequiredRolesInterceptor::invoke(), if no RequiresRoles attribute exists on either the method or class, $attrs will be empty and $attrs[0] will trigger an undefined offset—add a guard to return $invocation->proceed() when no attribute is found to match the previous behavior safely.
• Now that PHP 8 is the minimum, you can simplify RequiresRoles by using constructor property promotion (e.g., public function __construct(public array $value) {}) and drop the separate property declaration and assignment.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In RequiredRolesInterceptor::invoke(), if no RequiresRoles attribute exists on either the method or class, $attrs will be empty and $attrs[0] will trigger an undefined offset—add a guard to return $invocation->proceed() when no attribute is found to match the previous behavior safely.
- Now that PHP 8 is the minimum, you can simplify RequiresRoles by using constructor property promotion (e.g., `public function __construct(public array $value) {}`) and drop the separate property declaration and assignment.

## Individual Comments

### Comment 1
<location path="src/RequiredRolesInterceptor.php" line_range="33-38" />
<code_context>
-        /** @var $annotation RequiresRoles */
-        $annotation = $this->reader->getMethodAnnotation($invocation->getMethod(), RequiresRoles::class);
-        if (! $annotation) {
+        $attrs = $invocation->getMethod()->getAttributes(RequiresRoles::class);
+        if (! $attrs) {
             $class = new \ReflectionClass($invocation->getThis());
-            $annotation = $this->reader->getClassAnnotation($class, RequiresRoles::class);
+            $attrs = $class->getAttributes(RequiresRoles::class);
         }
+        $annotation = $attrs[0]->newInstance();
         $target = get_class($invocation->getThis());
         $this->acl->addResource(new GenericResource($target));
</code_context>
<issue_to_address>
**issue:** Handle the case where no RequiresRoles attribute is present before indexing into $attrs.

If neither the method nor the class has a RequiresRoles attribute, `$attrs` will be empty and `$attrs[0]` will throw. Consider early-returning when no attributes are found to preserve the existing "no annotation → no ACL enforcement" behavior:

```php
$attrs = $invocation->getMethod()->getAttributes(RequiresRoles::class);
if (! $attrs) {
    $class = new \ReflectionClass($invocation->getThis());
    $attrs = $class->getAttributes(RequiresRoles::class);
}

if (! $attrs) {
    return $invocation->proceed();
}

$annotation = $attrs[0]->newInstance();
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

🧹 Nitpick comments (1)

src/RequiredRolesInterceptor.php (1)

33-38: Use Ray.Aop's getAnnotation() API instead of raw getAttributes().

MethodInvocation::getMethod() returns Ray\Aop\ReflectionMethod, which provides getAnnotation() and getAnnotations() methods as the idiomatic way to retrieve attributes. While the current code using raw getAttributes() works correctly (ReflectiveMethodInvocation::getMethod() already unwraps weaved objects to inspect the original class), using the framework's intended API is cleaner and more maintainable.

💡 Suggested refactoring

-        $attrs = $invocation->getMethod()->getAttributes(RequiresRoles::class);
-        if (! $attrs) {
-            $class = new \ReflectionClass($invocation->getThis());
-            $attrs = $class->getAttributes(RequiresRoles::class);
-        }
-        if (! $attrs) {
-            return $invocation->proceed();
-        }
-
-        $annotation = $attrs[0]->newInstance();
+        $method = $invocation->getMethod();
+        $annotation = $method->getAnnotation(RequiresRoles::class)
+            ?? $method->getDeclaringClass()->getAnnotation(RequiresRoles::class);
+        if ($annotation === null) {
+            return $invocation->proceed();
+        }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/RequiredRolesInterceptor.php` around lines 33 - 38, Replace the raw
ReflectionAttribute usage with Ray.Aop's annotation API: call
$invocation->getMethod()->getAnnotation(RequiresRoles::class) to fetch the
method-level RequiresRoles annotation, and if that returns null call
$invocation->getMethod()->getDeclaringClass()->getAnnotation(RequiresRoles::class)
(or use the class-level reflection from the invocation) and assign the result to
$annotation; update references to $attrs and newInstance() accordingly so you no
longer use getAttributes() or \ReflectionClass directly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/RequiredRolesInterceptor.php`:
- Around line 33-38: Replace the raw ReflectionAttribute usage with Ray.Aop's
annotation API: call
$invocation->getMethod()->getAnnotation(RequiresRoles::class) to fetch the
method-level RequiresRoles annotation, and if that returns null call
$invocation->getMethod()->getDeclaringClass()->getAnnotation(RequiresRoles::class)
(or use the class-level reflection from the invocation) and assign the result to
$annotation; update references to $attrs and newInstance() accordingly so you no
longer use getAttributes() or \ReflectionClass directly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e6f9e5dc-6e9a-42d2-9209-64a840b2100d

📥 Commits

Reviewing files that changed from the base of the PR and between d63394f and 3bc1b0b.

📒 Files selected for processing (8)

• composer.json
• src/Annotation/RequiresRoles.php
• src/RequiredRolesInterceptor.php
• src/ZendAclModule.php
• tests/Fake/FakeClassResource.php
• tests/Fake/FakeResource.php
• tests/RequiredRoleInterceptorTest.php
• tests/bootstrap.php

💤 Files with no reviewable changes (4)

• tests/Fake/FakeClassResource.php
• tests/bootstrap.php
• tests/Fake/FakeResource.php
• src/ZendAclModule.php

[koriym]

@keitamotegi CIの設定が古くなっていて実行できなくなっているようです。

[koriym]

@coderabbitai approve

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/continuous-integration.yml:
- Around line 18-21: Update the CI PHP matrix in
.github/workflows/continuous-integration.yml to include the package's declared
minimum supported versions (add '8.0' and '8.1' alongside the existing
'8.2','8.3','8.4','8.5') so the workflow tests PHP versions matching
composer.json (php: ^8.0); modify the matrix values under the PHP-version list
to include '8.0' and '8.1' and ensure any conditional logic that assumes newer
versions still works with these additions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f0ff59d8-de05-4c98-bed6-146447e2d9ed

📥 Commits

Reviewing files that changed from the base of the PR and between 0f6dec6 and 4dd5dbf.

📒 Files selected for processing (1)

• .github/workflows/continuous-integration.yml

[coderabbitai]

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

[koriym]

@coderabbitai No outstanding blockers. Please resolve all open conversations and approve this PR.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@koriym Sure! I'll resolve all open conversations now. Regarding the PR approval — as noted earlier, the @coderabbitai approve command requires reviews.request_changes_workflow to be enabled in the CodeRabbit settings for this repository. I'll attempt the approval, but you may need to enable that setting if it doesn't go through.

[resolve]
[approve]