Fix PHPStan level 9 type errors

- Add proper type checks for mixed PDO fetch results
- Use is_string/is_int/is_numeric guards before casting
- Add is_array checks before array operations
- Properly extract and validate row data from PDO results

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: mowens3

src/ApiKey/ApiKeyManager.php

@@ -104,7 +104,12 @@ public function validate(string $apiKey): ?ApiKey
         }
 
         $record = $this->storage->get($keyId);
-        if (!is_array($record) || empty($record['hash'])) {
+        if (!is_array($record)) {
+            return null;
+        }
+
+        $hash = $record['hash'] ?? null;
+        if (!is_string($hash) || $hash === '') {
             return null;
         }
 
@@ -114,7 +119,7 @@ public function validate(string $apiKey): ?ApiKey
             return null;
         }
 
-        $expected = (string) $record['hash'];
+        $expected = $hash;
         $actual = $this->hashSecret($secret);
 
         if (!hash_equals($expected, $actual)) {
@@ -133,13 +138,19 @@ public function validate(string $apiKey): ?ApiKey
      */
     private function recordToApiKey(string $keyId, array $record): ApiKey
     {
+        $label = $record['label'] ?? '';
+        $scopes = $record['scopes'] ?? [];
+        $created = $record['created'] ?? 0;
+        $lastUsed = $record['last_used'] ?? null;
+        $expires = $record['expires'] ?? null;
+
         return new ApiKey(
             keyId: $keyId,
-            label: (string) ($record['label'] ?? ''),
-            scopes: array_values(array_filter($record['scopes'] ?? [])),
-            created: (int) ($record['created'] ?? 0),
-            lastUsed: isset($record['last_used']) ? (int) $record['last_used'] : null,
-            expires: isset($record['expires']) ? (int) $record['expires'] : null,
+            label: is_string($label) ? $label : '',
+            scopes: is_array($scopes) ? array_values(array_filter($scopes, 'is_string')) : [],
+            created: is_int($created) ? $created : (is_numeric($created) ? (int) $created : 0),
+            lastUsed: is_int($lastUsed) ? $lastUsed : (is_numeric($lastUsed) ? (int) $lastUsed : null),
+            expires: is_int($expires) ? $expires : (is_numeric($expires) ? (int) $expires : null),
         );
     }
 

src/ApiKey/Storage/PdoStorage.php

@@ -32,9 +32,17 @@ public function getAll(): array
 
         $keys = [];
         while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
-            $data = json_decode($row['data'], true);
+            if (!is_array($row)) {
+                continue;
+            }
+            $keyId = $row['key_id'] ?? null;
+            $rawData = $row['data'] ?? null;
+            if (!is_string($keyId) || !is_string($rawData)) {
+                continue;
+            }
+            $data = json_decode($rawData, true);
             if (is_array($data)) {
-                $keys[$row['key_id']] = $data;
+                $keys[$keyId] = $data;
             }
         }
 
@@ -73,11 +81,16 @@ public function get(string $keyId): ?array
         $stmt->execute(['key_id' => $keyId]);
 
         $row = $stmt->fetch(PDO::FETCH_ASSOC);
-        if (!$row) {
+        if (!is_array($row)) {
+            return null;
+        }
+
+        $rawData = $row['data'] ?? null;
+        if (!is_string($rawData)) {
             return null;
         }
 
-        $data = json_decode($row['data'], true);
+        $data = json_decode($rawData, true);
         return is_array($data) ? $data : null;
     }