Fix PHPCS and PHPStan issues across multiple files

[aslamdoctor]

Summary

• Add PHPStan bootstrap file for runtime constants (TWO_FACTOR_DIR, TWO_FACTOR_VERSION) unreachable during static analysis
• Add missing properties ($new, $last_used) to Registration class in includes/Yubico/U2F.php
• Fix PHPDoc types for show_two_factor_login, process_provider, authentication_page, rename_link, delete_link, and pack64
• Fix undefined variable bug in wp_ajax_inline_save where a non-matching key could be incorrectly updated
• Add input validation, sanitization (sanitize_text_field), and wp_unslash for $_POST/$_REQUEST usage in class-two-factor-fido-u2f-admin.php
• Remove redundant isset($user->ID) checks and always-true conditions
• Cast base_convert() result to (int) for array offset usage in base32_encode()

Reference #437

Test plan

• Run ./vendor/bin/phpstan analyse --memory-limit=1G --no-progress — should pass with 0 errors at level 0
• Temporarily set PHPStan level to 3 in phpstan.dist.neon and run analysis — should pass with 0 errors
• Temporarily set PHPStan level to 4 in phpstan.dist.neon and run analysis — should pass with 0 errors
• Run ./vendor/bin/phpcs --standard=WordPress providers/class-two-factor-fido-u2f-admin.php — should pass with 0 errors/warnings
• Verify TOTP authentication and setup still works
• Verify email-based two-factor authentication still works

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: aslamdoctor <aslamdoctor@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: georgestephanis <georgestephanis@git.wordpress.org>
Co-authored-by: kasparsd <kasparsd@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[masteradhoc]

@aslamdoctor U2F.php and fido-u2f-admin you can ignore, we'll remove them in PR #439 completely.

[georgestephanis]

Whoops my stuff was outdated. That's what I get for being up and working early on a Sunday.

[masteradhoc]

Thanks for your reviews @georgestephanis. Always highly appreciated!! :)

[aslamdoctor]

Can you mark them resolved? I didn't as I wanted to make sure all is ok.

It was on an outdated version.

[Copilot]

Pull request overview

This PR aims to eliminate PHPCS/PHPStan findings across the Two-Factor plugin by adjusting runtime constant initialization for static analysis, tightening PHPDoc types, and refining some provider logic/configuration.

Changes:

• Define TWO_FACTOR_DIR / TWO_FACTOR_VERSION in two-factor.php even when WordPress isn’t loaded (to aid static analysis).
• Update PHPDoc types and simplify some user guards/conditions in core and provider code.
• Adjust PHPStan configuration (including excluding several FIDO U2F provider files from analysis).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
two-factor.php	Defines plugin constants before the ABSPATH guard to make them visible to static analysis.
providers/class-two-factor-totp.php	Removes a user-ID guard, tweaks whitespace, and casts base_convert() to (int) for array offsets.
providers/class-two-factor-email.php	Updates PHPDoc to WP_User|false and adds early returns when $user is falsy.
class-two-factor-core.php	Updates PHPDoc types and simplifies notice class construction.
phpstan.dist.neon	Excludes FIDO U2F provider files from PHPStan analysis.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[masteradhoc]

adjusted the PR based on the copilot feedback. LGTM.