chore(deps): bump carthage-software/mago from 1.25.2 to 1.26.0

[dependabot]

Bumps carthage-software/mago from 1.25.2 to 1.26.0.

Release notes

Sourced from carthage-software/mago's releases.

Mago 1.26.0

A feature release with two big analyzer additions: closures, arrow functions, plain functions, and methods now auto-infer if-true / if-false assertions from their bodies, so array_filter($xs, fn ($x) => $x instanceof Foo) narrows the result type without any docblock, and two new opt-in settings (strict-array-index-existence, allow-array-truthy-operand) tighten array-ops semantics. The linter gains prefer-array-spread and a deny mode for yoda-conditions. The formatter picks up inline-single-breaking-value-argument (used in the Tempest preset). On the CLI side, mago init now writes a $schema URL pinned to the running version into the generated config, and the published JSON schema is now versioned. The rest is a large batch of analyzer false-positive fixes and a --retain-code-respecting --fix dispatcher.

✨ Features

Analyzer

• Auto-inferred assertions: closures, arrow fns, functions, methods infer if_true / if_false from their body. (#1794, 14269d6)
• strict-array-index-existence: opt-in; tightens array indexing; deprecates allow-possibly-undefined-array-keys. (#1766, 0e563c9)
• allow-array-truthy-operand: opt-in setting that suppresses invalid-operand when arrays are used in logical ops. (#1765, 07f6a24)

Linter

• prefer-array-spread rule: detects array_merge(...) calls that can be rewritten as spread. (#1767, bc8d67a)
• yoda-conditions deny mode: rule gains a deny mode that flags constants on the right of comparisons. (#1785, a4e47e5)

Formatter

• inline-single-breaking-value-argument: keeps a lone breaking value argument inline; off by default, on in Tempest. (#1148, 8964575)

CLI

• $schema in mago.toml: configs accept a $schema URL; mago init writes one pinned to the installed version. (#1771, e71e78b)
• Versioned config schema: schema is now published per release at https://mago.carthage.software/<version>/schema.json. (f1e705d)

🐛 Bug Fixes

Analyzer

• array_filter narrowing via callback: result type is now narrowed using the callback's inferred assertions. (#1794, 14269d6)
• list-destructure-string-key false positive: suppressed when known items already cover the destructure positions. (#1796, b3b11c5)
• Interface property reads possibly undefined: silences false isset / ?? redundancy on interface fields. (#1786, 9e873b0)
• void materialization in unions: combining void with another type now produces T|null, not T. (#1787, 47fb42a)
• redundant-type-comparison after impure @assert: suppressed for impure or value-returning assert calls. (#1781, #831, 53dad31)
• ::class on undefined classes: now reports non-existent-class-like instead of silently typing as class-string. (#1768, 052e0cd)
• unset($var) no longer fires possibly-undefined-variable: unset is a write target, not a read. (#1764, 3f0e7f8)
• Unbounded loop boundary: for ($i = 0; ; $i++) no longer trips the boundary check. (#1762, c64199b)
• Template parameter through new $class-string<T>(): preserves T instead of widening to the constraint. (#1760, 64f3df8)
• Loose-equal falsy values on != <falsy>: drops false-positive narrowings that ignored PHP's loose comparison rules. (#1757, 6b45a66)
• Assigned vars marked possibly-in-scope: removes spurious undefined-variable after conditional assignment. (#1759, 659a8d3)

Codex

• Discriminated tagged-array unions through the combiner: preserves discriminator keys when unioning shapes. (#1775, 426f536)
• Closure named-object cast: now routes through a closure-flagged signature instead of __invoke. (#1770, 068a7eb)

Linter

• no-redundant-yield-from trailing-comma fix: auto-fix no longer leaves a stray , after the inlined element. (#1797, 4b49d01)

... (truncated)

Commits

• 9ae2f7a release: 1.26.0
• 3f29da7 docs: fix broken README links to docs site
• 4b49d01 fix(linter): drop trailing comma in no-redundant-yield-from auto-fix
• 104f972 fix(codex): make clippy happy
• b3b11c5 fix(analyzer): suppress list-destructure key warnings when known items cover ...
• 14269d6 feat(codex): infer if-true/if-false assertions from function-like bodies
• dccf465 chore: update pinned nightly toolchain to nightly-2026-05-06 (#1793)
• 856ceca fix(database): correct column_number for offsets at line start
• e801af1 ci: use signed API commits in update-nightly workflow (#1789)
• 9e873b0 fix(analyzer): mark interface property reads as possibly undefined
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)