fix: satisfy SDK compliance harness 0.8.0

[marandaneto]

Problem

The SDK compliance workflow and local harness need to use SDK test harness release 0.8.0, with reusable GitHub workflow calls pinned to the release commit SHA instead of a mutable tag/branch. Running the updated harness exposed SDK/adapter compliance gaps in this repository.

Changes

• Pins the reusable SDK compliance workflow to PostHog/posthog-sdk-test-harness commit be8b8d5a3f94a249659844e94832e874f049c1e4.\n- Uses ghcr.io/posthog/sdk-test-harness:0.8.0 for local Docker harness runs / workflow harness version inputs.\n- Updates SDK compliance adapter and/or SDK behavior needed to pass the 0.8.0 compliance contract.

Tests

• SDK compliance Docker harness passed locally with project posthog_php_compliance.

[github-actions]

posthog-php Compliance Report

Date: 2026-06-27 12:40:23 UTC
Duration: 95070ms

✅ All Tests Passed!

45/45 tests passed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	11ms
Format Validation.Event Has Uuid	✅	6ms
Format Validation.Event Has Lib Properties	✅	5ms
Format Validation.Distinct Id Is String	✅	5ms
Format Validation.Token Is Present	✅	6ms
Format Validation.Custom Properties Preserved	✅	6ms
Format Validation.Event Has Timestamp	✅	5ms
Retry Behavior.Retries On 503	✅	5314ms
Retry Behavior.Does Not Retry On 400	✅	2009ms
Retry Behavior.Does Not Retry On 401	✅	2008ms
Retry Behavior.Respects Retry After Header	✅	8014ms
Retry Behavior.Implements Backoff	✅	15726ms
Retry Behavior.Retries On 500	✅	5114ms
Retry Behavior.Retries On 502	✅	5113ms
Retry Behavior.Retries On 504	✅	5114ms
Retry Behavior.Max Retries Respected	✅	16526ms
Deduplication.Generates Unique Uuids	✅	11ms
Deduplication.Preserves Uuid On Retry	✅	5113ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	10310ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	5116ms
Deduplication.No Duplicate Events In Batch	✅	11ms
Deduplication.Different Events Have Different Uuids	✅	7ms
Compression.Sends Gzip When Enabled	✅	6ms
Batch Format.Uses Proper Batch Structure	✅	5ms
Batch Format.Flush With No Events Sends Nothing	✅	4ms
Batch Format.Multiple Events Batched Together	✅	10ms
Error Handling.Does Not Retry On 403	✅	2008ms
Error Handling.Does Not Retry On 413	✅	2009ms
Error Handling.Retries On 408	✅	5114ms

Feature_Flags Tests

✅ 16/16 tests passed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	✅	7ms
Request Payload.Flags Request Uses V2 Query Param	✅	4ms
Request Payload.Flags Request Hits Flags Path Not Decide	✅	4ms
Request Payload.Flags Request Omits Authorization Header	✅	5ms
Request Payload.Token In Flags Body Matches Init	✅	4ms
Request Payload.Groups Round Trip	✅	5ms
Request Payload.Groups Default To Empty Object	✅	5ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	✅	4ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	✅	5ms
Request Payload.Disable Geoip Omitted Defaults To False	✅	4ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	✅	4ms
Request Lifecycle.No Flags Request On Init Alone	✅	3ms
Request Lifecycle.No Flags Request On Normal Capture	✅	5ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	✅	7ms
Request Lifecycle.Mock Response Value Is Returned To Caller	✅	5ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	✅	7ms

[greptile-apps]

Comments Outside Diff (2)

1. sdk-harness-audit/posthog-php.md, line 232-234 (link)

   PHPUnit suite left failing after merge

   The audit file explicitly records vendor/bin/phpunit --colors=never test/ — exit 1; 18 failures and defers the fixes to a follow-up. The team's first simplicity rule is "Passes all the tests." The payload shape changes in Client.php (renamed api_key → token, always-present groups/person_properties/group_properties/geoip_disable, new flag_keys_to_evaluate) and the UUID generation fix will leave the exact-payload assertions in FeatureFlagTest.php, HttpClientTest.php, etc. in a broken state on main. Merging with a broken unit suite makes it harder to tell whether a future regression was introduced before or after this commit.

   Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

2. sdk_compliance_adapter/adapter.php, line 795-799 (link)

   /capture response UUID is always null

   PHP passes arrays by value, so the uuid that Client::capture() assigns internally via normalizeMessageUuid() is never written back to the adapter's local $message variable. $message['uuid'] ?? null will therefore always be null. If the harness currently accepts null here this is harmless, but any future test that asserts a non-null UUID from /capture will fail silently.

_{Reviews (1): Last reviewed commit: "chore: add SDK compliance harness 0.8.0" | Re-trigger Greptile}

[greptile-apps]

isRetryableStatus and retryAfterMilliseconds are declared private, so TrackedHttpClient in adapter.php copy-pastes both methods verbatim (lines 554–587 of adapter.php). Promoting them to protected lets the subclass call $this->isRetryableStatus(...) / $this->retryAfterMilliseconds(...) directly and satisfies OnceAndOnlyOnce.

Suggested change

	private function isRetryableStatus(int $responseCode): bool
	{
	return $responseCode === 408
	|| $responseCode === 429
	|| ($responseCode >= 500 && $responseCode <= 600);
	}
	/**
	* @param array<int, string> $headers
	*/
	private function retryAfterMilliseconds(array $headers): ?int
	protected function isRetryableStatus(int $responseCode): bool
	{
	return $responseCode === 408
	|| $responseCode === 429
	|| ($responseCode >= 500 && $responseCode <= 600);
	}
	/**
	* @param array<int, string> $headers
	*/
	protected function retryAfterMilliseconds(array $headers): ?int