✅ Use createStub for expectation-less doubles + add CLAUDE.md

CLAUDE.md

@@ -0,0 +1,26 @@
+<!-- file generated with AI assistance: Claude Code - 2026-06-14 -->
+
+# CLAUDE.md
+
+This is a public open-source package maintained under github.com/dmstr.
+
+## Language policy
+
+**Everything in this repository is in English** — commit messages, code,
+comments, and documentation. Do not write German here, even though related
+company/customer projects (e.g. the consuming application) use German. These
+packages are public and English-only.
+
+## Testing
+
+PHPUnit (^12). Run locally with the bundled CLI-only Docker Compose
+(no host PHP required):
+
+    docker compose run --rm php
+
+This installs dependencies and runs `vendor/bin/phpunit`. The same runs in CI
+via `.github/workflows/tests.yml`.
+
+## Requirements
+
+PHP >= 8.4.

tests/Authentication/OAuth2AuthenticationTest.php

@@ -82,7 +82,7 @@ public function testInvalidGrantMarksRequiresReauth(): void
 
     public function testRequiresReauthReadsFromStorage(): void
     {
-        $storage = $this->createMock(TokenStorageInterface::class);
+        $storage = $this->createStub(TokenStorageInterface::class);
         $storage->method('loadTokens')->willReturn([
             'access_token' => null,
             'refresh_token' => null,
@@ -97,7 +97,7 @@ public function testRequiresReauthReadsFromStorage(): void
 
     public function testRequiresReauthSurfacesAsInvalidGrantOnDecorate(): void
     {
-        $storage = $this->createMock(TokenStorageInterface::class);
+        $storage = $this->createStub(TokenStorageInterface::class);
         $storage->method('loadTokens')->willReturn([
             'access_token' => null,
             'refresh_token' => 'r',

tests/Client/Bc4ClientTest.php

@@ -64,7 +64,10 @@ public function testReactiveRefreshOn401ThenRetrySucceeds(): void
             new MockResponse('[]', ['http_code' => 200]),
         ]);
 
-        $auth = $this->makeAuthStub('access-1');
+        // Real mock here (not makeAuthStub): we assert refresh() is called once.
+        $auth = $this->createMock(AuthenticationInterface::class);
+        $auth->method('requiresReauth')->willReturn(false);
+        $auth->method('decorate')->willReturnArgument(0);
         $auth->expects($this->once())->method('refresh');
 
         $client = $this->makeClient($http, $auth);
@@ -110,7 +113,7 @@ public function testRequiresReauthShortCircuits(): void
             new MockResponse('SHOULD_NOT_BE_CALLED', ['http_code' => 200]),
         ]);
 
-        $auth = $this->createMock(AuthenticationInterface::class);
+        $auth = $this->createStub(AuthenticationInterface::class);
         $auth->method('requiresReauth')->willReturn(true);
 
         $client = $this->makeClient($http, $auth);
@@ -165,7 +168,7 @@ private function makeClient(MockHttpClient $http, AuthenticationInterface $auth)
 
     private function makeAuthStub(string $accessToken = 'access-1'): AuthenticationInterface
     {
-        $auth = $this->createMock(AuthenticationInterface::class);
+        $auth = $this->createStub(AuthenticationInterface::class);
         $auth->method('requiresReauth')->willReturn(false);
         // Pass the client through unchanged so MockHttpClient::getRequestsCount()
         // reflects the actual call sequence. Header injection is exercised in