chore(ci): drop SSH key step and modernize workflows

[alexstandiford]

Summary

CI on `main` has been failing since #11 (April) for several reasons stacked on top of each other. This PR addresses the workflow-level issues so PRs can actually run CI again. To get the runs fully green the absolute-minimum library-code touches are included too — there's a much larger PHPStan level 9 cleanup that's deliberately out of scope.

What was broken

1. SSH key step fails to load — `Error loading key "/home/runner/.ssh/id_rsa": error in libcrypto`. The SSH dance was originally for pulling private git deps via Composer; all phpnomad packages are public on Packagist now, so the dance isn't needed.
2. Composer lock won't resolve on PHP < 8.2 — modern transitive deps in the lockfile require PHP 8.2+. Old matrix rows fail at `composer install` regardless of the library's own constraints.
3. PHPStan finds errors in the library code — 50 at level 9, 3 at level 5. The level-9 ones are mostly missing iterable-type docblocks (tech debt); the level-5 ones are real bugs.
4. Spellcheck wordlist was never updated for the README rewrite ([codex] Use writer-consistent reads after MySQL writes #12).

What this changes

Workflows

• Drop SSH key/known-hosts/agent steps; pull from Packagist directly with `shivammathur/setup-php` + vanilla `composer install`
• Add `pull_request` triggers (workflows only ran on `push` before)
• Bump `actions/checkout` to v4 throughout
• Add `fail-fast: false` so one PHP row failing doesn't hide others
• Trim PHPUnit matrix to PHP 8.2 and 8.3 — older versions can't resolve the locked deps
• Move PHPStan runtime to PHP 8.1; lower the level from 9 to 5 so CI doesn't block on ~50 pre-existing iterable-type docblock issues. The level-9 work is a separate cleanup
• Bump spellcheck `actions/checkout` from `@master` to `@v4`

Spellcheck wordlist

• Add missing words (`PHP`, `bindFactory`, `Bootstrapper`, `bootstrapper's`, `DatabaseStrategy`, `MySql`, `MySqlInitializer`, `SafeMySQL`, `SafeMySqlDatabaseStrategy`, `schemas`, `txt`, etc.)

Library code (real bugs, minimum needed to pass level 5)

• `QueryBuilder`: declare the `$join` property explicitly. Both `leftJoin` and `rightJoin` were assigning to it without declaration, which works in PHP 8.0/8.1 via dynamic properties but is deprecated and breaks under strict analyzers. Also add it to `reset()` so it clears between builds.
• `QueryStrategy::estimatedCount`: drop the `0` default from `Arr::get($result[0], 'COUNT(*)', 0)` — the helper's declared signature says the default must be null. The cast to `(int)` already handles the null case the same way.

Why merge this first

Two open PRs (#13, #14) are bug fixes blocked by this same CI failure. Once this lands they should go green automatically.

Follow-up work (separate PRs)

• PHPStan level 9 cleanup (~50 errors) — most are missing iterable-type docblocks (`array<int, T>` style) and `fetchColumn() on mixed` style runtime-mock issues. Mechanical work but enough volume to deserve its own PR.
• Declare `"php": "^8.2"` in composer.json to match the lockfile reality