paragonie / hidden-string

The HiddenString class extracted from Halite.

Trying to cast a HiddenString to string when not allowed should fail

willemstuursma opened this issue · comments

We ran into a situation where casting a HiddenString was not allowed, but it was cast anyway.

The object was then (silently) cast to an empty string.

I know that in current versions of PHP it is not allowed to throw from a __toString method, but we would have preferred an E_ERROR to be triggered over the silent failure.

As these objects are often used to hide passwords, passphrases, et cetera, any silent string comparisons should fail very loudly, as it opens up all kinds of failure scenarios that are not very obvious.

Throwing in __toString() is allowed since PHP 7.4: https://wiki.php.net/rfc/tostring_exceptions

We'll probably release a PHP 7.4+-only major version that throws in __toString().
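An added illustration of the behaviour discussed above (example code written for this page, not paragonie/hidden-string's or Halite's own implementation): a simplified, hypothetical `GuardedString` class stands in for `HiddenString`. The constructor flag name `disallowInline` and the `getString()`/`equals()` helpers are assumptions; the point is that on PHP 7.4+ an accidental inline cast throws instead of silently yielding an empty string.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a HiddenString-like wrapper (not the library's
// own code). It keeps the secret out of var_dump()/print_r() output and,
// when inline casting is disabled, refuses to become a string instead of
// silently turning into "".
final class GuardedString
{
    private string $value;
    private bool $disallowInline;

    public function __construct(string $value, bool $disallowInline = false)
    {
        $this->value = $value;
        $this->disallowInline = $disallowInline;
    }

    // Explicit accessor: the only sanctioned way to read the secret.
    public function getString(): string
    {
        return $this->value;
    }

    // Constant-time comparison, so two wrappers can be compared without
    // either of them ever being cast to a string.
    public function equals(GuardedString $other): bool
    {
        return hash_equals($this->value, $other->value);
    }

    // PHP 7.4+ allows exceptions here (https://wiki.php.net/rfc/tostring_exceptions).
    // On older versions the engine turns a throw from __toString() into a
    // fatal error, which is why the method could not fail loudly before.
    public function __toString(): string
    {
        if ($this->disallowInline) {
            throw new \TypeError(
                'This string is marked as non-castable; use getString() instead.'
            );
        }
        return $this->value;
    }

    // Hide the secret from var_dump()/print_r().
    public function __debugInfo(): array
    {
        return ['value' => '*', 'disallowInline' => $this->disallowInline];
    }
}

// Constructed sample values for the demonstration.
$secret  = new GuardedString('correct horse battery staple', true);
$attempt = new GuardedString('correct horse battery staple', true);

// The sanctioned comparison path works without any cast.
var_dump($secret->equals($attempt));

// An accidental inline cast now fails loudly on PHP >= 7.4 instead of
// comparing "" with "" and producing a meaningless result.
try {
    $leaked = 'Password: ' . $secret;
} catch (\TypeError $e) {
    echo 'Refused cast: ', $e->getMessage(), PHP_EOL;
}

// Casting is still possible when the wrapper was created without the flag.
$casual = new GuardedString('not a secret');
echo 'Allowed cast: ', (string) $casual, PHP_EOL;
```

The comparison a caller should reach for is `equals()`, which uses `hash_equals()` and never materialises the secret as a loose string; the throwing `__toString()` exists so that the mistake the issue describes (a disallowed cast quietly comparing empty strings) surfaces at the call site rather than in a hard-to-diagnose authentication or logging bug.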

Thanks, I appreciate that.