Both Psalm and PHPStan have supported the "literal-string" type for a year:
This type is designed to stop Injection Vulnerabilities (because a developer defined string cannot contain user data).
Could this be supported by PhpStorm?
While full support would be ideal, could you start by not showing a warning? PhpStorm currently says "Undefined class 'literal-string'".