Turns out PHP is a bit stricter on null types than I expected.

src/Application.php

@@ -64,12 +64,12 @@ class Application extends ApplicationBase
         }
     }
 
-    public function getSession(): Session
+    public function getSession(): ?Session
     {
         return $this->session;
     }
 
-    public function setSession(Session $session): void
+    public function setSession(?Session $session): void
     {
         $this->session = $session;
     }

src/Controllers/AuthController.php

@@ -171,15 +171,16 @@ class AuthController extends Controller
     public function logout()
     {
         $app = Application::getInstance();
+        $session = $app->getSession();
 
-        if ($app->session === null) {
+        if ($session === null) {
             echo "You aren't logged in.";
         } else {
             echo "You've been logged out.";
             $this->setCookie('uid', '', -3600);
             $this->setCookie('sid', '', -3600);
-            $app->session->delete();
-            $app->session = null;
+            $session->delete();
+            $app->setSession(null);
         }
 
         return '<meta http-equiv="refresh" content="1; url=/">';

src/Users/Role.php

@@ -11,7 +11,7 @@ class Role extends Model
     public static function createRole(
         string $name,
         ?int $hierarchy = null,
-        Colour $colour = null,
+        ?Colour $colour = null,
         ?string $title = null,
         ?string $description = null,
         bool $secret = false

src/Users/Session.php

@@ -12,7 +12,7 @@ class Session extends Model
     public static function createSession(
         User $user,
         ?string $userAgent = null,
-        Carbon $expires = null,
+        ?Carbon $expires = null,
         ?string $ipAddress = null
     ): Session {
         $ipAddress = $ipAddress ?? IP::remote();