test: add Pest v1 security test infrastructure

[somethingwithproof]

Summary

• Add Pest v1 test scaffold with Cacti framework stubs
• Source-scan tests for prepared statement consistency
• PHP 7.4 compatibility verification tests
• Plugin setup.php structure validation

Test plan

• composer install && vendor/bin/pest passes
• Tests verify security patterns match hardening PRs

[Copilot]

Pull request overview

Adds a Pest v1 test scaffold for the maint plugin with security/compatibility source-scan tests and supporting Composer/Dependabot configuration.

Changes:

• Introduces Pest bootstrap/config and new security-focused tests under tests/Security/.
• Adds a composer.json with Pest as a dev dependency and test bootstrap autoloading.
• Adds a Dependabot configuration file.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
tests/Security/SetupStructureTest.php	Scans setup.php for expected plugin entry points/metadata.
tests/Security/PreparedStatementConsistencyTest.php	Scans key plugin files for unprepared db_* helper usage.
tests/Security/Php74CompatibilityTest.php	Scans for PHP 8+ syntax/functions to preserve PHP 7.4 compatibility.
tests/Pest.php	Loads the test bootstrap for Pest runs.
tests/bootstrap.php	Provides Cacti/framework stubs so tests can run in isolation.
composer.json	Adds Pest v1 as a dev dependency and autoloads the bootstrap.
.github/dependabot.yml	Configures automated dependency update checks (currently for npm + GitHub Actions).

[Copilot]

file_get_contents(realpath(...)) can return false (missing file/realpath failure). Add explicit expectations that the resolved path is not false and that file_get_contents() succeeded, so the test fails with a clear message instead of passing a non-string into Pest matchers.

Suggested change

	$source = file_get_contents(realpath(__DIR__ . '/../../setup.php'));
	it('defines plugin_maint_install function', function () use ($source) {
	expect($source)->toContain('function plugin_maint_install');
	});
	it('defines plugin_maint_version function', function () use ($source) {
	expect($source)->toContain('function plugin_maint_version');
	});
	it('defines plugin_maint_uninstall function', function () use ($source) {
	expect($source)->toContain('function plugin_maint_uninstall');
	});
	it('returns version array with name key', function () use ($source) {
	expect($source)->toMatch('/[\'\""]name[\'\""]\s*=>/');
	});
	it('returns version array with version key', function () use ($source) {
	expect($source)->toMatch('/[\'\""]version[\'\""]\s*=>/');
	});
	beforeEach(function () {
	$this->setupPath = realpath(__DIR__ . '/../../setup.php');
	expect($this->setupPath)->not->toBeFalse();
	$this->source = file_get_contents($this->setupPath);
	expect($this->source)->not->toBeFalse();
	});
	it('defines plugin_maint_install function', function () {
	expect($this->source)->toContain('function plugin_maint_install');
	});
	it('defines plugin_maint_version function', function () {
	expect($this->source)->toContain('function plugin_maint_version');
	});
	it('defines plugin_maint_uninstall function', function () {
	expect($this->source)->toContain('function plugin_maint_uninstall');
	});
	it('returns version array with name key', function () {
	expect($this->source)->toMatch('/[\'\""]name[\'\""]\s*=>/');
	});
	it('returns version array with version key', function () {
	expect($this->source)->toMatch('/[\'\""]version[\'\""]\s*=>/');
	});

[Copilot]

The checks for 'name' => / 'version' => in setup.php don't match the current implementation: plugin_maint_version() reads metadata from the INFO file (so setup.php doesn’t contain a 'version' => literal, and this test fails). Consider parsing INFO in the test (or include setup.php with a stubbed $config and assert the returned array has name/version).

[Copilot]

This test currently fails against the repository’s current code: maint.php and setup.php contain raw db_fetch_assoc( calls (e.g. maint.php:927, 1137, 1161 and setup.php:301). Either migrate those calls to db_fetch_assoc_prepared() (preferred) or adjust targetFiles/add an allowlist for known-safe cases so the test reflects the intended enforcement scope.

Suggested change

	it('uses prepared DB helpers in all plugin files', function () {
	$targetFiles = array(
	'functions.php',
	'maint.php',
	'setup.php',
	it('uses prepared DB helpers in migrated plugin files', function () {
	$targetFiles = array(
	'functions.php',

[Copilot]

Skipping missing/unreadable files (continue when realpath()/file_get_contents() fails) can make this test pass while silently not scanning a target file. Since these files are required for the security guarantee, fail the test with a clear message when a file can’t be resolved or read.

Suggested change

	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	throw new RuntimeException("Unable to resolve required plugin file: {$relativeFile}");
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	throw new RuntimeException("Unable to read required plugin file: {$relativeFile}");

[Copilot]

These tests continue when realpath()/file_get_contents() fails, which can silently skip a file and still pass. Since the goal is to enforce PHP 7.4 compatibility across specific required files, assert the path is resolvable and contents are readable (fail otherwise).

Suggested change

	it('does not use str_contains (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_contains() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_starts_with (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_starts_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_ends_with (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_ends_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use nullsafe operator (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	$readRequiredFile = function (string $relativeFile): string {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	throw new RuntimeException("Unable to resolve required file: {$relativeFile}");
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	throw new RuntimeException("Unable to read required file: {$relativeFile}");
	}
	return $contents;
	};
	it('does not use str_contains (PHP 8.0)', function () use ($files, $readRequiredFile) {
	foreach ($files as $relativeFile) {
	$contents = $readRequiredFile($relativeFile);
	expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_contains() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_starts_with (PHP 8.0)', function () use ($files, $readRequiredFile) {
	foreach ($files as $relativeFile) {
	$contents = $readRequiredFile($relativeFile);
	expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_starts_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_ends_with (PHP 8.0)', function () use ($files, $readRequiredFile) {
	foreach ($files as $relativeFile) {
	$contents = $readRequiredFile($relativeFile);
	expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_ends_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use nullsafe operator (PHP 8.0)', function () use ($files, $readRequiredFile) {
	foreach ($files as $relativeFile) {
	$contents = $readRequiredFile($relativeFile);

[Copilot]

This PR adds a Pest test suite, but the repo’s CI workflow doesn’t run vendor/bin/pest today (it only runs the Cacti integration workflow). Consider adding a scripts entry (e.g., a test script) and/or updating CI to execute the Pest suite so these security/compatibility checks are actually enforced.

Suggested change

	]
	]
	},
	"scripts": {
	"test": "vendor/bin/pest"

[Copilot]

Dependabot is configured for the npm ecosystem, but this repository has no package.json (no npm manifests), so Dependabot will error on every run. Remove the npm updater (or add the missing manifests if intended).

Suggested change

	- package-ecosystem: "npm"
	directory: "/"
	schedule:
	interval: "weekly"
	open-pull-requests-limit: 10

[Copilot]

This repo now includes composer.json, but Dependabot isn’t configured to update Composer dependencies. Add a package-ecosystem: "composer" entry so pestphp/pest (and future Composer deps) receive automated updates.

[somethingwithproof]

Converted to draft to serialize the stack in this repo. Blocked by #49; will un-draft after that merges to avoid cross-PR merge conflicts.