test: add Pest v1 security test infrastructure

[somethingwithproof]

Summary

• Add Pest v1 test scaffold with Cacti framework stubs
• Source-scan tests for prepared statement consistency
• PHP 7.4 compatibility verification tests
• Plugin setup.php structure validation

Test plan

• composer install && vendor/bin/pest passes
• Tests verify security patterns match hardening PRs

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Copilot]

Pull request overview

Adds a Pest v1-based security testing scaffold for the quicktree plugin, aiming to validate plugin structure, enforce safer DB helper usage, and prevent accidental adoption of PHP 8+ syntax while also introducing basic repository automation config.

Changes:

• Introduce Pest bootstrap/config plus initial security-focused tests (setup.php structure, prepared-statement usage scan, PHP 7.4 syntax checks).
• Add composer.json dev dependency on Pest to run the new tests.
• Add GitHub automation configs (CodeQL workflow, Dependabot configuration).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/Security/SetupStructureTest.php	Validates presence of required setup.php hooks and version array keys.
tests/Security/PreparedStatementConsistencyTest.php	Scans plugin source for raw db_* calls to prevent regressions to unprepared queries.
tests/Security/Php74CompatibilityTest.php	Scans for common PHP 8.0+ syntax/API usage to enforce PHP 7.4 compatibility.
tests/Pest.php	Pest entrypoint that loads the test bootstrap.
tests/bootstrap.php	Stubs core Cacti framework functions/constants so plugin code can load in isolation.
composer.json	Adds Pest v1 as a dev dependency and test bootstrap autoloading.
.github/workflows/codeql.yml	Introduces a CodeQL workflow (currently configured for JS/TS).
.github/dependabot.yml	Introduces Dependabot updates for npm and GitHub Actions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

realpath(__DIR__ . '/../../setup.php') can return false (missing/renamed file), and file_get_contents(false) returns false. Passing that into expect($source)->toContain(...) will error or produce misleading failures; assert the file exists/is readable and fail the test with a clear message if it does not.

Suggested change

	$source = file_get_contents(realpath(__DIR__ . '/../../setup.php'));
	$setupPath = __DIR__ . '/../../setup.php';
	$resolvedSetupPath = realpath($setupPath);
	expect($resolvedSetupPath)
	->not->toBeFalse("Expected setup.php to exist at {$setupPath}.");
	expect(is_readable($resolvedSetupPath))
	->toBeTrue("Expected setup.php to be readable at {$resolvedSetupPath}.");
	$source = file_get_contents($resolvedSetupPath);
	expect($source)
	->not->toBeFalse("Expected to be able to read setup.php at {$resolvedSetupPath}.");

[Copilot]

This test currently targets quicktree.php, but that file contains at least one raw DB helper call (db_fetch_assoc(...) around line ~155), so this test will fail as written. Either migrate those calls to *_prepared equivalents or adjust the test’s target/allowlist so it reflects the current supported behavior.

Suggested change

	describe('prepared statement consistency in quicktree', function () {
	it('uses prepared DB helpers in all plugin files', function () {
	$targetFiles = array(
	'quicktree.php',
	describe('prepared statement consistency in migrated plugin files', function () {
	it('uses prepared DB helpers in setup.php', function () {
	$targetFiles = array(

[Copilot]

Skipping missing/unreadable files (continue when realpath/file_get_contents fails) makes this test pass even if expected source files are absent, which defeats its purpose. Instead, fail the test with a clear assertion when a target file can’t be found or read.

Suggested change

	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect($path)->not->toBeFalse(
	"Expected target file {$relativeFile} to exist and be resolvable"
	);
	$contents = file_get_contents($path);
	expect($contents)->not->toBeFalse(
	"Expected target file {$relativeFile} to be readable at {$path}"
	);

[Copilot]

These checks silently continue when a file is missing/unreadable, which can make the compatibility tests pass while not actually validating anything. Consider asserting that each expected file exists/is readable (and/or centralizing the file-loading logic) so failures are explicit and actionable.

Suggested change

	it('does not use str_contains (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_contains() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_starts_with (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_starts_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_ends_with (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_ends_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use nullsafe operator (PHP 8.0)', function () use ($files) {
	foreach ($files as $relativeFile) {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	if ($path === false) {
	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	}
	$loadFileContents = function (string $relativeFile): string {
	$path = realpath(__DIR__ . '/../../' . $relativeFile);
	expect($path)->not->toBeFalse("Expected compatibility test file to exist and be readable: {$relativeFile}");
	$contents = file_get_contents($path);
	expect($contents)->not->toBeFalse("Expected compatibility test file to be readable: {$relativeFile}");
	return $contents;
	};
	it('does not use str_contains (PHP 8.0)', function () use ($files, $loadFileContents) {
	foreach ($files as $relativeFile) {
	$contents = $loadFileContents($relativeFile);
	expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_contains() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_starts_with (PHP 8.0)', function () use ($files, $loadFileContents) {
	foreach ($files as $relativeFile) {
	$contents = $loadFileContents($relativeFile);
	expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_starts_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use str_ends_with (PHP 8.0)', function () use ($files, $loadFileContents) {
	foreach ($files as $relativeFile) {
	$contents = $loadFileContents($relativeFile);
	expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0,
	"{$relativeFile} uses str_ends_with() which requires PHP 8.0"
	);
	}
	});
	it('does not use nullsafe operator (PHP 8.0)', function () use ($files, $loadFileContents) {
	foreach ($files as $relativeFile) {
	$contents = $loadFileContents($relativeFile);

[Copilot]

Dependabot isn’t configured to update Composer dependencies, even though this PR adds a composer.json with dev dependencies. Add a package-ecosystem: "composer" entry so Pest (and future PHP deps) receive automated security/version updates.

Suggested change

	open-pull-requests-limit: 10
	open-pull-requests-limit: 10
	- package-ecosystem: "composer"
	directory: "/"
	schedule:
	interval: "weekly"
	open-pull-requests-limit: 10

[Copilot]

This CodeQL workflow is configured to ignore all **/*.php changes and only analyzes javascript-typescript, but this repository contains significant PHP code. If CodeQL is intended to provide security coverage here, remove the PHP paths-ignore and add php (or switch the matrix) so PHP is analyzed too.

[somethingwithproof]

Converted to draft to serialize the stack in this repo. Blocked by #10; will un-draft after that merges to avoid cross-PR merge conflicts.