Development to Main - Add new test fixtures #123

Merged
noelsaw1 merged 8 commits into main from development
Mar 24, 2026

@noelsaw1
Contributor

Description

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📝 Documentation update
  • 🧪 Test update
  • ♻️ Refactoring (no functional changes)

Related Issue

Fixes #(issue number)

Changes Made

Testing

  • Ran dist/tests/run-fixture-tests.sh - All tests pass
  • Tested against real WordPress plugin/theme
  • Added new test fixtures (if applicable)
  • Verified no new issues in dist/tests/fixtures/clean-code.php

Checklist

  • My code follows the project's coding standards
  • I have updated the documentation (README.md, CHANGELOG.md)
  • I have added tests that prove my fix/feature works
  • All new and existing tests pass
  • I have updated CHANGELOG.md with my changes
  • I have read and agree to the Contributor License Agreement (CLA)

CLA Signature

For first-time contributors: Please comment below with:

I have read and agree to the CLA

This is a one-time requirement. Once signed, you can contribute to all future PRs without re-signing.

Questions about the CLA? See CLA.md or email cla@hypercart.com


Additional Notes

noelsaw1 and others added 8 commits March 23, 2026 21:02
…tainment

- spo-004: Add admin-only hook whitelist to downgrade inherently-admin hooks
  (admin_notices, admin_init, admin_menu, etc.) to INFO severity instead of
  flagging as missing capability checks
- N+1: Replace line-range heuristic in find_meta_in_loop_line() with
  brace-depth tracking so get_*_meta calls after a loop's closing brace
  are no longer false-positived as N+1 patterns
- Update FEEDBACK-CR-SELF-SERVICE.md, CHANGELOG.md, and 4X4.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The grouping function's flush uses the caller's severity args, which
overwrote the INFO downgrade back to HIGH. Use add_json_finding directly
for whitelisted hooks to preserve the INFO severity.

Verified: credit-registry-forms.php:48 now correctly reports as INFO.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…e dedup

- limit-multiplier-from-count: tighten JSON search_pattern to require
  count(...) * <number> instead of matching any count() call (24 → 0 FPs)
- rest-no-pagination: add skip_if_context_matches to scripted runner and
  suppress non-GET endpoints (POST/PUT/DELETE/PATCH) via 3-line narrow
  context check (16 → 8 findings)
- Cross-rule dedup: deduplicate overlapping superglobal findings
  (spo-002, unsanitized-read, isset-bypass) in JSON report builder —
  same file:line keeps only the first finding (23 duplicates eliminated)

Total CR self-service findings: 99 → 31 after all rounds of fixes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- New "WP Code Check Scanner — Quick Reference" section with CLI flags,
  output locations, MCP server config, and pattern library pointer
- Updated version tag to v2.2.9
- Include user-created CLAUDE.md that points agents to AGENTS.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The N+1 check emitted findings with an empty code field because
find_meta_in_loop_line only returned the line number. Now extracts
the actual source line via sed before passing to add_json_finding.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…hook

- n-plus-one-optimized.php: sequential meta calls after loop closure
- limit-multiplier-from-count.php: display/comparison/assignment count() uses
- admin-no-capability.php: admin-only hook whitelist (admin_notices, admin_init, admin_menu)

All 20 fixture validations pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@noelsaw1 noelsaw1 merged commit cdacbec into main Mar 24, 2026
2 checks passed
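
The first commit above replaces a line-range heuristic with brace-depth tracking so that get_*_meta calls after a loop's closing brace stop being reported as N+1. The sketch below is an added example, not the project's code: `by_line_window` is an assumed stand-in for a line-range heuristic, `by_brace_depth` is a hypothetical simplified tracker, and the PHP sample is constructed.

```python
import re

LOOP = re.compile(r"\b(?:foreach|for|while)\s*\(")
META = re.compile(r"\bget_\w+_meta\s*\(")

# Constructed PHP sample: one meta call inside the loop (line 4),
# one sequential meta call after the loop has closed (line 8).
SAMPLE = """<?php
function render_cards( $ids ) {
    foreach ( $ids as $id ) {
        $price = get_post_meta( $id, '_price', true );
        echo esc_html( $price );
    }
    $layout = get_option( 'card_layout' );
    $owner  = get_user_meta( get_current_user_id(), 'nickname', true );
    return $layout . $owner;
}
"""

def by_line_window(src, window=10):
    """Assumed line-range heuristic: meta call within `window` lines of a loop keyword."""
    hits, last_loop = [], None
    for no, line in enumerate(src.splitlines(), 1):
        if LOOP.search(line):
            last_loop = no
        if META.search(line) and last_loop is not None and no - last_loop <= window:
            hits.append(no)
    return hits

def by_brace_depth(src):
    """Report a meta call only while a loop body's opening brace is still unclosed.
    Simplification: braces in strings/comments, brace-less loops, do-while and
    endforeach syntax are not handled."""
    hits, depth, loop_stack, pending = [], 0, [], False
    for no, line in enumerate(src.splitlines(), 1):
        if LOOP.search(line):
            pending = True               # the next '{' opens this loop's body
        call = META.search(line)
        for i, ch in enumerate(line):
            if call and i == call.start() and loop_stack:
                hits.append(no)
            if ch == "{":
                depth += 1
                if pending:
                    loop_stack.append(depth)   # remember the depth of the loop body
                    pending = False
            elif ch == "}":
                if loop_stack and loop_stack[-1] == depth:
                    loop_stack.pop()           # this brace closes the loop body
                depth -= 1
    return hits
```

On the sample, the line window reports lines 4 and 8, while the brace-depth tracker reports only line 4, the call that actually runs once per iteration.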