test: add Pest v1 security test infrastructure

[somethingwithproof]

Summary

• Add Pest v1 test scaffold with Cacti framework stubs
• Source-scan tests for prepared statement consistency
• PHP 7.4 compatibility verification tests
• Plugin setup.php structure validation

Test plan

• composer install && vendor/bin/pest passes
• Tests verify security patterns match hardening PRs

[Copilot]

Pull request overview

Adds a Pest v1 test scaffold and lightweight Cacti stubs to enable security/compatibility checks against the syslog plugin codebase.

Changes:

• Introduces Pest bootstrap/config and several source-scanning security/compatibility tests.
• Adds a composer.json with Pest as a dev dependency and test bootstrap autoloading.
• Adds a CodeQL workflow configuration.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
tests/Security/SetupStructureTest.php	Verifies setup.php defines expected plugin entrypoints and version keys.
tests/Security/PreparedStatementConsistencyTest.php	Scans key plugin files for raw db_* calls to prevent regressions.
tests/Security/Php74CompatibilityTest.php	Scans plugin files for PHP 8-only syntax/function usage.
tests/Pest.php	Loads the test bootstrap for Pest runs.
tests/bootstrap.php	Provides Cacti framework stubs for running tests without full Cacti.
composer.json	Adds Pest v1 as a dev dependency and wires test bootstrap autoloading.
.github/workflows/codeql.yml	Adds CodeQL workflow definition.

[Copilot]

This test will flag legitimate db_* calls that must exist in this repo, so it’s likely to fail immediately (e.g., database.php contains return db_execute(...) inside the syslog_db_* wrappers, and setup.php has db_execute(...) calls for plugin metadata cleanup). Consider excluding database.php (and/or known-safe sections) from scanning, or tightening the check to only prohibit raw db_* usage outside the syslog DB wrapper layer (e.g., enforce syslog_db_* usage in non-wrapper files).

[Copilot]

Silently continue-ing when a target file is missing or unreadable makes this test pass without actually validating anything. Prefer failing the test with a clear message when realpath() or file_get_contents() fails so CI can catch moved/renamed files or unexpected read errors.

Suggested change

	continue;
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	continue;
	throw new RuntimeException("Unable to resolve target file for prepared statement consistency test: {$relativeFile}");
	}
	$contents = file_get_contents($path);
	if ($contents === false) {
	throw new RuntimeException("Unable to read target file for prepared statement consistency test: {$path}");

[Copilot]

The db_execute stub signature doesn’t match how the plugin calls it (the syslog DB wrappers call db_execute($sql, $log, $syslog_cnn)), which can cause ArgumentCountError if any test loads plugin code. Update the stub to accept the additional optional parameters (log flag / connection) to mirror Cacti’s function signature.

Suggested change

	function db_execute($sql) {
	$GLOBALS['__test_db_calls'][] = array('fn' => 'db_execute', 'sql' => $sql, 'params' => array());
	function db_execute($sql, $log = true, $cnn = false) {
	$GLOBALS['__test_db_calls'][] = array('fn' => 'db_execute', 'sql' => $sql, 'params' => array(), 'log' => $log, 'cnn' => $cnn);

[Copilot]

Similarly, db_execute_prepared is called by the plugin with additional parameters (e.g. $log, $syslog_cnn). The stub should accept those optional arguments to avoid runtime errors when plugin code is executed during tests.

Suggested change

	function db_execute_prepared($sql, $params = array()) {
	function db_execute_prepared($sql, $params = array(), $log = true, $cnn = null) {

[Copilot]

The db_fetch_* stubs accept fewer parameters than the plugin’s wrappers pass through (e.g. db_fetch_cell($sql, $col_name, $log, $cnn) and db_fetch_assoc($sql, $log, $cnn)). If any test includes code paths that invoke these wrappers, this will fatally error; consider updating these stubs to accept the optional $log/$cnn parameters (and $col_name where applicable).

[Copilot]

If setup.php can’t be resolved/read (e.g., path changes), $source becomes false and subsequent string expectations will behave unpredictably and/or emit warnings. Consider asserting that realpath() and file_get_contents() succeeded (fail fast with a clear message) before running toContain / toMatch expectations.

Suggested change

	$source = file_get_contents(realpath(__DIR__ . '/../../setup.php'));
	$setupPath = realpath(__DIR__ . '/../../setup.php');
	expect($setupPath)
	->not->toBeFalse('Failed to resolve setup.php path from ' . __DIR__);
	$source = file_get_contents($setupPath);
	expect($source)
	->not->toBeFalse('Failed to read setup.php at path: ' . $setupPath);

[Copilot]

These tests silently skip files when realpath() or file_get_contents() fails, which can lead to false-green results. Prefer failing with an explicit assertion/message when a target file is missing/unreadable so the compatibility gate remains meaningful over time.

[Copilot]

paths-ignore excludes all **/*.php, so CodeQL won’t run on the vast majority of changes in this PHP plugin. If the intent is to security-scan the plugin, remove the PHP ignore (and consider ignoring only vendor/ or generated paths instead).

[Copilot]

The CodeQL language matrix doesn’t include php, so even when the workflow runs it won’t analyze the primary language in this repository. Add PHP to the matrix (or switch to a single-language config) so CodeQL produces useful results for this codebase.

[TheWitness]

Closing this one. We can discuss on Sunday.