diff --git a/tests/Architecture/ActionContextCsrfPairingContractTest.php b/tests/Architecture/ActionContextCsrfPairingContractTest.php index ed23f2f..45594cf 100644 --- a/tests/Architecture/ActionContextCsrfPairingContractTest.php +++ b/tests/Architecture/ActionContextCsrfPairingContractTest.php @@ -9,9 +9,9 @@ use RecursiveIteratorIterator; /** * GR-SEC-001 extension: every page action that calls one of the - * action-context aggregators (actionEditContext, actionCreateContext, - * actionFragmentContext) AND handles POST data MUST also call - * actionRequireCsrf() before it accesses the request body. + * action-context aggregators (actionEditContext, actionCreateContext) + * AND handles POST data MUST also call actionRequireCsrf() before it + * accesses the request body. * * Closes plan-stage finding SEC-PLAN-004 from Run * 2026-04-25-action-context-helper. Replaces the obsolete @@ -39,7 +39,6 @@ class ActionContextCsrfPairingContractTest extends TestCase private const AGGREGATORS = [ 'actionEditContext', 'actionCreateContext', - 'actionFragmentContext', ]; /** @@ -106,8 +105,8 @@ class ActionContextCsrfPairingContractTest extends TestCase $isPostHandler = $this->hasAny($content, self::POST_PRESENCE_INDICATORS) || preg_match('/->body\(/', $content) === 1; - // Drawer-fragment allowlist: actionFragmentContext-only callers - // without any POST indicator are GET-only and don't need CSRF. + // GET-only allowlist: aggregator callers without any POST + // indicator are render-only and don't need CSRF. if (!$isPostHandler) { continue; } diff --git a/tests/Architecture/DetailDrawerFragmentContractTest.php b/tests/Architecture/DetailDrawerFragmentContractTest.php index 9b32a33..91727f7 100644 --- a/tests/Architecture/DetailDrawerFragmentContractTest.php +++ b/tests/Architecture/DetailDrawerFragmentContractTest.php @@ -192,10 +192,10 @@ class DetailDrawerFragmentContractTest extends TestCase * argument from a PHP source string. Returns null and records a violation * when no statically extractable call is found. * - * Also recognizes the actionEditContext / actionCreateContext / actionFragmentContext - * aggregator pattern: if the file calls one of those aggregators at top level, - * we look for an 'abilityKey' => SomePolicy::CONST entry inside the args array - * and treat it as the top-level ability. + * Also recognizes the actionEditContext / actionCreateContext aggregator + * pattern: if the file calls one of those aggregators at top level, we + * look for an 'abilityKey' => SomePolicy::CONST entry inside the args + * array and treat it as the top-level ability. */ private function extractTopLevelAbility(string $source, string $fileRel, array &$violations): ?string { @@ -224,11 +224,11 @@ class DetailDrawerFragmentContractTest extends TestCase $hasNestedMatch = true; } } - // actionEditContext / actionCreateContext / actionFragmentContext aggregator pattern. + // actionEditContext / actionCreateContext aggregator pattern. // The aggregator args use a [ ... ] array literal (not a { ... } block), // so brace-depth tracking does not bracket them; we track the array // opening with a separate "inside aggregator args" sticky flag instead. - if (!$insideTopLevelAggregator && $depth === 0 && preg_match('/actionEditContext\s*\(|actionCreateContext\s*\(|actionFragmentContext\s*\(/', $line)) { + if (!$insideTopLevelAggregator && $depth === 0 && preg_match('/actionEditContext\s*\(|actionCreateContext\s*\(/', $line)) { $insideTopLevelAggregator = true; } if ($insideTopLevelAggregator && !$hasTopLevelMatch && preg_match('/[\'"]abilityKey[\'"]\s*=>\s*([A-Za-z_\\\\][A-Za-z0-9_\\\\:]*)/', $line, $am)) {