From 01f5265effdd2c62323d519a93aff519cf0704c1 Mon Sep 17 00:00:00 2001 From: fs Date: Sun, 26 Apr 2026 17:47:36 +0200 Subject: [PATCH] test(architecture): drop stale actionFragmentContext mentions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cleanup follow-up to commit 9ec10f5, which removed the unused actionFragmentContext aggregator and its building block. Two architecture tests still mentioned the removed aggregator in their allowlists and recognizer regexes — patterns that now match an empty set, harmless but misleading. * ActionContextCsrfPairingContractTest: drop 'actionFragmentContext' from the AGGREGATORS constant, update the docblock to list only the two remaining aggregators, and rewrite the GET-only-allowlist comment to no longer reference the fragment-specific case (the guard itself stays — any future GET-only aggregator caller would still hit it). * DetailDrawerFragmentContractTest: drop the third alternative from the aggregator-recognizer regex inside extractTopLevelAbility, and trim two comments accordingly. The historical documentation in ActionContextHelperContractTest is deliberately kept — those comments explain to future readers why the test only freezes 5 building blocks and 2 aggregators (instead of the original 6/3) and why the CSRF-warning expectation is 2 instead of 3. That is contextual documentation, not stale references. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../ActionContextCsrfPairingContractTest.php | 11 +++++------ .../DetailDrawerFragmentContractTest.php | 12 ++++++------ 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/tests/Architecture/ActionContextCsrfPairingContractTest.php b/tests/Architecture/ActionContextCsrfPairingContractTest.php index ed23f2f..45594cf 100644 --- a/tests/Architecture/ActionContextCsrfPairingContractTest.php +++ b/tests/Architecture/ActionContextCsrfPairingContractTest.php @@ -9,9 +9,9 @@ use RecursiveIteratorIterator; /** * GR-SEC-001 extension: every page action that calls one of the - * action-context aggregators (actionEditContext, actionCreateContext, - * actionFragmentContext) AND handles POST data MUST also call - * actionRequireCsrf() before it accesses the request body. + * action-context aggregators (actionEditContext, actionCreateContext) + * AND handles POST data MUST also call actionRequireCsrf() before it + * accesses the request body. * * Closes plan-stage finding SEC-PLAN-004 from Run * 2026-04-25-action-context-helper. Replaces the obsolete @@ -39,7 +39,6 @@ class ActionContextCsrfPairingContractTest extends TestCase private const AGGREGATORS = [ 'actionEditContext', 'actionCreateContext', - 'actionFragmentContext', ]; /** @@ -106,8 +105,8 @@ class ActionContextCsrfPairingContractTest extends TestCase $isPostHandler = $this->hasAny($content, self::POST_PRESENCE_INDICATORS) || preg_match('/->body\(/', $content) === 1; - // Drawer-fragment allowlist: actionFragmentContext-only callers - // without any POST indicator are GET-only and don't need CSRF. + // GET-only allowlist: aggregator callers without any POST + // indicator are render-only and don't need CSRF. if (!$isPostHandler) { continue; } diff --git a/tests/Architecture/DetailDrawerFragmentContractTest.php b/tests/Architecture/DetailDrawerFragmentContractTest.php index 9b32a33..91727f7 100644 --- a/tests/Architecture/DetailDrawerFragmentContractTest.php +++ b/tests/Architecture/DetailDrawerFragmentContractTest.php @@ -192,10 +192,10 @@ class DetailDrawerFragmentContractTest extends TestCase * argument from a PHP source string. Returns null and records a violation * when no statically extractable call is found. * - * Also recognizes the actionEditContext / actionCreateContext / actionFragmentContext - * aggregator pattern: if the file calls one of those aggregators at top level, - * we look for an 'abilityKey' => SomePolicy::CONST entry inside the args array - * and treat it as the top-level ability. + * Also recognizes the actionEditContext / actionCreateContext aggregator + * pattern: if the file calls one of those aggregators at top level, we + * look for an 'abilityKey' => SomePolicy::CONST entry inside the args + * array and treat it as the top-level ability. */ private function extractTopLevelAbility(string $source, string $fileRel, array &$violations): ?string { @@ -224,11 +224,11 @@ class DetailDrawerFragmentContractTest extends TestCase $hasNestedMatch = true; } } - // actionEditContext / actionCreateContext / actionFragmentContext aggregator pattern. + // actionEditContext / actionCreateContext aggregator pattern. // The aggregator args use a [ ... ] array literal (not a { ... } block), // so brace-depth tracking does not bracket them; we track the array // opening with a separate "inside aggregator args" sticky flag instead. - if (!$insideTopLevelAggregator && $depth === 0 && preg_match('/actionEditContext\s*\(|actionCreateContext\s*\(|actionFragmentContext\s*\(/', $line)) { + if (!$insideTopLevelAggregator && $depth === 0 && preg_match('/actionEditContext\s*\(|actionCreateContext\s*\(/', $line)) { $insideTopLevelAggregator = true; } if ($insideTopLevelAggregator && !$hasTopLevelMatch && preg_match('/[\'"]abilityKey[\'"]\s*=>\s*([A-Za-z_\\\\][A-Za-z0-9_\\\\:]*)/', $line, $am)) {