quality-debt: PR #1354 review feedback (critical)

[superdav42]

Unactioned Review Feedback

Source PR: #1354
File: general
Reviewers: coderabbit
Findings: 1
Max severity: critical

---

CRITICAL: coderabbit (coderabbitai[bot])

Verification: kept as unverifiable (no stable snippet extracted)
Actionable comments posted: 1

🧹 Nitpick comments (2)

inc/ui/class-checkout-element.php (1)

536-540: 💤 Low value

sanitize_key() lowercases header names, which changes the intended casing.

sanitize_key() converts strings to lowercase and removes non-alphanumeric characters except dashes and underscores. This means 'Cache-Control' becomes 'cache-control', 'X-Accel-Expires' becomes 'x-accel-expires', etc. While HTTP/1.1 headers are case-insensitive, HTTP/2 requires lowercase headers. However, PHP's header() function typically handles this correctly regardless. The behavior is acceptable but worth noting for documentation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@inc/ui/class-checkout-element.php` around lines 536 - 540, The code is
lowercasing header names by calling sanitize_key() before sending them; remove
sanitize_key() and send header names as provided (after trimming CR/LF), or
alternatively validate/whitelist header names without altering case to preserve
original casing; update the foreach block that iterates $headers (and the
header(...) call) to use the original $name (or a validated/whitelisted version)
instead of sanitize_key($name) while still sanitizing $value and preventing CRLF
injection.

tests/WP_Ultimo/UI/Checkout_Element_Test.php (1)

87-99: 💤 Low value

Source-string assertions are brittle but serve as regression guardrails.

This test reads the source file to verify cache-safety patterns exist. While unconventional, it effectively prevents accidental removal of critical no-cache mechanisms. The path dirname(__DIR__, 3) . '/inc/ui/class-checkout-element.php' resolves correctly from tests/WP_Ultimo/UI/ → project root.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/WP_Ultimo/UI/Checkout_Element_Test.php` around lines 87 - 99, The test
test_source_contains_live_checkout_cache_safeguards() intentionally reads the
source file to assert the presence of cache-safety tokens; keep this test but
add an inline explanation comment and ensure it uses the same path resolution
(dirname(__DIR__, 3) . '/inc/ui/class-checkout-element.php'), retains the phpcs
ignore, and preserves assertions for 'DONOTCACHEPAGE', 'nocache_headers()',
'wu_checkout_nocache_required', 'litespeed_control_set_nocache',
'X-Accel-Expires', 'CDN-Cache-Control', 'Surrogate-Control', and
'X-LiteSpeed-Cache-Control' so the regression guardrails remain in place.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@inc/ui/class-checkout-element.php`:
- Around line 866-873: The viewport auto-load branch currently only runs when
'IntersectionObserver' exists, leaving older browsers without a fallback; update
the block that checks "else if ('viewport' === trigger && 'IntersectionObserver'
in window)" to handle the else case by attaching a safe fallback that calls
loadCheckout() when the document becomes visible (e.g., on DOMContentLoaded or
on first scroll/resize) and then removes its listener(s); reference the trigger
variable, loadCheckout(), root and the IntersectionObserver usage so you add a
fallback path that triggers loadCheckout() once and cleans up listeners just
like the observer.disconnect() path.

---

Nitpick comments:
In `@inc/ui/class-checkout-element.php`:
- Around line 536-540: The code is lowercasing header names by calling
sanitize_key() before sending them; remove sanitize_key() and send header names
as provided (after trimming CR/LF), or alternatively validate/whitelist header
names without altering case to preserve original casing; update the foreach
block that iterates $headers (and the header(...) call) to use the original
$name (or a validated/whitelisted version) instead of sanitize_key($name) while
still sanitizing $value and preventing CRLF injection.

In `@tests/WP_Ultimo/UI/Checkout_Element_Test.php`:
- Around line 87-99: The test
test_source_contains_live_checkout_cache_safeguards() intentionally reads the
source file to assert the presence of cache-safety tokens; keep this test but
add an inline explanation comment and ensure it uses the same path resolution
(dirname(__DIR__, 3) . '/inc/ui/class-checkout-element.php'), retains the phpcs
ignore, and preserves assertions for 'DONOTCACHEPAGE', 'nocache_headers()',
'wu_checkout_nocache_required', 'litespeed_control_set_nocache',
'X-Accel-Expires', 'CDN-Cache-Control', 'Surrogate-Control', and
'X-LiteSpeed-Cache-Control' so the regression guardrails remain in place.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a43df532-2d4f-4b7c-a493-9ff3ea163d51

📥 Commits

Reviewing files that changed from the base of the PR and between 8cb56ab and 712ec84.

📒 Files selected for processing (2)

• inc/ui/class-checkout-element.php
• tests/WP_Ultimo/UI/Checkout_Element_Test.php

View comment

---

---

Auto-generated by quality-feedback-helper.sh scan-merged. Review each finding and either fix the code or dismiss with a reason.

---

aidevops.sh v3.20.41 automated scan.

[superdav42]

DISPATCH_CLAIM nonce=4cad0f40e836ce46ce2a227ef5b0e3b6 runner=superdav42 ts=2026-06-09T12:53:28Z max_age_s=1800 version=3.20.41 opencode_version=1.16.2

[superdav42]

Dispatching worker (deterministic).

• Worker PID: 1417679
• Model: openai/gpt-5.5
• Tier: standard
• Runner: superdav42
• aidevops: v3.20.41
• OpenCode: v1.16.2
• Issue: quality-debt: PR #1354 review feedback (critical) #1360

[superdav42]

CLAIM_RELEASED reason=worker_complete runner=superdav42 ts=2026-06-09T13:12:37Z aidevops_version=3.20.41 opencode_version=1.16.2