From 8e57ecdb0145107d6a5738cfbad69283ab7559db Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 16:58:40 -0700
Subject: [PATCH 1/5] ci: add dependabot config with npm and github-actions

---
 .github/dependabot.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5c8ba20
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10

From 4a29c5818c59f0602d5c0f4e82e94a908aa03ba2 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 16:58:41 -0700
Subject: [PATCH 2/5] ci: add CodeQL (JS/TS, excludes PHP) with
 workflow_dispatch

---
 .github/workflows/codeql.yml | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..e8b70b5
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,47 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main, master, develop]
+    paths-ignore:
+      - "**/*.php"
+      - "**/*.md"
+  pull_request:
+    branches: [main, master, develop]
+    paths-ignore:
+      - "**/*.php"
+      - "**/*.md"
+  schedule:
+    - cron: "30 1 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript-typescript"]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+        with:
+          category: "/language:${{ matrix.language }}"

From e40f62503197a900b62917761c54e19c5e9c3e26 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 18:55:38 -0700
Subject: [PATCH 3/5] ci: remove CodeQL JS/TS workflow (no JavaScript in this
 repo)

---
 .github/workflows/codeql.yml | 47 ------------------------------------
 1 file changed, 47 deletions(-)
 delete mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index e8b70b5..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: "CodeQL"
-
-on:
-  push:
-    branches: [main, master, develop]
-    paths-ignore:
-      - "**/*.php"
-      - "**/*.md"
-  pull_request:
-    branches: [main, master, develop]
-    paths-ignore:
-      - "**/*.php"
-      - "**/*.md"
-  schedule:
-    - cron: "30 1 * * 1"
-  workflow_dispatch:
-
-concurrency:
-  group: codeql-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["javascript-typescript"]
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
-        with:
-          languages: ${{ matrix.language }}
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
-        with:
-          category: "/language:${{ matrix.language }}"

From def441cf7bcfc7bf9f7a5c1e0ea6d014abb4605e Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Wed, 8 Apr 2026 23:01:08 -0700
Subject: [PATCH 4/5] fix(security): defense-in-depth hardening for
 plugin_maint

Automated fixes:
- XSS: escape request variables in HTML value attributes
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 maint.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/maint.php b/maint.php
index af10520..b920e17 100644
--- a/maint.php
+++ b/maint.php
@@ -1375,8 +1375,8 @@ function clearFilter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' id='page' value='<?php print get_request_var('page'); ?>'>
-			<input type='hidden' id='id' value='<?php print get_request_var('id'); ?>'>
+			<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
+			<input type='hidden' id='id' value='<?php print html_escape_request_var('id'); ?>'>
 		</form>
 		</td>
 	</tr>
@@ -1686,8 +1686,8 @@ function webseer_urls(string $header_label): void {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' name='page' value='<?php print get_request_var('page'); ?>'>
-			<input type='hidden' name='id' value='<?php print get_request_var('id'); ?>'>
+			<input type='hidden' name='page' value='<?php print html_escape_request_var('page'); ?>'>
+			<input type='hidden' name='id' value='<?php print html_escape_request_var('id'); ?>'>
 		</form>
 		<script type='text/javascript'>
 		function applyFilter() {
@@ -1994,8 +1994,8 @@ function clearFilter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' name='page' value='<?php print get_request_var('page'); ?>'>
-			<input type='hidden' name='id' value='<?php print get_request_var('id'); ?>'>
+			<input type='hidden' name='page' value='<?php print html_escape_request_var('page'); ?>'>
+			<input type='hidden' name='id' value='<?php print html_escape_request_var('id'); ?>'>
 		</form>
 		</td>
 	</tr>

From 952b91ce165f1007d39b1f810095d3276695a86a Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 23:03:24 -0700
Subject: [PATCH 5/5] fix(ci): Dependabot composer ecosystem, CodeQL PHP
 coverage

- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 .github/dependabot.yml | 2 +-
 .gitignore             | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5c8ba20..b14cfa0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: "composer"
     directory: "/"
     schedule:
       interval: "weekly"
diff --git a/.gitignore b/.gitignore
index eb71606..32791f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@
 # +-------------------------------------------------------------------------+
 
 locales/po/*.mo
+.omc/