chore(test): unified Pest test infrastructure with HandOff support

[somethingwithproof]

Consolidated test foundation. This PR supersedes #7083 — the HandOff infrastructure, Integration suite, and infection config from #7083 have been folded onto feat/test-infra-foundation along with the Pest test foundation.

What this adds

Pest foundation (originally #7124)

• composer.json: Pest 2 (held at v2 because v3 transitively requires PHP 8.2, breaking the 8.1 matrix entry in Cacti Commit Audit), pest-plugin-drift, phpstan, php-cs-fixer, phplint, rector, xdebug-handler in require-dev.
• tests/Pest.php: bootstrap file.
• tests/Helpers/UnitStubs.php: shared stubs for unit tests.
• tests/Unit/{Utility,Rrd,Time}Test.php: seed unit tests (560 cases / 1202 assertions).
• tests/integration/OrbEnvironmentTest.php: orb sanity check.
• tests/tools/check_orb.sh: helper for orb integration.
• .gitignore: vendor and build artifact entries.
• phpstan-baseline.neon: 11 upstream-detected entries to keep Cacti Commit Audit green.

HandOff + mutation (originally #7083)

• composer.json: infection/infection ^0.27 in require-dev and infection/extension-installer: true in config.allow-plugins.
• infection.json5: baseline mutation config (Pest, MSI 70 / covered 80, 30s timeout, log under build/infection/). Per-feature filters live in the feature PRs.
• tests/HandOff/HandOffHelpers.php: shared helpers (cacti_handoff_stub_cacti_log, cacti_handoff_get_log_buffer, cacti_handoff_temp_file, cacti_handoff_make_zip).
• tests/HandOff/<Feature>HandOffTest.php (8 files): boundary-crossing suites for feat(security): Symfony Process and Mime helpers #7073 (CactiProcess), feat(mime): add CactiMime helpers and validate package_import uploads #7074 (CactiMime), feat(cli): add Symfony Console plumbing and migrate two pilot scripts #7075 (CLI), feat(validator): add settings constraint validation pilot #7077 (CactiSettings), fix(import): consolidate path hardening for import and package writes #6989 (import path), fix: auto-detect and strip trailing .0 padding in SNMP OID indexes #7032 (OID strip), feat(security): add cacti_dispatch helper for action table authorisation #7063 (cacti_dispatch), feat(htmx): vendored htmx 2.0.6 loader + tests (tranche A of filter pilot) #7066 (htmx loader). Each suite guards on file_exists() / function_exists() and registers a skipped test when the source feature is absent, so this PR is green on develop today and the suites activate as feature PRs land.
• tests/HandOff/RegressionGuardTest.php: regression guard.
• tests/integration/{CactiProcess,DbDump,Ping,SqlScripts}IntegrationTest.php: integration-level tests.
• phpunit.xml: registers Unit, Integration, and HandOff testsuites.
• docs/security/handoff-tests.md: explains the boundary-crossing assertion pattern.

Conflict resolutions during the merge

• composer.json — auto-merged; both branches contributed to require-dev.
• phpunit.xml — manual: kept Unit + Integration (lowercase dir from chore(test): unified Pest test infrastructure with HandOff support #7124) + added HandOff.
• tests/Integration/ from test: shared hand-off + mutation infrastructure for feature PRs #7083 renamed to tests/integration/ to match the existing repo convention; OrbEnvironmentTest.php and the four new integration tests now live together.
• phpstan-baseline.neon — identical contents on both branches; no conflict.

Verification

• php -l clean on every PHP file added or modified by the merge (14 files).
• CACTI_TEST_BOOTSTRAP=1 ./include/vendor/bin/pest tests/Unit — 560 passed, 1202 assertions, 2.09s.
• composer validate --strict passes locally.

What this does NOT change

• No CI gate on mutation. Mutation is operator-run locally before merging substantive changes; running it in CI on every PR would multiply the PHP matrix runtime with no caught-bug payoff at present coverage.
• 1.2.x branches are explicitly excluded — infection/infection transitively pulls Symfony components, and the project's policy is no Symfony on 1.2.x.

Follow-ups (each scoped to one concern, no file overlap)

• B: lib/CactiValidator.php helpers (feat(security): add CactiValidator helpers #7125)
• C: lib/CactiRequest.php, lib/CactiLogger.php, lib/CactiFilesystem.php (feat(lib): add CactiRequest, CactiLogger, CactiFilesystem wrappers #7126)
• D: database layer unit tests (test: add database layer unit tests via SQLite + MySQL-shaped PDO decorator #7127)
• E: PHP_TESTING DB sentinel gating in include/global.php (chore(test): gate test-only DB short-circuit behind CACTI_TEST_BOOTSTRAP env #7128)
• F: OAuth provider factory refactor (refactor(oauth): extract CactiOAuth provider factory #7129)

[Copilot]

Pull request overview

Introduces initial Pest-based testing scaffolding for Cacti, including PHPUnit suite wiring and seed unit/integration tests, plus a PSR-4 autoload entry intended to support new Cacti\-namespaced code under lib/.

Changes:

• Adds Pest bootstrap and expands PHPUnit configuration with an Integration testsuite.
• Adds seed unit tests for time/rrd/utility helpers and an Orb environment integration sanity test.
• Updates Composer configuration (dev test deps + PSR-4 autoload, and additional runtime dependencies).

Reviewed changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
composer.json	Adds Pest dev deps and PSR-4 autoload for Cacti\\ → lib/ (also introduces additional runtime deps).
phpunit.xml	Adds Integration testsuite pointing at tests/integration.
tests/Pest.php	Pest bootstrap binding PHPUnit\Framework\TestCase for unit + integration directories.
tests/Helpers/UnitStubs.php	Introduces global function/constant stubs to support unit tests without full Cacti bootstrap.
tests/Unit/UtilityTest.php	Seed tests for cacti_sizeof/cacti_count.
tests/Unit/TimeTest.php	Seed tests for get_timespan, check_month_boundaries, shift_time.
tests/Unit/RrdTest.php	Seed tests for rrdtool_escape_string.
tests/integration/OrbEnvironmentTest.php	Integration test to validate Orb environment capabilities and basic CLI execution.
tests/tools/check_orb.sh	Adds a Docker compose smoke-test script for the dev environment.
.gitignore	Ignores local/security/test artifacts (e.g., test reports and scratch files).

[somethingwithproof]

Restructured to use flat lib/CactiX.php convention to align with #7088, #7073, #7077, #7075.

[somethingwithproof]

Queue note: treating this as the foundational test-infra PR. Intended order is #7128 first, then this PR, then #7127/#7129 rebased after this lands so they can drop duplicated test helper/baseline churn.