WP API Fixes

Author: PDowney

CHANGELOG.md

@@ -6,14 +6,17 @@
 
 - **Multisite Export Authorization**: Full-site export access now uses a shared permission helper. On multisite, exporter page access, export creation, secure download, and manual delete require a super admin or `manage_network_options`; single-site installs continue to require `manage_options`.
 - **Per-Export Private Storage**: Each export is now staged in a random private child directory under the configured private temp export base. The exporter rejects symlinked or unsafe pre-existing directories and enforces `0700` directory permissions.
-- **Private File Modes**: Sensitive export artifacts now use a private umask during export and explicit `0600` chmod verification after database dumps, compressed database payloads, file archives, manifests, final ZIPs, and protection files are created.
+- **Private File Modes**: Sensitive export artifacts now use a private umask during export and WordPress Filesystem-backed `0600` chmod verification after database dumps, compressed database payloads, file archives, manifests, final ZIPs, and protection files are created.
 - **WP-CLI Trust Boundary**: WP-CLI discovery now prefers trusted system paths (`/usr/local/bin/wp`, `/usr/bin/wp`). Alternate executables must be explicitly configured with `SSE_WP_CLI_PATH` or the `sse_wp_cli_path` filter and must pass ownership and writable-mode checks.
 - **Export Action Binding**: Generated download and delete actions include the private export directory identifier in their request data and nonce action so requests are tied to the generated export location.
 
 ### Architecture
 
-- **Private Export Cleanup**: Bulk cleanup now scans generated private export directories, scheduled/manual deletion can clean up empty private export directories, and failed exports remove their private staging directory.
-- **Private Storage Helpers**: Added shared helpers for multisite-aware capability checks, private export directory naming, generated directory validation, and private filesystem mode enforcement.
+- **Private Export Cleanup**: Bulk cleanup now scans generated private export directories with the WordPress Filesystem API, scheduled/manual deletion can clean up empty private export directories, and failed exports remove their private staging directory through the WordPress Filesystem API for VIP compatibility.
+- **WordPress API Coverage**: Replaced direct file metadata checks, generated artifact verification, export cleanup directory scans, and filename basename extraction with WordPress Filesystem API methods and native WordPress helpers where available.
+- **Private Storage Helpers**: Added shared helpers for multisite-aware capability checks, private export directory naming, generated directory validation, generated file verification, and private filesystem mode enforcement.
+- **VIPCS Tooling**: Added VIP Coding Standards as a Composer-managed dev dependency so the project PHPCS script can run the VIP ruleset reproducibly.
+- **Semver Test Prep**: Added a Composer-managed semantic versioning library for future version-related tests.
 
 ### Documentation
 

composer.json

@@ -26,7 +26,9 @@
     "php-stubs/wordpress-stubs": "^6.9",
     "szepeviktor/phpstan-wordpress": "^2.0",
     "phpstan/phpstan": "^2.1",
-    "phpcompatibility/phpcompatibility-wp": "^2.1"
+    "phpcompatibility/phpcompatibility-wp": "^2.1",
+    "automattic/vipwpcs": "^3.0.1",
+    "z4kn4fein/php-semver": "^3.0"
   },
   "scripts": {
     "phpcs": "phpcs --standard=phpcs.xml",

composer.lock

@@ -78,7 +78,6 @@
  * @see PharData - PHP PharData class
  * @see RecursiveIteratorIterator - PHP SPL iterator
  * @see RecursiveDirectoryIterator - PHP SPL directory iterator
- * @see DirectoryIterator - PHP SPL directory iterator for cleanup
  * @see SplFileInfo - PHP SPL file information class
  * @see RuntimeException - PHP runtime exception class
  * @see Exception - PHP base exception class

enginescript-site-exporter.php

@@ -123,7 +123,7 @@ function sse_render_exporter_notices(): void {
  * @return void
  */
 function sse_render_export_success_notice( array $zip_result ): void {
-	$export_dir_name       = basename( dirname( $zip_result['filepath'] ) );
+	$export_dir_name       = wp_basename( dirname( $zip_result['filepath'] ) );
 	$has_private_dir_param = sse_is_export_private_directory_name( $export_dir_name );
 	$download_args         = [
 		'action' => 'sse_secure_download',

includes/admin-page.php

@@ -236,7 +236,7 @@ function sse_create_compressed_database_file( string $source_path, string $targe
 	fclose( $source_handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose -- Closing local file handle opened above.
 	gzclose( $target_handle );
 
-	if ( ! file_exists( $target_path ) || filesize( $target_path ) <= 0 ) { // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.file_exists_file_exists, WordPress.WP.AlternativeFunctions.file_system_operations_filesize -- Verifying generated local gzip payload.
+	if ( ! sse_filesystem_file_has_content( $target_path ) ) {
 		sse_cleanup_files( [ $target_path ] );
 		return new WP_Error( 'db_compress_verify_failed', __( 'Compressed database file was not created successfully.', 'enginescript-site-exporter' ) );
 	}
@@ -297,7 +297,7 @@ function sse_create_wordpress_files_archive( string $files_archive_path, string
 		);
 	}
 
-	if ( ! file_exists( $files_archive_path ) || filesize( $files_archive_path ) <= 0 ) { // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.file_exists_file_exists, WordPress.WP.AlternativeFunctions.file_system_operations_filesize -- Verifying generated local tar.gz payload.
+	if ( ! sse_filesystem_file_has_content( $files_archive_path ) ) {
 		return new WP_Error( 'files_archive_verify_failed', __( 'WordPress files archive was not created successfully.', 'enginescript-site-exporter' ) );
 	}
 
@@ -364,7 +364,7 @@ function sse_create_combined_engine_script_zip( array $bundle_paths ) {
 			sprintf(
 				/* translators: %s: filename */
 				__( 'Could not create ZIP file at %s', 'enginescript-site-exporter' ),
-				basename( $bundle_paths['combined_zip_path'] ) // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.system_calls_basename -- Safe usage: path is constructed from controlled export directory and sanitized filename.
+				wp_basename( $bundle_paths['combined_zip_path'] )
 			)
 		);
 	}
@@ -394,7 +394,7 @@ function sse_create_combined_engine_script_zip( array $bundle_paths ) {
 
 	$zip_close_status = $zip->close();
 
-	if ( ! $zip_close_status || ! file_exists( $bundle_paths['combined_zip_path'] ) ) { // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.file_exists_file_exists -- Verifying generated export archive.
+	if ( ! $zip_close_status || ! sse_filesystem_file_has_content( $bundle_paths['combined_zip_path'] ) ) {
 		sse_cleanup_files( [ $bundle_paths['combined_zip_path'] ] );
 		return new WP_Error( 'zip_finalize_failed', __( 'Failed to finalize or save the ZIP archive after processing files.', 'enginescript-site-exporter' ) );
 	}