fix(envlite): treat fetched salts as literal in Phase 7 render

api.wordpress.org/secret-key/1.1/salt/ returns random bytes that can
contain \`\$\` and \`\\\`. Passing those bytes as preg_replace's
replacement argument means sequences like \`\$1\`, \`\\1\`, or \`\$&\`
get interpreted as backreferences and silently corrupt the salts that
land in src/wp-config.php. Switch to preg_replace_callback so the
salts block is inserted verbatim regardless of what characters it
contains.

Pinned by a regression test that feeds backreference-shaped bytes
through the render path and asserts they survive verbatim.

Author: sirreal

tools/local-env/envlite.php

@@ -662,13 +662,22 @@ function envlite_phase7_render(string $sample, int $port, ?string $saltsBlock):
     $cfg = strtr($sample, $dbReplacements);
 
     // 2. Salt block: AUTH_KEY through NONCE_SALT, 8 contiguous define()s.
+    // The salts API returns random bytes that can include `$` and `\`; using
+    // them as preg_replace's replacement argument would let sequences like
+    // `$1` or `\1` be interpreted as backreferences and silently corrupt the
+    // saved salts. Use a callback so the block is inserted as a literal.
     if ($saltsBlock !== null) {
         $pattern = '/define\(\s*\'AUTH_KEY\'.*?define\(\s*\'NONCE_SALT\'\s*,\s*\'[^\']*\'\s*\);/s';
         $count = preg_match_all($pattern, $cfg, $m);
         if ($count !== 1) {
             throw new \RuntimeException("phase 7: expected exactly one salt block, found $count");
         }
-        $cfg = preg_replace($pattern, $saltsBlock, $cfg, 1);
+        $cfg = preg_replace_callback(
+            $pattern,
+            static function () use ($saltsBlock) { return $saltsBlock; },
+            $cfg,
+            1
+        );
     }
 
     // 3. Inject WP_HOME / WP_SITEURL before the marker.

tools/local-env/tests/test_phase7.php

@@ -42,3 +42,24 @@ function test_phase7_render_keeps_sample_salts_when_null_provided() {
     // 8 sample salt lines remain unchanged
     envlite_assert_eq(8, substr_count($out, "'put your unique phrase here'"));
 }
+
+function test_phase7_render_treats_salts_as_literal_not_backreferences() {
+    // The salts API returns random bytes; some include `$` and `\` which
+    // preg_replace's replacement argument would interpret as backreferences.
+    // The render path must insert the salts as a literal block.
+    $sample = file_get_contents(dirname(__DIR__, 3) . '/wp-config-sample.php');
+    $literalBlock =
+          "define( 'AUTH_KEY', 'a\$1b\\\\1c\$&d' );\n"
+        . "define( 'SECURE_AUTH_KEY', 'X' );\n"
+        . "define( 'LOGGED_IN_KEY', 'X' );\n"
+        . "define( 'NONCE_KEY', 'X' );\n"
+        . "define( 'AUTH_SALT', 'X' );\n"
+        . "define( 'SECURE_AUTH_SALT', 'X' );\n"
+        . "define( 'LOGGED_IN_SALT', 'X' );\n"
+        . "define( 'NONCE_SALT', 'X' );";
+    $out = envlite_phase7_render($sample, 8421, $literalBlock);
+    envlite_assert(
+        strpos($out, "define( 'AUTH_KEY', 'a\$1b\\\\1c\$&d' );") !== false,
+        'metacharacters in salts must survive verbatim'
+    );
+}