First setup for PHPUnit tests in ValidForm Builder — see #161.

952 tests, 1,751 assertions — every reachable line in classes/ValidFormBuilder/ is covered. The suite passes under randomized test order and runs in ~0.13s.

Test suite

• One test class per source class (33 files under tests/ValidFormBuilder/), unified structure: #[Test] attributes, ValidFormBuilder\Tests namespace, assertSame over assertEquals.
• HtmlAssertionsTrait — shared DOM-level assertion helper. Rendered HTML is parsed with DOMXPath and asserted structurally (element counts, hierarchy, attribute values) instead of brittle substring checks. Captures/restores libxml error state per test.
• Every class got a dedicated security pass alongside functional coverage: XSS payloads through values/labels/meta, request tampering, array-input edge cases.
• Tests that mutate $_REQUEST/$_POST/$_FILES/$_SESSION clean up in tearDown(), so a failing test can't leak state into the next one.
• Known bugs are pinned with characterization tests that carry explicit KNOWN BUG comments and issue references (e.g. Page constructor does not store $meta — getMeta() and getShortHeader() always return defaults #204 — Page never stores constructor meta; Area::getDynamicCount() returns string instead of int). These tests fail loudly when the underlying bug gets fixed, flagging the assertion to flip.

Source fixes (driven by the tests)

Security:

• XSS: GroupField, SelectOption, and SelectGroup now escape value/label with htmlspecialchars(..., ENT_QUOTES) before rendering. Regression-tested with script/attribute injection payloads.
• DoS: Validator::validate() returned via exit() when an array submission contained an invalid element — a crafted request could kill the response mid-render. Now returns false (Validator::validate() calls exit() on invalid array element — terminates entire PHP request #199).

Bug fixes:

• Validator: VFORM_BOOLEAN regex tightened from /^[on]*$/i (a character class accepting o, nooo, ono, …) to /^(on)?$/i — exactly the two values an HTML checkbox submits (VFORM_BOOLEAN regex /^[on]*$/i accepts arbitrary sequences of o/n characters #200).
• Collection::seek(): reversed loop condition meant the internal pointer never advanced past position 0.
• Collection::inCollection(): with $blnReturnKey, returned stale key() state instead of the matched key (PHP 7+ foreach no longer advances the internal pointer).
• Comparison: added the missing VFORM_COMPARISON_DOES_NOT_CONTAIN case; cast preg_match() result to bool as documented.
• Condition::addComparison(): new \ReflectionClass("Comparison") resolved against the global namespace (always fatal) — now Comparison::class; argument extraction used array_keys() where array_values() was intended.
• Base::__sanitizeCheckForJs(): keep the /u regex flag when the pattern uses \p{...} Unicode property escapes (required in JavaScript).

Unreachable code: two provably unreachable defensive branches (Base::addCondition() catch, Condition::addComparison() else) carry inline comments explaining why they cannot be reached and flagging them as candidates for deletion. They are the only uncovered lines in the coverage report.

Backwards-compatibility notes

• VFORM_BOOLEAN now rejects garbage values (o, nooo, true, 1) that previously validated. Standard checkbox submissions ("" / "on") are unaffected.
• Validator::validate() no longer terminates the request on invalid array elements; it returns false. Code relying on the old exit() behavior will now continue executing.

Tooling & CI

• phpunit.xml — PHPUnit 11.5 config; coverage source is the full classes/ directory, no exclusions.
• .github/workflows/php-unit.yml — runs the suite on PR, with line/method coverage gates at 70% (pcov on PHP 8.4).
• composer.json — adds phpunit/phpunit ^11.5 + phpdocumentor/shim to require-dev, ext-mbstring requirement, platform PHP 8.2.
• AGENTS.md / CLAUDE.md / README.md — document the test commands, Docker pcov coverage workflow, and testing conventions.

Known follow-up

ValidWizard::isSubmitted() does not validate the CSRF token, unlike its parent ValidForm::isSubmitted() — discovered and documented by the new tests (ValidWizardTest::isSubmittedReturnsTrueWhenDispatchKeyMatches). Tracked in #208.

Per-class checklist

The item is checked if a unit test is added.

• Area — closes Test for Area class #162
• Base — closes Test for Base class #163
• Button — closes Test for Button class #164
• Checkbox — closes Test for Checkbox class #165
• ClassDynamic — closes Test for ClassDynamic class #166
• Collection — closes Test for Collection class #167
• Comparison — closes Test for Comparison class #168
• Condition — closes Test for Condition class #169
• Element — closes Test for Element class #170
• Fieldset — closes Test for Fieldset class #171
• FieldValidator — closes Test for FieldValidator class #172
• File — closes Test for File class #173
• Group — closes Test for Group class #174
• GroupField — closes Test for GroupField class #175
• Hidden — closes Test for Hidden class #176
• MultiField — closes Test for MultiField class #177
• Navigation — closes Test for Navigation class #178
• Note — closes Test for Note class #179
• Page — closes Test for Page class #180
• Paragraph — closes Test for Paragraph class #181
• Password — closes Test for Password class #182
• Select — closes Test for Select class #183
• SelectGroup — closes Test for SelectGroup class #184
• SelectOption (covered by SelectTest and SelectOptionTest)
• StaticText — closes Test for StaticText class #185
• Text — closes Test for Text class #186
• Textarea — closes Test for Textarea class #187
• Validator — closes Test for Validator class #188
• ValidForm — closes Test for ValidForm class #189
• ValidWizard — closes Test for ValidWizard class #190