Code Review for PR #25 (Wave A)
Reviewer: Claude Code (2026-05-07)
Scope: class-hcqg-load-monitor.php, class-hcqg-priority-registry.php, tests/bootstrap.php, composer.json, phpunit.xml.dist, and associated tests
Fix Now
Fix Before Production
Fix Later (Test Infrastructure)
Noted (No Action Required)
- L6.
get_registry() rebuilds on every get_priority() call (no memoization). Minor perf concern; add static cache if it becomes measurable.
- L7.
time() in evaluate_level makes it non-deterministic. An optional $now parameter would improve testability.
- L8.
phpunit.xml.dist uses deprecated PHPUnit 9 attributes. Fine for now (pinned to ^9.6), remove when upgrading to PHPUnit 10.
- L12. Missing test edge cases: regex metacharacters in priority patterns, empty string hook name, catch-all
* pattern, evaluate_level with previous=critical + no signals, add_option vs update_option branching.
Code Review for PR #25 (Wave A)
Reviewer: Claude Code (2026-05-07)
Scope:
class-hcqg-load-monitor.php,class-hcqg-priority-registry.php,tests/bootstrap.php,composer.json,phpunit.xml.dist, and associated testsFix Now
class-hcqg-load-monitor.php:117—apcu_fetch('throttle_state')uses no namespace prefix. On shared hosting with shared APCu memory, multiple WordPress sites read/write each other's throttle state. Fix: prefix withself::CACHE_GROUP . ':'. (Fixed in e4dc882)Fix Before Production
get_thresholds()allows filter to inject unknown keys —class-hcqg-load-monitor.php:71—array_merge(DEFAULT_THRESHOLDS, $thresholds)permits uncontrolled array growth. Fix:array_merge(self::DEFAULT_THRESHOLDS, array_intersect_key($thresholds, self::DEFAULT_THRESHOLDS)). (Fixed in 146e0ed)composer.json:4— Type iswordpress-mupluginbut plugin lives inwp-content/plugins/andcomposer/installersis not required. Change towordpress-pluginor document the intended deployment target. (Fixed in 146e0ed)Fix Later (Test Infrastructure)
collect_metrics()/probe_*/run_mysqli_query()— The entire MySQL metrics subsystem that drives throttle decisions is untested. Add integration tests or at minimum testcollect_metrics()with a stubbed$wpdb->dbh.wp_cache_setstub drops TTL parameter —tests/bootstrap.php:163— Production code passes TTL as 4th arg; stub silently ignores it. Add$expire = 0to the stub signature.add_filter/add_actionstubs ignore priority andaccepted_args—tests/bootstrap.php:127,178— Add$priority = 10, $accepted_args = 1parameters for forward compatibility.add_optionandupdate_optionstubs have incomplete signatures —tests/bootstrap.php:140,149— Add missing$deprecated,$autoloadparameters.Noted (No Action Required)
get_registry()rebuilds on everyget_priority()call (no memoization). Minor perf concern; add static cache if it becomes measurable.time()inevaluate_levelmakes it non-deterministic. An optional$nowparameter would improve testability.phpunit.xml.distuses deprecated PHPUnit 9 attributes. Fine for now (pinned to^9.6), remove when upgrading to PHPUnit 10.*pattern,evaluate_levelwith previous=critical + no signals,add_optionvsupdate_optionbranching.