Cacti · somethingwithproof · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,47 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main, master, develop, regression-audit]
+    paths-ignore:
+      - "**/*.php"
+      - "**/*.md"
+  pull_request:
+    branches: [main, master, develop, regression-audit]
+    paths-ignore:
+      - "**/*.php"
+      - "**/*.md"
+  schedule:
+    - cron: "30 1 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript-typescript", "python"]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml
@@ -0,0 +1,54 @@
+# +-------------------------------------------------------------------------+
+# | Copyright (C) 2004-2026 The Cacti Group                                 |
+# |                                                                         |
+# | This program is free software; you can redistribute it and/or           |
+# | modify it under the terms of the GNU General Public License             |
+# | as published by the Free Software Foundation; either version 2          |
+# | of the License, or (at your option) any later version.                  |
+# |                                                                         |
+# | This program is distributed in the hope that it will be useful,         |
+# | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
+# | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           |
+# | GNU General Public License for more details.                            |
+# +-------------------------------------------------------------------------+
+# | Cacti: The Complete RRDtool-based Graphing Solution                     |
+# +-------------------------------------------------------------------------+
+# | This code is designed, written, and maintained by the Cacti Group. See  |
+# | about.php and/or the AUTHORS file for specific developer information.   |
+# +-------------------------------------------------------------------------+
+# | http://www.cacti.net/                                                   |
+# +-------------------------------------------------------------------------+
+
+name: PHPStan Static Analysis
+
+on:
+  push:
+    branches: [ 1.2.x ]
+  pull_request:
+    branches: [ 1.2.x ]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: phpstan-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  phpstan:
+    runs-on: ubuntu-latest
+    name: PHPStan Level 5
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.1'
+          extensions: ldap, xml, curl, mbstring
+          tools: phpstan
+
+      - name: Run PHPStan
+        run: phpstan analyse --configuration=phpstan.neon --no-progress
diff --git a/.github/workflows/security-proof.yml b/.github/workflows/security-proof.yml
@@ -0,0 +1,80 @@
+name: Security Proof Guardrails
+
+on:
+  push:
+    branches: [develop, 1.2.x]
+  pull_request:
+    branches: [develop, 1.2.x]
+  workflow_dispatch:
+    inputs:
+      repo_name:
+        description: "Repository to query for advisory source data (owner/name)"
+        required: false
+        default: "Cacti/cacti"
+      branch_list:
+        description: "Space-separated branch list to evaluate"
+        required: false
+        default: "1.2.x develop"
+      strict_gate:
+        description: "Fail run when unresolved advisories remain"
+        required: false
+        default: "false"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: security-proof-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sink-inventory-guard:
+    name: sink and architectural hotspot guard
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Verify tracked sink baseline
+        run: scripts/security/verify_sink_inventory.sh
+
+      - name: Verify no new architectural hotspots
+        run: scripts/security/verify_architectural_hotspots.sh
+
+  advisory-proof-matrix:
+    name: private advisory proof matrix
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build proof matrix
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          out_dir="security/proof-run/${GITHUB_RUN_ID}"
+          mkdir -p "${out_dir}"
+          scripts/security/build_private_advisory_matrix.sh \
+            "${{ inputs.repo_name }}" \
+            "${{ inputs.branch_list }}" \
+            "${out_dir}"
+          scripts/security/build_sink_inventory.sh > "${out_dir}/sink_inventory.current.tsv"
+          scripts/security/build_architectural_helper_report.sh --summary > "${out_dir}/architectural_helper.summary.tsv"
+          scripts/security/build_architectural_helper_report.sh --hotspots > "${out_dir}/architectural_helper.hotspots.tsv"
+
+      - name: Enforce closure gate
+        if: inputs.strict_gate == 'true'
+        run: |
+          set -euo pipefail
+          scripts/security/verify_private_advisory_matrix.sh "security/proof-run/${GITHUB_RUN_ID}/private_advisory_proof_matrix.tsv"
+
+      - name: Upload proof artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: private-advisory-proof-${{ github.run_id }}
+          path: security/proof-run/${{ github.run_id }}
+          if-no-files-found: error
diff --git a/.github/workflows/syntax.yml b/.github/workflows/syntax.yml
@@ -23,9 +23,9 @@ name: Cacti Commit Audit
 
 on:
   push:
-    branches: [ develop ]
+    branches: [ develop, 1.2.x ]
   pull_request:
-    branches: [ develop ]
+    branches: [ develop, 1.2.x ]
 
 permissions:
   contents: read
@@ -60,7 +60,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest]
-        php: ['8.1', '8.2', '8.3', '8.4']
+        php: ${{ fromJSON((github.base_ref == '1.2.x' || github.ref_name == '1.2.x') && '["7.4","8.0","8.1","8.2","8.3","8.4"]' || '["8.1","8.2","8.3","8.4"]') }}
         experimental: [false]
 
     services:

diff --git a/.gitignore b/.gitignore
@@ -64,6 +64,8 @@ resource/**
 
 # Ignore Cacti script files/folders
 scripts/**
+!scripts/security/
+!scripts/security/*.sh
 
 # Ignore Custom Cacti theme folders
 include/themes/*/*
@@ -99,6 +101,12 @@ include/vendor/csrf/csrf-secret.php
 # Ignore visual studio code
 .vscode/**
 
+# Ignore local developer tooling state (Claude Code, oh-my-claudecode, git worktrees, local notes)
+.claude/
+.omc/
+.worktrees/
+notepad.md
+
 # Ignore vendor folders
 include/vendor/**
 vendor/**

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,21 +3,21 @@ repos:
     hooks:
       - id: lintcheck
         name: PHP Lint Checking
-        entry: sh tests/tools/pre-commit-check.sh lint
+        entry: composer run-script lint
         language: system
-        types: [php]
+        files: ^app/
         always_run: true
 
       - id: phpcsfixer
         name: PHP CS Fixer Validation
-        entry: sh tests/tools/pre-commit-check.sh phpcsfixer
+        entry: composer run-script phpcsfixer
         language: system
-        types: [php]
+        files: ^app/
         always_run: true
 
       - id: phpstan
         name: PHPStan Validation
-        entry: sh tests/tools/pre-commit-check.sh phpstan
+        entry: composer run-script phpstan
         language: system
-        types: [php]
+        files: ^app/
         always_run: true
diff --git a/CHANGELOG b/CHANGELOG
@@ -2,7 +2,6 @@ Cacti CHANGELOG
 
 1.3.0-dev
 -issue#6762: Harden lib/ping.php: apply cacti_escapeshellarg() to hostname in native ping and fping shell commands
--issue#6760: Harden link.php: apply sanitize_uri() to HTTP_REFERER before redirect
 -issue#6761: Harden auth_changepassword.php: apply sanitize_uri() to HTTP_REFERER in all redirect paths
 -issue: Fix loose $db_conn comparison in db_table_exists and db_column_exists
 -issue#6545: Add 30 and 60 second timeout options for Remote Agent and Poller settings