Add strict slug validation for plugin-tests and theme-tests commands

[Copilot]

When users pass plugin/theme names with invalid characters to scaffold plugin-tests or scaffold theme-tests, the generated bootstrap.php contains corrupted file paths like '/my-plugin/.php', causing PHP fatal errors on test execution.

Changes

• Strict Validation: Added regex validation in scaffold_plugin_theme_tests() to only allow alphanumeric characters (a-z, A-Z, 0-9), underscores (_), and dashes (-)
• Error handling: Shows clear error message instead of silently creating corrupted files
• Test coverage: Added Behat scenarios for both plugin-tests and theme-tests commands to verify rejection of invalid characters
• WordPress Compatibility: Aligned validation with WordPress naming conventions and other scaffold commands (like scaffold _s) to allow underscores

Example

// Before: wp scaffold plugin-tests my-plugin/
// Generated: require dirname( dirname( __FILE__ ) ) . '/my-plugin/.php';  ❌

// After: wp scaffold plugin-tests my-plugin/
// Error: Invalid plugin slug specified. The slug can only contain alphanumeric characters, underscores, and dashes.

The validation rejects:

• Slashes: my-plugin/ or my-plugin\
• Special characters: my@plugin, my.plugin
• Spaces: my plugin
• Parent directory references: ../plugin

The validation allows:

• Alphanumeric characters: MyPlugin, plugin123
• Dashes: my-plugin
• Underscores: my_plugin

The fix follows the existing pattern for invalid slug validation (. and ..) and implements the hard-error approach rather than silently transforming input.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Adding slashes at the end of plugin name on 'plugin-tests' subcomand generates corrupted bootstrap.php</issue_title>
<issue_description>Adding one or more slashes at the end of plugin name like for example:

%> wp-cli scaffold plugin-tests my-plugin/

runs right, but causes the creation of a corrupted bootstrap.php file that produces a PHP Fatal error on require() that file when launching tests.
(The usual message is like following: "PHP Fatal error: require(): Failed opening required '/path/to/my-plugin/.php' (include_path='.') in /path/to/my-plugin/tests/bootstrap.php on line 26.")

I'd like to send a PR in order to fix this for example by right trimming slashes to $slug before to send to mustache template.
</issue_description>

Comments on the Issue (you are @copilot in this section)

@danielbachhuber > I'd like to send a PR in order to fix this for example by right trimming slashes to `$slug` before to send to mustache template.

What do you think about hard-erroring instead? I'm not sure it makes sense to magically transform user input in this case; probably better to inform the user they've provided invalid input (as we've done in #26)</comment_new>
<comment_new>@danielbachhuber

So I'd like to send a PR very soon.

Sounds good! I'll defer to your judgement on what changes make sense.</comment_new>

• Fixes Adding slashes at the end of plugin name on 'plugin-tests' subcomand generates corrupted bootstrap.php #133

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR adds strict slug validation to the scaffold plugin-tests and scaffold theme-tests commands to prevent generating corrupted bootstrap.php files when users provide invalid characters like trailing slashes in plugin/theme names.

Key Changes:

• Added regex validation /^[a-zA-Z0-9-]+$/ to reject slugs with special characters
• Updated error messages from directory-based errors to character validation errors
• Added comprehensive test scenarios for slash, backslash, and underscore rejection

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
src/Scaffold_Command.php	Added regex validation to reject slugs containing characters other than alphanumerics and dashes
features/scaffold-plugin-tests.feature	Added test cases for rejecting slashes, backslashes, and underscores; updated error message expectations
features/scaffold-theme-tests.feature	Added test cases for rejecting slashes, backslashes, and underscores; updated error message expectations
features/scaffold-block.feature	Changed test command from I run to I try for invalid plugin slug scenario

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This test case validates that t12_child (with underscore) is rejected, but underscores are commonly used in WordPress theme directory names. This test enforces overly restrictive validation that would break compatibility with existing themes that use underscores in their slugs. The test should be removed or the validation logic should be updated to allow underscores.

[Copilot]

Fixed in commit e97b194. Removed this test case and updated validation to allow underscores.

[Copilot]

Inconsistency with other scaffold commands: The scaffold _s (underscores) command at line 369 uses the regex /^[a-z_]\w+$/i which explicitly allows underscores in theme slugs. The new validation for plugin-tests and theme-tests rejects underscores, creating an inconsistency where a user could scaffold a theme with underscores but then be unable to scaffold tests for it. The validation should be aligned with other scaffold commands to allow underscores.

Suggested change

	// Validate slug contains only alphanumeric characters and dashes.
	if ( ! preg_match( '/^[a-zA-Z0-9-]+$/', $slug ) ) {
	WP_CLI::error( "Invalid {$type} slug specified. The slug can only contain alphanumeric characters and dashes." );
	// Validate slug contains only alphanumeric characters, dashes, and underscores.
	if ( ! preg_match( '/^[a-zA-Z0-9_-]+$/', $slug ) ) {
	WP_CLI::error( "Invalid {$type} slug specified. The slug can only contain alphanumeric characters, dashes, and underscores." );

[Copilot]

Fixed in commit e97b194. Updated the regex to /^[a-zA-Z0-9_-]+$/ to allow underscores, making it consistent with the scaffold _s command validation. The error message now mentions "alphanumeric characters, underscores, and dashes".

[swissspidy]

@copilot address feedback