feat: TYPO3 v13+v14 modernization with task dialog, context zoom, and full test coverage

[CybotTM]

Summary

Major modernization of t3x-cowriter for TYPO3 v13 and v14: a task-based cowriter dialog, context-aware AI processing with "context zoom," clean prompt architecture, and a comprehensive testing pyramid — backed by a ddev demo environment for hands-on verification.

Task-based cowriter dialog

• Task selection dialog with predefined AI operations (improve, summarize, translate, structure, etc.)
• Ad-hoc rules for user-specified overrides per execution
• Runtime editor capability detection (CKEditor plugin introspection) so the LLM knows what formatting is available
• Seed data for 10 built-in cowriter tasks via ddev seed-cowriter-tasks

Context zoom

• Server-side context assembly: selection → text → element → record → page → reference pages
• Context zoom slider in the dialog UI for controlling how much surrounding content the LLM sees
• Reference page picker for cross-page context
• Separate system messages for scope constraints, reference context, and editor capabilities
• getContext preview endpoint for word count / summary before execution

Clean prompt architecture

• Task templates focus on WHAT (improve, summarize) — not HOW (no formatting prescriptions)
• System messages handle scope, available formatting, and surrounding context
• Ad-hoc rules injected as explicit overrides ("follow these exactly")
• Removed fragile regex hack that stripped formatting instructions at runtime

Testing

• 354 PHP unit tests + 122 JS tests, 100% coverage with mutation testing (Infection)
• Streaming E2E tests with Ollama integration
• Fuzz testing for edge cases (malformed JSON, XSS payloads, Unicode)

TYPO3 v13 + v14 compatibility

• Fix DI compilation for cache service on v14
• Fix backend route identifiers (ajax_ prefix)
• Resolve composer dependency conflicts for PHP 8.2–8.5
• Auto-activate cowriter RTE preset via page.tsconfig
• Adapt E2E tests to v14 iframe + dialog architecture

ddev demo environment

• Dual-site setup: v13 + v14 running side by side
• Demo page tree with RTE content for testing the cowriter plugin
• Auto-seeded Ollama LLM configuration
• seed-pages / seed-ollama / seed-cowriter-tasks commands
• Landing page with quick links to both backends

Upstream dependency fixes

• nr_vault v0.4.1: Fix XLF label keys + module parent v13 compatibility (#92)
• nr_llm v0.2.2: Fix module parent v13 compatibility (#74)

Test plan

• make up completes successfully (both v13 and v14 install)
• v14 backend: Vault module loads without 503, CKEditor shows cowriter button
• v13 backend: LLM + Vault modules visible, CKEditor shows cowriter button
• Cowriter dialog: select "Improve Text" on a paragraph → output stays paragraph-scoped
• Context zoom: slide to "page" scope → LLM sees surrounding content as reference
• Ad-hoc rules: add "use formal tone" → output respects the override
• Unit tests pass: composer ci:test:php:unit (354 tests)
• JS tests pass: npx vitest run (122 tests)
• CI pipeline green

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

composer.json

Package	Version	License	Issue Type
netresearch/nr-llm	>= 0.3, < 0.4	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	6044e13b5dc448c55e2357c09f80417699197238	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/codecov/codecov-action	ad3126e916f78f00edff4ed0317cf185271ccc2d	🟢 7	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST 🟢 9 SAST tool detected but not run on all commits CI-Tests 🟢 9 29 out of 30 merged PRs checked by a CI test -- score normalized to 9 Contributors 🟢 10 project has 13 contributing companies or organizations
actions/shivammathur/setup-php	44454db4f0199b8b9685a5d763dc37cbf79108e1	🟢 7	Details Check Score Reason Maintained 🟢 10 22 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 0 Found 0/24 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST 🟢 7 SAST tool detected but not run on all commits
actions/step-security/harden-runner	a90bcbc6539c36a85cdfeb73f7e2f433735f215b	🟢 8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 10 out of 10 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 15 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected
composer/infection/infection	>= 0.29, < 0.30	Unknown	Unknown
composer/netresearch/nr-llm	>= 0.3, < 0.4	Unknown	Unknown
npm/@playwright/test	^1.58.2	Unknown	Unknown

Scanned Files

• .github/workflows/testing.yml
• composer.json
• package.json

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly elevates the project's testing pyramid by introducing advanced testing methodologies and tightening existing configurations. The changes aim to enhance the overall stability, security, and maintainability of both PHP and JavaScript components by rigorously testing against a wider array of scenarios, including edge cases, malformed inputs, and potential injection vulnerabilities. This comprehensive approach ensures a higher degree of confidence in the codebase's resilience and correctness.

Highlights

• Enhanced JavaScript Test Coverage: Achieved 100% JavaScript line coverage, significantly increasing from 78.67%, by adding 16 new test cases.
• Comprehensive PHP Fuzz Testing: Introduced 91 new PHP fuzz tests for the CompleteRequest DTO to ensure robustness against adversarial and malformed inputs.
• Mutation Testing Integration: Integrated mutation testing infrastructure using infection ^0.29 to assess the quality and effectiveness of existing tests.
• Configured Codecov Flags: Added Codecov flags for php-unit, php-integration, php-e2e, and javascript to provide granular coverage reporting.
• Stricter PHPUnit Configuration: Set failOnWarning="true" across all PHPUnit configurations (E2E, Integration, Unit tests) to enforce stricter test outcomes.
• Extended CI Testing Workflow: Expanded the continuous integration workflow to include mutation testing, JavaScript coverage checks, and fuzz testing.

Changelog

• Build/phpunit/E2ETests.xml
  • Updated PHPUnit configuration to fail on warnings.
• Build/phpunit/FunctionalTests.xml
  • Removed coverage report configuration.
• Build/phpunit/IntegrationTests.xml
  • Updated PHPUnit configuration to fail on warnings.
• Build/phpunit/UnitTests.xml
  • Updated PHPUnit configuration to fail on warnings.
• Tests/JavaScript/AIService.test.js
  • Added a test case to verify onChunk is called for content in the final buffer flush.
• Tests/JavaScript/UrlLoader.test.js
  • Added a test case for DOMContentLoaded listener when the document is loading.
• Tests/JavaScript/cowriter.test.js
  • Added extensive test cases for the button execute handler, covering various scenarios like processing state, selection handling, AI service interaction, HTML sanitization, error handling, and edge cases for input.
• Tests/Unit/Domain/DTO/CompleteRequestFuzzTest.php
  • Added a new file containing comprehensive fuzz tests for the CompleteRequest DTO, covering null byte, control character, Unicode, injection attack, malformed JSON, boundary condition, type coercion, and randomized payload scenarios.
• codecov.yml
  • Added a new Codecov configuration file, defining precision, range, project/patch status, and flags for different PHP and JavaScript test types, along with ignore paths.
• composer.json
  • Added infection/infection as a development dependency.
  • Added infection/extension-installer to allowed Composer plugins.
  • Reordered some require-dev entries.
• infection.json5
  • Added a new file for Infection mutation testing configuration, specifying source directories, log paths, PHPUnit configuration, mutators, and minimum mutation score indicators.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/testing.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

❌ Patch coverage is 98.37703% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 98.67%. Comparing base (6461395) to head (5c85b3f).
⚠️ Report is 41 commits behind head on main.

Files with missing lines	Patch %	Lines
Classes/Service/ContextAssemblyService.php	95.55%	6 Missing ⚠️
Classes/Controller/AjaxController.php	98.20%	3 Missing ⚠️
Classes/Domain/DTO/ExecuteTaskRequest.php	97.53%	2 Missing ⚠️
...urces/Public/JavaScript/Ckeditor/CowriterDialog.js	99.67%	1 Missing ⚠️
Resources/Public/JavaScript/Ckeditor/cowriter.js	97.50%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main      #85      +/-   ##
============================================
+ Coverage     97.33%   98.67%   +1.34%     
- Complexity      127      229     +102     
============================================
  Files             7       14       +7     
  Lines           450     1282     +832     
  Branches          0      110     +110     
============================================
+ Hits            438     1265     +827     
- Misses           12       17       +5     

Flag	Coverage Δ
functional	0.00% <0.00%> (ø)
javascript	99.59% <99.48%> (?)
php-e2e	34.87% <24.69%> (?)
php-integration	12.82% <3.38%> (?)
php-unit	98.97% <98.06%> (?)
unit	98.97% <98.06%> (+0.76%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
Classes/Domain/DTO/CompleteRequest.php	100.00% <ø> (ø)
Classes/Domain/DTO/CompleteResponse.php	100.00% <100.00%> (ø)
Classes/Domain/DTO/ContextRequest.php	100.00% <100.00%> (ø)
Classes/EventListener/InjectAjaxUrlsListener.php	100.00% <100.00%> (+12.90%)	⬆️
Classes/Service/RateLimiterService.php	100.00% <100.00%> (ø)
Resources/Public/JavaScript/Ckeditor/AIService.js	100.00% <100.00%> (ø)
Resources/Public/JavaScript/Ckeditor/UrlLoader.js	100.00% <100.00%> (ø)
...urces/Public/JavaScript/Ckeditor/CowriterDialog.js	99.67% <99.67%> (ø)
Resources/Public/JavaScript/Ckeditor/cowriter.js	98.18% <97.50%> (ø)
Classes/Domain/DTO/ExecuteTaskRequest.php	97.53% <97.53%> (ø)
... and 2 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gemini-code-assist]

Code Review

This pull request significantly enhances the testing pyramid by achieving 100% JavaScript test coverage, introducing fuzz tests for the CompleteRequest DTO, and integrating mutation testing, while also tightening PHPUnit configurations. No security vulnerabilities were identified. A key suggestion is to further harden the CompleteRequest DTO by implementing a length limit for model names, which would effectively complement the newly added fuzz tests.

[Copilot]

Pull request overview

This PR significantly expands the test coverage of the t3-cowriter TYPO3 extension. It adds 91 PHP "fuzz" tests (parametrized data-provider tests with adversarial inputs) for CompleteRequest, 16 new JavaScript tests for the cowriter.js button execute handler and UrlLoader/AIService edge cases, sets up mutation testing infrastructure via Infection, and adds a new "Extended Testing" GitHub Actions workflow. PHPUnit configs are also hardened with failOnWarning="true".

Changes:

• Added CompleteRequestFuzzTest.php with extensive adversarial/boundary tests for the DTO
• Added new JavaScript tests for cowriter.js execute handler, UrlLoader.js auto-init, and AIService.js buffer flush
• Added infrastructure: infection.json5, codecov.yml, and .github/workflows/testing.yml
• Enabled failOnWarning="true" in all PHPUnit configs; removed legacy <coverage> block from FunctionalTests.xml

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
Tests/Unit/Domain/DTO/CompleteRequestFuzzTest.php	91 parametrized fuzz/adversarial tests for CompleteRequest::fromRequest() and isValid()
Tests/JavaScript/cowriter.test.js	16 new tests for button execute handler including success, error, and edge-case paths
Tests/JavaScript/AIService.test.js	1 new test for final SSE buffer flush content delivery
Tests/JavaScript/UrlLoader.test.js	1 new test for DOMContentLoaded auto-initialization path
infection.json5	New Infection mutation testing configuration file
codecov.yml	New Codecov configuration with per-flag coverage tracking
.github/workflows/testing.yml	New workflow for mutation testing, JS coverage, and fuzz testing jobs
composer.json	Added infection/infection and its plugin to dev dependencies
Build/phpunit/UnitTests.xml	Changed failOnWarning from false to true
Build/phpunit/IntegrationTests.xml	Changed failOnWarning from false to true
Build/phpunit/E2ETests.xml	Changed failOnWarning from false to true
Build/phpunit/FunctionalTests.xml	Changed failOnWarning + removed <coverage> report block

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Warning

Large PR detected: 2826 lines changed across 25 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Warning

Large PR detected: 2831 lines changed across 26 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Warning

Large PR detected: 2909 lines changed across 31 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Warning

Large PR detected: 2947 lines changed across 33 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Warning

Large PR detected: 3443 lines changed across 38 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Warning

Large PR detected: 3445 lines changed across 39 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Warning

Large PR detected: 3458 lines changed across 39 files.
Consider splitting this PR into smaller, focused changes for easier review.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[Copilot]

Pull request overview

Copilot reviewed 79 out of 83 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.

[Copilot]

Pull request overview

Copilot reviewed 80 out of 84 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Automated approval for solo maintainer project

This PR has passed all automated quality gates:

• ✅ Static analysis (PHPStan)
• ✅ Code style (PHP-CS-Fixer)
• ✅ Unit & functional tests
• ✅ Security scanning
• ✅ Dependency review

See SECURITY_CONTROLS.md for compensating controls documentation.