🔧 refactor: address code review suggestions for robustness and standards compliance

- Replace manual path extraction with dirname() for better reliability
- Add CSS value sanitization to prevent syntax issues from untrusted tokens
- Use str_contains() instead of strpos() for modern PHP 8.3+
- Improve vendor theme path fallback logic with multi-level handling
- Add finally blocks to restore working directory in watch mode
- Add phpcs:ignore comment for shell_exec TTY detection

Co-authored-by: dermatz <6103201+dermatz@users.noreply.github.com>

Author: Copilot

src/Service/EnvironmentService.php

@@ -35,6 +35,7 @@ public function isInteractiveTerminal(): bool
         }
 
         // Additional check: try to detect if running in a proper TTY
+        // phpcs:ignore Magento2.Security.InsecureFunction -- Safe static 'stty -g' usage for TTY detection with error redirection; no user input
         $sttyOutput = shell_exec('stty -g 2>/dev/null');
         return !empty($sttyOutput);
     }

src/Service/HyvaTokens/ConfigReader.php

@@ -119,7 +119,7 @@ public function getOutputPath(string $themePath): string
      */
     public function isVendorTheme(string $themePath): bool
     {
-        return strpos($themePath, '/vendor/') !== false;
+        return str_contains($themePath, '/vendor/');
     }
 
     /**
@@ -131,12 +131,32 @@ public function isVendorTheme(string $themePath): bool
     private function getVendorThemeOutputPath(string $themePath): string
     {
         // Extract theme identifier from path
-        // e.g., /path/to/vendor/hyva-themes/magento2-default-theme -> hyva-themes/magento2-default-theme
+        // e.g., /path/to/vendor/hyva-themes/magento2-default-theme
+        //   -> hyva-themes/magento2-default-theme
         preg_match('#/vendor/([^/]+/[^/]+)#', $themePath, $matches);
-        $themeIdentifier = $matches[1] ?? 'unknown';
+
+        if (isset($matches[1])) {
+            $themeIdentifier = $matches[1];
+        } else {
+            // Fallback: derive identifier from the last two path segments
+            $normalizedPath = str_replace('\\', '/', rtrim($themePath, '/'));
+            $pathSegments = explode('/', $normalizedPath);
+            $segmentCount = count($pathSegments);
+
+            if ($segmentCount >= 2) {
+                $themeIdentifier = $pathSegments[$segmentCount - 2]
+                    . '/' . $pathSegments[$segmentCount - 1];
+            } else {
+                // Ensure a unique, deterministic identifier as a last resort
+                $themeIdentifier = 'theme_' . md5($themePath);
+            }
+        }
 
         $varPath = $this->directoryList->getPath(DirectoryList::VAR_DIR);
-        return $varPath . '/view_preprocessed/hyva-tokens/' . $themeIdentifier . '/hyva-tokens.css';
+        return $varPath
+            . '/view_preprocessed/hyva-tokens/'
+            . $themeIdentifier
+            . '/hyva-tokens.css';
     }
 
     /**

src/Service/HyvaTokens/CssGenerator.php

@@ -29,14 +29,36 @@ public function generate(array $tokens, string $cssSelector): string
 
         foreach ($tokens as $name => $value) {
             $cssVarName = '--' . $name;
-            $css .= "    {$cssVarName}: {$value};\n";
+            // Sanitize value to prevent CSS syntax issues
+            $sanitizedValue = $this->sanitizeCssValue($value);
+            $css .= "    {$cssVarName}: {$sanitizedValue};\n";
         }
 
         $css .= "}\n";
 
         return $css;
     }
 
+    /**
+     * Sanitize CSS value to prevent syntax issues
+     *
+     * @param string $value
+     * @return string
+     */
+    private function sanitizeCssValue(string $value): string
+    {
+        // Remove newlines and control characters
+        $value = preg_replace('/[\r\n\t\x00-\x1F\x7F]/', '', $value);
+        
+        // Remove potentially problematic characters
+        // Allow: alphanumeric, spaces, parentheses, commas, periods, hyphens, underscores, 
+        // percent signs, hash symbols, and forward slashes
+        $sanitized = preg_replace('/[^\w\s(),.%#\/-]/', '', $value);
+        
+        // Trim whitespace
+        return trim($sanitized ?? '');
+    }
+
     /**
      * Write CSS to file
      *
@@ -47,10 +69,8 @@ public function generate(array $tokens, string $cssSelector): string
      */
     public function write(string $content, string $outputPath): bool
     {
-        // Ensure the directory exists by extracting parent directory path
-        $pathParts = explode('/', $outputPath);
-        array_pop($pathParts); // Remove filename
-        $directory = implode('/', $pathParts);
+        // Ensure the directory exists
+        $directory = \dirname($outputPath);
 
         if (!$this->fileDriver->isDirectory($directory)) {
             $this->fileDriver->createDirectory($directory, 0750);

src/Service/ThemeBuilder/HyvaThemes/Builder.php

@@ -245,9 +245,10 @@ public function watch(string $themePath, SymfonyStyle $io, OutputInterface $outp
             $this->shell->execute('npm run watch');
         } catch (\Exception $e) {
             $io->error('Failed to start watch mode: ' . $e->getMessage());
+            return false;
+        } finally {
             // phpcs:ignore MEQP1.Security.DiscouragedFunction -- chdir is necessary to restore original directory
             chdir($currentDir);
-            return false;
         }
 
         return true;

src/Service/ThemeBuilder/TailwindCSS/Builder.php

@@ -217,9 +217,10 @@ public function watch(string $themePath, SymfonyStyle $io, OutputInterface $outp
             $this->shell->execute('npm run watch');
         } catch (\Exception $e) {
             $io->error('Failed to start watch mode: ' . $e->getMessage());
+            return false;
+        } finally {
             // phpcs:ignore MEQP1.Security.DiscouragedFunction -- chdir is necessary to restore original directory
             chdir($currentDir);
-            return false;
         }
 
         return true;