fix[faustwp]: (#2311) clean up uploaded blockset zip when extraction fails

[latenighthackathon]

Summary

When unzip_uploaded_file() returns a WP_Error inside process_and_replace_blocks(), the moved-but-never-extracted .zip was left on disk at the predictable path wp-content/uploads/faustwp/blocks/. Repeated failures accumulate dead files.

This PR deletes the target file before returning the error so the upload slot stays clean. The endpoint is auth-gated by the x-faustwp-secret header, so this is hygiene-class rather than directly exploitable, but it's still incorrect cleanup behaviour.

Related Issue

Closes #2311

Split out from #2312 per @josephfusco's review feedback — the hash_equals() security hardening landed via #2312 (merged as 5d73ec86) so each change could be reviewed and reverted independently.

Confirm the issue (on canary)

sed -n '52,58p' plugins/faustwp/includes/blocks/functions.php
# Expected on canary (before fix):
#   $unzip_result = unzip_uploaded_file( $target_file, $dirs['target'] );
#   if ( is_wp_error( $unzip_result ) ) {
#       return $unzip_result;       ← no delete of $target_file
#   }

Confirm the fix (this branch)

sed -n '52,58p' plugins/faustwp/includes/blocks/functions.php
# Expected:
#   $unzip_result = unzip_uploaded_file( $target_file, $dirs['target'] );
#   if ( is_wp_error( $unzip_result ) ) {
#       $wp_filesystem->delete( $target_file );
#       return $unzip_result;
#   }

Run the test suite (corrected from earlier draft)

NOTE: there is no package.json in plugins/faustwp/. The plugin's scripts are Composer scripts, not npm scripts. The commands below mirror what CI runs (.github/workflows/unit-test-plugin.yml).

cd plugins/faustwp
composer install
composer phpcs -- includes/blocks/functions.php tests/unit/BlockFunctionTests.php

WP_VERSION=6.8 composer run docker:start
docker compose exec wordpress init-testing-environment.sh
docker compose exec -w /var/www/html/wp-content/plugins/faustwp wordpress \
  wp plugin install wp-graphql --activate --allow-root

# New unit tests for process_and_replace_blocks (the function the fix touches)
docker compose exec -w /var/www/html/wp-content/plugins/faustwp wordpress \
  ./vendor/bin/phpunit --filter=process_and_replace_blocks
# Expected: OK (2 tests, 6 assertions)

# Full suite (single-site + multisite), what CI runs
docker compose exec -w /var/www/html/wp-content/plugins/faustwp wordpress \
  composer test
# Expected: OK on both runs

The test_process_and_replace_blocks_cleans_up_on_unzip_failure test is the regression guard — verified to fail when the new $wp_filesystem->delete() line is reverted (Mockery reports delete should be called exactly 1 times but called 0 times), pass with it in place.

Checklist

• Targets canary
• Changeset added (@faustwp/wordpress-plugin patch)
• Regression test added (tests/unit/BlockFunctionTests.php) — covers both unzip-failure path and success path
• PHPCS clean on touched files
• PHPUnit green on single-site and multisite

[headless-platform-by-wp-engine]

Currently, we do not support the creation of preview deployments based on changes coming from forked repositories.
Learn more about preview environments in our documentation.

[changeset-bot]

🦋 Changeset detected

Latest commit: a0302a8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@faustwp/wordpress-plugin	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[headless-platform-by-wp-engine]

Currently, we do not support the creation of preview deployments based on changes coming from forked repositories.
Learn more about preview environments in our documentation.