* fix: resolve plugin class loading reliability issues
* fix: address CodeRabbit XSS and accessibility findings from PR #18
- admin/js/admin-scripts.js: replace HTML string interpolation in showNotice
with DOM API construction and .text() to prevent XSS; whitelist type values
- admin/js/update-source-selector.js: replace .html(message) with .text(message)
in showMessage to prevent XSS from AJAX response content
- admin/templates/modal.php: add role=dialog, aria-modal=true, aria-labelledby
for screen reader semantics; replace <span> close control with <button> for
keyboard operability and proper ARIA role
- Replace tabs with spaces in test files
- Use require_once instead of require
- Add @return void to docblocks
- Define constants for repeated string literals
- Use WordPress spacing conventions
- Add use statements for cleaner class references
- Add yoast/phpunit-polyfills ^2.0 to composer.json for WordPress test suite compatibility
- Define WP_TESTS_PHPUNIT_POLYFILLS_PATH in bootstrap.php before loading WP test framework
- Update actions/cache to v4 (deprecated SHA references cause failures)
- Update actions/setup-java to v4
- Update codacy/codacy-analysis-cli-action to v4 tag (SHA ref not found)
- Update github/codeql-action/upload-sarif to v3
