|
2 | 2 | applyTo: '**' |
3 | 3 | --- |
4 | 4 |
|
5 | | -# WordPress Plugin Development Standards |
| 5 | +# Optimizations ACE MC — Development Standards |
6 | 6 |
|
7 | | -## 🎯 Core Principles |
| 7 | +## Environment |
8 | 8 |
|
9 | | -**Work Environment:** Remote GitHub Codespaces only. Never suggest local Terminal commands. |
| 9 | +- **Work in:** Remote GitHub Codespaces only. Never suggest local terminal commands. |
| 10 | +- **WordPress:** 6.5+ minimum |
| 11 | +- **PHP:** 8.1+ minimum (use typed properties, readonly, enums, union types, named arguments) |
| 12 | +- **WooCommerce:** 5.0+ (guaranteed active — no activation checks needed) |
| 13 | +- **WP Store Locator:** (guaranteed active — no activation checks needed) |
| 14 | +- **Standards:** Follow [WordPress Coding Standards](https://developer.wordpress.org/coding-standards/) for PHP, JS, CSS, HTML, and accessibility |
10 | 15 |
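Review bot: `guaranteed active — no activation checks needed` on the WooCommerce and WP Store Locator lines removes the only guard against a fatal error when either plugin is deactivated, or updated out from under this one. Since the floor is now WordPress 6.5, declare both dependencies with the `Requires Plugins` plugin header that 6.5 introduced, so core refuses to activate this plugin without them, and keep a cheap `class_exists()` / `function_exists()` check at the call sites that touch their APIs. WP Store Locator also has no minimum version stated, unlike WooCommerce `5.0+`, so code written against a newer Store Locator API has no documented floor.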
|
11 | | -**WordPress First:** Use WordPress APIs, hooks, and standards exclusively. Avoid non-WP frameworks. |
| 16 | +## Security |
12 | 17 |
|
13 | | -**Security Critical:** Sanitize all input, escape all output, use WordPress security functions. |
| 18 | +All security rules are **mandatory and non-negotiable**. |
14 | 19 |
|
15 | | -**Thorough Analysis:** Read complete files (minimum 1500 lines) for accurate code review. |
| 20 | +**Input:** Sanitize all user input — `sanitize_text_field()`, `sanitize_email()`, `wp_kses()`, `absint()`. Validate with `is_email()`, `wp_verify_nonce()`. Use `$wpdb->prepare()` for database queries — never raw SQL. |
16 | 21 |
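Review bot: the `Input` line mixes three different controls, and `wp_verify_nonce()` is not input validation (it belongs with the CSRF guidance under Authorization). It should state that the `sanitize_*()` calls normalize but do not validate, so a sanitized value still needs a type or range check before use, and that `$wpdb->prepare()` placeholders cover values only: a table or column name derived from input needs the `%i` identifier placeholder (available since WordPress 6.2, so within the stated 6.5 floor) or an allow-list, otherwise `never raw SQL` is still violated by concatenating identifiers into the query string.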
|
17 | | -## 📋 Essential Requirements |
| 22 | +**Output:** Escape all dynamic output — `esc_html()`, `esc_attr()`, `esc_url()`, `esc_js()`. |
18 | 23 |
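Review bot: `esc_js()` is only safe for strings dropped into inline event-handler attributes; data handed to scripts should go through `wp_json_encode()` with `wp_add_inline_script()`, or `wp_localize_script()`, so listing it beside the general escapers invites misuse. The line also lacks `wp_kses_post()` for output that legitimately contains HTML and `esc_textarea()` for textarea content, and should say that escaping happens at the point of output (escape late), not when the value is stored, since the preceding `Input` line already covers sanitizing on the way in.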
|
19 | | -### WordPress Compatibility |
| 24 | +**Authorization:** Check `current_user_can()` before sensitive operations. Use `wp_nonce_field()` / `wp_verify_nonce()` for forms and state-changing requests. |
20 | 25 |
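Review bot: this line lists nonce verification and capability checks together but should say that both are required on every state-changing handler, because a valid nonce proves intent, not permission, and a nonce check alone is not authorization. Name the handler-specific forms the codebase will actually use: `check_admin_referer()` for admin forms, `check_ajax_referer()` for `wp_ajax_*` actions, and a `permission_callback` for REST routes; and ask `current_user_can()` for the specific capability (for example `manage_options`) rather than a role name.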
|
21 | | -- **WordPress:** 6.5+ minimum |
22 | | -- **PHP:** 7.4+ minimum |
23 | | -- **WooCommerce:** 5.0+ (when applicable) |
24 | | -- Follow [WordPress Coding Standards](https://developer.wordpress.org/coding-standards/) for PHP, JS, CSS, HTML, and accessibility |
25 | | - |
26 | | -### Code Quality Standards |
27 | | - |
28 | | -1. **Security First:** Always sanitize input (`sanitize_*()`) and escape output (`esc_*()`) |
29 | | -2. **WordPress APIs:** Use WP functions instead of raw PHP/SQL |
30 | | -3. **Hook System:** Proper use of `add_action()` and `add_filter()` |
31 | | -4. **Internationalization:** Use `__()`, `_e()`, `esc_html__()` for all strings |
32 | | -5. **Performance:** Avoid N+1 queries, use WP caching, optimize database calls |
33 | | - |
34 | | -## 🔒 Security Requirements (Critical) |
35 | | - |
36 | | -**Input Handling:** |
37 | | -- Use `sanitize_text_field()`, `sanitize_email()`, `wp_kses()` for user input |
38 | | -- Validate with `is_email()`, `absint()`, `wp_verify_nonce()` for security |
39 | | -- Use prepared statements for database queries (`$wpdb->prepare()`) |
40 | | - |
41 | | -**Output Security:** |
42 | | -- Escape all output: `esc_html()`, `esc_attr()`, `esc_url()`, `esc_js()` |
43 | | -- Use `wp_nonce_field()` and `wp_verify_nonce()` for forms |
44 | | -- Check permissions with `current_user_can()` before sensitive operations |
45 | | - |
46 | | -**Vulnerability Prevention:** |
47 | | -- Prevent SQL injection, XSS, CSRF, Local File Inclusion (LFI), and path traversal |
48 | | -- Follow principle of least privilege |
49 | | -- Auto-identify and fix security issues when found |
50 | | - |
51 | | -## 📝 Documentation & Versioning |
52 | | - |
53 | | -**Changelog Management:** |
54 | | -- Always update CHANGELOG.md and readme.txt when making code changes |
55 | | -- **Sync both changelogs:** CHANGELOG.md and readme.txt changelog section |
56 | | -- Use "Unreleased" section for ongoing changes |
57 | | - |
58 | | -**Version Release Process (only when instructed):** |
59 | | -- Follow semantic versioning (MAJOR.MINOR.PATCH) |
60 | | -- Update version in: plugin header, README.md, readme.txt, CHANGELOG.md, GEMINI.md, and `.pot` language files, constants section, package.json, and composer.json |
61 | | -- Move "Unreleased" changes to new version section in both changelogs |
62 | | -- **Never auto-update versions** - wait for explicit instruction |
63 | | - |
64 | | -**Code Documentation:** |
65 | | -- Use PHPDoc with `@param`, `@return`, `@since` tags |
66 | | -- Write clear function/class descriptions |
67 | | -- Document security considerations and hooks used |
68 | | - |
69 | | -**Internationalization (i18n):** |
70 | | -- Update `.pot` language files when adding or modifying translatable strings |
71 | | -- Always use the correct text domain when dealing with translation functions |
| 26 | +**Prevention:** Guard against SQL injection, XSS, CSRF, LFI, and path traversal. Follow principle of least privilege. Flag and fix security issues immediately when found. |
| 27 | + |
| 28 | +## Code Standards |
| 29 | + |
| 30 | +- **WordPress APIs only:** Use WP functions instead of raw PHP equivalents. Prefer hooks (`add_action()`, `add_filter()`) over direct calls. |
| 31 | +- **PHP 8.1+:** Use typed properties, return type declarations, parameter types, `readonly` where appropriate, null coalescing, and short array syntax. |
| 32 | +- **PHPDoc:** Use `@param`, `@return`, `@since` tags on all functions and methods. |
| 33 | +- **Naming:** Functions: `snake_case`. Classes: `PascalCase_With_Underscores`. Constants: `UPPER_SNAKE_CASE`. Files: `lowercase-with-hyphens.php`. |
| 34 | +- **Performance:** Avoid N+1 queries. Use WordPress caching (`wp_cache_*()`, transients). Enqueue assets with `wp_enqueue_*()`. Focus on correctness first, then optimize. |
| 35 | +- **Error handling:** Use `WP_Error` for WordPress errors. Log errors without exposing sensitive data. Handle edge cases gracefully. |
| 36 | +- **Unused code:** Flag potentially unused code for review before removing — WordPress hooks can call code dynamically. |
| 37 | + |
| 38 | +## Internationalization |
| 39 | + |
| 40 | +- **Text domain:** `'optimizations-ace-mc'` |
72 | 41 | - Mark all user-facing strings with `__()`, `_e()`, `esc_html__()`, `esc_attr__()`, etc. |
| 42 | +- Update `.pot` language files when adding or modifying translatable strings |
| 43 | + |
| 44 | +## Documentation & Versioning |
| 45 | + |
| 46 | +**Changelogs:** |
| 47 | +- Update both CHANGELOG.md and readme.txt changelog section for every code change — keep them in sync |
| 48 | +- Use the "Unreleased" section for ongoing changes |
| 49 | + |
| 50 | +**Version releases (only when explicitly instructed):** |
| 51 | +- Semantic versioning: MAJOR.MINOR.PATCH |
| 52 | +- Update version in: plugin header, README.md, readme.txt, CHANGELOG.md, GEMINI.md, `.pot` files, constants, composer.json |
| 53 | +- Move "Unreleased" changes to the new version section |
| 54 | +- **Never auto-update versions** |
| 55 | + |
| 56 | +## CI/CD & Workflows |
| 57 | + |
| 58 | +- GitHub Actions workflows live in `.github/workflows/` |
| 59 | +- **Gemini AI integration:** Code review and issue analysis via Google Gemini API. Sanitize all user-controlled content (diffs, issue bodies) before passing to LLM prompts. |
| 60 | +- **Static analysis:** PHPStan (Level 5+), PHPCS (WordPress standards), PHPMD, Psalm |
| 61 | +- **Test matrix:** PHP 8.1, 8.2, 8.3, 8.4 × WordPress 6.5, latest, nightly |
| 62 | +- **Security:** Never expose API keys or tokens in logs. Use `${{ secrets.* }}` for credentials. Add timeouts to external API calls. Fail builds on critical security findings. |
| 63 | +- **Error handling in workflows:** Do not suppress tool failures with `|| echo`. Log full output and set appropriate exit codes. |
| 64 | + |
| 65 | +## Workflow Rules |
73 | 66 |
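Review bot: on the Gemini line, `Sanitize all user-controlled content (diffs, issue bodies) before passing to LLM prompts` does not address the real risk: an issue body or a pull request diff can carry instructions that the model follows, and no sanitizer reliably strips that. The rule should instead say that model output is advisory and untrusted (it may post a review comment but never approve, merge, apply changes or run commands), that the workflow token gets read-only `permissions:` wherever possible, and that pull requests from forks run under `pull_request`, not `pull_request_target`, whenever secrets such as the Gemini key are in scope. Separately, the `Update version in:` checklist dropped `package.json`, which the removed text listed; if that file still exists in the repository, the release checklist is now incomplete.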
|
74 | | -## ⚡ Performance & Quality |
75 | | - |
76 | | -**Performance Optimization:** |
77 | | -- Use WordPress caching (`wp_cache_*()`, transients) |
78 | | -- Optimize database queries, avoid N+1 problems |
79 | | -- Proper asset enqueueing with `wp_enqueue_*()` functions |
80 | | -- Focus on correctness first, then optimize |
81 | | - |
82 | | -**Code Architecture:** |
83 | | -- Group by feature, not by type |
84 | | -- Use descriptive function/variable names |
85 | | -- Remove unused code automatically |
86 | | -- Follow feature-sliced design when applicable |
87 | | - |
88 | | -**Error Handling:** |
89 | | -- Use `WP_Error` for WordPress-specific errors |
90 | | -- Log errors without exposing sensitive data |
91 | | -- Handle edge cases gracefully |
92 | | -- Validate all function parameters |
93 | | - |
94 | | -## 🚀 Workflow & Automation |
95 | | - |
96 | | -**Task Execution:** |
97 | | -- Make changes directly to existing files (don't create duplicates) |
98 | | -- Proceed automatically unless action is destructive |
99 | | -- Auto-identify and fix bugs when possible |
100 | | -- Only ask confirmation for data loss/deletion scenarios |
101 | | - |
102 | | -**File Management:** |
103 | | -- Edit files in place (e.g., modify `admin.php` directly) |
104 | | -- Create new files only when truly necessary |
105 | | -- Avoid file duplication and unnecessary rewrites |
106 | | -- Maintain clean project structure |
107 | | - |
108 | | -**Communication:** |
109 | | -- Provide concise, actionable responses |
110 | | -- Use clear formatting for readability |
111 | | -- Never create change summaries as separate .md files |
112 | | -- Focus on specific changes made, not verbose explanations |
| 67 | +- Edit files in place. Create new files only when architecturally necessary. |
| 68 | +- Proceed automatically unless an action is destructive or irreversible. |
| 69 | +- Auto-identify and fix bugs. Ask confirmation only for data loss or deletion. |
| 70 | +- Provide concise, actionable responses. Never create separate summary .md files. |
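Review bot: `Auto-identify and fix bugs. Ask confirmation only for data loss or deletion.` combined with the Security section's `fix security issues immediately` lets an automated agent rewrite capability checks, nonce verification, escaping or `$wpdb->prepare()` calls with no one reviewing the change, and a wrong fix there weakens security silently instead of failing visibly. Treat edits to authorization, nonce, escaping and SQL code, and any dependency or version bump, as needing the same confirmation as deletions, and keep this consistent with the `Flag potentially unused code for review before removing` rule in Code Standards by requiring review rather than automatic action here too.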