Audit and fix both README files

Author: noelsaw1

README.md

@@ -4,7 +4,8 @@
 
 [![CI](https://github.com/Hypercart-Dev-Tools/WP-Code-Check/actions/workflows/ci.yml/badge.svg)](https://github.com/Hypercart-Dev-Tools/WP-Code-Check/actions)
 [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
-[![Version](https://img.shields.io/badge/version-1.0.66-green.svg)](CHANGELOG.md)
+
+> **Versioning:** See `dist/README.md` for the current released version. The version in the dist README (and the main bash script header) is the canonical source of truth.
 
 ---
 
@@ -15,8 +16,8 @@ WordPress sites fail in production because of **performance antipatterns** that
 - 🔥 **Unbounded queries** (`posts_per_page => -1`) that fetch 50,000 posts and crash the server
 - 🐌 **N+1 query patterns** that turn 1 request into 1,000 database calls
 - 💥 **Missing capability checks** that let subscribers delete your entire site
-- 🔓 **Insecure deserialization** that opens remote code execution vulnerabilities
-- 🪲 **Debug code in production** (`var_dump`, `console.log`) that exposes sensitive data
+- 🔐 **Insecure deserialization** that opens remote code execution vulnerabilities
+- 🧲 **Debug code in production** (`var_dump`, `console.log`) that exposes sensitive data
 
 **WP Code Check catches these issues in seconds** — before they reach production.
 
@@ -71,7 +72,7 @@ cd WP-Code-Check
 
 ## Features
 
-### 🔍 **33 Performance & Security Checks**
+### 🔍 **30+ Performance & Security Checks**
 
 - **Critical**: Unbounded queries, insecure deserialization, localStorage sensitive data, client-side serialization, **direct database queries without $wpdb->prepare()**
 - **High**: Direct superglobal manipulation, **unsanitized superglobal read**, **admin functions without capability checks**, **WooCommerce N+1 patterns**, AJAX without nonce validation, unbounded SQL, expensive WP functions in polling
@@ -154,7 +155,7 @@ wp-code-check:
 
 ## Documentation
 
-- **[User Guide](dist/README.md)** - Complete command reference and examples
+- **[User Guide](dist/README.md)** - Complete command reference and examples (includes canonical version number)
 - **[Template Guide](dist/HOWTO-TEMPLATES.md)** - Project template system
 - **[Changelog](CHANGELOG.md)** - Version history and development progress
 - **[AI Agent Guide](AGENTS.md)** - WordPress development guidelines for AI assistants

dist/README.md

@@ -1,6 +1,7 @@
 # WP Code Check by Hypercart - Performance & Security Analyzer
 
-**Version:** 1.0.63
+> **Versioning:** The canonical version is defined in `dist/bin/check-performance.sh` (see `SCRIPT_VERSION` in the script header). This README reflects that version but should not be treated as the primary source of truth.
+
 © Copyright 2025 Hypercart (a DBA of Neochrome, Inc.)
 
 ---
@@ -22,7 +23,7 @@ You're building a WordPress plugin or theme. Everything works great in developme
 
 ### The Solution
 
-This toolkit **automatically detects 29 critical WordPress performance and security antipatterns** before they reach production.
+This toolkit **automatically detects 30+ critical WordPress performance and security antipatterns** before they reach production.
 
 **Think of it as:**
 - 🛡️ **ESLint/PHPStan for WordPress performance** - catches issues static analysis misses
@@ -380,7 +381,7 @@ wp-analyze ~/Sites/my-plugin --format json > results.json
 JSON structure:
 ```json
 {
-  "version": "1.0.46",
+  "version": "<SCRIPT_VERSION>",
   "timestamp": "2025-12-29T10:30:00Z",
   "paths_scanned": ["~/Sites/my-plugin"],
   "strict_mode": false,
@@ -401,16 +402,6 @@ JSON structure:
       "code": "'posts_per_page' => -1,",
       "message": "Unbounded posts_per_page can cause memory exhaustion"
     }
-  ],
-  "checks": [
-    {
-      "id": "unbounded-posts-per-page",
-      "name": "Unbounded posts_per_page",
-      "status": "failed",
-      "severity": "error",
-      "impact": "CRITICAL",
-      "finding_count": 2
-    }
   ]
 }
 ```
@@ -445,20 +436,20 @@ $data = file_get_contents( 'https://api.example.com/data' );
 
 | File | Purpose |
 |------|---------|
-| `bin/check-performance.sh` | Main analyzer - detects 28 antipatterns |
-| `tests/fixtures/*.php` | Test fixtures (antipatterns + clean code) |
-| `tests/run-fixture-tests.sh` | Validation test suite (9 tests) |
+| `dist/bin/check-performance.sh` | Main analyzer - detects 30+ antipatterns |
+| `dist/tests/fixtures/*.php` | Test fixtures (antipatterns + clean code) |
+| `dist/tests/run-fixture-tests.sh` | Validation test suite (number of tests may grow over time) |
 
 ### Integration Tools
 
 | File | Purpose |
 |------|---------|
-| `bin/post-to-slack.sh` | Post results to Slack webhook |
-| `bin/format-slack-message.sh` | Format JSON as Slack Block Kit |
-| `bin/test-slack-integration.sh` | Test Slack integration |
+| `dist/bin/post-to-slack.sh` | Post results to Slack webhook |
+| `dist/bin/format-slack-message.sh` | Format JSON as Slack Block Kit |
+| `dist/bin/test-slack-integration.sh` | Test Slack integration |
 | `setup-integration-security.sh` | Setup credential protection |
 
-See [PROJECT/DETAILS/INTEGRATIONS.md](../PROJECT/DETAILS/INTEGRATIONS.md) for integration guides.
+See the `PROJECT/` directory for detailed integration and architectural docs.
 
 ---