superdav-ai-agent/phpcs.xml at main · Ultimate-Multisite/superdav-ai-agent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
<?xml version="1.0"?>
<ruleset name="Superdav AI Agent Coding Standards">
    <description>PHP_CodeSniffer ruleset for Superdav AI Agent WordPress plugin.</description>

    <!-- Scan these files -->
    <file>.</file>

    <!-- Exclude paths -->
    <exclude-pattern>*/vendor/*</exclude-pattern>
    <exclude-pattern>*/node_modules/*</exclude-pattern>
    <exclude-pattern>*/build/*</exclude-pattern>
    <exclude-pattern>*/tests/*</exclude-pattern>
    <exclude-pattern>*/bin/*</exclude-pattern>
    <exclude-pattern>*/.github/*</exclude-pattern>
    <exclude-pattern>*/compat/*</exclude-pattern>
    <!-- Compat polyfill files are copies of WP core files; they use WP core text domain style
         and WP-style class naming. Exclude them from plugin PHPCS rules. AiBridgeLoader.php and
         SdkLoader.php are PSR-4 and remain checked. -->
    <exclude-pattern>*/Compat/ai-client/*</exclude-pattern>
    <exclude-pattern>*/Compat/ai-client.php</exclude-pattern>
    <!-- wp-connectors-polyfill.php defines functions in the global namespace (WP convention).
         Excluded from plugin PHPCS rules for the same reason as ai-client polyfills. -->
    <exclude-pattern>*/Compat/wp-connectors-polyfill.php</exclude-pattern>
    <!-- lib/ contains bundled WP 7.0 SDK files and PSR-compliant third-party code
         that follows PSR-2/PSR-12 coding standards rather than WordPress coding standards. -->
    <exclude-pattern>*/lib/*</exclude-pattern>

    <!-- Arguments -->
    <arg name="extensions" value="php"/>
    <arg name="basepath" value="."/>
    <arg name="parallel" value="8"/>
    <arg value="ps"/>

    <!-- WordPress version -->
    <config name="minimum_supported_wp_version" value="6.9"/>

    <!-- Text domain -->
    <config name="text_domain" value="sd-ai-agent"/>

    <!-- Use WordPress Coding Standards -->
    <rule ref="WordPress">
        <!-- Allow PSR-4 class file naming (ClassName.php instead of class-classname.php) -->
        <exclude name="WordPress.Files.FileName.InvalidClassFileName"/>
        <exclude name="WordPress.Files.FileName.NotHyphenatedLowercase"/>

        <!-- Allow camelCase method names (PSR convention) -->
        <exclude name="WordPress.NamingConventions.ValidFunctionName.MethodNameInvalid"/>

        <!-- Allow short array syntax -->
        <exclude name="Universal.Arrays.DisallowShortArraySyntax"/>

        <!-- Allow direct database queries (plugin uses custom tables) -->
        <exclude name="WordPress.DB.DirectDatabaseQuery.DirectQuery"/>
        <exclude name="WordPress.DB.DirectDatabaseQuery.NoCaching"/>

        <!-- Allow short ternary (null coalescing style) - modern PHP -->
        <exclude name="Universal.Operators.DisallowShortTernary.Found"/>

        <!-- Allow non-Yoda conditions - more readable -->
        <exclude name="WordPress.PHP.YodaConditions.NotYoda"/>

        <!-- File header order is not critical -->
        <exclude name="PSR12.Files.FileHeader.IncorrectOrder"/>

        <!-- Allow empty catch blocks (intentional error suppression) -->
        <exclude name="Generic.CodeAnalysis.EmptyStatement.DetectedCatch"/>

        <!-- Allow unused function parameters (interface compliance) -->
        <exclude name="Generic.CodeAnalysis.UnusedFunctionParameter.Found"/>

        <!-- Relax commenting requirements for now -->
        <exclude name="Squiz.Commenting.FileComment.Missing"/>
        <exclude name="Squiz.Commenting.ClassComment.Missing"/>
        <exclude name="Squiz.Commenting.FunctionComment.Missing"/>
        <exclude name="Squiz.Commenting.FunctionComment.MissingParamTag"/>
        <exclude name="Squiz.Commenting.VariableComment.Missing"/>
        <exclude name="Generic.Commenting.DocComment.MissingShort"/>
        <exclude name="Squiz.Commenting.BlockComment.NoEmptyLineBefore"/>
        <exclude name="Squiz.Commenting.FunctionComment.ThrowsNotCapital"/>
        <exclude name="Squiz.Commenting.FunctionCommentThrowTag.Missing"/>
        <exclude name="Squiz.Commenting.FunctionComment.WrongStyle"/>
        <exclude name="Squiz.Commenting.InlineComment.InvalidEndChar"/>

        <!-- Allow commented out code during development -->
        <exclude name="Squiz.PHP.CommentedOutCode.Found"/>

        <!-- Allow 'class' as parameter name -->
        <exclude name="Universal.NamingConventions.NoReservedKeywordParameterNames.classFound"/>

        <!-- Allow multiple classes per file for compat layer -->
        <exclude name="Generic.Files.OneObjectStructurePerFile.MultipleFound"/>

        <!-- Allow property names from external APIs -->
        <exclude name="WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase"/>

        <!-- Allow flexible indentation in multi-line function call arguments -->
        <exclude name="PEAR.Functions.FunctionCallSignature.Indent"/>
    </rule>

    <!-- Enforce output escaping: all dynamic output must pass through an escaping function.
         Use esc_html(), esc_attr(), esc_url(), wp_kses_post(), etc. as appropriate.
         Inline phpcs:ignore is permitted only for false positives (e.g. ErrorException
         constructor arguments, which are not output). -->
    <rule ref="WordPress.Security.EscapeOutput"/>

    <!-- Enforce nonce verification: any handler that reads $_POST, $_GET, $_REQUEST, or
         $_COOKIE must verify a nonce via wp_verify_nonce(), check_admin_referer(), or
         check_ajax_referer() before accessing those values.
         REST API endpoints are exempt — WP_REST_Request enforces authentication and
         permission callbacks at the framework level. -->
    <rule ref="WordPress.Security.NonceVerification"/>

    <!-- Verify text domain usage -->
    <rule ref="WordPress.WP.I18n">
        <properties>
            <property name="text_domain" type="array">
                <element value="sd-ai-agent"/>
            </property>
        </properties>
    </rule>

    <!-- Check for PHP cross-version compatibility -->
    <rule ref="PHPCompatibilityWP"/>
    <config name="testVersion" value="8.2-"/>

    <!-- WooCommerce custom capabilities — registered by WooCommerce, not core WordPress.
         These are valid capabilities used in permission_callback() checks. -->
    <rule ref="WordPress.WP.Capabilities">
        <properties>
            <property name="custom_capabilities" type="array">
                <element value="manage_woocommerce"/>
                <element value="view_woocommerce_reports"/>
                <element value="edit_products"/>
                <element value="publish_products"/>
                <element value="read_products"/>
                <element value="delete_products"/>
            </property>
        </properties>
    </rule>

</ruleset>