Merge branch 'add-review-and-ai'

Author: shftlvch

.github/workflows/opencode-review.yml

@@ -0,0 +1,84 @@
+name: opencode-review
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: opencode-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  review:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+      issues: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run OpenCode Review
+        uses: anomalyco/opencode/github@latest
+        timeout-minutes: 20
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        with:
+          model: openai/gpt-5.4
+          prompt: |
+            You are reviewing a pull request for the `wordpress-plugins` repository.
+            Focus on correctness, regressions, security, and repository-specific conventions.
+            Do not nitpick formatting or suggest broad rewrites that are unrelated to the diff.
+
+            ## Repo Context
+            - The repo contains two classic WordPress plugins:
+              - `anytrack-affiliate-link-manager/trunk`
+              - `anytrack-for-woocommerce/trunk`
+            - Plugins use WordPress.org SVN-style layout: `trunk/` for code, `assets/` for wp.org assets.
+            - Architecture is legacy WordPress PHP: procedural functions, small bootstrap classes, `include`-based module loading, hooks, AJAX actions, and direct use of WordPress/WooCommerce APIs.
+            - Admin UI is often assembled as concatenated HTML strings in PHP helper classes.
+            - JavaScript is plain jQuery enqueued via WordPress; there is no React, TypeScript, bundler, or modern frontend build.
+            - There is no Composer, PHPUnit, ESLint, or package-based build/test pipeline in this repo.
+
+            ## Repo Conventions To Enforce
+            - Prefer minimal changes that fit the current plugin architecture; avoid broad modernization unless the diff explicitly calls for it.
+            - Follow existing prefixes and naming:
+              - `anytrack_for_woocommerce_*` for WooCommerce plugin functions
+              - `aalm_*` for Affiliate Link Manager functions
+            - New modules should be wired through the plugin bootstrap include list rather than through autoloading.
+            - Prefer WordPress and WooCommerce APIs over raw PHP when an equivalent helper already exists.
+            - Match the touched file's existing formatting style; do not flag minor spacing or brace inconsistencies unless they cause a real bug.
+
+            ## Review Priorities
+            - Start with real behavioral regressions, data loss risks, access-control mistakes, security issues, and broken WordPress/WooCommerce hooks.
+            - Be especially careful in redirect logic, AJAX handlers, order hooks, settings save handlers, and admin delete flows.
+            - Check nonce validation, capability checks, sanitization of `$_POST` / `$_GET`, escaping of rendered output, and safe redirects.
+            - Watch for misuse of WooCommerce objects and getters, incorrect hook signatures, duplicate tracking, and changes that can fire on the wrong page or multiple times.
+            - Flag unsafe direct superglobal usage, missing `isset` guards, and broken assumptions around options, post meta, cookies, and request payloads.
+            - Do not suggest adding frameworks, dependency injection, namespaces, or type-heavy refactors unless the PR is already moving in that direction.
+
+            ## Testing Expectations
+            - There is no automated test suite in this repo, so do not require PHPUnit or JS tests that do not exist.
+            - Prefer validation suggestions that match the repo:
+              - `php -l` for changed PHP files
+              - narrow manual verification in a local WordPress or WooCommerce flow
+              - `bash generate-zips.sh` when packaging behavior is affected
+            - If the diff changes runtime behavior but lacks any realistic validation path, mention that as residual risk.
+
+            ## Review Output Format
+            - Report only actual findings from the diff. Do not praise the PR or restate the implementation.
+            - Order findings by severity and include file or symbol references plus concise reasoning and impact.
+            - Use this structure:
+            1. 🚨 **Critical** - Must fix before merge (security, data loss, breaking changes)
+            2. ⚠️ **Major** - Should be addressed (bugs, performance, best practices)
+            3. 💡 **Minor** - Suggestions for improvement, very short description is enough
+            - If there are no findings, say that explicitly and mention any residual risk or missing validation.
+            - Append each finding with: *Re-check this finding against the exact changed lines and fix it only if the issue is confirmed in the diff.*
+            - Only report actual issues from the diff. Do not invent findings about missing build, typecheck, or linter steps that this repo does not have.

.github/workflows/opencode.yml

@@ -0,0 +1,34 @@
+name: opencode
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+
+jobs:
+  opencode:
+    if: |
+      contains(github.event.comment.body, ' /oc') ||
+      startsWith(github.event.comment.body, '/oc') ||
+      contains(github.event.comment.body, ' /opencode') ||
+      startsWith(github.event.comment.body, '/opencode')
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+      issues: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Run opencode
+        uses: anomalyco/opencode/github@latest
+        timeout-minutes: 30
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        with:
+          model: openai/gpt-5.4

.vscode/settings.json

@@ -0,0 +1 @@
+{}

AGENTS.md

@@ -0,0 +1,168 @@
+# AGENTS.md
+
+This file gives coding agents a practical map of the `wordpress-plugins` repo.
+It reflects the current repository, not generic WordPress advice.
+
+## Scope
+
+- Repo root contains two WordPress plugins plus release helpers.
+- Main plugin paths:
+  - `anytrack-affiliate-link-manager/trunk`
+  - `anytrack-for-woocommerce/trunk`
+- Each plugin uses WordPress.org SVN-style layout: `trunk/` for code, `assets/` for wp.org assets.
+- There is no root package manager or PHP toolchain config: no `package.json`, `composer.json`, PHPUnit config, ESLint config, or PHPCS config in the repo.
+
+## Rule Files
+
+- No `.cursor/rules/` directory was found.
+- No `.cursorrules` file was found.
+- No `.github/copilot-instructions.md` file was found.
+- There are no repo-specific Cursor or Copilot rule files to merge into agent behavior.
+- `.github/workflows/opencode-review.yml` exists, but its prompt references an unrelated AnyTrack Nx monorepo; treat it as stale and not authoritative for this repo.
+
+## Repository Layout
+
+- `README.md` documents local development and release at a high level.
+- `generate-zips.sh` packages both plugins into `releases/`.
+- `release.sh <pluginName> <version>` publishes a plugin to WordPress SVN.
+- `scripts/copy-to-trafficker.sh` and `scripts/copy-from-trafficker.sh` sync code to/from a local DevKinsta WordPress install.
+- `svn/` is a temporary checkout target used by `release.sh`.
+
+## Architecture
+
+- Both plugins are classic procedural WordPress plugins with a small bootstrap class in the main plugin file.
+- Most behavior lives in `modules/*.php` files included from the plugin entrypoint.
+- WordPress hooks are the primary composition mechanism: `add_action`, `add_filter`, AJAX actions, and activation hooks.
+- Admin UI is largely rendered as concatenated HTML strings in PHP helper classes.
+- JavaScript is plain jQuery enqueued via `wp_register_script` / `wp_enqueue_script`.
+- There are no namespaces, Composer autoloading, dependency injection containers, or modern typed PHP patterns.
+
+## Build, Lint, And Test Commands
+
+There is no compile step, dependency install step, or formal build pipeline.
+
+- Package both plugins:
+  - `bash generate-zips.sh`
+- Release to WordPress SVN:
+  - `bash release.sh anytrack-for-woocommerce 1.5.7`
+  - `bash release.sh anytrack-affiliate-link-manager 1.5.5`
+- Sync repo -> local DevKinsta install:
+  - `bash scripts/copy-to-trafficker.sh`
+- Sync local DevKinsta install -> repo:
+  - `bash scripts/copy-from-trafficker.sh`
+
+There is no configured lint runner. Use syntax checks instead:
+
+- Lint one PHP file:
+  - `php -l anytrack-for-woocommerce/trunk/modules/hooks.php`
+- Lint all PHP files in one plugin:
+  - `rg --files anytrack-for-woocommerce/trunk -g '*.php' | xargs -I{} php -l "{}"`
+  - `rg --files anytrack-affiliate-link-manager/trunk -g '*.php' | xargs -I{} php -l "{}"`
+- Optional manual style check if `phpcs` happens to be installed globally:
+  - `phpcs --standard=WordPress anytrack-for-woocommerce/trunk`
+
+There is no automated test suite checked in:
+
+- No PHPUnit setup was found.
+- No WordPress test scaffold was found.
+- No JS unit test runner was found.
+
+## Single-Test Guidance
+
+There is no true "run one test" command in this repo.
+Closest equivalents:
+
+- Single-file syntax check:
+  - `php -l anytrack-affiliate-link-manager/trunk/modules/ajax.php`
+- Single behavior manual test in local WordPress:
+  - redirect flow: create or edit one `custom_redirect` item and visit the source URL
+  - WooCommerce flow: run one product view, add-to-cart, checkout, or thank-you scenario
+- Single plugin smoke test:
+  - activate only the touched plugin in a local WordPress instance and verify the affected admin/front flow
+- Packaging smoke test:
+  - `bash generate-zips.sh`
+
+## Local Development Expectations
+
+- The repo expects development against a real WordPress instance, not mocks.
+- DevKinsta paths are hardcoded in the sync scripts.
+- README mentions staging/production Kinsta sync as a possible workflow, but agents should avoid remote or destructive actions unless explicitly asked.
+- There is no repo-local cache or asset build to clear; changed plugin files take effect immediately in the target WordPress install.
+
+## PHP Style Guidelines
+
+- Follow the style already used in the file you touch; do not normalize the whole plugin.
+- New entry files should start with `<?php` and guard direct access with an `ABSPATH` check.
+- Keep one top-level responsibility per module file: hooks, AJAX handlers, settings, helper functions, scripts, CPT definitions.
+- Prefer WordPress APIs over raw PHP when an equivalent helper already exists.
+- Avoid introducing namespaces, traits, autoloaders, Composer-only patterns, or inconsistent scalar type hints / return types.
+
+## Includes, Naming, And Structure
+
+- There are no modern imports; plugin files are wired together with `include` from the main bootstrap file.
+- When adding a module, add it to the include list in the plugin entrypoint and keep paths relative to the plugin root.
+- Match existing prefixes:
+  - `anytrack_for_woocommerce_*` for WooCommerce plugin functions
+  - `aalm_*` for Affiliate Link Manager functions
+  - legacy class names like `aalmFormElementsClass` are normal here
+- Keep option keys and meta keys in snake_case, matching existing names such as `waap_options`, `source_url`, and `_anytrack_processed`.
+- Avoid generic global function names that could collide with WordPress or another plugin.
+
+## Formatting Conventions
+
+- Indentation is inconsistent across the repo; some files use tabs, some spaces.
+- Preserve the dominant indentation and brace style of the file you edit.
+- Keep array syntax aligned with the local file; both `[]` and `array()` exist.
+- Avoid broad formatting-only diffs.
+- Keep edits surgical; these plugins are heavily hook-driven and run in live WordPress flows.
+
+## Types And Data Handling
+
+- Expect loose arrays and scalar strings from WordPress APIs, `$_POST`, `$_GET`, options, post meta, cookies, and WooCommerce objects.
+- Guard optional values with `isset` before use.
+- Cast IDs and counters explicitly when needed with `(int)` or `intval()`.
+- Prefer simple arrays and booleans over introducing DTOs or new abstraction layers.
+- When building payloads, append keys incrementally in the same style as nearby code.
+
+## Error Handling And Security
+
+- Sanitize request data before saving or sending it.
+- Escape output when inserting dynamic values into HTML, attributes, or URLs.
+- For AJAX and forms, use `check_ajax_referer` or `wp_verify_nonce`.
+- For privileged admin actions, check capabilities with `current_user_can`.
+- Prefer early returns or `wp_die` for invalid state, failed auth, or bad input.
+- Use `is_wp_error` when inspecting WordPress HTTP results.
+- Preserve existing redirect semantics such as `wp_redirect(..., 302)` unless requirements change.
+- Be careful with superglobals: many handlers read `$_POST` and `$_GET` directly, so tighten validation rather than expanding unsafe access.
+
+## WordPress, WooCommerce, And JS Conventions
+
+- Prefer hook-based extensions over editing unrelated control flow.
+- Use `get_option`, `update_option`, `get_post_meta`, and `update_post_meta` for persistence.
+- For WooCommerce data, prefer getters such as `$order->get_total()` and `wc_get_product()`.
+- Keep plugin textdomain usage aligned with the plugin-local prefix already used in each file.
+- Reuse localized script globals already present in the repo, especially `aalm_local_data` and `wpafw_local_data`.
+- JavaScript should stay as plain jQuery wrapped in `jQuery(document).ready(function($){ ... })`.
+- Do not introduce React, TypeScript, ESM modules, bundlers, or new frontend dependencies unless explicitly requested.
+
+## HTML/Admin UI Conventions
+
+- Many admin screens are intentionally built by concatenating HTML strings in PHP classes.
+- Preserve that legacy approach unless the task explicitly calls for a UI rewrite.
+- Escape dynamic visible text and attribute values.
+- Reuse the existing Bootstrap-like utility classes already shipped with plugin assets instead of adding a new CSS framework.
+
+## Agent Working Rules
+
+- Before claiming a command exists, verify it from repository files.
+- Do not invent Composer, NPM, PHPUnit, ESLint, or CI workflows that are not present.
+- If asked to "run tests", explain that validation is manual/syntax-based unless you also add a test harness.
+- Avoid broad modernization; prefer minimal changes that fit the current plugin architecture.
+- Be especially careful in redirect, AJAX, order-hook, and admin-delete code paths; validate nonce, capabilities, sanitization, and redirect targets.
+
+## Good Final Verification Checklist
+
+- Run `php -l` on every changed PHP file.
+- If packaging changed, run `bash generate-zips.sh`.
+- If WordPress behavior changed, verify the exact affected admin/frontend flow in a local WordPress install.
+- If WooCommerce behavior changed, test the narrowest affected scenario: product view, add to cart, checkout, thank-you page, or order update.