// Review WPUF code changes and pull requests for coding standards, security, and architectural compliance. Use when reviewing PRs, performing code audits, or checking code quality.
Release a new version of WP User Frontend (free) to weDevsOfficial GitHub + wp.org via Appsero. One-command pipeline via `wpuf-release-free` alias. Trigger when user says "release wpuf", "ship wpuf X.Y.Z", "publish wpuf", "/wpuf-release", "wpuf-release-free".
Add or modify WPUF backend PHP code following project conventions. Use when creating new classes, methods, hooks, REST controllers, or modifying existing backend code.
Add or modify WPUF frontend code (jQuery, vanilla JS, Vue legacy, Tailwind). Use when creating components, modifying build configuration, or working with frontend assets.
| name | wpuf-code-review |
| description | Review WPUF code changes and pull requests for coding standards, security, and architectural compliance. Use when reviewing PRs, performing code audits, or checking code quality. |
Review code changes against WP User Frontend coding standards and project conventions. Consult the other wpuf-* skills for detailed standards.
Before reviewing code, perform these steps:
Determine review scope: Check if this is a targeted review (specific files) or a diff-based review.
git diff (or git diff --cached, git diff HEAD~1) to identify only the changed files and lines. Focus your review on the changed code, not the entire file.Find project configuration: Use Glob to search for PHPCS config files:
phpcs.xml.dist (project root)Run automated tools (when available):
composer phpcs if PHPCS is installed and configured.Diff awareness: When reviewing a diff, distinguish pre-existing issues from newly introduced ones. Flag pre-existing issues separately (e.g., "Pre-existing pattern propagated to new files").
Architecture & Structure:
WP_REST_Controller — REST controllers must extend WP_REST_Controller.wpuf/v1 as the REST namespace.permission_callback (never omit it).API::__construct() and stored in the container.Admin, Frontend, or WP_User_Frontend::instantiate()), not instantiated ad hoc.! class_exists( 'WP_User_Frontend_Pro' ).Naming & Conventions:
snake_case for methods, variables, and hooks (WordPress convention).WeDevs\Wpuf\{Domain}\{Class} pattern with matching file path.wp-user-frontend for free version strings. wpuf-pro for Pro strings. Never use wpuf alone.wpuf_ prefix on hooks — All apply_filters() and do_action() hook names must start with wpuf_ to avoid conflicts.Security:
permission_callback.===, !==). in_array() must pass true as third argument (enforced as error by PHPCS).$request params must be sanitized (sanitize_text_field(), absint(), etc.).wp_unslash() before sanitization — Superglobals ($_GET, $_POST, $_SERVER, $_REQUEST) must be unslashed before sanitizing: sanitize_text_field( wp_unslash( $_POST['field'] ) ).esc_html(), esc_attr(), esc_url(), wp_kses_post(), etc.). Escape late, sanitize early.$wpdb->prepare() — All dynamic SQL values must use prepared statements.wp_verify_nonce(), check_ajax_referer()).eval(), extract(), or direct file includes without proper path validation.Performance:
Documentation:
@since tag — Required for new public/protected methods and hooks. Use WPUF_SINCE placeholder.wpuf- prefix (e.g., wpuf-bg-primary, not bg-primary)..wpuf_packs, #wpuf-subscription-page, etc.). Using Tailwind outside these containers will lack reset styles.'wp-user-frontend', not 'wpuf'.sprintf() calls with placeholders need /* translators: */ comments..env for URLs, credentials, and API keys.composer phpcs on changed filesnpm run build completes without errorsEvery issue MUST include a file reference. Use the format file/path.php:LINE_NUMBER for each issue. If an issue spans multiple files, list each file path explicitly. Never use vague references like "all templates" — always name the files.
For each violation found:
[severity]: [Specific problem]
Location: file/path.php:42
Code: `the problematic code snippet`
Fix: [Brief explanation or correct code example]
When reviewing diffs, indicate if an issue is newly introduced or pre-existing:
[severity]: [Specific problem] (pre-existing)
Location: file/path.php:42
Note: This pattern existed before this PR but was propagated to new code.
Severity levels:
Correct — Does the change do what it's supposed to? Code 100% fulfilling the requirements? Secure — Would a nefarious party find some way to exploit this change? Everything sanitized/escaped appropriately? Readable — Will your future self be able to understand this change months down the road? Elegant — Does the change fit aesthetically within the overall style and architecture?