PHPCS ruleset for the Bread & Butter WordPress plugin. Emphasis on WordPress security sniffs — the escaping / sanitization / SQL-prep rules that stop regressions like the customEventShortCodeButton XSS (CVE-2026-4279). Stylistic rules (class/file naming, doc-comment requirements) are excluded because this codebase uses PSR-4 + camelCase, not WP core naming. ./src ./breadbutter-connect.php ./uninstall.php ./index.php */vendor/* */node_modules/* */build/* */assets/* */blocks/*/build/* */bitbucket-pipeline-scripts/* src/Base/Ajax\.php src/Pages/LoginAuthorize\.php src/Api/Callbacks/AdminCallbacks\.php src/Base/Ajax\.php src/Pages/LoginAuthorize\.php src/Api/Callbacks/AdminCallbacks\.php