Skip to content

Fix dynamic block render callbacks and PHP function names#11

Open
krugazul wants to merge 58 commits intodevelopfrom
feature/block-bindings
Open

Fix dynamic block render callbacks and PHP function names#11
krugazul wants to merge 58 commits intodevelopfrom
feature/block-bindings

Conversation

@krugazul
Copy link
Contributor

@krugazul krugazul commented Feb 2, 2026
edited by coderabbitai bot
Loading

Summary

Fixes dynamic block rendering for field display, collection, and slider blocks by properly configuring render callbacks and ensuring PHP files are copied during build.

Changes Made

1. Fixed PHP Function Names

  • Changed hyphens to underscores in all render callback function names (PHP doesn't allow hyphens)
  • Updated templates to use {{block_slug|snakeCase}} modifier for proper transformation
  • Fixed in: field-display, collection, and slider blocks

2. Block Registration Updates

  • Updated block.json files to reference function names directly instead of file:./render.php
  • Example: "render": "ma_plugin_render_digital_magazine_field_display"
  • Applied to all dynamic blocks (field-display, collection, slider)

3. Webpack Configuration

  • Added CopyWebpackPlugin to copy render.php files from src/blocks/ to build/blocks/
  • Previously, render.php files weren't being copied during build process
  • Now webpack automatically copies all render.php files to their respective block directories

4. Core Class Enhancements

  • Updated register_blocks() method to:
    • Explicitly require_once render.php files before registration
    • Read block.json and extract render callback function name
    • Pass render_callback argument to register_block_type()
  • Ensures WordPress properly calls PHP render functions on frontend

5. JavaScript Block Registration

  • Added save: () => null to field-display block registration
  • Explicitly marks blocks as dynamic (server-side rendered)
  • Prevents WordPress from saving static HTML content

Files Modified

Templates (block-plugin-scaffold)

  • src/blocks/{{block_slug}}-field-display/render.php
  • src/blocks/{{block_slug}}-field-display/block.json
  • src/blocks/{{block_slug}}-field-display/index.js
  • src/blocks/{{block_slug}}-collection/render.php
  • src/blocks/{{block_slug}}-collection/block.json
  • src/blocks/{{block_slug}}-slider/render.php
  • src/blocks/{{block_slug}}-slider/block.json
  • inc/class-core.php
  • webpack.config.js

Testing

✅ Render.php files now copied to build directory during npm run build
✅ PHP functions properly named with underscores
✅ Block.json correctly references function names
✅ Dynamic blocks use save: () => null
✅ Core class explicitly passes render_callback to WordPress

Breaking Changes

None - this is a bug fix for blocks that weren't rendering on frontend.

Related Issues

Fixes issue where dynamic block render callbacks weren't being called on frontend despite being properly defined.

Checklist

  • Code follows WordPress coding standards
  • Template variables use proper modifiers (snakeCase)
  • Webpack config includes PHP file copying
  • All dynamic blocks updated consistently
  • Core registration logic enhanced

Summary by CodeRabbit

  • New Features

    • JSON-driven SCF registration for post types, taxonomies, and field groups
    • New Field Display block to show post/meta fields with optional prefix, bolding, and icon
    • Paragraph editor enhancement to add/edit prefixes in the editor

  • Bug Fixes & Improvements

    • Example block templates removed; guidance to use patterns or custom implementations
    • Consolidated plugin config into per-post-type structure and added JSON validation
    • Updated dev/start steps and build scripts for local development

  • Documentation

    • Expanded JSON/SCF guides, examples, migration and validation docs

krugazul and others added 30 commits January 9, 2026 14:54
@krugazul
fix: correct namespace escaping in plugin initialization comments and…
1afb350 
… function
@krugazul
fix: remove unnecessary blank lines at the beginning of class files
f737c7f
@krugazul
refactor: standardize class names by removing namespace prefixes in m…
6c262e4 
…ultiple files
@krugazul
refactor: update constructor and class references to remove namespace…
092b423 
… prefixes in multiple files
@krugazul
fix: remove unnecessary namespace declaration and update schema path …
5dc226b 
…in multiple files
@krugazul
fix: ensure supports property is an array in post type registration a…
5951e75 
…nd improve variable replacement handling in generator script
@krugazul
refactor: remove unused HTML markup and improve structure in multiple…
18502c9 
… pattern files
@krugazul
refactor: remove unnecessary comments from block.json files for card,…
7ca7c1f 
… collection, featured, and slider blocks
@krugazul
fix: update post type slug and template references to use correct pla…
226cce6 
…ceholders
@krugazul
Refactor {{cpt1_slug}} Collection Block
6ec4c26 
- Removed old {{cpt1_slug}}-collection block files (editor.scss, index.js, render.php, style.css, style.scss, view.js).
- Created new {{cpt_slug}}-collection block files with updated structure and naming conventions.
- Implemented editor and frontend styles using BEM methodology for better maintainability.
- Added extensibility features for filtering and sorting collections via JavaScript events.
- Updated block.json to reflect new attributes and context usage.
- Enhanced accessibility features including focus states and ARIA attributes.
Initial plan
06169f0
@krugazul
feat: Implement JSON-based post type loading system (#8)
dda9c1e 
- Add JSON_Loader class for loading post type configurations from JSON files
- Update Post_Types, Taxonomies, and Fields classes to support JSON-driven registration
- Create JSON Schema validation for post type configurations
- Add validation script with AJV integration
- Create comprehensive documentation and usage examples
- Maintain 100% backward compatibility with hardcoded registrations
- Support mustache templating for generator compatibility

Closes #8
@krugazul
refactor: Remove hardcoded registration methods for fields, post type…
d939f30 
…s, and taxonomies
@krugazul
refactor: Consolidate JSON loading into Content_Model_Manager
8c27806 
- Create unified Content_Model_Manager class to handle all JSON-based registration
- Loads all JSON files and registers ALL post types, taxonomies, and fields
- Post_Types, Taxonomies, and Fields classes now only provide hardcoded fallback
- Maintains 100% backward compatibility when no JSON files present
- Cleaner architecture with single point of JSON configuration management
@krugazul
refactor: Remove hardcoded fallback registration
e7ade1e 
- Post_Types, Taxonomies, and Fields classes now only hold constants
- All registration handled exclusively by Content_Model_Manager via JSON
- Cleaner, simpler architecture without fallback complexity
- Fields class still displays SCF dependency notice
@krugazul
refactor: Migrate custom post types and taxonomies to JSON-based regi…
b466cd7 
…stration
@krugazul
Refactor SCF JSON Schema and Generation Logic
839ca0c 
- Updated the schema path in SCF_JSON_Validator to point to the new location in .github/schemas.
- Deleted the old SCF JSON schema file from scf-json/schema.
- Added a new SCF JSON schema file in .github/schemas with the same content.
- Enhanced the generate-plugin script to create SCF JSON field group files based on plugin configuration.
- Implemented logic to generate SCF field group JSON structure, including field definitions and location rules.
@krugazul
refactor: Enhance JSON loading system for post types and taxonomies
f765a98
@krugazul
refactor: Update JSON schema and post type configuration to include s…
46dbbb4 
…upports, has_archive, hierarchical, and rewrite properties
@krugazul
refactor: Remove block templates and associated references from the p…
fe4fbd3 
…lugin
@krugazul
refactor: Reorganize name_singular and name_plural properties in JSON…
15d0295 
… schema
@krugazul
refactor: Update JSON schema and example configuration to support new…
3616d95 
… post types structure
@krugazul
refactor: Remove unused JSON style and configuration files for blocks…
15c90f4 
… and sections
@krugazul
refactor: Enhance plugin generator with post-type JSON file generatio…
507ca9d 
…n and update agent tools
@krugazul
refactor: Update workspace configuration and remove defensive coding …
4455eba 
…checks for ACF functions
@krugazul
refactor: Rename plugin initialization function for consistency and c…
9e463da 
…larity
@krugazul
refactor: Update plugin directory constant to improve consistency acr…
1905b5b 
…oss files
@krugazul
refactor: Update plugin constant names for consistency and clarity
4de6911
@krugazul
Remove example field group JSON files and update test paths; add comp…
80c987a 
…rehensive SCF field examples documentation
@krugazul
feat: Implement taxonomy mapping for post types in Content_Model_Manager
bd92251
krugazul added 12 commits January 27, 2026 09:05
@krugazul
feat: Update block.json files for slider and collection blocks to sta…
f7e8274 
…ndardize titles and categories, and unify styles
@krugazul
feat: Update block names to use dasherized slugs in block.json files …
ed9a7bd 
…for slider and collection blocks
@krugazul
feat: Update block slug references to use dasherized format for colle…
2916c9d 
…ction and slider blocks
@krugazul
Refactor {{cpt_slug}}-collection block: Remove old implementation and…
fd207fa 
… add new structure

- Deleted existing README.md, block.json, edit.js, render.php, and style files for {{cpt_slug}}-collection block.
- Introduced new files for {{block_slug}}-collection block with updated structure and functionality.
- Implemented editor and frontend styles using BEM conventions.
- Added extensibility features for DOM events and custom collection registration.
- Updated block registration and attributes in block.json.
- Enhanced editor component with inspector controls for better user experience.
@krugazul
feat: Add dynamic block imports generation in src/index.js for improv…
8f1457d 
…ed plugin structure
@krugazul
feat: Ensure render functions for collection and slider blocks are de…
0d70ebc 
…fined only once
@krugazul
feat: Implement block bindings system for custom field display
061a0cf 
- Enhanced Block_Bindings class to support post meta retrieval with optional prefix.
- Added REST API routes for fetching available fields per post type.
- Created dedicated field display blocks for each post type with inspector controls.
- Introduced paragraph prefix functionality with editor controls and visual display.
- Updated Webpack configuration to dynamically include JS files.
- Added comprehensive documentation for block bindings implementation and usage.
- Created new styles for editor and frontend display of field values.
@krugazul
feat: Refactor plugin generation to output post types and taxonomies …
d40de24 
…as individual JSON files in scf-json/ using Secure Custom Fields (SCF)
@krugazul
feat: Update plugin to use SCF Local JSON for post type and taxonomy …
c57dfc5 
…registration, enhancing maintainability and version control
@krugazul
feat: Remove unused REST API route registration and simplify field se…
26e1e89 
…lection in the field display block
@krugazul
feat: Update block rendering to use dynamic render functions and impr…
0f1dff2 
…ove file structure
@krugazul
feat: Enhance block registration to support dynamic rendering via blo…
008a290 
…ck.json and update Webpack config to copy render files
@coderabbitai
Copy link

coderabbitai bot commented Feb 2, 2026
edited
Loading

Note

.coderabbit.yml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1) 
Validation error: Unrecognized key(s) in object: '$schema', 'path_filters', 'auto_review', 'path_instructions'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
📝 Walkthrough

Walkthrough

Generator and docs shifted to JSON-first content modeling: generator now emits SCF/SCF-JSON and per-post-type JSON, many PHP registration classes and block templates removed, new SCF loader/validator, content-model manager, block-bindings, field-display block, paragraph-prefix editor enhancement, schemas, and validation tooling added.

Changes

Cohort / File(s) Summary
SCF / JSON content model
scf-json/*, post-types/*, docs/group_example_taxonomy_fields.json, .github/schemas/plugin-config.schema.json, .github/schemas/post-types.schema.json, docs/JSON-POST-TYPES.md, docs/SCF-EXAMPLES.md		 Introduces SCF-local JSON outputs and new schemas; plugin-config restructured to per-post-type arrays; added SCF examples and JSON-driven registration docs.
Generator & normalization
scripts/generate-plugin.js, scripts/fixtures/plugin-config.example.json, scripts/dry-run/**		 Generator rewritten to normalize legacy configs, emit per-post-type JSON/SCF groups, produce SCF field groups and post-type JSON files, and adjust mustache replacements; legacy-to-new migration logic added.
Validation tooling
scripts/validate-post-types.js, package.json		 Adds AJV-based validator for post-types JSON and npm script validate:post-types; integrates validation into validate:all.
Core SCF integration
inc/class-core.php, inc/class-scf-json.php, inc/class-scf-json-validator.php, inc/class-json-loader.php, inc/class-content-model-manager.php		 Core wired to load JSON descriptors on init; SCF_JSON adds load/save path hooks for post types/taxonomies and validator integration; content model manager added.
Removed PHP registration classes & templates
inc/class-post-types.php, inc/class-taxonomies.php, inc/class-fields.php, inc/class-block-templates.php, templates/*, template-parts/*		 Deleted hardcoded PHP registration and block-template classes and many template/template-part files—registration is now JSON-driven.
New & refactored classes
inc/class-block-bindings.php, inc/class-block-styles.php, inc/class-patterns.php, inc/class-repeater-fields.php, inc/class-options.php		 Added/refactored classes (simplified names); Block_Styles refactored for multiple definition shapes; Block_Bindings implemented with new render API and post-meta retrieval.
Blocks added (field-display, paragraph prefix)
src/blocks/{{block_slug}}-field-display/*, src/js/blocks/paragraph-prefix.js, docs/BLOCK-BINDINGS.md, docs/BLOCK-BINDINGS-IMPLEMENTATION-SUMMARY.md		 Adds Field Display block (editor + guarded PHP render), paragraph-prefix editor enhancement, block-bindings docs and implementation.
Blocks removed or migrated
src/blocks/*-card/*, src/blocks/*-featured/*, src/blocks/*-slider/*, src/blocks/*-collection/*, src/blocks/{{cpt1_slug}}-*/*		 Removed card/featured/legacy per-CPT block scaffolding; collection/slider manifests and entries updated to slug-based forms or are produced by generator.
Patterns & templates changes
patterns/{{slug}}-*.php, patterns/*, templates/*		 Simplified/removed specific block templates and card pattern entries; patterns moved toward item/pattern usage and away from per-block template files.
Styles & presets removed
styles/* (palette, presets, block styles, sections, typography)		 Removed several style/preset JSON files and some block-style artifacts.
Build & tooling
webpack.config.js, multi-block-plugin-scaffold.code-workspace, .gitignore		 Webpack: dynamic JS entries and CopyWebpackPlugin to copy per-block render.php; workspace/workspace paths updated; duplicate .gitignore entry added.
Docs, prompts & workflow
.github/*, docs/GENERATE_PLUGIN.md, IMPLEMENTATION-SUMMARY.md, SCF-JSON-REGISTRATION-CHANGES.md, CHANGELOG.md, .github/prompts/*		 Docs and prompts updated to describe three-array config, SCF JSON outputs, migration guidance, removal of block templates from highlights, and updated generation/startup steps (npm install/run start).
Tests & fixtures
tests/fixtures/plugin-config.example.json, tests/php/test-scf-json-schema-validation.php, tests/php/test-plugin-main.php		 Fixtures and tests updated to use new post_types format and docs fixtures; removal of test asserting block-templates class.
Helper utilities & icons
inc/helper-functions.php, src/blocks/icons/source-icons/README.md		 Adds sanitized SVG icon loader helper and icon-library README.
Field-display pattern tooling
.github/skills/field-display-pattern-generator.skill.md, .github/skills/spec-to-config.skill.md		 New skills/docs describing generation of field-display patterns from scf-json and spec-to-config conversion guidance.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Gen as Generator (scripts/generate-plugin.js)
    participant Schema as Schema/Validator (scripts/validate-post-types.js / .github/schemas)
    participant Files as SCF JSON (scf-json / post-types/)
    participant SCF as SCF_JSON (inc/class-scf-json.php)
    participant Core as Core (inc/class-core.php)
    participant Blocks as Block Bindings / Blocks (inc/class-block-bindings.php / src/blocks)

    Dev->>Gen: run generator with plugin-config.json
    Gen->>Schema: validate and normalize config
    Gen->>Files: emit post-type, taxonomy, and field-group JSON (scf-json/post-types/)
    Gen->>Files: emit patterns, block descriptors, and src block entries
    Schema->>Gen: report schema errors (fail/exit)
    Dev->>SCF: deploy plugin
    Core->>SCF: initialize on WP init, add load/save paths
    SCF->>Files: load JSON descriptors
    SCF-->>Core: provide loaded post types, taxonomies, fields
    Core->>Blocks: register bindings, enqueue editor assets
    Blocks->>Core: render field-display / paragraph-prefix at runtime via render callbacks
Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: fixing dynamic block render callbacks and PHP function names, which is the primary focus across multiple block files.
Docstring Coverage ✅ Passed Docstring coverage is 98.46% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feature/block-bindings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist
Copy link

gemini-code-assist bot commented Feb 2, 2026

Summary of Changes

Hello @krugazul, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a significant architectural shift by transitioning the plugin scaffold to a JSON-driven content model system. It addresses critical rendering issues for dynamic blocks, ensuring their proper functionality and extensibility. The changes streamline development workflows by automating file copying and enhancing block registration, providing a more robust and flexible foundation for future plugin development.

Highlights

  • JSON-Driven Content Models: Introduced a new JSON-based system for defining and registering WordPress post types, taxonomies, and custom fields. This declarative approach uses JSON files in a dedicated post-types/ directory, enhancing maintainability and version control.
  • Dynamic Block Rendering Fixes: Resolved issues with dynamic block rendering by correctly configuring render callbacks, ensuring PHP function names use underscores instead of hyphens, and updating block.json files to directly reference these functions. This ensures field display, collection, and slider blocks render properly on the frontend.
  • Webpack Configuration for PHP Files: Enhanced the Webpack configuration with CopyWebpackPlugin to automatically copy render.php files from src/blocks/ to build/blocks/ during the build process, addressing a previous oversight where these essential files were not being included.
  • Core Block Registration Logic: Updated the register_blocks() method in the core class to explicitly require_once render.php files before registration and to pass the render_callback argument to register_block_type(), ensuring WordPress correctly invokes the PHP render functions.
  • JavaScript Block Registration for Dynamic Blocks: Added save: () => null to dynamic block registrations, explicitly marking them as server-side rendered and preventing WordPress from saving static HTML content for these blocks.
  • Block Bindings Enhancements: Implemented a comprehensive block bindings system allowing custom field values to be displayed in core blocks (like Paragraph) with optional prefix text. This includes new per-CPT field display blocks and a JavaScript filter for editor controls.
  • Refactored Plugin Generation Logic: The generate-plugin.js script has been significantly refactored to support the new multi-post-type JSON structure, dynamically generate per-CPT blocks, and create src/index.js with block imports, streamlining the plugin scaffolding process.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Feb 2, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 061a0cff45

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

src/blocks/{{block_slug}}-field-display/render.php Outdated
Comment on lines 21 to 25
function {{namespace}}_render_{{block_slug}}_field_display( $attributes, $content, $block ) {
// Get post ID from context or current post.
$post_id = isset( $block->context['postId'] ) ? (int) $block->context['postId'] : get_the_ID();

if ( ! $post_id ) {
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Return markup from render.php, not just a function

Because block.json sets "render": "file:./render.php", WordPress expects this file to return the rendered HTML directly. This file only declares {{namespace}}_render_{{block_slug}}_field_display() and never returns anything at file scope, so the render callback returns 1/empty and the block renders blank. Either change the render value to the function name and ensure it is loaded, or make render.php return the markup.

Useful? React with 👍 / 👎.

coderabbitai[bot]
coderabbitai bot requested changes Feb 2, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 15

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (7)
inc/class-scf-json-validator.php (1)

10-11: ⚠️ Potential issue | 🟡 Minor

Duplicate @package directive in docblock.

The file header contains two @package directives:

  • @package example_plugin (Line 10)
  • @package {{namespace}} (Line 11)

Remove the hardcoded example_plugin line to maintain the scaffold's reusability.

Proposed fix 
- * `@package` example_plugin
  * `@package` {{namespace}}
.github/instructions/playwright-tests.instructions.md (1)

196-218: ⚠️ Potential issue | 🟡 Minor

Inconsistent block name references within test example.

The test example has mixed terminology:

  • Line 208: {{name}} Custom (search text)
  • Line 212: {{name}} Card (option name)
  • Line 216: {{name}} Card (document name)

For consistency, update all references to use the same naming pattern.

Proposed fix 
 		await test.step('Insert block', async () => {
-			await page.getByRole('option', { name: '{{name}} Card' }).click();
+			await page.getByRole('option', { name: '{{name}} Custom' }).click();
 		});

 		await test.step('Verify block inserted', async () => {
-			await expect(page.getByRole('document', { name: /{{name}} Card/ })).toBeVisible();
+			await expect(page.getByRole('document', { name: /{{name}} Custom/ })).toBeVisible();
 		});
docs/README.md (1)

83-83: ⚠️ Potential issue | 🟡 Minor

Malformed Markdown heading.

Line 83 shows -## Agent & Automation with a leading hyphen before the heading marker. This will render incorrectly in Markdown as a list item containing heading text rather than a proper section heading.

📝 Fix the heading format 
--## Agent & Automation
-
+## Agent & Automation
+
inc/class-repeater-fields.php (3)

5-10: ⚠️ Potential issue | 🟡 Minor

Package tag uses hardcoded value instead of placeholder.

The @package DocBlock tag uses a hardcoded example_plugin instead of the mustache placeholder, breaking scaffold reusability.

📝 Proposed fix 
 /**
  * Repeater and Flexible Content Fields using Secure Custom Fields.
  *
- * `@package` example_plugin
+ * `@package` {{textdomain}}
  * `@see` https://wordpress.org/plugins/secure-custom-fields/
  * `@since` 1.0.0
  */

As per coding guidelines: "Ensure all plugin class files use mustache-style placeholders."

91-101: ⚠️ Potential issue | 🟠 Major

Post type value is hardcoded.

The location rule uses hardcoded 'example-plugin' instead of the {{slug}} placeholder, which will cause the field group to target the wrong post type in generated plugins.

🐛 Proposed fix 
 				'location' => array(
 					array(
 						array(
 							'param'    => 'post_type',
 							'operator' => '==',
-							'value'    => 'example-plugin',
+							'value'    => '{{slug}}',
 						),
 					),
 				),

103-182: ⚠️ Potential issue | 🟠 Major

Entire second field group uses hardcoded values instead of placeholders.

The "Flexible Content Field Group for sections" (lines 103-182) uses hardcoded values throughout: group_example_plugin_sections, 'example-plugin' text domain, field_example_plugin_* keys, and 'example-plugin' post type. This breaks the scaffold's reusability.

All occurrences need to be replaced with mustache placeholders consistent with the first field group.

🐛 Key replacements needed 
 		acf_add_local_field_group(
 			array(
-				'key'      => 'group_example_plugin_sections',
-				'title'    => __( 'Item Sections', 'example-plugin' ),
+				'key'      => 'group_{{namespace}}_sections',
+				'title'    => __( 'Item Sections', '{{textdomain}}' ),
 				'fields'   => array(
 					array(
-						'key'          => 'field_example_plugin_sections',
-						'label'        => __( 'Content Sections', 'example-plugin' ),
-						'name'         => 'example_plugin_sections',
+						'key'          => 'field_{{namespace}}_sections',
+						'label'        => __( 'Content Sections', '{{textdomain}}' ),
+						'name'         => '{{namespace}}_sections',

Apply similar replacements to all keys, names, text domains, and the location post_type value throughout lines 103-182.

As per coding guidelines: "Always use {{variable}} format with double curly braces for mustache template placeholders."

src/blocks/{{block_slug}}-collection/edit.js (1)

39-46: ⚠️ Potential issue | 🟡 Minor

Consider adding _embed parameter to fetch featured media.

The code accesses post._embedded?.['wp:featuredmedia'] but the getEntityRecords call doesn't include the _embed parameter needed to populate this data.

🐛 Proposed fix to include embedded data 
 const posts = useSelect(
 	(select) => {
 		return select('core').getEntityRecords('postType', postType, {
 			per_page: postsToShow,
+			_embed: true,
 		});
 	},
 	[postType, postsToShow]
 );
🤖 Fix all issues with AI agents 
In @.github/schemas/plugin-config.schema.json:
- Around line 681-696: The "blocks" schema's default contains
["collection","slider"] but the "items.enum" only lists "collection", causing
the default to fail validation; update the "blocks" property's "items.enum" (the
enum under the "blocks" definition) to include "slider" as an allowed string (or
alternatively change the "default" to only use values present in the enum) so
the default passes validation—refer to the "blocks" property and its
"items.enum" entry to make the change.
- Around line 137-142: The schema's "post_types" definition has a conflicting
"default": [] and "minItems": 1 causing the default to fail validation; update
the "post_types" entry to make them consistent by either removing "minItems" or
supplying a non-empty default array (e.g., include one default post type string)
so the default satisfies the constraint; target the "post_types" schema object
and adjust the "minItems" or "default" property accordingly.

In `@inc/class-block-bindings.php`:
- Line 10: The class declaration uses Block_Bindings which lacks the required
PascalCase namespace prefix; rename the class to
{{namespace|pascalCase}}_Block_Bindings and update all internal references
accordingly (e.g., any instantiation, type hints, static calls, or class_exists
checks referencing Block_Bindings) to the new
{{namespace|pascalCase}}_Block_Bindings identifier so the class name follows the
project's PascalCase namespace convention.

In `@inc/class-content-model-manager.php`:
- Around line 381-382: Remove the file-level static initialization call
Content_Model_Manager::init() to avoid duplicate initialization because an
instance is already created via new Content_Model_Manager() in class-core.php;
locate and delete the standalone Content_Model_Manager::init(); invocation
(leaving the class and its init method intact) so initialization happens only
through the class constructor/normal instantiation.
- Around line 42-53: The class is being initialized twice because the init()
method is invoked both at file-include time and again from
Content_Model_Manager::__construct(), causing two add_action registrations that
call load_and_register(); remove the file-level/init-at-include-time invocation
so that the single initialization happens when Core instantiates the class (new
Content_Model_Manager()), or alternatively remove the call to self::init() from
__construct() so init() is only executed once—ensure only one of
Content_Model_Manager::__construct() or Content_Model_Manager::init() is invoked
and that load_and_register is registered exactly once.

In `@inc/class-json-loader.php`:
- Around line 44-49: The json path in load_configurations() is computed
incorrectly by using dirname( dirname( __DIR__ ) ) which climbs two directories;
update the calculation for $json_path inside the load_configurations() method to
use dirname( __DIR__ ) .'/post-types/' so the path resolves from the plugin root
when this file (inc/class-json-loader.php) is in the inc/ directory; ensure you
update the $json_path assignment (and any related path logic) accordingly.
- Around line 216-217: Remove the file-level side-effect call to
JSON_Loader::init() at the bottom of inc/class-json-loader.php and instead
invoke JSON_Loader::init() from the central bootstrap path (for example from the
Core class during initialization). Concretely: delete the standalone
JSON_Loader::init() call in the class file and add a call to JSON_Loader::init()
inside the Core initialization flow (e.g., Core::__construct or a dedicated
Core::init_json_loader() method) so the JSON_Loader class is only initialized
explicitly by the bootstrap/Core rather than on file include.

In `@inc/class-scf-json-validator.php`:
- Line 27: Rename the class declaration SCF_JSON_Validator to
{{namespace|pascalCase}}_SCF_JSON_Validator and update every reference to that
symbol (instantiations, class_exists checks, type hints, extends/implements,
docblocks and any static method calls) to use the new name; ensure the class
name in the declaration (class SCF_JSON_Validator) is replaced with class
{{namespace|pascalCase}}_SCF_JSON_Validator and run a project-wide
search/replace for SCF_JSON_Validator to avoid broken references.

In `@inc/class-scf-json.php`:
- Line 27: Rename the class SCF_JSON to include the project's PascalCase
namespace prefix (restore it to {{namespace|pascalCase}}_SCF_JSON) so it follows
the coding guidelines and avoids collisions; update the class declaration (class
SCF_JSON) and any references/instantiations or static usage of SCF_JSON
throughout the codebase to the new prefixed name
({{namespace|pascalCase}}_SCF_JSON) to ensure consistency.

In `@scripts/validate-post-types.js`:
- Around line 33-35: Update the schemaPath to point to the actual schema file by
changing schemaPath (and postTypesDir if used) to path.join(__dirname,
'../.github/schemas/post-types.schema.json') so the existence check for
"schema.json not found!" succeeds; then add file-based logging that writes
INFO/WARN/ERROR messages to a file named
logs/validate-post-types-{timestamp}.log (create logs dir if missing), using the
same logger used elsewhere or a simple fs append wrapper in this script, and
ensure validation output paths and functions (e.g., any validateSchema or main
validation routine) write appropriate INFO for successes, WARN for recoverable
issues, and ERROR for fatal validation failures to that log file.

In `@src/blocks/`{{block_slug}}-collection/block.json:
- Line 5: Replace the invalid custom category placeholder in each block.json by
setting the "category" field to the validated core-category placeholder: change
"category": "{{slug}}" to "category": "{{block_category}}" in the three files
(the {{block_slug}}-collection/block.json,
{{block_slug}}-field-display/block.json, and {{block_slug}}-slider/block.json)
so the category value is constrained to one of WordPress core categories (text,
media, design, widgets, theme, embed); ensure the placeholder {{block_category}}
is wired to only accept those core values where the block scaffolding injects
configuration.
- Around line 1-9: The block.json for the "{{slug}}/{{block_slug}}-collection"
block is missing required metadata and has invalid entries; add a top-level
"$schema" string and a numeric "version" field, trim the "keywords" array to at
most three relevant items (e.g., keep "collection", "{{cpt_slug}}", "query"),
and enable typography support by adding "supports": {"spacing": true,
"typography": true} (or merging into an existing supports object) so the block
adheres to schema validation and block.json conventions.

In `@src/blocks/`{{block_slug}}-field-display/editor.scss:
- Around line 7-18: Rename the CSS selectors to use the plugin namespace and BEM
element naming: change the wrapper selector from
.wp-block-{{slug}}-{{block_slug}}-field-display to
.wp-block-{{namespace}}-{{block_slug}}-field-display (replace {{slug}} with
{{namespace}}) and change the inner .field-display-value to a namespace-prefixed
BEM element like .{{namespace}}-field-display__value; update the corresponding
markup class names in index.js and render.php to match these new selectors so
the CSS and templates stay in sync.

In `@src/blocks/`{{block_slug}}-field-display/style.css:
- Around line 7-12: The block uses inconsistent wp-block prefix and a
non-namespaced inner class: update the selectors and markup to use the
namespace-prefixed BEM element for the inner field (replace occurrences of class
"field-display-value" with a namespaced BEM element, e.g.
"namespace-{{block_slug}}__field-display-value") and change the block wrapper
selector from ".wp-block-{{slug}}-{{block_slug}}-field-display" to the matching
namespace form (e.g. ".wp-block-{{namespace}}-{{block_slug}}-field-display");
update all references in render markup (class="field-display-value"), JS
(className="field-display-value") and CSS selectors (.field-display-value) to
the new namespaced BEM class so they remain consistent.

In `@src/blocks/`{{block_slug}}-slider/render.php:
- Around line 14-17: The current render returns a hardcoded wrapper so editor
settings (align, customClassName, spacing, color) are not applied; replace the
static wrapper with attributes from get_block_wrapper_attributes() by calling
get_block_wrapper_attributes() (e.g., $wrapper_attributes =
get_block_wrapper_attributes()) and using it on the block container instead of
the hardcoded class "wp-block-{{namespace}}-{{block_slug}}-slider", keeping the
inner content (esc_html__( 'Slider block output.', '{{textdomain}}' )) intact so
alignment, custom classes and inline styles from the editor are output on the
front end.
🟡 Minor comments (24)
src/blocks/{{block_slug}}-collection/README.md-8-8 (1)

8-8: ⚠️ Potential issue | 🟡 Minor

Align placeholder naming for consistency.

This line now uses {{cpt_slug}} while the title/heading still use {{CPT1 Collection}}. Consider standardizing the placeholder naming across the README to avoid confusion during scaffolding.

multi-block-plugin-scaffold.code-workspace-5-11 (1)

5-11: ⚠️ Potential issue | 🟡 Minor

Remove machine-specific paths from version-controlled workspace file.

These paths (../../../../../../medicalacademic/app/public/wp-content/plugins and /themes) are specific to a local development environment and will not exist for other contributors. The workspace file is already listed in .gitignore (lines 67-68), suggesting it should not be committed with these local paths.

Either:

  1. Remove these machine-specific folder entries before committing, or
  2. Ensure the workspace file remains untracked per the .gitignore entry
Proposed fix to remove local paths 
 	"folders": [
 		{
 			"path": "."
-		},
-		{
-			"path": "../../../../../../medicalacademic/app/public/wp-content/plugins"
-		},
-		{
-			"path": "../../../../../../medicalacademic/app/public/wp-content/themes"
 		}
 	],
src/blocks/{{block_slug}}-collection/style.scss-2-4 (1)

2-4: ⚠️ Potential issue | 🟡 Minor

Duplicate comment header.

Lines 2-4 contain a duplicate of the file header comment. Remove the duplication.

Proposed fix 
 // Frontend SCSS for {{block_slug}}-collection block
-// Accessible, responsive, and theme-friendly
-// Frontend SCSS for {{block_slug}}-collection block
 // Accessible, responsive, and theme-friendly
inc/class-block-bindings.php-157-163 (1)

157-163: ⚠️ Potential issue | 🟡 Minor

Add sanitize_callback to REST endpoint args.

The REST route registration includes validate_callback but is missing sanitize_callback. Per coding guidelines, REST endpoint registrations should include sanitization.

Proposed fix 
 'args' => array(
     'post_type' => array(
         'required'          => true,
         'validate_callback' => function ( $param ) {
             return is_string( $param ) && post_type_exists( $param );
         },
+        'sanitize_callback' => 'sanitize_key',
     ),
 ),
CHANGELOG.md-143-143 (1)

143-143: ⚠️ Potential issue | 🟡 Minor

Changelog entry placement may need adjustment.

The block template removal note is placed under [1.0.0] (the initial release section), but this change is part of the current PR. Consider moving this to the [Unreleased] section at the top of the file, or creating a new version section if this constitutes a breaking change.

📝 Move to Unreleased section

Move the block template removal documentation to line 10 under ## [Unreleased]:

## [Unreleased]

### Changed

- **Block templates removed** - Blocks should now be implemented as patterns or custom code. The scaffold focuses on providing robust CPT, taxonomy, and field generation.
scripts/generate-plugin.js-533-541 (1)

533-541: ⚠️ Potential issue | 🟡 Minor

Potential single-quote injection in array-to-PHP conversion.

When converting arrays to PHP-style quoted strings, single quotes within array values are not escaped. If a value contains a single quote (e.g., "it's"), the generated PHP code will have a syntax error.

🛡️ Proposed fix to escape single quotes 
 	// Handle arrays by converting to quoted, comma-separated strings for PHP
 	if (Array.isArray(value)) {
-		return value.map(item => `'${item}'`).join(', ');
+		return value.map(item => `'${String(item).replace(/'/g, "\\'")}'`).join(', ');
 	}
scripts/generate-plugin.js-959-1024 (1)

959-1024: ⚠️ Potential issue | 🟡 Minor

String replacement approach may cause unintended substitutions.

The sequential replace() calls on Lines 1007-1010 can cause cascading replacements if post type names contain substrings of each other. For example, if firstPostType.slug is "post" and postType.slug is "blog_post", the replacement could affect unintended parts of the content.

Consider using word-boundary-aware replacements or a single-pass replacement strategy to avoid this risk.

🔧 Suggested approach using word boundaries 
-				// Replace the first post type's slug with the current post type's slug
-				// Handle both underscore version (for variables) and dash version (for block names)
-				content = content.replace(new RegExp(firstCPTDasherized, 'g'), currentCPTDasherized);
-				content = content.replace(new RegExp(firstPostType.slug, 'g'), postType.slug);
-				content = content.replace(new RegExp(firstPostType.singular, 'g'), postType.singular);
-				content = content.replace(new RegExp(firstPostType.plural, 'g'), postType.plural);
+				// Replace the first post type's slug with the current post type's slug
+				// Use word boundaries to prevent partial matches
+				const escapeRegex = (str) => str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+				content = content.replace(new RegExp(`\\b${escapeRegex(firstCPTDasherized)}\\b`, 'g'), currentCPTDasherized);
+				content = content.replace(new RegExp(`\\b${escapeRegex(firstPostType.slug)}\\b`, 'g'), postType.slug);
+				content = content.replace(new RegExp(`\\b${escapeRegex(firstPostType.singular)}\\b`, 'g'), postType.singular);
+				content = content.replace(new RegExp(`\\b${escapeRegex(firstPostType.plural)}\\b`, 'g'), postType.plural);
docs/BLOCK-BINDINGS.md-102-109 (1)

102-109: ⚠️ Potential issue | 🟡 Minor

Add language specifier to fenced code block.

The code block at line 102 is missing a language specifier. Since this shows WordPress block markup, consider using html or text for proper syntax highlighting and to satisfy linting requirements.

📝 Proposed fix 
-```
+```html
 <!-- wp:{{slug}}/webinar-field-display {
   "fieldKey": "event_date",
   "prefix": "Date:",
   "prefixBold": true,
   "fallbackText": "Date TBA"
 } /-->
</details>

</blockquote></details>
<details>
<summary>docs/group_example_taxonomy_fields.json-1-10 (1)</summary><blockquote>

`1-10`: _⚠️ Potential issue_ | _🟡 Minor_

**Field keys should use namespace prefix for uniqueness.**

The field group and field keys use hardcoded prefixes (`group_example_`, `field_tax_`) instead of namespace placeholders. Per coding guidelines, ACF/SCF JSON files must use namespace-prefixed keys to ensure uniqueness across different generated plugins.


<details>
<summary>📝 Suggested namespace-prefixed keys</summary>

```diff
 {
-  "key": "group_example_taxonomy_fields",
+  "key": "group_{{namespace}}_taxonomy_fields",
   "title": "Example: Taxonomy Term Fields",
   "description": "Example field group demonstrating custom fields for taxonomy terms. Includes default fields (thumbnail, subtitle) plus additional custom fields.",
   "fields": [
     {
-      "key": "field_tax_thumbnail",
-      "name": "thumbnail_id",
+      "key": "field_{{namespace}}_tax_thumbnail",
+      "name": "{{namespace}}_thumbnail_id",

Apply similar changes to all field keys and names throughout the file.

As per coding guidelines: "ACF/SCF JSON field group files must use namespace-prefixed keys and names."

.github/skills/spec-to-config.skill.md-163-165 (1)

163-165: ⚠️ Potential issue | 🟡 Minor

Fix table separator spacing (MD060).

The separator row lacks spaces around pipes for the compact table style.

✅ Markdownlint-compliant spacing 
-|-----------|----------|-------|
+| --------- | -------- | ----- |
docs/JSON-POST-TYPES.md-1-5 (1)

1-5: ⚠️ Potential issue | 🟡 Minor

Add required frontmatter to this doc.

Docs under docs/ must include YAML frontmatter with title, description, category, type, audience, and date.

🧾 Example frontmatter 
+---
+title: "JSON-Based Post Type Loading System"
+description: "Guide to JSON-based post types, taxonomies, and fields."
+category: "architecture"
+type: "guide"
+audience: "developers"
+date: "2026-02-02"
+---
+
 # JSON-Based Post Type Loading System

As per coding guidelines: "docs/**/*.md: All markdown documentation files must include frontmatter with: title, description, category, type, audience, and date (YYYY-MM-DD format)."

docs/JSON-POST-TYPES.md-19-32 (1)

19-32: ⚠️ Potential issue | 🟡 Minor

Specify a language for the file-structure code fence.

markdownlint flags fenced blocks without a language specifier.

🔧 Suggested fix 
-```
+```text
 block-plugin-scaffold/
 ├── post-types/
 │   ├── README.md           # Documentation for JSON configurations
@@
-```
+```
src/blocks/{{block_slug}}-field-display/block.json-21-37 (1)

21-37: ⚠️ Potential issue | 🟡 Minor

Add anchor support for deep linking.

Enable anchor support so editors can link to this block instance.

🔗 Suggested addition 
 	"supports": {
 		"html": false,
+		"anchor": true,
 		"align": true,

As per coding guidelines: "Enable anchor support for deep linking capability in block.json."

src/blocks/{{block_slug}}-field-display/block.json-7-15 (1)

7-15: ⚠️ Potential issue | 🟡 Minor

Fix category and trim keywords to 3 items.

Line 7: category is set to "{{slug}}", a placeholder variable. It must be a core category: text, media, design, widgets, theme, or embed.

Lines 10-15: The keywords array contains 4 items; it should not exceed 3 per the coding guidelines.

Example adjustment 
-	"category": "{{slug}}",
+	"category": "widgets",
@@
-	"keywords": [
-		"field",
-		"meta",
-		"custom",
-		"{{cpt_slug}}"
-	],
+	"keywords": [
+		"field",
+		"meta",
+		"custom"
+	],
docs/SCF-EXAMPLES.md-7-7 (1)

7-7: ⚠️ Potential issue | 🟡 Minor

Inconsistent dates in frontmatter and footer.

The frontmatter date (line 7) shows 2026-01-26 while the footer (line 392) shows Last Updated: 2026-01-23. Consider aligning these for consistency.

Also applies to: 391-392

src/blocks/{{block_slug}}-field-display/render.php-52-55 (1)

52-55: ⚠️ Potential issue | 🟡 Minor

Handle nested arrays defensively.

If $field_value contains nested arrays, implode() will produce warnings. Consider flattening or filtering non-string values.

🛡️ Proposed fix 
 		// Handle array values.
 		if ( is_array( $field_value ) ) {
-			$field_value = implode( ', ', array_filter( $field_value ) );
+			$field_value = implode(
+				', ',
+				array_filter(
+					$field_value,
+					function ( $item ) {
+						return is_scalar( $item );
+					}
+				)
+			);
 		}
inc/class-core.php-83-84 (1)

83-84: ⚠️ Potential issue | 🟡 Minor

Use namespace placeholder in filter name.

The filter name is hardcoded as 'example-plugin_blocks_dir' which breaks scaffold reusability. It should use the namespace placeholder to ensure consistency across generated plugins.

🔧 Proposed fix 
 		$default_dir = {{namespace|upper}}_DIR . 'build/blocks/';
-		$blocks_dir = apply_filters( 'example-plugin_blocks_dir', $default_dir );
+		$blocks_dir = apply_filters( '{{slug}}_blocks_dir', $default_dir );

As per coding guidelines: "Ensure all plugin class files use mustache-style placeholders like {{namespace}}, {{slug}}, {{textdomain}}, {{name}} and do not hard-code values to keep the scaffold reusable."

src/js/blocks/paragraph-prefix.js-50-69 (1)

50-69: ⚠️ Potential issue | 🟡 Minor

Wrap user-facing strings with translation functions.

The label and help text strings should use WordPress i18n functions for localization support, consistent with the coding guidelines.

🌐 Proposed fix 
+const { __ } = wp.i18n;
+
 // Inside withInspectorControls:
 el(TextControl, {
-	label: 'Prefix Text',
+	label: __('Prefix Text', '{{textdomain}}'),
 	value: prefix,
 	onChange(value) {
 		props.setAttributes({
 			prefix: value,
 		});
 	},
-	help: 'Text to display before the field value (e.g., "Price:", "From:").',
+	help: __('Text to display before the field value (e.g., "Price:", "From:").', '{{textdomain}}'),
 }),
 el(CheckboxControl, {
-	label: 'Bold Prefix',
+	label: __('Bold Prefix', '{{textdomain}}'),
 	checked: prefixBold,
 	onChange(value) {
 		props.setAttributes({
 			prefixBold: value,
 		});
 	},
-	help: 'Make the prefix text bold.',
+	help: __('Make the prefix text bold.', '{{textdomain}}'),
 })
inc/class-block-styles.php-143-146 (1)

143-146: ⚠️ Potential issue | 🟡 Minor

Dynamic string in translation function prevents proper localization.

Using a variable ($label) as the first argument to __() prevents translation tools from extracting these strings. Translation extraction tools like WP-CLI's wp i18n make-pot cannot detect dynamic strings.

Consider one of these approaches:

  1. If labels come from JSON files, ensure those JSON files are processed by your translation workflow
  2. Use _x() with a static context if the set of possible values is known
  3. Document that style labels in JSON should use translation-ready keys that map to pre-translated strings
src/blocks/{{block_slug}}-collection/render.php-14-16 (1)

14-16: ⚠️ Potential issue | 🟡 Minor

Hardcoded "CPT1" text should use a template variable.

The comment on line 14 and the output string on line 16 contain hardcoded "CPT1" which appears to be a placeholder that should be templated (e.g., {{cpt_name}} or {{name}}).

docs/BLOCK-BINDINGS-IMPLEMENTATION-SUMMARY.md-1-6 (1)

1-6: ⚠️ Potential issue | 🟡 Minor

Missing required frontmatter.

Per coding guidelines, all markdown documentation files in docs/ must include frontmatter with: title, description, category, type, audience, and date (YYYY-MM-DD format).

📝 Suggested frontmatter 
+---
+title: Block Bindings Implementation Summary
+description: Summary of the block bindings system implementation for displaying custom field values with optional prefix text
+category: Development
+type: Reference
+audience: Developers
+date: 2026-01-28
+---
+
 # Block Bindings Implementation Summary
docs/BLOCK-BINDINGS-IMPLEMENTATION-SUMMARY.md-217-217 (1)

217-217: ⚠️ Potential issue | 🟡 Minor

Fix relative link path.

Since this file is in the docs/ directory, the link should use ./BLOCK-BINDINGS.md rather than docs/BLOCK-BINDINGS.md.

📝 Suggested fix 
-- [Block Bindings Guide](docs/BLOCK-BINDINGS.md) - Complete usage documentation
+- [Block Bindings Guide](./BLOCK-BINDINGS.md) - Complete usage documentation
docs/BLOCK-BINDINGS-IMPLEMENTATION-SUMMARY.md-186-187 (1)

186-187: ⚠️ Potential issue | 🟡 Minor

Typo in filename.

Line 186 lists edit or.scss which appears to be a typo for editor.scss.

📝 Suggested fix 
-4. `src/blocks/{{block_slug}}-field-display/edit or.scss`
+4. `src/blocks/{{block_slug}}-field-display/editor.scss`
src/blocks/{{block_slug}}-collection/block.json-8-8 (1)

8-8: ⚠️ Potential issue | 🟡 Minor

Trim keywords to max 3 items.

The keywords list has 9 items but should be limited to 3 for discoverability. Keep only the most essential keywords.

Proposed fix 
-  "keywords": ["collection", "list", "{{cpt_slug}}", "query", "posts", "extensible", "event", "filter", "sort"],
+  "keywords": ["collection", "{{cpt_slug}}", "query"],
🧹 Nitpick comments (33)
.gitignore (1)

67-68: Remove duplicate .gitignore entry.

The workspace file is listed twice. One entry is sufficient.

Proposed fix 
 tests/test-plugin-build/
 tests/test-theme-build/
 multi-block-plugin-scaffold.code-workspace
-multi-block-plugin-scaffold.code-workspace
.github/instructions/folder-structure.instructions.md (1)

191-193: Inconsistent block naming pattern within document.

The updated block location pattern src/blocks/{block-name}/ (Line 191) conflicts with the JavaScript Blocks section at Line 289 which still references src/blocks/{{slug}}-block-name/edit.js. This inconsistency could confuse developers.

Additionally, the coding guidelines specify that block implementations should be placed in src/blocks/{{slug}}-{block-name}/ with the namespace prefix. Consider either:

  1. Updating Line 289 to match the new convention, or
  2. Reverting to the prefixed pattern if consistency with existing guidelines is required.
src/blocks/{{block_slug}}-collection/style.scss (2)

66-68: Improve focus visibility for pagination buttons.

The focus outline on pagination buttons uses outline: 2px solid var(--wp--preset--color--primary) which may not provide sufficient contrast against the button's background of the same primary color. Consider adding outline-offset to ensure the focus indicator is visible.

Proposed fix 
       &:focus {
-        outline: 2px solid var(--wp--preset--color--primary, `#007cba`);
+        outline: 2px solid var(--wp--preset--color--foreground, `#333`);
+        outline-offset: 2px;
       }

25-25: Add reduced-motion preference for transitions.

The transition on .{{block_slug}}-collection__item should respect users who prefer reduced motion. As per coding guidelines, styles should "respect prefers-reduced-motion preference".

Proposed fix - add after the closing brace of the main block 
`@media` (prefers-reduced-motion: reduce) {
  .#{ $wp-block } {
    &__item {
      transition: none;
    }
  }
}
inc/class-block-bindings.php (1)

205-205: Add PHPCS ignore comment for file_get_contents.

For consistency with other file reads in the codebase (e.g., line 108 in class-scf-json-validator.php), add the PHPCS ignore comment.

Proposed fix 
-            $json_data = json_decode( file_get_contents( $file ), true );
+            $json_data = json_decode( file_get_contents( $file ), true ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
scripts/generate-plugin.js (1)

912-932: JSDoc missing @since and @return tags.

The new utility functions (generatePerCPTBlocks, generateSrcIndexFile, generatePostTypeJSONFiles, etc.) have JSDoc comments but are missing @since tags (required per coding guidelines) and @return tags where applicable. This applies to functions starting at lines 912, 1034, 1089, 1188, and 1407.

📝 Example fix for generatePerCPTBlocks 
 /**
  * Generate per-CPT blocks from {{cpt_slug}} templates
  * Duplicates block templates that contain {{cpt_slug}} for each registered post type
+ *
  * `@param` {string} outputDir - Output directory path
  * `@param` {Object} config - Plugin configuration
+ * `@return` {void}
+ * `@since` 1.2.0
  */
src/blocks/{{block_slug}}-collection/style.css (1)

6-11: Namespace the --collection-columns custom property.

Consider prefixing the custom property to avoid global collisions and align with the namespace conventions used elsewhere in the block.

♻️ Proposed tweak 
-  grid-template-columns: repeat(var(--collection-columns, 3), 1fr);
+  grid-template-columns: repeat(var(--{{namespace}}-collection-columns, 3), 1fr);

As per coding guidelines: CSS/SCSS root-level custom properties must use namespace prefix in the variable name (e.g., --{{namespace}}-primary-color, --{{namespace}}-spacing).

scripts/validate-post-types.js (1)

17-115: Add log file output for validation reports.

This script produces a validation report but only writes to stdout. Please log to logs/{source}-{type}-{timestamp}.log with ERROR/WARN/INFO/DEBUG levels to meet automation reporting standards.

As per coding guidelines: When generating reports via scripts or automation, log execution to logs/{source}-{type}-{timestamp}.log with log levels: ERROR, WARN, INFO, DEBUG.

src/blocks/{{block_slug}}-collection/index.js (1)

16-20: Consider adding explicit save: () => null for dynamic block clarity.

Based on the PR objectives, dynamic blocks should explicitly use save: () => null to prevent static HTML saving. While spreading metadata may include this from block.json, explicitly declaring it here improves clarity and ensures the block is treated as dynamic.

♻️ Suggested improvement 
 // Register the block
 registerBlockType(metadata.name, {
 	...metadata,
 	edit: Edit,
+	save: () => null,
 });
src/blocks/{{block_slug}}-field-display/style.scss (1)

8-14: Consider adding namespace prefix to inner element class.

The .field-display-value class lacks the namespace prefix required by coding guidelines. Per the guidelines, all element classes should use namespace prefix following BEM convention.

♻️ Suggested BEM-compliant naming 
 .wp-block-{{slug}}-{{block_slug}}-field-display {
-	.field-display-value {
+	&__value {
 		margin: 0;
 		
 		strong {
 			font-weight: 700;
 		}
 	}
 }

This produces .wp-block-{{slug}}-{{block_slug}}-field-display__value which follows BEM element naming with the block's namespace prefix.

As per coding guidelines: "CSS/SCSS selectors must follow BEM naming convention with namespace prefix."

src/blocks/{{block_slug}}-collection/editor.scss (2)

30-45: Avoid double-element BEM selectors for item sub-elements.

Nesting &__title, &__excerpt, and &__meta under &__item generates .block__item__title, which is off-pattern. Prefer &-title/&-excerpt/&-meta for .block__item-title, etc.

♻️ Suggested refactor 
-    &__title {
+    &-title {
       font-size: var(--wp--preset--font-size--large, 1.25rem);
       font-weight: bold;
       margin: 0 0 var(--wp--preset--spacing--10, 1rem) 0;
       color: var(--wp--preset--color--primary, `#007cba`);
     }
-    &__excerpt {
+    &-excerpt {
       color: var(--wp--preset--color--foreground, `#333`);
       font-size: var(--wp--preset--font-size--small, 1rem);
       margin-bottom: var(--wp--preset--spacing--10, 1rem);
     }
-    &__meta {
+    &-meta {
       color: var(--wp--preset--color--muted, `#888`);
       font-size: var(--wp--preset--font-size--tiny, 0.9rem);
       margin-top: auto;
     }

As per coding guidelines: "CSS/SCSS selectors must follow BEM naming convention with namespace prefix: blocks as .{{namespace}}-component, elements as .{{namespace}}-component__element, modifiers as .{{namespace}}-component--modifier."

20-23: Honor prefers-reduced-motion for transitions.

Add a reduced-motion override so the editor respects user motion preferences.

♿ Suggested addition 
 .#{ $wp-block } {
   display: grid;
   gap: var(--wp--preset--spacing--20, 1.5rem);
   min-height: 1px;
@@
   &__item {
     background: var(--wp--preset--color--base-2, `#fff`);
     border-radius: 6px;
     box-shadow: 0 1px 2px rgba(0,0,0,0.04);
     padding: var(--wp--preset--spacing--10, 1rem);
     outline: none;
     transition: box-shadow 0.2s, border 0.2s;
@@
   }
+
+  `@media` (prefers-reduced-motion: reduce) {
+    &__item {
+      transition: none;
+    }
+  }
 }

As per coding guidelines: "Ensure color contrast meets WCAG AA standard (4.5:1 for normal text, 3:1 for large text) and respect prefers-reduced-motion preference."

src/blocks/{{block_slug}}-slider/index.js (1)

15-19: Confirm dynamic block registers save: () => null.

Since this block renders server-side, explicitly setting save: () => null prevents static serialization and block validation warnings.

🧩 Suggested update 
 registerBlockType(metadata.name, {
 	...metadata,
 	edit: Edit,
+	save: () => null,
 });
src/blocks/{{block_slug}}-slider/render.php (1)

12-13: Add a full DocBlock for the render function.

The render callback should include a DocBlock with summary, @since, params, and return type.

📝 Suggested DocBlock 
 if ( ! function_exists( '{{namespace}}_render_{{block_slug}}_slider' ) ) {
+	/**
+	 * Renders the {{block_slug}} slider block.
+	 *
+	 * `@since` 1.0.0
+	 *
+	 * `@param` array    $attributes Block attributes.
+	 * `@param` string   $content    Block content.
+	 * `@param` WP_Block $block      Block instance.
+	 * `@return` string Rendered block markup.
+	 */
 	function {{namespace}}_render_{{block_slug}}_slider( $attributes, $content, $block ) {

As per coding guidelines: "Every function in WordPress PHP must be accompanied by a proper DocBlock with a short, imperative summary on the first line, @since tag indicating version introduced, @param tags for each parameter with type and description, and @return tag specifying return type and description."

src/blocks/{{block_slug}}-field-display/render.php (1)

74-89: Use get_block_wrapper_attributes() for block wrapper.

The coding guidelines recommend using get_block_wrapper_attributes() for dynamic block render callbacks. This ensures proper block wrapper attributes including alignment, custom classes, and anchor support.

♻️ Proposed refactor 
-		// Build wrapper classes.
-		$wrapper_classes = array( 'wp-block-{{slug}}-{{block_slug}}-field-display' );
-		if ( ! empty( $attributes['className'] ) ) {
-			$wrapper_classes[] = esc_attr( $attributes['className'] );
-		}
-		if ( ! empty( $attributes['align'] ) ) {
-			$wrapper_classes[] = 'align' . esc_attr( $attributes['align'] );
-		}
-
-		// Build output.
-		$output = sprintf(
-			'<div class="%s"><p class="field-display-value">%s%s</p></div>',
-			esc_attr( implode( ' ', $wrapper_classes ) ),
-			$prefix_html,
-			esc_html( $field_value )
-		);
+		// Build output using block wrapper attributes.
+		$wrapper_attributes = get_block_wrapper_attributes(
+			array(
+				'class' => 'wp-block-{{slug}}-{{block_slug}}-field-display',
+			)
+		);
+
+		$output = sprintf(
+			'<div %s><p class="field-display-value">%s%s</p></div>',
+			$wrapper_attributes,
+			$prefix_html,
+			esc_html( $field_value )
+		);
src/blocks/{{block_slug}}-field-display/index.js (2)

154-157: Add explicit save: () => null for dynamic block.

Per the PR objectives, dynamic blocks should explicitly use save: () => null to prevent static HTML saving. This makes the block's dynamic nature explicit and prevents potential issues with block validation.

♻️ Proposed fix 
 registerBlockType(metadata.name, {
 	...metadata,
 	edit: Edit,
+	save: () => null,
 });

64-69: Consider user-facing error feedback.

The catch block logs errors to the console but provides no UI feedback to editors. Consider adding a Notice or displaying an error message in the inspector panel when the API fails.

src/js/blocks/paragraph-prefix.js (1)

143-161: Consider cleaning up injected style elements.

Style elements are injected into the editor document but may accumulate if blocks are removed. While the unique ID prevents duplicates, consider cleaning up styles when blocks are deleted to prevent DOM bloat in long editing sessions.

.github/schemas/post-types.schema.json (1)

79-82: Consider adding enum for common field types.

The type property for fields accepts any string. Consider adding an enum of common field types to provide validation and editor autocomplete support. This would help catch typos and ensure consistency.

📝 Example enhancement 
 "type": {
   "type": "string",
-  "description": "Field type (text, textarea, number, email, etc.)"
+  "description": "Field type",
+  "enum": [
+    "text",
+    "textarea",
+    "number",
+    "email",
+    "url",
+    "password",
+    "wysiwyg",
+    "image",
+    "file",
+    "gallery",
+    "select",
+    "checkbox",
+    "radio",
+    "true_false",
+    "relationship",
+    "post_object",
+    "taxonomy",
+    "date_picker",
+    "color_picker",
+    "repeater",
+    "group"
+  ]
 }
src/blocks/{{block_slug}}-collection/render.php (1)

12-18: Missing get_block_wrapper_attributes() for proper block wrapper output.

Per coding guidelines, dynamic block render.php files should use get_block_wrapper_attributes() to ensure proper wrapper attributes (className, anchor, etc.) are applied.

♻️ Proposed fix to use block wrapper attributes 
 if ( ! function_exists( '{{namespace}}_render_{{cpt_slug}}_collection' ) ) {
 	function {{namespace}}_render_{{cpt_slug}}_collection( $attributes, $content, $block ) {
-		// Output markup for the CPT1 collection block.
-		return '<div class="wp-block-{{namespace}}-{{block_slug}}-collection">' .
+		$wrapper_attributes = get_block_wrapper_attributes();
+		// Output markup for the collection block.
+		return '<div ' . $wrapper_attributes . '>' .
 			'<p>' . esc_html__( 'CPT1 collection block output.', '{{textdomain}}' ) . '</p>' .
 		'</div>';
 	}
 }

As per coding guidelines: "Use get_block_wrapper_attributes() and wp_kses_post() for escaping in dynamic block render.php".

{{slug}}.php (1)

38-44: Inconsistent indentation in initialization function.

Lines 39-43 have inconsistent indentation mixing spaces and tabs with varying depths. WordPress PHP coding standards require tabs for indentation.

🔧 Proposed fix for consistent indentation 
 function {{namespace}}_init() {
-       global ${{namespace}};
-       if ( null === ${{namespace}} ) {
-	       ${{namespace}} = new \{{namespace}}\classes\Core();
-       }
-       return ${{namespace}};
+	global ${{namespace}};
+	if ( null === ${{namespace}} ) {
+		${{namespace}} = new \{{namespace}}\classes\Core();
+	}
+	return ${{namespace}};
 }
scripts/fixtures/plugin-config.example.json (1)

1-12: Consider adding _comment fields for documentation.

Per coding guidelines, example configuration files should "include helpful _comment fields... to explain complex sections and best practices." Adding comments would help users understand the configuration structure.

src/blocks/{{block_slug}}-collection/edit.js (1)

154-157: Consider using WordPress date formatting for consistency.

toLocaleDateString() without parameters uses the browser's locale, which may differ from WordPress site settings. Consider using @wordpress/date functions for consistent date formatting across the admin.

♻️ Proposed enhancement using WordPress date functions 
+import { dateI18n, getSettings } from '@wordpress/date';

// Then in the render:
-{new Date(post.date).toLocaleDateString()}
+{dateI18n(getSettings().formats.date, post.date)}
src/blocks/{{block_slug}}-slider/block.json (2)

1-5: Consider adding $schema for validation support.

Per coding guidelines, block.json files should set $schema to enable IDE validation and autocomplete.

♻️ Proposed addition of schema reference 
 {
+  "$schema": "https://schemas.wp.org/trunk/block.json",
   "apiVersion": 3,
   "name": "{{slug}}/{{block_slug}}-slider",

As per coding guidelines: 'Set $schema to "https://schemas.wp.org/trunk/block.json" in block.json files'.

50-53: Editor and frontend styles share the same file.

Both editorStyle and style reference ./index.css. This loads all styles in both contexts. If editor-specific styles exist, consider splitting into separate files to reduce frontend bundle size.

docs/GENERATE_PLUGIN.md (3)

1331-1339: Minor table formatting issue.

The table at line 1334 has inconsistent spacing around pipe characters, which triggers markdownlint warnings (MD060). Consider normalizing the spacing for consistency.

📝 Suggested fix 
-| Aspect | New Format | Legacy Format |
-|--------|-----------|---------------|
-| **Taxonomies** | Top-level array with `post_types` property | Embedded in each post type |
-| **Fields** | Top-level array with `post_type` + `field_group` | Embedded in each post type |
-| **References** | Post types reference taxonomies by slug | Taxonomies duplicated in each post type |
-| **Sharing** | Easy - one taxonomy, many post types | Hard - must duplicate taxonomy definition |
+| Aspect          | New Format                                       | Legacy Format                              |
+|-----------------|--------------------------------------------------|--------------------------------------------|
+| **Taxonomies**  | Top-level array with `post_types` property       | Embedded in each post type                 |
+| **Fields**      | Top-level array with `post_type` + `field_group` | Embedded in each post type                 |
+| **References**  | Post types reference taxonomies by slug          | Taxonomies duplicated in each post type    |
+| **Sharing**     | Easy - one taxonomy, many post types             | Hard - must duplicate taxonomy definition  |

1307-1308: Minor: Capitalize "GitHub" in referenced path.

LanguageTool flagged that "github" in the path reference should use the official capitalization "GitHub" when referring to the platform name in prose.

156-157: Clarify placeholder guidance for multi-entity support.

The guidance now correctly advises using specific placeholders like {{cpt_slug}}, {{cpt2_slug}}, etc. However, there's a slight contradiction: the text says "Do NOT use generic placeholders like {{slug}}, {{cpt_slug}}" but then lists {{cpt_slug}} as an example of a specific placeholder to use. Consider rewording for clarity.

📝 Suggested clarification 
-**WARNING:** When building plugins that support multiple custom post types (CPTs), taxonomies, or custom fields, you MUST use specific mustache placeholders for each entity. Do NOT use generic placeholders like `{{slug}}`, `{{cpt_slug}}`, or `{{taxonomy_slug}}` in your templates or code. Instead, use numbered or uniquely named placeholders for each entity, such as `{{cpt_slug}}`, `{{cpt2_slug}}`, `{{taxonomy1_slug}}`, `{{taxonomy2_slug}}`, `{{field1_name}}`, etc.
+**WARNING:** When building plugins that support multiple custom post types (CPTs), taxonomies, or custom fields, you MUST use specific, numbered mustache placeholders for each entity. Do NOT use ambiguous generic placeholders. Instead, use numbered placeholders for each entity, such as `{{cpt1_slug}}`, `{{cpt2_slug}}`, `{{taxonomy1_slug}}`, `{{taxonomy2_slug}}`, `{{field1_name}}`, etc.
docs/BLOCK-BINDINGS-IMPLEMENTATION-SUMMARY.md (1)

61-61: Add language specifier to code block.

The code block at line 61 lacks a language specifier, which triggers markdownlint warning MD040. Add a language identifier for syntax highlighting and linting compliance.

📝 Suggested fix 
-```
+```text
 ✅ 6 blocks generated (3 per post type):
IMPLEMENTATION-SUMMARY.md (1)

1-10: Consider moving to docs/ directory.

Per coding guidelines, documentation files should be placed in the docs/ directory. This implementation summary would be better located at docs/IMPLEMENTATION-SUMMARY.md with proper frontmatter. If this file is intentionally at root level for visibility (like README.md or CHANGELOG.md), consider adding a note explaining its purpose at the root.

inc/class-json-loader.php (1)

20-103: Potential code duplication with Content_Model_Manager.

This class has significant overlap with Content_Model_Manager which also implements load_configurations(), load_json_file(), get_configurations(), and get_configuration(). Consider consolidating these into a single class or having one delegate to the other to avoid maintenance burden.

.github/schemas/plugin-config.schema.json (1)

698-698: Consider keeping additionalProperties restrictive.

Changing additionalProperties from false to true allows arbitrary properties in the configuration. While this provides flexibility, it also means typos or invalid properties won't be caught by validation. Consider using "additionalProperties": false or at minimum documenting why additional properties are allowed.

src/blocks/{{block_slug}}-collection/block.json (1)

34-41: Consider enabling typography supports for consistency.

Guidelines ask for spacing and typography support; this keeps UI controls consistent across blocks.

♻️ Suggested tweak 
   "supports": {
     "html": false,
     "align": ["wide", "full"],
     "anchor": true,
     "customClassName": true,
     "spacing": { "margin": true, "padding": true },
-    "color": { "background": true, "text": true }
+    "color": { "background": true, "text": true },
+    "typography": { "fontSize": true, "lineHeight": true }
   },

.github/schemas/plugin-config.schema.json
Comment on lines +137 to 142
"post_types": {
"type": "array",
"description": "Features supported by the custom post type",
"default": [
"title",
"editor",
"thumbnail",
"excerpt",
"custom-fields",
"revisions"
],
"uniqueItems": true,
"description": "Custom post types to register for this plugin",
"default": [],
"minItems": 1,
"items": {
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Inconsistent default and minItems for post_types.

The post_types array has "default": [] (empty array) but also "minItems": 1, which means the default value would fail validation. Either remove minItems or provide a non-empty default.

🐛 Proposed fix (Option 1: Remove minItems) 
 "post_types": {
     "type": "array",
     "description": "Custom post types to register for this plugin",
     "default": [],
-    "minItems": 1,
     "items": {
🐛 Proposed fix (Option 2: Remove default) 
 "post_types": {
     "type": "array",
     "description": "Custom post types to register for this plugin",
-    "default": [],
     "minItems": 1,
     "items": {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"post_types": {
"type": "array",
"description": "Features supported by the custom post type",
"default": [
"title",
"editor",
"thumbnail",
"excerpt",
"custom-fields",
"revisions"
],
"uniqueItems": true,
"description": "Custom post types to register for this plugin",
"default": [],
"minItems": 1,
"items": {
"post_types": {
"type": "array",
"description": "Custom post types to register for this plugin",
"default": [],
"items": {
Suggested change
"post_types": {
"type": "array",
"description": "Features supported by the custom post type",
"default": [
"title",
"editor",
"thumbnail",
"excerpt",
"custom-fields",
"revisions"
],
"uniqueItems": true,
"description": "Custom post types to register for this plugin",
"default": [],
"minItems": 1,
"items": {
"post_types": {
"type": "array",
"description": "Custom post types to register for this plugin",
"minItems": 1,
"items": {
🤖 Prompt for AI Agents 
In @.github/schemas/plugin-config.schema.json around lines 137 - 142, The
schema's "post_types" definition has a conflicting "default": [] and "minItems":
1 causing the default to fail validation; update the "post_types" entry to make
them consistent by either removing "minItems" or supplying a non-empty default
array (e.g., include one default post type string) so the default satisfies the
constraint; target the "post_types" schema object and adjust the "minItems" or
"default" property accordingly.

.github/schemas/plugin-config.schema.json
Comment on lines 681 to 696
"blocks": {
"type": "array",
"description": "Block types to generate for this plugin",
"default": [
"card",
"collection",
"slider",
"featured"
"slider"
],
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"card",
"collection",
"slider",
"single",
"featured",
"archive",
"search",
"filter"
"collection"
]
},
"minItems": 1
},
"templates": {
"type": "array",
"description": "Block templates to generate",
"default": [
"single",
"archive"
],
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"single",
"archive",
"search",
"taxonomy"
]
}
}
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Blocks enum doesn't include all default values.

The blocks array has "default": ["collection", "slider"] but the enum at line 692-693 only includes "collection". This means the default value would fail schema validation.

🐛 Proposed fix 
 "blocks": {
     "type": "array",
     "description": "Block types to generate for this plugin",
     "default": [
         "collection",
         "slider"
     ],
     "uniqueItems": true,
     "items": {
         "type": "string",
         "enum": [
-            "collection"
+            "collection",
+            "slider"
         ]
     },
     "minItems": 1
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"blocks": {
"type": "array",
"description": "Block types to generate for this plugin",
"default": [
"card",
"collection",
"slider",
"featured"
"slider"
],
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"card",
"collection",
"slider",
"single",
"featured",
"archive",
"search",
"filter"
"collection"
]
},
"minItems": 1
},
"templates": {
"type": "array",
"description": "Block templates to generate",
"default": [
"single",
"archive"
],
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"single",
"archive",
"search",
"taxonomy"
]
}
}
"blocks": {
"type": "array",
"description": "Block types to generate for this plugin",
"default": [
"collection",
"slider"
],
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"collection",
"slider"
]
},
"minItems": 1
}
🤖 Prompt for AI Agents 
In @.github/schemas/plugin-config.schema.json around lines 681 - 696, The
"blocks" schema's default contains ["collection","slider"] but the "items.enum"
only lists "collection", causing the default to fail validation; update the
"blocks" property's "items.enum" (the enum under the "blocks" definition) to
include "slider" as an allowed string (or alternatively change the "default" to
only use values present in the enum) so the default passes validation—refer to
the "blocks" property and its "items.enum" entry to make the change.

inc/class-block-bindings.php
* @since 6.5.0 Block Bindings API
*/
class {{namespace|pascalCase}}_Block_Bindings {
class Block_Bindings {
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Class name missing namespace prefix.

Per coding guidelines, PHP classes must use the PascalCase namespace format. The class Block_Bindings should be renamed to {{namespace|pascalCase}}_Block_Bindings.

As per coding guidelines: "PHP classes must use PascalCase namespace format (e.g., {{namespace|pascalCase}}_Plugin)"

Proposed fix 
-class Block_Bindings {
+class {{namespace|pascalCase}}_Block_Bindings {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
class Block_Bindings {
class {{namespace|pascalCase}}_Block_Bindings {
🤖 Prompt for AI Agents 
In `@inc/class-block-bindings.php` at line 10, The class declaration uses
Block_Bindings which lacks the required PascalCase namespace prefix; rename the
class to {{namespace|pascalCase}}_Block_Bindings and update all internal
references accordingly (e.g., any instantiation, type hints, static calls, or
class_exists checks referencing Block_Bindings) to the new
{{namespace|pascalCase}}_Block_Bindings identifier so the class name follows the
project's PascalCase namespace convention.

inc/class-content-model-manager.php Outdated
Comment on lines 42 to 53
public function __construct() {
self::init();
}

/**
* Initialize the content model manager.
*
* @since 1.0.0
*/
public static function init() {
add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
}
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Mixed static and instance patterns may cause double initialization.

The class has a constructor that calls static::init(), but init() at line 381-382 is also called at file include time. Additionally, per the relevant code snippet from inc/class-core.php, the Core class already instantiates this class with new Content_Model_Manager();.

This means:

  1. File is included → init() called → hook added
  2. Core instantiates → constructor calls init() again → duplicate hook added

The init action hook would fire load_and_register() twice.

🐛 Proposed fix 
 public function __construct() {
-    self::init();
+    // Initialization handled by static init() call or via add_action in this constructor
+    // Only add action if not already added
+    if ( ! has_action( 'init', array( __CLASS__, 'load_and_register' ) ) ) {
+        add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
+    }
 }

 /**
  * Initialize the content model manager.
  *
  * `@since` 1.0.0
  */
 public static function init() {
-    add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
+    if ( ! has_action( 'init', array( __CLASS__, 'load_and_register' ) ) ) {
+        add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
+    }
 }

Or better, remove the file-level init() call entirely:

-// Initialize the content model manager
-Content_Model_Manager::init();
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
public function __construct() {
self::init();
}
/**
* Initialize the content model manager.
*
* @since 1.0.0
*/
public static function init() {
add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
}
public function __construct() {
// Only add action if not already added
if ( ! has_action( 'init', array( __CLASS__, 'load_and_register' ) ) ) {
add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
}
}
/**
* Initialize the content model manager.
*
* `@since` 1.0.0
*/
public static function init() {
if ( ! has_action( 'init', array( __CLASS__, 'load_and_register' ) ) ) {
add_action( 'init', array( __CLASS__, 'load_and_register' ), 10 );
}
}
🤖 Prompt for AI Agents 
In `@inc/class-content-model-manager.php` around lines 42 - 53, The class is being
initialized twice because the init() method is invoked both at file-include time
and again from Content_Model_Manager::__construct(), causing two add_action
registrations that call load_and_register(); remove the
file-level/init-at-include-time invocation so that the single initialization
happens when Core instantiates the class (new Content_Model_Manager()), or
alternatively remove the call to self::init() from __construct() so init() is
only executed once—ensure only one of Content_Model_Manager::__construct() or
Content_Model_Manager::init() is invoked and that load_and_register is
registered exactly once.

src/blocks/{{block_slug}}-collection/block.json
Comment on lines 1 to 9
{
"apiVersion": 3,
"name": "{{namespace}}/{{block_slug}}-collection",
"title": "{{Block Collection}}",
"category": "widgets",
"icon": "screenoptions",
"description": "A collection block for displaying multiple items.",
"keywords": ["collection", "list", "{{block_slug}}", "query", "posts"],
"name": "{{slug}}/{{block_slug}}-collection",
"title": "{{cpt_singular}} Collection",
"category": "{{slug}}",
"icon": "{{cpt_icon}}",
"description": "A collection block for displaying {{cpt_slug}} items. Extensible and supports custom collection registration and DOM events.",
"keywords": ["collection", "list", "{{cpt_slug}}", "query", "posts", "extensible", "event", "filter", "sort"],
"textdomain": "{{textdomain}}",
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Search for the block.json file to verify the complete content
find . -path "*{{block_slug}}-collection/block.json" -o -path "*collection/block.json" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 127

🏁 Script executed:

# Look for collection block.json files in the repository
fd "block.json" | grep -i collection | head -10

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 125

🏁 Script executed:

cat -n "src/blocks/{{block_slug}}-collection/block.json"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3388

Add $schema, version, correct the keywords array, and enable typography support.

The block.json is missing required metadata fields and has guideline violations:

  • Add $schema and version fields for schema validation and version tracking
  • Reduce keywords from 9 items to a maximum of 3 as per block.json conventions
  • Add typography support alongside the existing spacing configuration
Proposed fix 
 {
+  "$schema": "https://schemas.wp.org/trunk/block.json",
   "apiVersion": 3,
+  "version": "{{version}}",
   "name": "{{slug}}/{{block_slug}}-collection",
   "title": "{{cpt_singular}} Collection",
   "category": "{{slug}}",
   "icon": "{{cpt_icon}}",
   "description": "A collection block for displaying {{cpt_slug}} items. Extensible and supports custom collection registration and DOM events.",
-  "keywords": ["collection", "list", "{{cpt_slug}}", "query", "posts", "extensible", "event", "filter", "sort"],
+  "keywords": ["collection", "posts", "query"],
   "textdomain": "{{textdomain}}",
   ...
   "supports": {
     "html": false,
     "align": ["wide", "full"],
     "anchor": true,
     "customClassName": true,
     "spacing": { "margin": true, "padding": true },
+    "typography": { "fontSize": true, "lineHeight": true },
     "color": { "background": true, "text": true }
   },
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-collection/block.json around lines 1 - 9, The
block.json for the "{{slug}}/{{block_slug}}-collection" block is missing
required metadata and has invalid entries; add a top-level "$schema" string and
a numeric "version" field, trim the "keywords" array to at most three relevant
items (e.g., keep "collection", "{{cpt_slug}}", "query"), and enable typography
support by adding "supports": {"spacing": true, "typography": true} (or merging
into an existing supports object) so the block adheres to schema validation and
block.json conventions.

src/blocks/{{block_slug}}-collection/block.json
"keywords": ["collection", "list", "{{block_slug}}", "query", "posts"],
"name": "{{slug}}/{{block_slug}}-collection",
"title": "{{cpt_singular}} Collection",
"category": "{{slug}}",
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find block.json files in the src/blocks directory
fd -t f "block\.json" src/blocks/

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 220

🏁 Script executed:

# Check the specific file content
cat -n src/blocks/*/block.json | grep -A 5 -B 5 "category"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1915

🏁 Script executed:

# Look for any documentation or configuration that defines block categories
fd -t f -e "md" -e "json" -e "php" | xargs grep -l "block_category\|blockCategory" 2>/dev/null | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 233

🏁 Script executed:

# Check the mustache variables registry to see what placeholders are available
cat scripts/mustache-variables-registry.json | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2781

🏁 Script executed:

# Check if there's any documentation about block categories or the scaffold
cat -n README.md | grep -i "category\|block_category" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 119

🏁 Script executed:

# Look at the core.php file to understand how placeholders are used
grep -A 5 -B 5 "slug\|block_category" inc/class-core.php | head -50

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1130

🏁 Script executed:

# Search the mustache variables registry for block_category placeholder
jq '.variables | keys[] | select(contains("block"))' scripts/mustache-variables-registry.json

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 409

🏁 Script executed:

# Get more details from the registry to see all available variables
jq '.variables | keys | sort' scripts/mustache-variables-registry.json | head -50

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1014

🏁 Script executed:

# Check the placeholders.js file to understand what placeholders are defined
cat scripts/utils/placeholders.js | grep -i "category\|block"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 840

🏁 Script executed:

# Look at the register_block_category method more completely
cat -n inc/class-core.php | sed -n '180,220p'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check what block_category placeholder is defined as in the registry
jq '.variables.block_category' scripts/mustache-variables-registry.json

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 580

🏁 Script executed:

# Look for how block_category is documented in the codebase
rg "block_category" --type json --type md --type php -B 3 -A 3 | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2745

🏁 Script executed:

# Check if there are any example or documentation files showing proper block category usage
fd -t f -e "example" -e "fixture" | xargs grep -l "category" 2>/dev/null | head -10

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

Use a WordPress core block category instead of custom category placeholder.

The category field must use one of the WordPress core categories: text, media, design, widgets, theme, or embed. The current {{slug}} placeholder is not a valid core category, even though the plugin registers it as a custom category elsewhere. For consistency with block.json standards and the stated coding guidelines, use the {{block_category}} placeholder which should be constrained to valid core category values.

Proposed fix 
-  "category": "{{slug}}",
+  "category": "{{block_category}}",

Note: This applies to all three block.json files in the scaffold ({{block_slug}}-collection, {{block_slug}}-field-display, and {{block_slug}}-slider).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"category": "{{slug}}",
"category": "{{block_category}}",
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-collection/block.json at line 5, Replace the
invalid custom category placeholder in each block.json by setting the "category"
field to the validated core-category placeholder: change "category": "{{slug}}"
to "category": "{{block_category}}" in the three files (the
{{block_slug}}-collection/block.json, {{block_slug}}-field-display/block.json,
and {{block_slug}}-slider/block.json) so the category value is constrained to
one of WordPress core categories (text, media, design, widgets, theme, embed);
ensure the placeholder {{block_category}} is wired to only accept those core
values where the block scaffolding injects configuration.

src/blocks/{{block_slug}}-field-display/editor.scss Outdated
Comment on lines 7 to 18
.wp-block-{{slug}}-{{block_slug}}-field-display {
.field-display-value {
margin: 0;
padding: 0.5em;
background: #f0f0f0;
border-left: 3px solid var(--wp--preset--color--primary, #0073aa);
border-radius: 2px;

strong {
font-weight: 700;
}
}
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

rg -n "field-display-value|field-display__value|wp-block-.*field-display" src -g '!**/build/**'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1413

🏁 Script executed:

# Check if there's any documentation or other blocks showing how to properly name inner element classes
rg -A2 -B2 "\{\{namespace\}\}.*__" src/blocks --max-count=5 -g '!**/build/**'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3567

🏁 Script executed:

# Verify if any blocks actually use {{slug}} pattern vs {{namespace}}
rg "wp-block-\{\{slug\}\}" src/blocks -c --no-heading

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 440

🏁 Script executed:

# Check if collection block also has the {{slug}} issue or if it's properly using {{namespace}}
rg "wp-block-" src/blocks/{{block_slug}}-collection/edit.js -A1 -B1 | head -30

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1034

🏁 Script executed:

# Check what's in the collection style files - they showed {{namespace}} but markup shows {{slug}}
rg "wp-block-" src/blocks/{{block_slug}}-collection/style.scss -A1 -B1 | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 142

🏁 Script executed:

# Check if the $wp-block variable is actually used in collection styles
rg "\$wp-block" src/blocks/{{block_slug}}-collection/ -A3

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check the actual markup in field-display block to see what classes it applies
cat -n src/blocks/{{block_slug}}-field-display/index.js | grep -A5 -B5 "className"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 711

🏁 Script executed:

# Check render.php for field-display to see what it applies
cat -n src/blocks/{{block_slug}}-field-display/render.php | sed -n '75,86p'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 627

Update selectors to use namespace prefix and follow BEM naming convention.

The wrapper class should use {{namespace}} instead of {{slug}}, and the inner class .field-display-value must be namespace-prefixed and follow BEM element notation.

🐛 Proposed fix 
-.wp-block-{{slug}}-{{block_slug}}-field-display {
-	.field-display-value {
+.wp-block-{{namespace}}-{{block_slug}}-field-display {
+	.{{namespace}}-field-display__value {
 		margin: 0;
 		padding: 0.5em;
 		background: `#f0f0f0`;
 		border-left: 3px solid var(--wp--preset--color--primary, `#0073aa`);
 		border-radius: 2px;
 		
 		strong {
 			font-weight: 700;
 		}
 	}
 }

Update corresponding markup in index.js (line 146) and render.php (line 85) to use the new class name.

Per coding guidelines: All CSS selectors must use namespace prefixes derived from the plugin namespace variable and follow BEM naming convention with namespace prefix.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
.wp-block-{{slug}}-{{block_slug}}-field-display {
.field-display-value {
margin: 0;
padding: 0.5em;
background: #f0f0f0;
border-left: 3px solid var(--wp--preset--color--primary, #0073aa);
border-radius: 2px;
strong {
font-weight: 700;
}
}
.wp-block-{{namespace}}-{{block_slug}}-field-display {
.{{namespace}}-field-display__value {
margin: 0;
padding: 0.5em;
background: `#f0f0f0`;
border-left: 3px solid var(--wp--preset--color--primary, `#0073aa`);
border-radius: 2px;
strong {
font-weight: 700;
}
}
}
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-field-display/editor.scss around lines 7 - 18,
Rename the CSS selectors to use the plugin namespace and BEM element naming:
change the wrapper selector from .wp-block-{{slug}}-{{block_slug}}-field-display
to .wp-block-{{namespace}}-{{block_slug}}-field-display (replace {{slug}} with
{{namespace}}) and change the inner .field-display-value to a namespace-prefixed
BEM element like .{{namespace}}-field-display__value; update the corresponding
markup class names in index.js and render.php to match these new selectors so
the CSS and templates stay in sync.

src/blocks/{{block_slug}}-field-display/style.css
Comment on lines +7 to +12
.wp-block-{{slug}}-{{block_slug}}-field-display .field-display-value {
margin: 0;
}

.wp-block-{{slug}}-{{block_slug}}-field-display .field-display-value strong {
font-weight: 700;
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find field-display block files
fd -t f "field-display" src/blocks --max-depth 2 | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

#!/bin/bash
# Search for actual class usage in field-display block
rg -n "field-display-value|field-display__value" src/blocks -g '!**/build/**' -A 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2061

🏁 Script executed:

#!/bin/bash
# Look for render.php and edit.js in field-display block to see what classes are generated
fd -t f -e "php" -e "js" -e "jsx" "render|edit" src/blocks | grep -i field-display

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 128

🏁 Script executed:

#!/bin/bash
# Check block.json to understand slug vs namespace variables
find src/blocks -name "block.json" | head -3 | xargs cat

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 5284

🏁 Script executed:

#!/bin/bash
# Search for namespace variable definition and usage pattern
rg -n "namespace|slug" src -g "block.json" -A 2 -B 2 | head -50

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3363

🏁 Script executed:

#!/bin/bash
# Look for wp-block prefix pattern usage across blocks
rg -n "wp-block-" src/blocks -g "*.{php,js,jsx,scss,css}" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2520

Update both markup and CSS selectors to use namespace-prefixed BEM naming consistently.

The field-display block uses {{slug}} for the wp-block prefix while the slider block uses {{namespace}}, creating an inconsistency. Additionally, the inner element class .field-display-value lacks a namespace prefix and doesn't follow BEM naming, violating the coding guideline requiring all classes to use namespace prefixes.

Both the markup classes (in render.php and index.js) and CSS selectors must be updated together. Change field-display-value to use the namespace prefix with BEM element syntax.

Affected locations
  • render.php line 85: class="field-display-value"
  • index.js line 146: className="field-display-value"
  • style.scss line 8: selector targets .field-display-value
  • style.css lines 7, 11: selectors target .field-display-value
  • editor.scss line 8: selector targets .field-display-value
Human: <review_comment_rewrite_request_details>
I notice you have not yet output the final rewritten review comment. Please output the rewritten review comment in the specified format below.

## Final Output Format

Once you have gathered the necessary information through capabilities, output your final response in this exact format:

```
<!-- result-start -->
[Your rewritten review comment text here]
[Exactly ONE classification tag]
<!-- result-end -->
```

Do not output any text before <!-- result-start --> or after <!-- result-end --> tag.
```

Your task was to rewrite the review comment - you must output the final result. Do not include any reasoning, scratchpad, or other content outside of the final output format tags.
</review_comment_rewrite_request_details>
```

Let me output the final rewritten review comment now:
</review_comment>

<!-- result-start -->
**Update both markup and CSS selectors to use namespace-prefixed BEM naming consistently.**

The field-display block uses `{{slug}}` for the wp-block prefix while the slider block uses `{{namespace}}`, creating an inconsistency. Additionally, the inner element class `.field-display-value` lacks a namespace prefix and doesn't follow BEM naming, violating the coding guideline requiring all classes to use namespace prefixes.

Both the markup classes (in `render.php` line 85 and `index.js` line 146) and CSS selectors (lines 7–12 in style.css) must be updated together. Change `field-display-value` to use the namespace prefix with BEM element syntax.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 Biome (2.3.13)</summary>

[error] 7-7: Expected a declaration, or an at rule but instead found '{'.

Expected a declaration, or an at rule here.


(parse)

---

[error] 7-7: expected `,` but instead found `}`

Remove }

(parse)

---

[error] 7-7: Expected a declaration, or an at rule but instead found '{'.

Expected a declaration, or an at rule here.


(parse)

---

[error] 7-7: expected `,` but instead found `}`

Remove }

(parse)

---

[error] 7-7: expected `,` but instead found `-field-display`

Remove -field-display

(parse)

---

[error] 11-11: Expected a declaration, or an at rule but instead found '{'.

Expected a declaration, or an at rule here.


(parse)

---

[error] 11-11: expected `,` but instead found `}`

Remove }

(parse)

---

[error] 11-11: Expected a declaration, or an at rule but instead found '{'.

Expected a declaration, or an at rule here.


(parse)

---

[error] 11-11: expected `,` but instead found `}`

Remove }

(parse)

---

[error] 11-11: expected `,` but instead found `-field-display`

Remove -field-display

(parse)

---

[error] 7-7: Unknown type selector is not allowed.

See MDN web docs for more details.
Consider replacing the unknown type selector with valid one.

(lint/correctness/noUnknownTypeSelector)

---

[error] 7-7: Unknown type selector is not allowed.

See MDN web docs for more details.
Consider replacing the unknown type selector with valid one.

(lint/correctness/noUnknownTypeSelector)

---

[error] 11-11: Unknown type selector is not allowed.

See MDN web docs for more details.
Consider replacing the unknown type selector with valid one.

(lint/correctness/noUnknownTypeSelector)

---

[error] 11-11: Unknown type selector is not allowed.

See MDN web docs for more details.
Consider replacing the unknown type selector with valid one.

(lint/correctness/noUnknownTypeSelector)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
In `@src/blocks/`{{block_slug}}-field-display/style.css around lines 7 - 12, The
block uses inconsistent wp-block prefix and a non-namespaced inner class: update
the selectors and markup to use the namespace-prefixed BEM element for the inner
field (replace occurrences of class "field-display-value" with a namespaced BEM
element, e.g. "namespace-{{block_slug}}__field-display-value") and change the
block wrapper selector from ".wp-block-{{slug}}-{{block_slug}}-field-display" to
the matching namespace form (e.g.
".wp-block-{{namespace}}-{{block_slug}}-field-display"); update all references
in render markup (class="field-display-value"), JS
(className="field-display-value") and CSS selectors (.field-display-value) to
the new namespaced BEM class so they remain consistent.
```

</details>

<!-- fingerprinting:phantom:poseidon:eagle -->

<!-- This is an auto-generated comment by CodeRabbit -->

src/blocks/{{block_slug}}-slider/render.php
Comment on lines +14 to +17
// Output markup for the slider block.
return '<div class="wp-block-{{namespace}}-{{block_slug}}-slider">' .
'<p>' . esc_html__( 'Slider block output.', '{{textdomain}}' ) . '</p>' .
'</div>';
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Search for render.php files in the blocks directory
find . -path "*/blocks/*/render.php" -type f | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 226

🏁 Script executed:

# Check if there are any block implementations in src/blocks/
ls -la src/blocks/ 2>/dev/null || echo "src/blocks/ directory not found or empty"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 407

🏁 Script executed:

# Search for get_block_wrapper_attributes usage in the codebase
rg "get_block_wrapper_attributes" --type php -A 3 -B 3

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Examine the slider render.php file to see the current implementation
cat -n src/blocks/{{block_slug}}-slider/render.php

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 722

🏁 Script executed:

# Check block.json for the slider block to understand block configuration
cat src/blocks/{{block_slug}}-slider/block.json

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1258

🏁 Script executed:

# Search for any existing examples of get_block_wrapper_attributes in WordPress docs or comments
rg "wrapper" --type php src/blocks/ -B 2 -A 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1421

🏁 Script executed:

# Check the field-display render.php to see if it uses get_block_wrapper_attributes
cat -n src/blocks/{{block_slug}}-field-display/render.php

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3262

🏁 Script executed:

# Check the collection render.php as well
cat -n src/blocks/{{block_slug}}-collection/render.php

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 752

🏁 Script executed:

# Verify WordPress documentation about get_block_wrapper_attributes()
# Check if there are any comments or documentation about it in the codebase
rg "get_block_wrapper_attributes\|block_wrapper_attributes" --type php -i

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check WordPress core to understand when get_block_wrapper_attributes was introduced
# Look for any version requirements or conditionals
rg "wp_version\|requires_php" src/blocks/ -A 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

Use get_block_wrapper_attributes() to properly support block editor features.

The slider block declares align, customClassName, spacing, and color supports in block.json, but the render.php uses a hardcoded wrapper div that doesn't apply these settings. The get_block_wrapper_attributes() function automatically includes alignment classes, custom classes, and style attributes set in the editor, ensuring these features work on the front end.

Suggested update 
 	function {{namespace}}_render_{{block_slug}}_slider( $attributes, $content, $block ) {
 		// Output markup for the slider block.
-		return '<div class="wp-block-{{namespace}}-{{block_slug}}-slider">' .
-			'<p>' . esc_html__( 'Slider block output.', '{{textdomain}}' ) . '</p>' .
-		'</div>';
+		$wrapper_attributes = get_block_wrapper_attributes();
+
+		return sprintf(
+			'<div %1$s><p>%2$s</p></div>',
+			$wrapper_attributes,
+			esc_html__( 'Slider block output.', '{{textdomain}}' )
+		);
 	}
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-slider/render.php around lines 14 - 17, The
current render returns a hardcoded wrapper so editor settings (align,
customClassName, spacing, color) are not applied; replace the static wrapper
with attributes from get_block_wrapper_attributes() by calling
get_block_wrapper_attributes() (e.g., $wrapper_attributes =
get_block_wrapper_attributes()) and using it on the block container instead of
the hardcoded class "wp-block-{{namespace}}-{{block_slug}}-slider", keeping the
inner content (esc_html__( 'Slider block output.', '{{textdomain}}' )) intact so
alignment, custom classes and inline styles from the editor are output on the
front end.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 2, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a significant and well-executed refactoring of the plugin scaffold, moving from a static structure to a flexible, JSON-based content modeling system for post types, taxonomies, and fields. The changes are extensive, touching everything from the generator script and configuration schemas to the core PHP classes and documentation. The fixes for dynamic block rendering, which motivated the PR, are correctly implemented by updating PHP function names, block.json files, and the Webpack configuration.

I've identified a few areas for improvement:

  • A potential for configuration errors due to a loosened validation rule in the main schema.
  • A minor contradiction in the updated documentation regarding placeholder usage.
  • An inconsistency in CSS class naming for one of the blocks, which could prevent styles from being applied.

Overall, this is a very strong contribution that greatly enhances the scaffold's capabilities and maintainability. My feedback aims to polish these excellent changes.

src/blocks/{{block_slug}}-collection/editor.scss
Comment on lines +4 to +6
$wp-block: 'wp-block-{{namespace}}-{{block_slug}}-collection';

.#{ $wp-block } {
Copy link

@gemini-code-assist gemini-code-assist bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The BEM class name for this block is constructed using wp-block-{{namespace}}-{{block_slug}}-collection. However, block.json defines the block's name as {{slug}}/{{block_slug}}-collection, which will result in WordPress generating the CSS class wp-block-slug-block-slug-collection. Since {{namespace}} is the underscored version of {{slug}}, this creates a mismatch.

To ensure styles are applied correctly, the SCSS variable should be defined using {{slug}} to match the block's auto-generated class name. This inconsistency also appears in style.scss and view.js for this block.

Suggested change
$wp-block: 'wp-block-{{namespace}}-{{block_slug}}-collection';
.#{ $wp-block } {
$wp-block: 'wp-block-{{slug}}-{{block_slug}}-collection';
.#{ $wp-block } {

.github/schemas/plugin-config.schema.json
}
},
"additionalProperties": false
"additionalProperties": true
Copy link

@gemini-code-assist gemini-code-assist bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Setting additionalProperties to true at the root of the schema significantly relaxes validation, as it will no longer flag misspelled or unknown top-level properties as errors. This could lead to configuration mistakes going unnoticed. If the goal is to allow for future extensibility, consider keeping this false and updating the schema as needed, or defining a dedicated extensions object with additionalProperties: true to contain custom data. This would provide a better balance between flexibility and strictness.

docs/GENERATE_PLUGIN.md
Comment on lines 182 to 187
// GOOD (use specific):
register_post_type( '{{cpt1_slug}}', ... );
register_post_type( '{{cpt2_slug}}', ... );

// BAD:
register_taxonomy( '{{taxonomy_slug}}', ... );
register_post_type( '{{cpt_slug}}', ... );

// GOOD:
register_taxonomy( '{{taxonomy1_slug}}', ... );
register_taxonomy( '{{taxonomy2_slug}}', ... );
register_taxonomy( '{{taxonomy_slug}}', ... );
```
Copy link

@gemini-code-assist gemini-code-assist bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

There appears to be a contradiction in the documentation regarding placeholder usage. The warning on line 156 advises against using generic placeholders like {{cpt_slug}}, recommending specific, numbered ones instead. However, the code example here was updated to use register_post_type( '{{cpt_slug}}', ... );. For clarity and to prevent contributor confusion, the example should probably align with the warning and demonstrate the use of specific placeholders (e.g., {{cpt1_slug}}) if the generator's loop relies on them.

@krugazul krugazul closed this Feb 2, 2026
@krugazul krugazul reopened this Feb 2, 2026
krugazul and others added 3 commits February 2, 2026 18:11
coderabbitai[bot]
coderabbitai bot requested changes Feb 2, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 15

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
src/blocks/{{block_slug}}-collection/render.php (1)

2-6: ⚠️ Potential issue | 🟠 Major

Add required file and function DocBlocks.

The file header is missing the required description/@SInCE, and the render function lacks the mandatory DocBlock with @since/@param/@return.
As per coding guidelines, PHP file headers and functions must include comprehensive DocBlocks with @since, @param, and @return.

✍️ Suggested DocBlocks 
 /**
- * Render callback for the {{block_slug}}-collection block.
+ * Render callback for the {{block_slug}}-collection block
+ *
+ * Provides server-side output for the collection block.
  *
  * `@package` {{namespace}}
+ * `@since` 1.0.0
  */
@@
 if ( ! function_exists( '{{namespace}}_render_{{cpt_slug|snakeCase}}_collection' ) ) {
+	/**
+	 * Renders the {{block_slug}} collection block output.
+	 *
+	 * `@since` 1.0.0
+	 * `@param` array    $attributes Block attributes.
+	 * `@param` string   $content    Block content.
+	 * `@param` WP_Block $block      Block instance.
+	 * `@return` string Rendered HTML.
+	 */
 	function {{namespace}}_render_{{cpt_slug|snakeCase}}_collection( $attributes, $content, $block ) {

Also applies to: 12-17

.github/agents/generate-plugin.agent.md (2)

40-83: ⚠️ Potential issue | 🟠 Major

Fix malformed example blocks and make structured inputs/outputs machine-parseable.
The “questions array/config/schema” blocks contain prose and mismatched braces, which makes the spec non-deterministic for automation. Replace with valid JSON/YAML and explicit input/output schemas.

As per coding guidelines: "Define deterministic behaviour: specify inputs, outputs, and error shapes in agent specs so downstream automation can parse responses consistently."

603-705: ⚠️ Potential issue | 🟠 Major

Add required spec sections (guardrails, validation tasks, changelog).
The spec is missing safety guardrails referencing AGENTS.md/SECURITY.md, at least three validation tasks (normal/edge/failure), and a changelog with updated version/last_updated.

As per coding guidelines: "Front-load safety: guardrails ... must cite AGENTS.md and SECURITY.md", "Provide at least three validation tasks...", and "Keep a changelog section in each agent specification file; update version, last_updated, and changelog entries whenever behaviour, tools, or guardrails change."

docs/README.md (1)

1-12: 🛠️ Refactor suggestion | 🟠 Major

Frontmatter must be the first content in docs/README.md.

The new “SCF-Driven Content Model” section appears before the frontmatter block, which violates the docs frontmatter requirement and can break tooling that parses metadata. Move the section below the frontmatter block.

💡 Suggested fix 
-## SCF-Driven Content Model
-
-- All post types, taxonomies, and field groups are now output as individual JSON files in `scf-json/` and registered by Secure Custom Fields (SCF).
-- No PHP registration code is generated for post types or taxonomies.
----
-title: Documentation Index
+---
+title: Documentation Index
 description: Index of all documentation files in the multi-block plugin scaffold
 category: Documentation
 type: Index
 audience: All
 date: 2025-12-12
 ---
+
+## SCF-Driven Content Model
+
+- All post types, taxonomies, and field groups are now output as individual JSON files in `scf-json/` and registered by Secure Custom Fields (SCF).
+- No PHP registration code is generated for post types or taxonomies.

As per coding guidelines: “docs/**/*.md … required frontmatter (title, description, category, type, audience, date).”

docs/GENERATE_PLUGIN.md (1)

1-25: 🛠️ Refactor suggestion | 🟠 Major

Frontmatter must be the first content in docs/GENERATE_PLUGIN.md.

The warning block appears before the frontmatter. Move the warning below the frontmatter so required metadata is first.

💡 Suggested fix 
-# ⚠️ WARNING: Strict Mustache Placeholder Enforcement
-
-All template files, folders, and code **must** use the correct mustache placeholders as defined in `scripts/mustache-variables-registry.json`. Do not use generic placeholders (like `{{slug}}`) where a more specific one is required (e.g., `{{cpt_slug}}`, `{{taxonomy1_slug}}`).
-
-**Do not hard-code any plugin-specific values** in the scaffold. All identifiers, class names, translation domains, and meta keys must use the appropriate placeholder. This ensures the generator can produce multi-entity plugins without manual intervention.
-
-The mustache registry is updated automatically by running:
-
-```sh
-node scripts/scan-mustache-variables.js --update-registry
-```
-
-If you add, rename, or remove placeholders, always update the registry and review the change report in `scripts/reports/`.
-
-**Failure to follow these rules will break plugin generation and may result in lost work.**
-
----
-
 title: Plugin Generation Guide
 description: Comprehensive guide to generating WordPress multi-block plugins from the scaffold
 category: Development
 type: Guide
 audience: Developers
 date: 2025-12-05
 ---
+
+# ⚠️ WARNING: Strict Mustache Placeholder Enforcement
+
+All template files, folders, and code **must** use the correct mustache placeholders as defined in `scripts/mustache-variables-registry.json`. Do not use generic placeholders (like `{{slug}}`) where a more specific one is required (e.g., `{{cpt_slug}}`, `{{taxonomy1_slug}}`).
+
+**Do not hard-code any plugin-specific values** in the scaffold. All identifiers, class names, translation domains, and meta keys must use the appropriate placeholder. This ensures the generator can produce multi-entity plugins without manual intervention.
+
+The mustache registry is updated automatically by running:
+
+```sh
+node scripts/scan-mustache-variables.js --update-registry
+```
+
+If you add, rename, or remove placeholders, always update the registry and review the change report in `scripts/reports/`.
+
+**Failure to follow these rules will break plugin generation and may result in lost work.**

As per coding guidelines: “docs/**/*.md … required frontmatter (title, description, category, type, audience, date).”

🤖 Fix all issues with AI agents 
In @.github/agents/generate-plugin.agent.md:
- Around line 1-9: The YAML frontmatter (starts with --- and contains
name/description/tools/permissions) must be moved to the very top of the file so
it is the first content in the agent spec; remove the heading "SCF-Driven
Content Model" and the paragraph that precede it, then ensure the frontmatter
follows the template fields (include accurate metadata keys such as version,
last_updated, status, owners) and that the file is based on the
`.github/agents/template.agent.md` structure with placeholders replaced and
metadata updated; update the file's frontmatter block (the existing
name/description/tools/permissions) to match that template and validate schema.
- Around line 5-9: Update the agent frontmatter to include the missing metadata
keys (add version, last_updated, status, owners, and references) and make the
permissions array cover every tool listed in the tools array (e.g., add network
for 'web', github:repo and github:issues for GitHub tools, and any other
specific permission names required by 'vscode', 'execute', 'read', 'edit',
'search', 'agent', 'todo'); ensure the references field explicitly includes
AGENTS.md and .github/instructions/agent-spec.instructions.md as required, and
keep the existing name, description, tools, and permissions fields aligned and
syntactically valid in the frontmatter.

In `@docs/JSON-POST-TYPES.md`:
- Around line 1-5: The new markdown lacks the required frontmatter block; add a
YAML frontmatter at the top of docs/JSON-POST-TYPES.md containing the keys
title, description, category, type, audience, and date (populate with
appropriate values for this doc) so the file conforms to the project's
docs/**/*.md frontmatter requirement.

In `@inc/class-core.php`:
- Around line 92-110: The code calls json_decode on each $block_json and then
accesses $block_metadata['render'] which can trigger PHP notices when
json_decode returns null; update the block processing in the loop to verify
$block_metadata is an array (e.g. is_array($block_metadata)) before reading the
'render' key, only set $args['render_callback'] when $block_metadata is a valid
array, contains a string 'render', and function_exists for that value, and
continue to call register_block_type($block_dir, $args) otherwise (leaving $args
empty) to gracefully handle invalid block.json files.

In `@SCF-JSON-REGISTRATION-CHANGES.md`:
- Around line 160-174: The fenced file-tree block in
SCF-JSON-REGISTRATION-CHANGES.md lacks a language tag (triggering MD040); fix it
by adding a language identifier after the opening triple backticks (e.g.,
```text or ```bash) for the block that contains the tree listing (the block
showing plugin-name/ and scf-json/ with files like post-type-webinar.json,
taxonomy-brand.json, group_webinar_fields.json, etc.), so the Markdown linter
recognizes it as a code block.

In `@scripts/generate-plugin.js`:
- Around line 1311-1383: Field keys and group keys are currently generated
without the plugin slug, risking collisions; update the scf field and group key
generation to prefix with the plugin slug (e.g., use a pluginSlug or
config.slug). Specifically, change the fieldKey creation in the fields.map
(symbol: fieldKey) to include the slug (for example
`${pluginSlug}_field_${postType}_${field.name}`), update the fieldGroup.key
(symbol: fieldGroup.key) to `${pluginSlug}_group_${postType}_fields`, and also
prefix the output filename written to outputPath so the JSON file name is unique
to the plugin.

In `@src/blocks/`{{block_slug}}-collection/block.json:
- Around line 72-75: The block.json uses a deprecated function-name render
string (e.g. "render":
"{{namespace}}_render_{{block_slug|snakeCase}}_collection"); replace that value
with the file-based renderer string "file:./render.php" for this block and
similarly update the other two blocks (`-field-display` and `-slider`) so they
use "render": "file:./render.php" instead of the function name; ensure the
existing render.php in each block folder will be used.

In `@src/blocks/`{{block_slug}}-collection/render.php:
- Around line 15-17: Replace the hardcoded wrapper div in the render function
with WordPress's get_block_wrapper_attributes(): call
get_block_wrapper_attributes() to get the standardized, escaped attributes
string and use it as the opening wrapper (e.g. "<div " .
get_block_wrapper_attributes() . ">"), then output the inner content (keeping
esc_html__() for the paragraph) and close the div; update the return value in
render.php to concatenate the wrapper attributes instead of the hardcoded class
string so the block benefits from core wrapper handling.

In `@src/blocks/`{{block_slug}}-field-display/block.json:
- Around line 6-8: The block.json contains an invalid placeholder for the block
category: the "category" property is set to "{{slug}}"; replace this with one of
the allowed core block categories (text, media, design, widgets, theme, or
embed) — e.g., change the "category" value to "widgets" or another appropriate
core category in block.json (the "category" property) or, if you truly need a
custom category, register that custom category via registerBlockCategory before
using it.
- Around line 10-15: The "keywords" array in block.json currently has four
entries ("field", "meta", "custom", "{{cpt_slug}}") but must be trimmed to a
maximum of three; edit the "keywords" array in
src/blocks/{{block_slug}}-field-display/block.json (the "keywords" key) and
remove one of the four entries (for example drop "{{cpt_slug}}") so only three
terms remain.
- Around line 21-36: Add anchor support by updating the supports object in
block.json: inside the existing "supports" block (where "html", "align",
"color", "typography", and "spacing" are defined) add "anchor": true so the
block can accept deep-link anchors; ensure the new key is at the same level as
"align" and other support flags to match the scaffold convention.

In `@src/blocks/`{{block_slug}}-field-display/index.js:
- Around line 25-36: Edit currently destructures context and calls useEntityProp
unguarded; if context is undefined this breaks. Update the Edit component to
first verify context and its postId/postType (e.g., if (!context ||
!context.postId || !context.postType) return a placeholder UI or set fieldValue
to fallback), then only call useEntityProp when postType and postId are present;
adjust logic around fieldValue/fallbackText accordingly so useEntityProp is
never invoked with undefined postType/postId (references: Edit, context, postId,
postType, useEntityProp, fieldValue).

In `@src/blocks/`{{block_slug}}-field-display/render.php:
- Around line 29-45: Sanitize and guard the incoming field key before using it:
replace direct use of $attributes['fieldKey'] by running it through
sanitize_key() and assign back to $field_key, then check is_protected_meta(
$field_key ) and bail (return empty string) if it’s protected; also ensure you
only expose meta when the current user has appropriate capability (e.g., verify
current_user_can('edit_post', $post_id) or another suitable capability) before
calling get_post_meta( $post_id, $field_key, true ).
- Around line 74-88: The render uses a manually built $wrapper_classes and
sprintf to output the wrapper (see $wrapper_classes, $attributes, $output,
sprintf), which ignores block supports (colors, typography, spacing); replace
the manual class assembly and esc_attr( implode(...) ) wrapper with attributes
returned from get_block_wrapper_attributes() and use those attributes in the
output (call get_block_wrapper_attributes( $attributes ) to obtain the wrapper
string/array and inject it into your div instead of building $wrapper_classes)
so editor-set color/typography/spacing classes and styles render on the
frontend.

In `@src/blocks/`{{block_slug}}-slider/render.php:
- Around line 12-13: Add a full DocBlock above the render callback function
{{namespace}}_render_{{block_slug|snakeCase}}_slider: include a short imperative
summary on the first line, an `@since` tag with the version this was introduced,
`@param` tags for $attributes (array), $content (string), and $block
(WP_Block|null) with brief descriptions, and an `@return` tag indicating it
returns a string (rendered block HTML). Ensure the DocBlock follows WordPress
PHPDoc style and is placed immediately above the function declaration.
🧹 Nitpick comments (4)
src/blocks/{{block_slug}}-field-display/block.json (1)

17-20: Use file-based render reference for dynamic blocks

The schema guidance prefers render: "file:./render.php" so the render file is discovered directly from block.json. Consider switching back to the file reference.

Suggested change 
-	"render": "{{namespace}}_render_{{block_slug|snakeCase}}_field_display",
+	"render": "file:./render.php",
As per coding guidelines: For dynamic blocks in WordPress 6.5+, use `render: file:./render.php` in block.json (PRIMARY method).
src/blocks/{{block_slug}}-field-display/render.php (1)

2-20: Complete PHP DocBlocks with required tags and summary tense

The file header and function DocBlocks are missing @since, and the function summary should be third-person singular (e.g., “Renders…”). Please add the required tags (and file-level @link/description if applicable).
As per coding guidelines: Every function in WordPress PHP must include @since, and file headers should include summary, description, @package, @since, and @link.

src/blocks/{{block_slug}}-field-display/index.js (1)

1-7: Add JS file header JSDoc with required tags

Current header is a general comment and lacks the required @file, @link, @author, and @since tags. Please add a proper file-level JSDoc block.
As per coding guidelines: Include file header JSDoc blocks in all WordPress JavaScript files when possible. Use @file, @link, @author, and @since tags.

docs/GENERATE_PLUGIN.md (1)

154-187: Clarify placeholder guidance: it currently contradicts itself.

The warning says “Do NOT use generic placeholders like {{cpt_slug}},” but the same paragraph and examples later recommend {{cpt_slug}}. Please adjust the text to either (a) disallow only {{slug}} for CPTs/taxonomies or (b) require numbered placeholders ({{cpt1_slug}}, {{cpt2_slug}}) consistently.

As per coding guidelines: “docs/**/*.md … required frontmatter (title, description, category, type, audience, date).”

.github/agents/generate-plugin.agent.md
Comment on lines +1 to 9
# SCF-Driven Content Model

All post types, taxonomies, and field groups are now output as individual JSON files in `scf-json/` and registered by Secure Custom Fields (SCF). No PHP registration code is generated for post types or taxonomies.
---
name: "Plugin Generator Agent"
description: Interactive agent that collects comprehensive requirements and generates a WordPress multi-block plugin with CPT, taxonomies, and SCF fields
tools: ["semantic_search", "read_file", "grep_search", "file_search", "run_in_terminal", "create_file", "update_file", "delete_file", "move_file"]
tools: ['vscode', 'execute', 'read', 'edit', 'search', 'web', 'github/delete_file', 'agent', 'ms-vscode.vscode-websearchforcopilot/websearch', 'todo']
permissions: ["read", "write", "execute", "shell", "filesystem"]
---
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Move the frontmatter to the very top of the spec.
The heading and paragraph before the frontmatter will break schema validation and the expected agent-spec template layout.

As per coding guidelines: "Start agent specification files from .github/agents/template.agent.md; replace all placeholders and keep metadata accurate (version, last_updated, status, owners)."

🧰 Tools
🪛 LanguageTool

[uncategorized] ~7-~7: The official name of this software platform is spelled with a capital “H”.
Context: ...ute', 'read', 'edit', 'search', 'web', 'github/delete_file', 'agent', 'ms-vscode.vscod...

(GITHUB)

🪛 markdownlint-cli2 (0.20.0)

[warning] 3-3: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

[warning] 5-5: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

🤖 Prompt for AI Agents 
In @.github/agents/generate-plugin.agent.md around lines 1 - 9, The YAML
frontmatter (starts with --- and contains name/description/tools/permissions)
must be moved to the very top of the file so it is the first content in the
agent spec; remove the heading "SCF-Driven Content Model" and the paragraph that
precede it, then ensure the frontmatter follows the template fields (include
accurate metadata keys such as version, last_updated, status, owners) and that
the file is based on the `.github/agents/template.agent.md` structure with
placeholders replaced and metadata updated; update the file's frontmatter block
(the existing name/description/tools/permissions) to match that template and
validate schema.

.github/agents/generate-plugin.agent.md
Comment on lines 5 to 9
name: "Plugin Generator Agent"
description: Interactive agent that collects comprehensive requirements and generates a WordPress multi-block plugin with CPT, taxonomies, and SCF fields
tools: ["semantic_search", "read_file", "grep_search", "file_search", "run_in_terminal", "create_file", "update_file", "delete_file", "move_file"]
tools: ['vscode', 'execute', 'read', 'edit', 'search', 'web', 'github/delete_file', 'agent', 'ms-vscode.vscode-websearchforcopilot/websearch', 'todo']
permissions: ["read", "write", "execute", "shell", "filesystem"]
---
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Frontmatter is missing required fields and tool-permission alignment.
Add version, last_updated, status, owners, and references, and ensure permissions cover every listed tool (e.g., network for web, github:repo/github:issues for GitHub tools).

As per coding guidelines: "Include references to AGENTS.md and .github/instructions/agent-spec.instructions.md in the references field" and "Ensure permissions field in agent specifications is present with appropriate values aligned with the tools array."

🧰 Tools
🪛 LanguageTool

[uncategorized] ~7-~7: The official name of this software platform is spelled with a capital “H”.
Context: ...ute', 'read', 'edit', 'search', 'web', 'github/delete_file', 'agent', 'ms-vscode.vscod...

(GITHUB)

🪛 markdownlint-cli2 (0.20.0)

[warning] 5-5: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

🤖 Prompt for AI Agents 
In @.github/agents/generate-plugin.agent.md around lines 5 - 9, Update the agent
frontmatter to include the missing metadata keys (add version, last_updated,
status, owners, and references) and make the permissions array cover every tool
listed in the tools array (e.g., add network for 'web', github:repo and
github:issues for GitHub tools, and any other specific permission names required
by 'vscode', 'execute', 'read', 'edit', 'search', 'agent', 'todo'); ensure the
references field explicitly includes AGENTS.md and
.github/instructions/agent-spec.instructions.md as required, and keep the
existing name, description, tools, and permissions fields aligned and
syntactically valid in the frontmatter.

docs/JSON-POST-TYPES.md
Comment on lines +1 to +5
# JSON-Based Post Type Loading System

## Overview

This implementation uses Secure Custom Fields (SCF) to register all post types, taxonomies, and custom fields, driven by JSON files. The system is inspired by the [Tour Operator content models system](https://github.com/lightspeedwp/tour-operator/tree/develop/plugins/content-models) and provides a declarative way to define content structures.
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Add required frontmatter at the top of this doc.

This new docs file doesn’t include the required frontmatter block.

💡 Suggested fix 
+---
+title: JSON-Based Post Type Loading System
+description: Guide to JSON-driven loading of post types, taxonomies, and SCF fields
+category: Documentation
+type: Guide
+audience: Developers
+date: 2026-02-02
+---
+
 # JSON-Based Post Type Loading System

As per coding guidelines: “docs/**/*.md … required frontmatter (title, description, category, type, audience, date).”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# JSON-Based Post Type Loading System
## Overview
This implementation uses Secure Custom Fields (SCF) to register all post types, taxonomies, and custom fields, driven by JSON files. The system is inspired by the [Tour Operator content models system](https://github.com/lightspeedwp/tour-operator/tree/develop/plugins/content-models) and provides a declarative way to define content structures.
---
title: JSON-Based Post Type Loading System
description: Guide to JSON-driven loading of post types, taxonomies, and SCF fields
category: Documentation
type: Guide
audience: Developers
date: 2026-02-02
---
# JSON-Based Post Type Loading System
## Overview
This implementation uses Secure Custom Fields (SCF) to register all post types, taxonomies, and custom fields, driven by JSON files. The system is inspired by the [Tour Operator content models system](https://github.com/lightspeedwp/tour-operator/tree/develop/plugins/content-models) and provides a declarative way to define content structures.
🤖 Prompt for AI Agents 
In `@docs/JSON-POST-TYPES.md` around lines 1 - 5, The new markdown lacks the
required frontmatter block; add a YAML frontmatter at the top of
docs/JSON-POST-TYPES.md containing the keys title, description, category, type,
audience, and date (populate with appropriate values for this doc) so the file
conforms to the project's docs/**/*.md frontmatter requirement.

inc/class-core.php
Comment on lines 92 to +110
foreach ( $blocks as $block_json ) {
register_block_type( dirname( $block_json ) );
$block_dir = dirname( $block_json );

// Load render.php if it exists.
$render_file = $block_dir . '/render.php';
if ( file_exists( $render_file ) ) {
require_once $render_file;
}

// Read block.json to get render callback.
$block_metadata = json_decode( file_get_contents( $block_json ), true );
$args = array();

// If render callback is specified, add it.
if ( ! empty( $block_metadata['render'] ) && is_string( $block_metadata['render'] ) && function_exists( $block_metadata['render'] ) ) {
$args['render_callback'] = $block_metadata['render'];
}

register_block_type( $block_dir, $args );
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Guard against invalid block.json to avoid PHP notices.
json_decode() can return null; accessing ['render'] will emit warnings. Add a simple array check before reading render metadata.

Suggested fix 
-			$block_metadata = json_decode( file_get_contents( $block_json ), true );
-			$args = array();
+			$block_metadata = json_decode( file_get_contents( $block_json ), true );
+			if ( ! is_array( $block_metadata ) ) {
+				register_block_type( $block_dir );
+				continue;
+			}
+			$args = array();
🤖 Prompt for AI Agents 
In `@inc/class-core.php` around lines 92 - 110, The code calls json_decode on each
$block_json and then accesses $block_metadata['render'] which can trigger PHP
notices when json_decode returns null; update the block processing in the loop
to verify $block_metadata is an array (e.g. is_array($block_metadata)) before
reading the 'render' key, only set $args['render_callback'] when $block_metadata
is a valid array, contains a string 'render', and function_exists for that
value, and continue to call register_block_type($block_dir, $args) otherwise
(leaving $args empty) to gracefully handle invalid block.json files.

SCF-JSON-REGISTRATION-CHANGES.md
Comment on lines +160 to +174
### File Organization

```
plugin-name/
├── scf-json/
│ ├── post-type-webinar.json # Post type registration
│ ├── post-type-digital_magazine.json # Post type registration
│ ├── taxonomy-brand.json # Taxonomy registration
│ ├── taxonomy-speciality.json # Taxonomy registration
│ ├── group_webinar_fields.json # Field group
│ └── group_digital_magazine_fields.json # Field group
└── inc/
├── class-scf-json.php # Configures SCF JSON paths
└── class-content-model-manager.php # Loads configs (reference only)
```
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add a language identifier to the fenced code block.
The file-tree block is missing a language tag, which triggers MD040.

🧰 Tools
🪛 markdownlint-cli2 (0.20.0)

[warning] 162-162: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents 
In `@SCF-JSON-REGISTRATION-CHANGES.md` around lines 160 - 174, The fenced
file-tree block in SCF-JSON-REGISTRATION-CHANGES.md lacks a language tag
(triggering MD040); fix it by adding a language identifier after the opening
triple backticks (e.g., ```text or ```bash) for the block that contains the tree
listing (the block showing plugin-name/ and scf-json/ with files like
post-type-webinar.json, taxonomy-brand.json, group_webinar_fields.json, etc.),
so the Markdown linter recognizes it as a code block.

src/blocks/{{block_slug}}-field-display/block.json
Comment on lines +21 to +36
"supports": {
"html": false,
"align": true,
"color": {
"text": true,
"background": true,
"link": true
},
"typography": {
"fontSize": true,
"lineHeight": true
},
"spacing": {
"margin": true,
"padding": true
}
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's explore the repository structure to find block.json files
git ls-files | grep -E "block\.json$" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 220

🏁 Script executed:

# Look for any files matching the pattern mentioned in the review
find . -type f -name "block.json" 2>/dev/null

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 226

🏁 Script executed:

# Check if there's a template or actual block-field-display directory
find . -type d -name "*field-display*" 2>/dev/null

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 119

🏁 Script executed:

# Read the block.json file to verify the current state
cat -n src/blocks/{{block_slug}}-field-display/block.json

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1835

🏁 Script executed:

# Also check WordPress documentation for anchor support in block.json
# Search for any references to anchor in other files in the repo
rg "anchor" --type json -A 2 -B 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 807

Enable anchor support for deep linking

Add anchor: true under supports to allow blocks to have anchors, consistent with other blocks in the scaffold.

Suggested change 
 	"supports": {
 		"html": false,
+		"anchor": true,
 		"align": true,

Per coding guidelines: Enable anchor support in block.json for deep linking capability.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"supports": {
"html": false,
"align": true,
"color": {
"text": true,
"background": true,
"link": true
},
"typography": {
"fontSize": true,
"lineHeight": true
},
"spacing": {
"margin": true,
"padding": true
}
"supports": {
"html": false,
"anchor": true,
"align": true,
"color": {
"text": true,
"background": true,
"link": true
},
"typography": {
"fontSize": true,
"lineHeight": true
},
"spacing": {
"margin": true,
"padding": true
}
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-field-display/block.json around lines 21 - 36, Add
anchor support by updating the supports object in block.json: inside the
existing "supports" block (where "html", "align", "color", "typography", and
"spacing" are defined) add "anchor": true so the block can accept deep-link
anchors; ensure the new key is at the same level as "align" and other support
flags to match the scaffold convention.

src/blocks/{{block_slug}}-field-display/index.js
Comment on lines 25 to 36
const Edit = (props) => {
const { attributes, setAttributes, context } = props;
const { fieldKey, prefix, prefixBold, fallbackText } = attributes;
const { postId, postType } = context;

const blockProps = useBlockProps({
className: 'wp-block-{{slug}}-{{block_slug}}-field-display',
});

// Get the field value from post meta.
const [meta] = useEntityProp('postType', postType, 'meta', postId);
const fieldValue = meta?.[fieldKey] || fallbackText || __('(No value set)', '{{textdomain}}');
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find src/blocks -name "index.js" -o -name "*field-display*" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 254

🏁 Script executed:

fd --type f "field-display" src/blocks

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

fd "index\.js$" src/blocks | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 214

🏁 Script executed:

cat -n src/blocks/{{block_slug}}-field-display/index.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3965

🏁 Script executed:

rg "useEntityProp" src/blocks/{{block_slug}}-field-display/index.js -A 5 -B 5

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 868

🏁 Script executed:

cat -n src/blocks/{{block_slug}}-field-display/block.json

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1835

🏁 Script executed:

rg "context" src/blocks/{{block_slug}}-field-display/ -A 2 -B 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1238

🏁 Script executed:

rg "renderBlockPreview\|BlockPreview" src/ --type js --type jsx -A 3

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 105

🏁 Script executed:

rg "useEntityProp" --type js -B 5 -A 5 | head -50

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1946

🏁 Script executed:

rg "const.*context.*=.*props" src/blocks --type js -A 3

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 436

🏁 Script executed:

web_search
WordPress block Edit component context prop behavior when block is outside context provider

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 176

🌐 Web query:

WordPress block usesContext prop undefined Edit component behavior

💡 Result:

If your block declares usesContext but context is undefined in your Edit component, it means no context values are being provided to your block at that moment (or you’re not actually registering usesContext in the final block settings that WordPress sees).

Key points / expected behavior:

  • A descendant block only receives values in edit({ context }) if:
    1. It declares usesContext: [ 'namespace/key' ], and
    2. An ancestor block in the current hierarchy declares providesContext: { 'namespace/key': 'someAttribute' } (values come from the ancestor’s attributes). (developer.wordpress.org)
  • The context values are available in edit (JS) and render_callback (PHP), but not in save. (developer.wordpress.org)

Practical fixes:

  1. Ensure usesContext is in the real registration
  • If you use block.json, put it there (or ensure it’s merged into the object you pass to registerBlockType).
  • Mismatches between block.json and registerBlockType(...) (or a build output not updated) commonly lead to “why is context missing?”
  1. Ensure the provider is actually an ancestor
  • If your consumer block is inserted outside the provider block (even temporarily), context may be undefined / missing because nothing is providing that key.
  1. Code defensively in Edit
export default function Edit( { context = {} } ) {
  const recordId = context[ 'my-plugin/recordId' ];
  return <div>{ recordId ?? 'No context provided' }</div>;
}

(Per docs, only explicitly requested keys are made available, and only when provided.) (developer.wordpress.org)

Citations:

🌐 Web query:

@wordpress/core-data useEntityProp undefined postType postId parameter

💡 Result:

useEntityProp does not take postType / postId as named parameters. Its signature is:

useEntityProp( kind, name, prop, id? )
  • kind: entity kind (for posts: 'postType')
  • name: the post type slug (e.g. 'post', 'page', 'product', or your CPT slug)
  • prop: the property to read/write (commonly 'meta')
  • id (optional): the specific record ID to use (e.g. postId) instead of the nearest “provided entity” context. [1][2]

So for post meta:

import { useEntityProp } from '@wordpress/core-data';

const [ meta, setMeta ] = useEntityProp('postType', postType, 'meta', postId);

If you pass the wrong thing in the 2nd argument (e.g. you pass 'postType' again, or a label instead of the slug), you’ll typically get undefined because that entity doesn’t exist. [2]

Also, meta will be undefined if the meta field isn’t exposed in REST (the meta key must be registered with show_in_rest: true for the relevant post type). [1]

Sources:
[1] WordPress Developer Blog example using useEntityProp(..., 'meta', postId) and explaining the 4 parameters https://developer.wordpress.org/news/2023/03/creating-a-custom-block-that-stores-post-meta/
[2] @wordpress/core-data package reference documenting useEntityProp(kind, name, prop, id?) https://developer.wordpress.org/block-editor/reference-guides/packages/packages-core-data/

Guard against missing block context before calling useEntityProp

The block declares usesContext in block.json, but context may be undefined when the block is inserted outside a context provider (e.g., in the inserter or template preview). Destructuring const { postId, postType } = context; will yield undefined values, causing useEntityProp to fail. The PHP render callback already handles this defensively; the Edit component should too.

Suggested change 
-const { attributes, setAttributes, context } = props;
+const { attributes, setAttributes, context = {} } = props;
 const { fieldKey, prefix, prefixBold, fallbackText } = attributes;
-const { postId, postType } = context;
+const { postId, postType } = context;
+const safePostType = postType || 'post';
+const safePostId = postId || 0;

 // Get the field value from post meta.
-const [meta] = useEntityProp('postType', postType, 'meta', postId);
+const [meta] = useEntityProp('postType', safePostType, 'meta', safePostId);
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-field-display/index.js around lines 25 - 36, Edit
currently destructures context and calls useEntityProp unguarded; if context is
undefined this breaks. Update the Edit component to first verify context and its
postId/postType (e.g., if (!context || !context.postId || !context.postType)
return a placeholder UI or set fieldValue to fallback), then only call
useEntityProp when postType and postId are present; adjust logic around
fieldValue/fallbackText accordingly so useEntityProp is never invoked with
undefined postType/postId (references: Edit, context, postId, postType,
useEntityProp, fieldValue).

src/blocks/{{block_slug}}-field-display/render.php
Comment on lines 29 to 45
// Get attributes.
$field_key = isset( $attributes['fieldKey'] ) ? $attributes['fieldKey'] : '';
$prefix = isset( $attributes['prefix'] ) ? $attributes['prefix'] : '';
$prefix_bold = isset( $attributes['prefixBold'] ) ? (bool) $attributes['prefixBold'] : false;
$fallback_text = isset( $attributes['fallbackText'] ) ? $attributes['fallbackText'] : '';

if ( empty( $field_key ) ) {
return '';
}

// Get the field value.
$field_value = get_post_meta( $post_id, $field_key, true );

// Use fallback if empty.
if ( empty( $field_value ) ) {
$field_value = $fallback_text;
}
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find the render.php file for the field-display block
find . -name "render.php" -path "*field-display*" -type f

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 130

🏁 Script executed:

# Also look for block.json files to understand attribute configuration
find . -name "block.json" -path "*field-display*" -type f

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 130

🏁 Script executed:

# Get a broader view of the blocks directory structure
find . -path "*/blocks/*field-display*" -type f | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 446

🏁 Script executed:

cat -n ./src/blocks/{{block_slug}}-field-display/render.php

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3282

🏁 Script executed:

cat -n ./src/blocks/{{block_slug}}-field-display/block.json

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1835

🏁 Script executed:

# Check the index.js file to see if there's any validation for fieldKey
cat -n ./src/blocks/{{block_slug}}-field-display/index.js | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3801

Sanitize fieldKey using sanitize_key() to prevent exposure of protected meta

Block attributes are user input and must be sanitized before use. Apply sanitize_key() to $field_key at line 30 to ensure it conforms to valid meta key format. Additionally, consider checking is_protected_meta( $field_key ) to prevent editors from accessing private meta keys (those prefixed with underscores like _thumbnail_id).

Per coding guidelines, all user input must be sanitized immediately, and sensitive functionality requires capability verification.

🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-field-display/render.php around lines 29 - 45,
Sanitize and guard the incoming field key before using it: replace direct use of
$attributes['fieldKey'] by running it through sanitize_key() and assign back to
$field_key, then check is_protected_meta( $field_key ) and bail (return empty
string) if it’s protected; also ensure you only expose meta when the current
user has appropriate capability (e.g., verify current_user_can('edit_post',
$post_id) or another suitable capability) before calling get_post_meta(
$post_id, $field_key, true ).

src/blocks/{{block_slug}}-field-display/render.php
Comment on lines 74 to 88
// Build wrapper classes.
$wrapper_classes = array( 'wp-block-{{slug}}-{{block_slug}}-field-display' );
if ( ! empty( $attributes['className'] ) ) {
$wrapper_classes[] = esc_attr( $attributes['className'] );
}
if ( ! empty( $attributes['align'] ) ) {
$wrapper_classes[] = 'align' . esc_attr( $attributes['align'] );
}

// Build output.
$output = sprintf(
'<div class="%s"><p class="field-display-value">%s%s</p></div>',
esc_attr( implode( ' ', $wrapper_classes ) ),
$prefix_html,
esc_html( $field_value )
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all render.php files in the blocks directory
find src/blocks -name "render.php" -type f 2>/dev/null | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 220

🏁 Script executed:

#!/bin/bash
# List the structure of src/blocks to identify available block slugs
ls -la src/blocks/ 2>/dev/null || echo "src/blocks not found"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 407

🏁 Script executed:

#!/bin/bash
# Read the render.php file to verify the code and context
cat -n "src/blocks/{{block_slug}}-field-display/render.php"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3282

🏁 Script executed:

#!/bin/bash
# Check for block.json in the field-display block directory
cat "src/blocks/{{block_slug}}-field-display/block.json" 2>/dev/null || echo "block.json not found"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1366

🏁 Script executed:

#!/bin/bash
# Search for any references to get_block_wrapper_attributes in the codebase
rg "get_block_wrapper_attributes" --type php

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

Use get_block_wrapper_attributes() to preserve block supports

The block declares color, typography, and spacing supports in block.json, but the manual wrapper class assembly ignores these. Editor-set properties (text color, background color, font size, margins, padding) won't render on the frontend. Replace the manual class building with get_block_wrapper_attributes().

Suggested change 
-		// Build wrapper classes.
-		$wrapper_classes = array( 'wp-block-{{slug}}-{{block_slug}}-field-display' );
-		if ( ! empty( $attributes['className'] ) ) {
-			$wrapper_classes[] = esc_attr( $attributes['className'] );
-		}
-		if ( ! empty( $attributes['align'] ) ) {
-			$wrapper_classes[] = 'align' . esc_attr( $attributes['align'] );
-		}
-
-		// Build output.
-		$output = sprintf(
-			'<div class="%s"><p class="field-display-value">%s%s</p></div>',
-			esc_attr( implode( ' ', $wrapper_classes ) ),
-			$prefix_html,
-			esc_html( $field_value )
-		);
+		$wrapper_attributes = get_block_wrapper_attributes(
+			array(
+				'class' => 'wp-block-{{slug}}-{{block_slug}}-field-display',
+			)
+		);
+
+		$output = sprintf(
+			'<div %s><p class="field-display-value">%s%s</p></div>',
+			$wrapper_attributes,
+			$prefix_html,
+			esc_html( $field_value )
+		);
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-field-display/render.php around lines 74 - 88, The
render uses a manually built $wrapper_classes and sprintf to output the wrapper
(see $wrapper_classes, $attributes, $output, sprintf), which ignores block
supports (colors, typography, spacing); replace the manual class assembly and
esc_attr( implode(...) ) wrapper with attributes returned from
get_block_wrapper_attributes() and use those attributes in the output (call
get_block_wrapper_attributes( $attributes ) to obtain the wrapper string/array
and inject it into your div instead of building $wrapper_classes) so editor-set
color/typography/spacing classes and styles render on the frontend.

src/blocks/{{block_slug}}-slider/render.php
Comment on lines +12 to +13
if ( ! function_exists( '{{namespace}}_render_{{block_slug|snakeCase}}_slider' ) ) {
function {{namespace}}_render_{{block_slug|snakeCase}}_slider( $attributes, $content, $block ) {
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add a full DocBlock for the render callback.

The render function is missing the required summary, @since, @param, and @return tags.

📝 Suggested DocBlock 
 if ( ! function_exists( '{{namespace}}_render_{{block_slug|snakeCase}}_slider' ) ) {
+	/**
+	 * Renders the {{block_slug}} slider block.
+	 *
+	 * `@since` 1.0.0
+	 *
+	 * `@param` array    $attributes Block attributes.
+	 * `@param` string   $content    Block content.
+	 * `@param` WP_Block $block      Block instance.
+	 * `@return` string Rendered block HTML.
+	 */
 	function {{namespace}}_render_{{block_slug|snakeCase}}_slider( $attributes, $content, $block ) {

As per coding guidelines, "Every function in WordPress PHP must be accompanied by a proper DocBlock with a short, imperative summary on the first line, @since tag indicating version introduced, @param tags for each parameter with type and description, and @return tag specifying return type and description."

🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-slider/render.php around lines 12 - 13, Add a full
DocBlock above the render callback function
{{namespace}}_render_{{block_slug|snakeCase}}_slider: include a short imperative
summary on the first line, an `@since` tag with the version this was introduced,
`@param` tags for $attributes (array), $content (string), and $block
(WP_Block|null) with brief descriptions, and an `@return` tag indicating it
returns a string (rendered block HTML). Ensure the DocBlock follows WordPress
PHPDoc style and is placed immediately above the function declaration.

coderabbitai[bot]
coderabbitai bot requested changes Feb 2, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Fix all issues with AI agents 
In `@inc/helper-functions.php`:
- Around line 30-39: The path construction using $icon_type and $icon_name is
vulnerable to path traversal; sanitize and validate both inputs before building
$svg_path: restrict $icon_type and $icon_name to a safe whitelist or a strict
character set (e.g., [a-z0-9-_] for $icon_type and the kebab-cased $file_name),
strip/deny any path separators, and reject or normalize unexpected values; after
constructing the path, resolve and verify the resolved path (realpath) is inside
the expected base directory (the {{constantPrefix}}_DIR ...
'src/blocks/icons/source-icons/' folder) and return '' if validation fails or
file is outside that directory.

In `@src/blocks/`{{block_slug}}-field-display/index.js:
- Around line 100-103: The icon type labels produced in the options mapping
(options={iconTypes.map(...)}) are currently capitalized programmatically but
not localized; update the mapping so each label is passed through the project's
i18n translation function (e.g., __ or wp.i18n.__ / the hook you use) instead of
raw string concatenation, and ensure the translation key uses the capitalized
form (or a consistent key) so users see translated labels; also add the
appropriate i18n import at the top of
src/blocks/{{block_slug}}-field-display/index.js if missing.

inc/helper-functions.php
Comment on lines 30 to 39
// Convert camelCase icon name to kebab-case file name.
$file_name = strtolower( preg_replace( '/([a-z])([A-Z])/', '$1-$2', $icon_name ) );

// Build the path to the SVG file.
$svg_path = {{constantPrefix}}_DIR . 'src/blocks/icons/source-icons/' . $icon_type . '/' . $file_name . '.svg';

// Check if the file exists.
if ( ! file_exists( $svg_path ) ) {
return '';
}
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Potential path traversal vulnerability in file path construction.

Both $icon_type and $icon_name are used directly in the file path without sanitization. An attacker could potentially pass values like ../../ to escape the intended directory and read arbitrary files.

🛡️ Proposed fix to validate inputs 
 // Convert camelCase icon name to kebab-case file name.
 $file_name = strtolower( preg_replace( '/([a-z])([A-Z])/', '$1-$2', $icon_name ) );

+// Sanitize file name to prevent directory traversal.
+$file_name = sanitize_file_name( $file_name );
+
+// Validate icon type against allowed values.
+$allowed_types = array( 'outline', 'solid' );
+if ( ! in_array( $icon_type, $allowed_types, true ) ) {
+	$icon_type = 'outline';
+}
+
 // Build the path to the SVG file.
 $svg_path = {{constantPrefix}}_DIR . 'src/blocks/icons/source-icons/' . $icon_type . '/' . $file_name . '.svg';
🤖 Prompt for AI Agents 
In `@inc/helper-functions.php` around lines 30 - 39, The path construction using
$icon_type and $icon_name is vulnerable to path traversal; sanitize and validate
both inputs before building $svg_path: restrict $icon_type and $icon_name to a
safe whitelist or a strict character set (e.g., [a-z0-9-_] for $icon_type and
the kebab-cased $file_name), strip/deny any path separators, and reject or
normalize unexpected values; after constructing the path, resolve and verify the
resolved path (realpath) is inside the expected base directory (the
{{constantPrefix}}_DIR ... 'src/blocks/icons/source-icons/' folder) and return
'' if validation fails or file is outside that directory.

@krugazul
feat: Enhance plugin generation to include snake_case function names …
cf8d542 
…and copy plugin-config.json
@krugazul
Add new solid icons for various features
9692aae 
- Added number-of-units-icon.svg
- Added phone-icon.svg
- Added price-icon.svg
- Added quotation-icon.svg
- Added rating-icon.svg
- Added room-basis-icon.svg
- Added single-supplement-icon.svg
- Added special-interests-icon.svg
- Added spoken-languages-icon.svg
- Added travel-style-icon.svg
- Added user-icon.svg
- Added warning-icon.svg
@krugazul
feat: Simplify field display block styles and adjust rendering for co…
42e0ae7 
…nsistent spacing
coderabbitai[bot]
coderabbitai bot requested changes Feb 2, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Fix all issues with AI agents 
In `@scripts/generate-plugin.js`:
- Around line 932-1018: The replacement code in generate-plugin.js builds RegExp
from user-provided strings (firstPostType.singular, firstPostType.plural,
firstPostType.slug, and the dasherized/snake variants) without escaping regex
metacharacters; add an escape helper (e.g., escapeRegExp) near the file-level
functions used by this block and use it to wrap each pattern before constructing
RegExp instances in the loop that processes template files (the block using
templateFiles.forEach and the variables firstCPTDasherized, firstCPTSnakeCase,
firstPostType.slug, firstPostType.singular, firstPostType.plural); replace new
RegExp(X, 'g') with new RegExp(escapeRegExp(X), 'g') so literal strings are
matched safely.
- Around line 532-541: The array-item quoting in the result.replace callback
(inside the Array.isArray(value) branch) currently wraps items in single quotes
without escaping; update that branch to first convert each item to a string and
escape backslashes and single quotes (e.g., replace \ with \\ and ' with \')
before surrounding with single quotes so emitted PHP string literals are safe;
locate the replace callback that references config[varName] and modify the
Array.isArray(value) map transformation to perform this escaping for each item.

In `@src/blocks/`{{block_slug}}-field-display/index.js:
- Around line 79-100: meta[fieldKey] may be an object/array and is used directly
in rendering (via fieldValue and displayValue), which can break
React—coerce/normalize non-string values to a string when computing fieldValue:
read meta?.[fieldKey], if it's null/undefined use fallbackText/(No value set),
if it's a string use it, otherwise convert objects/arrays/other types to a
stable string (e.g. JSON.stringify or String()) before using in displayValue;
keep prefix/prefixBold logic unchanged so displayValue renders only string
content.

In `@src/blocks/icons/source-icons/README.md`:
- Around line 7-11: The fenced code block showing the directory tree for
"source-icons/" is missing a language identifier; update the triple-backtick
fence that wraps the lines beginning with "source-icons/" to include a language
hint (for example, change ``` to ```text) so the block becomes ```text ... ```
to satisfy markdownlint and tooling expectations.
🧹 Nitpick comments (1)
src/blocks/{{block_slug}}-field-display/render.php (1)

85-108: Move inline styles to CSS classes.

The inline style attributes make the markup harder to theme and override; prefer CSS classes in the block stylesheet.

♻️ Suggested change 
-		$output = sprintf(
-			'<div class="%s" style="flex-wrap: nowrap; gap: var(--wp--preset--spacing--20);">',
-			esc_attr( implode( ' ', $wrapper_classes ) )
-		);
+		$output = sprintf(
+			'<div class="%s field-display-wrapper">',
+			esc_attr( implode( ' ', $wrapper_classes ) )
+		);
...
-				$output .= sprintf(
-				'<div class="wp-block-group is-layout-flex" style="flex-wrap: nowrap;">%s</div>',
+				$output .= sprintf(
+				'<div class="wp-block-group is-layout-flex field-display-icon">%s</div>',
 					$svg_content // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- SVG content is sanitized in {{namespace|snakeCase}}_get_icon_svg().
 				);
...
-		$output .= sprintf(
-			'<div class="wp-block-group is-layout-flex" style="flex-wrap: nowrap;">
+		$output .= sprintf(
+			'<div class="wp-block-group is-layout-flex field-display-content">
 				<p class="field-display-value">%s%s</p>
 			</div>',
 			$prefix_html,
 			esc_html( $field_value )
 		);

Please add the corresponding CSS rules in the block stylesheet.
As per coding guidelines: "Avoid inline styles and JavaScript; separate structure (HTML), presentation (CSS), and behaviour (JavaScript)."

scripts/generate-plugin.js
Comment on lines 532 to +541
result = result.replace(/\{\{([a-z_]+)\}\}/gi, (match, varName) => {
const value = config[varName];
return value !== undefined ? String(value) : ''; // Return empty string for undefined
if (value === undefined) {
return ''; // Return empty string for undefined
}
// Handle arrays by converting to quoted, comma-separated strings for PHP
if (Array.isArray(value)) {
return value.map(item => `'${item}'`).join(', ');
}
return String(value);
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cd /tmp && head -c 100 /dev/null
# First, let's check the file structure and examine the specific lines
fd scripts/generate-plugin.js --type f

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Read the file to understand the context around lines 532-541
wc -l scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 109

🏁 Script executed:

# Read lines around the concern to understand the full context
sed -n '520,560p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1203

🏁 Script executed:

# Also check how this function is called and what values are passed to it
rg -A 5 -B 5 'replaceMustacheVars' scripts/generate-plugin.js | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3119

🏁 Script executed:

# Check what type of data structures are passed to understand if escaping is needed
rg -B 10 "Array\.isArray\(value\)" scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 431

🏁 Script executed:

# Find and read the schema file to understand what arrays are used
fd schema.json --type f

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check the applyDefaults function to see how arrays are populated
sed -n '1,150p' scripts/generate-plugin.js | grep -A 30 "function applyDefaults"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Search for any array definitions in the config or schema files
rg "Array|\\[" scripts/generate-plugin.js -A 2 -B 2 | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2492

🏁 Script executed:

# Check what values are passed into config - look at initialization
grep -n "config\[" scripts/generate-plugin.js | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 152

🏁 Script executed:

# Check if there's a schema file
find . -name "schema.json" -o -name "schema*.json" | head -5

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Let's look at the full applyDefaults function to see what arrays are initialized
sed -n '200,350p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 4381

🏁 Script executed:

# Check how post_types, taxonomies, fields arrays are used
rg "post_types|taxonomies|fields" scripts/generate-plugin.js -A 2 | head -60

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1821

🏁 Script executed:

# Look for actual config examples or where array values come from
rg "cpt_supports|blocks" scripts/generate-plugin.js -B 2 -A 2 | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2943

🏁 Script executed:

# Check if there's any actual usage of the replaced mustache variables for arrays
rg "array_keys|implode|explode" scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Let's look for where the config comes from - likely user input
sed -n '1,100p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2790

🏁 Script executed:

# Check if there's any path where user input with quotes could end up in an array value
# Look for where array items are created from user input
sed -n '270,380p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3532

🏁 Script executed:

# Check the schema to see what types of values are allowed in arrays
cat .github/schemas/plugin-config.schema.json | jq '.properties | keys' 2>/dev/null | head -40

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 307

🏁 Script executed:

# Look at what the actual PHP output looks like - search for how these replaced values are used
rg "cpt_supports|post_types" --type php | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check if there's any test or example data showing what arrays look like
fd "example*|test*|fixture*" --type f | grep -E "\.(json|js)$" | head -10

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 462

🏁 Script executed:

# Let's check the actual sanitization more carefully - does any sanitization path allow quotes?
sed -n '100,190p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2608

🏁 Script executed:

# Check the schema to see validation constraints on array items
cat .github/schemas/plugin-config.schema.json | jq '.properties.post_types, .properties.supports' 2>/dev/null | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2718

🏁 Script executed:

# Look for where sanitizeInput is actually called to understand if arrays are sanitized
rg "sanitizeInput" scripts/generate-plugin.js -B 2 -A 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 330

🏁 Script executed:

# Check if there are any example/test config files showing what array values look like
find . -name "*.json" -type f | xargs grep -l "cpt_supports\|supports" 2>/dev/null | head -5

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 302

🏁 Script executed:

# Let's look at what the actual PHP template files expect - search for how supports is used
fd "*.php" | xargs grep -l "supports" 2>/dev/null | head -5

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 362

🏁 Script executed:

# Check a PHP file to see how array values are actually used in templates
fd "plugin.php" | head -1 | xargs cat 2>/dev/null | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Let's see the actual template files to understand what {{cpt_supports}} is replaced with
find . -name "*.php" -o -name "*.json" | xargs grep -l "cpt_supports" 2>/dev/null | head -3

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 248

🏁 Script executed:

# Look at one of the SCF JSON templates to see how array placeholders are used
cat scf-json/group_{{slug}}_example.json | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2645

🏁 Script executed:

# Search for actual usage of the supports array in templates
find . -type f \( -name "*.php" -o -name "*.js" \) | xargs grep "supports" 2>/dev/null | grep -E "(register_post_type|cpt_supports)" | head -10

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 514

🏁 Script executed:

# Check if there are any tests showing the expected output
find . -path "*/test*" -name "*.js" | xargs grep -l "replaceMustacheVars\|cpt_supports" 2>/dev/null

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 113

🏁 Script executed:

# Let's look at test files to understand the expected behavior
fd "test" --type f --extension js | head -5 | xargs ls -la

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 507

🏁 Script executed:

# Let's look at the test file to understand expected behavior
cat scripts/__tests__/generate-plugin.test.js | head -200

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 5315

🏁 Script executed:

# Also check the mustache variables registry to see what variables are expected
cat scripts/mustache-variables-registry.json | jq '.variables | keys'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3692

🏁 Script executed:

# Look for how cpt_supports is actually used in templates
rg "cpt_supports" . --type php --type json -A 2 -B 2

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1578

🏁 Script executed:

# Find template files that actually use {{cpt_supports}}
rg "{{cpt_supports}}" . --type php --type json --type js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 169

🏁 Script executed:

# Look at how cpt_supports is used in actual file content
rg -B 3 -A 3 "cpt_supports" src/ --type php --type json 2>/dev/null | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check if there are any PHP files that show the register_post_type usage
find . -path "*/src/*" -name "*.php" | head -5 | xargs head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 4674

🏁 Script executed:

# Let's check the test file to see what the expected output of replaceMustacheVars is for arrays
sed -n '200,400p' scripts/__tests__/generate-plugin.test.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 5538

🏁 Script executed:

# Find the replaceMustacheVars test specifically
rg -A 50 "describe\('replaceMustacheVars'" scripts/__tests__/generate-plugin.test.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1800

🏁 Script executed:

# Look for tests of array handling
rg -B 3 -A 10 "Array\|array\|cpt_supports" scripts/__tests__/generate-plugin.test.js | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Let's see the complete test for replaceMustacheVars, especially if there are array tests
sed -n '/describe.*replaceMustacheVars/,/^describe/p' scripts/__tests__/generate-plugin.test.js | head -150

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2264

🏁 Script executed:

# Check if there are any tests for arrays in the config
rg -A 5 "cpt_supports|post_types|taxonomies" scripts/__tests__/generate-plugin.test.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 654

🏁 Script executed:

# Let's check what the actual output format should be for arrays - look at usage in templates
find . -name "*.php" -o -name "*.js" | xargs grep -l "register_post_type" 2>/dev/null | head -3

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Look at actual plugin files to see how post types are registered
find src -name "*.php" | head -3 | xargs cat | grep -A 10 "register_post_type"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check the plugin main file or setup file to see how post type supports are used
find src -name "class-*.php" -o -name "*-setup.php" | head -1 | xargs cat | head -200

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Let me check what arrays could actually contain user input by tracing back through the code
# Look for where post_types.supports gets its values
sed -n '280,330p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1867

🏁 Script executed:

# Check if any sanitization is applied to the post_types array items before they're stored in config
rg -B 10 -A 5 "post_types.*supports" scripts/generate-plugin.js | head -60

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# See if the supports enum validation is enforced
cat .github/schemas/plugin-config.schema.json | jq '.properties.post_types.items.properties.supports'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 570

🏁 Script executed:

# Let's test what happens with a value containing quotes - create a simple test
cat > /tmp/test_escape.js << 'EOF'
// Simulate the array replacement code
function replaceMustacheVarsArray(value) {
    if (Array.isArray(value)) {
        return value.map(item => `'${item}'`).join(', ');
    }
    return String(value);
}

// Test with normal values
console.log('Normal:', replaceMustacheVarsArray(['title', 'editor']));

// Test with problematic values
console.log('With quote:', replaceMustacheVarsArray(["my'value"]));
console.log('With backslash:', replaceMustacheVarsArray(["my\\value"]));

// Show the output and what it would look like in PHP
const result = replaceMustacheVarsArray(["my'value", "test"]);
console.log('PHP array would be: array(' + result + ')');
EOF
node /tmp/test_escape.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 199

🏁 Script executed:

# Check if there are other arrays in the config that DON'T have enum constraints
cat .github/schemas/plugin-config.schema.json | jq '.properties | to_entries[] | select(.value.type == "array") | {key: .key, itemType: .value.items.type, itemEnum: .value.items.enum}'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 367

🏁 Script executed:

# Look specifically at post_types and fields to see their validation
cat .github/schemas/plugin-config.schema.json | jq '.properties.post_types.items.properties | keys'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 202

🏁 Script executed:

# Check if fields or other post_type properties could have arbitrary string arrays
cat .github/schemas/plugin-config.schema.json | jq '.properties.post_types.items.properties.fields'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 5055

🏁 Script executed:

# Let's verify what all arrays could be passed to replaceMustacheVars
# Check if there are any string arrays without enum constraints that could be user-provided
cat .github/schemas/plugin-config.schema.json | jq '.properties | to_entries[] | select(.value.type == "array" and .value.items.type == "string") | .key'

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 86

🏁 Script executed:

# Check what gets passed to replaceMustacheVars in the config
sed -n '700,800p' scripts/generate-plugin.js | grep -A 20 -B 5 "replaceMustacheVars"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 725

🏁 Script executed:

# Let's check if the config ever directly uses string arrays outside of the enum-constrained supports field
rg "config\[" scripts/generate-plugin.js | grep -v "config\[varName\]" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Most importantly, let's see if {{cpt_supports}} is actually used in any templates
find . -type f \( -name "*.php" -o -name "*.json" -o -name "*.js" \) -exec grep -l "cpt_supports" {} \; | xargs grep -B 2 -A 2 "cpt_supports" | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 4298

🏁 Script executed:

# Check if {{cpt_supports}} is actually used in any template files - search more broadly
find . -type f \( -name "*.php" -o -name "*.json" \) -exec grep -l "{{" {} \; | xargs grep "cpt_supports"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 575

🏁 Script executed:

# Check where replaceMustacheVars output is actually written/used
rg "replaceMustacheVars.*config" scripts/generate-plugin.js -B 5 -A 10 | grep -E "(writeFileSync|template|config\[)" | head -40

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 212

🏁 Script executed:

# Verify that the schema validation actually prevents invalid values
cat > /tmp/test_validation.js << 'EOF'
const Ajv2020 = require('ajv/dist/2020');
const fs = require('fs');

const schemaContent = fs.readFileSync('.github/schemas/plugin-config.schema.json', 'utf8');
const schema = JSON.parse(schemaContent);

const ajv = new Ajv2020({ allErrors: true, strict: false });
const validate = ajv.compile(schema);

// Test with invalid supports value (contains quote)
const invalidConfig = {
  slug: 'test',
  name: 'Test',
  author: 'Test',
  cpt_supports: ["title'invalid"]
};

const valid = validate(invalidConfig);
console.log('Invalid config with quote in supports:', valid);
if (!valid) {
  console.log('Validation errors:', validate.errors);
}

// Test with valid supports values
const validConfig = {
  slug: 'test',
  name: 'Test',
  author: 'Test',
  cpt_supports: ["title", "editor"]
};

const valid2 = validate(validConfig);
console.log('\nValid config with standard supports:', valid2);
if (!valid2) {
  console.log('Validation errors:', validate.errors);
}
EOF
cd /repo && node /tmp/test_validation.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 134

🏁 Script executed:

# Test validation without changing directory
cat > /tmp/test_validation.js << 'EOF'
const Ajv2020 = require('ajv/dist/2020');
const fs = require('fs');
const path = require('path');

const schemaPath = path.join(process.cwd(), '.github/schemas/plugin-config.schema.json');
const schemaContent = fs.readFileSync(schemaPath, 'utf8');
const schema = JSON.parse(schemaContent);

const ajv = new Ajv2020({ allErrors: true, strict: false });
const validate = ajv.compile(schema);

// Test with invalid supports value (contains quote)
const invalidConfig = {
  slug: 'test',
  name: 'Test',
  author: 'Test',
  cpt_supports: ["title'invalid"]
};

const valid = validate(invalidConfig);
console.log('Invalid config with quote in supports:', valid);
if (!valid) {
  console.log('Validation errors:', validate.errors.map(e => e.message));
}

// Test with valid supports values
const validConfig = {
  slug: 'test',
  name: 'Test',
  author: 'Test',
  cpt_supports: ["title", "editor"]
};

const valid2 = validate(validConfig);
console.log('\nValid config with standard supports:', valid2);
if (!valid2) {
  console.log('Validation errors:', validate.errors.map(e => e.message));
}
EOF
node /tmp/test_validation.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 962

🏁 Script executed:

# Check if there are any templates that actually use {{cpt_supports}} as an array
find . -path ./node_modules -prune -o -type f -name "*.php" -o -name "*.json" | xargs grep -E "{{cpt_supports}}" 2>/dev/null || echo "No templates use {{cpt_supports}}"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 111

🏁 Script executed:

# Check what variables are actually expected to be arrays in output
rg "{{.*}}" src/ --type php | grep -v "{{[a-z_]*}}" | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 159

🏁 Script executed:

# Let me verify the schema validation actually runs before replaceMustacheVars
rg -B 10 "replaceMustacheVars" scripts/generate-plugin.js | grep -E "(validateConfig|applyDefaults)" | head -10

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 112

🏁 Script executed:

# Check the main execution flow to confirm validation happens
sed -n '1600,1700p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2692

🏁 Script executed:

# Let's trace the exact flow - find where the config is used in generatePlugin
rg -B 5 "generatePlugin\(" scripts/generate-plugin.js | head -30

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 424

🏁 Script executed:

# Let's see the actual main function execution
sed -n '1700,1800p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2179

Escape array items before emitting quoted lists.

Line 538–540 wraps items in single quotes without escaping. While schema validation currently restricts cpt_supports to safe enum values (e.g., "title", "editor"), defensive escaping is good practice for any potential future schema changes or other array fields. The proposed fix is correct:

Proposed fix 
-		if (Array.isArray(value)) {
-			return value.map(item => `'${item}'`).join(', ');
-		}
+		if (Array.isArray(value)) {
+			return value
+				.map((item) => {
+					const escaped = String(item)
+						.replace(/\\/g, '\\\\')
+						.replace(/'/g, "\\'");
+					return `'${escaped}'`;
+				})
+				.join(', ');
+		}
🤖 Prompt for AI Agents 
In `@scripts/generate-plugin.js` around lines 532 - 541, The array-item quoting in
the result.replace callback (inside the Array.isArray(value) branch) currently
wraps items in single quotes without escaping; update that branch to first
convert each item to a string and escape backslashes and single quotes (e.g.,
replace \ with \\ and ' with \') before surrounding with single quotes so
emitted PHP string literals are safe; locate the replace callback that
references config[varName] and modify the Array.isArray(value) map
transformation to perform this escaping for each item.

scripts/generate-plugin.js
Comment on lines +932 to +1018
// After copying, the {{cpt_slug}} template will have been replaced with the FIRST post type's slug
// We need to find that block and duplicate it for remaining post types
const firstPostType = config.post_types[0];
if (!firstPostType) return;

// Look for blocks that match the first post type slug pattern (e.g., "cpd_article-collection")
const entries = fs.readdirSync(blocksDir, { withFileTypes: true });
const firstCPTBlocks = entries.filter(
(entry) => entry.isDirectory() && entry.name.startsWith(`${firstPostType.slug}-`)
);

if (firstCPTBlocks.length === 0) {
log('INFO', 'No per-CPT block templates found (expected blocks starting with first CPT slug)');
return;
}

log('INFO', `Found ${firstCPTBlocks.length} per-CPT block template(s) for first post type`, {
templates: firstCPTBlocks.map(t => t.name),
firstPostType: firstPostType.slug
});

// For each block template from the first post type
firstCPTBlocks.forEach((templateBlock) => {
const templatePath = path.join(blocksDir, templateBlock.name);

// Extract the block type suffix (e.g., "collection" from "cpd_article-collection")
const blockSuffix = templateBlock.name.replace(`${firstPostType.slug}-`, '');

// Generate a block for each REMAINING post type (skip first one as it already exists)
config.post_types.slice(1).forEach((postType, index) => {
// Create block-specific config with CPT variables
const blockConfig = {
...config,
cpt_slug: postType.slug,
cpt_name: postType.singular, // Display name for the post type
block_slug: postType.slug.replace(/_/g, '-'), // Dasherized version for block names
cpt_singular: postType.singular,
cpt_plural: postType.plural,
cpt_menu_icon: postType.menu_icon,
cpt_supports: postType.supports,
// Add indexed variables for multi-CPT support
[`cpt${index + 2}_slug`]: postType.slug, // +2 because we skipped first
[`cpt${index + 2}_singular`]: postType.singular,
[`cpt${index + 2}_plural`]: postType.plural,
};

// Create the block directory name for this post type
const blockDirName = `${postType.slug}-${blockSuffix}`;
const blockPath = path.join(blocksDir, blockDirName);

// Create the block directory
if (!fs.existsSync(blockPath)) {
fs.mkdirSync(blockPath, { recursive: true });
}

// Copy all files from template to new block directory
const templateFiles = fs.readdirSync(templatePath, { withFileTypes: true });
templateFiles.forEach((file) => {
const srcPath = path.join(templatePath, file.name);
const destName = replaceMustacheVars(file.name, blockConfig);
const destPath = path.join(blockPath, destName);

if (file.isDirectory()) {
// Recursively copy subdirectories
if (!fs.existsSync(destPath)) {
fs.mkdirSync(destPath, { recursive: true });
}
copyDirWithReplacement(srcPath, destPath, blockConfig, []);
} else {
// Copy and process file - replace first post type slug with current post type
let content = fs.readFileSync(srcPath, 'utf8');

// Create dasherized versions for block names
const firstCPTDasherized = firstPostType.slug.replace(/_/g, '-');
const currentCPTDasherized = postType.slug.replace(/_/g, '-');

// Create snake_case versions for function names
const firstCPTSnakeCase = firstPostType.slug.replace(/-/g, '_');
const currentCPTSnakeCase = postType.slug.replace(/-/g, '_');

// Replace the first post type's slug with the current post type's slug
// Handle both underscore version (for variables) and dash version (for block names)
content = content.replace(new RegExp(firstCPTDasherized, 'g'), currentCPTDasherized);
content = content.replace(new RegExp(firstCPTSnakeCase, 'g'), currentCPTSnakeCase);
content = content.replace(new RegExp(firstPostType.slug, 'g'), postType.slug);
content = content.replace(new RegExp(firstPostType.singular, 'g'), postType.singular);
content = content.replace(new RegExp(firstPostType.plural, 'g'), postType.plural);
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the specific lines mentioned in the review
cd scripts && sed -n '932,1018p' generate-plugin.js | head -100

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 4137

🏁 Script executed:

# Let's see the full file context around those lines
wc -l scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 109

🏁 Script executed:

# Get the full function and surrounding context
sed -n '900,1100p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 7258

🏁 Script executed:

# Let's find where post_types is populated and validated
grep -n "post_types" scripts/generate-plugin.js | head -30

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1405

🏁 Script executed:

# Search for where post_types validation occurs
grep -n -B5 -A5 "post_types\[0\]" scripts/generate-plugin.js | head -50

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 1118

🏁 Script executed:

# Check the full workflow - look for the validation/processing of config
grep -n "config\.post_types\|postType\.slug\|postType\.singular\|postType\.plural" scripts/generate-plugin.js | head -40

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2323

🏁 Script executed:

# Look at lines 304-390 to see how post_types are built and validated
sed -n '300,400p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 3215

🏁 Script executed:

# Check if there's any validation of slug patterns in config parsing
sed -n '100,350p' scripts/generate-plugin.js | grep -A10 -B10 "slug\|sanitize\|validate"

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 6347

🏁 Script executed:

# Look for where the input comes from and if it's sanitized
grep -n "processAnswers\|answers\|prompt\|input" scripts/generate-plugin.js | head -20

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 489

🏁 Script executed:

# Check how post_types are processed - are singular/plural sanitized?
sed -n '343,430p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2479

🏁 Script executed:

# Look for where sanitizeInput is called on post_types properties
grep -n "sanitizeInput" scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 150

🏁 Script executed:

# Check the config validation/schema to see if singular/plural are validated
fd "schema" --type f

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 673

🏁 Script executed:

# Check the config schema definition
sed -n '1,100p' scripts/validation/config-schema.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2247

🏁 Script executed:

# Look for post_types schema definition
grep -A30 "post_types" scripts/validation/config-schema.js | head -60

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Check if singular/plural are validated/sanitized in the schema or elsewhere
grep -B5 -A10 "singular\|plural" scripts/validation/config-schema.js | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Find and check the actual schema file
cat .github/schemas/plugin-config.schema.json | grep -A20 '"post_types"' | head -80

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 2576

🏁 Script executed:

# Check the schema file structure for post_types validation
python3 << 'EOF'
import json
with open('.github/schemas/plugin-config.schema.json', 'r') as f:
    schema = json.load(f)
    if 'properties' in schema and 'post_types' in schema['properties']:
        pt = schema['properties']['post_types']
        print("post_types schema:")
        print(json.dumps(pt, indent=2))
        if 'items' in pt:
            print("\n\npost_types.items schema:")
            print(json.dumps(pt['items'], indent=2))
EOF

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 21373

🏁 Script executed:

# Now let's see what happens when the regex uses a pattern with regex metacharacters
# Test: what if a post type slug contains regex special chars?
node << 'EOF'
// Simulate the vulnerable code
const firstPostType = { slug: 'test[article]' };
const postType = { slug: 'new[content]' };

// This is what the current code does (vulnerable)
try {
  const pattern = new RegExp(firstPostType.slug, 'g');
  console.log("Created RegExp from:", firstPostType.slug);
  console.log("Pattern:", pattern);
  let content = "test[article]-collection block";
  const result = content.replace(pattern, postType.slug);
  console.log("Result:", result);
} catch (e) {
  console.log("ERROR:", e.message);
}
EOF

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 177

🏁 Script executed:

# Test what happens with regex metacharacters in singular/plural
node << 'EOF'
// Test the vulnerability with singular/plural containing regex metacharacters

// Example 1: singular with parentheses
const singular1 = 'Tour (Basic)';
try {
  const pattern1 = new RegExp(singular1, 'g');
  console.log("Test 1 - singular with parentheses:");
  console.log("  Pattern:", singular1);
  console.log("  Created RegExp:", pattern1);
  let content = 'Tour (Basic) package Tour (Basic Plus)';
  const result = content.replace(pattern1, 'Event');
  console.log("  Content:", content);
  console.log("  Result:", result);
} catch (e) {
  console.log("  ERROR:", e.message);
}

// Example 2: singular with dot
console.log("\nTest 2 - singular with dot:");
const singular2 = 'Tour.';
try {
  const pattern2 = new RegExp(singular2, 'g');
  console.log("  Pattern:", singular2);
  console.log("  Created RegExp:", pattern2);
  let content = 'Tour. is the best Tour-';
  const result = content.replace(pattern2, 'Event');
  console.log("  Content:", content);
  console.log("  Result:", result);
} catch (e) {
  console.log("  ERROR:", e.message);
}

// Example 3: singular with asterisk
console.log("\nTest 3 - singular with asterisk (invalid regex):");
const singular3 = 'Tour*';
try {
  const pattern3 = new RegExp(singular3, 'g');
  console.log("  Pattern:", singular3);
  console.log("  Created RegExp:", pattern3);
} catch (e) {
  console.log("  ERROR:", e.message);
}

// Example 4: Properly escaped version
console.log("\nTest 4 - with escaping:");
const escapeRegExp = (str) => String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const singular4 = 'Tour (Basic)';
const pattern4 = new RegExp(escapeRegExp(singular4), 'g');
console.log("  Original:", singular4);
console.log("  Escaped:", escapeRegExp(singular4));
let content4 = 'Tour (Basic) package Tour (Basic Plus)';
const result4 = content4.replace(pattern4, 'Event');
console.log("  Content:", content4);
console.log("  Result:", result4);
EOF

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 674

🏁 Script executed:

# Check if singular/plural are sanitized anywhere in the input processing
grep -n "sanitizeInput.*singular\|sanitizeInput.*plural" scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 60

🏁 Script executed:

# Verify the exact lines where the vulnerability exists in the current code
sed -n '1014,1018p' scripts/generate-plugin.js

Repository: lightspeedwp/block-plugin-scaffold

Length of output: 521

Escape regex metacharacters before building RegExp patterns.

Lines 1014–1018 build RegExp instances from user-provided singular and plural strings which are not validated for regex metacharacters. Although slug is restricted by schema validation to ^[a-z][a-z0-9_]{0,18}[a-z0-9]$, singular and plural fields accept any characters up to 50 chars with no pattern validation. Special regex characters like ., *, +, ?, ^, $, {, }, (, ), [, ], \, and | will be interpreted as regex operators, causing incorrect replacements or failed matches.

For example, a post type with singular name "Tour (2024)" will create a capturing group in the regex pattern instead of matching the literal string, resulting in the replacement failing silently. A dot character like "Tour." will match any character (not just dots), causing unintended matches.

Proposed fix 
 function generatePerCPTBlocks(outputDir, config) {
+	const escapeRegExp = (str) =>
+		String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 	if (!config.post_types || config.post_types.length === 0) {
 		log('INFO', 'No post types defined, skipping per-CPT block generation');
 		return;
 	}

 	const blocksDir = path.join(outputDir, 'src', 'blocks');
@@ -1013,11 +1015,26 @@ function generatePerCPTBlocks(outputDir, config) {
 					// Replace the first post type's slug with the current post type's slug
 					// Handle both underscore version (for variables) and dash version (for block names)
-					content = content.replace(new RegExp(firstCPTDasherized, 'g'), currentCPTDasherized);
-					content = content.replace(new RegExp(firstCPTSnakeCase, 'g'), currentCPTSnakeCase);
-					content = content.replace(new RegExp(firstPostType.slug, 'g'), postType.slug);
-					content = content.replace(new RegExp(firstPostType.singular, 'g'), postType.singular);
-					content = content.replace(new RegExp(firstPostType.plural, 'g'), postType.plural);
+					content = content.replace(
+						new RegExp(escapeRegExp(firstCPTDasherized), 'g'),
+						currentCPTDasherized
+					);
+					content = content.replace(
+						new RegExp(escapeRegExp(firstCPTSnakeCase), 'g'),
+						currentCPTSnakeCase
+					);
+					content = content.replace(
+						new RegExp(escapeRegExp(firstPostType.slug), 'g'),
+						postType.slug
+					);
+					content = content.replace(
+						new RegExp(escapeRegExp(firstPostType.singular), 'g'),
+						postType.singular
+					);
+					content = content.replace(
+						new RegExp(escapeRegExp(firstPostType.plural), 'g'),
+						postType.plural
+					);
🤖 Prompt for AI Agents 
In `@scripts/generate-plugin.js` around lines 932 - 1018, The replacement code in
generate-plugin.js builds RegExp from user-provided strings
(firstPostType.singular, firstPostType.plural, firstPostType.slug, and the
dasherized/snake variants) without escaping regex metacharacters; add an escape
helper (e.g., escapeRegExp) near the file-level functions used by this block and
use it to wrap each pattern before constructing RegExp instances in the loop
that processes template files (the block using templateFiles.forEach and the
variables firstCPTDasherized, firstCPTSnakeCase, firstPostType.slug,
firstPostType.singular, firstPostType.plural); replace new RegExp(X, 'g') with
new RegExp(escapeRegExp(X), 'g') so literal strings are matched safely.

src/blocks/{{block_slug}}-field-display/index.js
Comment on lines +79 to +100
const [meta] = useEntityProp('postType', postType, 'meta', postId);
const fieldValue = meta?.[fieldKey] || fallbackText || __('(No value set)', '{{textdomain}}');

// Format display value with prefix.
const displayValue = () => {
let display = '';

if (prefix) {
const prefixText = prefix.trim();
const needsSpace = !/[\s\p{P}]$/u.test(prefixText);
const formattedPrefix = prefixText + (needsSpace ? ' ' : '');

if (prefixBold) {
display = <><strong>{formattedPrefix}</strong>{fieldValue}</>;
} else {
display = <>{formattedPrefix}{fieldValue}</>;
}
} else {
display = fieldValue;
}

return display;
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Normalise non-string meta values before rendering.

Arrays and objects from meta[fieldKey] can render poorly (or throw) in React; normalise them to a string for a stable editor preview.

🛠️ Suggested change 
-	const [meta] = useEntityProp('postType', postType, 'meta', postId);
-	const fieldValue = meta?.[fieldKey] || fallbackText || __('(No value set)', '{{textdomain}}');
+	const [meta] = useEntityProp('postType', postType, 'meta', postId);
+	const rawValue = meta?.[fieldKey];
+	const normalisedValue = Array.isArray(rawValue)
+		? rawValue.filter(Boolean).join(', ')
+		: (rawValue && typeof rawValue === 'object')
+			? ''
+			: rawValue;
+	const fieldValue = normalisedValue || fallbackText || __('(No value set)', '{{textdomain}}');
🤖 Prompt for AI Agents 
In `@src/blocks/`{{block_slug}}-field-display/index.js around lines 79 - 100,
meta[fieldKey] may be an object/array and is used directly in rendering (via
fieldValue and displayValue), which can break React—coerce/normalize non-string
values to a string when computing fieldValue: read meta?.[fieldKey], if it's
null/undefined use fallbackText/(No value set), if it's a string use it,
otherwise convert objects/arrays/other types to a stable string (e.g.
JSON.stringify or String()) before using in displayValue; keep prefix/prefixBold
logic unchanged so displayValue renders only string content.

src/blocks/icons/source-icons/README.md
Comment on lines +7 to +11
```
source-icons/
├── outline/ # 23 outline-style icons
└── solid/ # 26 solid-style icons
```
Copy link

@coderabbitai coderabbitai bot Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Add a language identifier to the structure code fence.

Markdownlint flags the structure block as missing a language; please add a language hint (e.g., text) for consistency and tooling support.

✍️ Suggested change 
-```
+```text
 source-icons/
 ├── outline/    # 23 outline-style icons
 └── solid/      # 26 solid-style icons

</details>

As per coding guidelines: "Prefer fenced code blocks with language hints; avoid inline HTML unless necessary."

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion
🧰 Tools
🪛 markdownlint-cli2 (0.20.0)

[warning] 7-7: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents 
In `@src/blocks/icons/source-icons/README.md` around lines 7 - 11, The fenced code
block showing the directory tree for "source-icons/" is missing a language
identifier; update the triple-backtick fence that wraps the lines beginning with
"source-icons/" to include a language hint (for example, change ``` to ```text)
so the block becomes ```text ... ``` to satisfy markdownlint and tooling
expectations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@krugazul