Add LightSpeed WordPress block plugin starter repo scaffold

.agents/README.md

@@ -0,0 +1,39 @@
+# .agents
+
+This folder contains portable agent-specific assets for {{PLUGIN_NAME}}.
+These assets are designed to be reusable across different AI systems and tools.
+
+---
+
+## Structure
+
+| Folder | Purpose |
+|---|---|
+| `skills/` | Portable, reusable agent skills — focused tasks agents can perform |
+| `agents/` | Agent persona definitions — describe specialist roles agents can adopt |
+
+---
+
+## Difference between `.github/` and `.agents/`
+
+| `.github/` | `.agents/` |
+|---|---|
+| GitHub-specific (Copilot, Actions, instructions) | Portable across AI systems |
+| Workflows, prompts, reports, tasks | Skills and personas |
+| Tied to GitHub platform features | Usable in any AI tool or agent framework |
+
+---
+
+## Usage
+
+- AI agents should read `AGENTS.md` first, then consult relevant skills and personas here.
+- Skills describe *how* to perform a specific task in this repo context.
+- Agents describe *who* the AI should act as for a given type of work.
+
+---
+
+## Adding skills and agents
+
+- Add new skills as folders under `.agents/skills/`, each with a `SKILL.md` file.
+- Add new agent personas as Markdown files under `.agents/agents/`.
+- Keep skills focused — one skill, one task type.

.agents/agents/README.md

@@ -0,0 +1,27 @@
+# .agents/agents
+
+This folder contains agent persona definitions for {{PLUGIN_NAME}}.
+
+---
+
+## What is an agent persona?
+
+An agent persona describes the role, expertise, and behaviour an AI agent should adopt for a specific type of work in this repository.
+Personas are not skills — they describe *who the agent is*, not *what it does*.
+
+---
+
+## Available agents
+
+| Agent | Description |
+|---|---|
+| `plugin-architect.md` | WordPress plugin architecture specialist |
+
+---
+
+## Adding new agents
+
+1. Create a file named `{role}.md` in this folder.
+2. Describe the agent's role, expertise, and working style.
+3. Reference specific skills from `.agents/skills/` where relevant.
+4. Add it to the table in this README.

.agents/agents/plugin-architect.md

@@ -0,0 +1,50 @@
+# Agent: Plugin Architect
+
+## Role
+
+You are a senior WordPress plugin architect at LightSpeed.
+You specialise in building maintainable, secure, accessible WordPress plugins — with a strong bias toward Gutenberg block development.
+
+---
+
+## Expertise
+
+- WordPress plugin architecture and best practices
+- Gutenberg block development (`block.json`, `@wordpress/scripts`, `register_block_type`)
+- PHP coding standards (WordPress Coding Standards, escaping, sanitisation)
+- JavaScript and React for the block editor
+- Accessibility (WCAG 2.1 AA, semantic HTML, ARIA)
+- Security (output escaping, input sanitisation, nonce verification, capability checks)
+- Performance (lean asset loading, no unnecessary dependencies)
+- LightSpeed plugin and theme scaffold conventions
+- AI-assisted development workflows
+
+---
+
+## Working style
+
+- Prefer small, precise diffs over large rewrites.
+- Keep the plugin lean — do not add dependencies or infrastructure that is not needed.
+- Follow WordPress core conventions before reaching for abstraction.
+- Always escape PHP output. Always sanitise PHP input. No exceptions.
+- Use `block.json` for block registration rather than bespoke PHP registration logic.
+- Reference `AGENTS.md` before making any changes to the repo.
+- Write reports to `.github/reports/` and tasks to `.github/tasks/`.
+- Do not modify unrelated files.
+- Explain your reasoning clearly when making architectural decisions.
+
+---
+
+## Available skills
+
+- [Block Plugin Audit](../skills/block-plugin-audit/SKILL.md)
+
+---
+
+## Guiding principles
+
+1. **WordPress-first** — use stable WordPress APIs before adding abstraction.
+2. **Security by default** — escape, sanitise, validate everywhere.
+3. **Accessible** — semantic HTML, ARIA, keyboard support in every block.
+4. **Lean** — every file, dependency, and line of code should earn its place.
+5. **Documented** — leave the repo in a better state than you found it.

.agents/skills/README.md

@@ -0,0 +1,46 @@
+# .agents/skills
+
+This folder contains portable, reusable agent skills for {{PLUGIN_NAME}}.
+
+---
+
+## What is a skill?
+
+A skill is a focused, self-contained description of how an AI agent should perform a specific task in this repository.
+Skills are not personas — they describe *what to do*, not *who to be*.
+
+---
+
+## Structure
+
+Each skill lives in its own folder:
+
+```
+skills/
+└── {skill-name}/
+    └── SKILL.md
+```
+
+The `SKILL.md` file describes:
+- What the skill does
+- When to use it
+- Step-by-step instructions
+- Expected inputs and outputs
+- Quality criteria
+
+---
+
+## Available skills
+
+| Skill | Description |
+|---|---|
+| `block-plugin-audit/` | Audit a WordPress block plugin for quality, security, and accessibility |
+
+---
+
+## Adding new skills
+
+1. Create a folder under `.agents/skills/` with a descriptive name.
+2. Add a `SKILL.md` file following the structure above.
+3. Add it to the table in this README.
+4. Reference it from `AGENTS.md` if it is commonly needed.

.agents/skills/block-plugin-audit/SKILL.md

@@ -0,0 +1,87 @@
+# SKILL: Block Plugin Audit
+
+Audit a WordPress block plugin for code quality, security, and accessibility.
+
+---
+
+## When to use this skill
+
+Use this skill when:
+- Reviewing a plugin before a release.
+- Onboarding onto an existing plugin codebase.
+- Requested to produce a plugin audit report.
+- Running the `audit-plugin.prompt.md` prompt.
+
+---
+
+## Inputs
+
+- The plugin repository root directory.
+- Optional: specific files or folders to focus on.
+
+---
+
+## Steps
+
+### 1. Review plugin structure
+
+- Confirm the main plugin file exists and has a valid WordPress plugin header.
+- Confirm `defined( 'ABSPATH' )` direct access protection is present.
+- Confirm plugin constants are defined correctly.
+- Confirm includes are loaded via `plugins_loaded`.
+- Confirm the text domain matches the plugin slug.
+
+### 2. PHP security review
+
+- Scan all PHP files for unescaped output.
+- Check for unsanitised `$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE` usage.
+- Check for missing nonce verification on form submissions.
+- Check for missing capability checks before privileged operations.
+- Check for unsafe database queries (missing `$wpdb->prepare()`).
+- Flag any use of `eval()`, `exec()`, `system()`, or `shell_exec()`.
+
+### 3. Block quality review (if blocks present)
+
+- Confirm each block has a valid `block.json`.
+- Confirm blocks are registered using `register_block_type()` with `block.json`.
+- Confirm PHP render callbacks escape all dynamic output.
+- Confirm block patterns use safe escaping.
+- Confirm `block.json` files have `$schema`, `name`, `title`, `category`, and `textdomain`.
+
+### 4. Translation review
+
+- Confirm all user-facing strings use translation functions.
+- Confirm the correct text domain is used in all translation function calls.
+
+### 5. Accessibility review
+
+- Review block edit and save components for:
+  - Semantic HTML elements
+  - ARIA attributes where needed
+  - Keyboard navigation support
+  - Sufficient colour contrast (flag for manual review)
+- Review frontend-rendered output for accessibility markers.
+
+### 6. General quality
+
+- Check for unreplaced `{{PLACEHOLDER}}` tokens.
+- Check that `CHANGELOG.md` is up to date.
+- Check for unused files or stale commented-out code.
+
+---
+
+## Outputs
+
+1. Write an audit report to `.github/reports/audit-YYYY-MM-DD.md`.
+2. Create or update `.github/tasks/task-list.md` with actionable tasks from findings.
+
+---
+
+## Quality criteria
+
+A passing audit has:
+- No unescaped output in PHP files.
+- No unsanitised input used directly.
+- Valid `block.json` for every registered block.
+- No unreplaced placeholder tokens.
+- `CHANGELOG.md` reflects the current state of the plugin.

.coderabbit.yml

@@ -0,0 +1,69 @@
+version: 2
+
+# Reviews are enabled and set to a draft-aware, plugin-focused review profile.
+reviews:
+  request_changes_workflow: false
+  high_level_summary: true
+  poem: false
+  review_status: true
+  collapse_walkthrough: false
+
+# Language and tone
+language: en-US
+tone_instructions: "Be direct and professional. Focus on practical WordPress plugin quality."
+
+# Path-level review instructions
+path_instructions:
+  - path: "{{PLUGIN_SLUG}}.php"
+    instructions: |
+      Review the main plugin bootstrap file.
+      Check for: valid plugin header with all required fields, direct access protection (ABSPATH check),
+      correct version constant, safe loading of includes, no business logic in the bootstrap.
+      Confirm text domain matches the plugin slug.
+
+  - path: "inc/**/*.php"
+    instructions: |
+      Review PHP include files.
+      Check for: correct escaping (esc_html__, esc_attr__, wp_kses_post, etc.),
+      sanitisation and validation of input, translation function usage, no direct database queries without $wpdb,
+      correct use of WordPress hooks and filters.
+
+  - path: "src/**/*.js"
+    instructions: |
+      Review JavaScript source files.
+      Check for: correct use of wp.element or vanilla JS, no jQuery dependency unless justified,
+      no hardcoded strings (use wp.i18n), accessibility-aware DOM interactions.
+
+  - path: "src/**/*.css"
+    instructions: |
+      Review CSS source files.
+      Check for: no use of !important unless justified, responsive-first approach,
+      use of CSS custom properties where appropriate, accessible colour contrast considerations.
+
+  - path: "blocks/**/block.json"
+    instructions: |
+      Review block registration JSON files.
+      Check for: valid schema reference, correct category and icon, editorScript/style/viewScript paths,
+      meaningful attributes, supports declarations, correct textdomain in titles and descriptions.
+
+  - path: "patterns/*.php"
+    instructions: |
+      Review block pattern PHP files.
+      Check for: correct escaping of any dynamic output, translation function usage,
+      pattern header comments (Title, Slug, Categories), clean markup.
+
+  - path: "AGENTS.md"
+    instructions: |
+      Review the AI agent guidance document.
+      Check for: clarity, completeness, placeholder consistency, accurate command references,
+      correct folder references for prompts, reports, tasks, docs, skills, and agents.
+
+  - path: "README.md"
+    instructions: |
+      Review the root README.
+      Check for: clear quick start, accurate command table, correct placeholder references,
+      sensible repo map, correct folder descriptions.
+
+# What CodeRabbit should focus on for this repo
+chat:
+  auto_reply: true

.editorconfig

@@ -0,0 +1,29 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.php]
+indent_style = tab
+indent_size = 4
+
+[*.{js,mjs,cjs,ts,jsx,tsx}]
+indent_style = space
+indent_size = 2
+
+[*.{css,scss}]
+indent_style = space
+indent_size = 2
+
+[*.{json,yml,yaml}]
+indent_style = space
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab

.gitattributes

@@ -0,0 +1,37 @@
+# Normalise line endings to LF on checkout
+* text=auto eol=lf
+
+# Binary files — do not modify
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.svg binary
+*.woff binary
+*.woff2 binary
+*.ttf binary
+*.eot binary
+*.zip binary
+
+# Export-ignore — exclude from dist archives
+.git export-ignore
+.gitattributes export-ignore
+.gitignore export-ignore
+.editorconfig export-ignore
+.nvmrc export-ignore
+.coderabbit.yml export-ignore
+.lintstagedrc.json export-ignore
+node_modules/ export-ignore
+vendor/ export-ignore
+src/ export-ignore
+.github/ export-ignore
+.agents/ export-ignore
+package.json export-ignore
+package-lock.json export-ignore
+composer.json export-ignore
+composer.lock export-ignore
+plugin-utils.mjs export-ignore
+AGENTS.md export-ignore
+CLAUDE.md export-ignore
+CODEOWNERS export-ignore