Development to Main

.github/workflows/README.md

@@ -127,6 +127,8 @@ If you're unsure whether to create a new workflow or modify `ci.yml`, ask yourse
 3. **Is this for other repos to consume?** → Create reusable workflow with `workflow_call`
 4. **Is this completely unrelated to CI?** → Maybe OK, but document why
 
+For WP Code Check's responsible disclosure and report publication policy, see `../../DISCLOSURE-POLICY.md`.
+
 ## History
 
 - **2025-12-31**: Consolidated 3 workflows into 1

.gitleaks.toml

@@ -0,0 +1,20 @@
+# Gitleaks configuration for WP Code Check
+# Excludes test fixtures containing fake secrets
+
+title = "WP Code Check - Gitleaks Configuration"
+
+# Exclude test files and fixtures from secret scanning
+[allowlist]
+description = "Allowlist for test fixtures with fake secrets"
+paths = [
+  '''dist/tests/.*''',
+  '''dist/tests/fixtures/.*''',
+  '''tests/.*''',
+]
+
+# Exclude specific patterns that are known to be test data
+regexes = [
+  '''sk_live_1234567890abcdef1234567890abcdef''',  # Fake Stripe key in test-js-pattern.js
+  '''ghp_1234567890abcdefghijklmnopqrstuvwxyz''',  # Fake GitHub token in test-js-pattern.js
+]
+

AGENTS.md

@@ -41,6 +41,50 @@ This project includes a **Project Templates** feature (alpha) that allows users
 
 ---
 
+### JSON to HTML Report Conversion
+
+This project includes a **standalone JSON-to-HTML converter** (`dist/bin/json-to-html.py`) that converts scan logs to beautiful HTML reports. This tool is designed for reliability and should be used when the main scanner's HTML generation stalls or fails.
+
+**When to use:**
+- The main scan completes but HTML report generation hangs or times out
+- You need to regenerate an HTML report from an existing JSON log
+- The user explicitly asks to convert a JSON log to HTML
+
+**Usage:**
+```bash
+python3 dist/bin/json-to-html.py <input.json> <output.html>
+```
+
+**Example:**
+```bash
+# Convert a specific JSON log to HTML
+python3 dist/bin/json-to-html.py dist/logs/2026-01-05-032317-UTC.json dist/reports/my-report.html
+
+# Find the latest JSON log and convert it
+latest_json=$(ls -t dist/logs/*.json | head -1)
+python3 dist/bin/json-to-html.py "$latest_json" dist/reports/latest-report.html
+```
+
+**Features:**
+- ✅ **Fast & Reliable** - Python-based, no bash subprocess issues
+- ✅ **Standalone** - Works independently of the main scanner
+- ✅ **Auto-opens** - Automatically opens the report in your browser (macOS/Linux)
+- ✅ **No Dependencies** - Uses only Python 3 standard library
+- ✅ **Detailed Output** - Shows progress and file size
+
+**Troubleshooting:**
+- If the script fails, check that Python 3 is installed: `python3 --version`
+- If the template is missing, ensure `dist/bin/templates/report-template.html` exists
+- If JSON is invalid, validate it with: `jq empty <file.json>`
+
+**Integration:**
+The main scanner (`check-performance.sh`) automatically calls this converter when using `--format json`. If you encounter issues with HTML generation during a scan, you can:
+1. Let the scan complete (JSON will be saved)
+2. Manually run the converter on the saved JSON log
+3. Report the issue so the integration can be improved
+
+---
+
 ## 🔐 Security
 
 - [ ] **Sanitize all inputs** using WordPress functions (`sanitize_text_field()`, `sanitize_email()`, `absint()`, etc.)

CONTRIBUTING.md

@@ -97,6 +97,39 @@ Expected output:
 - **Errors**: 6+ (depending on active checks)
 - **Warnings**: 4+
 
+### End-to-End Template Testing
+
+Use the keyword **"Run template [name] end to end"** to execute a complete scan and AI triage workflow with minimal human intervention.
+
+**What this does:**
+1. Loads the template configuration from `TEMPLATES/[name].txt`
+2. Executes the full performance scan (`check-performance.sh`)
+3. Generates JSON log with all findings
+4. Runs AI-assisted triage on the findings
+5. Converts JSON to HTML report with triage data embedded
+6. Opens the final report in your browser
+
+**Example:**
+```bash
+# User request: "Run template gravityforms end to end"
+# AI will execute:
+./dist/bin/run gravityforms --format json
+python3 dist/bin/ai-triage.py dist/logs/[latest].json
+python3 dist/bin/json-to-html.py dist/logs/[latest].json dist/reports/[output].html
+```
+
+**Benefits:**
+- ✅ Complete workflow in one command
+- ✅ AI triage automatically classifies findings
+- ✅ HTML report includes triage classifications and confidence levels
+- ✅ No manual JSON/HTML conversion needed
+- ✅ Ideal for testing new checks or validating fixes
+
+**Template Requirements:**
+- Template file must exist in `TEMPLATES/[name].txt`
+- Must contain `PROJECT_PATH` pointing to a valid WordPress plugin/theme directory
+- Optional: `FORMAT=json` to enable JSON output (required for triage)
+
 ---
 
 ## 📋 Commit Message Guidelines