chore: update configuration files for consistency and clarity; adjust .editorconfig, .gitattributes, .gitignore, .styleci.yml, and README.md.

[terabytesoftw]

Pull Request

• Breaking change (fix or feature that would cause existing functionality to change)
• Bugfix (non-breaking change that fixes an issue)
• CI/build configuration
• Documentation update
• New feature (non-breaking change that adds functionality)
• Refactoring (no functional changes)

[coderabbitai]

Warning

Rate limit exceeded

@terabytesoftw has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 3 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ce3c0c95-e8f9-4792-b926-7c96b855ffd5

📥 Commits

Reviewing files that changed from the base of the PR and between 52742c0 and f243d79.

📒 Files selected for processing (2)

• README.md
• scaffold-lock.json

📝 Walkthrough

Walkthrough

The PR implements a scaffolding system for distributing ECS and Rector configuration files through yii2-extensions/scaffold. A new scaffold.json defines how config files are copied and preserved, while scaffold-lock.json locks metadata. Project configuration and tooling files are updated to support this system.

Changes

Scaffolding System Implementation

Layer / File(s)	Summary
Scaffold Configuration scaffold.json, scaffold-lock.json	New files define scaffold behavior: src/config/ecs.php and src/config/rector.php are copied to project root with "preserve" mode; lock file pins file hashes and source metadata from php-forge/baseline provider.
Composer Dependencies composer.json	Adds php-forge/baseline and yii2-extensions/scaffold as dev-main dependencies; replaces prior copy/modes config with manifest: "scaffold.json", auto: false, and restricted allowed-packages; enables scaffold plugin.
Dotfile and Tool Configuration .editorconfig, .gitattributes, .gitignore, .styleci.yml, .ecrc, .prettierignore, .github/linters/*	Multiple configuration files updated: EditorConfig adds indent rules for SCSS/CSS/JSON; gitattributes expands export-ignore patterns; gitignore adds AI-agent and scaffold-lock entries with exception for tracked lockfile; StyleCI upgraded to 8.3; various linters configured to exclude scaffold artifacts; gitleaks allowlist syntax updated.
Documentation & Changelog README.md, CHANGELOG.md, docs/installation.md	README adds PHP 8.3+ system requirements and revised installation steps for php-forge/coding-standard:^0.3; rewrites scaffold distribution section with auto: false and reapply instructions; removes installation guide document. CHANGELOG documents breaking change that ECS/Rector wrappers are now scaffold-managed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• php-forge/coding-standard#1: Complements this PR by providing the actual ECS/Rector configuration source files (config/ecs.php, config/rector.php) that are scaffolded into consumer projects.

Poem

🐰 A scaffold now guides our configs with care,
ECS and Rector distributed fair,
From baseline metadata, locked in place,
Wrapper files flutter—preserved with grace!
No hand-edits needed, the system flows true, ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description is a checklist template with only the 'Bugfix' option checked, but provides no meaningful explanation of what was actually changed or why.	Add a substantive description explaining the purpose and scope of the configuration updates beyond the checklist template.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: configuration file updates for consistency and clarity, with specific files listed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix_mini_3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.gitattributes:
- Around line 27-29: Remove the redundant export-ignore entries: since
'/.github' is already listed, delete the individual '/.github/dependabot.yml'
and '/.github/workflows' lines so only '/.github                       
export-ignore' remains; update the .gitattributes to keep just the
directory-level entry ('/.github') and remove the two child-path entries
('/.github/dependabot.yml' and '/.github/workflows').

In @.gitignore:
- Line 62: The .gitignore currently contains a self-reference entry ".gitignore"
which should be removed; open the .gitignore file and delete the line that lists
".gitignore" so the repository and scaffolded copies won't be inadvertently
ignored (release exclusion is already handled by .gitattributes export-ignore),
leaving other ignore rules intact.
- Around line 5-6: The negation rule "!src/assets/package-lock.json" is
currently before the broader "package-lock.json" ignore rule so it gets
overridden; move the "!src/assets/package-lock.json" entry so it appears
immediately after the general "package-lock.json" pattern (i.e., place the
negation below the "package-lock.json" rule) so Git will un-ignore
src/assets/package-lock.json as intended.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7c858d50-6289-4b5f-a28a-1f220297b684

📥 Commits

Reviewing files that changed from the base of the PR and between 7110f8f and d671738.

📒 Files selected for processing (7)

• .editorconfig
• .gitattributes
• .github/linters/.codespellrc
• .gitignore
• .styleci.yml
• README.md
• composer.json

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: linter / Super Linter
• GitHub Check: easy-coding-standard / PHP 8.5-ubuntu-latest
• GitHub Check: linter / Super Linter

🔇 Additional comments (6)

.github/linters/.codespellrc (1)

2-2: Skip list expansion looks good.

This change appropriately reduces codespell noise from generated and third-party directories while preserving source-focused linting.

README.md (1)

215-215: LGTM! Semantic improvement.

The emoji change from 📚 (books) to 📥 (download/inbox tray) better represents the action-oriented nature of an installation guide. The new icon more clearly conveys "getting" or "installing" rather than just "reading documentation."

.styleci.yml (2)

4-4: version: 8.3 is valid but not the current StyleCI default.

7.4, 8.0, 8.1, 8.2, 8.3, and 8.4 are all allowed values for the StyleCI version field, so 8.3 is accepted. However, PHP version 8.4 is the current default version. If the intent is to target PHP 8.3 (matching composer.json's "php": ">=8.3"), this is intentional and fine.

---

4-4: StyleCI version: 8.3 is a valid configuration value and supported by StyleCI.

.editorconfig (1)

16-27: LGTM!

The new *.scss, *.css, package.json, and package-lock.json sections are consistent with the existing *.js, *.md, *.yaml, and *.yml overrides.

composer.json (1)

46-46: LGTM!

Using "append" mode for .editorconfig is consistent with the treatment of .gitignore and makes sense given the newly added per-glob sections that downstream consumers may want to extend.

[terabytesoftw]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc5e9c1d22

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[terabytesoftw]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 950bd097a0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/linters/.gitleaks.toml (1)

3-7: ⚠️ Potential issue | 🔴 Critical

Change [allowlist] to [[allowlists]] to use current Gitleaks syntax.

Gitleaks v8.25.0+ deprecated the [allowlist] syntax in favor of [[allowlists]]. Using the old singular-table form will cause the allowlist to be ignored, potentially triggering false positives in secret detection.

Change required:

- [allowlist]
+ [[allowlists]]
  description = "Allow test fixture data with dummy credentials"
  paths = [
      '''tests/support/data/.*\.php''',
  ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/linters/.gitleaks.toml around lines 3 - 7, Replace the deprecated
single-table header [allowlist] with the current multi-table header
[[allowlists]] so Gitleaks v8.25.0+ recognizes the rule; keep the existing keys
(description and paths array) under the new [[allowlists]] block (the same
entries shown for description and paths/'''tests/support/data/.*\.php''') so the
allowlist continues to work and avoid false positives.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 179-180: Fix the run-on sentence in the README by inserting
appropriate punctuation between "independent" and "adopt" in the sentence "The
two packages are independent adopt either, both, or neither."; update it to
either "The two packages are independent; adopt either, both, or neither." or
"The two packages are independent—adopt either, both, or neither." to correct
the grammar and improve readability.

---

Outside diff comments:
In @.github/linters/.gitleaks.toml:
- Around line 3-7: Replace the deprecated single-table header [allowlist] with
the current multi-table header [[allowlists]] so Gitleaks v8.25.0+ recognizes
the rule; keep the existing keys (description and paths array) under the new
[[allowlists]] block (the same entries shown for description and
paths/'''tests/support/data/.*\.php''') so the allowlist continues to work and
avoid false positives.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 89ccf589-ce64-4474-b4eb-212976c9892c

📥 Commits

Reviewing files that changed from the base of the PR and between d671738 and 52742c0.

📒 Files selected for processing (14)

• .ecrc
• .gitattributes
• .github/linters/.editorconfig-checker.json
• .github/linters/.gitleaks.toml
• .gitignore
• .prettierignore
• CHANGELOG.md
• README.md
• composer.json
• docs/installation.md
• scaffold-lock.json
• scaffold.json
• src/config/ecs.php
• src/config/rector.php

💤 Files with no reviewable changes (1)

• docs/installation.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: linter / Super Linter
• GitHub Check: easy-coding-standard / PHP 8.5-ubuntu-latest
• GitHub Check: easy-coding-standard / PHP 8.5-ubuntu-latest
• GitHub Check: linter / Super Linter

🔇 Additional comments (9)

.gitignore (1)

30-31: package-lock.json exception ordering is now correct.

The unignore rule placement on Line 31 correctly overrides the broader ignore on Line 30.

.prettierignore (1)

20-21: Good exclusion for generated scaffold lockfile.

Ignoring scaffold-lock.json here is consistent with the “generated, not hand-edited” model.

.github/linters/.editorconfig-checker.json (1)

1-11: New editorconfig-checker exclusions look consistent.

This config aligns with existing generated/runtime/minified exclusions and should reduce false positives in CI.

scaffold.json (1)

2-9: Scaffold manifest is clear and internally consistent.

copy sources/destinations and preserve modes are aligned for both wrapper files.

.gitattributes (1)

25-39: Archive exclusion updates are coherent.

The expanded export-ignore list is consistent with the scaffold/config-only files being repository tooling artifacts rather than release payload.

composer.json (1)

13-23: ⚡ Quick win

[Rewritten review comment]
[Classification tag]

scaffold-lock.json (2)

18-18: ⚡ Quick win

The source path for .gitattributes is correct as-is.

The source path "metadata/gitattributes" matches the actual filename stored in the php-forge/baseline provider's metadata directory. No inconsistency exists; this is the correct path format for this entry.

			> Likely an incorrect or invalid review comment.

---

4-4: ⚖️ Poor tradeoff

Verify if php-forge/baseline has stable releases available.

The concern about using "dev-main" in a lockfile is valid in principle—branch references can change and affect reproducibility. However, this project explicitly declares "minimum-stability": "dev" in composer.json and uses "dev-main" for its own package alias ("dev-main": "0.3.x-dev"). Additionally, php-forge/baseline could not be verified to exist as a public repository or to have stable tagged releases. For development-focused projects with explicit dev-stability, using "dev-main" for development dependencies is acceptable. If php-forge/baseline has stable releases available, consider pinning to a tagged version; otherwise, the current approach aligns with the project's development status.

README.md (1)

18-18: ⚡ Quick win

No action needed. The PHP version requirement is correctly documented. The configuration files (ecs-81.php through ecs-84.php, etc.) are reusable templates for end-user projects with different minimum PHP versions, not requirements for the package itself. The README clearly states: "Pick the version that matches the minimum PHP your project supports." The package itself requires PHP 8.3+, while it provides configurations for users whose projects target PHP 8.1+.

			> Likely an incorrect or invalid review comment.

[terabytesoftw]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f243d793e6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".