fix: resolve ShellCheck violations in shell scripts (#91)

- SC2155 (bin/localwp-setup.sh): declare local variables separately from
  command substitution assignments to avoid masking return values (13 fixes)
- SC2034 (bin/localwp-setup.sh): remove unused PLUGIN_TEXT_DOMAIN variable
- SC2162 (bin/localwp-setup.sh): add -r flag to read to avoid backslash mangling
- SC2154 (bin/setup-test-env.sh): add shellcheck disable for PHP variables in
  heredoc that ShellCheck incorrectly identifies as unassigned shell variables
- bin/setup-test-env.sh: remove self-modifying chmod +x $0 (unnecessary and
  bad practice; file permissions should be set once in version control)
- bin/setup-test-env.sh: change == to = in POSIX [ ] test expressions
- build.sh: add ./ prefix to directory glob copies for clarity
- build.sh: use subshell (cd build || exit 1; zip ...) instead of bare cd/cd..
  to avoid SC2103 and ensure working directory is always restored

Fixes part of #20 (shell script quality issues)

.agents/error-checking-feedback-loops.md

@@ -77,7 +77,7 @@ uses: actions/upload-artifact@v4
 
 **Solution**: Use port 80 for multisite environments:
 
-```yaml
+```bash
 npx @wp-playground/cli server --blueprint playground/multisite-blueprint.json --port 80 --login &
 ```
 
@@ -142,7 +142,7 @@ npm run test:playground:multisite
 2. **Analyze Output for Errors**:
 
    ```bash
-   cat test-output.log | grep -i 'error\|fail\|exception'
+   grep -i 'error\|fail\|exception' test-output.log
    ```
 
 3. **Parse Structured Test Results** (if available):
@@ -221,7 +221,7 @@ npm run lint:css
 2. **Analyze Output for Errors**:
 
    ```bash
-   cat phpcs-output.log | grep -i 'ERROR\|WARNING'
+   grep -i 'ERROR\|WARNING' phpcs-output.log
    ```
 
 3. **Automatically Fix Issues** (when possible):

.eslintrc.js

@@ -16,7 +16,7 @@ module.exports = {
     sourceType: 'module'
   },
   rules: {
-    'comma-dangle': ['error', 'never'],
+    'comma-dangle': ['error', 'always-multiline'],
     'no-console': 'warn',
     'no-unused-vars': 'warn'
   },

.github/workflows/code-quality.yml

@@ -20,7 +20,7 @@ jobs:
           clean: 'true'
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '8.1'
           extensions: mbstring, intl, zip
@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '8.1'
           extensions: mbstring, intl, zip
@@ -68,7 +68,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '8.1'
           extensions: mbstring, intl, zip
@@ -119,7 +119,7 @@ jobs:
   #
   #     - name: SonarCloud Scan
   #       if: steps.check_sonar_token.outputs.skip != 'true'
-  #       uses: SonarSource/sonarqube-scan-action@master
+  #       uses: SonarSource/sonarqube-scan-action@9598b8a83feef37de07f549027fab50ecffe6a6e # master
   #       env:
   #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   #         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -143,10 +143,8 @@ jobs:
 
       - name: Check if Codacy token is set
         id: check_codacy_token
-        env:
-          CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
         run: |
-          if [ -z "$CODACY_PROJECT_TOKEN" ]; then
+          if [ -z "${{ secrets.CODACY_PROJECT_TOKEN }}" ]; then
             echo "CODACY_PROJECT_TOKEN is not set, running Codacy without upload"
             echo "skip_upload=true" >> $GITHUB_OUTPUT
           else
@@ -154,7 +152,7 @@ jobs:
           fi
 
       - name: Run Codacy Analysis CLI
-        uses: codacy/codacy-analysis-cli-action@v4
+        uses: codacy/codacy-analysis-cli-action@562ee3e92b8e92df8b67e0a5ff8aa8e261919c08 # v4
         with:
           project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
           verbose: true
@@ -169,7 +167,7 @@ jobs:
 
       - name: Upload SARIF results file
         if: steps.check_codacy_token.outputs.skip_upload != 'true'
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@603b797f8b14b413fe025cd935a91c16c4782713 # v3
         with:
           sarif_file: results.sarif
         continue-on-error: true

.github/workflows/phpunit.yml

@@ -42,7 +42,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: ${{ matrix.php }}
           extensions: dom, curl, libxml, mbstring, zip, pdo, mysql, pdo_mysql, bcmath, soap, intl, gd, exif, iconv

.github/workflows/playground-tests-fix.yml

@@ -36,7 +36,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: '20'
         cache: 'npm'
@@ -98,7 +98,7 @@ jobs:
 
     - name: Upload Cypress artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: cypress-playground-results
         path: |

.github/workflows/playground-tests.yml

@@ -40,7 +40,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: ${{ matrix.node-version }}
         cache: 'npm'
@@ -67,7 +67,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: '20'
         cache: 'npm'
@@ -142,7 +142,7 @@ jobs:
 
     - name: Upload Cypress artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: cypress-single-site-results
         path: |
@@ -163,7 +163,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: '20'
         cache: 'npm'
@@ -239,7 +239,7 @@ jobs:
 
     - name: Upload Cypress artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: cypress-multisite-results
         path: |
@@ -261,7 +261,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: WordPress Performance Tests
-      uses: swissspidy/wp-performance-action@v2.0.3
+      uses: swissspidy/wp-performance-action@b7e3ffcf0fc4a48b62492e021e0ebeb51430ff11 # v2.0.3
       with:
         plugins: |
           ./

.github/workflows/release.yml

@@ -14,10 +14,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '7.4'
           extensions: mbstring, intl, zip
@@ -62,7 +62,7 @@ jobs:
 
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           files: wp-plugin-starter-template-for-ai-coding-${{ env.VERSION }}.zip
           name: v${{ env.VERSION }} - WordPress Plugin Starter Template

.github/workflows/sonarcloud.yml

@@ -39,10 +39,8 @@ jobs:
 
       - name: Check if SonarCloud token is set
         id: check_token
-        env:
-          SONARCLOUD_GITHUB: ${{ secrets.SONARCLOUD_GITHUB }}
         run: |
-          if [ -z "$SONARCLOUD_GITHUB" ]; then
+          if [ -z "${{ secrets.SONARCLOUD_GITHUB }}" ]; then
             echo "SONARCLOUD_GITHUB is not set, skipping SonarCloud analysis"
             echo "skip=true" >> $GITHUB_OUTPUT
           else
@@ -51,7 +49,7 @@ jobs:
 
       - name: SonarCloud Scan
         if: steps.check_token.outputs.skip != 'true'
-        uses: SonarSource/sonarqube-scan-action@master
+        uses: SonarSource/sonarqube-scan-action@9598b8a83feef37de07f549027fab50ecffe6a6e # master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONARCLOUD_GITHUB }}

.github/workflows/sync-wiki.yml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Configure Git
         run: |
@@ -27,10 +27,6 @@ jobs:
           git clone https://github.com/${{ github.repository }}.wiki.git wiki
 
       - name: Sync wiki content
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_ACTOR: ${{ github.actor }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           # Remove all files from wiki repository except .git
           find wiki -mindepth 1 -maxdepth 1 -not -name '.git' -exec rm -rf {} \;
@@ -54,4 +50,4 @@ jobs:
           git commit -m "Sync wiki from source repository"
 
           # Push changes
-          git push https://$GITHUB_ACTOR:$GITHUB_TOKEN@github.com/$GITHUB_REPOSITORY.wiki.git
+          git push https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.wiki.git

.github/workflows/tests.yml

@@ -17,12 +17,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           clean: 'true'
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: ${{ matrix.php-versions }}
           extensions: mbstring, intl, zip
@@ -43,12 +43,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           clean: 'true'
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '7.4'
           extensions: mbstring, intl, zip

.github/workflows/wordpress-tests.yml

@@ -37,7 +37,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: ${{ matrix.node-version }}
         cache: 'npm'
@@ -73,7 +73,7 @@ jobs:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Setup Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: '20'
         cache: 'npm'
@@ -124,7 +124,7 @@ jobs:
 
     - name: Upload Cypress artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: cypress-results
         path: |

.wiki/Playground-Testing.md

@@ -102,7 +102,7 @@ In a WordPress multisite environment, there are two ways to activate plugins:
 1. **Network Activation**: Activates a plugin for all sites in the network
    * In the WordPress admin, go to Network Admin > Plugins
    * Click "Network Activate" under the plugin
-   * Or use WP-CLI: `wp plugin activate plugin-name --network`
+   * Or use WP-CLI: `wp plugin activate plugin-name --network` (for installed plugins), or `wp plugin install plugin-name --activate-network` (to install and activate)
 
 2. **Per-Site Activation**: Activates a plugin for a specific site
    * In the WordPress admin, go to the specific site's admin area

admin/css/admin-styles.css

@@ -124,6 +124,8 @@
 }
 
 /* Responsive Styles */
+
+/* 782px is the WordPress mobile admin breakpoint. */
 @media screen and (max-width: 782px) {
     .wpst-form-table th {
         width: 100%;

admin/js/admin-scripts.js

@@ -78,7 +78,7 @@
           data: {
             action: 'wpst_save_settings',
             nonce: wpstData.nonce,
-            formData: formData
+            formData: formData,
           },
           success: function (response) {
             if (response.success) {
@@ -93,8 +93,8 @@
           complete: function () {
             // Re-enable submit button and remove loading state.
             $submitButton.prop( 'disabled', false ).removeClass( 'loading' );
-          }
+          },
-        }
+        },
       );
     },
 
@@ -123,19 +123,19 @@
             300,
             function () {
               $( this ).remove();
-            }
+            },
           );
         },
-        5000
+        5000,
       );
-    }
+    },
   };
 
   // Initialize when document is ready.
   $( document ).ready(
     function () {
       WPSTAdmin.init();
-    }
+    },
   );
 
 })( jQuery );

admin/js/update-source-selector.js

@@ -48,7 +48,7 @@
           if ($( e.target ).hasClass( 'wpst-modal' )) {
             WPSTUpdateSourceSelector.closeModal();
           }
-        }
+        },
       );
 
       // Select source option.
@@ -116,7 +116,7 @@
           data: {
             action: 'wpst_set_update_source', // AJAX action hook.
             nonce: wpstModalData.nonce, // Security nonce.
-            source: this.selectedSource
+            source: this.selectedSource,
           },
           success: function (response) {
             if (response.success) {
@@ -127,7 +127,7 @@
                 function () {
                   WPSTUpdateSourceSelector.closeModal();
                 },
-                1500
+                1500,
               );
             } else {
               WPSTUpdateSourceSelector.showMessage( 'error', response.data.message );
@@ -139,8 +139,8 @@
           complete: function () {
             // Reset button state.
             $saveButton.prop( 'disabled', false ).text( wpstModalData.i18n.confirm );
-          }
+          },
-        }
+        },
       );
     },
 
@@ -153,26 +153,30 @@
     showMessage: function (type, message) {
       const $message = this.$modal.find( '.wpst-modal-message' );
 
-      // Set message as plain text to prevent XSS, then apply type class.
+      // Validate type against allow-list to prevent class injection vulnerabilities.
-      $message.text( message ).removeClass( 'success error' ).addClass( type ).show();
+      const allowedTypes = [ 'success', 'error' ];
+      const safeType = allowedTypes.includes( type ) ? type : 'error';
+
+      // Set message as plain text to prevent XSS, then apply validated type class.
+      $message.text( message ).removeClass( 'success error' ).addClass( safeType ).show();
 
       // Hide message after a delay for success messages.
-      if (type === 'success') {
+      if (safeType === 'success') {
         setTimeout(
           function () {
             $message.fadeOut( 300 );
           },
-          3000
+          3000,
         );
       }
-    }
+    },
   };
 
   // Initialize when document is ready.
   $( document ).ready(
     function () {
       WPSTUpdateSourceSelector.init();
-    }
+    },
   );
 
 })( jQuery );

bin/install-wp-tests.sh

@@ -117,6 +117,7 @@ install_test_suite() {
 	# set up testing suite if it doesn't yet exist
 	if [ ! -d "$WP_TESTS_DIR" ]; then
 		mkdir -p "$WP_TESTS_DIR"
+		rm -rf /tmp/wordpress-develop
 		if ! git clone --quiet --depth=1 --branch "$GIT_REF" https://github.com/WordPress/wordpress-develop.git /tmp/wordpress-develop; then
 			echo "Error: Failed to clone wordpress-develop at branch/tag $GIT_REF" >&2
 			exit 1

bin/localwp-setup.sh

@@ -28,7 +28,6 @@ set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
 PLUGIN_SLUG="wp-plugin-starter-template"
-PLUGIN_TEXT_DOMAIN="wp-plugin-starter-template"
 
 # LocalWP paths (macOS)
 LOCAL_SITES_DIR="$HOME/Local Sites"
@@ -83,7 +82,8 @@ check_localwp() {
 		exit 1
 	fi
 
-    local version=$("$LOCAL_WP_CLI" --version 2>/dev/null || echo "unknown")
+	local version
+	version=$("$LOCAL_WP_CLI" --version 2>/dev/null || echo "unknown")
 	log_info "LocalWP WP-CLI version: $version"
 }
 
@@ -96,7 +96,8 @@ get_site_path() {
 # Get WordPress path within site
 get_wp_path() {
 	local site_name="$1"
-    local site_path=$(get_site_path "$site_name")
+	local site_path
+	site_path=$(get_site_path "$site_name")
 
 	# LocalWP uses app/public for WordPress files
 	echo "$site_path/app/public"
@@ -105,21 +106,24 @@ get_wp_path() {
 # Check if site exists
 site_exists() {
 	local site_name="$1"
-    local site_path=$(get_site_path "$site_name")
+	local site_path
+	site_path=$(get_site_path "$site_name")
 	[ -d "$site_path" ]
 }
 
 # Get plugin destination path
 get_plugin_path() {
 	local site_name="$1"
-    local wp_path=$(get_wp_path "$site_name")
+	local wp_path
+	wp_path=$(get_wp_path "$site_name")
 	echo "$wp_path/wp-content/plugins/$PLUGIN_SLUG"
 }
 
 # Sync plugin files to LocalWP site
 sync_plugin() {
 	local site_name="$1"
-    local plugin_dest=$(get_plugin_path "$site_name")
+	local plugin_dest
+	plugin_dest=$(get_plugin_path "$site_name")
 
 	if ! site_exists "$site_name"; then
 		log_error "Site '$site_name' does not exist"
@@ -181,7 +185,8 @@ create_site() {
 
 	check_localwp
 
-    local site_path=$(get_site_path "$site_name")
+	local site_path
+	site_path=$(get_site_path "$site_name")
 
 	if site_exists "$site_name"; then
 		log_warning "Site '$site_name' already exists at: $site_path"
@@ -230,7 +235,7 @@ create_site() {
 	echo ""
 
 	# Wait for user to create site
-    read -p "Press Enter after you've created the site in LocalWP..."
+	read -r -p "Press Enter after you've created the site in LocalWP..."
 
 	if site_exists "$site_name"; then
 		log_success "Site detected at: $site_path"
@@ -250,7 +255,8 @@ create_site() {
 # Install recommended plugins (matching Playground blueprint)
 install_recommended_plugins() {
 	local site_name="$1"
-    local wp_path=$(get_wp_path "$site_name")
+	local wp_path
+	wp_path=$(get_wp_path "$site_name")
 
 	log_info "Note: Install these plugins to match Playground environment:"
 	echo "  - Plugin Toggle (plugin-toggle)"
@@ -265,8 +271,10 @@ show_site_info() {
 	local domain="$2"
 	local multisite="$3"
 
-    local site_path=$(get_site_path "$site_name")
+	local site_path
-    local plugin_path=$(get_plugin_path "$site_name")
+	site_path=$(get_site_path "$site_name")
+	local plugin_path
+	plugin_path=$(get_plugin_path "$site_name")
 
 	echo ""
 	echo "============================================"
@@ -305,7 +313,8 @@ reset_site() {
 	echo
 
 	if [[ $REPLY =~ ^[Yy]$ ]]; then
-        local plugin_path=$(get_plugin_path "$site_name")
+		local plugin_path
+		plugin_path=$(get_plugin_path "$site_name")
 
 		log_info "Removing plugin files..."
 		rm -rf "$plugin_path"
@@ -345,14 +354,16 @@ show_info() {
 	echo "==============================="
 
 	for site_name in "$SINGLE_SITE_NAME" "$MULTISITE_NAME"; do
-        local site_path=$(get_site_path "$site_name")
+		local site_path
+		site_path=$(get_site_path "$site_name")
 
 		if site_exists "$site_name"; then
 			echo ""
 			echo "  ${GREEN}✓${NC} $site_name"
 			echo "    Path: $site_path"
 
-            local plugin_path=$(get_plugin_path "$site_name")
+			local plugin_path
+			plugin_path=$(get_plugin_path "$site_name")
 			if [ -d "$plugin_path" ]; then
 				echo "    Plugin: ${GREEN}Installed${NC}"
 			else
@@ -375,21 +386,21 @@ show_info() {
 
 # Main command handler
 case "${1:-}" in
-    create)
+create)
 	shift
 	create_site "$@"
 	;;
-    sync)
+sync)
 	sync_all
 	;;
-    reset)
+reset)
 	shift
 	reset_site "$@"
 	;;
-    info)
+info)
 	show_info
 	;;
-    *)
+*)
 	echo "LocalWP Integration Script"
 	echo ""
 	echo "Usage:"

bin/setup-test-env.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 
-# Make this script executable
-chmod +x "$0"
-
 # Check if environment type is provided
 if [ -z "$1" ]; then
 	echo "Usage: $0 [single|multisite|playground-single|playground-multisite]"
@@ -49,7 +46,7 @@ install_wp_playground() {
 	fi
 }
 
-if [ "$ENV_TYPE" == "single" ]; then
+if [ "$ENV_TYPE" = "single" ]; then
 	echo "Setting up single site environment..."
 
 	# Install wp-env if needed
@@ -83,7 +80,7 @@ if [ "$ENV_TYPE" == "single" ]; then
 	echo "Site: http://localhost:8888"
 	echo "Admin login: admin / password"
 
-elif [ "$ENV_TYPE" == "multisite" ]; then
+elif [ "$ENV_TYPE" = "multisite" ]; then
 	echo "Setting up multisite environment..."
 
 	# Install wp-env if needed
@@ -124,7 +121,7 @@ elif [ "$ENV_TYPE" == "multisite" ]; then
 	echo "Test site: http://localhost:8888/testsite"
 	echo "Admin login: admin / password"
 
-elif [ "$ENV_TYPE" == "playground-single" ]; then
+elif [ "$ENV_TYPE" = "playground-single" ]; then
 	echo "Setting up WordPress Playground single site environment..."
 
 	# Install wp-playground if needed
@@ -193,7 +190,7 @@ EOF
 	echo "Admin login: admin / password"
 	echo "Press Ctrl+C to stop the server when done."
 
-elif [ "$ENV_TYPE" == "playground-multisite" ]; then
+elif [ "$ENV_TYPE" = "playground-multisite" ]; then
 	echo "Setting up WordPress Playground multisite environment..."
 
 	# Install wp-playground if needed
@@ -205,6 +202,7 @@ elif [ "$ENV_TYPE" == "playground-multisite" ]; then
 	zip -r dist/plugin.zip . -x "node_modules/*" "dist/*" ".git/*"
 
 	# Update blueprint to use local plugin
+	# shellcheck disable=SC2154
 	cat >playground/multisite-blueprint.json <<EOF
 {
   "landingPage": "/wp-admin/network/",

build.sh

@@ -46,9 +46,9 @@ cp -R README.md LICENSE CHANGELOG.md readme.txt composer.json "$BUILD_DIR/"
 # Copy directories
 echo "Copying directories..."
 mkdir -p "$BUILD_DIR/admin" "$BUILD_DIR/includes" "$BUILD_DIR/languages" "$BUILD_DIR/assets"
-cp -R admin/* "$BUILD_DIR/admin/"
+cp -R ./admin/* "$BUILD_DIR/admin/"
-cp -R includes/* "$BUILD_DIR/includes/"
+cp -R ./includes/* "$BUILD_DIR/includes/"
-cp -R languages/* "$BUILD_DIR/languages/"
+cp -R ./languages/* "$BUILD_DIR/languages/"
 
 # Create assets directory structure
 mkdir -p "$BUILD_DIR/assets/banner" "$BUILD_DIR/assets/icon" "$BUILD_DIR/assets/screenshots"
@@ -73,9 +73,10 @@ fi
 
 # Create ZIP file.
 echo "Creating ZIP file..."
-cd build || exit 1
+(
-zip -r "../$ZIP_FILE" "$PLUGIN_SLUG" -x "*.DS_Store" -x "*.git*" -x "*.github*"
+	cd build || exit 1
-cd ..
+	zip -r "../$ZIP_FILE" "$PLUGIN_SLUG" -x "*.DS_Store" -x "*.git*" -x "*.github*"
+)
 
 # Check if ZIP file was created successfully
 if [ -f "$ZIP_FILE" ]; then
@@ -83,8 +84,8 @@ if [ -f "$ZIP_FILE" ]; then
 	echo "File path: $(pwd)/$ZIP_FILE"
 
 	# Deploy to local WordPress installation if environment variable is set
-	if [ -n "$WP_LOCAL_PLUGIN_DIR" ]; then
+	if [ -n "${WP_LOCAL_PLUGIN_DIR:-}" ]; then
-		printf '\nDeploying to local WordPress installation...\n'
+		echo ""
 		echo "Deploying to local WordPress installation..."
 
 		# Remove existing plugin directory.

cypress/e2e/playground-single-site.cy.js

@@ -20,8 +20,9 @@ describe('WordPress Playground Single Site Tests', () => {
     cy.get('body', { timeout: 15000 }).then(($body) => {
       // Verify the starter template plugin exists and is activated.
       if ($body.find('tr[data-slug="wp-plugin-starter-template-for-ai-coding"]').length) {
-        cy.get('tr[data-slug="wp-plugin-starter-template-for-ai-coding"]').should('exist');
+        cy.get('tr[data-slug="wp-plugin-starter-template-for-ai-coding"]').within(() => {
-        cy.get('tr[data-slug="wp-plugin-starter-template-for-ai-coding"] .deactivate a').should('exist');
+          cy.get('.deactivate a').should('exist');
+        });
       } else {
         cy.log('Starter template plugin not found by slug, skipping check');
       }

package.json

@@ -39,7 +39,7 @@
     "test:php": "composer run-script test",
     "lint": "composer run-script lint",
     "fix": "composer run-script fix",
-    "quality": "npm run lint && npm run lint:css && npm run test:php"
+    "quality": "npm run lint && npm run lint:js && npm run lint:css && npm run test:php"
   },
   "repository": {
     "type": "git",