Woo Guard

Name: Woo Guard
Author: amelnagdy

amelnagdy/guard-skills

Run an agent review on WooCommerce PHP changes for HPOS, CRUD APIs, checkout surface (Blocks vs legacy), and money-handling mistakes.

Overview

Woo Guard is an agent skill most often used in Ship (also Build backend integrations) that reviews WooCommerce code for HPOS, checkout surface, and money-handling issues after changes.

Install

npx skills add https://github.com/amelnagdy/guard-skills --skill woo-guard

What is this skill?

Post-change guardrail: invoke after WooCommerce code is written or modified
Covers HPOS, CRUD patterns, checkout hooks, and payment or money handling
Explicit Blocks (Store API) vs legacy shortcode checkout hook surfaces—wrong surface fails silently
Server-side `woocommerce_checkout_process` validation called out as the real gate beyond JS UX
Gateway and webhook callback review for payment integrity
Two distinct checkout surfaces: Blocks Store API vs legacy shortcode hooks

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1 installs on skills.sh; 474 GitHub stars; trending (+100% hot-view momentum).

What problem does it solve?

AI-generated WooCommerce extensions often hook the wrong checkout, skip server-side validation, or mishandle orders and payments in ways that only break in production.

Who is it for?

Indie devs and agents maintaining WooCommerce plugins or store customizations who want a commerce-specific review pass.

Skip if: Non-Woo PHP projects, greenfield theme design with no checkout logic, or teams that only need generic WordPress coding standards.

When should I use this skill?

Use after WooCommerce code is written or changed to review HPOS, CRUD, checkout, and money-handling issues.

What do I get? / Deliverables

You get a focused review list covering HPOS, CRUD, Blocks vs legacy checkout, and money paths so you fix silent failures before customers pay.

Issue list grouped by HPOS, CRUD, checkout surface, and money handling
Notes on silent hook mismatches between Blocks and legacy checkout

Recommended Skills

Improve Codebase Architecturemattpocock/skills

Improve Codebase Architecture is an agent skill that teaches how to deepen a cluster of shallow modules without breaking…226k installs·121k stars

Zoom Outmattpocock/skills

Lightweight meta-prompt skill that tells the agent to zoom out and deliver a domain-aligned overview of modules and call…181k installs·121k stars

Caveman Reviewjuliusbrussee/caveman

Formats code review as single actionable lines: location, problem, fix, with minimal noise.139k installs·70k stars

Requesting Code Reviewobra/superpowers

Requesting Code Review is an agent skill from the Superpowers collection that gives solo and indie builders a copy-ready…119k installs·221k stars

Receiving Code Reviewobra/superpowers

Superpowers methodology for agents receiving code review: prioritize technical correctness over social comfort, verify e…96.2k installs·221k stars

Request Refactor Planmattpocock/skills

request-refactor-plan is a structured agent workflow for solo and small-team maintainers who want refactors filed as act…30.5k installs·121k stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Ship review is the canonical shelf because the skill is invoked after code exists to catch commerce regressions before release. Review subphase matches post-write guardrails rather than greenfield scaffolding or marketing work.

Also useful

BuildBackend, data & payments

Where it fits

Example use

BuildIntegrations & version control

After adding a custom checkout field extension, verify Store API vs legacy hooks before merging.

Example use

BuildBackend, data & payments

Audit CRUD order updates for HPOS compatibility when migrating off post-meta storage.

Example use

ShipCode review

Pre-release pass on gateway webhook handlers and server-side VAT validation.

Example use

ShipSecurity

Catch unsafe money rounding or trust in client-only checkout validation before go-live.

How it compares

Commerce-specific checker after codegen—not a WooCommerce MCP and not a substitute for PCI scope review with your payment provider.

Common Questions / FAQ

Who is woo-guard for?

Solo builders and agents shipping WooCommerce plugins or checkout customizations who need HPOS- and payment-aware code review.

When should I use woo-guard?

After any WooCommerce code change in Ship review, and during Build backend work when integrating gateways, coupons, or checkout fields.

Is woo-guard safe to install?

It is read-oriented review guidance; still review Security Audits on this page and never paste live gateway secrets into the agent session.

SKILL.md

READMESKILL.md - Woo Guard

interface:
  display_name: "Woo Guard"
  short_description: "WooCommerce code guardrails for AI agents"
  default_prompt: "Use $woo-guard after WooCommerce code is written or changed to review it for HPOS, CRUD, checkout, and money-handling issues."


# Woo Guard — Checkout and Money Reference

## Contents

- Two checkouts, two hook surfaces
- Server-side validation
- Cart and session context guards
- Money handling
- Gateway and webhook callbacks

## Two checkouts, two hook surfaces

Modern stores run the Blocks checkout (Store API); legacy stores run the shortcode checkout (`woocommerce_checkout_*` hooks, `wp_ajax` fragments). The hook surfaces do not overlap:

- Legacy-only: `woocommerce_checkout_fields`, `woocommerce_checkout_process`, `woocommerce_after_order_notes`.
- Blocks: Store API extensions (`ExtendSchema`), additional-fields API, server-side endpoint validation.

An extension claiming general compatibility wires both or declares which one it supports (see compatibility declaration in [hpos-and-crud.md](hpos-and-crud.md)). AI-generated checkout code overwhelmingly targets the legacy surface only — on a Blocks store it simply never runs: a hook on the wrong surface fails silently, no error, no behavior.

## Server-side validation

```php
/**
 * Reject checkout when the VAT number is malformed.
 *
 * JS validation on the field is UX; this hook is the actual gate.
 */
add_action( 'woocommerce_checkout_process', function () {
	$vat = isset( $_POST['ncs_vat'] ) ? sanitize_text_field( wp_unslash( $_POST['ncs_vat'] ) ) : '';

	if ( '' !== $vat && ! ncs_vat_is_valid( $vat ) ) {
		wc_add_notice( __( 'Please enter a valid VAT number.', 'ncs-checkout' ), 'error' );
	}
} );
```

For Blocks, the equivalent lives in the Store API additional-fields/extension schema callbacks. Either way: the server decides, every field is unslashed then sanitized with the type-correct function, and error messages go through `wc_add_notice()`/schema errors — never `die()`.

## Cart and session context guards

`WC()->cart`, `WC()->session`, and `WC()->customer` are initialized for front-end requests — they are null in REST, cron, CLI, webhooks, and most admin requests:

```php
if ( function_exists( 'WC' ) && WC()->cart instanceof WC_Cart ) {
	$count = WC()->cart->get_cart_contents_count();
}
```

Code that touches the cart inside an API callback or scheduled job is a fatal error wearing a demo-store disguise. Flag it in review even when "it worked locally."

## Money handling

- Storage and arithmetic inputs: `wc_format_decimal( $value )` — normalizes locale decimals and precision.
- Display: `wc_price( $amount )` — currency symbol, position, separators, all from store settings. Hardcoded `'$' . $amount` fails on the other 150 currencies.
- Totals and tax: use order/cart getters (`get_total()`, `get_subtotal()`, `WC_Tax` methods) — they apply the store's rounding mode. Re-deriving totals with raw float math produces penny drift that accountants will find.
- Comparisons: compare formatted decimals or integer minor units; never `==` on floats.
- Refund/discount logic: negative amounts have meaning — test the zero and partial cases explicitly (test-guard says hi).

## Gateway and webhook callbacks

- Verify webhook signatures/secrets before touching any order; fail closed with the provider's expected status code.
- Look up orders from gateway references via `wc_get_orders( array( 'transaction_id' => … ) )` or stored CRUD meta — not custom SQL.
- Callbacks run unauthenticated by design: capability checks don't apply, signature verification is the authentication, and every input is still unslashed and sanitized before use.
- Idempotency: providers retry. Processing the same payment event twice must not complete an order twice.


# Woo Guard — HPOS and CRUD Reference

## Contents

- Why HPOS breaks legacy code
- Order access patterns
- Order meta done right
- Products, stock, and lookup tables
- Status transitions
- Declaring compatibility
- Violation ta

What is this skill?

Post-change guardrail: invoke after WooCommerce code is written or modified

Covers HPOS, CRUD patterns, checkout hooks, and payment or money handling

Explicit Blocks (Store API) vs legacy shortcode checkout hook surfaces—wrong surface fails silently

Server-side `woocommerce_checkout_process` validation called out as the real gate beyond JS UX

Gateway and webhook callback review for payment integrity

Two distinct checkout surfaces: Blocks Store API vs legacy shortcode hooks

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1 installs on skills.sh; 474 GitHub stars; trending (+100% hot-view momentum).

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Also useful

BuildBackend, data & payments

Where it fits

Example use

BuildIntegrations & version control

After adding a custom checkout field extension, verify Store API vs legacy hooks before merging.

Example use

BuildBackend, data & payments

Audit CRUD order updates for HPOS compatibility when migrating off post-meta storage.

Example use

ShipCode review

Pre-release pass on gateway webhook handlers and server-side VAT validation.

Example use

ShipSecurity

Catch unsafe money rounding or trust in client-only checkout validation before go-live.

SKILL.md

READMESKILL.md - Woo Guard

interface:
  display_name: "Woo Guard"
  short_description: "WooCommerce code guardrails for AI agents"
  default_prompt: "Use $woo-guard after WooCommerce code is written or changed to review it for HPOS, CRUD, checkout, and money-handling issues."


# Woo Guard — Checkout and Money Reference

## Contents

- Two checkouts, two hook surfaces
- Server-side validation
- Cart and session context guards
- Money handling
- Gateway and webhook callbacks

## Two checkouts, two hook surfaces

Modern stores run the Blocks checkout (Store API); legacy stores run the shortcode checkout (`woocommerce_checkout_*` hooks, `wp_ajax` fragments). The hook surfaces do not overlap:

- Legacy-only: `woocommerce_checkout_fields`, `woocommerce_checkout_process`, `woocommerce_after_order_notes`.
- Blocks: Store API extensions (`ExtendSchema`), additional-fields API, server-side endpoint validation.

An extension claiming general compatibility wires both or declares which one it supports (see compatibility declaration in [hpos-and-crud.md](hpos-and-crud.md)). AI-generated checkout code overwhelmingly targets the legacy surface only — on a Blocks store it simply never runs: a hook on the wrong surface fails silently, no error, no behavior.

## Server-side validation

```php
/**
 * Reject checkout when the VAT number is malformed.
 *
 * JS validation on the field is UX; this hook is the actual gate.
 */
add_action( 'woocommerce_checkout_process', function () {
	$vat = isset( $_POST['ncs_vat'] ) ? sanitize_text_field( wp_unslash( $_POST['ncs_vat'] ) ) : '';

	if ( '' !== $vat && ! ncs_vat_is_valid( $vat ) ) {
		wc_add_notice( __( 'Please enter a valid VAT number.', 'ncs-checkout' ), 'error' );
	}
} );
```

For Blocks, the equivalent lives in the Store API additional-fields/extension schema callbacks. Either way: the server decides, every field is unslashed then sanitized with the type-correct function, and error messages go through `wc_add_notice()`/schema errors — never `die()`.

## Cart and session context guards

`WC()->cart`, `WC()->session`, and `WC()->customer` are initialized for front-end requests — they are null in REST, cron, CLI, webhooks, and most admin requests:

```php
if ( function_exists( 'WC' ) && WC()->cart instanceof WC_Cart ) {
	$count = WC()->cart->get_cart_contents_count();
}
```

Code that touches the cart inside an API callback or scheduled job is a fatal error wearing a demo-store disguise. Flag it in review even when "it worked locally."

## Money handling

- Storage and arithmetic inputs: `wc_format_decimal( $value )` — normalizes locale decimals and precision.
- Display: `wc_price( $amount )` — currency symbol, position, separators, all from store settings. Hardcoded `'$' . $amount` fails on the other 150 currencies.
- Totals and tax: use order/cart getters (`get_total()`, `get_subtotal()`, `WC_Tax` methods) — they apply the store's rounding mode. Re-deriving totals with raw float math produces penny drift that accountants will find.
- Comparisons: compare formatted decimals or integer minor units; never `==` on floats.
- Refund/discount logic: negative amounts have meaning — test the zero and partial cases explicitly (test-guard says hi).

## Gateway and webhook callbacks

- Verify webhook signatures/secrets before touching any order; fail closed with the provider's expected status code.
- Look up orders from gateway references via `wc_get_orders( array( 'transaction_id' => … ) )` or stored CRUD meta — not custom SQL.
- Callbacks run unauthenticated by design: capability checks don't apply, signature verification is the authentication, and every input is still unslashed and sanitized before use.
- Idempotency: providers retry. Processing the same payment event twice must not complete an order twice.


# Woo Guard — HPOS and CRUD Reference

## Contents

- Why HPOS breaks legacy code
- Order access patterns
- Order meta done right
- Products, stock, and lookup tables
- Status transitions
- Declaring compatibility
- Violation ta

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is woo-guard for?

When should I use woo-guard?

Is woo-guard safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is woo-guard for?

When should I use woo-guard?

Is woo-guard safe to install?

SKILL.md