feat: add php rule pack

rules/php/coding-style.md

@@ -0,0 +1,35 @@
+---
+paths:
+  - "**/*.php"
+  - "**/composer.json"
+---
+# PHP Coding Style
+
+> This file extends [common/coding-style.md](../common/coding-style.md) with PHP specific content.
+
+## Standards
+
+- Follow **PSR-12** formatting and naming conventions.
+- Prefer `declare(strict_types=1);` in application code.
+- Use scalar type hints, return types, and typed properties everywhere new code permits.
+
+## Immutability
+
+- Prefer immutable DTOs and value objects for data crossing service boundaries.
+- Use `readonly` properties or immutable constructors for request/response payloads where possible.
+- Keep arrays for simple maps; promote business-critical structures into explicit classes.
+
+## Formatting
+
+- Use **PHP-CS-Fixer** or **Laravel Pint** for formatting.
+- Use **PHPStan** or **Psalm** for static analysis.
+- Keep Composer scripts checked in so the same commands run locally and in CI.
+
+## Error Handling
+
+- Throw exceptions for exceptional states; avoid returning `false`/`null` as hidden error channels in new code.
+- Convert framework/request input into validated DTOs before it reaches domain logic.
+
+## Reference
+
+See skill: `backend-patterns` for broader service/repository layering guidance.

rules/php/hooks.md

@@ -0,0 +1,24 @@
+---
+paths:
+  - "**/*.php"
+  - "**/composer.json"
+  - "**/phpstan.neon"
+  - "**/phpstan.neon.dist"
+  - "**/psalm.xml"
+---
+# PHP Hooks
+
+> This file extends [common/hooks.md](../common/hooks.md) with PHP specific content.
+
+## PostToolUse Hooks
+
+Configure in `~/.claude/settings.json`:
+
+- **Pint / PHP-CS-Fixer**: Auto-format edited `.php` files.
+- **PHPStan / Psalm**: Run static analysis after PHP edits in typed codebases.
+- **PHPUnit / Pest**: Run targeted tests for touched files or modules when edits affect behavior.
+
+## Warnings
+
+- Warn on `var_dump`, `dd`, `dump`, or `die()` left in edited files.
+- Warn when edited PHP files add raw SQL or disable CSRF/session protections.

rules/php/patterns.md

@@ -0,0 +1,32 @@
+---
+paths:
+  - "**/*.php"
+  - "**/composer.json"
+---
+# PHP Patterns
+
+> This file extends [common/patterns.md](../common/patterns.md) with PHP specific content.
+
+## Thin Controllers, Explicit Services
+
+- Keep controllers focused on transport: auth, validation, serialization, status codes.
+- Move business rules into application/domain services that are easy to test without HTTP bootstrapping.
+
+## DTOs and Value Objects
+
+- Replace shape-heavy associative arrays with DTOs for requests, commands, and external API payloads.
+- Use value objects for money, identifiers, date ranges, and other constrained concepts.
+
+## Dependency Injection
+
+- Depend on interfaces or narrow service contracts, not framework globals.
+- Pass collaborators through constructors so services are testable without service-locator lookups.
+
+## Boundaries
+
+- Isolate ORM models from domain decisions when the model layer is doing more than persistence.
+- Wrap third-party SDKs behind small adapters so the rest of the codebase depends on your contract, not theirs.
+
+## Reference
+
+See skill: `api-design` for endpoint conventions and response-shape guidance.

rules/php/security.md

@@ -0,0 +1,33 @@
+---
+paths:
+  - "**/*.php"
+  - "**/composer.lock"
+  - "**/composer.json"
+---
+# PHP Security
+
+> This file extends [common/security.md](../common/security.md) with PHP specific content.
+
+## Input and Output
+
+- Validate request input at the framework boundary (`FormRequest`, Symfony Validator, or explicit DTO validation).
+- Escape output in templates by default; treat raw HTML rendering as an exception that must be justified.
+- Never trust query params, cookies, headers, or uploaded file metadata without validation.
+
+## Database Safety
+
+- Use prepared statements (`PDO`, Doctrine, Eloquent query builder) for all dynamic queries.
+- Avoid string-building SQL in controllers/views.
+- Scope ORM mass-assignment carefully and whitelist writable fields.
+
+## Secrets and Dependencies
+
+- Load secrets from environment variables or a secret manager, never from committed config files.
+- Run `composer audit` in CI and review new package maintainer trust before adding dependencies.
+- Pin major versions deliberately and remove abandoned packages quickly.
+
+## Auth and Session Safety
+
+- Use `password_hash()` / `password_verify()` for password storage.
+- Regenerate session identifiers after authentication and privilege changes.
+- Enforce CSRF protection on state-changing web requests.

rules/php/testing.md

@@ -0,0 +1,34 @@
+---
+paths:
+  - "**/*.php"
+  - "**/phpunit.xml"
+  - "**/phpunit.xml.dist"
+  - "**/composer.json"
+---
+# PHP Testing
+
+> This file extends [common/testing.md](../common/testing.md) with PHP specific content.
+
+## Framework
+
+Use **PHPUnit** as the default test framework. **Pest** is also acceptable when the project already uses it.
+
+## Coverage
+
+```bash
+vendor/bin/phpunit --coverage-text
+# or
+vendor/bin/pest --coverage
+```
+
+Prefer **pcov** or **Xdebug** in CI, and keep coverage thresholds in CI rather than as tribal knowledge.
+
+## Test Organization
+
+- Separate fast unit tests from framework/database integration tests.
+- Use factory/builders for fixtures instead of large hand-written arrays.
+- Keep HTTP/controller tests focused on transport and validation; move business rules into service-level tests.
+
+## Reference
+
+See skill: `tdd-workflow` for the repo-wide RED -> GREEN -> REFACTOR loop.