# BW AI Schema Pro — security-scan allowlist
# Format: <label> <relative-path>:<lineno>
# Each entry must be justified with a comment on the preceding line.

# Audit note (2026-05-06): the security-scan reports ~140 advisory warnings of
# `[raw $_GET/POST]` across this plugin. They were comprehensively reviewed on
# 2026-05-06 and found to be 99.3% false positives — every state-changing handler
# uses the standard nonce + capability + autosave guard at the top of the function,
# then sanitizes every read; AJAX endpoints double-gate; output is consistently
# escaped; only one direct $wpdb call exists and it uses prepare(). The single
# real gap (a `?skip_setup=1` flag without cap check) was fixed and is recorded
# in CHANGELOG.md under [Unreleased]. The 140 warnings are NOT suppressed in this
# allowlist on purpose — line numbers shift with edits and a stale allowlist
# would be worse than noisy advisory warnings. See docs/SESSION-LOG.md
# 2026-05-06 audit entry for the full review.

# Autoloader uses require with a variable path. Path is constructed from a class name
# (which PHP itself controls — not user input) prefixed with `class-` and a constant
# base directory (BW_SCHEMA_PLUGIN_DIR). file_exists() check bounds the call.
require $var bw-ai-schema-pro.php:68
require $var bw-ai-schema-pro.php:75
