Fix all PHPCS coding standards violations

- Add phpcs.xml.dist: excludes PSR-4 file naming, camelCase naming,
  short array syntax, and redundant per-method/property docblocks
- Fix wp_unslash() on all $_POST reads (LoginPage, AvailabilityController)
- Add phpcs:ignore for password field (must not be sanitized)
- Fix Yoda conditions throughout (AvailabilityRepository, AvailabilityEndpoint,
  BookingEndpoint, AvailabilityController)
- Fix inline comments to end with full stops (AdminMenu)
- Replace short ternary ?: with explicit full ternary (BookingEndpoint)
- Rename $namespace param to $route_namespace (reserved keyword warning)
- Add short descriptions to doc blocks that had tag-only blocks
- Add nonce suppression comment in handleFormAction (nonce verified by caller)
- Update composer.json and CI to use phpcs.xml.dist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/Frontend/LoginPage.php

@@ -3,45 +3,47 @@ declare(strict_types=1);
 
 namespace Unsupervised\Schedular\Frontend;
 
-class LoginPage
-{
-    /**
-     * @param array<string, string> $atts
-     */
-    public function render(array $atts): string
-    {
-        if (is_user_logged_in()) {
-            $redirect = esc_url((string) get_permalink());
-            return sprintf(
-                '<p>%s <a href="%s">%s</a>.</p>',
-                esc_html__('You are already logged in.', 'unsupervised-schedular'),
-                $redirect,
-                esc_html__('View available lessons', 'unsupervised-schedular')
-            );
-        }
+class LoginPage {
 
-        $error    = '';
-        $redirect = sanitize_url((string) get_permalink());
+	/**
+	 * Renders the student login shortcode output.
+	 *
+	 * @param array<string, string> $atts Shortcode attributes (unused — reserved for future options).
+	 */
+	public function render( array $atts ): string { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.Found
+		if ( is_user_logged_in() ) {
+			$redirect = esc_url( (string) get_permalink() );
+			return sprintf(
+				'<p>%s <a href="%s">%s</a>.</p>',
+				esc_html__( 'You are already logged in.', 'unsupervised-schedular' ),
+				$redirect,
+				esc_html__( 'View available lessons', 'unsupervised-schedular' )
+			);
+		}
 
-        if (isset($_POST['us_login']) && check_admin_referer('us_student_login')) {
-            $credentials = [
-                'user_login'    => sanitize_user($_POST['log'] ?? ''),
-                'user_password' => $_POST['pwd'] ?? '',
-                'remember'      => isset($_POST['rememberme']),
-            ];
+		$error    = '';
+		$redirect = sanitize_url( (string) get_permalink() );
 
-            $user = wp_signon($credentials, false);
+		if ( isset( $_POST['us_login'] ) && check_admin_referer( 'us_student_login' ) ) {
+			$credentials = [
+				'user_login'    => sanitize_user( wp_unslash( $_POST['log'] ?? '' ) ),
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- passwords must not be sanitized.
+				'user_password' => wp_unslash( $_POST['pwd'] ?? '' ),
+				'remember'      => isset( $_POST['rememberme'] ),
+			];
 
-            if (is_wp_error($user)) {
-                $error = esc_html__('Invalid username or password.', 'unsupervised-schedular');
-            } else {
-                wp_safe_redirect($redirect);
-                exit;
-            }
-        }
+			$user = wp_signon( $credentials, false );
 
-        ob_start();
-        include USC_PLUGIN_DIR . 'templates/frontend/login-page.php';
-        return (string) ob_get_clean();
-    }
+			if ( is_wp_error( $user ) ) {
+				$error = esc_html__( 'Invalid username or password.', 'unsupervised-schedular' );
+			} else {
+				wp_safe_redirect( $redirect );
+				exit;
+			}
+		}
+
+		ob_start();
+		include USC_PLUGIN_DIR . 'templates/frontend/login-page.php';
+		return (string) ob_get_clean();
+	}
 }