If you've ever asked Claude Code, Cursor, or Copilot to "add a function" to a PHP project, you've seen the output: untyped properties, mysql_query("SELECT * FROM users WHERE email = '$email'") , md5($password . SALT) for hashing, global $db everywhere, extract($_POST) because it's "convenient", and @file_get_contents($url) to silence the error you needed to see. It's PHP 5 with a <?php header. The training data is half a decade of Stack Overflow answers from before strict types existed, before password_hash() was a function, before PSR-4 was a thing, and before anyone considered eval($_POST['code']) a problem. Drop a CLAUDE.md at the root of your repo and the AI reads it before every task. Here are the five rules that fix the worst patterns — the full pack has 13. Rule 1: declare(strict_types=1); at the top of every PHP file PHP's default coercion is the source of an enormous class of "works in dev, breaks in prod" bugs.…