NXP Easy Forms (WP)

Security Hardening
- Added ABSPATH direct-access guards to all 69 PHP files in app/
- Replaced all `error_log()` calls with hook-based debug logger (`nxp_easy_forms_debug_log` action)
- Escaped all frontend-facing exception messages with `esc_html__()` or `sanitize_text_field()`
- Sanitized all `$_SERVER`, `$_GET`, and `$_COOKIE` superglobal reads with `sanitize_text_field(wp_unslash())`
- Added PHPCS ignore annotations with rationale for legitimate nonce-free `$_GET` reads (admin screen checks, signed-token flows)

Database
- Hardened all SQL queries with `%i` identifier placeholders for table names

Internationalization
- Added `/- translators: */` comments to all `sprintf()` calls containing translatable strings
- Fixed unordered placeholders to use positional format (`%1$d`, `%2$d`)

Filesystem
- Replaced `unlink()` calls with `wp_delete_file()` in Export_Controller
- Added PHPCS ignore annotations for legitimate filesystem operations (fopen, fwrite, fputcsv, fclose, filesize, readfile)

Plugin Bootstrap
- Removed manual `load_textdomain()` call (WordPress handles this automatically for directory-hosted plugins)
- Fixed `Tested up to` header to use major.minor format (6.9)

**Bug Fixes**
- Fixed "Send test email" button doing nothing when "Use global Recipient email" is enabled
- Fixed additional Plugin Check output-escaping issues for admin page header icon URLs (Forms list, Settings, and Form Builder pages)
- Fixed translators comment placement for placeholder-based error strings in form repository save/duplicate operations