Add sniff to detect direct access to AI Connector API keys and give error

[ishitaj34]

What?

Closes #1342

Adds a new AIConnectorAPIKeySniff to detect direct access to WordPress AI Connector API key options.

Why?

WordPress AI Connector API keys are managed by site owners and are intended to be used through the WordPress AI Client. Plugins should not read these keys directly from the options table.

How?

• Added a new AIConnectorAPIKeySniff file.
• Registered the sniff in PluginCheck/ruleset.xml.
• Added suggested regex-based detection for option names matching:

/^connectors_ai_[a-z0-9_]+_api_key$/i

• Added support for:

  • get_option()
  • get_site_option()
  • get_network_option()
  • get_options()

• Added unit tests covering all supported functions.

Testing Instructions

• Check out branch.
• Navigate to the phpcs-sniffs directory.
• Run:

composer check-cs

• Run:

composer run-tests

• Verify that following examples are reported:

get_option( 'connectors_ai_openai_api_key' );
get_site_option( 'connectors_ai_anthropic_api_key' );
get_network_option( null, 'connectors_ai_grok_api_key' );

get_options(
	array(
		'connectors_ai_openai_api_key',
	)
);

• Verify that non-matching options are not reported:

get_option( 'siteurl' );
get_site_option( 'blogname' );
get_network_option( null, 'admin_email' );

AI Usage Disclosure

• This PR was created without the help of AI tools
• This PR includes AI-assisted code or content

If AI tools were used, please describe how they were used:

• AI assistance: Yes
• Tool(s): ChatGPT
• Used for: Discussion of implementation approaches, edge cases, test scenarios, and PR documentation. All code, tests, and final changes were reviewed, validated, and edited by author.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: ishitaj34 <ishitaj34@git.wordpress.org>
Co-authored-by: davidperezgar <davidperez@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.