Integrate AI Security Module and Enhance WordPress Core with AI Providers

.github/pull_request_template.md

@@ -1,36 +1,39 @@
-<!--
-Hi there! Thanks for contributing to WordPress!
+# Pull Request Template
 
-Pull Requests in this GitHub repository **must** be linked to a ticket in the WordPress Core Trac instance (https://core.trac.wordpress.org), and are only used for code review. **No pull requests will be merged on GitHub.**
+## Description
 
-See the WordPress Handbook page on using PRs for Code Review more information: https://make.wordpress.org/core/handbook/contribute/git/github-pull-requests-for-code-review/
+Please describe your changes and why they're needed.
 
-If this is your first time contributing, you may also find reviewing these guides first to be helpful:
-- FAQs for New Contributors: https://make.wordpress.org/core/handbook/tutorials/faq-for-new-contributors/
-- Contributing with Code Guide: https://make.wordpress.org/core/handbook/contribute/
-- WordPress Coding Standards: https://make.wordpress.org/core/handbook/best-practices/coding-standards/
-- Inline Documentation Standards: https://make.wordpress.org/core/handbook/best-practices/inline-documentation-standards/
-- Browser Support Policies: https://make.wordpress.org/core/handbook/best-practices/browser-support/
-- Proper spelling and grammar related best practices: https://make.wordpress.org/core/handbook/best-practices/spelling/
-- ✨ If you are using AI tools, you must adhere to the AI Guidelines: https://make.wordpress.org/ai/handbook/ai-guidelines/
--->
+## Type of Change
 
-<!-- Insert a description of your changes here -->
+- [ ] Bug fix (non-breaking change)
+- [ ] New feature (non-breaking change)
+- [ ] Breaking change (fix or feature that would cause issues)
+- [ ] Documentation update
+- [ ] Code quality improvement
+- [ ] Security enhancement
 
-Trac ticket: <!-- insert a link to the WordPress Trac ticket here -->
+## Testing
 
-## Use of AI Tools
+Please describe how you tested your changes:
 
-<!--
-You are free to use artificial intelligence (AI) tooling to contribute, but you must disclose what tooling you are using and to what extent a pull request has been authored by AI. It is your responsibility to review and take responsibility for what AI generates. See the WordPress AI Guidelines: <https://make.wordpress.org/ai/handbook/ai-guidelines/>.
+- [ ] Unit tests pass
+- [ ] PHPStan passes
+- [ ] PHP CS Fixer passes (or deviations are documented)
+- [ ] Manual testing completed
 
-Example disclosure:
+## Checklist
 
-AI assistance: Yes
-Tool(s): GitHub Copilot, ChatGPT
-Model(s): GPT-5.1
-Used for: Initial code skeleton and test suggestions; final implementation and tests were reviewed and edited by me.
--->
+- [ ] My code follows the project's coding standards
+- [ ] I have performed a self-review of my code
+- [ ] I have commented my code where necessary
+- [ ] I have updated documentation as needed
+- [ ] My changes generate no new warnings
+
+## Related Issues
+
+Closes #
 
 ---
-**This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See [GitHub Pull Requests for Code Review](https://make.wordpress.org/core/handbook/contribute/git/github-pull-requests-for-code-review/) in the Core Handbook for more details.**
+
+**Note:** This is our own fork. We don't require WordPress Trac tickets — just describe your changes here!

.github/workflows/php-code-quality.yml

@@ -0,0 +1,50 @@
+name: PHP Code Quality
+
+on:
+  push:
+    branches: [trunk, main]
+  pull_request:
+    branches: [trunk]
+
+jobs:
+  phpstan:
+    name: PHPStan Static Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          tools: composer
+
+      - name: Install dependencies
+        run: composer install --no-interaction
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan analyze --error-format=github
+        continue-on-error: true
+
+  php-cs-fixer:
+    name: PHP CS Fixer
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          tools: composer
+
+      - name: Install dependencies
+        run: composer install --no-interaction
+
+      - name: Run PHP CS Fixer (dry-run)
+        run: vendor/bin/php-cs-fixer fix --dry-run --diff --format=github
+        continue-on-error: true

.github/workflows/promote-to-production.yml

@@ -0,0 +1,119 @@
+name: Promote to Production
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main]
+
+jobs:
+  validate:
+    name: Validate PR for Production
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          tools: composer
+
+      - name: Install dependencies
+        run: composer install --no-interaction
+
+      - name: Run PHPStan
+        id: phpstan
+        run: vendor/bin/phpstan analyze --error-format=github --no-progress
+        continue-on-error: true
+
+      - name: Run PHP CS Fixer (dry-run)
+        id: cs-fixer
+        run: vendor/bin/php-cs-fixer fix --dry-run --diff --format=github
+        continue-on-error: true
+
+      - name: Check for required files
+        id: files
+        run: |
+          echo "Checking for required documentation..."
+          if [ -f "docs/SYNC-WORKFLOW.md" ] && [ -f "docs/BRANCH-STRATEGY.md" ]; then
+            echo "✅ Documentation present"
+          else
+            echo "⚠️ Some documentation may be missing"
+          fi
+
+          echo "Checking branch status..."
+          git log main..trunk --oneline > /tmp/commits.txt
+          COMMITS=$(wc -l < /tmp/commits.txt)
+          echo "Commits to promote: $COMMITS"
+          echo "commits_count=$COMMITS" >> $GITHUB_OUTPUT
+
+      - name: Show commit summary
+        run: |
+          echo "=== Commits since last production release ==="
+          git log main..trunk --oneline
+
+  check-changes:
+    name: Check for security changes
+    runs-on: ubuntu-latest
+    needs: validate
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for security-related file changes
+        run: |
+          SECURITY_PATTERNS="security|ai-client|firewall|protect|scan"
+          CHANGES=$(git diff main..trunk --name-only | grep -iE "$SECURITY_PATTERNS" || true)
+
+          if [ -n "$CHANGES" ]; then
+            echo "=== Security-related changes detected ==="
+            echo "$CHANGES"
+            echo "security_changes=1" >> $GITHUB_OUTPUT
+          else
+            echo "No security-related file changes detected"
+            echo "security_changes=0" >> $GITHUB_OUTPUT
+          fi
+
+  label-pr:
+    name: Label PR
+    runs-on: ubuntu-latest
+    needs: [validate, check-changes]
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Add promotion label
+        run: |
+          gh pr edit ${{ github.event.pull_request.number }} --add-label "promote-to-production" 2>/dev/null || true
+
+          # Add security label if security changes detected
+          if [ "${{ needs.check-changes.outputs.security_changes }}" == "1" ]; then
+            gh pr edit ${{ github.event.pull_request.number }} --add-label "security" 2>/dev/null || true
+            echo "Added security label"
+          fi
+
+  summary:
+    name: Promotion Summary
+    runs-on: ubuntu-latest
+    needs: [validate, check-changes]
+    if: always()
+
+    steps:
+      - name: Create summary
+        run: |
+          echo "## Production Promotion Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Validation Results" >> $GITHUB_STEP_SUMMARY
+          echo "- PHPStan: ${{ steps.phpstan.outcome }}" >> $GITHUB_STEP_SUMMARY
+          echo "- PHP CS Fixer: ${{ steps.cs-fixer.outcome }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Files check: ${{ steps.files.outcome }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Changes Summary" >> $$GITHUB_STEP_SUMMARY
+          echo "- Commits to promote: ${{ needs.validate.outputs.commits_count }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Security changes: ${{ needs.check-changes.outputs.security_changes }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/security.yml

@@ -0,0 +1,46 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [trunk]
+  schedule:
+    # Run weekly on Sunday
+    - cron: '0 0 * * 0'
+
+jobs:
+  dependency-check:
+    name: Check for vulnerable dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+
+      - name: Install Composer
+        run: composer install --no-interaction --prefer-dist
+
+      - name: Run security audit
+        run: |
+          composer audit --no-interaction || true
+        continue-on-error: true
+
+  php-lint:
+    name: PHP Syntax Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Find PHP files
+        run: |
+          find src/wp-includes src/wp-admin -name "*.php" -type f | head -50
+
+      - name: Lint PHP files
+        run: |
+          find src/wp-includes src/wp-admin -name "*.php" -type f -exec php -l {} \; 2>&1 | grep -v "No syntax errors" || true

.github/workflows/upstream-sync.yml

@@ -0,0 +1,46 @@
+name: Upstream Sync Check
+
+on:
+  schedule:
+    # Run every 3 hours
+    - cron: '0 */3 * * *'
+  workflow_dispatch:
+
+jobs:
+  sync-check:
+    name: Check upstream sync status
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Add upstream remote
+        run: |
+          git remote add upstream https://github.com/WordPress/wordpress-develop.git
+          git fetch upstream
+
+      - name: Check sync status
+        id: sync
+        run: |
+          LOCAL=$(git rev-parse HEAD)
+          UPSTREAM=$(git rev-parse upstream/trunk)
+
+          if [ "$LOCAL" = "$UPSTREAM" ]; then
+            echo "status=in_sync" >> $GITHUB_OUTPUT
+            echo "✅ In sync with upstream ($LOCAL)"
+          else
+            COMMITS=$(git rev-list --count HEAD..upstream/trunk)
+            echo "status=behind" >> $GITHUB_OUTPUT
+            echo "commits_behind=$COMMITS" >> $GITHUB_OUTPUT
+            echo "⚠️ Behind upstream by $COMMITS commit(s)"
+            git log --oneline HEAD..upstream/trunk
+          fi
+
+      - name: Show upstream commits
+        if: steps.sync.outputs.status == 'behind'
+        run: |
+          echo "=== Recent upstream commits ==="
+          git log --oneline upstream/trunk -10

.gitignore

@@ -23,7 +23,6 @@ wp-tests-config.php
 /gutenberg
 /tests/phpunit/build
 /wp-cli.local.yml
-/phpstan.neon
 /*.tsbuildinfo
 /jsdoc
 /composer.lock
@@ -117,3 +116,10 @@ wp-tests-config.php
 
 # Visual regression test diffs
 tests/visual-regression/specs/__snapshots__
+
+# Local project docs (not committed)
+docs/implementation-plan.md
+docs/knowledge-base.md
+
+# Code quality tools
+.php-cs-fixer.cache