[Feature] Implement plugin permissions management system

[HILAYTRIVEDI]

What?

Closes #342

Why?

The plugin-level permissions and provider routing feature introduced three new production classes (Permissions_Manager, Plugin_Registry) and extended AI_Service, Settings_Page, Settings_Registration, bootstrap.php, and helpers.php with no test coverage. Without tests, regressions in access control logic e.g. the global toggle blocking all access, the opt-in default, provider preference filtering would go undetected.

---

What changed?

Production code

• includes/Permissions/Permissions_Manager.php (new) Singleton that gates plugin AI access (plugin_has_access()), stores and retrieves per-plugin provider routing preferences (get_plugin_provider_preferences()), and sanitizes plugin IDs for use as option-name suffixes (sanitize_option_key()). Fires the wpai_register_plugins action on initialize().

• includes/Permissions/Plugin_Registry.php (new) In-memory registry for plugins that declare themselves as AI consumers via wpai_register_plugins. Exposes register_plugin() (no-op on duplicate), get_all_plugins(), get_plugin(), and has_plugin().

• includes/Services/AI_Service.php Added create_textgen_prompt_for_plugin(): performs an access check via Permissions_Manager, then builds a prompt scoped to the plugin's provider preferences (falls back to global if none configured).

• includes/Settings/Settings_Page.php Added render_plugin_permissions_section(): renders an admin UI card with per-plugin access toggles and provider routing text inputs. Section is hidden when no plugins are registered; inputs are disabled when the global AI toggle is off.

• includes/Settings/Settings_Registration.php Added register_plugin_permission_settings() (registers wpai_plugin_access_* and wpai_plugin_providers_* options per plugin) and sanitize_provider_preferences()
  (sanitizes comma-separated provider slug lists via sanitize_key()).

• includes/bootstrap.php Calls Permissions_Manager::get_instance()->initialize() during plugin load so registrations via wpai_register_plugins are processed in time.

• includes/helpers.php Added the public helper plugin_has_ai_access( $plugin_id ) as a thin wrapper around Permissions_Manager::plugin_has_access().

Tests

Added two new integration test files and extended the existing AI_ServiceTest:

• tests/Integration/Includes/Permissions/Plugin_RegistryTest.php 11 tests covering register_plugin() (data storage, name/description defaults, duplicate no-op, XSS sanitization via sanitize_text_field/sanitize_textarea_field), get_all_plugins(), get_plugin(), and has_plugin().

• tests/Integration/Includes/Permissions/Permissions_ManagerTest.php 17 tests covering the singleton (get_instance()), initialize() idempotency and action firing, plugin_has_access() (global toggle off, unregistered plugin, not granted, granted, filter override, filter receives correct plugin ID), get_plugin_provider_preferences() (empty default, stored slugs, whitespace trimming, empty segment pruning, filter override), and sanitize_option_key() (lowercasing, special-character replacement, valid-character preservation).

• tests/Integration/Includes/Services/AI_ServiceTest.php 5 new tests for create_textgen_prompt_for_plugin() covering all denial paths (unregistered plugin, global AI disabled, access not granted) and the success paths (access granted with prompt string, access granted with null prompt).

• All tests follow the project's WP_UnitTestCase conventions: WordPress update_option/delete_option for state, @covers tags, @since 1.0.0 aligned with the production code, and action/filter hooks cleaned up after each assertion to ensure determinism.

---

Testing Instructions

1. Ensure the WordPress test environment is configured (WP_TESTS_DIR or equivalent).
2. Run the PHP integration test suite:

   composer test
   

3. Confirm all new tests in tests/Integration/Includes/Permissions/ pass with no
   failures or warnings.
4. Confirm no regressions in tests/Integration/Includes/Services/AI_ServiceTest.php.

---

Use of AI Tools

AI assistance: Yes
Tool(s): Claude Code
Used for: Initial test scaffolding (method names, assertion structure,
setUp/tearDown shape). Final tests were reviewed line-by-line, corrected for hook
cleanup (leaked add_action callbacks replaced with stored references +
remove_action), docblock style aligned to project conventions (Tests that…
descriptions, @covers, third-person setUp/tearDown descriptions), and verified
against all production source files before submission.

---

Testing Instructions for Keyboard

N/A no UI changes.

Screenshots or screencast

N/A test-only change.

[codecov]

Codecov Report

❌ Patch coverage is 32.77778% with 121 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.60%. Comparing base (32c5e2d) to head (c7fa77a).

Files with missing lines	Patch %	Lines
includes/Settings/Settings_Page.php	0.00%	77 Missing ⚠️
includes/Settings/Settings_Registration.php	0.00%	30 Missing ⚠️
includes/Services/AI_Service.php	52.17%	11 Missing ⚠️
includes/bootstrap.php	0.00%	2 Missing ⚠️
includes/helpers.php	0.00%	1 Missing ⚠️

Additional details and impacted files

@@              Coverage Diff              @@
##             develop     #343      +/-   ##
=============================================
- Coverage      57.85%   56.60%   -1.25%     
- Complexity       615      652      +37     
=============================================
  Files             46       48       +2     
  Lines           3165     3339     +174     
=============================================
+ Hits            1831     1890      +59     
- Misses          1334     1449     +115     

Flag	Coverage Δ
unit	56.60% <32.77%> (-1.25%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.