Add AI Provider check to recommend the WordPress AI Client (#1341) #1343
developeritsme wants to merge 1 commit into
Adds a new static check (ai_provider) that warns when a plugin integrates directly with a third-party AI provider API (OpenAI, Anthropic, Google Gemini, Grok, Mistral, Cohere, Groq, Perplexity, DeepSeek, OpenRouter) instead of using the WordPress AI Client and Connectors infrastructure introduced in WordPress 7.0. Detection is implemented as a tokenized PHPCS sniff (PluginCheck.CodeAnalysis.AIProvider) that only inspects string literals and requires an explicit http(s) scheme before a known provider host, so mentions in comments, docblocks or unrelated URLs are not flagged. The check reports a warning (not an error), matching the recommendation-only intent. Includes the sniff, the AI_Provider_Check class registered under the general category, sniff unit tests with positive and negative cases, a check-level PHPUnit test with test data, and a docs/checks.md entry. Closes WordPress#1341
125d80f to 4d7534d
| if ( preg_match( $this->pattern, $string_content, $matches ) ) { | ||
| $error = 'Plugin appears to integrate directly with a third-party AI provider (%s). Since WordPress 7.0, consider using the WordPress AI Client and Connectors infrastructure (wp_ai_client_prompt()) where it fits your use case, so the site owner can configure their preferred provider once without the plugin managing provider credentials directly.'; |
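Review bot: on the $error = 'Plugin appears to integrate directly ...' line, the variable is named $error although the PR reports this finding as a warning, so $warning or $message would match the severity and avoid confusion with sniffs that do raise errors. Also on that line, make sure the (%s) placeholder is filled from the host captured in $matches by the preg_match() call above it rather than from the whole $string_content, so the report shows only the provider host and never echoes the rest of a string literal.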
Could we make this warning string translation-ready?
Thanks for the review! I gave this a try, but wrapping the message in __( ..., 'plugin-check' ) actually fatals with Call to undefined function __(). The PluginCheck sniffs run under standalone PHP_CodeSniffer (both the sniff unit-test harness and any direct phpcs --standard=PluginCheck run) where WordPress isn't loaded, so the i18n functions don't exist. That's why none of the existing sniffs use WP i18n in their messages; they need to stay WordPress-independent.
The message is still esc_html()'d when surfaced to results in Abstract_PHP_CodeSniffer_Check. If translating sniff output is wanted, it'd be cleaner to handle it project-wide at the layer that consumes the PHPCS report (where WP is available) rather than inside the sniffs. Happy to open a follow-up for that if maintainers are interested.
What?
Closes #1341
Adds a new static check (ai_provider) that warns when a plugin integrates directly with a third-party AI provider API instead of using the WordPress AI Client and Connectors infrastructure introduced in WordPress 7.0.

Why?
WordPress 7.0 provides a standard abstraction (wp_ai_client_prompt()) so site owners can configure an AI provider once and plugins can send prompts through whichever compatible provider is configured, without duplicating provider setup screens, API key fields, or credential storage. Direct provider integrations are not invalid, but the check helps authors discover and adopt the recommended path. As requested in the issue, this is a recommendation (warning), not a hard failure.

How?
PluginCheck.CodeAnalysis.AIProvider that inspects only string-literal tokens and requires an explicit http(s) scheme before a known provider host. This means mentions inside comments/docblocks, bare hostnames without a scheme, and unrelated URLs are intentionally not flagged, keeping false positives low.
api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, api.x.ai, api.mistral.ai, api.cohere.ai, api.cohere.com, api.groq.com, api.perplexity.ai, api.deepseek.com, openrouter.ai.
AI_Provider_Check (Abstract_PHP_CodeSniffer_Check) registered under the general category in Default_Check_Repository, mirroring Offloading_Files_Check.
warning (DirectIntegration), not an error.
docs/checks.md.

A note on category: per the AGENTS.md definitions (CATEGORY_PLUGIN_REPO = directory requirements, CATEGORY_GENERAL = best practices), this recommendation is placed under general. Happy to move it if maintainers prefer plugin_repo.

Testing Instructions
cd phpcs-sniffs && composer install
composer run-tests (or filter: vendor/bin/phpunit --filter AIProvider ./vendor/squizlabs/php_codesniffer/tests/AllTests.php --no-coverage).
vendor/bin/phpcs --standard=PluginCheck --sniffs=PluginCheck.CodeAnalysis.AIProvider tests/phpunit/testdata/plugins/test-plugin-ai-provider-check-with-errors/load.php
Expected: warnings on the two real integration lines only; the bare host and unrelated URL are not flagged.
wp_remote_post( 'https://api.openai.com/v1/chat/completions', ... ): wp plugin check <slug> --checks=ai_provider

AI Usage Disclosure
If AI tools were used, please describe how they were used:
Implemented with the assistance of Claude Code (Anthropic). The author reviewed and verified all changes, including running the sniff unit tests and PHPCS linting locally.
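
The detection approach the description outlines (string-literal tokens only, an explicit http(s) scheme directly before a known provider host), sketched with PHP's built-in tokenizer instead of PHP_CodeSniffer. This is an added example, not the PR's sniff: the function name find_ai_provider_urls, the regex with its host-boundary lookahead, and the sample source are assumptions; only the host list is taken from the description.

```php
<?php
// Added illustration, not the PR's sniff. Host list copied from the PR description.
const AI_HOSTS = array(
	'api.openai.com', 'api.anthropic.com', 'generativelanguage.googleapis.com',
	'api.x.ai', 'api.mistral.ai', 'api.cohere.ai', 'api.cohere.com',
	'api.groq.com', 'api.perplexity.ai', 'api.deepseek.com', 'openrouter.ai',
);

/** Returns array( line => host ) for string literals containing scheme + provider host. */
function find_ai_provider_urls( string $source ): array {
	$hosts = implode( '|', array_map( static fn( $h ) => preg_quote( $h, '~' ), AI_HOSTS ) );
	// Assumption: the host must end at a URL delimiter or the end of the string,
	// so a look-alike such as https://api.openai.com.example.test is not reported.
	$pattern = '~https?://(' . $hosts . ')(?=[/:?#]|$)~i';
	$found   = array();
	foreach ( token_get_all( $source ) as $token ) {
		if ( ! is_array( $token ) ) {
			continue; // Single-character tokens such as ";" or "(".
		}
		list( $id, $text, $line ) = $token;
		if ( T_CONSTANT_ENCAPSED_STRING === $id ) {
			$text = substr( $text, 1, -1 ); // Drop the surrounding quotes.
		} elseif ( T_ENCAPSED_AND_WHITESPACE !== $id ) {
			continue; // Comments, docblocks and identifiers are never inspected.
		}
		if ( preg_match( $pattern, $text, $m ) ) {
			$found[ $line ] = strtolower( $m[1] ); // Report the host only.
		}
	}
	return $found;
}

// Constructed sample plugin source (hypothetical, for this example only).
$sample = <<<'SRC'
<?php
// Docs: https://api.openai.com/v1 (comment only)
$a = wp_remote_post( 'https://api.openai.com/v1/chat/completions', $args );
$b = 'api.anthropic.com';
$c = 'https://example.com/?ref=openrouter.ai';
$d = "https://api.anthropic.com/v1/messages";
$e = 'https://api.openai.com.example.test/';
SRC;

foreach ( find_ai_provider_urls( $sample ) as $line => $host ) {
	echo "line $line: $host\n";
}
```

On the constructed sample, only the wp_remote_post() line and the double-quoted Anthropic URL are reported; the comment, the bare host, the unrelated URL and the look-alike domain are skipped.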