Add AI Provider check to recommend the WordPress AI Client (#1341)

docs/checks.md

@@ -36,3 +36,4 @@
 | enqueued_styles_scope | performance | Checks whether any stylesheets are loaded on all pages, which is usually not desirable and can lead to performance issues. | [Learn more](https://developer.wordpress.org/plugins/) |
 | enqueued_scripts_scope | performance | Checks whether any scripts are loaded on all pages, which is usually not desirable and can lead to performance issues. | [Learn more](https://developer.wordpress.org/plugins/) |
 | non_blocking_scripts | performance | Checks whether scripts and styles are enqueued using a recommended loading strategy. | [Learn more](https://developer.wordpress.org/plugins/) |
+| ai_provider | general | Recommends the WordPress AI Client when a plugin integrates directly with a third-party AI provider. | [Learn more](https://developer.wordpress.org/plugins/) |

includes/Checker/Checks/General/AI_Provider_Check.php

@@ -0,0 +1,88 @@
+<?php
+/**
+ * Class AI_Provider_Check.
+ *
+ * @package plugin-check
+ */
+
+namespace WordPress\Plugin_Check\Checker\Checks\General;
+
+use WordPress\Plugin_Check\Checker\Check_Categories;
+use WordPress\Plugin_Check\Checker\Check_Result;
+use WordPress\Plugin_Check\Checker\Checks\Abstract_PHP_CodeSniffer_Check;
+use WordPress\Plugin_Check\Traits\Amend_Check_Result;
+use WordPress\Plugin_Check\Traits\Stable_Check;
+
+/**
+ * Check to detect direct integrations with third-party AI providers.
+ *
+ * @since 2.1.0
+ */
+class AI_Provider_Check extends Abstract_PHP_CodeSniffer_Check {
+
+	use Amend_Check_Result;
+	use Stable_Check;
+
+	/**
+	 * Bitwise flags to control check behavior.
+	 *
+	 * @since 2.1.0
+	 * @var int
+	 */
+	protected $flags = 0;
+
+	/**
+	 * Gets the categories for the check.
+	 *
+	 * Every check must have at least one category.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @return array The categories for the check.
+	 */
+	public function get_categories() {
+		return array( Check_Categories::CATEGORY_GENERAL );
+	}
+
+	/**
+	 * Returns an associative array of arguments to pass to PHPCS.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param Check_Result $result The check result to amend, including the plugin context to check.
+	 * @return array An associative array of PHPCS CLI arguments.
+	 */
+	protected function get_args( Check_Result $result ) {
+		return array(
+			'extensions' => 'php',
+			'standard'   => 'PluginCheck',
+			'sniffs'     => 'PluginCheck.CodeAnalysis.AIProvider',
+		);
+	}
+
+	/**
+	 * Gets the description for the check.
+	 *
+	 * Every check must have a short description explaining what the check does.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @return string Description.
+	 */
+	public function get_description(): string {
+		return __( 'Recommends the WordPress AI Client when a plugin integrates directly with a third-party AI provider.', 'plugin-check' );
+	}
+
+	/**
+	 * Gets the documentation URL for the check.
+	 *
+	 * Every check must have a URL with further information about the check.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @return string The documentation URL.
+	 */
+	public function get_documentation_url(): string {
+		return __( 'https://developer.wordpress.org/plugins/', 'plugin-check' );
+	}
+}

includes/Checker/Default_Check_Repository.php

@@ -103,6 +103,7 @@ private function register_default_checks() {
 				'direct_file_access'         => new Checks\Plugin_Repo\Direct_File_Access_Check(),
 				'external_admin_menu_links'  => new Checks\Plugin_Repo\External_Admin_Menu_Links_Check(),
 				'wp_functions_compatibility' => new Checks\Plugin_Repo\WP_Functions_Compatibility_Check(),
+				'ai_provider'                => new Checks\General\AI_Provider_Check(),
 			)
 		);
 

phpcs-sniffs/PluginCheck/Sniffs/CodeAnalysis/AIProviderSniff.php

@@ -0,0 +1,116 @@
+<?php
+/**
+ * AIProviderSniff
+ *
+ * @package PluginCheck
+ */
+
+namespace PluginCheckCS\PluginCheck\Sniffs\CodeAnalysis;
+
+use PHPCSUtils\Utils\TextStrings;
+use WordPressCS\WordPress\Sniff;
+
+/**
+ * Detects direct integrations with third-party AI providers.
+ *
+ * Since WordPress 7.0, plugins are encouraged to use the WordPress AI Client
+ * and Connectors infrastructure (`wp_ai_client_prompt()`) instead of calling
+ * provider APIs directly, so the site owner can configure their preferred
+ * provider once and plugins can avoid managing provider credentials.
+ *
+ * @link https://make.wordpress.org/core/2025/01/15/ai-building-blocks/
+ *
+ * @since 2.1.0
+ */
+final class AIProviderSniff extends Sniff {
+
+	/**
+	 * List of known third-party AI provider API hosts to detect.
+	 *
+	 * Only full API hostnames are listed to keep matching precise and avoid
+	 * flagging unrelated usage of a provider's marketing or documentation site.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @var array<string>
+	 */
+	protected $ai_provider_hosts = array(
+		'api.openai.com',
+		'api.anthropic.com',
+		'generativelanguage.googleapis.com',
+		'api.x.ai',
+		'api.mistral.ai',
+		'api.cohere.ai',
+		'api.cohere.com',
+		'api.groq.com',
+		'api.perplexity.ai',
+		'api.deepseek.com',
+		'openrouter.ai',
+	);
+
+	/**
+	 * Compiled regex pattern for detecting AI provider hosts.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @var string|null
+	 */
+	private $pattern = null;
+
+	/**
+	 * Returns an array of tokens this test wants to listen for.
+	 *
+	 * Only string literals are inspected; mentions inside comments or docblocks
+	 * are intentionally ignored, as they do not represent a direct integration.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @return array<int|string>
+	 */
+	public function register() {
+		return array(
+			T_CONSTANT_ENCAPSED_STRING,
+			T_DOUBLE_QUOTED_STRING,
+			T_HEREDOC,
+			T_NOWDOC,
+		);
+	}
+
+	/**
+	 * Processes this test, when one of its tokens is encountered.
+	 *
+	 * @since 2.1.0
+	 *
+	 * @param int $stackPtr The position of the current token in the stack.
+	 * @return void
+	 */
+	public function process_token( $stackPtr ) {
+		$content    = $this->tokens[ $stackPtr ]['content'];
+		$token_code = $this->tokens[ $stackPtr ]['code'];
+
+		// Heredoc/nowdoc bodies are used as-is; quoted strings have their quotes removed.
+		if ( T_HEREDOC === $token_code || T_NOWDOC === $token_code ) {
+			$string_content = $content;
+		} else {
+			$string_content = TextStrings::stripQuotes( $content );
+		}
+
+		// Compile the regex pattern on first use.
+		if ( null === $this->pattern ) {
+			$escaped_hosts = array_map(
+				'preg_quote',
+				$this->ai_provider_hosts,
+				array_fill( 0, count( $this->ai_provider_hosts ), '/' )
+			);
+
+			// Require an explicit scheme directly before the host to avoid matching
+			// unrelated text and to target actual request URLs.
+			$this->pattern = '/https?:\/\/(' . implode( '|', $escaped_hosts ) . ')\b/i';
+		}
+
+		if ( preg_match( $this->pattern, $string_content, $matches ) ) {
+			$error = 'Plugin appears to integrate directly with a third-party AI provider (%s). Since WordPress 7.0, consider using the WordPress AI Client and Connectors infrastructure (wp_ai_client_prompt()) where it fits your use case, so the site owner can configure their preferred provider once without the plugin managing provider credentials directly.';
+			$this->phpcsFile->addWarning( $error, $stackPtr, 'DirectIntegration', array( $matches[1] ) );
+		}
+	}
+}

phpcs-sniffs/PluginCheck/Tests/CodeAnalysis/AIProviderUnitTest.inc

@@ -0,0 +1,75 @@
+<?php
+
+/* testOpenAiInSingleQuotedString */
+$response = wp_remote_post( 'https://api.openai.com/v1/chat/completions', $args );
+
+/* testAnthropicInSingleQuotedString */
+$response = wp_remote_post( 'https://api.anthropic.com/v1/messages', $args );
+
+/* testGeminiInDoubleQuotedString */
+$endpoint = "https://generativelanguage.googleapis.com/v1beta/models/gemini-pro:generateContent";
+
+/* testGrokInSingleQuotedString */
+$endpoint = 'https://api.x.ai/v1/chat/completions';
+
+/* testMistralInSingleQuotedString */
+$endpoint = 'https://api.mistral.ai/v1/chat/completions';
+
+/* testCohereAiInSingleQuotedString */
+$endpoint = 'https://api.cohere.ai/v1/generate';
+
+/* testCohereComInSingleQuotedString */
+$endpoint = 'https://api.cohere.com/v2/chat';
+
+/* testGroqInSingleQuotedString */
+$endpoint = 'https://api.groq.com/openai/v1/chat/completions';
+
+/* testPerplexityInSingleQuotedString */
+$endpoint = 'https://api.perplexity.ai/chat/completions';
+
+/* testDeepSeekInSingleQuotedString */
+$endpoint = 'https://api.deepseek.com/chat/completions';
+
+/* testOpenRouterInSingleQuotedString */
+$endpoint = 'https://openrouter.ai/api/v1/chat/completions';
+
+/* testHttpSchemeIsMatched */
+$endpoint = 'http://api.openai.com/v1/models';
+
+/* testProviderInHeredoc */
+$body = <<<EOD
+POST https://api.openai.com/v1/embeddings
+EOD;
+
+/* testProviderInNowdoc */
+$body = <<<'NOWDOC'
+See https://api.anthropic.com/v1/messages
+NOWDOC;
+
+/*
+ * Negative cases below: these must NOT be flagged.
+ */
+
+/* testProviderMentionedInComment */
+// We deliberately avoid https://api.openai.com and use the WordPress AI Client instead.
+
+/* testProviderInDocComment */
+/**
+ * Historically this called https://api.anthropic.com directly.
+ *
+ * @link https://api.x.ai
+ */
+function legacy_notes() {
+}
+
+/* testBareHostWithoutSchemeNotMatched */
+$host = 'api.openai.com';
+
+/* testUnrelatedGoogleApiNotMatched */
+$endpoint = 'https://www.googleapis.com/oauth2/v3/userinfo';
+
+/* testUnrelatedUrlNotMatched */
+$endpoint = 'https://example.com/v1/chat/completions';
+
+/* testWordPressAiClientUsageNotMatched */
+$text = wp_ai_client_prompt( 'Summarize this post.' )->generate_text();

phpcs-sniffs/PluginCheck/Tests/CodeAnalysis/AIProviderUnitTest.php

@@ -0,0 +1,70 @@
+<?php
+/**
+ * Unit tests for AIProviderSniff.
+ *
+ * @package PluginCheck
+ */
+
+namespace PluginCheckCS\PluginCheck\Tests\CodeAnalysis;
+
+use PHP_CodeSniffer\Sniffs\Sniff;
+use PluginCheckCS\PluginCheck\Sniffs\CodeAnalysis\AIProviderSniff;
+use PluginCheckCS\PluginCheck\Tests\AbstractSniffUnitTest;
+
+/**
+ * Unit tests for AIProviderSniff.
+ */
+final class AIProviderUnitTest extends AbstractSniffUnitTest {
+
+	/**
+	 * Returns the lines where errors should occur.
+	 *
+	 * @return array<int, int> Key is the line number and value is the number of expected errors.
+	 */
+	public function getErrorList() {
+		return array();
+	}
+
+	/**
+	 * Returns the lines where warnings should occur.
+	 *
+	 * @return array<int, int> Key is the line number and value is the number of expected warnings.
+	 */
+	public function getWarningList() {
+		return array(
+			4  => 1, // Case: testOpenAiInSingleQuotedString.
+			7  => 1, // Case: testAnthropicInSingleQuotedString.
+			10 => 1, // Case: testGeminiInDoubleQuotedString.
+			13 => 1, // Case: testGrokInSingleQuotedString.
+			16 => 1, // Case: testMistralInSingleQuotedString.
+			19 => 1, // Case: testCohereAiInSingleQuotedString.
+			22 => 1, // Case: testCohereComInSingleQuotedString.
+			25 => 1, // Case: testGroqInSingleQuotedString.
+			28 => 1, // Case: testPerplexityInSingleQuotedString.
+			31 => 1, // Case: testDeepSeekInSingleQuotedString.
+			34 => 1, // Case: testOpenRouterInSingleQuotedString.
+			37 => 1, // Case: testHttpSchemeIsMatched.
+			41 => 1, // Case: testProviderInHeredoc.
+			46 => 1, // Case: testProviderInNowdoc.
+		);
+	}
+
+	/**
+	 * Returns the fully qualified class name (FQCN) of the sniff.
+	 *
+	 * @return string The fully qualified class name of the sniff.
+	 */
+	protected function get_sniff_fqcn() {
+		return AIProviderSniff::class;
+	}
+
+	/**
+	 * Sets the parameters for the sniff.
+	 *
+	 * @throws \RuntimeException If unable to set the ruleset parameters required for the test.
+	 *
+	 * @param Sniff $sniff The sniff being tested.
+	 */
+	public function set_sniff_parameters( Sniff $sniff ) {
+	}
+}

phpcs-sniffs/PluginCheck/ruleset.xml

@@ -3,6 +3,7 @@
 
 	<description>Plugin Check Sniffs</description>
 
+	<rule ref="PluginCheck.CodeAnalysis.AIProvider" />
 	<rule ref="PluginCheck.CodeAnalysis.DiscouragedFunctions" />
 	<rule ref="PluginCheck.CodeAnalysis.EnqueuedResourceOffloading" />
 	<rule ref="PluginCheck.CodeAnalysis.Heredoc" />