feat: add settings import/export functionality

[coderGtm]

What?

Closes #191

This PR implements the ability to export and import non-sensitive AI configuration settings and introduces a dedicated AI section in WordPress Site Health.

Why?

Allowing users to move AI configurations between environments (e.g., staging to production, multi-site etc.) improves the developer experience. By excluding sensitive credentials from the export, we ensure security while maintaining portability. The Site Health integration provides administrators with a quick overview of the plugin's status and credential health.

How?

• REST API: Created includes/REST/Settings_IO_Controller.php to handle GET /ai/v1/settings/export and POST /ai/v1/settings/import.
• Security: Implemented SENSITIVE_PATTERNS filtering to ensure API keys, tokens, and secrets are never exported or overwritten during import.
• Site Health: Added includes/Admin/Site_Health.php to provide debug information (version, enabled features, credential status) and a status test for connectivity.
• UI/UX:
  • Added "Export settings" and "Import settings" to the AI settings menu in routes/ai-home/stage.tsx.
  • Implemented a confirmation modal for imports.
• Tests: Added comprehensive integration tests in tests/Integration/Includes/REST/Settings_IO_ControllerTest.php and tests/Integration/Includes/Admin/Site_HealthTest.php.

Use of AI Tools

AI assistance: Yes
Tool(s): GitHub Copilot
Model(s): Claude Sonnet 4.6, GPT-4o
Used for: Authoring the codebase exploration, UI components, and the integration test suite.

Testing Instructions

1. Navigate to AI Settings.
2. Open the kebab menu (three vertical dots) in the top right.
3. Click Export settings. A JSON file containing your current toggles and developer configurations (but no API keys) should download.
4. Toggle several features to different states.
5. Click Import settings in the menu and select the previously downloaded file.
6. Confirm the prompt "This will overwrite existing AI settings."
7. Verification: The UI should update immediately to reflect the imported settings without a page refresh.
8. Navigate to Tools > Site Health.
9. In the Status tab, verify the "AI Plugin" test results.
10. In the Info tab, verify the "AI Plugin" section contains correct metadata about your setup.

Screenshots or screencast

Menu Items:

Confirmation prompt before completing import:

Changelog Entry

Added - Import/Export functionality for non-sensitive AI settings.
Added - AI-specific Site Health integration and status tests.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: coderGtm <gautam23@git.wordpress.org>
Co-authored-by: dkotter <dkotter@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[coderGtm]

The failing JavaScript quality check is due to a conflict between eslint and typescript. While eslint prefers dot notation, typescript complains about it (TS4111). Should I suppress the eslint error?

[dkotter]

The failing JavaScript quality check is due to a conflict between eslint and typescript. While eslint prefers dot notation, typescript complains about it (TS4111). Should I suppress the eslint error?

We do have a number of these that we already ignore with inline statements so I think that's fine

[dkotter]

Overall this looks really good, left a few comments. In addition, an E2E test here would be nice to verify the import/export options are available

[dkotter]

So this isn't entirely accurate. The has_ai_credentials function will tell us if a Provider has credentials set but doesn't tell us if the credentials are valid. We do have a new is_connector_configured function that we could use here instead

[dkotter]

So this file is already really large so if we can extract out any of these new functions into individual component or hook files, that would be great

[dkotter]

Worth adding just key to this list?

[dkotter]

Also risk here if there's a setting named author, I think that gets matched due to auth

[dkotter]

Slight risk here since we don't run any sort of validation or sanitization

[dkotter]

And would be nice to capture this in a test, ensuring if someone passes in data that is the wrong type (i.e. we expect a boolean for a certain field and someone passes in string) that the data is either sanitized properly or rejected

[dkotter]

Does this need to load everywhere or could we scope this to the admin only?

[coderGtm]

Thanks @dkotter for reviewing this. I will work on the feedback over the days and request a review again.