feat: global IP/CIDR/UA whitelist bypassing all restrictions

- class-itk-whitelist.php: static class with 5min transient cache,
  supports exact IP, CIDR notation, and ua: prefix for UA substrings
- config/whitelist.conf: editable config file (template with examples)
- whitelist check added to bot-blocker, WAF, protection (4 methods),
  and honeypot validator — matched requests skip all ITK enforcement
- admin: whitelist.conf added to Config Files editor tab

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-13 10:00:16 +02:00
parent 742047915f
commit 52af2d9931
8 changed files with 121 additions and 0 deletions


@@ -285,6 +285,7 @@ class ITK_Admin {
'referrers' => ITK_PATH . 'config/referrers.conf',
'networks' => ITK_PATH . 'config/networks.conf',
'allowed-ips'=> ITK_PATH . 'config/allowed-ips.conf',
'whitelist' => ITK_PATH . 'config/whitelist.conf',
];
if (!isset($allowed[$file])) wp_send_json_error('invalid file');
@@ -299,6 +300,7 @@ class ITK_Admin {
delete_transient('itk_referrers_list');
delete_transient('itk_networks_list');
delete_transient('itk_goodbots_list');
ITK_Whitelist::invalidate_cache();
wp_send_json_success();
}
@@ -1395,6 +1397,7 @@ class ITK_Admin {
'referrers' => ['Bad Referrers', 'config/referrers.conf', 'One domain substring per line.'],
'networks' => ['Bad Networks', 'config/networks.conf', 'One IP or CIDR range per line (e.g. 1.2.3.0/24).'],
'allowed-ips' => ['Allowed IPs', 'config/allowed-ips.conf','IPs/CIDRs allowed to access wp-login.php (one per line).'],
'whitelist' => ['Whitelist', 'config/whitelist.conf', 'IPs, CIDRs, or UA substrings (ua:...) that bypass all restrictions. One per line.'],
];
$active_file = sanitize_key($_GET['file'] ?? 'badbots');
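Review bot: The help text on the new `'whitelist'` row in the third hunk should say that `ua:` entries are not a trust signal, because the User-Agent header is chosen by the client and a match here skips all ITK enforcement; for example `'IPs, CIDRs, or UA substrings (ua:...) that bypass all restrictions. One per line. UA matches are client-supplied and spoofable; prefer IP/CIDR.'`. The first hunk also makes `config/whitelist.conf` writable through the existing save handler, whose capability and nonce checks are not visible in the hunk, so it is worth confirming they run before the `$allowed[$file]` lookup. Nothing visible here validates the saved lines, so, depending on how `ITK_Whitelist` parses them, an overly broad CIDR or an empty `ua:` entry could exempt every request; rejecting such lines at save time would be a sensible guard. The enclosing methods start and end outside these hunks.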