feat: global IP/CIDR/UA whitelist bypassing all restrictions

- class-itk-whitelist.php: static class with 5min transient cache,
  supports exact IP, CIDR notation, and ua: prefix for UA substrings
- config/whitelist.conf: editable config file (template with examples)
- whitelist check added to bot-blocker, WAF, protection (4 methods),
  and honeypot validator — matched requests skip all ITK enforcement
- admin: whitelist.conf added to Config Files editor tab

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

includes/class-itk-protection.php

@@ -37,6 +37,7 @@ class ITK_Protection {
     /* ── wp-login protection ──────────────────────────────────── */
 
     public function protect_wp_login(): void {
+        if (ITK_Whitelist::allowed()) return;
         $options = get_option('itk_security', []);
         if (empty($options['protect_wp_login'])) return;
 
@@ -80,6 +81,7 @@ class ITK_Protection {
     /* ── Sensitive file blocking ──────────────────────────────── */
 
     public function block_sensitive_files(): void {
+        if (ITK_Whitelist::allowed()) return;
         $options = get_option('itk_security', []);
         $uri     = $_SERVER['REQUEST_URI'] ?? '';
 
@@ -120,6 +122,7 @@ class ITK_Protection {
     /* ── Malicious query blocking ─────────────────────────────── */
 
     public function block_malicious_queries(): void {
+        if (ITK_Whitelist::allowed()) return;
         $options = get_option('itk_security', []);
         if (empty($options['block_malicious_queries'])) return;
 
@@ -154,6 +157,7 @@ class ITK_Protection {
     /* ── Author scan blocking ─────────────────────────────────── */
 
     public function block_author_scans(): void {
+        if (ITK_Whitelist::allowed()) return;
         $options = get_option('itk_security', []);
         if (empty($options['block_author_scans'])) return;