Add support for application passwords via env vars and wp-cli.yml config

[Copilot]

• Explore repository and understand current auth implementation
• Update Runner.php to support application password credentials from:
  • http_user / http_password keys in wp-cli.yml (lowest priority)
  • WP_REST_CLI_AUTH_USER / WP_REST_CLI_AUTH_PASSWORD environment variables (medium priority)
  • URL embedding --http=user:pass@example.com (highest priority, existing behavior)
• Fix parse_url scheme normalization: URL-embedded credentials now work correctly even when --http has no http:// or https:// prefix
• Extract auth resolution into Runner::resolve_auth() — pure static helper, no HTTP requests needed, fully unit-testable
• Add tests/Runner_Resolve_Auth_Test.php with 10 unit tests covering all priority cases and edge cases
• Resolve merge conflicts with origin/main (PHPStan refactor): incorporate assert() calls, route validation, type annotations, RestCommand rename, wp_installing() usage — keeping our resolve_auth() in place of main's old parse_url block
• Run existing tests — all 16 tests pass (lint, phpcs, phpunit)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add support for application passwords</issue_title>
<issue_description>## Feature Request

• Yes, I reviewed the contribution guidelines.

Describe your use case and the problem you are facing

Application passwords as a REST API authentication as added back in WordPress 5.6. This allow for authenticated requests by passing username and application password. It would be great if RESTful command fully support this.

Currently it is possible to use application password by passing username and password in the command like this.

wp rest --http=http://admin:"X9yS 9YYn pbaU 5H8A kJNO DEfe"@www.example.com post create --content=wibble --title=wibble

However, this is not espcially secure. As the password is written in plan text in the command.

Describe the solution you'd like

There are a number of ways this could be implemented,

• New paramters.

wp rest --http=https://www.example.com --application_user=admin --application_password=password

• Use envoriment variables
  Username and password could be read in via envoriment variables.

• Via wp-cli.yml
  Username and password could be read in via wp-cli.yml

It would also be nice, if this command supported, application registion as well. But this is a nice to have.
</issue_description>

Comments on the Issue (you are @copilot in this section)

@danielbachhuber I'm open to a PR on this, and I don't have a strong opinion on the implementation at this point. I'd look at authentication for other CLI tools for inspiration.

Feel free to submit a pull request, if you'd like. Here is some guidance on our pull request best practices.</comment_new>

• Fixes Add support for application passwords #141

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[codecov]

Codecov Report

❌ Patch coverage is 96.15385% with 1 line in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
inc/Runner.php	96.15%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[swissspidy]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in commit 7ccab08. The merge conflict in inc/Runner.php was between our resolve_auth() call and main's PHPStan refactor that added assert(), route validation, type annotations, and RestCommand rename. The resolution keeps all of main's improvements while substituting our resolve_auth() for main's old parse_url block. All 16 tests pass.