Add developer lifecycle hooks

[erseco]

Summary

• Adds lifecycle actions for ELPX extraction, metadata persistence, REST saves, styles, and static editor installation.
• Adds presentation filters for shortcode attributes, preview URLs, and final shortcode output, plus a metadata-enrichment filter and a style-registry filter.
• Adds defensive validation around every filter's return value (required internal keys are always restored from trusted values).
• Documents the new developer hooks in docs/HOOKS.md and a "Developer hooks" section in the README.

All hook names are prefixed with exelearning_ and carry complete docblocks with @since 1.0.0.

Hooks added

Area	Hooks
ELPX extraction	exelearning_before_elpx_extract, exelearning_after_elpx_extract
Metadata	exelearning_elpx_metadata (filter), exelearning_after_elpx_metadata_saved
REST save	exelearning_before_elpx_save, exelearning_after_elpx_save
Shortcode	exelearning_shortcode_atts, exelearning_preview_url, exelearning_shortcode_output (filters)
Styles	exelearning_after_style_installed, exelearning_after_style_deleted, exelearning_after_style_enabled_changed, exelearning_style_registry_entry (filter)
Static editor	exelearning_before_editor_install, exelearning_after_editor_install, exelearning_editor_install_failed

Security

The new hooks do not allow bypassing validation, archive safety checks, capability checks, nonce checks, path-traversal protections, CSP headers, checksum/digest verification, or trusted-directory restrictions. They are limited to observation and presentation/metadata enrichment:

• No filters were added for skipping validation, changing trusted directories, or supplying arbitrary editor download URLs.
• exelearning_elpx_metadata and exelearning_style_registry_entry discard non-array returns and restore required internal keys, so a callback can enrich but never drop or forge the extraction hash or style integrity fields.
• Shortcode attribute values are re-sanitized after exelearning_shortcode_atts; the preview URL stays behind the content proxy and is escaped at output time.
• Existing default behavior is unchanged when no callbacks are registered.

Testing

• Added tests/unit/DeveloperHooksTest.php (13 tests, 39 assertions) covering: the metadata filter (enrichment, non-array handling, required-key protection, real-flow persistence), the metadata-saved action, the shortcode atts/output filters (including re-sanitization of unsafe values), the style install/delete/enable actions and registry filter, and the editor install before/failed actions.
• make test FILTER=DeveloperHooks → OK (13 tests, 39 assertions).
• make lint → clean (WordPress Coding Standards).
• Full make test → all pass except the pre-existing StaticEditorInstallerTest::test_is_editor_installed_returns_false_when_missing, which fails only because dist/static/ is built in this local environment (confirmed it fails identically on a clean tree without these changes; it is unrelated to this PR).

Closes #44

[github-actions]

Test in WordPress Playground

Test the plugin with the code from this branch:

⚠️ The embedded eXeLearning editor is not included in this preview. You can install it from Settings > eXeLearning using the "Download & Install Editor" button. All other plugin features (ELP upload, shortcode, Gutenberg block, preview) work normally.