Update/mcp actor

[eoigal]

Related to https://linear.app/a8c/issue/AI-890/add-user-facing-activity-log-for-mcp-tool-executions

Proposed changes:

• Enriches sync actor from X-WPCOM-MCP header by decoding base64 JSON, sanitizing client name/version, and marking is_mcp_agent when either is present.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

• Test on simple with 204134-ghe-Automattic/wpcom

Changelog

• Generate changelog entries for this PR (using AI).

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the update/mcp-actor branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack update/mcp-actor

bin/jetpack-downloader test jetpack-mu-wpcom-plugin update/mcp-actor

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[Copilot]

Pull request overview

This PR extends Jetpack Sync’s actor metadata to include MCP client details from a request header, so Sync events can be attributed to MCP-based clients when present.

Changes:

• Parse HTTP_X_WPCOM_MCP (base64 JSON) and add mcp_client_name, mcp_client_version, and is_mcp_agent to the actor payload.
• Add a Sync package changelog entry describing the new actor metadata.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
projects/packages/sync/src/class-listener.php	Adds MCP header decoding and populates MCP-related fields on the Sync actor.
projects/packages/sync/changelog/update-mcp-actor	Adds a changelog entry for the MCP actor metadata change.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/packages/sync/src/class-listener.php	32/176 (18.18%)	-1.57%	14 💔

Full summary · PHP report · JS report

_{Coverage check overridden by I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage. .}

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sergeymitr]

Works well 👍

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

HTTP_X_WPCOM_MCP is fully user-controlled and currently gets preg_match/base64_decode/json_decode applied without any explicit size limit. Even with typical web server header limits, this can still be abused to increase CPU/memory usage during sync-triggering requests. Consider adding a conservative max length check on the raw header (and/or decoded JSON) before attempting regex/decode, and bail out early if it exceeds that limit.

[Copilot]

sanitize_text_field() removes unsafe characters but doesn’t enforce a maximum length. Since these values are added to every actor payload, a long mcp_client_name/mcp_client_version could bloat sync data and activity logs. Consider truncating these sanitized strings to a reasonable max length before assigning them into $actor.