Wpcomsh fatal-error: emit a transportable plugin/version/core/php signature

[taipeicoder]

Proposed changes

• Add wpcom_build_fatal_error_signature() / wpcom_decode_fatal_error_signature() to jetpack-mu-wpcom (src/common/fatal-error-signature.php) — a shared helper that produces a base64url-encoded JSON token over {kind, slug, version, wp, php}, fully reversible so consumers can group on the decoded parts. Sized for reuse by other mu-plugins (e.g. Plugin Conflicts Guardian: Pre-flight activation gate #48261's activation-probe failure path) so they can correlate on the same encoded token.
• Wire wpcomsh's fatal-error screen to log the signature to logstash via WPCOMSH_Log::unsafe_direct_log(). Telemetry runs independent of viewer (admin or anonymous) so dashboards aren't biased toward admin-only sites.
• Two-layer dedup so a persistent fatal doesn't emit one record + one outbound HTTP per visitor:
  • Coarse file-path gate (anonymous viewers only): skips plugin identification entirely on duplicate hits — wp_cache_add( 'wpcomsh_fatal_file:' . sha256($error['file']), …, 5 min ). Identification (glob + get_plugin_data) only runs on the first anonymous request per file/5-min, then no-ops the rest.
  • Fine signature gate (all viewers): skips the WPCOMSH_Log file load + outbound HTTP — wp_cache_add( 'wpcomsh_fatal_sig:' . sha256($signature), …, 5 min ). Belt-and-suspenders for the case where the file-path gate doesn't catch (e.g. same plugin loading from multiple paths).
• Log the decoded parts (kind, slug, extension_version, wp_version, php_version) as separate fields alongside the encoded signature, so dashboards can term-aggregate without a base64+JSON decode step.
• Defensive class_exists( 'WPCOMSH_Log', false ) + on-demand require_once from WPCOMSH__PLUGIN_DIR_PATH . '/jetpack_vendor/automattic/jetpack-mu-wpcom/...' (the wpcomsh convention used by lib/tonesque.php and lib/class.color.php), gated on defined( 'WPCOMSH__PLUGIN_DIR_PATH' ) for the bootstrap window before constants.php is loaded.
• The fatal-error screen and recovery email UI are unchanged — the signature is purely server-side telemetry.

Related product discussion/links

• The shared helper is sized for reuse by the in-flight Plugin Conflicts Guardian work in Plugin Conflicts Guardian: Pre-flight activation gate #48261, which can call wpcom_build_fatal_error_signature() directly from its activation-probe failure path. The encoded signature field stays in the wpcomsh logstash payload so cross-system consumers can join on the same opaque token.

Does this pull request change what data or activity we track or use?

Yes. On the first fatal per (site, signature, 5-min) where wpcomsh can identify the offending extension, a new logstash record is queued via the existing WPCOMSH_Log pipeline.

Signature contents (the new fields this PR adds to the logstash record):

• extra.signature — base64url-encoded JSON token. Decoded JSON contains:
  • kind — plugin, muplugin, or theme
  • slug — extension slug, lowercased and trimmed
  • version — extension version string
  • wp — $wp_version
  • php — PHP_MAJOR_VERSION.PHP_MINOR_VERSION.PHP_RELEASE_VERSION (normalized so distro suffixes don't fragment grouping)
• extra.kind, extra.slug, extra.extension_version, extra.wp_version, extra.php_version — the same parts emitted as separate fields for term-aggregation.

Logstash record envelope (added by WPCOMSH_Log::send_to_api(), applies to every wpcomsh telemetry record):

• Top-level siteurl — the result of get_site_url(). Consistent with the existing safeguard / woa / marketplace / atomic-storage telemetry baseline; no new exposure beyond that baseline.

What we deliberately do not include: error message, stack trace, file paths, user id, request URI.

Coverage caveat: wpcomsh_fatal_identify_plugin() only resolves directory-based plugins/themes (e.g. wp-content/plugins/akismet/akismet.php). Single-file extensions (e.g. wp-content/mu-plugins/foo.php) aren't identified and therefore produce no signature record. Pre-existing limitation of the identification helper, not introduced by this PR.

Testing instructions

• On an Atomic test site, trigger a fatal from a directory-based plugin or mu-plugin (e.g. drop wp-content/mu-plugins/boom/boom.php containing trigger_error( 'boom', E_USER_ERROR ) on init).
• Confirm the WordPress.com fatal-error screen still renders the same way for admins and anonymous viewers.
• In Kibana (log2logstash index, filter tags:atomic_wpcomsh_errors AND extra.messages.message:"wpcomsh_fatal_signature", or just free-text "wpcomsh_fatal_signature"), confirm a record arrives shortly after the request. The wpcom receiver wraps it: top-level message is [remote_error] [blog: …] [transfer: …], our payload sits at extra.messages[0].message with the decoded parts under extra.messages[0].extra.* (signature, kind, slug, extension_version, wp_version, php_version).
• Verify dedup: hit the failing site multiple times in quick succession (anonymous + logged-in admin). Confirm only one logstash record is emitted per signature within the 5-minute TTL window.
• Decode the signature locally to verify the round-trip:

  var_dump( wpcom_decode_fatal_error_signature( '<token from logstash>' ) );

  Verify the decoded parts match the offending plugin and the site's WP / PHP versions, and agree with the separate extra.* fields.
• Trigger a fatal with no identifiable file path (e.g. an out-of-memory in core) and confirm no wpcomsh_fatal_signature record is emitted.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (WordPress.com Site Helper), and enable the add/wpcom-fatal-error-signature branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack-mu-wpcom-plugin add/wpcom-fatal-error-signature

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Wpcomsh plugin:

• Next scheduled release: Atomic deploys happen twice daily on weekdays (p9o2xV-2EN-p2)

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/packages/jetpack-mu-wpcom/src/class-jetpack-mu-wpcom.php	2/352 (0.57%)	-0.00%	1 ❤️‍🩹

1 file is newly checked for coverage.

File	Coverage
projects/packages/jetpack-mu-wpcom/src/common/fatal-error-signature.php	0/52 (0.00%) 💔

Full summary · PHP report

_{Coverage check overridden by I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage. .}