WAF: register WP Abilities API reads

[enejb]

Summary

Registers two read-only abilities for the Jetpack WAF (Web Application Firewall) package via the Automattic\Jetpack\WP_Abilities\Registrar base class:

• jetpack-waf/get-mode — returns { mode, automatic_rules_active, automatic_rules_last_update, brute_force_protection_active, ip_allow_list_count, ip_block_list_count }. mode is one of disabled, silent, or normal.
• jetpack-waf/get-rules-status — returns { jetpack_waf_automatic_rules_last_updated_timestamp, jetpack_waf_last_updated_timestamp, standalone_mode, rules_file_present, rules_file_size }.

Both are read-only / idempotent / non-destructive, gated on current_user_can( 'manage_options' ) to match the existing WAF REST controller cap.

Cross-consumer wiring

WAF is consumed by both the Jetpack plugin and the Jetpack Protect plugin, so registration lives in a new projects/packages/waf/actions.php (added to composer.json autoload.files). It hooks plugins_loaded at priority 20 and checks the package-wide jetpack_wp_abilities_enabled gate filter (default false) before calling Waf_Abilities::init(). Net effect: when a host plugin opts in, the abilities fire on both Jetpack and Protect installs without duplicating bootstrap code.

References plan §4.2 (cross-consumer wiring via package actions.php) and §4.5 (read-only WAF surface; writes deferred to a follow-up).

Test plan

• composer phpunit from projects/packages/waf/ — all 274 tests pass (48 integration including 17 new abilities tests, 226 unit).
• In a running WP with add_filter( 'jetpack_wp_abilities_enabled', '__return_true' ), confirm /wp-json/wp-abilities/v1/abilities lists both jetpack-waf/get-mode and jetpack-waf/get-rules-status.
• On a Protect-only install (no Jetpack plugin), confirm the abilities still register (proves the cross-consumer wiring path).
• Manually exercise both abilities on a site with the WAF module disabled and with it enabled in each mode (silent, normal).

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the add/ship-waf-abilities branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack add/ship-waf-abilities

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• 🔴 Add a "[Status]" label (In Progress, Needs Review, ...).
  
• 🔴 Add testing instructions.
  
• 🔴 Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

🔴 Action required: Please include detailed testing steps, explaining how to test your change, like so:

## Testing instructions:

* Go to '..'
*

---

🔴 Action required: We would recommend that you add a section to the PR description to specify whether this PR includes any changes to data or privacy, like so:

## Does this pull request change what data or activity we track or use?

My PR adds *x* and *y*.

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[jp-launch-control]

Code Coverage Summary

1 file is newly checked for coverage.

File	Coverage
projects/packages/waf/src/abilities/class-waf-abilities.php	117/118 (99.15%) 💚

Full summary · PHP report · JS report