Unify site provisioning + capability detection into one per-site source

[jkmassel]

Description

Refactors getting-a-site-ready into a single source of truth: one per-site, single-flight pipeline that provisions application-password credentials, recovers the REST root, recovers the XML-RPC endpoint, and detects editor capabilities. This is PR 1 of #22942.

ℹ️ Rebased on trunk, which now carries #22943 (the release/26.8 → trunk backmerge with #22926's REST fix) and #22947 (single-writer SiteModel columns — the #22905 persistence-layer fix). This PR is the new architecture plus the removal of #22926's interim coordination layer (CredentialsChangedNotifier); each stage reads its columns fresh and relies on #22947's exclusions so a concurrent write can't clobber them mid-run.

Provisioning used to be spread across the connectivity banner, the editor preloader, and the application-password card — each triggering its slice of the work, racing the others (a process-global CredentialsChangedNotifier + a getSelectedSite() re-read tried to referee), and mutating its own SiteModel. Two structural problems get fixed:

1. The first-login race — the capability probe could run before the credential was minted. Now auth is awaited first, and the probe is a downstream stage, so the race is impossible, not mitigated.
2. Stale-model writes (Recovered wpApiRestUrl doesn't survive across launches on Atomic sites #22905) — flows held a SiteModel, mutated a field, and wrote the whole row back, clobbering concurrent changes. Now no model is held across stages; each stage reads fresh and writes only its own column, and Make wpApiRestUrl, xmlRpcUrl, and app-password creds single-writer #22947 (landed) excludes those columns from the generic full-row update so nothing else can clobber them either.

SiteProvisioningSource

A @Singleton exposing a per-site StateFlow<SiteReadiness>; single-flight per SiteModel.id (which also subsumes the card's old 409-safety guard — two concurrent mints destroy the winner's creds). Each stage takes a siteLocalId, reads the SiteModel fresh via getSiteByLocalId, and writes back only the column it changed:

ensureAuth(id)                       -> SiteAuthState        (validate / mint; persists creds)
  +- if Provisioned, in parallel:
       |- recoverRestUrl(id) -> detectCapabilities(id)      -> SiteReadiness   (persistApiRootUrl)
       +- recoverXmlRpc(id)                                  (self-hosted)     (persistXmlRpcUrl)

The REST-capability chain and XML-RPC recovery are independent post-auth probes, so they run in parallel — and because each reads fresh and writes only its own column, the two branches can't clobber each other. (detectCapabilities itself still fans out into the route ∥ theme probes.)

Entry points: stateFor (reactive), await (one-shot, preloader), invalidate (PTR / retry), clear (sign-out).

Consumers render slices of one state

SiteReadiness	Connectivity banner	Application-password card	Preloader
NeedsAuth(Provisioning)	hidden	hidden	wait
NeedsAuth(Unprovisionable)	hidden	auth prompt	wait
Unreachable	show	hidden¹	proceed
Ready	hidden	hidden¹	use caps

¹ a true self-hosted site whose XML-RPC endpoint the pipeline couldn't recover still gets the XML-RPC-disabled card — the card now just reads the (pipeline-recovered) xmlRpcUrl fresh.

• ApplicationPasswordViewModelSlice is now a pure renderer — validate/mint and XML-RPC rediscovery moved into the pipeline; its dependency list drops to four.
• Removes CredentialsChangedNotifier + its wiring (the event bus and getSelectedSite() staleness race, Unify editor capability detection into a single per-site state #22942's defect Implementing WordPress.com Notifications Activities #2).
• Banner / preloader subscribe to / await the source. Sign-out calls source.clear().

XML-RPC recovery

SiteXmlRpcUrlRecoverer (new, mirroring SiteApiRestUrlRecoverer) discovers + authenticates a self-hosted site's XML-RPC endpoint and persists it via #22947's SiteSqlUtils.updateXmlRpcUrl — no FluxC changes here; that writer landed with #22947. Recovery is best-effort: a discovery/verify failure is contained and surfaces as the XML-RPC-disabled card (retried next run), never escaping to cancel the pipeline.

Out of scope (follow-up)

• Richer terminal-vs-transient mint semantics and the Allow headless application-password creation on Atomic sites #22884 private-host card.

A RELEASE-NOTES.txt entry (26.9) notes the reliability rework.

Testing instructions

Unit tests:

• ./gradlew :WordPress:testJetpackDebugUnitTest across SiteProvisioningSourceTest, SiteXmlRpcUrlRecovererTest, ApplicationPasswordViewModelSliceTest, SiteConnectivityBannerViewModelSliceTest, GutenbergEditorPreloaderTest, ApplicationPasswordLoginHelperTest, EditorSettingsRepositoryTest.

Private Atomic site (first login — the banner race):

1. Sign out, sign into a WP.com account with a private Atomic site that has an application password.
2. Open My Site, let it settle — do not pull to refresh.

• The "Unable to connect to your site" banner does not flash; capabilities settle on their own.

3. Pull to refresh; create a new post.

• No banner; the editor opens correctly.

Application-password card (the mint move):

1. A self-hosted site that supports application passwords but has none stored.

• The "authenticate" card appears; tapping it starts the authorization flow.

2. A site whose stored application password was revoked server-side.

• The re-authentication card appears.

3. A self-hosted site with XML-RPC genuinely disabled.

• The XML-RPC disabled card appears (and stays hidden where XML-RPC is reachable — the pipeline recovers it).

Regression checks:

1. Public Atomic site, then a WP.com Simple site — open My Site, pull to refresh.

• No banner; capability detection still completes.

Sign-out:

1. Sign out, then sign back in.

• No crash; provisioning + detection run fresh.

[dangermattic]

	1 Warning
⚠️	This PR is larger than 300 lines of changes. Please consider splitting it into smaller PRs for easier and faster reviews.

	1 Message
📖	This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress Android by scanning the QR code below to install the corresponding build.

	App Name	WordPress Android
	Build Type	Debug
	Version	pr22944-3f20dc4
	Build Number	1493
	Application ID	org.wordpress.android.prealpha
	Commit	3f20dc4
	Installation URL	61ulpl5lf8de8

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack Android by scanning the QR code below to install the corresponding build.

	App Name	Jetpack Android
	Build Type	Debug
	Version	pr22944-3f20dc4
	Build Number	1493
	Application ID	com.jetpack.android.prealpha
	Commit	3f20dc4
	Installation URL	5vf6bfl4d1qpo

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[codecov]

Codecov Report

❌ Patch coverage is 82.60870% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.32%. Comparing base (1ba5e7a) to head (3f20dc4).
⚠️ Report is 1 commits behind head on trunk.

Files with missing lines	Patch %	Lines
...ess/android/repositories/SiteProvisioningSource.kt	87.77%	0 Missing and 11 partials ⚠️
...ationpassword/ApplicationPasswordViewModelSlice.kt	54.54%	3 Missing and 7 partials ⚠️
.../main/java/org/wordpress/android/AppInitializer.kt	0.00%	2 Missing ⚠️
...nnectivity/SiteConnectivityBannerViewModelSlice.kt	80.00%	0 Missing and 2 partials ⚠️
...press/android/ui/posts/GutenbergEditorPreloader.kt	71.42%	1 Missing and 1 partial ⚠️
...s/android/repositories/EditorSettingsRepository.kt	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            trunk   #22944      +/-   ##
==========================================
+ Coverage   37.28%   37.32%   +0.03%     
==========================================
  Files        2330     2331       +1     
  Lines      125701   125760      +59     
  Branches    17122    17143      +21     
==========================================
+ Hits        46872    46936      +64     
+ Misses      75032    75018      -14     
- Partials     3797     3806       +9     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[wpmobilebot]

🤖 Build Failure Analysis

This build has failures. Claude has analyzed them - check the build annotations for details.