Make wpApiRestUrl, xmlRpcUrl, and app-password creds single-writer

[jkmassel]

Description

Fixes #22905. The REST API root (wpApiRestUrl) is discovered/healed out of band — never
carried by the general site-sync responses — yet every full-row insertOrUpdateSite UPDATE
rewrote it. When the in-memory SiteModel came from a source that doesn't carry it (/me/sites,
/sites/<id>, the RN bridge, cookie-nonce auth), the write stamped a stale null over the good
value, so on Atomic sites the recovered URL was wiped on every app foreground.

Two adjacent columns share that write path and are folded in here. The application-password
credentials weren't actually leaking — the same copy-forward shielded them (it was gated on
them) — but it had to be torn out for the wpApiRestUrl fix, so they take the same exclusion as a
TOCTOU-free replacement. xmlRpcUrl is a third case: the WP.com sync reliably carries it, so
rather than exclude it we preserve it on absence — only a partial writer that omits it (the WPAPI
fetch) can null it. See #3.

Root cause

SiteSqlUtils.insertOrUpdateSite updates via WellSql.update().put(model, UpdateAllExceptId(...)),
which writes every column except _id. Per-handler preservation existed for some columns
but was gated on encrypted AP creds being present — which Atomic sites don't have — so it
didn't fire for them, and it was TOCTOU-fragile regardless.

Fix

Two mechanisms, matched to how each column is sourced:

• Excluded from the generic mapper — WP_API_REST_URL and the app-password credential columns.
  These are never carried by a site-sync response, so the full-row UPDATE skips them entirely (via a new
  UpdateAllExceptId skip-list) and a targeted single-column writer is their sole writer on an
  existing row. INSERT is untouched. Every caller that legitimately set one is rerouted to the targeted
  writer; redundant writes are removed.
• Preserved on absence — XMLRPC_URL. The WP.com sync does carry it, so the full-row UPDATE still
  writes it (that's how a changed endpoint lands); it just keeps the stored value when the inbound model
  carries none, so a partial writer can't null it.

Column-by-column:

1. WP_API_REST_URL

• updateWpApiRestUrl (the heal writer from Populate missing wpApiRestUrl during editor preload #22903) becomes the sole writer; clearWpApiRestUrl
  for sign-out.
• Rerouted the discover/persist callers: updateApplicationPassword, CookieNonceAuthenticator,
  ReactNativeStore, and fetchSiteWPAPIFromApplicationPassword (URL-keyed, since the freshly
  fetched site has no local id).

2. Application-password credentials

Hardening, not a clobber fix — the gated copy-forward already shielded these (see Root cause), so
they weren't leaking; the exclusion is a robust, TOCTOU-free replacement once that copy-forward goes.

• API_REST_USERNAME, API_REST_PASSWORD and their two IV columns, excluded as a set — the
  IVs are required to decrypt the ciphertext, so persisting the values without them breaks reads.
• New updateApplicationPasswordCredentials (encrypts) / clearApplicationPasswordCredentials,
  wired into updateApplicationPassword, removeApplicationPassword (full sign-out — also clears
  wpApiRestUrl), clearApplicationPasswordColumns (rotation — intentionally preserves
  wpApiRestUrl), and the WPAPI app-password fetch.
• createOrUpdateSites persists creds via the targeted writer too: insertOrUpdateSite gained an
  insertOrUpdateSiteReturningId variant so the handler can target the exact written row. This
  fixes app-password login of an existing XML-RPC site, where the exclusion would otherwise
  drop the creds.

3. XMLRPC_URL — preserved, not excluded

Unlike the other two, the WP.com REST sync reliably returns meta.links.xmlrpc (verified against
/me/sites), so excluding the column would silently drop a changed endpoint (e.g. a domain migration)
on an existing row. Instead, insertOrUpdateSite preserves it on absence — copying the stored value
forward only when the inbound model has none — so the WPAPI fetch (which builds a model with a null
xmlRpcUrl) can't clobber a stored/rediscovered value.

• updateXmlRpcUrl / SiteStore.persistXmlRpcUrl remain for the single-column rediscovery heal — one
  targeted write instead of an ~100-column full-row updateSite.
• attemptXmlRpcRediscovery (the My Site app-password card) persists the rediscovered endpoint through
  that writer.

Cleanup enabled by the migration

• Removed the 404 no-op wpApiRestUrl writes in CookieNonceAuthenticator / ReactNativeStore
  (and RN's now-orphaned persistSiteSafely / sitePersistanceFunction) — they reset the column
  in memory to drive rediscovery and never needed to persist.
• Removed the moot gated credential/wpApiRestUrl copy-forward blocks in updateSite /
  createOrUpdateSites.
• Collapsed updateApplicationPassword / removeApplicationPassword / clearApplicationPasswordColumns
  to their targeted writers — the in-memory mutations and self-insertOrUpdateSite they used to
  do persisted nothing once the columns were excluded.

Defensive hardening (unrelated to the clobber)

• decryptAPIRestCredentials now also short-circuits when an IV column is blank (not just when the
  ciphertext is empty), so a malformed ciphertext-without-IV row reads as "no credentials" instead
  of throwing on decrypt(ciphertext, ""). Cheap, and on the same read path.

Out of scope / follow-ups

• Unify site provisioning + capability detection into one per-site source #22944 rebases on this PR — it has a duplicate updateXmlRpcUrl (provided here) and its own
  rework of attemptXmlRpcRediscovery; both reconcile against this.

Testing instructions

Automated

1. Run ./gradlew :libs:fluxc:testDebugUnitTest

• Green (bar a pre-existing timezone-dependent StatsUtilsTest flake unrelated to this change).
  SiteSqlUtilsTest covers each column family — a stale full-row update preserves the protected
  column while still updating the others, and for xmlRpcUrl that a carried value still overwrites
  (the migration case) — plus the targeted writers and the blank-IV decrypt guard.

2. Run ./gradlew :WordPress:testJetpackDebugUnitTest --tests "*ApplicationPasswordViewModelSliceTest"

• Green — XML-RPC rediscovery now verifies the targeted persistXmlRpcUrl write.

Manual — Atomic site (the original repro)

1. Sign in with an Atomic site (e.g. *.jurassic.ninja) and open it so wpApiRestUrl is
   discovered/healed.
2. Background/foreground a few times (triggers FETCH_SITE/FETCH_SITES), then kill and relaunch.

• WP_API_REST_URL survives — no longer reset to NULL across launches.

Manual — self-hosted application-password site

1. Add an application password to a self-hosted site, then load My Site a few times.

• Credentials persist; no false "Unable to connect to your site" banner.

2. If the site's XML-RPC was disabled and is re-enabled, confirm the card's rediscovery persists.

• xmlRpcUrl is repopulated and survives a relaunch.

3. Remove the application password.

• Credentials and wpApiRestUrl are cleared.

Appendix: site-type × column handling

How each site type's three out-of-band columns are persisted, and what this PR changes (Δ).

Mechanisms: 🔒 excluded — the full-row sync UPDATE skips the column; only a dedicated targeted writer persists it (never carried by a sync, so a full-row write could only zero it). 🛡️ preserve-on-absence — the full-row UPDATE writes the column when the inbound model carries a value, but keeps the stored value when it doesn't. Targeted writers: updateWpApiRestUrl / updateXmlRpcUrl / updateApplicationPasswordCredentials (+ clear* and URL-keyed *ForWPAPISite variants).

Site type	wpApiRestUrl	xmlRpcUrl	App-password creds
WP.com Simple (isWPCom && !atomic)	Getter always synthesizes public-api.wordpress.com/wp/v2/sites/<id> on read, so the stored column is moot (mapper writes the synthetic value on INSERT; 🔒 only stops UPDATEs rewriting it). No change.	From meta.links.xmlrpc; 🛡️ written on sync, but unused (Simple sites don't speak XML-RPC). No meaningful change.	Not carried in normal use — WP.com bearer token; the Jetpack-tunnel mint only works for Atomic/Jetpack sites. No change.
WP.com Atomic / Jetpack-via-REST (isUsingWpComRestApi, non-simple)	Real REST root discovered/healed out of band. Δ Was wiped to NULL on every app foreground (#22905); now 🔒 excluded → preserved, healed via updateWpApiRestUrl.	From meta.links.xmlrpc; 🛡️ written on sync (incl. a migrated endpoint).	Minted by the My-Site card (Jetpack tunnel). Δ Was zeroed by credential-less /me/sites syncs; now 🔒 excluded → preserved via updateApplicationPasswordCredentials.
Self-hosted — application password (ORIGIN_WPAPI)	Set at fetch. 🔒 excluded → persisted by URL-keyed updateWpApiRestUrlForWPAPISite (fresh model has no local id yet).	fetchWPAPISite leaves it null. Δ 🛡️ preserve-on-absence keeps a rediscovered value — a re-fetch would otherwise clobber it; healed via persistXmlRpcUrl (rediscovery card, gated !isUsingWpComRestApi).	Set at fetch. 🔒 excluded → URL-keyed updateApplicationPasswordCredentialsForWPAPISite.
Self-hosted — XML-RPC (ORIGIN_XMLRPC)	Set via app-password discovery (apiRootUrl) when present. 🔒 excluded → written on the stamped row by updateWpApiRestUrl.	Identity column — carried by the model → 🛡️ written normally.	App-password login: Δ now persisted on the exact written row via insertOrUpdateSiteReturningId + updateApplicationPasswordCredentials (the existing-site half of the #22905 fix; the full-row write alone dropped them).

Notes

• The clobber bug only ever bit columns a sync doesn't carry — wpApiRestUrl and creds on Atomic / Jetpack-via-REST / self-hosted sites. WP.com Simple was never affected (synthetic getter), and xmlRpcUrl was never the real problem (the WP.com sync reliably returns meta.links.xmlrpc).
• xmlRpcUrl was de-escalated from excluded to preserve-on-absence during review: excluding it would have silently dropped a migrated endpoint for WP.com sites, and the only real non-WP.com clobber (the ORIGIN_WPAPI re-fetch) is covered by preserve-on-absence.
• Clear paths (action-driven): full sign-out clears creds and wpApiRestUrl; credential rotation clears creds but preserves wpApiRestUrl (reused across rotations).

[dangermattic]

	2 Warnings
⚠️	This PR is larger than 300 lines of changes. Please consider splitting it into smaller PRs for easier and faster reviews.
⚠️	PR is not assigned to a milestone.

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress Android by scanning the QR code below to install the corresponding build.

	App Name	WordPress Android
	Build Type	Debug
	Version	pr22947-fb89734
	Build Number	1493
	Application ID	org.wordpress.android.prealpha
	Commit	fb89734
	Installation URL	1edrangp9kgqo

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack Android by scanning the QR code below to install the corresponding build.

	App Name	Jetpack Android
	Build Type	Debug
	Version	pr22947-fb89734
	Build Number	1493
	Application ID	com.jetpack.android.prealpha
	Commit	fb89734
	Installation URL	5imsqk1sk00t0

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

🤖 Build Failure Analysis

This build has failures. Claude has analyzed them - check the build annotations for details.

[codecov]

Codecov Report

❌ Patch coverage is 88.00000% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.28%. Comparing base (a88923a) to head (fb89734).
⚠️ Report is 1 commits behind head on trunk.

Files with missing lines	Patch %	Lines
...ava/org/wordpress/android/fluxc/store/SiteStore.kt	80.55%	1 Missing and 6 partials ⚠️
...uxc/network/rest/wpapi/CookieNonceAuthenticator.kt	0.00%	3 Missing ⚠️
...ordpress/android/fluxc/persistence/SiteSqlUtils.kt	96.07%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##            trunk   #22947      +/-   ##
==========================================
+ Coverage   37.22%   37.28%   +0.06%     
==========================================
  Files        2330     2330              
  Lines      125667   125701      +34     
  Branches    17115    17122       +7     
==========================================
+ Hits        46777    46872      +95     
+ Misses      75104    75032      -72     
- Partials     3786     3797      +11     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[oguzkocer]

Looks good

I've tested the race condition I reported here and it worked great.