Allow headless application-password creation on Atomic sites

[jkmassel]

Description

Fixes #22884.

Problem

ApplicationPasswordsManager.getApplicationCredentials returned NotSupported for any site.isWPCom site. The guard was correct for Simple sites but blocked Atomic sites, which are also isWPCom-flagged and do support REST application-password creation. The user-visible symptom: Atomic users were shown the "Authenticate using Application Password" card on My Site and had to authorize through a Chrome Custom Tab even though the app could mint the credential on their behalf.

What changed

Two commits:

1. Relax the guard (ApplicationPasswordsManager.kt:45): site.isWPCom → site.isWPComSimpleSite. Atomic sites now fall through to the existing origin == ORIGIN_WPCOM_REST branches and use JetpackApplicationPasswordsRestClient — the same path Jetpack-WPCom-REST sites use today, routed through the WP.com proxy.

2. Auto-mint before showing the card (ApplicationPasswordViewModelSlice.buildApplicationPasswordDiscovery): before the card is rendered, attempt headless creation via a new SiteStore.createApplicationPassword(site). On Created/Existing we persist credentials onto the SiteModel (so siteHasBadCredentials flips false) and skip the card. On NotSupported/Failure we fall back to today's discovery + Custom Tab card.

The new SiteStore.createApplicationPassword mirrors the existing deleteApplicationPassword shape and is the public entry point — ApplicationPasswordsManager itself stays internal to fluxc.

Site type coverage

Site type	Today	After this PR
Atomic, no app pwd	Card → Chrome Custom Tab	Headless mint, card hidden
Jetpack-WPCom-REST, no app pwd	Card → Chrome Custom Tab	Headless mint, card hidden
Simple WPCom	No card (discovery returns empty)	No card (NotSupported short-circuit, then discovery returns empty)
Self-hosted with creds	Validate path (unchanged)	Validate path (unchanged)
Self-hosted without creds	Card → Chrome Custom Tab	Mint fails (Failure), card shown as today

Tests

FluxC manager:

• given a simple WPCom site, when we ask for a password, then return NotSupported
• given an Atomic site, when we ask for a password, then create it via the Jetpack client

ViewModel slice:

• given headless mint succeeds, then hide card and skip discovery
• given headless mint returns NotSupported, then fall back to discovery
• Existing tests updated to stub the new mint call.

What we explored

• Routing Atomic to the direct host with WP.com bearer auth (per the issue's "verify" list). Not needed — the existing Jetpack tunnel goes through public-api.wordpress.com, which already handles Atomic. Direct-host calls on Atomic are the Editor fails to load on Atomic sites when theme-styles capability over-reports availability #22879 follow-up.
• Setting wpApiRestUrl from a fresh wpLoginClient.apiDiscovery against the Atomic URL during auto-mint. Deferred — the card-hide condition only checks apiRestUsernamePlain/Password, and the Editor fails to load on Atomic sites when theme-styles capability over-reports availability #22879 follow-up will need to set wpApiRestUrl anyway when it routes auth-aware calls to the direct host.

Testing instructions

Atomic happy path:

1. Sign in to Jetpack debug with a WP.com account that owns an Atomic site (no pre-existing application password for this app on that site).
2. Open the Atomic site on the My Site screen.

• Verify the "Authenticate using Application Password" card does not appear.
• Verify an application password named android-jetpack-client-<device> (or the WordPress equivalent) exists in the site's wp-admin → Users → Profile → Application Passwords.
• Filter logcat for A_P: and confirm Hiding card for <url> - headless mint succeeded.
• Re-open the site: confirm subsequent runs short-circuit on the existing-credentials check (the first early return) without making another mint call.

Simple WPCom regression:

1. Open a Simple WPCom site on My Site.

• Verify no card appears. Logcat shows the mint NotSupported then bad discovery fallback.

Self-hosted regression:

1. Self-hosted site with an existing app password.

• Card still hidden via the existing validation path (unchanged).

2. Self-hosted site without an app password.

• Card appears as today; tapping it still launches the Chrome Custom Tab authorize flow.

Related

• Allow headless application-password creation on Atomic sites #22884 — original issue.
• Editor fails to load on Atomic sites when theme-styles capability over-reports availability #22879 — editor capability detection on Atomic-no-app sites. With headless app-password creation, the editor can consistently use the direct host with auth on Atomic sites and capability detection could go back to a single code path. Separate follow-up.

[dangermattic]

	1 Error
🚫	Please add tests for class OnApplicationPasswordCreateError (or add unit-tests-exemption label to ignore this).

	1 Message
📖	This PR is still a Draft: some checks will be skipped.

Generated by 🚫 Danger

[wpmobilebot]

📲 You can test the changes from this Pull Request in WordPress Android by scanning the QR code below to install the corresponding build.

	App Name	WordPress Android
	Build Type	Debug
	Version	pr22885-5d3d994
	Build Number	1488
	Application ID	org.wordpress.android.prealpha
	Commit	5d3d994
	Installation URL	6cqqjtsen13mg

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[wpmobilebot]

📲 You can test the changes from this Pull Request in Jetpack Android by scanning the QR code below to install the corresponding build.

	App Name	Jetpack Android
	Build Type	Debug
	Version	pr22885-5d3d994
	Build Number	1488
	Application ID	com.jetpack.android.prealpha
	Commit	5d3d994
	Installation URL	0l4vk5cavcvj8

Automatticians: You can use our internal self-serve MC tool to give yourself access to those builds if needed.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.32%. Comparing base (d0a7db5) to head (147fc9c).

Additional details and impacted files

@@           Coverage Diff           @@
##            trunk   #22885   +/-   ##
=======================================
  Coverage   37.31%   37.32%           
=======================================
  Files        2319     2319           
  Lines      124559   124559           
  Branches    16921    16921           
=======================================
+ Hits        46484    46489    +5     
+ Misses      74319    74315    -4     
+ Partials     3756     3755    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.