Suggest mode: REST permissions and PHP coverage for note suggestions

[adamsilverstein]

Overview

One of three replacement PRs for the now-closed #77407. This slice is the REST/PHP backend for the Suggest-mode lifecycle.

Tracking issue: #73411.

What's in this PR

• REST permission override — lib/compat/wordpress-6.9/class-gutenberg-rest-comment-controller-6-9.php overrides update_item_permissions_check so a user with edit_post on the parent can update note comments — but only for suggestion-lifecycle fields (status limited to approved/hold, plus meta._wp_suggestion_status). Any other field falls back to core's edit_comment check.
• Meta auth_callbacks — _wp_suggestion and _wp_suggestion_status both authorize on edit_post against the parent.
• Payload size cap — 64 KB ceiling on the serialized _wp_suggestion payload, enforced at the controller before sanitize fires (matching the client-side pre-flight cap).
• PHPUnit coverage — class-wp-rest-comments-controller-gutenberg-test.php: meta round-trip, editor-can-apply, contributor-cannot-apply, restricted-field pass-through, payload-size truncation.

Pure backend. No JS, no UI. Safe to merge ahead of the rest of the stack.

Test plan

npm run wp-env run cli -- --env-cwd='wp-content/plugins/gutenberg' vendor/bin/phpunit --filter=WP_Test_REST_Comments_Controller_Gutenberg
vendor/bin/phpcs lib/compat/wordpress-6.9/class-gutenberg-rest-comment-controller-6-9.php lib/compat/wordpress-6.9/block-comments.php

Manual:

1. Editor on a post they can edit_post: PATCH /wp/v2/comments/<id> with { status: 'approved', meta: { _wp_suggestion_status: 'applied' } } — succeeds.
2. Contributor: same PATCH — 403.
3. PATCH with { content: 'rewritten' } — falls back to core edit_comment.
4. PATCH with { status: 'spam' } — falls back to core edit_comment.
5. Submit a _wp_suggestion meta payload > 64 KB — 400.

Replaces part of #77407.

---

🗺️ PR Stack Navigation

#	PR	Phase
1	#77403 Intent scaffolding	Edit / Suggest / View mode
2	#77404 Overlay capture	In-memory suggestion overlay
3	#77405 Provider + Accept/Reject	_wp_suggestion meta, provider, sidebar actions
4	#77406 Summary + docs + attribute tests	Add/Delete/Formatting summary, architecture stub, conflict scoping
5a	#78351 REST permissions and PHP coverage ← this PR	Permissions, payload cap, PHP tests
5b	#78352 Summary + attribute conflict + docs	Renderer, per-attribute staleness, architecture docs
5c	#78353 Surface Apply/Reject in the collaboration sidebar	Icon buttons + e2e + sidebar wiring
6	#78308 Auto-save subsystem	Background debounced save (replaces commit-bar)

📋 Tracking issue: #73411

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: adamsilverstein <adamsilverstein@git.wordpress.org>
Co-authored-by: ciampo <mciampini@git.wordpress.org>
Co-authored-by: retrofox <retrofox@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Flaky tests detected in e5403ae.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/28144766166
📝 Reported issues:

• [Flaky Test] should update the HTML only for the latest navigation #78835 in /test/e2e/specs/interactivity/router-navigate.spec.ts

[github-actions]

Size Change: +255 B (0%)

Total Size: 7.51 MB

📦 View Changed

Filename	Size	Change
build/scripts/components/index.min.js	264 kB	+255 B (+0.1%)

_{compressed-size-action}