
GH#1255: feat: disable tenant-side gateway manager in sovereign mode #1257

Merged: superdav42 merged 1 commit into main from feature/auto-20260522-063744-gh1255 (May 22, 2026)

@superdav42 superdav42 commented May 22, 2026

Summary

Added early-return guards to process_gateway_confirmations() and ajax_check_payment_status() methods when WU_MT_SOVEREIGN_TENANT is defined. This prevents gateway confirmation processing and payment status polling on tenant sites in sovereign mode, as checkout and payment handling occur on the main site.

Files Changed

inc/managers/class-gateway-manager.php

Runtime Testing

  • Risk level: Low (agent prompts / infrastructure scripts)
  • Verification: PHPCS validation passed. Verified both guards are in place and maybe_process_webhooks() retains its is_main_site() gate.

Resolves #1255


aidevops.sh v3.17.27 plugin for OpenCode v1.15.7 with claude-haiku-4-5 spent 1m and 1,573 tokens on this as a headless worker.

Summary by CodeRabbit

Bug Fixes

  • Payment gateway confirmation and payment status polling operations have been updated to skip processing in certain deployment configurations. The system now bypasses these functions when operating in specific operational modes. This affects how the system communicates with payment gateways and changes the API call patterns.


@superdav42 superdav42 added the origin:worker Auto-created by pulse labelless backfill (t2112) label May 22, 2026
@superdav42

Completion Summary

  • What: Added early-return guards to process_gateway_confirmations() and ajax_check_payment_status() methods when WU_MT_SOVEREIGN_TENANT is defined. This prevents gateway confirmation processing and payment status polling on tenant sites in sovereign mode, as checkout and payment handling occur on the main site.
  • Issue: ADR-001 Phase 3.5 PR-5 — Disable tenant-side Gateway_Manager confirmations + status AJAX #1255
  • Files changed: inc/managers/class-gateway-manager.php
  • Testing: PHPCS validation passed. Verified both guards are in place and maybe_process_webhooks() retains its is_main_site() gate.
  • Key decisions: none



coderabbitai Bot commented May 22, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3ae61c8f-7061-4c7f-ae33-9247d581e8ea

📥 Commits

Reviewing files that changed from the base of the PR and between 72e6e2b and 52edb06.

📒 Files selected for processing (1)
  • inc/managers/class-gateway-manager.php
Walkthrough

This PR adds early-exit guards to two payment-related methods in Gateway_Manager to prevent them from executing in sovereign tenant mode. When WU_MT_SOVEREIGN_TENANT is defined and truthy, both process_gateway_confirmations() and ajax_check_payment_status() return immediately, delegating all payment handling to the main site where checkout and gateway flows actually occur.

Changes

Sovereign Tenant Gateway Bypass

Layer / File(s) | Summary
Early-exit guards for gateway operations (inc/managers/class-gateway-manager.php) | process_gateway_confirmations() and ajax_check_payment_status() now include guards that return immediately when WU_MT_SOVEREIGN_TENANT is defined and truthy, preventing confirmation processing and status polling in sovereign contexts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Suggested labels

origin:interactive

🚥 Pre-merge checks | ✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: disabling tenant-side gateway manager in sovereign mode, which matches the PR's core objective and file modifications.
Linked Issues check | ✅ Passed | The PR fully implements all coding requirements from issue #1255: early-return guards added to process_gateway_confirmations() and ajax_check_payment_status() when WU_MT_SOVEREIGN_TENANT is defined, and maybe_process_webhooks() correctly retains its is_main_site() gate.
Out of Scope Changes check | ✅ Passed | All changes are directly aligned with issue #1255 requirements; only inc/managers/class-gateway-manager.php was modified with the two specified early-return guards, with no extraneous modifications.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

@github-actions

🔨 Build Complete - Ready for Testing!

📦 Download Build Artifact (Recommended)

Download the zip build, upload to WordPress and test:

🌐 Test in WordPress Playground (Very Experimental)

Click the link below to instantly test this PR in your browser - no installation needed!
Playground support for multisite is very limited; hopefully it will get better in the future.

🚀 Launch in Playground

Login credentials: admin / password


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
inc/managers/class-gateway-manager.php (1)

622-626: ⚡ Quick win

Consider moving the sovereign tenant guard after the nonce check.

While the early return prevents any sensitive operation from executing, checking the nonce before returning maintains consistent AJAX security practices and prevents potential issues if code is modified later.

🔒 Suggested defensive ordering
 	public function ajax_check_payment_status(): void {

-		if ( defined( 'WU_MT_SOVEREIGN_TENANT' ) && WU_MT_SOVEREIGN_TENANT ) {
-			return;
-		}
-
 		check_ajax_referer('wu_payment_status_poll', 'nonce');
+
+		if ( defined( 'WU_MT_SOVEREIGN_TENANT' ) && WU_MT_SOVEREIGN_TENANT ) {
+			return;
+		}

 		$payment_hash = wu_request('payment_hash');
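
Review bot: in the relocated guard (the three `+` lines after check_ajax_referer) the handler still ends in a bare `return;`, so on a sovereign tenant a request that passes the nonce check gets no response written by this method, and the polling client cannot distinguish "polling is disabled on this site" from a failure. Consider sending an explicit error response there, for example with wp_send_json_error(), and add a one-line comment above the guard saying why it sits after the nonce check so a later cleanup does not move it back to the top of the method.
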
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@inc/managers/class-gateway-manager.php` around lines 622 - 626, Move the
sovereign-tenant early return so the AJAX nonce is validated first: in the
method containing check_ajax_referer and the WU_MT_SOVEREIGN_TENANT guard, call
check_ajax_referer('wu_payment_status_poll', 'nonce') before evaluating
defined('WU_MT_SOVEREIGN_TENANT') && WU_MT_SOVEREIGN_TENANT, then keep the
return behavior unchanged; this ensures the AJAX nonce check
(check_ajax_referer) always runs for that endpoint while preserving the existing
sovereign tenant short-circuit via the same guard symbol.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0e6c1ad-eee3-4878-a2ae-fa405f62092b

📥 Commits

Reviewing files that changed from the base of the PR and between 769b690 and 72e6e2b.

📒 Files selected for processing (1)
  • inc/managers/class-gateway-manager.php


github-actions Bot commented May 22, 2026

Performance Test Results

Performance test results for d44d9c1 are in 🛎️!

Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.

URL: /

Run | DB Queries | Memory | Before Template | Template | WP Total | LCP | TTFB | LCP - TTFB
0 | 41 | 37.87 MB | 918.00 ms (-40.00 ms / -4%) | 151.00 ms (-7.50 ms / -5%) | 1070.50 ms (-28.50 ms / -3%) | 2022.00 ms (-64.00 ms / -3%) | 1948.15 ms (-67.10 ms / -3%) | 77.15 ms
1 | 56 | 49.13 MB | 967.00 ms | 142.00 ms (-3.00 ms / -2%) | 1108.50 ms | 2122.00 ms | 2047.35 ms | 73.70 ms

superdav42 added a commit that referenced this pull request May 22, 2026
…ments (#1266)

Extends the sovereign-mode disable pattern (established in #1257, #1258, #1261)
to the remaining 8 customer-facing UI elements. When WU_MT_SOVEREIGN_TENANT is
defined, each element renders a single 'Manage on main site' link instead of
its normal output.

Changes:
- Add sovereign helper function wu_mt_main_site_account_url() in inc/functions/sovereign.php
- Add sovereign-redirect template in views/elements/sovereign-redirect.php
- Add sovereign-mode short-circuit to output() method in 8 UI elements:
  * Account_Summary_Element
  * Billing_Info_Element
  * Invoices_Element
  * My_Sites_Element
  * Current_Membership_Element
  * Current_Site_Element
  * Template_Switching_Element
  * Domain_Mapping_Element
- Add comprehensive unit tests for sovereign-mode functionality

Resolves #1263
Resolves Ultimate-Multisite/ultimate-multisite-multi-tenancy#86
Resolves Ultimate-Multisite/ultimate-multisite-multi-tenancy#87
@superdav42 superdav42 added the review-feedback-scanned Merged PR already scanned for quality feedback label May 23, 2026