feat(c2pa-monitor): L5 wire add_attachment and integration tests

- capture_for_attachment, sidecar, Record persistence
- C2pa_MonitorTest; README: full flow, DIF schema cross-links, out of scope

Made-with: Cursor

Author: lnispel

includes/Experiments/C2pa_Monitor/C2pa_Monitor.php

@@ -23,7 +23,9 @@
 /**
  * C2PA Monitor experiment class.
  *
- * Layer 1: experiment metadata and registration only; no capture hook.
+ * Hooks into add_attachment and captures a structured `_wpai_monitor_record`
+ * for every uploaded image. The capture is read-only, fail-open, and never
+ * blocks the upload pipeline.
  *
  * @since 0.7.0
  */
@@ -78,7 +80,142 @@ protected function load_metadata(): array {
 	 * {@inheritDoc}
 	 */
 	public function register(): void {
-		// Intake hook is registered in a later layer.
+		add_action( 'add_attachment', array( $this, 'capture_for_attachment' ), 20, 1 );
+	}
+
+	/**
+	 * Captures C2PA presence and raw manifest for a freshly created attachment.
+	 *
+	 * Wrapped in a fail-open boundary: issues are recorded in the `errors`
+	 * array inside the persisted postmeta (when this experiment applies to the
+	 * attachment) alongside whatever partial data was collected. This handler
+	 * never throws, never returns an error, and never blocks the upload.
+	 * Unsupported MIME types are left untouched: no postmeta is written.
+	 *
+	 * @since 0.7.0
+	 *
+	 * @param int $attachment_id The newly created attachment ID.
+	 * @return void
+	 */
+	public function capture_for_attachment( int $attachment_id ): void {
+		$started_at     = microtime( true );
+		$should_persist = true;
+		$errors         = array();
+		$source         = array(
+			'attachment_id'          => $attachment_id,
+			'original_path_relative' => '',
+			'size_bytes'             => 0,
+			'mime'                   => '',
+		);
+		$c2pa           = array(
+			'present' => false,
+			'format'  => null,
+		);
+
+		try {
+			$mime           = (string) get_post_mime_type( $attachment_id );
+			$source['mime'] = $mime;
+
+			if ( ! self::is_supported_mime( $mime ) ) {
+				$should_persist = false;
+				return;
+			}
+
+			$path = self::get_original_path( $attachment_id );
+			if ( '' === $path || ! is_readable( $path ) ) {
+				$errors[] = array(
+					'stage'   => 'resolve_path',
+					'message' => 'Attachment file is not readable.',
+				);
+				return;
+			}
+
+			$size = filesize( $path );
+			if ( false === $size ) {
+				$errors[] = array(
+					'stage'   => 'stat',
+					'message' => 'filesize() returned false.',
+				);
+				return;
+			}
+
+			$source['size_bytes']             = (int) $size;
+			$source['original_path_relative'] = self::relative_to_uploads( $path );
+
+			if ( $size > self::MAX_SCAN_BYTES ) {
+				$errors[] = array(
+					'stage'   => 'size_cap',
+					'message' => sprintf( 'File exceeds MAX_SCAN_BYTES (%d).', self::MAX_SCAN_BYTES ),
+				);
+				return;
+			}
+
+			$detector       = new Format_Detector();
+			$format         = $detector->detect_format( $path );
+			$c2pa['format'] = $format;
+
+			if ( null === $format ) {
+				return;
+			}
+
+			$location = $detector->find_manifest_location( $path, $format );
+			if ( null === $location ) {
+				return;
+			}
+
+			$reader   = new Manifest_Reader();
+			$manifest = $reader->read( $path, $location );
+			if ( null === $manifest ) {
+				$errors[] = array(
+					'stage'   => 'read_manifest',
+					'message' => 'Manifest_Reader returned null.',
+				);
+				return;
+			}
+
+			$writer = new Sidecar_Writer();
+			$rel    = $writer->write( $attachment_id, $manifest );
+
+			$c2pa = array(
+				'present'               => true,
+				'format'                => $manifest->format,
+				'container'             => $manifest->container,
+				'manifest_sha256'       => $manifest->sha256,
+				'manifest_length'       => $manifest->bytes_length,
+				'sidecar_path_relative' => $rel,
+				'decoded'               => null,
+			);
+		} catch ( \RuntimeException $e ) {
+			$errors[] = array(
+				'stage'   => 'sidecar_write',
+				'message' => $e->getMessage(),
+			);
+		} catch ( \Throwable $e ) {
+			$errors[] = array(
+				'stage'   => 'unexpected',
+				'message' => $e->getMessage(),
+			);
+		} finally {
+			if ( $should_persist ) {
+				$duration_ms = (int) round( ( microtime( true ) - $started_at ) * 1000 );
+				Record::store(
+					$attachment_id,
+					array(
+						'schema_version' => self::SCHEMA_VERSION,
+						'captured_at'    => gmdate( 'Y-m-d\TH:i:s\Z' ),
+						'duration_ms'    => $duration_ms,
+						'source'         => $source,
+						'traditional'    => array(
+							'exif' => array(),
+							'iptc' => array(),
+							'xmp'  => array(),
+						),
+						'c2pa'           => $c2pa,
+						'errors'         => $errors,
+					)
+				);
+			}
+		}
 	}
 
 	/**
@@ -96,4 +233,50 @@ public static function is_supported_mime( string $mime ): bool {
 			true
 		);
 	}
+
+	/**
+	 * Resolves the absolute path to the original uploaded file.
+	 *
+	 * Falls back to get_attached_file() when wp_get_original_image_path() does
+	 * not return a usable path (non-image attachments, edited media, etc.).
+	 *
+	 * @since 0.7.0
+	 *
+	 * @param int $attachment_id Attachment ID.
+	 * @return string Absolute filesystem path, or empty string when unresolved.
+	 */
+	private static function get_original_path( int $attachment_id ): string {
+		if ( function_exists( 'wp_get_original_image_path' ) ) {
+			$path = wp_get_original_image_path( $attachment_id );
+			if ( is_string( $path ) && '' !== $path ) {
+				return $path;
+			}
+		}
+
+		$path = get_attached_file( $attachment_id );
+		return is_string( $path ) ? $path : '';
+	}
+
+	/**
+	 * Returns the path relative to the uploads basedir, or the absolute path
+	 * if it lives outside uploads.
+	 *
+	 * @since 0.7.0
+	 *
+	 * @param string $absolute Absolute path.
+	 * @return string Relative path or original absolute path.
+	 */
+	private static function relative_to_uploads( string $absolute ): string {
+		$uploads = wp_upload_dir( null, false );
+		if ( ! is_array( $uploads ) || empty( $uploads['basedir'] ) ) {
+			return $absolute;
+		}
+
+		$basedir = trailingslashit( (string) $uploads['basedir'] );
+		if ( 0 === strpos( $absolute, $basedir ) ) {
+			return substr( $absolute, strlen( $basedir ) );
+		}
+
+		return $absolute;
+	}
 }

includes/Experiments/C2pa_Monitor/README.md

@@ -1,13 +1,35 @@
 # C2PA Monitor
 
-Read-only experiment for [C2PA Content Credentials](https://c2pa.org/) in uploaded
-images. Layers land incrementally on the integration branch; this README grows with
-each layer.
+Read-only experiment that detects [C2PA Content Credentials](https://c2pa.org/) in
+freshly uploaded images and captures the raw manifest store before WordPress's
+image processing pipeline destroys it.
 
 ## Status
 
-Experimental. Scaffolding, record format, and parsing are delivered in separate
-iterations. See the integration branch commit messages for the layer map.
+Experimental. No UI, no cryptographic verification, no JUMBF / CBOR decoding in
+this pass; richer claim summaries and UI are deferred. The feature was
+assembled in reviewable layers on the integration branch (register → record →
+detection → reader/sidecar → hook).
+
+## What it does
+
+On every successful image upload (`add_attachment` priority 20):
+
+1. Resolve the original on-disk file via `wp_get_original_image_path()`.
+2. Sniff magic bytes for JPEG, PNG, or WebP. Other MIME types are skipped.
+3. Walk the container looking for the C2PA storage segment:
+	- JPEG: contiguous `APP11` (0xFFEB) markers carrying a JUMBF payload tagged
+		with the literal `c2pa` (or `jumb`) byte sequence.
+	- PNG: a `caBX` chunk.
+	- WebP: a top-level RIFF chunk of type `C2PA`.
+4. If found, stream the raw manifest bytes once, computing SHA-256 in flight,
+	and persist the bytes to a sidecar file under `wp-content/uploads/ai-c2pa/`.
+5. Write a structured `_wpai_monitor_record` postmeta entry pointing at the
+	sidecar.
+
+The handler is wrapped in a `try / catch ( Throwable )` boundary and writes a
+record on every supported MIME type even if every stage fails. The upload
+itself never blocks.
 
 ## Postmeta record
 
@@ -19,37 +41,44 @@ repository
 ([`wpai-monitor-record/schema.json`](https://raw.githubusercontent.com/decentralized-identity/credential-schemas/main/community-schemas/WordPress/schemas/wpai-monitor-record/schema.json)),
 extending
 [`media-provenance-capture`](https://raw.githubusercontent.com/decentralized-identity/credential-schemas/main/community-schemas/OpenVerifiable/schemas/media-provenance-capture/schema.json)
-(CMS-agnostic base). Open a DIF pull request in parallel; Layer 2+ PRs in this
-repo reference that schema PR.
-
-For human-readable shape while iterating:
+(CMS-agnostic base). Cross-link the DIF pull request in PR descriptions.
 
 ```jsonc
-// $schema (optional) — for validators once the DIF files are on main
 {
-  "schema_version": 1,
-  "captured_at": "2026-04-22T19:30:00Z",
-  "duration_ms": 47,
-  "source": {
-    "attachment_id": 1234,
-    "original_path_relative": "2026/04/photo.jpg",
-    "size_bytes": 2841093,
-    "mime": "image/jpeg"
-  },
-  "traditional": { "exif": {}, "iptc": {}, "xmp": {} },
-  "c2pa": {
-    "present": true,
-    "format": "jpeg",
-    "container": "APP11/JUMBF",
-    "manifest_sha256": "ab12...",
-    "manifest_length": 184213,
-    "sidecar_path_relative": "ai-c2pa/1234.jpeg.c2pa",
-    "decoded": null
-  },
-  "errors": []
+	"schema_version": 1,
+	"captured_at": "2026-04-22T19:30:00Z",
+	"duration_ms": 47,
+	"source": {
+		"attachment_id": 1234,
+		"original_path_relative": "2026/04/photo.jpg",
+		"size_bytes": 2841093,
+		"mime": "image/jpeg"
+	},
+	"traditional": {
+		"exif": {},
+		"iptc": {},
+		"xmp": {}
+	},
+	"c2pa": {
+		"present": true,
+		"format": "jpeg",
+		"container": "APP11/JUMBF",
+		"manifest_sha256": "ab12...",
+		"manifest_length": 184213,
+		"sidecar_path_relative": "ai-c2pa/1234.jpeg.c2pa",
+		"decoded": null
+	},
+	"errors": []
 }
 ```
 
+When no manifest is found, `c2pa` collapses to
+`{ "present": false, "format": <detected or null> }` and no sidecar is written.
+
+`c2pa.decoded` is reserved for a follow-up (claim generator, `digitalSourceType`,
+action history). `traditional.*` are reserved for a future pass that promotes
+WordPress's existing EXIF / IPTC / XMP extraction into the same record.
+
 ## Sidecar layout
 
 ```
@@ -63,7 +92,7 @@ wp-content/uploads/ai-c2pa/
 
 ```nginx
 location ^~ /wp-content/uploads/ai-c2pa/ {
-    deny all;
+	deny all;
 }
 ```
 
@@ -79,6 +108,17 @@ meta. Sidecars are reversible, cheap, and mirror how core treats
 `wp_get_original_image_path()` (data lives next to the image, the database
 holds a reference).
 
+## Constraints
+
+- **Read-only** — never mutates images, manifests, or core attachment fields.
+- **Fail-open** — every error path writes a record and returns; the upload
+	always succeeds.
+- **No external dependencies** — no Composer additions, no outbound HTTP, no
+	shell-outs. Pure PHP byte parsing.
+- **Bounded scan** — files larger than `C2pa_Monitor::MAX_SCAN_BYTES` (64 MiB) are
+	skipped; individual manifest payloads are capped at
+	`Manifest_Reader::MAX_MANIFEST_BYTES` (16 MiB).
+
 ## Test fixtures
 
 Synthetic fixtures are generated at runtime by
@@ -87,12 +127,11 @@ just well-formed enough at the container level to drive the detector and are
 **not** valid signed C2PA assets. Generating them at runtime keeps binary
 blobs out of the repo and avoids any third-party fixture licensing.
 
-## Constraints
+## Out of scope (this release)
 
-- **Read-only** — never mutates images, manifests, or core attachment fields.
-- **Fail-open** — every error path should write a record and return; the upload
-  must not block.
-- **No external dependencies** — no Composer additions, no outbound HTTP, no
-  shell-outs for the capture path. Pure PHP byte parsing.
-- **Bounded scan** — files larger than `C2pa_Monitor::MAX_SCAN_BYTES` (64 MiB)
-  are skipped; individual manifest payloads are capped in `Manifest_Reader`.
+- JUMBF box reader and CBOR decoder.
+- Populating `c2pa.decoded` with claim generator / digital source type / action
+	history.
+- Admin UI, media library badge, icon overlay.
+- Cryptographic verification of manifests.
+- Preserving manifests through WordPress's GD / Imagick subsize pipeline.