
WAF: Skip HTTP rule evaluation when REQUEST_METHOD is absent (fixes CLI cron 403)#49458

Closed
agent-sandbox-automattic[bot] wants to merge 4 commits into trunk from ai/agent/protect-174-1780927365

Conversation

@agent-sandbox-automattic

Contributor

What

Waf_Runner::run() already skips rule evaluation when PHP_SAPI === 'cli', but some server-side cron setups run wp-cron.php via a PHP wrapper (e.g. /usr/bin/php-wrapper) that doesn't report the SAPI as 'cli'. In those environments there is still no HTTP context, so $_SERVER['REQUEST_METHOD'] is empty — but the existing guard never fires and WAF rule 911100 ("Method is not allowed by policy") evaluates the empty request method against the allowed-methods list and issues a 403.

How

Add || empty( $_SERVER['REQUEST_METHOD'] ) to the existing early-return check in Waf_Runner::run():

// Before
if ( PHP_SAPI === 'cli' ) {
    return;
}

// After
if ( PHP_SAPI === 'cli' || empty( $_SERVER['REQUEST_METHOD'] ) ) {
    return;
}

This is the second form suggested in the issue description. It is more robust than checking PHP_SAPI alone because it catches all non-HTTP execution contexts regardless of how the PHP binary was invoked.

A new unit test (testRunSkipsRulesWhenRequestMethodIsAbsent) creates a minimal rules file in a temp directory and verifies it is never included when REQUEST_METHOD is absent.

Testing

  • jp test php packages/waf

Checklist

  • Changelog entry added (projects/packages/waf/changelog/)
  • Unit test added
  • Generate changelog entries for this PR (using AI) — not needed, entry already present

Linear: PROTECT-174

This PR was auto-generated by Agent Sandbox. Please review carefully before merging.

Some server-side cron jobs run wp-cron.php via a PHP wrapper
(e.g. /usr/bin/php-wrapper) that does not report PHP_SAPI as 'cli'.
In those environments there is no HTTP context and REQUEST_METHOD is
empty, but the existing PHP_SAPI === 'cli' guard does not fire, so
WAF rule 911100 evaluates an empty request method against the
allowed-methods list and issues a 403.

Extend the early-return guard in Waf_Runner::run() to also bail when
$_SERVER['REQUEST_METHOD'] is empty. This covers all non-HTTP
execution contexts regardless of the SAPI name.

Add a unit test that places a canary rules file in a temp directory
and asserts it is never included when REQUEST_METHOD is absent.

Co-authored-by: kolja.zuelsdorf <kolja.zuelsdorf@a8c.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the ai/agent/protect-174-1780927365 branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack ai/agent/protect-174-1780927365

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • 🔴 Add testing instructions.
  • 🔴 Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


🔴 Action required: Please include detailed testing steps, explaining how to test your change, like so:

## Testing instructions:

* Go to '..'
*

🔴 Action required: We would recommend that you add a section to the PR description to specify whether this PR includes any changes to data or privacy, like so:

## Does this pull request change what data or activity we track or use?

My PR adds *x* and *y*.

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

@github-actions github-actions Bot added the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label Jun 8, 2026
@jp-launch-control

jp-launch-control Bot commented Jun 8, 2026


Code Coverage Summary

Cannot generate coverage summary while tests are failing. 🤐

Please fix the tests, or re-run the Code coverage job if it was something being flaky.

Full summary · PHP report · JS report

@ArSn ArSn left a comment

Member


Some PHPUnit tests are failing now between PHP 7.4 and 8.1:

[packages/waf] Time: 00:00.989, Memory: 8.00 MB
[packages/waf] 
[packages/waf] There was 1 error:
[packages/waf] 
[packages/waf] 1) WafRunnerTest::testRunSkipsRulesWhenRequestMethodIsAbsent
[packages/waf] Constant JETPACK_WAF_MODE already defined
[packages/waf] 
[packages/waf] /home/runner/work/jetpack/jetpack/projects/packages/waf/tests/php/unit/WafRunnerTest.php:81
[packages/waf] 
[packages/waf] ERRORS!
[packages/waf] Tests: 227, Assertions: 857, Errors: 1.

@agent-sandbox-automattic

agent-sandbox-automattic Bot commented Jun 8, 2026

Contributor Author
Agent Sandbox PR state — pushed

Managed by the Agent Sandbox pipeline — do not edit manually.


testDefineModeSetsDefinition defines JETPACK_WAF_MODE in the main
PHPUnit process. With preserveGlobalState=true (the default),
testRunSkipsRulesWhenRequestMethodIsAbsent's child process inherits
that constant, so the explicit define() call in the test body triggers
an E_WARNING in PHP 8.1 (was E_NOTICE in 7.4). With failOnWarning=true
in phpunit.xml.dist this becomes a test error.

Add @preserveGlobalState disabled / #[PreserveGlobalState(false)] so
the child process starts with a clean constant slate.

Co-authored-by: ArSn
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@agent-sandbox-automattic agent-sandbox-automattic Bot requested a review from ArSn June 8, 2026 14:38

@ArSn ArSn left a comment

Member


Error: /home/runner/work/jetpack/jetpack/projects/packages/waf/tests/php/unit/WafRunnerTest.php:67:7: error - Expected 1 spaces after opening parenthesis; 0 found (PEAR.Functions.FunctionCallSignature.SpaceAfterOpenBracket)
Error: /home/runner/work/jetpack/jetpack/projects/packages/waf/tests/php/unit/WafRunnerTest.php:67:32: error - Expected 1 spaces before closing parenthesis; 0 found (PEAR.Functions.FunctionCallSignature.SpaceBeforeCloseBracket)
Script phpcs -p -s handling the phpcs:lint event returned with error code 2
Script @phpcs:lint --filter=tools/class-jetpack-phpcs-exclude-filter.php was called via phpcs:lint:required
Error: Process completed with exit code 2.

@agent-sandbox-automattic agent-sandbox-automattic Bot requested a review from ArSn June 8, 2026 14:45

@ArSn ArSn left a comment

Member


Now the Protect e2e tests do not work anymore; I am guessing we now need to set the request method in the request if we're using a headless / pseudo browser:

  ✓  1 [environment check] › ../../../../../tools/e2e-commons/setup-specs/env-check.setup.ts:33:1 › verify environment readiness @Protect (4.4s)
  ✓  2 [global authentication] › ../../../../../tools/e2e-commons/setup-specs/auth.setup.ts:4:1 › authenticate users @Protect (7.9s)
2026-06-08 14:56:00 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:56:19 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:56:19 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:56:28 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:56:28 error: Page error: "SyntaxError: Unexpected token '<'"
  ✘  3 [jetpack protect e2e] › specs/start.test.ts:61:2 › Jetpack Protect Plugin › Jetpack Protect firewall page (39.4s)
2026-06-08 14:56:40 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:56:53 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:56:53 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:57:00 error: Page error: "SyntaxError: Unexpected token '<'"
2026-06-08 14:57:00 error: Page error: "SyntaxError: Unexpected token '<'"
  ✘  4 [jetpack protect e2e] › specs/start.test.ts:61:2 › Jetpack Protect Plugin › Jetpack Protect firewall page (retry #1) (30.9s)
Error:   1) [jetpack protect e2e] › specs/start.test.ts:61:2 › Jetpack Protect Plugin › Jetpack Protect firewall page › Navigate to firewall page 

When running in a headless/pseudo-browser context (e.g. server-side cron
via a PHP wrapper that does not report PHP_SAPI as 'cli') REQUEST_METHOD
may be absent.  The previous fix returned early, which skipped WAF rule
evaluation entirely and broke the Protect e2e tests.  Instead, default
REQUEST_METHOD to GET so rule 911100 (which rejects an empty method) does
not fire a false-positive 403, while the WAF continues to protect the site.

Co-authored-by: ArSn
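Added example (not Jetpack's code) contrasting the three guards this thread discusses: the original PHP_SAPI check, the early return from the "How" section of the description, and the default-to-GET approach from the last commit. The runner, rule functions and sample $_SERVER arrays are invented for illustration, and rule 911100 is reduced to an allowed-methods check.

```php
<?php
// Added example, not Jetpack's code: toy WAF runner with a stand-in for rule 911100 and one
// hypothetical content rule; all names here (waf_run, rule_*, ALLOWED_METHODS) are invented.
const ALLOWED_METHODS = array( 'GET', 'HEAD', 'POST', 'OPTIONS' );

// Stand-in for 911100 "Method is not allowed by policy": an empty method is rejected too.
function rule_911100( array $server ): bool {
	$method = isset( $server['REQUEST_METHOD'] ) ? (string) $server['REQUEST_METHOD'] : '';
	return ! in_array( $method, ALLOWED_METHODS, true );
}

// Hypothetical content rule standing in for the rest of the rule set.
function rule_traversal( array $server ): bool {
	return isset( $server['QUERY_STRING'] ) && false !== strpos( $server['QUERY_STRING'], '../' );
}

// $variant selects the guard: 'original' (SAPI check only), 'early_return' (this PR's first
// commit) or 'default_get' (its last commit). Returns 'skipped' or the resulting HTTP status.
function waf_run( array $server, string $sapi, string $variant ): string {
	if ( 'cli' === $sapi ) {
		return 'skipped';
	}
	if ( 'early_return' === $variant && empty( $server['REQUEST_METHOD'] ) ) {
		return 'skipped'; // no HTTP context assumed, so nothing is evaluated
	}
	if ( 'default_get' === $variant && empty( $server['REQUEST_METHOD'] ) ) {
		$server['REQUEST_METHOD'] = 'GET'; // rules still run, against a sane method
	}
	foreach ( array( 'rule_911100', 'rule_traversal' ) as $rule ) {
		if ( $rule( $server ) ) {
			return '403';
		}
	}
	return '200';
}

// Constructed inputs: a cron run through a wrapper whose SAPI is 'cgi-fcgi', and a request
// that also lacks REQUEST_METHOD but carries content the second rule should catch.
$cron    = array( 'SCRIPT_NAME' => '/wp-cron.php' );
$hostile = array( 'SCRIPT_NAME' => '/index.php', 'QUERY_STRING' => 'path=../secret' );

foreach ( array( 'original', 'early_return', 'default_get' ) as $variant ) {
	printf( "%-12s cron=%-7s hostile=%s\n", $variant,
		waf_run( $cron, 'cgi-fcgi', $variant ), waf_run( $hostile, 'cgi-fcgi', $variant ) );
}
```

The `early_return` row shows the trade-off the e2e failure surfaced: any request arriving without REQUEST_METHOD skips every rule, whereas `default_get` clears the cron false positive and still runs the rest of the rule set.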
@ArSn

ArSn commented Jun 11, 2026

Member

Closing in favor of #49465

@ArSn ArSn closed this Jun 11, 2026
@github-actions github-actions Bot removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. [Status] In Progress labels Jun 11, 2026