wp-agentic-writer/docs/architecture/PLUGIN_AUDIT_RETRACE_FIFTEENTH_PASS_2026-05-26.md

WP Agentic Writer Fifteenth Retrace Audit

Audit date: 2026-05-26
Baseline retraced: docs/architecture/PLUGIN_AUDIT_RETRACE_FOURTEENTH_PASS_2026-05-26.md
Scope: fifteenth pass after fourteenth-retrace implementation, covering retry-chat provider metadata, live editor readiness, model preset ownership, syntax verification, and remaining audit-chain debt.
Status: COMPLETE / RETRACED
Completion marker: 2026-05-26
Follow-up retrace: docs/architecture/PLUGIN_AUDIT_RETRACE_SIXTEENTH_PASS_2026-05-26.md

This fifteenth-pass report has been implemented and retraced. Keep this document as historical evidence only; use the sixteenth-pass report for current remaining work.

Executive Summary

The fourteenth-pass implementation closed the last concrete provider metadata gap from the previous report:

• Retry chat stream completion now calls applyProviderMetadata(data) at assets/js/sidebar.js:1186-1189.
• The full-contract cost hook state remains clean: static scan finds only the central helper hook and the keyword suggester full-contract hook.
• The legacy chat migration P0 remains fixed: no direct new WP_Agentic_Writer_Context_Service references were found.
• PHP and JavaScript syntax checks pass.

No new P0 or P1 blocker was found.

At this point, the audit chain is no longer finding major static implementation defects in the chat/context/provider/cost/model paths. The main remaining release gate is live WordPress editor/browser verification. Two small cleanup opportunities remain: duplicated model preset fallback/legacy maps, and a duplicate frontend applyProviderMetadata() call in one normal generation branch.

Verification Performed

• PHP syntax check across plugin PHP files: passed.
• node -c assets/js/sidebar.js: passed.
• node -c assets/js/settings-v2.js: passed.
• node -c assets/js/sidebar-utils.js: passed.
• Static retrace of fourteenth-pass findings against current code.
• Static scan for short-form wp_aw_after_api_request calls.
• Static scan for direct new WP_Agentic_Writer_Context_Service.
• Static scan for provider metadata completion branches.
• Static scan for live browser verification evidence.
• No live WordPress editor/browser workflow was run in this pass.

Fourteenth-Pass Status Trace

Fourteenth-pass item	Current status	Evidence
Retry chat applies provider metadata	Fixed	assets/js/sidebar.js:1186-1189 calls applyProviderMetadata(data) on retry-chat completion.
Live editor/browser verification	Still open	No new browser verification note or evidence was found.
Curated preset duplication	Improved, still partial	Settings V2 now localizes get_model_presets() from PHP, but JS fallback and legacy settings still duplicate preset maps.

Remaining Findings

P2: Live WordPress Editor Browser Verification Is Now The Main Gate

Static checks are clean enough that the next confidence jump needs a live editor pass.

Required browser verification:

• Legacy _wpaw_chat_history migrates through /conversation/{post_id} without fatal error.
• Sidebar chat persists after editor reload.
• Retry chat updates the provider/fallback badge.
• Provider badge updates after chat, clarity, planning, generation, block refinement, chat refinement, meta, keyword, intent, and improvement actions.
• Cost log rows include provider/session/status for the same actions.
• Model setting changes affect generated requests.
• Unauthorized REST access remains denied.

Impact:

• Without this pass, the audit chain can prove static contract cleanup, but not editor UI behavior, persistence, REST permission behavior, or visual state updates inside WordPress.

Recommended fix:

• Run the plugin in a live WordPress editor and save a short verification note with exact workflows checked, post IDs used, and any screenshots/log notes.
• If automated browser coverage is possible, capture at least sidebar load/reload, legacy migration, provider badge change, and cost log attribution.

P3: Curated Model Presets Are Centralized For Settings V2, But Fallback/Legacy Duplicates Remain

Settings V2 now has a PHP source for curated presets:

• includes/class-settings-v2.php:136-162 defines get_model_presets().
• includes/class-settings-v2.php:100-113 localizes those presets into wpawSettingsV2.
• assets/js/settings-v2.js:32-35 uses wpawSettingsV2?.presets.

Remaining duplication:

• assets/js/settings-v2.js:35-60 still contains a hard-coded fallback preset map if localization is missing.
• includes/class-settings.php:1025-1055 still contains a legacy inline preset map.
• wp-agentic-writer.php:100-104 can still instantiate the legacy settings class when Settings V2 is not selected.

Impact:

• This is no longer a high-risk active Settings V2 defect, but preset updates can still drift across fallback/legacy code.

Recommended fix:

• For Settings V2, either remove the hard-coded JS fallback or make it an empty/no-op fallback with an admin notice if localization is missing.
• For legacy settings, either read the V2 preset source or formally mark legacy preset parity as manually maintained.

P3: Duplicate Provider Metadata Call In Normal Generation Branch

One stream completion branch now calls applyProviderMetadata(data) twice:

• assets/js/sidebar.js:1039-1045 calls it before and after cost update.

Impact:

• This is harmless, but it creates audit noise and unnecessary React state churn.

Recommended fix:

• Keep one call in that completion branch.

Closed In This Pass

• Retry-chat provider metadata application is fixed.
• No direct context-service construction was found.
• No short-form cost hook calls were found.
• Syntax checks passed for PHP and key JavaScript files.

Priority Queue

1. P2: Run live WordPress editor/browser verification and record evidence.
2. P3: Decide ownership for JS fallback and legacy model preset duplication.
3. P3: Remove duplicate applyProviderMetadata(data) call in the normal generation completion branch.

Completion Criteria For Next Pass

The next retrace can mark this pass complete when:

• Live editor verification evidence exists for migration, persistence, provider badge updates, cost attribution, model settings, retry chat, and auth denial.
• Preset duplication is centralized or explicitly accepted as manually maintained legacy/fallback behavior.
• The duplicate provider metadata call is removed or intentionally left with a comment.