@nateweller
Contributor

@nateweller nateweller commented Mar 19, 2025

Proposed changes:

  • Pulls out the components from Protect Meets Core: Project Branch #40191 and adds them to the @automattic/jetpack-scan project.
  • Includes some enhancements and fixes primarily for component storybooks.
  • After this is merged, the add/protect/core branch can be rebased, and any modifications in the components package removed.

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

peb6dq-31T-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

  • Review the new "Scan" section in Storybook: cd projects/js-packages/storybook && pnpm storybook:dev to run locally.
  • Smoke test the Jetpack Protect plugin, validate the threat severity badge renders appropriately on the client side.

@github-actions github-actions bot added [JS Package] Components [JS Package] Scan [JS Package] Storybook [Plugin] Protect A plugin with features to protect a site: brute force protection, security scanning, and a WAF. [Status] In Progress [Tests] Includes Tests RNA labels Mar 19, 2025
@github-actions
Contributor

github-actions bot commented Mar 19, 2025

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • 🔴 Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖


Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!


Protect plugin:

  • Next scheduled release: April 1, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions github-actions bot added the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label Mar 19, 2025
@jp-launch-control

jp-launch-control bot commented Mar 19, 2025

Code Coverage Summary

Coverage changed in 5 files.

File Coverage Δ% Δ Uncovered
projects/js-packages/scan/src/components/threat-severity-badge/index.tsx 4/4 (100.00%) 0.00% 0 💚
projects/js-packages/scan/src/components/threats-data-views/constants.ts 23/23 (100.00%) 0.00% 0 💚
projects/js-packages/scan/src/components/threat-fixer-button/index.tsx 16/25 (64.00%) 5.67% -1 💚
projects/js-packages/scan/src/components/threats-data-views/index.tsx 46/82 (56.10%) -1.21% -2 💚
projects/js-packages/scan/src/utils/index.ts 0/0 (—%) 66.18% -45 💚

21 files are newly checked for coverage. Only the first 5 are listed here.

File Coverage
projects/js-packages/scan/src/components/scan-report/index.tsx 0/37 (0.00%) 💔
projects/js-packages/scan/src/components/threat-modals/cancel-button.tsx 0/4 (0.00%) 💔
projects/js-packages/scan/src/components/threat-modals/connection-needed.tsx 0/9 (0.00%) 💔
projects/js-packages/scan/src/components/threat-modals/details-modal/actions.tsx 0/17 (0.00%) 💔
projects/js-packages/scan/src/components/threat-modals/fixer-modal/bulk.tsx 0/16 (0.00%) 💔

Full summary · PHP report · JS report

If appropriate, add one of these labels to override the failing coverage check:

  • Covered by non-unit tests: Use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code
  • Coverage tests to be added later: Use to ignore the Code coverage requirement check when tests will be added in a follow-up PR
  • I don't care about code coverage for this PR: Use this label to ignore the check for insufficient code coverage.

@nateweller nateweller force-pushed the add/scan/protect-meets-core-components branch from c88b374 to df7e741 Compare March 24, 2025 21:02
Contributor

@dkmyta dkmyta left a comment

Really nicely done! A few minor things:

  • The Loading, Stale, and Error stories for the ThreatFixerButton do not appear to be working.
  • For the ThreatsDataViews Historic story, I noticed we offer a Stop ignoring item in the action dropdown. Will this immediately trigger an un-ignore without confirmation, or should it open an un-ignore confirmation modal?
  • The ThreatsDataViews Additional Connections Needed story currently does not show any prompts for connections when triggering an action.
  • The ThreatsDataViews User Connection Needed story currently shows the credentials prompt when triggering an action.
  • I think this might be correct, but I will mention it anyway: for all of the ThreatsDataViews connection-related stories, we don't show the connection prompts for ignore/unignore. My memory is failing me here; do we not currently do that or need that for these actions?
  • The ThreatsDataViews Free Results story does not currently render the upgrade prompt in the modal.

Some non-blocking nit-picks:

  • For the ThreatsDataViews, is there any way to improve the transition between modal states? Looks like currently the modal closes, we quickly flash the table, then a new one opens with the new content, rather than the modal remaining open and the content changing without a transition.
  • For the ThreatsDataViews Historic story I initially found the Stop ignoring button content slightly confusing for the un-ignored threats modal - as if it was currently in the process of ignoring and I could stop that. I don't love Un-ignore either but it is the clear opposite action of Ignore.

Base automatically changed from migrate/components/scan to trunk March 25, 2025 21:25
@github-actions github-actions bot added [JS Package] Components [Plugin] Protect A plugin with features to protect a site: brute force protection, security scanning, and a WAF. labels Mar 25, 2025
@nateweller nateweller force-pushed the add/scan/protect-meets-core-components branch 2 times, most recently from 199b740 to 79f3429 Compare March 29, 2025 18:26
@nateweller nateweller force-pushed the add/scan/protect-meets-core-components branch from 79f3429 to 8832648 Compare March 29, 2025 18:28
@nateweller nateweller force-pushed the add/scan/protect-meets-core-components branch from 8832648 to c403999 Compare March 29, 2025 23:45
@nateweller
Contributor Author

@dkmyta I've updated the ThreatsDataViews story to use storybook args to allow for testing various component props together:

Additionally fixed the fixer button stories, and adjusted stop vs un ignore verbiage 👍

@nateweller nateweller requested a review from dkmyta March 29, 2025 23:48
@nateweller nateweller added [Status] Needs Review This PR is ready for review. and removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. labels Mar 29, 2025
Contributor

@dkmyta dkmyta left a comment

ThreatsDataViews stories are much better using the storybook args, nice work!

I haven't exhaustively tested all the various combinations but there seems to be at least one outstanding issue with this configuration:

Data Type : Current Threat
Jetpack Plan : Scan
Jetpack Connection : Custom
Site Credentials : Connected
Refer to Codeable : false

Clicking an update action causes Error: Cannot read properties of null (reading 'connected')

I am not sure of the use-case of this Custom connection type, and it might not be a possible combination in the wild, but we should ensure stories aren't erroring out in any case, and/or remove any options that aren't currently possible.

Previously we had a custom modal state for when there were both connections missing. Is that no longer a thing? I have no problem with the individual/consecutive connection modals, just want to make sure I am not missing something I should be seeing.

A few items from my previous notes we should also confirm on:

  • Should Un-ignore (from modal or actions dropdown) immediately trigger an un-ignore action or should it open an un-ignore confirmation modal like the ignore action?
  • Ignore actions prompt for connections, should un-ignore actions?
    • Note: Seems like only a site connection is prompted currently
    • Question: If only fixers require connections, maybe both ignore/un-ignore can be free of this? Either way, we should keep them consistent IMO
  • I suspect improving modal transitions is not an easy fix, just wanted to get your opinions in case you missed it initially

@dkmyta dkmyta added [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. and removed [Status] Needs Review This PR is ready for review. labels Mar 31, 2025
@nateweller nateweller closed this Apr 2, 2025
@github-actions github-actions bot removed the [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. label Apr 2, 2025

Labels

[JS Package] Components [JS Package] Scan [JS Package] Storybook [Plugin] Protect A plugin with features to protect a site: brute force protection, security scanning, and a WAF. RNA [Tests] Includes Tests [Type] Janitorial
