@adsim/wordpress-mcp-server 1.0.0 → 3.0.0

package/index.js

@@ -0,0 +1,1367 @@
+#!/usr/bin/env node
+
+/**
+ * WordPress MCP Server v2.2.0 — Enterprise Edition
+ *
+ * SAFETY MODEL:
+ * This MCP server is designed for safe operation: default non-destructive
+ * behavior, configurable restrictions (read-only, draft-only, disable-delete),
+ * structured audit logging, and multi-target site management. All destructive
+ * actions require explicit opt-in and can be disabled globally.
+ *
+ * Built by AdSim SRL — https://adsim.be
+ */
+
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from '@modelcontextprotocol/sdk/types.js';
+import fetch from 'node-fetch';
+import { readFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
+import { HttpTransportManager } from './src/transport/http.js';
+
+// ============================================================
+// CONFIGURATION
+// ============================================================
+
+const VERSION = '2.2.0';
+const VERBOSE = process.env.WP_MCP_VERBOSE === 'true' || process.argv.includes('--verbose');
+const MAX_RETRIES = parseInt(process.env.WP_MCP_MAX_RETRIES || '3', 10);
+const TIMEOUT_MS = parseInt(process.env.WP_MCP_TIMEOUT || '30000', 10);
+const RETRY_BASE_DELAY_MS = 1000;
+
+// ============================================================
+// ENTERPRISE CONTROLS
+// ============================================================
+
+const READ_ONLY = process.env.WP_READ_ONLY === 'true';
+const DRAFT_ONLY = process.env.WP_DRAFT_ONLY === 'true';
+const DISABLE_DELETE = process.env.WP_DISABLE_DELETE === 'true';
+const DISABLE_PLUGIN_MANAGEMENT = process.env.WP_DISABLE_PLUGIN_MANAGEMENT === 'true';
+const MAX_CALLS_PER_MINUTE = parseInt(process.env.WP_MAX_CALLS_PER_MINUTE || '0', 10); // 0 = unlimited
+const ALLOWED_TYPES = process.env.WP_ALLOWED_TYPES ? process.env.WP_ALLOWED_TYPES.split(',').map(s => s.trim()) : null; // null = all
+const ALLOWED_STATUSES = process.env.WP_ALLOWED_STATUSES ? process.env.WP_ALLOWED_STATUSES.split(',').map(s => s.trim()) : null;
+const AUDIT_LOG = process.env.WP_AUDIT_LOG !== 'off'; // on by default
+
+// Rate limiter state
+const rateLimiter = { calls: [], windowMs: 60000 };
+
+function checkRateLimit() {
+  if (MAX_CALLS_PER_MINUTE <= 0) return;
+  const now = Date.now();
+  rateLimiter.calls = rateLimiter.calls.filter(t => now - t < rateLimiter.windowMs);
+  if (rateLimiter.calls.length >= MAX_CALLS_PER_MINUTE) {
+    throw new Error(`Rate limit exceeded: ${MAX_CALLS_PER_MINUTE} calls/minute. Try again in a few seconds.`);
+  }
+  rateLimiter.calls.push(now);
+}
+
+function enforceReadOnly(toolName) {
+  const writeTools = ['wp_create_post', 'wp_update_post', 'wp_delete_post', 'wp_create_page', 'wp_update_page', 'wp_upload_media', 'wp_create_comment', 'wp_create_taxonomy_term', 'wp_update_seo_meta', 'wp_activate_plugin', 'wp_deactivate_plugin', 'wp_restore_revision', 'wp_delete_revision'];
+  if (process.env.WP_READ_ONLY === 'true' && writeTools.includes(toolName)) {
+    throw new Error(`Blocked: Server is in READ-ONLY mode (WP_READ_ONLY=true). Tool "${toolName}" is not allowed.`);
+  }
+}
+
+function enforceDeleteDisabled(toolName) {
+  const deleteTools = ['wp_delete_post', 'wp_delete_revision'];
+  if (process.env.WP_DISABLE_DELETE === 'true' && deleteTools.includes(toolName)) {
+    throw new Error(`Blocked: Destructive actions are disabled (WP_DISABLE_DELETE=true). Tool "${toolName}" is not allowed.`);
+  }
+}
+
+function enforcePluginManagement(toolName) {
+  const pluginWriteTools = ['wp_activate_plugin', 'wp_deactivate_plugin'];
+  if (process.env.WP_DISABLE_PLUGIN_MANAGEMENT === 'true' && pluginWriteTools.includes(toolName)) {
+    throw new Error(`Blocked: Plugin management is disabled (WP_DISABLE_PLUGIN_MANAGEMENT=true). Tool "${toolName}" is not allowed.`);
+  }
+}
+
+function enforceDraftOnly(status) {
+  if (process.env.WP_DRAFT_ONLY === 'true' && status && status !== 'draft' && status !== 'pending') {
+    throw new Error(`Blocked: Server is in DRAFT-ONLY mode (WP_DRAFT_ONLY=true). Only "draft" and "pending" statuses are allowed, got "${status}".`);
+  }
+}
+
+function enforceAllowedTypes(postType) {
+  if (ALLOWED_TYPES && postType && !ALLOWED_TYPES.includes(postType)) {
+    throw new Error(`Blocked: Post type "${postType}" is not in the allowed list (WP_ALLOWED_TYPES=${ALLOWED_TYPES.join(',')}). Allowed: ${ALLOWED_TYPES.join(', ')}.`);
+  }
+}
+
+function enforceAllowedStatuses(status) {
+  if (ALLOWED_STATUSES && status && !ALLOWED_STATUSES.includes(status)) {
+    throw new Error(`Blocked: Status "${status}" is not allowed (WP_ALLOWED_STATUSES=${ALLOWED_STATUSES.join(',')}). Allowed: ${ALLOWED_STATUSES.join(', ')}.`);
+  }
+}
+
+// ============================================================
+// LOGGER & AUDIT
+// ============================================================
+
+const log = {
+  info: (msg, data) => console.error(`[INFO] ${msg}${data ? ' ' + JSON.stringify(data) : ''}`),
+  debug: (msg, data) => { if (VERBOSE) console.error(`[DEBUG] ${msg}${data ? ' ' + JSON.stringify(data) : ''}`); },
+  warn: (msg, data) => console.error(`[WARN] ${msg}${data ? ' ' + JSON.stringify(data) : ''}`),
+  error: (msg, data) => console.error(`[ERROR] ${msg}${data ? ' ' + JSON.stringify(data) : ''}`)
+};
+
+function auditLog(entry) {
+  if (!AUDIT_LOG) return;
+  const record = {
+    timestamp: new Date().toISOString(),
+    tool: entry.tool,
+    target: entry.target || null,
+    target_type: entry.target_type || null,
+    action: entry.action || null,
+    status: entry.status, // success | error | blocked
+    latency_ms: entry.latency_ms,
+    site: entry.site || currentTarget?.name || 'default',
+    params: entry.params || {},
+    error: entry.error || null
+  };
+  console.error(`[AUDIT] ${JSON.stringify(record)}`);
+}
+
+// Sanitize params for audit (remove content/body to keep logs small)
+function sanitizeParams(args) {
+  const safe = { ...args };
+  if (safe.content && safe.content.length > 100) safe.content = `[${safe.content.length} chars]`;
+  if (safe.body) safe.body = '[binary]';
+  return safe;
+}
+
+// ============================================================
+// MULTI-TARGET SUPPORT
+// ============================================================
+
+let targets = {};
+let currentTarget = null;
+
+function loadTargets() {
+  // Method 1: WP_TARGETS_JSON env var
+  if (process.env.WP_TARGETS_JSON) {
+    try {
+      targets = JSON.parse(process.env.WP_TARGETS_JSON);
+      const keys = Object.keys(targets);
+      if (keys.length > 0) {
+        currentTarget = { name: keys[0], ...targets[keys[0]] };
+        log.info(`Multi-target: ${keys.length} sites loaded. Active: ${keys[0]}`);
+        return true;
+      }
+    } catch (e) {
+      log.warn(`Invalid WP_TARGETS_JSON: ${e.message}`);
+    }
+  }
+
+  // Method 2: WP_TARGETS_FILE path to JSON file
+  if (process.env.WP_TARGETS_FILE && existsSync(process.env.WP_TARGETS_FILE)) {
+    try {
+      const content = readFileSync(process.env.WP_TARGETS_FILE, 'utf-8');
+      targets = JSON.parse(content);
+      const keys = Object.keys(targets);
+      if (keys.length > 0) {
+        currentTarget = { name: keys[0], ...targets[keys[0]] };
+        log.info(`Multi-target from file: ${keys.length} sites. Active: ${keys[0]}`);
+        return true;
+      }
+    } catch (e) {
+      log.warn(`Failed to load targets file: ${e.message}`);
+    }
+  }
+
+  return false;
+}
+
+function getActiveAuth() {
+  if (currentTarget?.url) {
+    return {
+      url: currentTarget.url.replace(/\/+$/, ''),
+      auth: Buffer.from(`${currentTarget.username}:${currentTarget.password}`).toString('base64')
+    };
+  }
+  return { url: WP_API_URL, auth: defaultAuth };
+}
+
+// ============================================================
+// DOTENV SUPPORT
+// ============================================================
+
+function loadEnvFile() {
+  const envPaths = [resolve(process.cwd(), '.env'), resolve(new URL('.', import.meta.url).pathname, '.env')];
+  for (const envPath of envPaths) {
+    if (existsSync(envPath)) {
+      try {
+        const content = readFileSync(envPath, 'utf-8');
+        for (const line of content.split('\n')) {
+          const trimmed = line.trim();
+          if (!trimmed || trimmed.startsWith('#')) continue;
+          const match = trimmed.match(/^([^=]+)=\s*(.*)$/);
+          if (match) {
+            const key = match[1].trim();
+            let value = match[2].trim();
+            if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) value = value.slice(1, -1);
+            if (!process.env[key]) process.env[key] = value;
+          }
+        }
+        log.info(`Loaded .env from ${envPath}`);
+        return;
+      } catch (err) { log.warn(`.env error: ${err.message}`); }
+    }
+  }
+}
+
+loadEnvFile();
+
+// ============================================================
+// WORDPRESS CONFIGURATION
+// ============================================================
+
+const WP_API_URL = process.env.WP_API_URL?.replace(/\/+$/, '') || '';
+const WP_API_USERNAME = process.env.WP_API_USERNAME || '';
+const WP_API_PASSWORD = process.env.WP_API_PASSWORD || '';
+
+// Load multi-target (may override default)
+const isMultiTarget = loadTargets();
+
+// Validate default config if not multi-target
+if (!isMultiTarget) {
+  const missing = [];
+  if (!WP_API_URL) missing.push('WP_API_URL');
+  if (!WP_API_USERNAME) missing.push('WP_API_USERNAME');
+  if (!WP_API_PASSWORD) missing.push('WP_API_PASSWORD');
+  if (missing.length > 0) { log.error(`Missing: ${missing.join(', ')}`); if (process.env.NODE_ENV !== 'test') process.exit(1); }
+
+  try {
+    const url = new URL(WP_API_URL);
+    if (url.protocol !== 'https:' && !WP_API_URL.includes('localhost') && !WP_API_URL.includes('127.0.0.1'))
+      log.warn('WP_API_URL not HTTPS. Insecure for production.');
+  } catch { log.error(`Invalid WP_API_URL: "${WP_API_URL}".`); process.exit(1); }
+}
+
+const defaultAuth = WP_API_USERNAME && WP_API_PASSWORD
+  ? Buffer.from(`${WP_API_USERNAME}:${WP_API_PASSWORD}`).toString('base64')
+  : '';
+
+// ============================================================
+// INPUT VALIDATION
+// ============================================================
+
+function validateInput(args, rules) {
+  const errors = [];
+  for (const [field, rule] of Object.entries(rules)) {
+    const value = args[field];
+    if (rule.required && (value === undefined || value === null || value === '')) { errors.push(`"${field}" is required`); continue; }
+    if (value === undefined || value === null) continue;
+    if (rule.type === 'number') {
+      if (typeof value !== 'number' || isNaN(value)) errors.push(`"${field}" must be a number`);
+      else { if (rule.min !== undefined && value < rule.min) errors.push(`"${field}" >= ${rule.min}`); if (rule.max !== undefined && value > rule.max) errors.push(`"${field}" <= ${rule.max}`); }
+    }
+    if (rule.type === 'string' && typeof value !== 'string') errors.push(`"${field}" must be a string`);
+    else if (rule.type === 'string' && rule.enum && !rule.enum.includes(value)) errors.push(`"${field}" must be: ${rule.enum.join(', ')}`);
+    if (rule.type === 'array' && !Array.isArray(value)) errors.push(`"${field}" must be an array`);
+  }
+  if (errors.length > 0) throw new Error(`Validation:\n${errors.map(e => `  - ${e}`).join('\n')}`);
+}
+
+// ============================================================
+// API CALLER WITH RETRY, TIMEOUT & AUDIT
+// ============================================================
+
+function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
+
+async function wpApiCall(endpoint, options = {}) {
+  const { url: baseUrl, auth: activeAuth } = getActiveAuth();
+  const basePath = options.basePath || '/wp-json/wp/v2';
+  const url = `${baseUrl}${basePath}${endpoint}`;
+  const method = options.method || 'GET';
+  const headers = {
+    'Authorization': `Basic ${activeAuth}`,
+    'User-Agent': `WordPress-MCP-Server/${VERSION}`,
+    ...options.headers
+  };
+  if (!options.isMultipart) headers['Content-Type'] = 'application/json';
+
+  let lastError;
+  for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+    const controller = new AbortController();
+    const tid = setTimeout(() => controller.abort(), TIMEOUT_MS);
+    try {
+      log.debug(`${method} ${endpoint} (${attempt}/${MAX_RETRIES})`);
+      const t0 = Date.now();
+      const fetchOpts = { method, headers, signal: controller.signal };
+      if (options.body) fetchOpts.body = options.body;
+      const response = await fetch(url, fetchOpts);
+      clearTimeout(tid);
+      log.debug(`${response.status} in ${Date.now() - t0}ms`);
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        const sc = response.status;
+        if (sc >= 400 && sc < 500 && sc !== 429) {
+          const hints = { 400: 'Bad Request', 401: 'Unauthorized', 403: 'Forbidden', 404: 'Not Found', 405: 'Method Not Allowed' };
+          throw new Error(`WP API ${sc}: ${hints[sc] || ''}\n${errorText}`);
+        }
+        lastError = new Error(`WP API ${sc}: ${errorText}`);
+        if (sc === 429) { await sleep(parseInt(response.headers.get('retry-after') || '5', 10) * 1000); continue; }
+        if (attempt < MAX_RETRIES) { await sleep(RETRY_BASE_DELAY_MS * Math.pow(2, attempt - 1)); continue; }
+        throw lastError;
+      }
+      const ct = response.headers.get('content-type');
+      if (!ct || !ct.includes('application/json')) return { success: true, status: response.status };
+      return await response.json();
+    } catch (error) {
+      clearTimeout(tid);
+      if (error.name === 'AbortError') lastError = new Error(`Timeout ${TIMEOUT_MS}ms`);
+      else if (error.message.includes('WP API 4')) throw error;
+      else lastError = error;
+      if (attempt < MAX_RETRIES) await sleep(RETRY_BASE_DELAY_MS * Math.pow(2, attempt - 1));
+    }
+  }
+  throw lastError || new Error(`Failed after ${MAX_RETRIES} attempts`);
+}
+
+// ============================================================
+// HEALTH CHECK
+// ============================================================
+
+async function healthCheck() {
+  log.info(`WordPress MCP Server v${VERSION} starting...`);
+  const { url: baseUrl, auth: activeAuth } = getActiveAuth();
+  log.info(`Target: ${baseUrl}`);
+
+  // Log enterprise controls
+  if (READ_ONLY) log.info('Mode: READ-ONLY (write operations blocked)');
+  if (DRAFT_ONLY) log.info('Mode: DRAFT-ONLY (only draft/pending statuses allowed)');
+  if (DISABLE_DELETE) log.info('Mode: DELETE DISABLED');
+  if (DISABLE_PLUGIN_MANAGEMENT) log.info('Mode: PLUGIN MANAGEMENT DISABLED');
+  if (ALLOWED_TYPES) log.info(`Allowed types: ${ALLOWED_TYPES.join(', ')}`);
+  if (ALLOWED_STATUSES) log.info(`Allowed statuses: ${ALLOWED_STATUSES.join(', ')}`);
+  if (MAX_CALLS_PER_MINUTE > 0) log.info(`Rate limit: ${MAX_CALLS_PER_MINUTE} calls/min`);
+  if (isMultiTarget) log.info(`Multi-target: ${Object.keys(targets).length} sites configured`);
+  log.info(`Audit log: ${AUDIT_LOG ? 'ON' : 'OFF'}`);
+
+  try {
+    const ctrl = new AbortController();
+    const tid = setTimeout(() => ctrl.abort(), 10000);
+    const resp = await fetch(`${baseUrl}/wp-json`, { headers: { 'User-Agent': `WordPress-MCP-Server/${VERSION}` }, signal: ctrl.signal });
+    clearTimeout(tid);
+    if (!resp.ok) { log.warn(`REST API: ${resp.status}`); return; }
+    const info = await resp.json();
+    log.info(`Connected: ${info.name || 'WordPress'}`);
+    const authResp = await fetch(`${baseUrl}/wp-json/wp/v2/users/me`, { headers: { 'Authorization': `Basic ${activeAuth}`, 'User-Agent': `WordPress-MCP-Server/${VERSION}` } });
+    if (authResp.ok) { const u = await authResp.json(); log.info(`Auth: ${u.name} — ${u.roles?.[0]}`); }
+    else log.warn(`Auth failed: ${authResp.status}`);
+  } catch (e) { log.warn(`Health check: ${e.message}`); }
+}
+
+// ============================================================
+// MCP SERVER
+// ============================================================
+
+const server = new Server(
+  { name: 'wordpress-mcp', version: VERSION },
+  { capabilities: { tools: {} } }
+);
+
+// ============================================================
+// CONSTANTS & HELPERS
+// ============================================================
+
+const STATUSES = ['publish', 'draft', 'pending', 'private', 'future', 'trash'];
+const ORDERBY = ['date', 'relevance', 'id', 'title', 'slug', 'modified', 'author'];
+const ORDERS = ['asc', 'desc'];
+const MEDIA_TYPES = ['image', 'video', 'audio', 'application'];
+const COMMENT_STATUSES = ['approved', 'hold', 'spam', 'trash'];
+const TOOLS_COUNT = 35;
+
+function json(data) { return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] }; }
+function strip(html) { return (html || '').replace(/<[^>]*>/g, '').trim(); }
+
+// ============================================================
+// TOOL DEFINITIONS (35 tools)
+// ============================================================
+
+const TOOLS_DEFINITIONS = [
+      // ── POSTS (6) ──
+      { name: 'wp_list_posts', description: 'List posts with filtering and search.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, status: { type: 'string', default: 'publish' }, orderby: { type: 'string', default: 'date' }, order: { type: 'string', default: 'desc' }, categories: { type: 'string' }, tags: { type: 'string' }, search: { type: 'string' }, author: { type: 'number' } }}},
+      { name: 'wp_get_post', description: 'Get post by ID with full content and meta.', inputSchema: { type: 'object', properties: { id: { type: 'number' } }, required: ['id'] }},
+      { name: 'wp_create_post', description: 'Create a post (default: draft).', inputSchema: { type: 'object', properties: { title: { type: 'string' }, content: { type: 'string' }, status: { type: 'string', default: 'draft' }, excerpt: { type: 'string' }, categories: { type: 'array', items: { type: 'number' } }, tags: { type: 'array', items: { type: 'number' } }, slug: { type: 'string' }, featured_media: { type: 'number' }, meta: { type: 'object' }, author: { type: 'number' } }, required: ['title', 'content'] }},
+      { name: 'wp_update_post', description: 'Update a post.', inputSchema: { type: 'object', properties: { id: { type: 'number' }, title: { type: 'string' }, content: { type: 'string' }, status: { type: 'string' }, excerpt: { type: 'string' }, categories: { type: 'array', items: { type: 'number' } }, tags: { type: 'array', items: { type: 'number' } }, slug: { type: 'string' }, featured_media: { type: 'number' }, meta: { type: 'object' }, author: { type: 'number' } }, required: ['id'] }},
+      { name: 'wp_delete_post', description: 'Delete a post (trash or permanent).', inputSchema: { type: 'object', properties: { id: { type: 'number' }, force: { type: 'boolean', default: false } }, required: ['id'] }},
+      { name: 'wp_search', description: 'Full-text search across all content.', inputSchema: { type: 'object', properties: { search: { type: 'string' }, per_page: { type: 'number', default: 10 }, type: { type: 'string', default: '' } }, required: ['search'] }},
+
+      // ── PAGES (4) ──
+      { name: 'wp_list_pages', description: 'List pages with hierarchy.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, status: { type: 'string', default: 'publish' }, parent: { type: 'number' }, orderby: { type: 'string', default: 'menu_order' }, order: { type: 'string', default: 'asc' }, search: { type: 'string' } }}},
+      { name: 'wp_get_page', description: 'Get page by ID with content and template.', inputSchema: { type: 'object', properties: { id: { type: 'number' } }, required: ['id'] }},
+      { name: 'wp_create_page', description: 'Create a page (default: draft).', inputSchema: { type: 'object', properties: { title: { type: 'string' }, content: { type: 'string' }, status: { type: 'string', default: 'draft' }, parent: { type: 'number', default: 0 }, template: { type: 'string' }, menu_order: { type: 'number', default: 0 }, excerpt: { type: 'string' }, slug: { type: 'string' }, featured_media: { type: 'number' }, meta: { type: 'object' } }, required: ['title', 'content'] }},
+      { name: 'wp_update_page', description: 'Update a page.', inputSchema: { type: 'object', properties: { id: { type: 'number' }, title: { type: 'string' }, content: { type: 'string' }, status: { type: 'string' }, parent: { type: 'number' }, template: { type: 'string' }, menu_order: { type: 'number' }, excerpt: { type: 'string' }, slug: { type: 'string' }, featured_media: { type: 'number' }, meta: { type: 'object' } }, required: ['id'] }},
+
+      // ── MEDIA (3) ──
+      { name: 'wp_list_media', description: 'List media files.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, media_type: { type: 'string' }, search: { type: 'string' }, orderby: { type: 'string', default: 'date' }, order: { type: 'string', default: 'desc' } }}},
+      { name: 'wp_get_media', description: 'Get media details with all sizes.', inputSchema: { type: 'object', properties: { id: { type: 'number' } }, required: ['id'] }},
+      { name: 'wp_upload_media', description: 'Upload media from URL.', inputSchema: { type: 'object', properties: { url: { type: 'string' }, filename: { type: 'string' }, title: { type: 'string' }, alt_text: { type: 'string' }, caption: { type: 'string' }, description: { type: 'string' }, post_id: { type: 'number' } }, required: ['url'] }},
+
+      // ── TAXONOMIES (3) ──
+      { name: 'wp_list_categories', description: 'List categories with hierarchy and post count.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 100 }, page: { type: 'number', default: 1 }, parent: { type: 'number' }, search: { type: 'string' }, orderby: { type: 'string', default: 'name' }, hide_empty: { type: 'boolean', default: false } }}},
+      { name: 'wp_list_tags', description: 'List tags with post count.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 100 }, page: { type: 'number', default: 1 }, search: { type: 'string' }, orderby: { type: 'string', default: 'name' }, hide_empty: { type: 'boolean', default: false } }}},
+      { name: 'wp_create_taxonomy_term', description: 'Create a category or tag.', inputSchema: { type: 'object', properties: { taxonomy: { type: 'string' }, name: { type: 'string' }, slug: { type: 'string' }, description: { type: 'string' }, parent: { type: 'number' } }, required: ['taxonomy', 'name'] }},
+
+      // ── COMMENTS (2) ──
+      { name: 'wp_list_comments', description: 'List comments with filters.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, post: { type: 'number' }, status: { type: 'string' }, orderby: { type: 'string', default: 'date_gmt' }, order: { type: 'string', default: 'desc' }, search: { type: 'string' } }}},
+      { name: 'wp_create_comment', description: 'Create a comment or reply.', inputSchema: { type: 'object', properties: { post: { type: 'number' }, content: { type: 'string' }, parent: { type: 'number', default: 0 }, author_name: { type: 'string' }, author_email: { type: 'string' }, status: { type: 'string', default: 'approved' } }, required: ['post', 'content'] }},
+
+      // ── CUSTOM POST TYPES (2) ──
+      { name: 'wp_list_post_types', description: 'Discover all registered post types (CPT).', inputSchema: { type: 'object', properties: {} }},
+      { name: 'wp_list_custom_posts', description: 'List posts from any custom post type.', inputSchema: { type: 'object', properties: { post_type: { type: 'string' }, per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, status: { type: 'string', default: 'publish' }, orderby: { type: 'string', default: 'date' }, order: { type: 'string', default: 'desc' }, search: { type: 'string' } }, required: ['post_type'] }},
+
+      // ── USERS (1) ──
+      { name: 'wp_list_users', description: 'List users with roles.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, roles: { type: 'string' }, search: { type: 'string' }, orderby: { type: 'string', default: 'name' } }}},
+
+      // ── MULTI-TARGET (1) ──
+      { name: 'wp_set_target', description: 'Switch active WordPress site (multi-target mode). Use wp_list_targets to see available sites.',
+        inputSchema: { type: 'object', properties: { site: { type: 'string', description: 'Site key from targets config' } }, required: ['site'] }},
+
+      // ── SITE INFO (1) ──
+      { name: 'wp_site_info', description: 'Get site info, current user, post types, enterprise controls, and available targets.',
+        inputSchema: { type: 'object', properties: {} }},
+
+      // ── SEO METADATA (3) ──
+      { name: 'wp_get_seo_meta', description: 'Get SEO metadata (title, description, focus keyword, robots, canonical, og) for a post or page. Auto-detects Yoast SEO, RankMath, SEOPress, or All in One SEO.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'Post or page ID' }, post_type: { type: 'string', default: 'post', description: 'post or page' } }, required: ['id'] }},
+      { name: 'wp_update_seo_meta', description: 'Update SEO metadata (title, description, focus keyword) for a post or page. Auto-detects installed SEO plugin.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'Post or page ID' }, post_type: { type: 'string', default: 'post', description: 'post or page' }, title: { type: 'string', description: 'SEO title' }, description: { type: 'string', description: 'Meta description' }, focus_keyword: { type: 'string', description: 'Focus keyword' }, canonical_url: { type: 'string', description: 'Canonical URL' }, robots_noindex: { type: 'boolean', description: 'Set noindex' }, robots_nofollow: { type: 'boolean', description: 'Set nofollow' } }, required: ['id'] }},
+      { name: 'wp_audit_seo', description: 'Audit SEO metadata across multiple posts/pages. Returns missing titles, descriptions, keywords, and quality scores.',
+        inputSchema: { type: 'object', properties: { post_type: { type: 'string', default: 'post', description: 'post or page' }, per_page: { type: 'number', default: 20, description: 'Number of posts to audit (max 100)' }, status: { type: 'string', default: 'publish' }, orderby: { type: 'string', default: 'date' }, order: { type: 'string', default: 'desc' } }}},
+
+      // ── PLUGINS (3) ──
+      { name: 'wp_list_plugins', description: 'List WordPress plugins with status filtering. Requires Administrator role (activate_plugins capability). Returns plugin name, version, status, author, and description.',
+        inputSchema: { type: 'object', properties: { search: { type: 'string', description: 'Filter plugins by search term' }, status: { type: 'string', enum: ['active', 'inactive', 'all'], default: 'all', description: 'Filter by plugin status (active, inactive, all)' }, per_page: { type: 'number', default: 20, description: 'Number of plugins to return (1-100)' } }}},
+      { name: 'wp_activate_plugin', description: 'Activate a WordPress plugin. Requires Administrator role (activate_plugins capability). Blocked by WP_READ_ONLY and WP_DISABLE_PLUGIN_MANAGEMENT.',
+        inputSchema: { type: 'object', properties: { plugin: { type: 'string', description: 'Plugin slug/file (e.g. "akismet/akismet.php"). Use wp_list_plugins to find the correct value.' } }, required: ['plugin'] }},
+      { name: 'wp_deactivate_plugin', description: 'Deactivate a WordPress plugin. Requires Administrator role (activate_plugins capability). Blocked by WP_READ_ONLY and WP_DISABLE_PLUGIN_MANAGEMENT.',
+        inputSchema: { type: 'object', properties: { plugin: { type: 'string', description: 'Plugin slug/file (e.g. "akismet/akismet.php"). Use wp_list_plugins to find the correct value.' } }, required: ['plugin'] }},
+
+      // ── THEMES (2) ──
+      { name: 'wp_list_themes', description: 'List installed WordPress themes with status filtering. Requires switch_themes capability (Administrator or Editor role).',
+        inputSchema: { type: 'object', properties: { status: { type: 'string', enum: ['active', 'inactive', 'all'], default: 'all', description: 'Filter by theme status' }, per_page: { type: 'number', default: 20, description: 'Number of themes to return (1-100)' } }}},
+      { name: 'wp_get_theme', description: 'Get details of a specific WordPress theme by stylesheet slug. Requires switch_themes capability.',
+        inputSchema: { type: 'object', properties: { stylesheet: { type: 'string', description: 'Theme stylesheet slug (e.g. "twentytwentyfour"). Use wp_list_themes to find the correct value.' } }, required: ['stylesheet'] }},
+
+      // ── REVISIONS (4) ──
+      { name: 'wp_list_revisions', description: 'List revisions of a post or page. Returns metadata without content (use wp_get_revision for full content).',
+        inputSchema: { type: 'object', properties: { post_id: { type: 'number', description: 'Post or page ID' }, post_type: { type: 'string', enum: ['post', 'page'], default: 'post', description: 'Post type' }, per_page: { type: 'number', default: 10, description: 'Number of revisions to return (1-100)' } }, required: ['post_id'] }},
+      { name: 'wp_get_revision', description: 'Get a specific revision with full content.',
+        inputSchema: { type: 'object', properties: { post_id: { type: 'number', description: 'Post or page ID' }, revision_id: { type: 'number', description: 'Revision ID' }, post_type: { type: 'string', enum: ['post', 'page'], default: 'post', description: 'Post type' } }, required: ['post_id', 'revision_id'] }},
+      { name: 'wp_restore_revision', description: 'Restore a post or page to a previous revision. Copies revision content back to the post. Blocked by WP_READ_ONLY.',
+        inputSchema: { type: 'object', properties: { post_id: { type: 'number', description: 'Post or page ID' }, revision_id: { type: 'number', description: 'Revision ID to restore' }, post_type: { type: 'string', enum: ['post', 'page'], default: 'post', description: 'Post type' } }, required: ['post_id', 'revision_id'] }},
+  { name: 'wp_delete_revision', description: 'Permanently delete a revision. This action cannot be undone. Blocked by WP_READ_ONLY and WP_DISABLE_DELETE.',
+    inputSchema: { type: 'object', properties: { post_id: { type: 'number', description: 'Post or page ID' }, revision_id: { type: 'number', description: 'Revision ID to delete' }, post_type: { type: 'string', enum: ['post', 'page'], default: 'post', description: 'Post type' } }, required: ['post_id', 'revision_id'] }}
+];
+
+function registerHandlers(s) {
+  s.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS_DEFINITIONS }));
+  s.setRequestHandler(CallToolRequestSchema, handleToolCall);
+}
+
+registerHandlers(server);
+
+// ============================================================
+// TOOL EXECUTION (27 tools)
+// ============================================================
+
+export async function handleToolCall(request) {
+  const { name, arguments: args = {} } = request.params;
+  const t0 = Date.now();
+
+  // Enterprise controls: rate limit & read-only check
+  try {
+    checkRateLimit();
+    enforceReadOnly(name);
+    enforceDeleteDisabled(name);
+    enforcePluginManagement(name);
+  } catch (error) {
+    auditLog({ tool: name, status: 'blocked', latency_ms: Date.now() - t0, params: sanitizeParams(args), error: error.message });
+    return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
+  }
+
+  log.debug(`Tool: ${name}`, args);
+
+  try {
+    let result;
+
+    switch (name) {
+
+      // ── POSTS ──
+
+      case 'wp_list_posts': {
+        validateInput(args, { per_page: { type: 'number', min: 1, max: 100 }, page: { type: 'number', min: 1 }, status: { type: 'string', enum: STATUSES }, orderby: { type: 'string', enum: ORDERBY }, order: { type: 'string', enum: ORDERS } });
+        const { per_page = 10, page = 1, status = 'publish', orderby = 'date', order = 'desc', categories, tags, search, author } = args;
+        let ep = `/posts?per_page=${per_page}&page=${page}&status=${status}&orderby=${orderby}&order=${order}`;
+        if (categories) ep += `&categories=${categories}`; if (tags) ep += `&tags=${tags}`;
+        if (search) ep += `&search=${encodeURIComponent(search)}`; if (author) ep += `&author=${author}`;
+        const posts = await wpApiCall(ep);
+        result = json({ total: posts.length, page, posts: posts.map(p => ({ id: p.id, title: p.title.rendered, status: p.status, date: p.date, modified: p.modified, link: p.link, author: p.author, categories: p.categories, tags: p.tags, excerpt: strip(p.excerpt.rendered).substring(0, 200) })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(args) });
+        break;
+      }
+
+      case 'wp_get_post': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+        const p = await wpApiCall(`/posts/${args.id}`);
+        result = json({ id: p.id, title: p.title.rendered, content: p.content.rendered, excerpt: p.excerpt.rendered, status: p.status, date: p.date, modified: p.modified, link: p.link, slug: p.slug, categories: p.categories, tags: p.tags, author: p.author, featured_media: p.featured_media, comment_status: p.comment_status, meta: p.meta || {} });
+        auditLog({ tool: name, target: args.id, target_type: 'post', action: 'read', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_create_post': {
+        validateInput(args, { title: { type: 'string', required: true }, content: { type: 'string', required: true }, status: { type: 'string', enum: STATUSES.filter(s => s !== 'trash') } });
+        enforceDraftOnly(args.status); enforceAllowedStatuses(args.status); enforceAllowedTypes('post');
+        const { title, content, status = 'draft', excerpt, categories, tags, slug, featured_media, meta, author } = args;
+        const data = { title, content, status };
+        if (excerpt) data.excerpt = excerpt; if (categories) data.categories = categories; if (tags) data.tags = tags;
+        if (slug) data.slug = slug; if (featured_media) data.featured_media = featured_media; if (meta) data.meta = meta; if (author) data.author = author;
+        const np = await wpApiCall('/posts', { method: 'POST', body: JSON.stringify(data) });
+        result = json({ success: true, message: 'Post created', post: { id: np.id, title: np.title.rendered, status: np.status, link: np.link, slug: np.slug } });
+        auditLog({ tool: name, target: np.id, target_type: 'post', action: 'create', status: 'success', latency_ms: Date.now() - t0, params: { title, status } });
+        break;
+      }
+
+      case 'wp_update_post': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 }, status: { type: 'string', enum: STATUSES } });
+        if (args.status) { enforceDraftOnly(args.status); enforceAllowedStatuses(args.status); }
+        const { id, ...upd } = args;
+        const up = await wpApiCall(`/posts/${id}`, { method: 'POST', body: JSON.stringify(upd) });
+        result = json({ success: true, message: `Post ${id} updated`, post: { id: up.id, title: up.title.rendered, status: up.status, link: up.link, modified: up.modified } });
+        auditLog({ tool: name, target: id, target_type: 'post', action: 'update', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(upd) });
+        break;
+      }
+
+      case 'wp_delete_post': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+        const { id, force = false } = args;
+        const dp = await wpApiCall(`/posts/${id}${force ? '?force=true' : ''}`, { method: 'DELETE' });
+        result = json({ success: true, message: force ? `Post ${id} permanently deleted` : `Post ${id} trashed`, post: { id: dp.id, title: dp.title?.rendered || dp.previous?.title?.rendered, status: force ? 'deleted' : 'trash' } });
+        auditLog({ tool: name, target: id, target_type: 'post', action: force ? 'permanent_delete' : 'trash', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_search': {
+        validateInput(args, { search: { type: 'string', required: true }, per_page: { type: 'number', min: 1, max: 100 } });
+        const { search, per_page = 10, type } = args;
+        let ep = `/search?search=${encodeURIComponent(search)}&per_page=${per_page}`;
+        if (type) ep += `&type=${type}`;
+        const r = await wpApiCall(ep);
+        result = json({ query: search, total: r.length, results: r.map(x => ({ id: x.id, title: x.title, url: x.url, type: x.type, subtype: x.subtype })) });
+        auditLog({ tool: name, action: 'search', status: 'success', latency_ms: Date.now() - t0, params: { search, type } });
+        break;
+      }
+
+      // ── PAGES ──
+
+      case 'wp_list_pages': {
+        validateInput(args, { per_page: { type: 'number', min: 1, max: 100 }, page: { type: 'number', min: 1 }, status: { type: 'string', enum: STATUSES }, order: { type: 'string', enum: ORDERS } });
+        const { per_page = 10, page = 1, status = 'publish', parent, orderby = 'menu_order', order = 'asc', search } = args;
+        let ep = `/pages?per_page=${per_page}&page=${page}&status=${status}&orderby=${orderby}&order=${order}`;
+        if (parent !== undefined) ep += `&parent=${parent}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const pgs = await wpApiCall(ep);
+        result = json({ total: pgs.length, page, pages: pgs.map(p => ({ id: p.id, title: p.title.rendered, status: p.status, date: p.date, link: p.link, parent: p.parent, menu_order: p.menu_order, template: p.template, excerpt: strip(p.excerpt.rendered).substring(0, 200) })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_get_page': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+        const pg = await wpApiCall(`/pages/${args.id}`);
+        result = json({ id: pg.id, title: pg.title.rendered, content: pg.content.rendered, excerpt: pg.excerpt.rendered, status: pg.status, date: pg.date, modified: pg.modified, link: pg.link, slug: pg.slug, parent: pg.parent, menu_order: pg.menu_order, template: pg.template, author: pg.author, featured_media: pg.featured_media, meta: pg.meta || {} });
+        auditLog({ tool: name, target: args.id, target_type: 'page', action: 'read', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_create_page': {
+        validateInput(args, { title: { type: 'string', required: true }, content: { type: 'string', required: true }, status: { type: 'string', enum: STATUSES.filter(s => s !== 'trash') } });
+        enforceDraftOnly(args.status); enforceAllowedStatuses(args.status); enforceAllowedTypes('page');
+        const { title, content, status = 'draft', parent = 0, template, menu_order = 0, excerpt, slug, featured_media, meta } = args;
+        const data = { title, content, status, parent, menu_order };
+        if (template) data.template = template; if (excerpt) data.excerpt = excerpt; if (slug) data.slug = slug;
+        if (featured_media) data.featured_media = featured_media; if (meta) data.meta = meta;
+        const np = await wpApiCall('/pages', { method: 'POST', body: JSON.stringify(data) });
+        result = json({ success: true, message: 'Page created', page: { id: np.id, title: np.title.rendered, status: np.status, link: np.link, parent: np.parent } });
+        auditLog({ tool: name, target: np.id, target_type: 'page', action: 'create', status: 'success', latency_ms: Date.now() - t0, params: { title, status } });
+        break;
+      }
+
+      case 'wp_update_page': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 }, status: { type: 'string', enum: STATUSES } });
+        if (args.status) { enforceDraftOnly(args.status); enforceAllowedStatuses(args.status); }
+        const { id, ...upd } = args;
+        const up = await wpApiCall(`/pages/${id}`, { method: 'POST', body: JSON.stringify(upd) });
+        result = json({ success: true, message: `Page ${id} updated`, page: { id: up.id, title: up.title.rendered, status: up.status, link: up.link, modified: up.modified } });
+        auditLog({ tool: name, target: id, target_type: 'page', action: 'update', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(upd) });
+        break;
+      }
+
+      // ── MEDIA ──
+
+      case 'wp_list_media': {
+        validateInput(args, { per_page: { type: 'number', min: 1, max: 100 }, page: { type: 'number', min: 1 }, media_type: { type: 'string', enum: MEDIA_TYPES }, order: { type: 'string', enum: ORDERS } });
+        const { per_page = 10, page = 1, media_type, search, orderby = 'date', order = 'desc' } = args;
+        let ep = `/media?per_page=${per_page}&page=${page}&orderby=${orderby}&order=${order}`;
+        if (media_type) ep += `&media_type=${media_type}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const media = await wpApiCall(ep);
+        result = json({ total: media.length, page, media: media.map(m => ({ id: m.id, title: m.title.rendered, date: m.date, mime_type: m.mime_type, source_url: m.source_url, alt_text: m.alt_text, width: m.media_details?.width, height: m.media_details?.height })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_get_media': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+        const m = await wpApiCall(`/media/${args.id}`);
+        const sizes = m.media_details?.sizes || {};
+        result = json({ id: m.id, title: m.title.rendered, date: m.date, mime_type: m.mime_type, source_url: m.source_url, alt_text: m.alt_text, caption: strip(m.caption?.rendered), width: m.media_details?.width, height: m.media_details?.height, file: m.media_details?.file, sizes: Object.fromEntries(Object.entries(sizes).map(([k, v]) => [k, { url: v.source_url, width: v.width, height: v.height }])) });
+        auditLog({ tool: name, target: args.id, target_type: 'media', action: 'read', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_upload_media': {
+        validateInput(args, { url: { type: 'string', required: true } });
+        const { url: fileUrl, filename, title, alt_text, caption, description, post_id } = args;
+        const dlResp = await fetch(fileUrl, { timeout: TIMEOUT_MS });
+        if (!dlResp.ok) throw new Error(`Download failed: ${dlResp.status}`);
+        const fileBuffer = await dlResp.buffer();
+        const contentType = dlResp.headers.get('content-type') || 'application/octet-stream';
+        const fname = filename || fileUrl.split('/').pop().split('?')[0] || 'upload';
+        let ep = '/media'; if (post_id) ep += `?post=${post_id}`;
+        const uploaded = await wpApiCall(ep, { method: 'POST', body: fileBuffer, isMultipart: true, headers: { 'Content-Type': contentType, 'Content-Disposition': `attachment; filename="${fname}"` } });
+        if (title || alt_text || caption || description) {
+          const md = {}; if (title) md.title = title; if (alt_text) md.alt_text = alt_text; if (caption) md.caption = caption; if (description) md.description = description;
+          await wpApiCall(`/media/${uploaded.id}`, { method: 'POST', body: JSON.stringify(md) });
+        }
+        result = json({ success: true, message: `Uploaded: ${fname}`, media: { id: uploaded.id, source_url: uploaded.source_url, mime_type: uploaded.mime_type } });
+        auditLog({ tool: name, target: uploaded.id, target_type: 'media', action: 'upload', status: 'success', latency_ms: Date.now() - t0, params: { filename: fname } });
+        break;
+      }
+
+      // ── TAXONOMIES ──
+
+      case 'wp_list_categories': {
+        const { per_page = 100, page = 1, parent, search, orderby = 'name', hide_empty = false } = args;
+        let ep = `/categories?per_page=${per_page}&page=${page}&orderby=${orderby}&hide_empty=${hide_empty}`;
+        if (parent !== undefined) ep += `&parent=${parent}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const cats = await wpApiCall(ep);
+        result = json({ total: cats.length, categories: cats.map(c => ({ id: c.id, name: c.name, slug: c.slug, description: c.description, parent: c.parent, count: c.count })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_list_tags': {
+        const { per_page = 100, page = 1, search, orderby = 'name', hide_empty = false } = args;
+        let ep = `/tags?per_page=${per_page}&page=${page}&orderby=${orderby}&hide_empty=${hide_empty}`;
+        if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const tags = await wpApiCall(ep);
+        result = json({ total: tags.length, tags: tags.map(t => ({ id: t.id, name: t.name, slug: t.slug, count: t.count })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_create_taxonomy_term': {
+        validateInput(args, { taxonomy: { type: 'string', required: true, enum: ['category', 'tag'] }, name: { type: 'string', required: true } });
+        const { taxonomy, name: tName, slug, description, parent } = args;
+        const ep = taxonomy === 'category' ? '/categories' : '/tags';
+        const data = { name: tName }; if (slug) data.slug = slug; if (description) data.description = description;
+        if (parent && taxonomy === 'category') data.parent = parent;
+        const t = await wpApiCall(ep, { method: 'POST', body: JSON.stringify(data) });
+        result = json({ success: true, message: `${taxonomy} "${tName}" created`, term: { id: t.id, name: t.name, slug: t.slug } });
+        auditLog({ tool: name, target: t.id, target_type: taxonomy, action: 'create', status: 'success', latency_ms: Date.now() - t0, params: { name: tName } });
+        break;
+      }
+
+      // ── COMMENTS ──
+
+      case 'wp_list_comments': {
+        const { per_page = 10, page = 1, post, status, orderby = 'date_gmt', order = 'desc', search } = args;
+        let ep = `/comments?per_page=${per_page}&page=${page}&orderby=${orderby}&order=${order}`;
+        if (post) ep += `&post=${post}`; if (status) ep += `&status=${status}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const comments = await wpApiCall(ep);
+        result = json({ total: comments.length, page, comments: comments.map(c => ({ id: c.id, post: c.post, parent: c.parent, author_name: c.author_name, date: c.date, status: c.status, content: strip(c.content.rendered).substring(0, 300), link: c.link })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_create_comment': {
+        validateInput(args, { post: { type: 'number', required: true }, content: { type: 'string', required: true } });
+        const { post, content, parent = 0, author_name, author_email, status = 'approved' } = args;
+        const data = { post, content, parent, status };
+        if (author_name) data.author_name = author_name; if (author_email) data.author_email = author_email;
+        const c = await wpApiCall('/comments', { method: 'POST', body: JSON.stringify(data) });
+        result = json({ success: true, message: 'Comment created', comment: { id: c.id, post: c.post, status: c.status, content: strip(c.content.rendered).substring(0, 200) } });
+        auditLog({ tool: name, target: c.id, target_type: 'comment', action: 'create', status: 'success', latency_ms: Date.now() - t0, params: { post } });
+        break;
+      }
+
+      // ── CUSTOM POST TYPES ──
+
+      case 'wp_list_post_types': {
+        const types = await wpApiCall('/types');
+        result = json({ total: Object.keys(types).length, post_types: Object.values(types).map(t => ({ slug: t.slug, name: t.name, description: t.description, hierarchical: t.hierarchical, rest_base: t.rest_base })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_list_custom_posts': {
+        validateInput(args, { post_type: { type: 'string', required: true }, per_page: { type: 'number', min: 1, max: 100 }, page: { type: 'number', min: 1 }, order: { type: 'string', enum: ORDERS } });
+        enforceAllowedTypes(args.post_type);
+        const { post_type, per_page = 10, page = 1, status = 'publish', orderby = 'date', order = 'desc', search } = args;
+        const types = await wpApiCall('/types');
+        const typeInfo = Object.values(types).find(t => t.slug === post_type || t.rest_base === post_type);
+        if (!typeInfo) throw new Error(`Post type "${post_type}" not found.`);
+        const restBase = typeInfo.rest_base || post_type;
+        let ep = `/${restBase}?per_page=${per_page}&page=${page}&status=${status}&orderby=${orderby}&order=${order}`;
+        if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const posts = await wpApiCall(ep);
+        result = json({ post_type, total: posts.length, page, posts: posts.map(p => ({ id: p.id, title: p.title?.rendered || p.title, status: p.status, date: p.date, link: p.link, slug: p.slug, type: p.type, meta: p.meta || {} })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0, params: { post_type } });
+        break;
+      }
+
+      // ── USERS ──
+
+      case 'wp_list_users': {
+        const { per_page = 10, page = 1, roles, search, orderby = 'name' } = args;
+        let ep = `/users?per_page=${per_page}&page=${page}&orderby=${orderby}`;
+        if (roles) ep += `&roles=${roles}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+        const users = await wpApiCall(ep);
+        result = json({ total: users.length, users: users.map(u => ({ id: u.id, name: u.name, slug: u.slug, link: u.link, roles: u.roles, avatar: u.avatar_urls?.['96'] })) });
+        auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      // ── MULTI-TARGET ──
+
+      case 'wp_set_target': {
+        validateInput(args, { site: { type: 'string', required: true } });
+        const { site } = args;
+        if (!targets[site]) {
+          const available = Object.keys(targets);
+          throw new Error(`Site "${site}" not found. Available: ${available.length > 0 ? available.join(', ') : 'none (configure WP_TARGETS_JSON or WP_TARGETS_FILE)'}`);
+        }
+        const prev = currentTarget?.name || 'default';
+        currentTarget = { name: site, ...targets[site] };
+        log.info(`Target switched: ${prev} → ${site} (${currentTarget.url})`);
+        result = json({ success: true, message: `Active site: ${site}`, previous: prev, current: { name: site, url: currentTarget.url } });
+        auditLog({ tool: name, action: 'switch_target', status: 'success', latency_ms: Date.now() - t0, params: { from: prev, to: site } });
+        break;
+      }
+
+      // ── SITE INFO ──
+
+      case 'wp_site_info': {
+        const { url: baseUrl, auth: activeAuth } = getActiveAuth();
+        const ctrl = new AbortController();
+        const tid = setTimeout(() => ctrl.abort(), TIMEOUT_MS);
+        const resp = await fetch(`${baseUrl}/wp-json`, { headers: { 'Authorization': `Basic ${activeAuth}`, 'User-Agent': `WordPress-MCP-Server/${VERSION}` }, signal: ctrl.signal });
+        clearTimeout(tid);
+        const si = await resp.json();
+        const uResp = await fetch(`${baseUrl}/wp-json/wp/v2/users/me`, { headers: { 'Authorization': `Basic ${activeAuth}`, 'User-Agent': `WordPress-MCP-Server/${VERSION}` } });
+        const u = uResp.ok ? await uResp.json() : null;
+        let postTypes = [];
+        try { const t = await wpApiCall('/types'); postTypes = Object.values(t).map(x => ({ slug: x.slug, name: x.name, rest_base: x.rest_base })); } catch {}
+
+        result = json({
+          site: { name: si.name, description: si.description, url: si.url || baseUrl, gmt_offset: si.gmt_offset, timezone_string: si.timezone_string },
+          current_user: u ? { id: u.id, name: u.name, slug: u.slug, roles: u.roles } : null,
+          post_types: postTypes,
+          enterprise_controls: {
+            read_only: process.env.WP_READ_ONLY === 'true', draft_only: process.env.WP_DRAFT_ONLY === 'true', delete_disabled: process.env.WP_DISABLE_DELETE === 'true', plugin_management_disabled: process.env.WP_DISABLE_PLUGIN_MANAGEMENT === 'true',
+            rate_limit: MAX_CALLS_PER_MINUTE > 0 ? `${MAX_CALLS_PER_MINUTE}/min` : 'unlimited',
+            allowed_types: ALLOWED_TYPES || 'all', allowed_statuses: ALLOWED_STATUSES || 'all',
+            audit_log: AUDIT_LOG
+          },
+          multi_target: {
+            enabled: isMultiTarget, active_site: currentTarget?.name || 'default',
+            available_sites: Object.keys(targets)
+          },
+          server: { mcp_version: VERSION, tools_count: TOOLS_COUNT }
+        });
+        auditLog({ tool: name, action: 'info', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      // ── SEO METADATA ──
+
+      case 'wp_get_seo_meta': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+        const { id, post_type = 'post' } = args;
+        const ep = post_type === 'page' ? `/pages/${id}` : `/posts/${id}`;
+        const p = await wpApiCall(ep);
+        const meta = p.meta || {};
+        const yoastHead = p.yoast_head_json || null;
+
+        // Auto-detect SEO plugin and extract metadata
+        const seo = { plugin: 'none', title: null, description: null, focus_keyword: null, canonical: null, robots: { noindex: false, nofollow: false }, og_title: null, og_description: null, og_image: null, schema: null };
+
+        // Yoast SEO (most common)
+        if (meta._yoast_wpseo_title || meta._yoast_wpseo_metadesc || yoastHead) {
+          seo.plugin = 'yoast';
+          seo.title = meta._yoast_wpseo_title || yoastHead?.title || null;
+          seo.description = meta._yoast_wpseo_metadesc || yoastHead?.description || null;
+          seo.focus_keyword = meta._yoast_wpseo_focuskw || null;
+          seo.canonical = meta._yoast_wpseo_canonical || yoastHead?.canonical || null;
+          seo.robots.noindex = meta._yoast_wpseo_meta_robots_noindex === '1' || yoastHead?.robots?.index === 'noindex';
+          seo.robots.nofollow = meta._yoast_wpseo_meta_robots_nofollow === '1' || yoastHead?.robots?.follow === 'nofollow';
+          if (yoastHead?.og_title) seo.og_title = yoastHead.og_title;
+          if (yoastHead?.og_description) seo.og_description = yoastHead.og_description;
+          if (yoastHead?.og_image?.[0]?.url) seo.og_image = yoastHead.og_image[0].url;
+          if (yoastHead?.schema) seo.schema = yoastHead.schema;
+        }
+        // RankMath
+        else if (meta.rank_math_title || meta.rank_math_description) {
+          seo.plugin = 'rankmath';
+          seo.title = meta.rank_math_title || null;
+          seo.description = meta.rank_math_description || null;
+          seo.focus_keyword = meta.rank_math_focus_keyword || null;
+          seo.canonical = meta.rank_math_canonical_url || null;
+          const robots = meta.rank_math_robots || [];
+          seo.robots.noindex = Array.isArray(robots) ? robots.includes('noindex') : false;
+          seo.robots.nofollow = Array.isArray(robots) ? robots.includes('nofollow') : false;
+          seo.og_title = meta.rank_math_facebook_title || null;
+          seo.og_description = meta.rank_math_facebook_description || null;
+          seo.og_image = meta.rank_math_facebook_image || null;
+        }
+        // SEOPress
+        else if (meta._seopress_titles_title || meta._seopress_titles_desc) {
+          seo.plugin = 'seopress';
+          seo.title = meta._seopress_titles_title || null;
+          seo.description = meta._seopress_titles_desc || null;
+          seo.focus_keyword = meta._seopress_analysis_target_kw || null;
+          seo.canonical = meta._seopress_robots_canonical || null;
+          seo.robots.noindex = meta._seopress_robots_index === 'yes';
+          seo.robots.nofollow = meta._seopress_robots_follow === 'yes';
+          seo.og_title = meta._seopress_social_fb_title || null;
+          seo.og_description = meta._seopress_social_fb_desc || null;
+          seo.og_image = meta._seopress_social_fb_img || null;
+        }
+        // All in One SEO
+        else if (meta._aioseo_title || meta._aioseo_description) {
+          seo.plugin = 'aioseo';
+          seo.title = meta._aioseo_title || null;
+          seo.description = meta._aioseo_description || null;
+          seo.focus_keyword = meta._aioseo_keywords || null;
+          seo.canonical = meta._aioseo_canonical_url || null;
+          seo.robots.noindex = meta._aioseo_noindex === '1';
+          seo.robots.nofollow = meta._aioseo_nofollow === '1';
+          seo.og_title = meta._aioseo_og_title || null;
+          seo.og_description = meta._aioseo_og_description || null;
+          seo.og_image = meta._aioseo_og_image || null;
+        }
+
+        // Fallback: check raw meta keys for any SEO data
+        if (seo.plugin === 'none') {
+          const seoKeys = Object.keys(meta).filter(k => k.includes('seo') || k.includes('yoast') || k.includes('rank_math') || k.includes('aioseo') || k.includes('seopress'));
+          if (seoKeys.length > 0) {
+            seo.plugin = 'unknown';
+            seo.raw_keys = seoKeys;
+          }
+        }
+
+        result = json({
+          id: p.id, title: strip(p.title.rendered), slug: p.slug, link: p.link, status: p.status,
+          seo, all_meta_keys: Object.keys(meta)
+        });
+        auditLog({ tool: name, target: id, target_type: post_type, action: 'read_seo', status: 'success', latency_ms: Date.now() - t0 });
+        break;
+      }
+
+      case 'wp_update_seo_meta': {
+        validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+        const { id, post_type = 'post', title, description, focus_keyword, canonical_url, robots_noindex, robots_nofollow } = args;
+
+        // First, detect which SEO plugin is installed by reading current meta
+        const readEp = post_type === 'page' ? `/pages/${id}` : `/posts/${id}`;
+        const current = await wpApiCall(readEp);
+        const currentMeta = current.meta || {};
+        const yh = current.yoast_head_json || null;
+
+        let plugin = 'none';
+        if (currentMeta._yoast_wpseo_title !== undefined || currentMeta._yoast_wpseo_metadesc !== undefined || yh) plugin = 'yoast';
+        else if (currentMeta.rank_math_title !== undefined || currentMeta.rank_math_description !== undefined) plugin = 'rankmath';
+        else if (currentMeta._seopress_titles_title !== undefined) plugin = 'seopress';
+        else if (currentMeta._aioseo_title !== undefined) plugin = 'aioseo';
+
+        if (plugin === 'none') {
+          // Try to detect by checking if Yoast REST fields exist
+          if (yh) plugin = 'yoast';
+          else throw new Error('No SEO plugin detected. Install Yoast SEO, RankMath, SEOPress, or All in One SEO to manage SEO metadata.');
+        }
+
+        const metaUpdate = {};
+        const updated = [];
+
+        if (plugin === 'yoast') {
+          if (title !== undefined) { metaUpdate._yoast_wpseo_title = title; updated.push('title'); }
+          if (description !== undefined) { metaUpdate._yoast_wpseo_metadesc = description; updated.push('description'); }
+          if (focus_keyword !== undefined) { metaUpdate._yoast_wpseo_focuskw = focus_keyword; updated.push('focus_keyword'); }
+          if (canonical_url !== undefined) { metaUpdate._yoast_wpseo_canonical = canonical_url; updated.push('canonical'); }
+          if (robots_noindex !== undefined) { metaUpdate._yoast_wpseo_meta_robots_noindex = robots_noindex ? '1' : '0'; updated.push('noindex'); }
+          if (robots_nofollow !== undefined) { metaUpdate._yoast_wpseo_meta_robots_nofollow = robots_nofollow ? '1' : '0'; updated.push('nofollow'); }
+        } else if (plugin === 'rankmath') {
+          if (title !== undefined) { metaUpdate.rank_math_title = title; updated.push('title'); }
+          if (description !== undefined) { metaUpdate.rank_math_description = description; updated.push('description'); }
+          if (focus_keyword !== undefined) { metaUpdate.rank_math_focus_keyword = focus_keyword; updated.push('focus_keyword'); }
+          if (canonical_url !== undefined) { metaUpdate.rank_math_canonical_url = canonical_url; updated.push('canonical'); }
+        } else if (plugin === 'seopress') {
+          if (title !== undefined) { metaUpdate._seopress_titles_title = title; updated.push('title'); }
+          if (description !== undefined) { metaUpdate._seopress_titles_desc = description; updated.push('description'); }
+          if (focus_keyword !== undefined) { metaUpdate._seopress_analysis_target_kw = focus_keyword; updated.push('focus_keyword'); }
+          if (canonical_url !== undefined) { metaUpdate._seopress_robots_canonical = canonical_url; updated.push('canonical'); }
+          if (robots_noindex !== undefined) { metaUpdate._seopress_robots_index = robots_noindex ? 'yes' : ''; updated.push('noindex'); }
+          if (robots_nofollow !== undefined) { metaUpdate._seopress_robots_follow = robots_nofollow ? 'yes' : ''; updated.push('nofollow'); }
+        } else if (plugin === 'aioseo') {
+          if (title !== undefined) { metaUpdate._aioseo_title = title; updated.push('title'); }
+          if (description !== undefined) { metaUpdate._aioseo_description = description; updated.push('description'); }
+          if (focus_keyword !== undefined) { metaUpdate._aioseo_keywords = focus_keyword; updated.push('focus_keyword'); }
+          if (canonical_url !== undefined) { metaUpdate._aioseo_canonical_url = canonical_url; updated.push('canonical'); }
+          if (robots_noindex !== undefined) { metaUpdate._aioseo_noindex = robots_noindex ? '1' : '0'; updated.push('noindex'); }
+          if (robots_nofollow !== undefined) { metaUpdate._aioseo_nofollow = robots_nofollow ? '1' : '0'; updated.push('nofollow'); }
+        }
+
+        if (updated.length === 0) throw new Error('No SEO fields provided. Specify at least one of: title, description, focus_keyword, canonical_url, robots_noindex, robots_nofollow.');
+
+        const writeEp = post_type === 'page' ? `/pages/${id}` : `/posts/${id}`;
+        await wpApiCall(writeEp, { method: 'POST', body: JSON.stringify({ meta: metaUpdate }) });
+
+        result = json({ success: true, message: `SEO meta updated for ${post_type} ${id}`, plugin, fields_updated: updated, meta_written: metaUpdate });
+        auditLog({ tool: name, target: id, target_type: post_type, action: 'update_seo', status: 'success', latency_ms: Date.now() - t0, params: { plugin, fields: updated } });
+        break;
+      }
+
+      case 'wp_audit_seo': {
+        const { post_type = 'post', per_page = 20, status = 'publish', orderby = 'date', order = 'desc' } = args;
+        const ep_base = post_type === 'page' ? '/pages' : '/posts';
+        const posts = await wpApiCall(`${ep_base}?per_page=${Math.min(per_page, 100)}&status=${status}&orderby=${orderby}&order=${order}`);
+
+        let seoPlugin = 'none';
+        const audit = [];
+        let totalScore = 0;
+
+        for (const p of posts) {
+          const meta = p.meta || {};
+          const yh = p.yoast_head_json || null;
+          const postTitle = strip(p.title?.rendered || '');
+          const item = { id: p.id, title: postTitle, slug: p.slug, link: p.link, seo_title: null, seo_description: null, focus_keyword: null, issues: [], score: 100 };
+
+          // Detect plugin on first post
+          if (seoPlugin === 'none') {
+            if (meta._yoast_wpseo_title !== undefined || meta._yoast_wpseo_metadesc !== undefined || yh) seoPlugin = 'yoast';
+            else if (meta.rank_math_title !== undefined) seoPlugin = 'rankmath';
+            else if (meta._seopress_titles_title !== undefined) seoPlugin = 'seopress';
+            else if (meta._aioseo_title !== undefined) seoPlugin = 'aioseo';
+          }
+
+          // Extract SEO fields based on detected plugin
+          if (seoPlugin === 'yoast') {
+            item.seo_title = meta._yoast_wpseo_title || yh?.title || null;
+            item.seo_description = meta._yoast_wpseo_metadesc || yh?.description || null;
+            item.focus_keyword = meta._yoast_wpseo_focuskw || null;
+          } else if (seoPlugin === 'rankmath') {
+            item.seo_title = meta.rank_math_title || null;
+            item.seo_description = meta.rank_math_description || null;
+            item.focus_keyword = meta.rank_math_focus_keyword || null;
+          } else if (seoPlugin === 'seopress') {
+            item.seo_title = meta._seopress_titles_title || null;
+            item.seo_description = meta._seopress_titles_desc || null;
+            item.focus_keyword = meta._seopress_analysis_target_kw || null;
+          } else if (seoPlugin === 'aioseo') {
+            item.seo_title = meta._aioseo_title || null;
+            item.seo_description = meta._aioseo_description || null;
+            item.focus_keyword = meta._aioseo_keywords || null;
+          }
+
+          // Quality checks
+          if (!item.seo_title) { item.issues.push('missing_seo_title'); item.score -= 30; }
+          else if (item.seo_title.length < 30) { item.issues.push('seo_title_too_short'); item.score -= 10; }
+          else if (item.seo_title.length > 60) { item.issues.push('seo_title_too_long'); item.score -= 10; }
+
+          if (!item.seo_description) { item.issues.push('missing_meta_description'); item.score -= 30; }
+          else if (item.seo_description.length < 120) { item.issues.push('meta_description_too_short'); item.score -= 10; }
+          else if (item.seo_description.length > 160) { item.issues.push('meta_description_too_long'); item.score -= 10; }
+
+          if (!item.focus_keyword) { item.issues.push('missing_focus_keyword'); item.score -= 20; }
+
+          if (item.seo_title && item.focus_keyword && !item.seo_title.toLowerCase().includes(item.focus_keyword.toLowerCase())) {
+            item.issues.push('keyword_not_in_title'); item.score -= 10;
+          }
+
+          if (item.score < 0) item.score = 0;
+          totalScore += item.score;
+          audit.push(item);
+        }
+
+        const avgScore = audit.length > 0 ? Math.round(totalScore / audit.length) : 0;
+        const summary = {
+          total_audited: audit.length,
+          seo_plugin: seoPlugin,
+          average_score: avgScore,
+          issues_breakdown: {
+            missing_seo_title: audit.filter(a => a.issues.includes('missing_seo_title')).length,
+            missing_meta_description: audit.filter(a => a.issues.includes('missing_meta_description')).length,
+            missing_focus_keyword: audit.filter(a => a.issues.includes('missing_focus_keyword')).length,
+            title_length_issues: audit.filter(a => a.issues.includes('seo_title_too_short') || a.issues.includes('seo_title_too_long')).length,
+            description_length_issues: audit.filter(a => a.issues.includes('meta_description_too_short') || a.issues.includes('meta_description_too_long')).length,
+            keyword_not_in_title: audit.filter(a => a.issues.includes('keyword_not_in_title')).length
+          }
+        };
+
+        result = json({ summary, posts: audit });
+        auditLog({ tool: name, action: 'audit_seo', status: 'success', latency_ms: Date.now() - t0, params: { post_type, count: audit.length, avg_score: avgScore } });
+        break;
+      }
+
+      // ── PLUGINS ──
+
+      case 'wp_list_plugins': {
+        validateInput(args, {
+          search: { type: 'string' },
+          status: { type: 'string', enum: ['active', 'inactive', 'all'] },
+          per_page: { type: 'number', min: 1, max: 100 }
+        });
+        const { search, status = 'all', per_page = 20 } = args;
+        let ep = `/plugins?per_page=${per_page}&context=edit`;
+        if (search) ep += `&search=${encodeURIComponent(search)}`;
+        if (status && status !== 'all') ep += `&status=${status}`;
+
+        try {
+          const plugins = await wpApiCall(ep);
+          const mapped = plugins.map(p => ({
+            plugin: p.plugin,
+            name: p.name,
+            version: p.version,
+            status: p.status,
+            author: p.author?.rendered ?? p.author ?? '',
+            description: p.description?.rendered ? strip(p.description.rendered) : '',
+            plugin_uri: p.plugin_uri ?? '',
+            requires_wp: p.requires_wp ?? '',
+            requires_php: p.requires_php ?? '',
+            network_only: p.network_only ?? false,
+            textdomain: p.textdomain ?? ''
+          }));
+          const activeCount = mapped.filter(p => p.status === 'active').length;
+          const inactiveCount = mapped.filter(p => p.status === 'inactive').length;
+          result = json({ total: mapped.length, active: activeCount, inactive: inactiveCount, plugins: mapped });
+          auditLog({ tool: name, action: 'list', target_type: 'plugin', status: 'success', latency_ms: Date.now() - t0, params: { search, status, per_page } });
+        } catch (pluginError) {
+          const is403 = pluginError.message && (pluginError.message.includes('403') || pluginError.message.includes('Forbidden'));
+          auditLog({ tool: name, action: 'list', target_type: 'plugin', status: 'error', latency_ms: Date.now() - t0, error: is403 ? 'Insufficient permissions' : pluginError.message, params: { search, status } });
+          if (is403) {
+            return { content: [{ type: 'text', text: 'Error: Access denied. wp_list_plugins requires Administrator role with activate_plugins capability. The current WordPress user does not have sufficient permissions to access the /wp/v2/plugins endpoint.' }], isError: true };
+          }
+          throw pluginError;
+        }
+        break;
+      }
+
+      // ── PLUGINS (write) ──
+
+      case 'wp_activate_plugin': {
+        validateInput(args, { plugin: { type: 'string', required: true } });
+        const { plugin } = args;
+        const encodedPlugin = encodeURIComponent(plugin);
+        try {
+          const p = await wpApiCall(`/plugins/${encodedPlugin}`, { method: 'POST', body: JSON.stringify({ status: 'active' }) });
+          result = json({ success: true, message: `Plugin activated: ${p.name || plugin}`, plugin: { plugin: p.plugin, name: p.name, version: p.version, status: p.status } });
+          auditLog({ tool: name, action: 'activate', target: plugin, target_type: 'plugin', status: 'success', latency_ms: Date.now() - t0 });
+        } catch (pluginError) {
+          const is403 = pluginError.message && (pluginError.message.includes('403') || pluginError.message.includes('Forbidden'));
+          const is404 = pluginError.message && (pluginError.message.includes('404') || pluginError.message.includes('Not Found'));
+          auditLog({ tool: name, action: 'activate', target: plugin, target_type: 'plugin', status: 'error', latency_ms: Date.now() - t0, error: is403 ? 'Insufficient permissions' : pluginError.message });
+          if (is403) return { content: [{ type: 'text', text: 'Error: Access denied. wp_activate_plugin requires Administrator role with activate_plugins capability.' }], isError: true };
+          if (is404) return { content: [{ type: 'text', text: 'Error: Plugin not found. Use wp_list_plugins to get the correct plugin slug.' }], isError: true };
+          throw pluginError;
+        }
+        break;
+      }
+
+      case 'wp_deactivate_plugin': {
+        validateInput(args, { plugin: { type: 'string', required: true } });
+        const { plugin } = args;
+        const encodedPlugin = encodeURIComponent(plugin);
+        try {
+          const p = await wpApiCall(`/plugins/${encodedPlugin}`, { method: 'POST', body: JSON.stringify({ status: 'inactive' }) });
+          result = json({ success: true, message: `Plugin deactivated: ${p.name || plugin}`, plugin: { plugin: p.plugin, name: p.name, version: p.version, status: p.status } });
+          auditLog({ tool: name, action: 'deactivate', target: plugin, target_type: 'plugin', status: 'success', latency_ms: Date.now() - t0 });
+        } catch (pluginError) {
+          const is403 = pluginError.message && (pluginError.message.includes('403') || pluginError.message.includes('Forbidden'));
+          const is404 = pluginError.message && (pluginError.message.includes('404') || pluginError.message.includes('Not Found'));
+          auditLog({ tool: name, action: 'deactivate', target: plugin, target_type: 'plugin', status: 'error', latency_ms: Date.now() - t0, error: is403 ? 'Insufficient permissions' : pluginError.message });
+          if (is403) return { content: [{ type: 'text', text: 'Error: Access denied. wp_deactivate_plugin requires Administrator role with activate_plugins capability.' }], isError: true };
+          if (is404) return { content: [{ type: 'text', text: 'Error: Plugin not found. Use wp_list_plugins to get the correct plugin slug.' }], isError: true };
+          throw pluginError;
+        }
+        break;
+      }
+
+      // ── THEMES ──
+
+      case 'wp_list_themes': {
+        validateInput(args, {
+          status: { type: 'string', enum: ['active', 'inactive', 'all'] },
+          per_page: { type: 'number', min: 1, max: 100 }
+        });
+        const { status = 'all', per_page = 20 } = args;
+        let ep = `/themes?per_page=${per_page}&context=edit`;
+        if (status && status !== 'all') ep += `&status=${status}`;
+        try {
+          const themes = await wpApiCall(ep);
+          const mapped = themes.map(t => ({
+            stylesheet: t.stylesheet,
+            template: t.template,
+            name: t.name?.rendered ?? t.name ?? '',
+            description: t.description?.rendered ? strip(t.description.rendered) : '',
+            status: t.status,
+            version: t.version ?? '',
+            author: t.author?.rendered ?? t.author ?? '',
+            author_uri: t.author_uri ?? '',
+            theme_uri: t.theme_uri ?? '',
+            requires_wp: t.requires_wp ?? '',
+            requires_php: t.requires_php ?? '',
+            tags: t.tags?.rendered ?? t.tags ?? []
+          }));
+          const activeTheme = mapped.find(t => t.status === 'active');
+          result = json({ total: mapped.length, active_theme: activeTheme ? activeTheme.name : null, themes: mapped });
+          auditLog({ tool: name, action: 'list', target_type: 'theme', status: 'success', latency_ms: Date.now() - t0, params: { status, per_page } });
+        } catch (themeError) {
+          const is403 = themeError.message && (themeError.message.includes('403') || themeError.message.includes('Forbidden'));
+          auditLog({ tool: name, action: 'list', target_type: 'theme', status: 'error', latency_ms: Date.now() - t0, error: is403 ? 'Insufficient permissions' : themeError.message, params: { status } });
+          if (is403) return { content: [{ type: 'text', text: 'Error: Access denied. wp_list_themes requires switch_themes capability (Administrator or Editor role).' }], isError: true };
+          throw themeError;
+        }
+        break;
+      }
+
+      case 'wp_get_theme': {
+        validateInput(args, { stylesheet: { type: 'string', required: true } });
+        const { stylesheet } = args;
+        try {
+          const t = await wpApiCall(`/themes/${encodeURIComponent(stylesheet)}?context=edit`);
+          result = json({
+            stylesheet: t.stylesheet,
+            template: t.template,
+            name: t.name?.rendered ?? t.name ?? '',
+            description: t.description?.rendered ? strip(t.description.rendered) : '',
+            status: t.status,
+            version: t.version ?? '',
+            author: t.author?.rendered ?? t.author ?? '',
+            author_uri: t.author_uri ?? '',
+            theme_uri: t.theme_uri ?? '',
+            requires_wp: t.requires_wp ?? '',
+            requires_php: t.requires_php ?? '',
+            tags: t.tags?.rendered ?? t.tags ?? []
+          });
+          auditLog({ tool: name, target: stylesheet, target_type: 'theme', action: 'read', status: 'success', latency_ms: Date.now() - t0 });
+        } catch (themeError) {
+          const is403 = themeError.message && (themeError.message.includes('403') || themeError.message.includes('Forbidden'));
+          const is404 = themeError.message && (themeError.message.includes('404') || themeError.message.includes('Not Found'));
+          auditLog({ tool: name, target: stylesheet, target_type: 'theme', action: 'read', status: 'error', latency_ms: Date.now() - t0, error: themeError.message });
+          if (is404) return { content: [{ type: 'text', text: 'Error: Theme not found. Use wp_list_themes to get the correct stylesheet slug.' }], isError: true };
+          if (is403) return { content: [{ type: 'text', text: 'Error: Access denied. wp_get_theme requires switch_themes capability (Administrator or Editor role).' }], isError: true };
+          throw themeError;
+        }
+        break;
+      }
+
+      // ── REVISIONS ──
+
+      case 'wp_list_revisions': {
+        validateInput(args, {
+          post_id: { type: 'number', required: true, min: 1 },
+          post_type: { type: 'string', enum: ['post', 'page'] },
+          per_page: { type: 'number', min: 1, max: 100 }
+        });
+        const { post_id, post_type = 'post', per_page = 10 } = args;
+        const base = post_type === 'page' ? 'pages' : 'posts';
+        try {
+          const revisions = await wpApiCall(`/${base}/${post_id}/revisions?per_page=${per_page}&context=edit`);
+          result = json({
+            total: revisions.length,
+            post_id,
+            post_type,
+            note: 'Use wp_get_revision to read content of a specific revision',
+            revisions: revisions.map(r => ({
+              id: r.id,
+              parent: r.parent,
+              date: r.date,
+              date_gmt: r.date_gmt,
+              modified: r.modified,
+              modified_gmt: r.modified_gmt,
+              author: r.author,
+              title: r.title?.rendered ?? '',
+              excerpt: r.excerpt?.rendered ? strip(r.excerpt.rendered) : '',
+              slug: r.slug
+            }))
+          });
+          auditLog({ tool: name, action: 'list', target: post_id, target_type: 'revision', status: 'success', latency_ms: Date.now() - t0, params: { post_type, per_page } });
+        } catch (revError) {
+          const is404 = revError.message && (revError.message.includes('404') || revError.message.includes('Not Found'));
+          auditLog({ tool: name, action: 'list', target: post_id, target_type: 'revision', status: 'error', latency_ms: Date.now() - t0, error: revError.message });
+          if (is404) return { content: [{ type: 'text', text: 'Error: Post not found or no revisions available. Revisions require autosave to be enabled.' }], isError: true };
+          throw revError;
+        }
+        break;
+      }
+
+      case 'wp_get_revision': {
+        validateInput(args, {
+          post_id: { type: 'number', required: true, min: 1 },
+          revision_id: { type: 'number', required: true, min: 1 },
+          post_type: { type: 'string', enum: ['post', 'page'] }
+        });
+        const { post_id, revision_id, post_type = 'post' } = args;
+        const base = post_type === 'page' ? 'pages' : 'posts';
+        try {
+          const r = await wpApiCall(`/${base}/${post_id}/revisions/${revision_id}?context=edit`);
+          result = json({
+            id: r.id,
+            parent: r.parent,
+            date: r.date,
+            author: r.author,
+            title: r.title?.rendered ?? '',
+            content: r.content?.rendered ?? '',
+            excerpt: r.excerpt?.rendered ?? ''
+          });
+          auditLog({ tool: name, action: 'read', target: revision_id, target_type: 'revision', status: 'success', latency_ms: Date.now() - t0, params: { post_id, post_type } });
+        } catch (revError) {
+          const is404 = revError.message && (revError.message.includes('404') || revError.message.includes('Not Found'));
+          auditLog({ tool: name, action: 'read', target: revision_id, target_type: 'revision', status: 'error', latency_ms: Date.now() - t0, error: revError.message });
+          if (is404) return { content: [{ type: 'text', text: 'Error: Revision not found. Use wp_list_revisions to get valid revision IDs for this post.' }], isError: true };
+          throw revError;
+        }
+        break;
+      }
+
+      case 'wp_restore_revision': {
+        validateInput(args, {
+          post_id: { type: 'number', required: true, min: 1 },
+          revision_id: { type: 'number', required: true, min: 1 },
+          post_type: { type: 'string', enum: ['post', 'page'] }
+        });
+        const { post_id, revision_id, post_type = 'post' } = args;
+        const base = post_type === 'page' ? 'pages' : 'posts';
+
+        // Step 1: Read the revision
+        let revData;
+        try {
+          revData = await wpApiCall(`/${base}/${post_id}/revisions/${revision_id}?context=edit`);
+          auditLog({ tool: name, action: 'read', target: revision_id, target_type: 'revision', status: 'success', latency_ms: Date.now() - t0, params: { post_id, post_type } });
+        } catch (readError) {
+          const is404 = readError.message && (readError.message.includes('404') || readError.message.includes('Not Found'));
+          auditLog({ tool: name, action: 'read', target: revision_id, target_type: 'revision', status: 'error', latency_ms: Date.now() - t0, error: readError.message });
+          if (is404) return { content: [{ type: 'text', text: 'Error: Revision not found. Use wp_list_revisions to get valid revision IDs.' }], isError: true };
+          throw readError;
+        }
+
+        // Step 2: Update the post with revision content
+        const revTitle = revData.title?.raw ?? revData.title?.rendered ?? '';
+        const revContent = revData.content?.raw ?? revData.content?.rendered ?? '';
+        try {
+          await wpApiCall(`/${base}/${post_id}`, { method: 'POST', body: JSON.stringify({ title: revTitle, content: revContent }) });
+          result = json({ restored: true, post_id, revision_id, post_type, title: revTitle, note: `Post content restored from revision ${revision_id}` });
+          auditLog({ tool: name, action: 'restore', target: post_id, target_type: post_type, status: 'success', latency_ms: Date.now() - t0, params: { revision_id } });
+        } catch (writeError) {
+          auditLog({ tool: name, action: 'restore', target: post_id, target_type: post_type, status: 'error', latency_ms: Date.now() - t0, error: writeError.message, params: { revision_id } });
+          throw writeError;
+        }
+        break;
+      }
+
+      case 'wp_delete_revision': {
+        validateInput(args, {
+          post_id: { type: 'number', required: true, min: 1 },
+          revision_id: { type: 'number', required: true, min: 1 },
+          post_type: { type: 'string', enum: ['post', 'page'] }
+        });
+        const { post_id, revision_id, post_type = 'post' } = args;
+        const base = post_type === 'page' ? 'pages' : 'posts';
+        try {
+          await wpApiCall(`/${base}/${post_id}/revisions/${revision_id}?force=true`, { method: 'DELETE' });
+          result = json({ deleted: true, revision_id, post_id, post_type });
+          auditLog({ tool: name, action: 'permanent_delete', target: revision_id, target_type: 'revision', status: 'success', latency_ms: Date.now() - t0, params: { post_id, post_type } });
+        } catch (delError) {
+          const is403 = delError.message && (delError.message.includes('403') || delError.message.includes('Forbidden'));
+          const is404 = delError.message && (delError.message.includes('404') || delError.message.includes('Not Found'));
+          auditLog({ tool: name, action: 'permanent_delete', target: revision_id, target_type: 'revision', status: 'error', latency_ms: Date.now() - t0, error: delError.message, params: { post_id } });
+          if (is404) return { content: [{ type: 'text', text: 'Error: Revision not found. Use wp_list_revisions to get valid revision IDs.' }], isError: true };
+          if (is403) return { content: [{ type: 'text', text: 'Error: Insufficient permissions to delete revisions (delete_posts capability required).' }], isError: true };
+          throw delError;
+        }
+        break;
+      }
+
+      default:
+        throw new Error(`Unknown tool: "${name}".`);
+    }
+
+    log.debug(`${name} done in ${Date.now() - t0}ms`);
+    return result;
+
+  } catch (error) {
+    const ms = Date.now() - t0;
+    log.error(`${name} failed (${ms}ms): ${error.message}`);
+    auditLog({ tool: name, target: args.id || null, status: 'error', latency_ms: ms, params: sanitizeParams(args), error: error.message });
+    return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
+  }
+}
+
+// ============================================================
+// MCP SERVER FACTORY (for HTTP multi-session)
+// ============================================================
+
+export function createMcpServer() {
+  const s = new Server(
+    { name: 'wordpress-mcp', version: VERSION },
+    { capabilities: { tools: {} } }
+  );
+  registerHandlers(s);
+  return s;
+}
+
+// ============================================================
+// START
+// ============================================================
+
+async function main() {
+  await healthCheck();
+
+  const transportMode = (process.env.MCP_TRANSPORT || 'stdio').toLowerCase();
+
+  if (transportMode === 'http') {
+    const manager = new HttpTransportManager();
+    const port = parseInt(process.env.MCP_HTTP_PORT || '3000', 10);
+    const host = process.env.MCP_HTTP_HOST || '0.0.0.0';
+    const authToken = process.env.MCP_AUTH_TOKEN || null;
+    const allowedOrigins = process.env.MCP_ALLOWED_ORIGINS
+      ? process.env.MCP_ALLOWED_ORIGINS.split(',').map(s => s.trim()).filter(Boolean)
+      : [];
+    const sessionTimeoutMs = parseInt(process.env.MCP_SESSION_TIMEOUT_MS || '1800000', 10);
+
+    const httpServer = manager.createServer(createMcpServer, {
+      port, host, authToken, allowedOrigins, sessionTimeoutMs,
+    });
+
+    httpServer.listen(port, host, () => {
+      log.info(`WordPress MCP Server (HTTP) ready — ${TOOLS_COUNT} tools on ${host}:${port}`);
+    });
+  } else {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    log.info(`WordPress MCP Server ready — ${TOOLS_COUNT} tools`);
+  }
+}
+
+if (process.env.NODE_ENV !== 'test') {
+  main().catch((error) => { log.error(`Fatal: ${error.message}`); process.exit(1); });
+}
+
+export { server };