@adsim/wordpress-mcp-server 1.0.0 → 3.0.0

package/tests/unit/governance.test.js

@@ -0,0 +1,260 @@
+import { vi, describe, it, expect, beforeEach, afterEach, beforeAll, afterAll } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+// ────────────────────────────────────────────────────────────
+// 1. WP_READ_ONLY blocks ALL 13 write tools
+// ────────────────────────────────────────────────────────────
+
+describe('WP_READ_ONLY=true', () => {
+  let consoleSpy;
+
+  beforeAll(() => {
+    process.env.WP_READ_ONLY = 'true';
+  });
+  afterAll(() => {
+    delete process.env.WP_READ_ONLY;
+  });
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+  });
+
+  const writeTools = [
+    { name: 'wp_create_post', args: { title: 'T', content: 'C' } },
+    { name: 'wp_update_post', args: { id: 1, title: 'T' } },
+    { name: 'wp_delete_post', args: { id: 1 } },
+    { name: 'wp_create_page', args: { title: 'T', content: 'C' } },
+    { name: 'wp_update_page', args: { id: 1, title: 'T' } },
+    { name: 'wp_upload_media', args: { url: 'https://example.com/img.png' } },
+    { name: 'wp_create_comment', args: { post: 1, content: 'C' } },
+    { name: 'wp_create_taxonomy_term', args: { taxonomy: 'category', name: 'T' } },
+    { name: 'wp_update_seo_meta', args: { id: 1, title: 'SEO title' } },
+    { name: 'wp_activate_plugin', args: { plugin: 'test/test.php' } },
+    { name: 'wp_deactivate_plugin', args: { plugin: 'test/test.php' } },
+    { name: 'wp_restore_revision', args: { post_id: 1, revision_id: 2 } },
+    { name: 'wp_delete_revision', args: { post_id: 1, revision_id: 2 } },
+  ];
+
+  it.each(writeTools)('blocks $name', async ({ name: toolName, args }) => {
+    const result = await call(toolName, args);
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('READ-ONLY');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === toolName);
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+
+  it('does NOT block fetch (no network calls made)', () => {
+    expect(fetch).not.toHaveBeenCalled();
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// 2. WP_DRAFT_ONLY blocks publish status on create/update post
+// ────────────────────────────────────────────────────────────
+
+describe('WP_DRAFT_ONLY=true', () => {
+  let consoleSpy;
+
+  beforeAll(() => {
+    process.env.WP_DRAFT_ONLY = 'true';
+  });
+  afterAll(() => {
+    delete process.env.WP_DRAFT_ONLY;
+  });
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+  });
+
+  it('blocks wp_create_post with status:publish', async () => {
+    const result = await call('wp_create_post', { title: 'T', content: 'C', status: 'publish' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('DRAFT-ONLY');
+  });
+
+  it('blocks wp_update_post with status:publish', async () => {
+    const result = await call('wp_update_post', { id: 1, status: 'publish' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('DRAFT-ONLY');
+  });
+
+  it('allows wp_create_post with status:draft', async () => {
+    fetch.mockResolvedValue(mockSuccess({ id: 2, title: { rendered: 'T' }, status: 'draft', link: 'https://test.example.com/?p=2', slug: 'test' }));
+    const result = await call('wp_create_post', { title: 'T', content: 'C', status: 'draft' });
+
+    expect(result.isError).toBeUndefined();
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// 3. WP_DISABLE_DELETE blocks delete tools
+// ────────────────────────────────────────────────────────────
+
+describe('WP_DISABLE_DELETE=true', () => {
+  let consoleSpy;
+
+  beforeAll(() => {
+    process.env.WP_DISABLE_DELETE = 'true';
+  });
+  afterAll(() => {
+    delete process.env.WP_DISABLE_DELETE;
+  });
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+  });
+
+  it('blocks wp_delete_post', async () => {
+    const result = await call('wp_delete_post', { id: 1 });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('WP_DISABLE_DELETE');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_post');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+
+  it('blocks wp_delete_revision', async () => {
+    const result = await call('wp_delete_revision', { post_id: 1, revision_id: 2 });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('WP_DISABLE_DELETE');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_revision');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// 4. WP_DISABLE_PLUGIN_MANAGEMENT blocks plugin write tools
+// ────────────────────────────────────────────────────────────
+
+describe('WP_DISABLE_PLUGIN_MANAGEMENT=true', () => {
+  let consoleSpy;
+
+  beforeAll(() => {
+    process.env.WP_DISABLE_PLUGIN_MANAGEMENT = 'true';
+  });
+  afterAll(() => {
+    delete process.env.WP_DISABLE_PLUGIN_MANAGEMENT;
+  });
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+  });
+
+  it('blocks wp_activate_plugin', async () => {
+    const result = await call('wp_activate_plugin', { plugin: 'test/test.php' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('WP_DISABLE_PLUGIN_MANAGEMENT');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_activate_plugin');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+
+  it('blocks wp_deactivate_plugin', async () => {
+    const result = await call('wp_deactivate_plugin', { plugin: 'test/test.php' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('WP_DISABLE_PLUGIN_MANAGEMENT');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_deactivate_plugin');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+
+  it('does NOT block wp_list_plugins', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      {
+        plugin: 'test/test.php',
+        name: 'Test',
+        version: '1.0',
+        status: 'active',
+        author: 'Test',
+        description: { rendered: 'desc' }
+      }
+    ]));
+
+    const result = await call('wp_list_plugins', {});
+
+    expect(result.isError).toBeUndefined();
+    const data = parseResult(result);
+    expect(data.total).toBe(1);
+    expect(data.plugins[0].name).toBe('Test');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// 5. Governance flag combinations
+// ────────────────────────────────────────────────────────────
+
+describe('Governance flag combinations', () => {
+  let consoleSpy;
+
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  });
+  afterEach(() => {
+    delete process.env.WP_READ_ONLY;
+    delete process.env.WP_DISABLE_PLUGIN_MANAGEMENT;
+    consoleSpy.mockRestore();
+  });
+
+  it('WP_DISABLE_PLUGIN_MANAGEMENT=true + WP_READ_ONLY=false still blocks wp_activate_plugin', async () => {
+    process.env.WP_DISABLE_PLUGIN_MANAGEMENT = 'true';
+    process.env.WP_READ_ONLY = 'false';
+
+    const result = await call('wp_activate_plugin', { plugin: 'test/test.php' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('WP_DISABLE_PLUGIN_MANAGEMENT');
+  });
+
+  it('WP_READ_ONLY=true + WP_DISABLE_PLUGIN_MANAGEMENT=false still blocks wp_activate_plugin (via readOnly)', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    process.env.WP_DISABLE_PLUGIN_MANAGEMENT = 'false';
+
+    const result = await call('wp_activate_plugin', { plugin: 'test/test.php' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('READ-ONLY');
+  });
+});

package/tests/unit/tools/comments.test.js

@@ -0,0 +1,170 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+// ────────────────────────────────────────────────────────────
+// wp_list_comments
+// ────────────────────────────────────────────────────────────
+
+describe('wp_list_comments', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns formatted comment list on success', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { id: 1, post: 1, parent: 0, author_name: 'John', date: '2024-01-01', status: 'approved', content: { rendered: '<p>Great post!</p>' }, link: 'https://test.example.com/post-1#comment-1' }
+    ]));
+
+    const result = await call('wp_list_comments');
+    const data = parseResult(result);
+
+    expect(data.total).toBe(1);
+    expect(data.page).toBe(1);
+    expect(data.comments).toHaveLength(1);
+    expect(data.comments[0].id).toBe(1);
+    expect(data.comments[0].post).toBe(1);
+    expect(data.comments[0].parent).toBe(0);
+    expect(data.comments[0].author_name).toBe('John');
+    expect(data.comments[0].date).toBe('2024-01-01');
+    expect(data.comments[0].status).toBe('approved');
+    expect(data.comments[0].content).toBe('Great post!');
+    expect(data.comments[0].link).toBe('https://test.example.com/post-1#comment-1');
+  });
+
+  it('returns error on 403', async () => {
+    fetch.mockResolvedValue(mockError(403));
+
+    const result = await call('wp_list_comments');
+
+    expect(result.isError).toBe(true);
+  });
+
+  it('returns error on 404', async () => {
+    fetch.mockResolvedValue(mockError(404));
+
+    const result = await call('wp_list_comments');
+
+    expect(result.isError).toBe(true);
+  });
+
+  it('logs audit entry with status success', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { id: 1, post: 1, parent: 0, author_name: 'John', date: '2024-01-01', status: 'approved', content: { rendered: '<p>Great post!</p>' }, link: 'https://test.example.com/post-1#comment-1' }
+    ]));
+
+    await call('wp_list_comments');
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_list_comments');
+
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('success');
+  });
+
+  it('passes post filter parameter correctly', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { id: 1, post: 5, parent: 0, author_name: 'Jane', date: '2024-02-01', status: 'approved', content: { rendered: '<p>Filtered</p>' }, link: 'https://test.example.com/post-5#comment-1' }
+    ]));
+
+    const result = await call('wp_list_comments', { post: 5 });
+    const data = parseResult(result);
+
+    expect(data.total).toBe(1);
+    expect(data.comments[0].post).toBe(5);
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_create_comment
+// ────────────────────────────────────────────────────────────
+
+describe('wp_create_comment', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('creates a comment on success', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 2, post: 1, status: 'approved', content: { rendered: '<p>Nice article</p>' }
+    }));
+
+    const result = await call('wp_create_comment', { post: 1, content: 'Nice article' });
+    const data = parseResult(result);
+
+    expect(data.success).toBe(true);
+    expect(data.message).toBe('Comment created');
+    expect(data.comment.id).toBe(2);
+    expect(data.comment.post).toBe(1);
+    expect(data.comment.status).toBe('approved');
+    expect(data.comment.content).toBe('Nice article');
+  });
+
+  it('is blocked in READ-ONLY mode (governance)', async () => {
+    process.env.WP_READ_ONLY = 'true';
+
+    const result = await call('wp_create_comment', { post: 1, content: 'Blocked comment' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('READ-ONLY');
+
+    delete process.env.WP_READ_ONLY;
+  });
+
+  it('returns error on 403', async () => {
+    fetch.mockResolvedValue(mockError(403));
+
+    const result = await call('wp_create_comment', { post: 1, content: 'Forbidden' });
+
+    expect(result.isError).toBe(true);
+  });
+
+  it('returns error on 404', async () => {
+    fetch.mockResolvedValue(mockError(404));
+
+    const result = await call('wp_create_comment', { post: 999, content: 'Missing post' });
+
+    expect(result.isError).toBe(true);
+  });
+
+  it('logs audit entry with status success on create', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 2, post: 1, status: 'approved', content: { rendered: '<p>Nice article</p>' }
+    }));
+
+    await call('wp_create_comment', { post: 1, content: 'Nice article' });
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_create_comment');
+
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('success');
+    expect(entry.target).toBe(2);
+  });
+
+  it('logs audit entry with status blocked in READ-ONLY mode', async () => {
+    process.env.WP_READ_ONLY = 'true';
+
+    await call('wp_create_comment', { post: 1, content: 'Blocked' });
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_create_comment');
+
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+
+    delete process.env.WP_READ_ONLY;
+  });
+
+  it('requires post and content fields', async () => {
+    const result = await call('wp_create_comment', {});
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('post');
+  });
+});