@adsim/wordpress-mcp-server 3.0.0 → 4.4.0

package/tests/unit/tools/perTargetControls.test.js

@@ -0,0 +1,228 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall, getActiveControls, getControlSources, _testSetTarget } from '../../../index.js';
+import { mockSuccess, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+const ENV_KEYS = ['WP_READ_ONLY', 'WP_DRAFT_ONLY', 'WP_DISABLE_DELETE', 'WP_DISABLE_PLUGIN_MANAGEMENT', 'WP_REQUIRE_APPROVAL', 'WP_CONFIRM_DESTRUCTIVE', 'WP_MAX_CALLS_PER_MINUTE'];
+const savedEnv = {};
+
+function clearGovEnv() {
+  for (const k of ENV_KEYS) {
+    savedEnv[k] = process.env[k];
+    delete process.env[k];
+  }
+}
+
+function restoreGovEnv() {
+  for (const k of ENV_KEYS) {
+    if (savedEnv[k] === undefined) delete process.env[k];
+    else process.env[k] = savedEnv[k];
+  }
+}
+
+// ────────────────────────────────────────────────────────────
+// getActiveControls — unit tests
+// ────────────────────────────────────────────────────────────
+
+describe('getActiveControls', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  it('returns global env vars when target has no controls', () => {
+    process.env.WP_READ_ONLY = 'true';
+    process.env.WP_DISABLE_DELETE = 'true';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p' });
+
+    const c = getActiveControls();
+
+    expect(c.read_only).toBe(true);
+    expect(c.disable_delete).toBe(true);
+    expect(c.draft_only).toBe(false);
+    expect(c.require_approval).toBe(false);
+    expect(c.confirm_destructive).toBe(false);
+    expect(c.disable_plugin_management).toBe(false);
+  });
+
+  it('target read_only:true + global false → blocked (OR strict)', () => {
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+
+    const c = getActiveControls();
+
+    expect(c.read_only).toBe(true);
+  });
+
+  it('global read_only:true + target false → blocked (OR strict)', () => {
+    process.env.WP_READ_ONLY = 'true';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: false } });
+
+    const c = getActiveControls();
+
+    expect(c.read_only).toBe(true);
+  });
+
+  it('both global and target true → blocked (OR strict)', () => {
+    process.env.WP_READ_ONLY = 'true';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+
+    const c = getActiveControls();
+    const s = getControlSources();
+
+    expect(c.read_only).toBe(true);
+    expect(s.read_only_source).toBe('both');
+  });
+
+  it('max_calls_per_minute: MIN of global and target', () => {
+    process.env.WP_MAX_CALLS_PER_MINUTE = '30';
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { max_calls_per_minute: 10 } });
+
+    const c = getActiveControls();
+
+    expect(c.max_calls_per_minute).toBe(10);
+  });
+
+  it('max_calls_per_minute: global unlimited + target=20 → 20', () => {
+    // global is 0 (unlimited) by default
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { max_calls_per_minute: 20 } });
+
+    const c = getActiveControls();
+    const s = getControlSources();
+
+    expect(c.max_calls_per_minute).toBe(20);
+    expect(s.max_calls_per_minute_source).toBe('target');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// Governance functions use getActiveControls — integration
+// ────────────────────────────────────────────────────────────
+
+describe('Per-target governance integration', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  it('target read_only blocks write tools via enforceReadOnly', async () => {
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+
+    const result = await call('wp_create_post', { title: 'T', content: 'C' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('READ-ONLY');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_create_post');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+
+  it('target draft_only blocks publish via enforceDraftOnly', async () => {
+    _testSetTarget('staging', { url: 'https://staging.example.com', username: 'u', password: 'p', controls: { draft_only: true } });
+
+    const result = await call('wp_create_post', { title: 'T', content: 'C', status: 'publish' });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('DRAFT-ONLY');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_create_post');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('error');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_site_info — per-target controls
+// ────────────────────────────────────────────────────────────
+
+describe('wp_site_info with per-target controls', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  const siteInfoResponse = { name: 'Test', description: 'T', url: 'https://test.example.com', gmt_offset: 1, timezone_string: 'UTC' };
+  const userMeResponse = { id: 1, name: 'Admin', slug: 'admin', roles: ['administrator'] };
+  const postTypesResponse = { post: { slug: 'post', name: 'Posts', rest_base: 'posts' } };
+
+  it('enterprise_controls reflects target controls', async () => {
+    _testSetTarget('prod', { url: 'https://test.example.com', username: 'testuser', password: 'testpass', controls: { disable_delete: true, confirm_destructive: true } });
+    mockSuccess(siteInfoResponse);
+    mockSuccess(userMeResponse);
+    mockSuccess(postTypesResponse);
+
+    const res = await call('wp_site_info');
+    const data = parseResult(res);
+
+    expect(data.enterprise_controls.delete_disabled).toBe(true);
+    expect(data.enterprise_controls.confirm_destructive).toBe(true);
+    expect(data.enterprise_controls.read_only).toBe(false);
+  });
+
+  it('controls_source indicates "target" when restriction comes from target', async () => {
+    _testSetTarget('prod', { url: 'https://test.example.com', username: 'testuser', password: 'testpass', controls: { disable_delete: true } });
+    mockSuccess(siteInfoResponse);
+    mockSuccess(userMeResponse);
+    mockSuccess(postTypesResponse);
+
+    const res = await call('wp_site_info');
+    const data = parseResult(res);
+
+    expect(data.enterprise_controls.disable_delete_source).toBe('target');
+    expect(data.enterprise_controls.read_only_source).toBe('none');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_set_target — audit log and controls persistence
+// ────────────────────────────────────────────────────────────
+
+describe('wp_set_target with per-target controls', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); clearGovEnv(); });
+  afterEach(() => { consoleSpy.mockRestore(); restoreGovEnv(); _testSetTarget(null); });
+
+  it('audit log contains effective_controls after switch', async () => {
+    // Pre-populate two targets via _testSetTarget for the first, then manually set second
+    _testSetTarget('staging', { url: 'https://staging.example.com', username: 'u', password: 'p', controls: { draft_only: true, disable_delete: true } });
+
+    // Now call wp_set_target to switch to staging (already current, but validates the flow)
+    const result = await call('wp_set_target', { site: 'staging' });
+    const data = parseResult(result);
+
+    expect(data.success).toBe(true);
+    expect(data.effective_controls).toBeDefined();
+    expect(data.effective_controls.draft_only).toBe(true);
+    expect(data.effective_controls.disable_delete).toBe(true);
+    expect(data.effective_controls.read_only).toBe(false);
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_set_target' && l.status === 'success');
+    expect(entry).toBeDefined();
+    expect(entry.effective_controls).toBeDefined();
+    expect(entry.effective_controls.draft_only).toBe(true);
+  });
+
+  it('per-target controls survive a wp_set_target switch', async () => {
+    // Set up two targets
+    _testSetTarget('dev', { url: 'https://dev.example.com', username: 'u', password: 'p' });
+    _testSetTarget('prod', { url: 'https://prod.example.com', username: 'u', password: 'p', controls: { read_only: true } });
+    // Current is now 'prod'. Switch to prod explicitly to test persistence.
+
+    const result = await call('wp_set_target', { site: 'prod' });
+    const data = parseResult(result);
+
+    expect(data.effective_controls.read_only).toBe(true);
+
+    // Verify the control actually blocks writes
+    const writeResult = await call('wp_create_post', { title: 'T', content: 'C' });
+    expect(writeResult.isError).toBe(true);
+    expect(writeResult.content[0].text).toContain('READ-ONLY');
+  });
+});

package/tests/unit/tools/site.test.js

@@ -72,10 +72,15 @@ describe('wp_site_info', () => {
     expect(typeof data.enterprise_controls.draft_only).toBe('boolean');
     expect(typeof data.enterprise_controls.delete_disabled).toBe('boolean');
     expect(typeof data.enterprise_controls.plugin_management_disabled).toBe('boolean');
+    expect(typeof data.enterprise_controls.confirm_destructive).toBe('boolean');
+
+    // Control sources
+    expect(data.enterprise_controls.read_only_source).toBeDefined();
+    expect(['global', 'target', 'both', 'none']).toContain(data.enterprise_controls.read_only_source);
 
     // Server info
     expect(data.server.mcp_version).toBeDefined();
-    expect(data.server.tools_count).toBe(35);
+    expect(data.server.tools_count).toBe(79);
   });
 
   it('SUCCESS — enterprise_controls reflect WP_READ_ONLY env var', async () => {

package/tests/unit/tools/woocommerce.test.js

@@ -0,0 +1,344 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall, _testSetTarget } from '../../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+let consoleSpy;
+beforeEach(() => {
+  fetch.mockReset();
+  consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  process.env.WC_CONSUMER_KEY = 'ck_test';
+  process.env.WC_CONSUMER_SECRET = 'cs_test';
+});
+afterEach(() => {
+  consoleSpy.mockRestore();
+  _testSetTarget(null);
+  delete process.env.WC_CONSUMER_KEY;
+  delete process.env.WC_CONSUMER_SECRET;
+});
+
+// =========================================================================
+// Mock data
+// =========================================================================
+
+const product1 = {
+  id: 101, name: 'T-Shirt', slug: 't-shirt', status: 'publish',
+  price: '19.99', regular_price: '24.99', sale_price: '19.99',
+  stock_status: 'instock', stock_quantity: 50,
+  categories: [{ id: 5, name: 'Clothing' }],
+  images: [{ src: 'https://shop.example.com/img/tshirt.jpg' }],
+  permalink: 'https://shop.example.com/product/t-shirt',
+  type: 'simple', variations: []
+};
+
+const product2 = {
+  id: 102, name: 'Hoodie', slug: 'hoodie', status: 'publish',
+  price: '49.99', regular_price: '49.99', sale_price: '',
+  stock_status: 'instock', stock_quantity: 20,
+  categories: [{ id: 5, name: 'Clothing' }],
+  images: [{ src: 'https://shop.example.com/img/hoodie.jpg' }],
+  permalink: 'https://shop.example.com/product/hoodie',
+  type: 'variable', variations: [201, 202]
+};
+
+const order1 = {
+  id: 500, number: '500', status: 'processing',
+  date_created: '2026-02-01T10:00:00',
+  customer_id: 10,
+  billing: { first_name: 'John', last_name: 'Doe', email: 'john@example.com' },
+  total: '69.98', currency: 'EUR',
+  line_items: [{ name: 'T-Shirt', quantity: 2, total: '39.98' }, { name: 'Hoodie', quantity: 1, total: '49.99' }],
+  shipping: {}, payment_method: 'stripe', transaction_id: 'txn_123', meta_data: []
+};
+
+const customer1 = {
+  id: 10, first_name: 'John', last_name: 'Doe', email: 'john@example.com',
+  date_created: '2025-06-15T08:00:00', orders_count: 5, total_spent: '350.00', username: 'johndoe'
+};
+
+// =========================================================================
+// wc_list_products
+// =========================================================================
+
+describe('wc_list_products', () => {
+  it('SUCCESS — returns product list', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess([product1, product2]);
+
+    const res = await call('wc_list_products');
+    const data = parseResult(res);
+
+    expect(data.total).toBe(2);
+    expect(data.products[0].id).toBe(101);
+    expect(data.products[0].name).toBe('T-Shirt');
+    expect(data.products[0].price).toBe('19.99');
+    expect(data.products[0].categories[0].name).toBe('Clothing');
+    expect(data.products[0].image).toBe('https://shop.example.com/img/tshirt.jpg');
+
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wc_list_products');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('success');
+  });
+
+  it('BLOCKED — WP_READ_ONLY prevents access', async () => {
+    const original = process.env.WP_READ_ONLY;
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const res = await call('wc_list_products');
+      expect(res.isError).toBe(true);
+      expect(res.content[0].text).toContain('READ-ONLY');
+    } finally {
+      if (original === undefined) delete process.env.WP_READ_ONLY;
+      else process.env.WP_READ_ONLY = original;
+    }
+  });
+
+  it('ERROR — WC credentials missing', async () => {
+    delete process.env.WC_CONSUMER_KEY;
+    delete process.env.WC_CONSUMER_SECRET;
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+
+    const res = await call('wc_list_products');
+    expect(res.isError).toBe(true);
+    expect(res.content[0].text).toContain('WC_CONSUMER_KEY');
+  });
+});
+
+// =========================================================================
+// wc_get_product
+// =========================================================================
+
+describe('wc_get_product', () => {
+  it('SUCCESS — returns full product details', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess(product1);
+
+    const res = await call('wc_get_product', { id: 101 });
+    const data = parseResult(res);
+
+    expect(data.id).toBe(101);
+    expect(data.name).toBe('T-Shirt');
+    expect(data.price).toBe('19.99');
+  });
+
+  it('SUCCESS — variable product includes variations_detail', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess(product2); // variable product with variations [201, 202]
+    mockSuccess([
+      { id: 201, sku: 'hoodie-s', price: '49.99', regular_price: '49.99', sale_price: '', stock_status: 'instock', stock_quantity: 10, attributes: [{ name: 'Size', option: 'S' }] },
+      { id: 202, sku: 'hoodie-l', price: '49.99', regular_price: '49.99', sale_price: '', stock_status: 'instock', stock_quantity: 10, attributes: [{ name: 'Size', option: 'L' }] }
+    ]);
+
+    const res = await call('wc_get_product', { id: 102 });
+    const data = parseResult(res);
+
+    expect(data.id).toBe(102);
+    expect(data.type).toBe('variable');
+    expect(data.variations_detail).toHaveLength(2);
+    expect(data.variations_detail[0].sku).toBe('hoodie-s');
+    expect(data.variations_detail[1].attributes[0].option).toBe('L');
+  });
+
+  it('ERROR — product not found (404)', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockError(404, '{"code":"woocommerce_rest_product_invalid_id","message":"Invalid ID."}');
+
+    const res = await call('wc_get_product', { id: 999 });
+    expect(res.isError).toBe(true);
+    expect(res.content[0].text).toContain('404');
+  });
+});
+
+// =========================================================================
+// wc_list_orders
+// =========================================================================
+
+describe('wc_list_orders', () => {
+  it('SUCCESS — returns order list', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess([order1]);
+
+    const res = await call('wc_list_orders');
+    const data = parseResult(res);
+
+    expect(data.total).toBe(1);
+    expect(data.orders[0].id).toBe(500);
+    expect(data.orders[0].status).toBe('processing');
+    expect(data.orders[0].billing_name).toBe('John Doe');
+    expect(data.orders[0].billing_email).toBe('john@example.com');
+    expect(data.orders[0].total).toBe('69.98');
+    expect(data.orders[0].line_items).toHaveLength(2);
+  });
+
+  it('BLOCKED — WP_READ_ONLY prevents access', async () => {
+    const original = process.env.WP_READ_ONLY;
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const res = await call('wc_list_orders');
+      expect(res.isError).toBe(true);
+      expect(res.content[0].text).toContain('READ-ONLY');
+    } finally {
+      if (original === undefined) delete process.env.WP_READ_ONLY;
+      else process.env.WP_READ_ONLY = original;
+    }
+  });
+
+  it('SUCCESS — filter by status', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess([order1]);
+
+    const res = await call('wc_list_orders', { status: 'processing' });
+    const data = parseResult(res);
+    expect(data.orders[0].status).toBe('processing');
+
+    // Verify the fetch URL contained the status param
+    const fetchUrl = fetch.mock.calls[0][0];
+    expect(fetchUrl).toContain('status=processing');
+  });
+});
+
+// =========================================================================
+// wc_get_order
+// =========================================================================
+
+describe('wc_get_order', () => {
+  it('SUCCESS — returns full order details', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess(order1);
+
+    const res = await call('wc_get_order', { id: 500 });
+    const data = parseResult(res);
+
+    expect(data.id).toBe(500);
+    expect(data.billing.first_name).toBe('John');
+    expect(data.payment_method).toBe('stripe');
+    expect(data.line_items).toHaveLength(2);
+  });
+
+  it('ERROR — order not found (404)', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockError(404, '{"code":"woocommerce_rest_shop_order_invalid_id","message":"Invalid ID."}');
+
+    const res = await call('wc_get_order', { id: 999 });
+    expect(res.isError).toBe(true);
+    expect(res.content[0].text).toContain('404');
+  });
+});
+
+// =========================================================================
+// wc_list_customers
+// =========================================================================
+
+describe('wc_list_customers', () => {
+  it('SUCCESS — returns customer list', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess([customer1]);
+
+    const res = await call('wc_list_customers');
+    const data = parseResult(res);
+
+    expect(data.total).toBe(1);
+    expect(data.customers[0].id).toBe(10);
+    expect(data.customers[0].first_name).toBe('John');
+    expect(data.customers[0].email).toBe('john@example.com');
+    expect(data.customers[0].orders_count).toBe(5);
+    expect(data.customers[0].total_spent).toBe('350.00');
+  });
+
+  it('BLOCKED — WP_READ_ONLY prevents access', async () => {
+    const original = process.env.WP_READ_ONLY;
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const res = await call('wc_list_customers');
+      expect(res.isError).toBe(true);
+      expect(res.content[0].text).toContain('READ-ONLY');
+    } finally {
+      if (original === undefined) delete process.env.WP_READ_ONLY;
+      else process.env.WP_READ_ONLY = original;
+    }
+  });
+});
+
+// =========================================================================
+// wc_price_guardrail
+// =========================================================================
+
+describe('wc_price_guardrail', () => {
+  it('SAFE — price change within default threshold (20%)', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess({ id: 101, name: 'T-Shirt', price: '100.00' });
+
+    const res = await call('wc_price_guardrail', { product_id: 101, new_price: 110 });
+    const data = parseResult(res);
+
+    expect(data.safe).toBe(true);
+    expect(data.current_price).toBe(100);
+    expect(data.new_price).toBe(110);
+    expect(data.change_percent).toBe(10);
+    expect(data.message).toContain('within threshold');
+
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wc_price_guardrail');
+    expect(entry).toBeDefined();
+    expect(entry.action).toBe('price_check');
+  });
+
+  it('UNSAFE — price change exceeds threshold', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess({ id: 101, name: 'T-Shirt', price: '100.00' });
+
+    const res = await call('wc_price_guardrail', { product_id: 101, new_price: 150 });
+    const data = parseResult(res);
+
+    expect(data.safe).toBe(false);
+    expect(data.change_percent).toBe(50);
+    expect(data.requires_confirmation).toBe(true);
+    expect(data.message).toContain('exceeds threshold');
+  });
+
+  it('CUSTOM THRESHOLD — respects threshold_percent param', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockSuccess({ id: 101, name: 'T-Shirt', price: '100.00' });
+
+    const res = await call('wc_price_guardrail', { product_id: 101, new_price: 108, threshold_percent: 5 });
+    const data = parseResult(res);
+
+    expect(data.safe).toBe(false);
+    expect(data.change_percent).toBe(8);
+    expect(data.message).toContain('5%');
+  });
+
+  it('ERROR — product not found', async () => {
+    _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+    mockError(404, '{"code":"woocommerce_rest_product_invalid_id","message":"Invalid ID."}');
+
+    const res = await call('wc_price_guardrail', { product_id: 999, new_price: 50 });
+    expect(res.isError).toBe(true);
+    expect(res.content[0].text).toContain('404');
+  });
+
+  it('NOT blocked by WP_READ_ONLY (analysis only)', async () => {
+    const original = process.env.WP_READ_ONLY;
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      _testSetTarget('shop', { url: 'https://shop.example.com', username: 'u', password: 'p' });
+      mockSuccess({ id: 101, name: 'T-Shirt', price: '100.00' });
+
+      const res = await call('wc_price_guardrail', { product_id: 101, new_price: 110 });
+      expect(res.isError).toBeUndefined();
+      const data = parseResult(res);
+      expect(data.safe).toBe(true);
+    } finally {
+      if (original === undefined) delete process.env.WP_READ_ONLY;
+      else process.env.WP_READ_ONLY = original;
+    }
+  });
+});