npm - @adsim/wordpress-mcp-server - Versions diffs - 3.1.0 → 4.4.0 - Mend

@adsim/wordpress-mcp-server 3.1.0 → 4.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/README.md +543 -176
package/dxt/manifest.json +86 -9
package/index.js +3156 -36
package/package.json +1 -1
package/src/confirmationToken.js +64 -0
package/src/contentAnalyzer.js +476 -0
package/src/htmlParser.js +80 -0
package/src/linkUtils.js +158 -0
package/src/utils/contentCompressor.js +116 -0
package/src/woocommerceClient.js +88 -0
package/tests/unit/contentAnalyzer.test.js +397 -0
package/tests/unit/tools/analyzeEeatSignals.test.js +192 -0
package/tests/unit/tools/approval.test.js +251 -0
package/tests/unit/tools/auditCanonicals.test.js +149 -0
package/tests/unit/tools/auditHeadingStructure.test.js +150 -0
package/tests/unit/tools/auditMediaSeo.test.js +123 -0
package/tests/unit/tools/auditOutboundLinks.test.js +175 -0
package/tests/unit/tools/auditTaxonomies.test.js +173 -0
package/tests/unit/tools/contentCompressor.test.js +320 -0
package/tests/unit/tools/contentIntelligence.test.js +2168 -0
package/tests/unit/tools/destructive.test.js +246 -0
package/tests/unit/tools/findBrokenInternalLinks.test.js +222 -0
package/tests/unit/tools/findKeywordCannibalization.test.js +183 -0
package/tests/unit/tools/findOrphanPages.test.js +145 -0
package/tests/unit/tools/findThinContent.test.js +145 -0
package/tests/unit/tools/internalLinks.test.js +283 -0
package/tests/unit/tools/perTargetControls.test.js +228 -0
package/tests/unit/tools/site.test.js +6 -1
package/tests/unit/tools/woocommerce.test.js +344 -0
package/tests/unit/tools/woocommerceIntelligence.test.js +341 -0
package/tests/unit/tools/woocommerceWrite.test.js +323 -0

package/README.md CHANGED Viewed

@@ -1,33 +1,35 @@
 # WordPress MCP Server
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Node.js](https://img.shields.io/badge/Node.js-18%2B-green)](https://nodejs.org/)
-[![MCP SDK](https://img.shields.io/badge/MCP_SDK-1.8%2B-blue)](https://modelcontextprotocol.io/)
-[![Tests](https://img.shields.io/badge/Tests-171%20passed-brightgreen)]()
+[![Node.js](https://img.shields.io/badge/Node.js-%3E%3D18-green.svg)](https://nodejs.org/)
+[![MCP SDK](https://img.shields.io/badge/MCP-SDK-blue.svg)](https://github.com/anthropics/mcp)
+[![Tests](https://img.shields.io/badge/tests-613%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
+[![npm](https://img.shields.io/npm/v/@adsim/wordpress-mcp-server.svg)](https://www.npmjs.com/package/@adsim/wordpress-mcp-server)
-Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free
+**Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free**
 The enterprise governance layer for Claude-to-WordPress integrations — secure, auditable, and multi-site.
-**v2.2.0 Enterprise · 35 tools · 171 Vitest tests · GitHub Actions CI · SEO metadata · Plugin & theme management · Revision control · Execution controls · JSON audit trail · Multi-site targeting**
+**v4.4.0 Enterprise** · 79 tools · 613 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting
 ---
 ## Architecture
 ```
 ┌─────────────────────────┐
 │     Claude Client       │  Claude Desktop · Claude Code · Any MCP client
 └────────────┬────────────┘
-             │ MCP Protocol (stdio)
+             │ MCP Protocol (stdio or HTTP Streamable)
 ┌────────────▼────────────┐
 │  WordPress MCP Server   │  Node.js · Standalone · No WordPress plugin
 ├─────────────────────────┤
 │  Execution Controls     │  Read-only · Draft-only · Plugin mgmt · Type/status allowlists
 ├─────────────────────────┤
-│  Audit Logging          │  JSON on stderr · 35 instrumentation points
+│  Audit Logging          │  JSON on stderr · 79 instrumentation points
 ├─────────────────────────┤
 │  Rate Limiting          │  Client-side · Configurable per-minute cap
+├─────────────────────────┤
+│  HTTP Transport         │  Bearer auth · Session management · Origin validation
 └────────────┬────────────┘
              │ HTTPS + WordPress Application Password (Basic Auth over TLS)
 ┌────────────▼────────────┐
@@ -37,7 +39,7 @@ The enterprise governance layer for Claude-to-WordPress integrations — secure,
 ## Why This Server
-Most WordPress MCP servers focus on what you *can* do. This one focuses on what you *should be allowed* to do — and who can verify it happened.
+Most WordPress MCP servers focus on what you can do. This one focuses on what you **should be allowed to do** — and who can verify it happened.
 In regulated environments — financial services, healthcare, legal, government — AI-powered content operations need guardrails. This server provides them out of the box: read-only mode for monitoring, draft-only mode for review workflows, structured audit logs for compliance, and multi-site management for agencies operating across client portfolios.
@@ -56,7 +58,7 @@ This server is designed for safe operation in production environments:
 ## Data Retention
-The server does not store or persist WordPress content. All processing is stateless — content flows through the server and is never cached, written to disk, or retained in memory beyond the scope of a single tool invocation. Audit logs are emitted to stderr in real-time and can be disabled (WP_AUDIT_LOG=off) or redirected to any logging pipeline based on deployment requirements. Zero data retention by design.
+The server does not store or persist WordPress content. All processing is stateless — content flows through the server and is never cached, written to disk, or retained in memory beyond the scope of a single tool invocation. Audit logs are emitted to stderr in real-time and can be disabled (`WP_AUDIT_LOG=off`) or redirected to any logging pipeline based on deployment requirements. Zero data retention by design.
 ---
@@ -68,9 +70,18 @@ The server does not store or persist WordPress content. All processing is statel
 - WordPress site with REST API enabled (default since WP 4.7)
 - WordPress Application Password (WP 5.6+)
 - HTTPS endpoint (required for production)
+- WooCommerce 3.5+ (optional, for WooCommerce tools)
+### Install from npm (recommended)
+```bash
+# Run directly — no install needed
+npx -y @adsim/wordpress-mcp-server
-### Install
+# Or install globally
+npm install -g @adsim/wordpress-mcp-server
+```
+### Install from GitHub
 ```bash
 git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
 cd wordpress-mcp-server
@@ -80,11 +91,14 @@ npm install
 ### Configure
 Create a `.env` file:
-```bash
+```env
 WP_API_URL=https://yoursite.com
 WP_API_USERNAME=your-username
 WP_API_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
+# Optional: WooCommerce (generate at WooCommerce → Settings → Advanced → REST API)
+WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ```
 To generate an Application Password: WordPress Admin → Users → Profile → Application Passwords → Add New.
@@ -93,15 +107,14 @@ To generate an Application Password: WordPress Admin → Users → Profile → A
 Add to `claude_desktop_config.json`:
-**macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`
-**Windows:** `%APPDATA%\Claude\claude_desktop_config.json`
+- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
 ```json
 {
   "mcpServers": {
     "wordpress": {
-      "command": "node",
-      "args": ["/path/to/wordpress-mcp-server/index.js"],
+      "command": "npx",
+      "args": ["-y", "@adsim/wordpress-mcp-server"],
       "env": {
         "WP_API_URL": "https://yoursite.com",
         "WP_API_USERNAME": "your-username",
@@ -113,139 +126,319 @@ Add to `claude_desktop_config.json`:
 ```
 ### Connect to Claude Code
 ```bash
 claude mcp add wordpress \
   -e WP_API_URL=https://yoursite.com \
   -e WP_API_USERNAME=your-username \
   -e WP_API_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx" \
-  -- node /path/to/wordpress-mcp-server/index.js
+  -- npx -y @adsim/wordpress-mcp-server
+```
+---
+## HTTP Streamable Transport
+> **New in v3.0.0** — Run the server over HTTP instead of (or alongside) stdio, following the MCP spec 2025-03-26.
+### Start in HTTP mode
+```bash
+MCP_TRANSPORT=http \
+MCP_HTTP_PORT=3000 \
+MCP_AUTH_TOKEN=your-secret-token \
+WP_API_URL=https://yoursite.com \
+WP_API_USERNAME=your-username \
+WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
+npx -y @adsim/wordpress-mcp-server
+```
+### Dual mode (stdio + HTTP simultaneously)
+```bash
+MCP_TRANSPORT=http \
+MCP_DUAL_MODE=true \
+MCP_AUTH_TOKEN=your-secret-token \
+npx -y @adsim/wordpress-mcp-server
+```
+### HTTP environment variables
+| Variable | Default | Description |
+|---|---|---|
+| `MCP_TRANSPORT` | `stdio` | Set to `http` to enable HTTP Streamable transport |
+| `MCP_HTTP_PORT` | `3000` | HTTP server port |
+| `MCP_HTTP_HOST` | `127.0.0.1` | Bind address |
+| `MCP_AUTH_TOKEN` | _(none)_ | Bearer token for authentication (required in HTTP mode) |
+| `MCP_ALLOWED_ORIGINS` | _(none)_ | Comma-separated allowed origins (anti-DNS-rebinding) |
+| `MCP_SESSION_TIMEOUT_MS` | `3600000` | Session TTL in milliseconds (1 hour) |
+| `MCP_DUAL_MODE` | `false` | Run stdio and HTTP transports simultaneously |
+### Health check
+```bash
+curl http://localhost:3000/health
+# → { "status": "ok", "version": "4.4.0", "transport": "http" }
+```
+### Connect an MCP client via HTTP
+```json
+{
+  "mcpServers": {
+    "wordpress-http": {
+      "url": "http://localhost:3000/mcp",
+      "headers": {
+        "Authorization": "Bearer your-secret-token"
+      }
+    }
+  }
+}
+```
+---
+## MCPB Bundle — Claude Desktop One-Click Install
+> **New in v3.1.0** — Package the server as a `.mcpb` bundle for Claude Desktop distribution.
+The bundle stores WordPress credentials securely in the OS keychain (`sensitive: true`) — no manual JSON editing required.
+### Build the bundle
+```bash
+npm run build:mcpb
+# → wordpress-mcp-server.mcpb
 ```
+### Install in Claude Desktop
+Double-click `wordpress-mcp-server.mcpb` — Claude Desktop will prompt for:
+- WordPress Site URL
+- WordPress Username
+- WordPress Application Password _(stored in OS keychain)_
 ---
-## Available Tools (35)
+## Available Tools (79)
 ### Content Management
 | Tool | Description |
-|------|-------------|
-| wp_list_posts | List posts with pagination, filtering by status/category/tag/author, and search |
-| wp_get_post | Get a post by ID with full content, meta fields, and taxonomy info |
-| wp_create_post | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
-| wp_update_post | Update any post field. Only provided fields are modified |
-| wp_delete_post | Move to trash by default. Permanent deletion requires force=true |
-| wp_search | Full-text search across all content types |
-| wp_list_pages | List pages with hierarchy (parent/child), templates, and menu order |
-| wp_get_page | Get page content, template, and hierarchy info |
-| wp_create_page | Create a page with parent, template, and menu_order support |
-| wp_update_page | Update any page field |
+|---|---|
+| `wp_list_posts` | List posts with pagination, filtering by status/category/tag/author, and search |
+| `wp_get_post` | Get a post by ID with full content, meta fields, and taxonomy info |
+| `wp_create_post` | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
+| `wp_update_post` | Update any post field. Only provided fields are modified |
+| `wp_delete_post` | Move to trash by default. Permanent deletion requires `force=true`. Returns confirmation token when `WP_CONFIRM_DESTRUCTIVE=true` |
+| `wp_search` | Full-text search across all content types |
+| `wp_list_pages` | List pages with hierarchy (parent/child), templates, and menu order |
+| `wp_get_page` | Get page content, template, and hierarchy info |
+| `wp_create_page` | Create a page with parent, template, and menu_order support |
+| `wp_update_page` | Update any page field |
 ### Media Library
 | Tool | Description |
-|------|-------------|
-| wp_list_media | Browse media with type filtering (image/video/audio/document) |
-| wp_get_media | Get URL, dimensions, alt text, caption, and all available sizes |
-| wp_upload_media | Upload a file from a public URL to the WordPress media library |
+|---|---|
+| `wp_list_media` | Browse media with type filtering (image/video/audio/document) |
+| `wp_get_media` | Get URL, dimensions, alt text, caption, and all available sizes |
+| `wp_upload_media` | Upload a file from a public URL to the WordPress media library |
 ### Taxonomies & Structure
 | Tool | Description |
-|------|-------------|
-| wp_list_categories | List categories with hierarchy, post count, and descriptions |
-| wp_list_tags | List tags with post count |
-| wp_create_taxonomy_term | Create a new category or tag |
-| wp_list_post_types | Discover all registered post types (including custom ones) |
-| wp_list_custom_posts | List content from any custom post type (products, portfolio, events) |
+|---|---|
+| `wp_list_categories` | List categories with hierarchy, post count, and descriptions |
+| `wp_list_tags` | List tags with post count |
+| `wp_create_taxonomy_term` | Create a new category or tag |
+| `wp_list_post_types` | Discover all registered post types (including custom ones) |
+| `wp_list_custom_posts` | List content from any custom post type (products, portfolio, events) |
 ### Engagement
 | Tool | Description |
-|------|-------------|
-| wp_list_comments | List comments with filtering by post, status, and author |
-| wp_create_comment | Create a comment or reply on any post |
-| wp_list_users | List users with roles (read-only) |
+|---|---|
+| `wp_list_comments` | List comments with filtering by post, status, and author |
+| `wp_create_comment` | Create a comment or reply on any post |
+| `wp_list_users` | List users with roles (read-only) |
 ### SEO Metadata
 | Tool | Description |
-|------|-------------|
-| wp_get_seo_meta | Read SEO title, description, focus keyword, canonical, robots, Open Graph. Auto-detects Yoast, RankMath, SEOPress, All in One SEO |
-| wp_update_seo_meta | Update SEO metadata with automatic plugin detection |
-| wp_audit_seo | Bulk audit SEO across posts/pages with quality scoring (0-100), missing fields detection, and length checks |
+|---|---|
+| `wp_get_seo_meta` | Read SEO title, description, focus keyword, canonical, robots, Open Graph. Auto-detects Yoast, RankMath, SEOPress, All in One SEO |
+| `wp_update_seo_meta` | Update SEO metadata with automatic plugin detection |
+| `wp_audit_seo` | Bulk audit SEO across posts/pages with quality scoring (0-100), missing fields detection, and length checks |
 SEO metadata updates are subject to the same enterprise controls and execution policies as all other write operations.
+### SEO Audit Suite
+> **New in v4.0–v4.2** — Deep technical SEO analysis without requiring any WordPress plugin.
+| Tool | Description |
+|---|---|
+| `wp_audit_media_seo` | Audit media library for missing alt text, short alt text, and unoptimized filenames. Returns per-image scores and prioritized fix list |
+| `wp_find_orphan_pages` | Identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list |
+| `wp_audit_heading_structure` | Analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2 |
+| `wp_find_thin_content` | Surface posts below a configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure |
+| `wp_audit_canonicals` | Validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, and cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO |
+| `wp_analyze_eeat_signals` | Score E-E-A-T signals per post: author bio presence, publication/update dates, outbound citations, word count, structured data markers. Returns a 0-100 score with a breakdown by dimension |
+| `wp_find_broken_internal_links` | Check all internal links in a post via HEAD requests. Returns broken (4xx/5xx), redirected (3xx), and slow links. Configurable batch size and timeout |
+| `wp_find_keyword_cannibalization` | Detect posts sharing the same RankMath/Yoast/SEOPress/AIOSEO focus keyword. Groups conflicts by keyword and flags the weakest post by word count |
+| `wp_audit_taxonomies` | Identify taxonomy bloat: unused categories/tags, near-duplicate terms via Levenshtein distance, single-post terms, and over-tagged posts |
+| `wp_audit_outbound_links` | Analyze external link profile per post. Detects links to low-authority domains, missing rel="nofollow" on sponsored links, and broken external URLs |
+All SEO audit tools are read-only and always allowed regardless of governance flags.
+### Content Intelligence
+> **New in v4.4.0** — Deep content analysis and editorial intelligence without any WordPress plugin.
+| Tool | Description |
+|---|---|
+| `wp_get_content_brief` | Editorial brief aggregator: SEO + structure + links in 1 call |
+| `wp_extract_post_outline` | H1-H6 outline extraction with category-level pattern analysis |
+| `wp_audit_readability` | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis |
+| `wp_audit_update_frequency` | Outdated content detection cross-referenced with SEO scores |
+| `wp_build_link_map` | Internal link matrix with simplified PageRank scoring (0-100) |
+| `wp_audit_anchor_texts` | Anchor text diversity audit: generic, over-optimized, image link detection |
+| `wp_audit_schema_markup` | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) |
+| `wp_audit_content_structure` | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images |
+| `wp_find_duplicate_content` | TF-IDF cosine similarity for near-duplicate detection with union-find clustering |
+| `wp_find_content_gaps` | Taxonomy under-representation analysis (categories + tags) |
+| `wp_extract_faq_blocks` | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns |
+| `wp_audit_cta_presence` | CTA detection (6 types) with scoring 0-100 |
+| `wp_extract_entities` | Regex/heuristic named entity extraction (brands, locations, persons, organizations) |
+| `wp_get_publishing_velocity` | Publication cadence by author/category with trend detection |
+| `wp_compare_revisions_diff` | Textual diff between revisions with amplitude scoring |
+| `wp_list_posts_by_word_count` | Posts sorted by length with 6-tier segmentation |
+All Content Intelligence tools are read-only and always allowed regardless of governance flags.
 ### Plugins
 | Tool | Description |
-|------|-------------|
-| wp_list_plugins | List installed plugins with status, version, author. Requires Administrator (activate_plugins capability) |
-| wp_activate_plugin | Activate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
-| wp_deactivate_plugin | Deactivate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
+|---|---|
+| `wp_list_plugins` | List installed plugins with status, version, author. Requires Administrator (`activate_plugins` capability) |
+| `wp_activate_plugin` | Activate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
+| `wp_deactivate_plugin` | Deactivate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
 ### Themes
 | Tool | Description |
-|------|-------------|
-| wp_list_themes | List installed themes with active theme detection. Requires `switch_themes` capability |
-| wp_get_theme | Get theme details by stylesheet slug |
+|---|---|
+| `wp_list_themes` | List installed themes with active theme detection. Requires `switch_themes` capability |
+| `wp_get_theme` | Get theme details by stylesheet slug |
 ### Revisions
 | Tool | Description |
-|------|-------------|
-| wp_list_revisions | List revisions of a post or page (metadata only) |
-| wp_get_revision | Get a specific revision with full content |
-| wp_restore_revision | Restore a post to a previous revision (plugin-free 2-step approach) |
-| wp_delete_revision | Permanently delete a revision. Blocked by `WP_READ_ONLY` and `WP_DISABLE_DELETE` |
+|---|---|
+| `wp_list_revisions` | List revisions of a post or page (metadata only) |
+| `wp_get_revision` | Get a specific revision with full content |
+| `wp_restore_revision` | Restore a post to a previous revision (plugin-free 2-step approach) |
+| `wp_delete_revision` | Permanently delete a revision. Blocked by `WP_READ_ONLY`, `WP_DISABLE_DELETE`, and `WP_CONFIRM_DESTRUCTIVE` |
+### Editorial Workflow
+> **New in v3.2.0** — Approval workflow for regulated content operations.
+| Tool | Description |
+|---|---|
+| `wp_submit_for_review` | Transition a draft post to pending status (author action). Blocked by `WP_READ_ONLY` |
+| `wp_approve_post` | Transition a pending post to publish (editor/admin action). Blocked by `WP_READ_ONLY` and `WP_DRAFT_ONLY` |
+| `wp_reject_post` | Return a pending post to draft with a mandatory rejection reason (editor/admin action). Blocked by `WP_READ_ONLY` |
+The approval workflow is enforced by `WP_REQUIRE_APPROVAL=true`, which blocks direct publish via `wp_update_post` and forces the draft → pending → publish path.
+### Internal Link Intelligence
+> **New in v3.3.0** — Audit and improve internal linking without auto-insertion.
+| Tool | Description |
+|---|---|
+| `wp_analyze_links` | Audit all internal and external links in a post. HEAD request verification per link (broken/warning/unknown). Configurable max checks and timeout |
+| `wp_suggest_internal_links` | Semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts |
+Pre-flight linking workflow: `wp_suggest_internal_links` → user validates → `wp_update_post` (never auto-insert).
+### WooCommerce
+> **New in v3.4.0–v3.6.0** — Full WooCommerce integration with read, intelligence, and write operations.
+Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` environment variables. Generate API keys at WooCommerce → Settings → Advanced → REST API.
+| Tool | Description |
+|---|---|
+| `wc_list_products` | List products with filtering by status, category, search, and sorting by price/popularity |
+| `wc_get_product` | Get a product by ID with full details. Includes variations summary for variable products |
+| `wc_list_orders` | List orders with filtering by status, customer, and date |
+| `wc_get_order` | Get an order by ID with line items, shipping, billing, and payment details |
+| `wc_list_customers` | List customers with search and role filtering |
+| `wc_get_customer` | Get a customer by ID with full profile, order history summary, and lifetime value |
+| `wc_list_coupons` | List coupons with filtering by type, expiry status, and usage |
+| `wc_get_coupon` | Get a coupon by ID with full discount rules and usage statistics |
+| `wc_sales_report` | Generate sales summary for a date range: revenue, orders, average order value, top products |
+| `wc_top_products` | Rank products by revenue, quantity sold, or order count for a given period |
+| `wc_price_guardrail` | Analyze a price change for safety (read-only). Returns safe/unsafe based on configurable threshold percentage |
+| `wc_update_product` | Update product fields (title, description, price, stock, status). Blocked by `WP_READ_ONLY` and subject to `wc_price_guardrail` thresholds |
+| `wc_update_order_status` | Transition order status (e.g., processing → completed). Blocked by `WP_READ_ONLY` |
+All WooCommerce write tools are blocked by `WP_READ_ONLY`. `wc_price_guardrail` is always allowed — it never modifies data.
 ### Operations
 | Tool | Description |
-|------|-------------|
-| wp_set_target | Switch active WordPress site in multi-target mode |
-| wp_site_info | Site info, current user, post types, enterprise controls, and available targets |
+|---|---|
+| `wp_set_target` | Switch active WordPress site in multi-target mode |
+| `wp_site_info` | Site info, current user, post types, enterprise controls, and available targets |
 ---
 ## Enterprise Controls
-Configure execution policy via environment variables. All restrictions are enforced before any API call is made — including SEO metadata and plugin operations.
+Configure execution policy via environment variables. All restrictions are enforced before any API call is made — including SEO metadata, plugin operations, and WooCommerce writes.
 | Control | Default | Effect |
-|---------|---------|--------|
-| WP_READ_ONLY | false | Blocks all write operations (create, update, delete, upload, SEO updates, plugin management) |
-| WP_DRAFT_ONLY | false | Restricts to draft and pending statuses only |
-| WP_DISABLE_DELETE | false | Blocks all delete operations (posts + revisions) |
-| WP_DISABLE_PLUGIN_MANAGEMENT | false | Blocks plugin activate/deactivate (list still allowed) |
-| WP_ALLOWED_TYPES | all | Restricts to specific post types (e.g., post,page) |
-| WP_ALLOWED_STATUSES | all | Restricts to specific statuses (e.g., draft,pending) |
-| WP_MAX_CALLS_PER_MINUTE | unlimited | Client-side rate limiting |
-| WP_AUDIT_LOG | on | Structured JSON audit trail |
+|---|---|---|
+| `WP_READ_ONLY` | `false` | Blocks all write operations (create, update, delete, upload, SEO updates, plugin management, WooCommerce writes) |
+| `WP_DRAFT_ONLY` | `false` | Restricts to draft and pending statuses only |
+| `WP_DISABLE_DELETE` | `false` | Blocks all delete operations (posts + revisions) |
+| `WP_DISABLE_PLUGIN_MANAGEMENT` | `false` | Blocks plugin activate/deactivate (list still allowed) |
+| `WP_REQUIRE_APPROVAL` | `false` | Blocks direct publish via `wp_update_post`. Forces draft → pending → publish approval workflow |
+| `WP_CONFIRM_DESTRUCTIVE` | `false` | Requires a token confirmation before `wp_delete_post` and `wp_delete_revision` execute |
+| `WP_ALLOWED_TYPES` | `all` | Restricts to specific post types (e.g., `post,page`) |
+| `WP_ALLOWED_STATUSES` | `all` | Restricts to specific statuses (e.g., `draft,pending`) |
+| `WP_MAX_CALLS_PER_MINUTE` | unlimited | Client-side rate limiting |
+| `WP_AUDIT_LOG` | `on` | Structured JSON audit trail |
+### Destructive confirmation flow
+When `WP_CONFIRM_DESTRUCTIVE=true`, `wp_delete_post` and `wp_delete_revision` return a stateless confirmation token on the first call instead of executing. The token is valid for 60 seconds (SHA-256, zero persistence). Pass the token back on a second call to confirm execution.
+Governance priority order: `WP_READ_ONLY` → `WP_DISABLE_DELETE` → `WP_CONFIRM_DESTRUCTIVE`
 ### Deployment profiles
 **Agency content production** — writers can create and edit, but never publish or delete:
-```bash
+```env
 WP_DRAFT_ONLY=true
 WP_DISABLE_DELETE=true
 WP_ALLOWED_STATUSES=draft,pending
 WP_MAX_CALLS_PER_MINUTE=30
 ```
-**Compliance monitoring** — read-only access for auditing existing content:
+**Editorial review workflow** — forces human approval before publication:
+```env
+WP_REQUIRE_APPROVAL=true
+WP_DISABLE_DELETE=true
+WP_AUDIT_LOG=on
+```
-```bash
+**Compliance monitoring** — read-only access for auditing existing content:
+```env
 WP_READ_ONLY=true
 WP_AUDIT_LOG=on
 ```
 **Regulated publishing** — restrict to specific content types in a controlled environment:
-```bash
+```env
 WP_ALLOWED_TYPES=post
 WP_ALLOWED_STATUSES=draft,pending,publish
 WP_DISABLE_DELETE=true
@@ -253,12 +446,18 @@ WP_AUDIT_LOG=on
 ```
 **Locked infrastructure** — content operations allowed, but no plugin/theme changes:
-```bash
+```env
 WP_DISABLE_PLUGIN_MANAGEMENT=true
 WP_DISABLE_DELETE=true
 ```
+**E-commerce safe mode** — WooCommerce read and intelligence, no writes:
+```env
+WP_READ_ONLY=true
+WC_CONSUMER_KEY=ck_xxx
+WC_CONSUMER_SECRET=cs_xxx
+```
 Blocked actions return a clear error message explaining which control prevented execution, and are logged in the audit trail with status `blocked`.
 ---
@@ -269,17 +468,17 @@ The SEO tools auto-detect which SEO plugin is installed on your WordPress site a
 Supported plugins:
-- **Yoast SEO** — _yoast_wpseo_title, _yoast_wpseo_metadesc, _yoast_wpseo_focuskw, plus yoast_head_json REST API extension
-- **RankMath** — rank_math_title, rank_math_description, rank_math_focus_keyword
-- **SEOPress** — _seopress_titles_title, _seopress_titles_desc, _seopress_analysis_target_kw
-- **All in One SEO** — _aioseo_title, _aioseo_description, _aioseo_keywords
+- **Yoast SEO** — `_yoast_wpseo_title`, `_yoast_wpseo_metadesc`, `_yoast_wpseo_focuskw`, plus `yoast_head_json` REST API extension
+- **RankMath** — `rank_math_title`, `rank_math_description`, `rank_math_focus_keyword`
+- **SEOPress** — `_seopress_titles_title`, `_seopress_titles_desc`, `_seopress_analysis_target_kw`
+- **All in One SEO** — `_aioseo_title`, `_aioseo_description`, `_aioseo_keywords`
 ### SEO Audit Scoring
 `wp_audit_seo` scores each post on a 100-point scale:
 | Check | Penalty |
-|-------|---------|
+|---|---|
 | Missing SEO title | -30 |
 | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 |
 | Missing meta description | -30 |
@@ -289,14 +488,13 @@ Supported plugins:
 ### Exposing SEO Meta Fields (Required)
-Most SEO plugins store their data in WordPress post meta fields that are **not exposed via the REST API by default**. Without this step, `wp_get_seo_meta` and `wp_audit_seo` will return empty results even though your SEO data exists in the database.
+Most SEO plugins store their data in WordPress post meta fields that are not exposed via the REST API by default. Without this step, `wp_get_seo_meta` and `wp_audit_seo` will return empty results even though your SEO data exists in the database.
 Add the following code to your theme's `functions.php` (Appearance → Theme File Editor → functions.php) or — preferably — create a custom mini-plugin (see below).
-> **Warning:** When pasting code into functions.php, make sure the file starts with exactly `<?php` — no extra characters before it. A stray character (like `<<?php`) will break the WordPress REST API by injecting invalid output before JSON responses, causing `Unexpected token '<'` errors in MCP.
+> ⚠️ **Important:** When pasting code into `functions.php`, make sure the file starts with exactly `<?php` — no extra characters before it. A stray character (like `<<?php`) will break the WordPress REST API by injecting invalid output before JSON responses, causing `Unexpected token '<'` errors in MCP.
 **RankMath:**
 ```php
 add_action( 'init', function() {
     $fields = array(
@@ -325,7 +523,6 @@ add_action( 'init', function() {
 ```
 **Yoast SEO:**
 ```php
 add_action( 'init', function() {
     $fields = array(
@@ -355,7 +552,6 @@ add_action( 'init', function() {
 ```
 **SEOPress:**
 ```php
 add_action( 'init', function() {
     $fields = array(
@@ -384,7 +580,6 @@ add_action( 'init', function() {
 ```
 **All in One SEO:**
 ```php
 add_action( 'init', function() {
     $fields = array(
@@ -412,12 +607,11 @@ add_action( 'init', function() {
 ### Alternative: MCP SEO Bridge Plugin (Recommended)
-> **Note:** Core content operations require no WordPress plugin. SEO metadata tools may require exposing meta fields via the REST API using either a theme snippet or this optional micro-plugin.
+> Note: Core content operations require no WordPress plugin. SEO metadata tools may require exposing meta fields via the REST API using either a theme snippet or this optional micro-plugin.
 Instead of modifying your theme's `functions.php` (which gets overwritten on theme updates), create a standalone micro-plugin.
 Create the file `wp-content/plugins/mcp-seo-bridge.php`:
 ```php
 <?php
 /**
@@ -431,7 +625,6 @@ Create the file `wp-content/plugins/mcp-seo-bridge.php`:
 if ( ! defined( 'ABSPATH' ) ) exit;
 add_action( 'init', function() {
-    // Auto-detect SEO plugin and register appropriate fields
     $fields = array();
     if ( defined( 'RANK_MATH_VERSION' ) ) {
@@ -479,30 +672,51 @@ Activate it from WordPress Admin → Plugins. This approach auto-detects your SE
 ### Verifying SEO Fields Are Exposed
 After adding the code, verify the fields are accessible:
 ```bash
 curl -s -u "username:application-password" \
   "https://yoursite.com/wp-json/wp/v2/posts?per_page=1" | python3 -m json.tool | grep -E "rank_math|yoast|seopress|aioseo"
 ```
-If you see your SEO fields in the meta object, the configuration is working.
+If you see your SEO fields in the `meta` object, the configuration is working.
 ### Troubleshooting SEO Fields
 | Symptom | Cause | Fix |
-|---------|-------|-----|
-| wp_audit_seo returns empty SEO data | Meta fields not exposed via REST API | Add register_post_meta() code above |
-| Unexpected token '<' on all MCP calls | Stray character before `<?php` in functions.php | Remove any characters before `<?php` |
+|---|---|---|
+| `wp_audit_seo` returns empty SEO data | Meta fields not exposed via REST API | Add `register_post_meta()` code above |
+| `Unexpected token '<'` on all MCP calls | Stray character before `<?php` in `functions.php` | Remove any characters before `<?php` |
 | SEO fields visible but all null | SEO plugin not yet configured on those posts | Set titles/descriptions in RankMath/Yoast editor |
 | No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active |
-| Fields lost after theme update | Code was in functions.php | Use the MCP SEO Bridge plugin instead |
+| Fields lost after theme update | Code was in `functions.php` | Use the MCP SEO Bridge plugin instead |
 ---
-## Testing
+## WooCommerce Setup
-171 unit tests covering all 35 tools — zero network calls, fully mocked.
+### Generate API Keys
+Go to WooCommerce → Settings → Advanced → REST API → Add key.
+Set permissions to **Read/Write** if you plan to use `wc_update_product` or `wc_update_order_status`. Set to **Read** for a read-only WooCommerce integration.
+```env
+WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+```
+### Price Guardrail
+`wc_price_guardrail` analyzes proposed price changes before any write operation. It returns `safe` or `unsafe` based on a configurable threshold (default 20%). Claude should call this tool before `wc_update_product` when modifying prices.
+```env
+WC_PRICE_GUARDRAIL_THRESHOLD=20   # percentage — changes above this require explicit override
+```
+`wc_price_guardrail` is always allowed regardless of `WP_READ_ONLY`. It never modifies data.
+---
+## Testing
+613 unit tests covering all 79 tools — zero network calls, fully mocked.
 ```bash
 npm test              # run all tests (vitest)
 npm run test:watch    # watch mode
@@ -510,20 +724,37 @@ npm run test:coverage # coverage report
 ```
 | Test file | Scope | Tests |
-|-----------|-------|-------|
-| governance.test.js | 4 governance flags + combinations | 24 |
-| posts.test.js | list, get, create, update, delete, search | 18 |
-| pages.test.js | list, get, create, update | 12 |
-| media.test.js | list, get, upload | 14 |
-| taxonomies.test.js | categories, tags, create term | 16 |
-| comments.test.js | list, create | 12 |
-| users.test.js | list | 7 |
-| search.test.js | search, post types, custom posts | 10 |
-| seo.test.js | get, update, audit | 12 |
-| plugins.test.js | list, activate, deactivate | 16 |
-| themes.test.js | list, get | 8 |
-| revisions.test.js | list, get, restore, delete | 17 |
-| site.test.js | site info, set target | 5 |
+|---|---|---|
+| `governance.test.js` | All governance flags + combinations including `WP_REQUIRE_APPROVAL` and `WP_CONFIRM_DESTRUCTIVE` | 30 |
+| `posts.test.js` | list, get, create, update, delete, search | 18 |
+| `pages.test.js` | list, get, create, update | 12 |
+| `media.test.js` | list, get, upload | 14 |
+| `taxonomies.test.js` | categories, tags, create term | 16 |
+| `comments.test.js` | list, create | 12 |
+| `users.test.js` | list | 7 |
+| `search.test.js` | search, post types, custom posts | 10 |
+| `seo.test.js` | get, update, audit | 12 |
+| `plugins.test.js` | list, activate, deactivate | 16 |
+| `themes.test.js` | list, get | 8 |
+| `revisions.test.js` | list, get, restore, delete | 17 |
+| `editorial.test.js` | submit_for_review, approve, reject | 15 |
+| `links.test.js` | analyze_links, suggest_internal_links | 16 |
+| `woocommerce.test.js` | products, orders, customers, coupons, reports, write, guardrail | 40 |
+| `auditMediaSeo.test.js` | media alt text audit, filename scoring | 12 |
+| `findOrphanPages.test.js` | inbound link detection, exclusion list | 10 |
+| `auditHeadingStructure.test.js` | H1/H2/H3 hierarchy, level skips, keyword detection | 12 |
+| `findThinContent.test.js` | word count threshold, heading density | 10 |
+| `auditCanonicals.test.js` | canonical validation, mismatch detection, multi-plugin | 12 |
+| `analyzeEeatSignals.test.js` | E-E-A-T scoring, author bio, citations, structured data | 12 |
+| `findBrokenInternalLinks.test.js` | HEAD request batching, 4xx/3xx detection | 12 |
+| `findKeywordCannibalization.test.js` | focus keyword conflicts, multi-plugin detection | 10 |
+| `auditTaxonomies.test.js` | Levenshtein duplicates, unused terms, over-tagging | 12 |
+| `auditOutboundLinks.test.js` | external link profile, nofollow detection | 10 |
+| `contentAnalyzer.test.js` | readability, TF-IDF, cosine similarity, entities, text diff | 44 |
+| `contentIntelligence.test.js` | 16 content intelligence tools: brief, outline, readability, update frequency, link map, anchor texts, schema, structure, duplicates, gaps, FAQ, CTA, entities, velocity, revisions diff, word count | 125 |
+| `site.test.js` | site info, set target | 5 |
+| `transport/http.test.js` | HTTP transport, Bearer auth, sessions | 10 |
+| `dxt/manifest.test.js` | MCPB manifest validation, 79 tools declared | 10 |
 Each test verifies: success response shape, governance blocking (write tools), HTTP error handling (403/404), and audit log entries.
@@ -532,10 +763,9 @@ Each test verifies: success response shape, governance blocking (write tools), H
 ## Structured Audit Log
 Every tool invocation is recorded as a JSON event on stderr — ready for ingestion into Datadog, Splunk, CloudWatch, Langfuse, ELK, or any JSON-compatible pipeline.
 ```json
 {
-  "timestamp": "2026-02-16T18:42:00.000Z",
+  "timestamp": "2026-02-19T18:42:00.000Z",
   "tool": "wp_create_post",
   "target": 1234,
   "target_type": "post",
@@ -548,20 +778,20 @@ Every tool invocation is recorded as a JSON event on stderr — ready for ingest
 }
 ```
-35 instrumentation points across all tools. Three status types: `success`, `error`, `blocked`.
+79 instrumentation points across all tools. Three status types: `success`, `error`, `blocked`.
 | Field | Description |
-|-------|-------------|
-| timestamp | ISO 8601 |
-| tool | Tool name invoked |
-| target | Resource ID when applicable |
-| target_type | Resource type (post, page, media, comment, category, tag, plugin, theme, revision) |
-| action | Operation: list, read, create, update, trash, permanent_delete, upload, search, switch_target, read_seo, update_seo, audit_seo, activate, deactivate, restore |
-| status | success, error, or blocked |
-| latency_ms | Execution time |
-| site | Active target name |
-| params | Sanitized parameters (content fields truncated) |
-| error | Error detail or null |
+|---|---|
+| `timestamp` | ISO 8601 |
+| `tool` | Tool name invoked |
+| `target` | Resource ID when applicable |
+| `target_type` | Resource type (post, page, media, comment, category, tag, plugin, theme, revision, product, order, customer, coupon) |
+| `action` | Operation: list, read, create, update, trash, permanent_delete, upload, search, switch_target, read_seo, update_seo, audit_seo, activate, deactivate, restore, submit_review, approve, reject, analyze_links, suggest_links, guardrail, audit_media_seo, find_orphans, audit_headings, find_thin_content, audit_canonicals, analyze_eeat, find_broken_links, find_cannibalization, audit_taxonomies, audit_outbound_links, content_brief, extract_outline, audit_readability, audit_update_frequency, build_link_map, audit_anchor_texts, audit_schema, audit_content_structure, find_duplicates, find_content_gaps, extract_faq, audit_cta, extract_entities, publishing_velocity, compare_revisions, list_by_word_count |
+| `status` | `success`, `error`, or `blocked` |
+| `latency_ms` | Execution time |
+| `site` | Active target name |
+| `params` | Sanitized parameters (content fields truncated) |
+| `error` | Error detail or null |
 ---
@@ -570,17 +800,14 @@ Every tool invocation is recorded as a JSON event on stderr — ready for ingest
 Manage multiple WordPress sites from a single server instance. Designed for agencies and multi-brand organizations.
 **Inline configuration:**
 ```bash
 WP_TARGETS_JSON='{"production":{"url":"https://mysite.com","username":"admin","password":"xxxx"},"staging":{"url":"https://staging.mysite.com","username":"editor","password":"xxxx"}}'
 ```
 **File-based configuration:**
 ```bash
 WP_TARGETS_FILE=/path/to/targets.json
 ```
 ```json
 {
   "production": {
@@ -610,46 +837,55 @@ Switch targets during a session with `wp_set_target`. All available sites and th
 The server performs a health check on startup: REST API connectivity, user authentication, and role verification. During operation: automatic retry with exponential backoff (configurable, default 3 attempts), request timeout (default 30s), rate limit handling (respects 429 + retry-after), and contextual error messages with diagnosis guidance.
 | Setting | Default | Description |
-|---------|---------|-------------|
-| WP_MCP_VERBOSE | false | Debug-level logging |
-| WP_MCP_TIMEOUT | 30000 | Request timeout (ms) |
-| WP_MCP_MAX_RETRIES | 3 | Max retry attempts |
+|---|---|---|
+| `WP_MCP_VERBOSE` | `false` | Debug-level logging |
+| `WP_MCP_TIMEOUT` | `30000` | Request timeout (ms) |
+| `WP_MCP_MAX_RETRIES` | `3` | Max retry attempts |
 ---
 ## Security
-- **HTTPS required** in production. HTTP only for localhost
-- **Application Passwords only** — never use WordPress login credentials
-- **Credentials never logged** — audit trail sanitizes all sensitive data
-- **No credentials in code** — .env or environment variables only
-- **Instant revocation** — Application Passwords can be revoked from WordPress admin
-- **Traceable requests** — custom User-Agent: WordPress-MCP-Server/2.2.0
+- HTTPS required in production. HTTP only for localhost
+- Application Passwords only — never use WordPress login credentials
+- Credentials never logged — audit trail sanitizes all sensitive data
+- No credentials in code — `.env` or environment variables only
+- Instant revocation — Application Passwords can be revoked from WordPress admin
+- Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.4.0`
+- Bearer token auth in HTTP mode — timing-safe comparison, no token in logs
+- Origin validation in HTTP mode — anti-DNS-rebinding protection
 ---
 ## Troubleshooting
 | Issue | Solution |
-|-------|----------|
-| 401 Unauthorized | Verify username and Application Password |
-| 403 Forbidden | Check WordPress user role and capabilities |
-| 404 Not Found | Verify WP_API_URL and REST API availability |
-| Unexpected token '<' | Stray character before `<?php` in functions.php — see [SEO Troubleshooting](#troubleshooting-seo-fields) |
-| Blocked: READ-ONLY mode | Disable WP_READ_ONLY to allow writes |
-| Blocked: DRAFT-ONLY mode | Only draft/pending allowed. Check WP_DRAFT_ONLY |
-| Blocked: PLUGIN MANAGEMENT | Disable WP_DISABLE_PLUGIN_MANAGEMENT to allow activate/deactivate |
-| Rate limit exceeded | Adjust WP_MAX_CALLS_PER_MINUTE |
-| Timeout | Increase WP_MCP_TIMEOUT or check server |
-| Site not found | Verify site key in WP_TARGETS_JSON or file |
+|---|---|
+| `401 Unauthorized` | Verify username and Application Password |
+| `403 Forbidden` | Check WordPress user role and capabilities |
+| `404 Not Found` | Verify `WP_API_URL` and REST API availability |
+| `Unexpected token '<'` | Stray character before `<?php` in `functions.php` — see SEO Troubleshooting |
+| `Blocked: READ-ONLY mode` | Disable `WP_READ_ONLY` to allow writes |
+| `Blocked: DRAFT-ONLY mode` | Only draft/pending allowed. Check `WP_DRAFT_ONLY` |
+| `Blocked: PLUGIN MANAGEMENT` | Disable `WP_DISABLE_PLUGIN_MANAGEMENT` to allow activate/deactivate |
+| `Blocked: APPROVAL REQUIRED` | `WP_REQUIRE_APPROVAL=true` — use `wp_submit_for_review` then `wp_approve_post` |
+| Confirmation token required | `WP_CONFIRM_DESTRUCTIVE=true` — pass the returned token on a second call within 60s |
+| `401 Unauthorized (HTTP mode)` | Set `MCP_AUTH_TOKEN` and pass `Authorization: Bearer <token>` |
+| `403 Forbidden (HTTP mode)` | Check `MCP_ALLOWED_ORIGINS` includes your client origin |
+| WooCommerce 401 | Verify `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` |
+| WooCommerce 403 | API key needs Read/Write permissions for write tools |
+| Rate limit exceeded | Adjust `WP_MAX_CALLS_PER_MINUTE` |
+| Timeout | Increase `WP_MCP_TIMEOUT` or check server |
+| Site not found | Verify site key in `WP_TARGETS_JSON` or file |
 | No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO |
-| SEO meta fields empty | Add register_post_meta() code or install MCP SEO Bridge plugin — see [Exposing SEO Meta Fields](#exposing-seo-meta-fields-required) |
+| SEO meta fields empty | Add `register_post_meta()` code or install MCP SEO Bridge plugin — see Exposing SEO Meta Fields |
+| `wp_find_broken_internal_links` slow | Reduce `batchSize` parameter or increase `timeoutMs` |
+| `wp_audit_outbound_links` empty | External HEAD requests blocked by your server firewall |
 | Server not starting | Check Node.js 18+ is installed: `node --version` |
 ---
 ## Development
 ```bash
 # Clone the repository
 git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
@@ -661,15 +897,25 @@ npm install
 # Run tests
 npm test
-# Run locally
+# Run locally (stdio)
 WP_API_URL="https://your-site.com" \
 WP_API_USERNAME="user" \
 WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
 node index.js
+# Run locally (HTTP)
+MCP_TRANSPORT=http \
+MCP_AUTH_TOKEN=dev-token \
+WP_API_URL="https://your-site.com" \
+WP_API_USERNAME="user" \
+WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
+node index.js
+# Build MCPB bundle
+npm run build:mcpb
 ```
 ### Testing with MCP Inspector
 ```bash
 npx @modelcontextprotocol/inspector node index.js
 ```
@@ -678,15 +924,137 @@ npx @modelcontextprotocol/inspector node index.js
 ## Changelog
+### v4.4.0 (2026-02-21) — Content Intelligence
+16 new read-only analysis tools for deep content intelligence without any WordPress plugin.
+**Foundations:**
+- `src/contentAnalyzer.js` — shared analysis engine: readability (Flesch-Kincaid FR), TF-IDF, cosine similarity, entity extraction, text diff, content structure detection
+- `wp_get_content_brief` — editorial brief aggregator (SEO + structure + links in 1 call)
+- `wp_extract_post_outline` — H1-H6 outline extraction with category-level pattern analysis
+**SEO Advanced:**
+- `wp_audit_readability` — bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis
+- `wp_audit_update_frequency` — outdated content detection cross-referenced with SEO scores
+- `wp_build_link_map` — internal link matrix with simplified PageRank scoring (0-100)
+**Technical Quality:**
+- `wp_audit_anchor_texts` — anchor text diversity audit: generic, over-optimized, image link detection
+- `wp_audit_schema_markup` — JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness)
+- `wp_audit_content_structure` — editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images
+**Intelligence Advanced:**
+- `wp_find_duplicate_content` — TF-IDF cosine similarity for near-duplicate detection with union-find clustering
+- `wp_find_content_gaps` — taxonomy under-representation analysis (categories + tags)
+- `wp_extract_faq_blocks` — FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns
+- `wp_audit_cta_presence` — CTA detection (6 types) with scoring 0-100
+- `wp_extract_entities` — regex/heuristic named entity extraction (brands, locations, persons, organizations)
+- `wp_get_publishing_velocity` — publication cadence by author/category with trend detection
+- `wp_compare_revisions_diff` — textual diff between revisions with amplitude scoring
+- `wp_list_posts_by_word_count` — posts sorted by length with 6-tier segmentation
+All Content Intelligence tools are read-only and always allowed regardless of governance flags.
+613 Vitest unit tests · 79 tools
+### v4.2.0 (2026-02-19) — SEO Audit Suite (Sprint 3)
+- `wp_find_broken_internal_links` — HEAD request link checker with configurable batch size and timeout. Returns broken (4xx/5xx), redirected (3xx), and slow links
+- `wp_find_keyword_cannibalization` — detect posts sharing the same focus keyword. Auto-detects RankMath/Yoast/SEOPress/AIOSEO. Groups conflicts by keyword, flags weakest post by word count
+- `wp_audit_taxonomies` — taxonomy bloat detection: unused terms, near-duplicate detection via Levenshtein distance, single-post terms, over-tagged posts
+- `wp_audit_outbound_links` — external link profile per post: low-authority domains, missing rel="nofollow", broken external URLs
+- `src/htmlParser.js` — shared HTML parsing service (parseImagesFromHtml, extractHeadings, extractInternalLinks, countWords)
+- 400 Vitest unit tests · 63 tools
+### v4.1.0 (2026-02-19) — SEO Audit Suite (Sprint 2)
+- `wp_find_thin_content` — surface posts below configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure
+- `wp_audit_canonicals` — validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO
+- `wp_analyze_eeat_signals` — E-E-A-T scoring per post (0-100): author bio presence, publication/update dates, outbound citations, word count, structured data markers
+- 368 Vitest unit tests · 59 tools
+### v4.0.0 (2026-02-19) — SEO Audit Suite (Sprint 1)
+- `wp_audit_media_seo` — audit media library for missing alt text, short alt text, unoptimized filenames. Returns per-image scores and prioritized fix list
+- `wp_find_orphan_pages` — identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list
+- `wp_audit_heading_structure` — analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2
+- All 10 SEO audit tools are read-only and always allowed regardless of governance flags
+- 340 Vitest unit tests · 56 tools
+### v3.6.0 (2026-02-19) — WooCommerce Write
+- `wc_update_product` — update product fields (title, description, price, stock, status). Integrated with `wc_price_guardrail` threshold enforcement
+- `wc_update_order_status` — transition order status (e.g., processing → completed)
+- `WC_PRICE_GUARDRAIL_THRESHOLD` — configurable price change safety threshold (default 20%)
+- All WooCommerce write tools blocked by `WP_READ_ONLY`
+- 305 Vitest unit tests · 53 tools
+### v3.5.0 (2026-02-19) — WooCommerce Intelligence
+- `wc_get_customer` — customer profile with order history summary and lifetime value
+- `wc_list_coupons` / `wc_get_coupon` — coupon management with discount rules and usage stats
+- `wc_sales_report` — revenue, orders, and average order value for a date range
+- `wc_top_products` — ranking by revenue, quantity sold, or order count
+- 287 Vitest unit tests · 50 tools
+### v3.4.0 (2026-02-19) — WooCommerce Core
+- `wc_list_products` / `wc_get_product` — product catalog with variation support
+- `wc_list_orders` / `wc_get_order` — order management with full line item detail
+- `wc_list_customers` — customer list with search and role filtering
+- `wc_price_guardrail` — read-only price change safety analysis
+- Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET`
+- 271 Vitest unit tests · 46 tools
+### v3.3.0 (2026-02-19) — Internal Link Intelligence
+- `wp_analyze_links` — audit all internal/external links in a post. HEAD request verification per link (broken/warning/unknown). Max 20 checks, configurable timeout
+- `wp_suggest_internal_links` — semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts
+- `src/linkUtils.js` — 6 shared utilities: extractInternalLinks, extractExternalLinks, checkLinkStatus, extractFocusKeyword (auto-detects RankMath/Yoast/SEOPress/AIOSEO), calculateRelevanceScore, suggestAnchorText
+- Pre-flight linking workflow: suggest → user validates → `wp_update_post` (never auto-insert)
+- 253 Vitest unit tests · 40 tools
+### v3.2.0 (2026-02-19) — Governance Workflows
+- Editorial approval workflow: `wp_submit_for_review` (draft → pending), `wp_approve_post` (pending → publish), `wp_reject_post` (pending → draft + mandatory reason)
+- New governance flag: `WP_REQUIRE_APPROVAL` — blocks direct publish, forces approval workflow
+- Two-step confirmation for destructive operations: `wp_delete_post` and `wp_delete_revision` return a stateless token (60s TTL, SHA-256) when `WP_CONFIRM_DESTRUCTIVE=true`
+- New governance flag: `WP_CONFIRM_DESTRUCTIVE` — requires explicit token confirmation before any delete
+- `src/confirmationToken.js` — stateless token system, zero persistence
+- Governance priority: `WP_READ_ONLY` → `WP_DISABLE_DELETE` → `WP_CONFIRM_DESTRUCTIVE`
+- 225 Vitest unit tests · 38 tools
+### v3.1.0 (2026-02-19) — MCPB Bundle
+- `dxt/manifest.json` — MCPB v0.3 spec, 35 tools declared
+- WordPress credentials stored in OS keychain (`sensitive: true`)
+- `npm run build:mcpb` — build script for `.mcpb` distribution
+- 10 new manifest validation tests (201 total)
+- Published to npm: `npx -y @adsim/wordpress-mcp-server@3.1.0`
+### v3.0.0 (2026-02-19) — HTTP Streamable Transport
+- HTTP Streamable transport (MCP spec 2025-03-26) via `MCP_TRANSPORT=http`
+- Bearer token authentication with timing-safe comparison (`MCP_AUTH_TOKEN`)
+- Session management via `Mcp-Session-Id` header (UUID v4)
+- Origin header validation (anti-DNS-rebinding)
+- Health endpoint `GET /health`
+- Dual mode `MCP_DUAL_MODE=true` — stdio + HTTP simultaneously
+- Graceful shutdown SIGTERM/SIGINT across both transports
+- 10 new HTTP/auth unit tests (191 total)
+- Published to npm: `@adsim/wordpress-mcp-server`
 ### v2.2.0 (2026-02-19) — Enterprise Edition
-- **9 new tools**: plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
-- **New governance flag**: `WP_DISABLE_PLUGIN_MANAGEMENT`
-- **171 Vitest unit tests** covering all 35 tools (governance, success, 403/404, audit logs)
-- **GitHub Actions CI** workflow
+- 9 new tools: plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
+- New governance flag: `WP_DISABLE_PLUGIN_MANAGEMENT`
+- 171 Vitest unit tests covering all 35 tools (governance, success, 403/404, audit logs)
+- GitHub Actions CI workflow
 - Governance functions read env at call time for testability
 - Exported `handleToolCall` for direct testing
 ### v2.1.0 (2026-02-16)
 - Enterprise governance controls (read-only, draft-only, type/status allowlists)
 - Structured JSON audit trail (27 instrumentation points)
 - Multi-target site management
@@ -695,26 +1063,25 @@ npx @modelcontextprotocol/inspector node index.js
 - Health checks, retry with backoff, rate limiting
 ### v1.0.0 (2025-10-17)
 - Initial release — JavaScript, 5 tools (list, get, create, update, search posts)
 ---
 ## Roadmap
-### v2.3 — Governance Workflows
-- Approval workflow: draft → human review → publish
-- Confirmation step for destructive actions
-- Per-target enterprise controls
+### v4.5 — GSC Integration
+- `wp_get_gsc_performance` — Google Search Console API (clicks, impressions, position, CTR per URL)
+- `wp_find_quick_win_keywords` — surface keywords ranking positions 11–20 for targeted updates
+- `wp_seo_content_decay` — cross-reference GSC traffic loss with content age to prioritize refresh candidates
-### v2.4 — Extended Integrations
-- OAuth 2.0 / JWT authentication
-- WooCommerce support (products, orders)
-- Media management (bulk, transforms)
+### v4.6 — Redirect Intelligence
+- `wp_create_redirect` — create 301 redirects via Redirection plugin or RankMath/Yoast Redirects. Auto-triggered governance hook when `wp_update_post` changes a slug
+- `wp_list_404_errors` — surface recent 404s from Redirection plugin log
-### v2.5 — Distribution
-- npm: `npx @adsim/wordpress-mcp-server`
+### v4.7 — OAuth & Registry
+- OAuth 2.0 / JWT authentication
 - MCP Registry submission
-- TypeScript rewrite
 ---