@adsim/wordpress-mcp-server 3.1.0 → 4.4.0

package/tests/unit/tools/destructive.test.js

@@ -0,0 +1,246 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../../index.js';
+import { generateToken, validateToken } from '../../../src/confirmationToken.js';
+import { mockSuccess, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+// ────────────────────────────────────────────────────────────
+// Token unit tests
+// ────────────────────────────────────────────────────────────
+
+describe('generateToken', () => {
+  it('returns correct format mcp_{action}_{postId}_{timestamp}_{hash4}', () => {
+    const token = generateToken(42, 'trash');
+    const parts = token.split('_');
+
+    expect(token).toMatch(/^mcp_trash_42_\d+_[a-f0-9]{4}$/);
+    expect(parts[0]).toBe('mcp');
+    expect(parts[1]).toBe('trash');
+    expect(parts[2]).toBe('42');
+    expect(parts[3]).toMatch(/^\d+$/);
+    expect(parts[4]).toMatch(/^[a-f0-9]{4}$/);
+  });
+});
+
+describe('validateToken', () => {
+  it('accepts a valid token', () => {
+    const token = generateToken(10, 'trash');
+    const result = validateToken(token, 10, 'trash');
+
+    expect(result.valid).toBe(true);
+    expect(result.reason).toBeUndefined();
+  });
+
+  it('rejects an expired token', () => {
+    // Generate token, then mock Date.now to be 120s later
+    const token = generateToken(10, 'trash');
+    const originalNow = Date.now;
+    Date.now = () => originalNow() + 120_000; // 120s later
+    try {
+      const result = validateToken(token, 10, 'trash', 60);
+
+      expect(result.valid).toBe(false);
+      expect(result.reason).toBe('Token expired');
+    } finally {
+      Date.now = originalNow;
+    }
+  });
+
+  it('rejects a token with wrong postId', () => {
+    const token = generateToken(10, 'trash');
+    const result = validateToken(token, 999, 'trash');
+
+    expect(result.valid).toBe(false);
+    expect(result.reason).toBe('Token does not match post or action');
+  });
+
+  it('rejects a token with wrong action', () => {
+    const token = generateToken(10, 'trash');
+    const result = validateToken(token, 10, 'permanent_delete');
+
+    expect(result.valid).toBe(false);
+    expect(result.reason).toBe('Token does not match post or action');
+  });
+
+  it('rejects a token with altered hash', () => {
+    const token = generateToken(10, 'trash');
+    // Flip last character of hash
+    const altered = token.slice(0, -1) + (token.at(-1) === 'a' ? 'b' : 'a');
+    const result = validateToken(altered, 10, 'trash');
+
+    expect(result.valid).toBe(false);
+    expect(result.reason).toBe('Invalid token hash');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_delete_post — two-step confirmation
+// ────────────────────────────────────────────────────────────
+
+describe('wp_delete_post with WP_CONFIRM_DESTRUCTIVE=true', () => {
+  let consoleSpy;
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    process.env.WP_CONFIRM_DESTRUCTIVE = 'true';
+  });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+    delete process.env.WP_CONFIRM_DESTRUCTIVE;
+  });
+
+  it('returns confirmation_required when no token provided', async () => {
+    mockSuccess({ id: 5, title: { rendered: 'My Post' }, status: 'publish', meta: {} });
+
+    const result = await call('wp_delete_post', { id: 5 });
+    const data = parseResult(result);
+
+    expect(result.isError).toBeUndefined();
+    expect(data.status).toBe('confirmation_required');
+    expect(data.post_id).toBe(5);
+    expect(data.post_title).toBe('My Post');
+    expect(data.action).toBe('trash');
+    expect(data.confirmation_token).toMatch(/^mcp_trash_5_\d+_[a-f0-9]{4}$/);
+    expect(data.expires_in).toBe(60);
+    expect(data.message).toContain('trashed');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_post');
+    expect(entry).toBeDefined();
+    expect(entry.action).toBe('delete_requested');
+    expect(entry.status).toBe('pending');
+    expect(entry.target).toBe(5);
+  });
+
+  it('executes delete when valid token provided', async () => {
+    const token = generateToken(5, 'trash');
+    mockSuccess({ id: 5, title: { rendered: 'My Post' }, status: 'trash' });
+
+    const result = await call('wp_delete_post', { id: 5, confirmation_token: token });
+    const data = parseResult(result);
+
+    expect(data.success).toBe(true);
+    expect(data.post.id).toBe(5);
+    expect(data.post.status).toBe('trash');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_post');
+    expect(entry).toBeDefined();
+    expect(entry.action).toBe('trash');
+    expect(entry.status).toBe('success');
+  });
+
+  it('returns error when token is expired', async () => {
+    const token = generateToken(5, 'trash');
+    const originalNow = Date.now;
+    Date.now = () => originalNow() + 120_000;
+    try {
+      const result = await call('wp_delete_post', { id: 5, confirmation_token: token });
+
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('Invalid or expired confirmation token');
+
+      const logs = getAuditLogs(consoleSpy);
+      const entry = logs.find(l => l.tool === 'wp_delete_post');
+      expect(entry).toBeDefined();
+      expect(entry.action).toBe('trash');
+      expect(entry.status).toBe('error');
+    } finally {
+      Date.now = originalNow;
+    }
+  });
+});
+
+describe('wp_delete_post with WP_CONFIRM_DESTRUCTIVE=false (default)', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('deletes directly without confirmation', async () => {
+    mockSuccess({ id: 5, title: { rendered: 'My Post' }, status: 'trash' });
+
+    const result = await call('wp_delete_post', { id: 5 });
+    const data = parseResult(result);
+
+    expect(data.success).toBe(true);
+    expect(data.post.id).toBe(5);
+    expect(data.post.status).toBe('trash');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_post');
+    expect(entry).toBeDefined();
+    expect(entry.action).toBe('trash');
+    expect(entry.status).toBe('success');
+  });
+});
+
+describe('wp_delete_post — governance priority', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+    delete process.env.WP_DISABLE_DELETE;
+    delete process.env.WP_CONFIRM_DESTRUCTIVE;
+  });
+
+  it('WP_DISABLE_DELETE blocks before confirmation flow', async () => {
+    process.env.WP_DISABLE_DELETE = 'true';
+    process.env.WP_CONFIRM_DESTRUCTIVE = 'true';
+
+    const result = await call('wp_delete_post', { id: 5 });
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('WP_DISABLE_DELETE');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_post');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('blocked');
+  });
+});
+
+// ────────────────────────────────────────────────────────────
+// wp_delete_revision — two-step confirmation
+// ────────────────────────────────────────────────────────────
+
+describe('wp_delete_revision with WP_CONFIRM_DESTRUCTIVE=true', () => {
+  let consoleSpy;
+  beforeEach(() => {
+    fetch.mockReset();
+    consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    process.env.WP_CONFIRM_DESTRUCTIVE = 'true';
+  });
+  afterEach(() => {
+    consoleSpy.mockRestore();
+    delete process.env.WP_CONFIRM_DESTRUCTIVE;
+  });
+
+  it('returns confirmation_required when no token provided', async () => {
+    const result = await call('wp_delete_revision', { post_id: 1, revision_id: 42 });
+    const data = parseResult(result);
+
+    expect(result.isError).toBeUndefined();
+    expect(data.status).toBe('confirmation_required');
+    expect(data.revision_id).toBe(42);
+    expect(data.post_id).toBe(1);
+    expect(data.action).toBe('delete_revision');
+    expect(data.confirmation_token).toMatch(/^mcp_delete_revision_42_\d+_[a-f0-9]{4}$/);
+    expect(data.expires_in).toBe(60);
+    expect(data.message).toContain('Revision #42');
+    expect(data.message).toContain('post #1');
+
+    const logs = getAuditLogs(consoleSpy);
+    const entry = logs.find(l => l.tool === 'wp_delete_revision');
+    expect(entry).toBeDefined();
+    expect(entry.action).toBe('delete_requested');
+    expect(entry.status).toBe('pending');
+    expect(entry.target).toBe(42);
+  });
+});

package/tests/unit/tools/findBrokenInternalLinks.test.js

@@ -0,0 +1,222 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall, _testSetTarget } from '../../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+let consoleSpy;
+beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+afterEach(() => { consoleSpy.mockRestore(); _testSetTarget(null); });
+
+// =========================================================================
+// Helpers
+// =========================================================================
+
+function makePost(id, content, link) {
+  return {
+    id, title: { rendered: `Post ${id}` },
+    link: link || `https://mysite.example.com/post-${id}/`,
+    content: { rendered: content }
+  };
+}
+
+function mockHeadResponse(status) {
+  return fetch.mockImplementationOnce(() => Promise.resolve({ status, ok: status < 400 }));
+}
+
+function mockHeadTimeout() {
+  return fetch.mockImplementationOnce(() => {
+    const err = new Error('aborted');
+    err.name = 'AbortError';
+    return Promise.reject(err);
+  });
+}
+
+function mockHeadNetworkError() {
+  return fetch.mockImplementationOnce(() => Promise.reject(new Error('ECONNREFUSED')));
+}
+
+// =========================================================================
+// wp_find_broken_internal_links
+// =========================================================================
+
+describe('wp_find_broken_internal_links', () => {
+  it('SUCCESS — no broken links', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>Read <a href="https://mysite.example.com/other/">more</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadResponse(200);
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.broken_links).toHaveLength(0);
+    expect(data.total_broken).toBe(0);
+    expect(data.total_posts_scanned).toBe(1);
+    expect(data.total_links_checked).toBe(1);
+  });
+
+  it('ISSUE — 404 detected as not_found', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>See <a href="https://mysite.example.com/dead-page/">dead</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadResponse(404);
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.total_broken).toBe(1);
+    expect(data.broken_links[0].issue_type).toBe('not_found');
+    expect(data.broken_links[0].status_code).toBe(404);
+  });
+
+  it('ISSUE — 301 detected as redirect', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>See <a href="https://mysite.example.com/old-slug/">old</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadResponse(301);
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.total_redirects).toBe(1);
+    expect(data.broken_links[0].issue_type).toBe('redirect');
+    expect(data.broken_links[0].status_code).toBe(301);
+  });
+
+  it('ISSUE — 302 detected as redirect', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>See <a href="https://mysite.example.com/temp/">temp</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadResponse(302);
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.total_redirects).toBe(1);
+    expect(data.broken_links[0].issue_type).toBe('redirect');
+  });
+
+  it('PARAM — include_redirects: false excludes redirects', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>See <a href="https://mysite.example.com/moved/">moved</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadResponse(301);
+
+    const res = await call('wp_find_broken_internal_links', { include_redirects: false });
+    const data = parseResult(res);
+
+    expect(data.total_redirects).toBe(1);
+    expect(data.broken_links).toHaveLength(0);
+  });
+
+  it('ISSUE — timeout detected', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>See <a href="https://mysite.example.com/slow/">slow</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadTimeout();
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.total_timeouts).toBe(1);
+    expect(data.broken_links[0].issue_type).toBe('timeout');
+  });
+
+  it('ISSUE — network error classified', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>See <a href="https://mysite.example.com/down/">down</a></p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadNetworkError();
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.total_broken).toBe(1);
+    expect(data.broken_links[0].issue_type).toBe('network_error');
+  });
+
+  it('DEDUP — same URL in 2 posts triggers only 1 HEAD request', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const sharedLink = 'https://mysite.example.com/shared/';
+    const html1 = `<p>See <a href="${sharedLink}">link</a></p>`;
+    const html2 = `<p>Also <a href="${sharedLink}">link</a></p>`;
+    mockSuccess([makePost(1, html1), makePost(2, html2)]);
+    mockHeadResponse(404);
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    // 1 unique URL → 1 HEAD request (after the initial wpApiCall mock)
+    expect(data.total_links_checked).toBe(1);
+    // But broken_links has 2 entries (one per source post)
+    expect(data.broken_links).toHaveLength(2);
+  });
+
+  it('BATCH — batch_size=2 on 4 links creates correct batches', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = `<p>
+      <a href="https://mysite.example.com/a/">a</a>
+      <a href="https://mysite.example.com/b/">b</a>
+      <a href="https://mysite.example.com/c/">c</a>
+      <a href="https://mysite.example.com/d/">d</a>
+    </p>`;
+    mockSuccess([makePost(1, html)]);
+    // 4 HEAD requests, all 200
+    mockHeadResponse(200);
+    mockHeadResponse(200);
+    mockHeadResponse(200);
+    mockHeadResponse(200);
+
+    const res = await call('wp_find_broken_internal_links', { batch_size: 2, delay_ms: 0 });
+    const data = parseResult(res);
+
+    expect(data.total_links_checked).toBe(4);
+    expect(data.broken_links).toHaveLength(0);
+  });
+
+  it('ANCHOR — anchor text extracted correctly', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    const html = '<p>Read our <a href="https://mysite.example.com/guide/">complete guide</a> now.</p>';
+    mockSuccess([makePost(1, html)]);
+    mockHeadResponse(404);
+
+    const res = await call('wp_find_broken_internal_links');
+    const data = parseResult(res);
+
+    expect(data.broken_links[0].anchor_text).toBe('complete guide');
+  });
+
+  it('AUDIT — logs success entry', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([makePost(1, '<p>No links here.</p>')]);
+
+    await call('wp_find_broken_internal_links');
+
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_find_broken_internal_links');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('success');
+    expect(entry.action).toBe('audit_seo');
+    expect(entry.params.total_links_checked).toBeDefined();
+  });
+
+  it('ERROR — logs error on API failure', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockError(403, '{"code":"rest_forbidden","message":"Forbidden"}');
+
+    const res = await call('wp_find_broken_internal_links');
+    expect(res.isError).toBe(true);
+
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_find_broken_internal_links');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('error');
+  });
+});

package/tests/unit/tools/findKeywordCannibalization.test.js

@@ -0,0 +1,183 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall, _testSetTarget } from '../../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+let consoleSpy;
+beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+afterEach(() => { consoleSpy.mockRestore(); _testSetTarget(null); });
+
+// =========================================================================
+// Helpers
+// =========================================================================
+
+const recentDate = '2025-12-01T10:00:00';
+const oldDate = '2023-01-15T10:00:00';
+
+function makePostWithKw(id, keyword, date = recentDate) {
+  return {
+    id, title: { rendered: `Post ${id}` },
+    link: `https://mysite.example.com/post-${id}/`,
+    date,
+    meta: keyword ? { rank_math_focus_keyword: keyword } : {}
+  };
+}
+
+// =========================================================================
+// wp_find_keyword_cannibalization
+// =========================================================================
+
+describe('wp_find_keyword_cannibalization', () => {
+  it('SUCCESS — no cannibalization (all unique keywords)', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'seo tips'),
+      makePostWithKw(2, 'wordpress security'),
+      makePostWithKw(3, 'content marketing')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization');
+    const data = parseResult(res);
+
+    expect(data.total_groups).toBe(0);
+    expect(data.cannibalization_groups).toHaveLength(0);
+    expect(data.posts_with_keyword).toBe(3);
+  });
+
+  it('ISSUE — exact group detected (2 articles same keyword)', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'seo tips'),
+      makePostWithKw(2, 'seo tips'),
+      makePostWithKw(3, 'other keyword')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization');
+    const data = parseResult(res);
+
+    expect(data.total_groups).toBe(1);
+    expect(data.cannibalization_groups[0].articles_count).toBe(2);
+    expect(data.articles_affected).toBe(2);
+  });
+
+  it('MODE — normalized groups variants together', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'SEO Tips'),
+      makePostWithKw(2, 'seo-tips'),
+      makePostWithKw(3, 'Séo Tips')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization', { similarity_mode: 'normalized' });
+    const data = parseResult(res);
+
+    expect(data.total_groups).toBe(1);
+    expect(data.cannibalization_groups[0].articles_count).toBe(3);
+    expect(data.cannibalization_groups[0].variants.length).toBeGreaterThanOrEqual(1);
+  });
+
+  it('MODE — exact does NOT group variants', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'SEO Tips'),
+      makePostWithKw(2, 'seo tips'),
+      makePostWithKw(3, 'SEO Tips')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization', { similarity_mode: 'exact' });
+    const data = parseResult(res);
+
+    // 'SEO Tips' (2 articles) is one group, 'seo tips' is alone
+    expect(data.total_groups).toBe(1);
+    expect(data.cannibalization_groups[0].articles_count).toBe(2);
+  });
+
+  it('SUCCESS — articles without keyword are ignored', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'seo tips'),
+      makePostWithKw(2, null),
+      makePostWithKw(3, '')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization');
+    const data = parseResult(res);
+
+    expect(data.posts_with_keyword).toBe(1);
+    expect(data.posts_without_keyword).toBe(2);
+    expect(data.total_groups).toBe(0);
+  });
+
+  it('ACTION — consolidate_301 when dates differ greatly', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'seo tips', oldDate),
+      makePostWithKw(2, 'seo tips', recentDate)
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization');
+    const data = parseResult(res);
+
+    expect(data.cannibalization_groups[0].recommended_action).toBe('consolidate_301');
+  });
+
+  it('ACTION — differentiate when 2 articles with close dates', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'seo tips', '2025-11-01T10:00:00'),
+      makePostWithKw(2, 'seo tips', '2025-12-01T10:00:00')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization');
+    const data = parseResult(res);
+
+    expect(data.cannibalization_groups[0].recommended_action).toBe('differentiate');
+  });
+
+  it('ACTION — merge when 3+ articles', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([
+      makePostWithKw(1, 'seo tips'),
+      makePostWithKw(2, 'seo tips'),
+      makePostWithKw(3, 'seo tips')
+    ]);
+
+    const res = await call('wp_find_keyword_cannibalization');
+    const data = parseResult(res);
+
+    expect(data.cannibalization_groups[0].recommended_action).toBe('merge');
+  });
+
+  it('AUDIT — logs success entry', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockSuccess([makePostWithKw(1, 'seo tips')]);
+
+    await call('wp_find_keyword_cannibalization');
+
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_find_keyword_cannibalization');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('success');
+    expect(entry.action).toBe('audit_seo');
+  });
+
+  it('ERROR — logs error on API failure', async () => {
+    _testSetTarget('test', { url: 'https://mysite.example.com', username: 'u', password: 'p' });
+    mockError(403, '{"code":"rest_forbidden","message":"Forbidden"}');
+
+    const res = await call('wp_find_keyword_cannibalization');
+    expect(res.isError).toBe(true);
+
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_find_keyword_cannibalization');
+    expect(entry).toBeDefined();
+    expect(entry.status).toBe('error');
+  });
+});