@adsim/wordpress-mcp-server 4.5.1 → 4.6.0

package/README.md

@@ -3,14 +3,14 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Node.js](https://img.shields.io/badge/Node.js-%3E%3D18-green.svg)](https://nodejs.org/)
 [![MCP SDK](https://img.shields.io/badge/MCP-SDK-blue.svg)](https://github.com/anthropics/mcp)
-[![Tests](https://img.shields.io/badge/tests-713%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
+[![Tests](https://img.shields.io/badge/tests-767%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
 [![npm](https://img.shields.io/npm/v/@adsim/wordpress-mcp-server.svg)](https://www.npmjs.com/package/@adsim/wordpress-mcp-server)
 
 **Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free**
 
 The enterprise governance layer for Claude-to-WordPress integrations — secure, auditable, and multi-site.
 
-**v4.5.1 Enterprise** · 85 tools · 713 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin intelligence · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting
+**v4.6.0 Enterprise** · 92 tools · 767 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin intelligence · Plugin layer (ACF, Elementor) · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting
 
 ---
 
@@ -174,7 +174,7 @@ npx -y @adsim/wordpress-mcp-server
 ### Health check
 ```bash
 curl http://localhost:3000/health
-# → { "status": "ok", "version": "4.4.0", "transport": "http" }
+# → { "status": "ok", "version": "4.6.0", "transport": "http" }
 ```
 
 ### Connect an MCP client via HTTP
@@ -214,7 +214,7 @@ Double-click `wordpress-mcp-server.mcpb` — Claude Desktop will prompt for:
 
 ---
 
-## Available Tools (79)
+## Available Tools (92)
 
 ### Content Management
 
@@ -311,6 +311,33 @@ All SEO audit tools are read-only and always allowed regardless of governance fl
 
 All Content Intelligence tools are read-only and always allowed regardless of governance flags.
 
+### Plugin Intelligence Layer
+
+> New in v4.6.0 — Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when the plugin is detected via REST API namespace discovery.
+
+Disable all plugin tools: `WP_DISABLE_PLUGIN_LAYERS=true`
+
+**ACF (Advanced Custom Fields)**
+
+| Tool | Description |
+|---|---|
+| `acf_get_fields` | Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes |
+| `acf_list_field_groups` | List all configured ACF field groups |
+| `acf_get_field_group` | Get full detail of an ACF field group by ID |
+| `acf_update_fields` | Update ACF custom fields for a post/page. Write — blocked by `WP_READ_ONLY` |
+
+Requires ACF Pro or ACF Free with REST API enabled (`/acf/v3` namespace).
+
+**Elementor**
+
+| Tool | Description |
+|---|---|
+| `elementor_list_templates` | List Elementor templates (page, section, block, popup) with type filtering |
+| `elementor_get_template` | Get full Elementor template content and elements. Context-guarded at 50k chars |
+| `elementor_get_page_data` | Get Elementor editor data for a post/page: widgets used, elements count |
+
+Requires Elementor Free or Pro (`/elementor/v1` namespace).
+
 ### Plugins
 
 | Tool | Description |
@@ -387,7 +414,7 @@ All WooCommerce write tools are blocked by `WP_READ_ONLY`. `wc_price_guardrail`
 | Tool | Description |
 |---|---|
 | `wp_set_target` | Switch active WordPress site in multi-target mode |
-| `wp_site_info` | Site info, current user, post types, enterprise controls, and available targets |
+| `wp_site_info` | Site info, current user, post types, enterprise controls, available targets, and `plugin_layer` (detected plugins, tools count) |
 
 ---
 
@@ -716,7 +743,7 @@ WC_PRICE_GUARDRAIL_THRESHOLD=20   # percentage — changes above this require ex
 
 ## Testing
 
-713 unit tests covering all 85 tools — zero network calls, fully mocked.
+767 unit tests covering all 92 tools — zero network calls, fully mocked.
 ```bash
 npm test              # run all tests (vitest)
 npm run test:watch    # watch mode
@@ -756,9 +783,17 @@ npm run test:coverage # coverage report
 | `transport/http.test.js` | HTTP transport, Bearer auth, sessions | 10 |
 | `pluginDetector.test.js` | SEO plugin detection, rendered head, HTML head parsing | 13 |
 | `pluginIntelligence.test.js` | 6 plugin intelligence tools: rendered head, rendered SEO audit, pillar content, schema plugins, SEO score, Twitter meta | 48 |
-| `dxt/manifest.test.js` | MCPB manifest validation, 85 tools declared | 10 |
+| `dxt/manifest.test.js` | MCPB manifest validation, 86 tools declared | 10 |
 | `dynamicFiltering.test.js` | WooCommerce/editorial/plugin-intelligence filtering, combined counts, callable when filtered | 9 |
 | `outputCompression.test.js` | mode=full/summary/ids_only for 10 listing tools (pages, media, comments, categories, tags, users, custom posts, plugins, themes, revisions) | 30 |
+| `siteOptions.test.js` | wp_get_site_options: all options, key filtering, 403, audit log, not blocked by WP_READ_ONLY | 5 |
+| `plugins/registry.test.js` | PluginRegistry: ACF/Elementor detection, empty namespaces, WP_DISABLE_PLUGIN_LAYERS, getSummary | 6 |
+| `plugins/contextGuard.test.js` | applyContextGuard: under threshold, truncation, raw bypass, stderr log | 4 |
+| `plugins/iPluginAdapter.test.js` | validateAdapter: complete adapter, missing id, missing getTools | 3 |
+| `plugins/acf/acfAdapter.test.js` | ACF read tools: get fields, filter, contextGuard, 404, list groups, get group, audit log | 10 |
+| `plugins/acf/acfAdapter.write.test.js` | ACF write: update fields, WP_READ_ONLY blocking, validation, 404/403, audit log | 8 |
+| `plugins/elementor/elementorAdapter.test.js` | Elementor adapter: list/get templates, page data, contextGuard, validation, namespace detection, audit log | 10 |
+| `pluginLayer.test.js` | Plugin Layer integration: listTools, callTool routing, wp_site_info, WP_DISABLE_PLUGIN_LAYERS, no collisions | 8 |
 
 Each test verifies: success response shape, governance blocking (write tools), HTTP error handling (403/404), and audit log entries.
 
@@ -855,7 +890,7 @@ The server performs a health check on startup: REST API connectivity, user authe
 - Credentials never logged — audit trail sanitizes all sensitive data
 - No credentials in code — `.env` or environment variables only
 - Instant revocation — Application Passwords can be revoked from WordPress admin
-- Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.4.0`
+- Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.6.0`
 - Bearer token auth in HTTP mode — timing-safe comparison, no token in logs
 - Origin validation in HTTP mode — anti-DNS-rebinding protection
 
@@ -928,6 +963,29 @@ npx @modelcontextprotocol/inspector node index.js
 
 ## Changelog
 
+### v4.6.0 (2026-02-22) — Plugin Intelligence Layer
+
+Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when their plugin is detected via REST API namespace discovery — zero overhead when plugins are absent.
+
+**Architecture:**
+- `src/plugins/registry.js` — PluginRegistry with automatic plugin detection via REST namespaces. `WP_DISABLE_PLUGIN_LAYERS=true` disables all plugin tools
+- `src/plugins/contextGuard.js` — LLM context overflow protection: automatic truncation at 50k chars with truncation metadata
+- `src/plugins/IPluginAdapter.js` — Adapter contract interface: id, namespace, riskLevel, contextConfig, getTools, handleTool
+- `wp_site_info` now reports `plugin_layer` (detected plugins, available tools count)
+
+**ACF Adapter:**
+- `acf_get_fields` — ACF custom fields with key filtering, raw/compact/summary modes
+- `acf_list_field_groups` — all configured field groups
+- `acf_get_field_group` — field group detail by ID
+- `acf_update_fields` — update custom fields. Blocked by `WP_READ_ONLY`. riskLevel: "medium"
+
+**Elementor Adapter (read-only):**
+- `elementor_list_templates` — templates with type filter (page/section/block/popup)
+- `elementor_get_template` — full template content, context-guarded at 50k chars
+- `elementor_get_page_data` — widgets used, elements count, Elementor status per post
+
+767 Vitest unit tests · 92 tools
+
 ### v4.5.1 (2026-02-21) — Context Optimization
 
 LLM context reduction across all 85 tools — zero breaking changes.
@@ -1114,16 +1172,16 @@ All Content Intelligence tools are read-only and always allowed regardless of go
 
 ## Roadmap
 
-### v4.5 — GSC Integration
+### v4.7 — GSC Integration
 - `wp_get_gsc_performance` — Google Search Console API (clicks, impressions, position, CTR per URL)
 - `wp_find_quick_win_keywords` — surface keywords ranking positions 11–20 for targeted updates
 - `wp_seo_content_decay` — cross-reference GSC traffic loss with content age to prioritize refresh candidates
 
-### v4.6 — Redirect Intelligence
+### v4.8 — Redirect Intelligence
 - `wp_create_redirect` — create 301 redirects via Redirection plugin or RankMath/Yoast Redirects. Auto-triggered governance hook when `wp_update_post` changes a slug
 - `wp_list_404_errors` — surface recent 404s from Redirection plugin log
 
-### v4.7 — OAuth & Registry
+### v4.9 — OAuth & Registry
 - OAuth 2.0 / JWT authentication
 - MCP Registry submission
 

package/dxt/manifest.json

@@ -2,9 +2,9 @@
   "manifest_version": "0.3",
   "name": "wordpress-mcp-server",
   "display_name": "WordPress MCP Server",
-  "version": "4.5.1",
-  "description": "Manage your WordPress site from Claude Desktop — posts, pages, media, SEO audits, content intelligence, plugin intelligence, plugins, themes, revisions, WooCommerce, content compression, and more. 85 tools, no WordPress plugin required.",
-  "long_description": "A full-featured MCP server for WordPress REST API integration. Manage posts, pages, media, categories, tags, comments, users, SEO metadata, plugins, themes, revisions, and WooCommerce products/orders/customers through 85 tools — all from Claude Desktop.\n\nNo WordPress plugin required. Uses the built-in WordPress REST API with Application Passwords for secure authentication.\n\nFeatures:\n- Content management: create, read, update, delete posts and pages\n- Content compression: field filtering, content_format (html/text/links_only), list modes (full/summary/ids_only) for LLM context optimization\n- Content intelligence: readability scoring, duplicate detection, entity extraction, publishing velocity, revision diff, content structure analysis, FAQ extraction, CTA detection, link mapping, anchor text audit, schema markup validation\n- Plugin intelligence: SEO plugin detection (RankMath/Yoast/SEOPress), rendered head analysis, schema validation from plugin fields, SEO score reading, Twitter Card meta, pillar content management\n- Editorial approval workflow: submit for review, approve, reject\n- Media library: list, get details, upload from URL\n- Taxonomy: categories, tags, custom post types\n- SEO: auto-detects Yoast, RankMath, SEOPress, or All in One SEO\n- SEO audit suite: media alt text, orphan pages, heading structure, thin content, canonicals, E-E-A-T signals, broken links, keyword cannibalization, taxonomy bloat, outbound links\n- Plugins & themes: list, activate, deactivate\n- Revisions: list, view, restore, delete\n- WooCommerce read: products, orders, customers, price guardrail\n- WooCommerce intelligence: inventory alerts, order analytics, product SEO audit, product link suggestions\n- WooCommerce write: update products (with price guardrail), stock management, order status transitions\n- Enterprise controls: read-only mode, draft-only, disable-delete, require-approval (global and per-target)\n- Multi-site: target multiple WordPress installations with per-target controls",
+  "version": "4.6.0",
+  "description": "Manage your WordPress site from Claude Desktop — posts, pages, media, SEO audits, content intelligence, plugin intelligence, plugin layer (ACF, Elementor), plugins, themes, revisions, WooCommerce, content compression, and more. 92 tools, no WordPress plugin required.",
+  "long_description": "A full-featured MCP server for WordPress REST API integration. Manage posts, pages, media, categories, tags, comments, users, SEO metadata, plugins, themes, revisions, and WooCommerce products/orders/customers through 92 tools — all from Claude Desktop.\n\nNo WordPress plugin required. Uses the built-in WordPress REST API with Application Passwords for secure authentication.\n\nFeatures:\n- Content management: create, read, update, delete posts and pages\n- Content compression: field filtering, content_format (html/text/links_only), list modes (full/summary/ids_only) for LLM context optimization\n- Content intelligence: readability scoring, duplicate detection, entity extraction, publishing velocity, revision diff, content structure analysis, FAQ extraction, CTA detection, link mapping, anchor text audit, schema markup validation\n- Plugin intelligence: SEO plugin detection (RankMath/Yoast/SEOPress), rendered head analysis, schema validation from plugin fields, SEO score reading, Twitter Card meta, pillar content management\n- Plugin layer: extensible adapter architecture for third-party plugins (ACF, Elementor). Adapters activate only when plugin detected via REST namespace discovery\n- Editorial approval workflow: submit for review, approve, reject\n- Media library: list, get details, upload from URL\n- Taxonomy: categories, tags, custom post types\n- SEO: auto-detects Yoast, RankMath, SEOPress, or All in One SEO\n- SEO audit suite: media alt text, orphan pages, heading structure, thin content, canonicals, E-E-A-T signals, broken links, keyword cannibalization, taxonomy bloat, outbound links\n- Plugins & themes: list, activate, deactivate\n- Revisions: list, view, restore, delete\n- WooCommerce read: products, orders, customers, price guardrail\n- WooCommerce intelligence: inventory alerts, order analytics, product SEO audit, product link suggestions\n- WooCommerce write: update products (with price guardrail), stock management, order status transitions\n- Enterprise controls: read-only mode, draft-only, disable-delete, require-approval (global and per-target)\n- Multi-site: target multiple WordPress installations with per-target controls",
   "author": {
     "name": "AdSim",
     "email": "georges@adsim.be",
@@ -59,7 +59,7 @@
     { "name": "wp_list_custom_posts", "description": "List posts from any custom post type" },
     { "name": "wp_list_users", "description": "List users with roles" },
     { "name": "wp_set_target", "description": "Switch active WordPress site (multi-target mode)" },
-    { "name": "wp_site_info", "description": "Get site info, current user, post types, and enterprise controls" },
+    { "name": "wp_site_info", "description": "Get site info, current user, post types, enterprise controls, and plugin_layer (detected plugins, tools count)" },
     { "name": "wp_get_seo_meta", "description": "Get SEO metadata for a post or page" },
     { "name": "wp_update_seo_meta", "description": "Update SEO metadata for a post or page" },
     { "name": "wp_audit_seo", "description": "Audit SEO metadata across multiple posts/pages" },
@@ -118,7 +118,15 @@
     { "name": "wp_get_pillar_content", "description": "Read or set RankMath pillar/cornerstone content flag. Write mode blocked by WP_READ_ONLY" },
     { "name": "wp_audit_schema_plugins", "description": "Audit JSON-LD schemas from SEO plugin native fields (rank_math_schema or Yoast head)" },
     { "name": "wp_get_seo_score", "description": "Read RankMath native SEO score (0-100) with bulk mode distribution stats" },
-    { "name": "wp_get_twitter_meta", "description": "Read or write Twitter Card meta (title, description, image) from RankMath, Yoast, or SEOPress" }
+    { "name": "wp_get_twitter_meta", "description": "Read or write Twitter Card meta (title, description, image) from RankMath, Yoast, or SEOPress" },
+    { "name": "wp_get_site_options", "description": "Read WordPress site settings (title, tagline, language, timezone) via /wp/v2/settings. Requires manage_options" },
+    { "name": "acf_get_fields", "description": "Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes. Requires ACF plugin" },
+    { "name": "acf_list_field_groups", "description": "List all configured ACF field groups. Requires ACF plugin" },
+    { "name": "acf_get_field_group", "description": "Get full detail of an ACF field group by ID. Requires ACF plugin" },
+    { "name": "acf_update_fields", "description": "Update ACF custom fields for a post/page. Write — blocked by WP_READ_ONLY. Requires ACF plugin" },
+    { "name": "elementor_list_templates", "description": "List Elementor templates (page, section, block, popup) with type filtering. Requires Elementor" },
+    { "name": "elementor_get_template", "description": "Get full Elementor template content and elements. Context-guarded at 50k chars. Requires Elementor" },
+    { "name": "elementor_get_page_data", "description": "Get Elementor editor data for a post/page: widgets used, elements count. Requires Elementor" }
   ],
   "keywords": [
     "wordpress",
@@ -136,7 +144,10 @@
     "ecommerce",
     "content-compression",
     "content-intelligence",
-    "plugin-intelligence"
+    "plugin-intelligence",
+    "plugin-layer",
+    "acf",
+    "elementor"
   ],
   "license": "MIT",
   "user_config": {

package/index.js

@@ -29,12 +29,14 @@ import { parseImagesFromHtml, extractHeadings, extractInternalLinks as extractIn
 import { summarizePost, applyContentFormat } from './src/utils/contentCompressor.js';
 import { calculateReadabilityScore, extractHeadingsOutline, detectContentSections, extractTransitionWords, countPassiveSentences, buildTFIDFVectors, computeCosineSimilarity, findDuplicatePairs, extractEntities, computeTextDiff } from './src/contentAnalyzer.js';
 import { detectSeoPlugin, getRenderedHead, parseRenderedHead } from './src/pluginDetector.js';
+import { PluginRegistry } from './src/plugins/registry.js';
+import { acfAdapter } from './src/plugins/adapters/acf/acfAdapter.js';
 
 // ============================================================
 // CONFIGURATION
 // ============================================================
 
-const VERSION = '3.2.0';
+const VERSION = '4.6.0';
 const VERBOSE = process.env.WP_MCP_VERBOSE === 'true' || process.argv.includes('--verbose');
 const MAX_RETRIES = parseInt(process.env.WP_MCP_MAX_RETRIES || '3', 10);
 const TIMEOUT_MS = parseInt(process.env.WP_MCP_TIMEOUT || '30000', 10);
@@ -418,6 +420,28 @@ async function healthCheck() {
   } catch (e) { log.warn(`Health check: ${e.message}`); }
 }
 
+// ============================================================
+// PLUGIN LAYER
+// ============================================================
+
+const pluginRegistry = new PluginRegistry();
+
+const PLUGIN_ADAPTERS = [acfAdapter];
+
+async function initializePluginLayer() {
+  try {
+    await pluginRegistry.initialize(wpApiCall);
+    for (const adapter of PLUGIN_ADAPTERS) {
+      if (pluginRegistry.isActive(adapter.id)) {
+        pluginRegistry.registerTools(adapter.id, adapter.getTools());
+      }
+    }
+    log.info(JSON.stringify({ event: 'plugin_layer_initialized', summary: pluginRegistry.getSummary() }));
+  } catch (e) {
+    log.warn(`Plugin layer init failed (continuing without plugins): ${e.message}`);
+  }
+}
+
 // ============================================================
 // MCP SERVER
 // ============================================================
@@ -436,7 +460,7 @@ const ORDERBY = ['date', 'relevance', 'id', 'title', 'slug', 'modified', 'author
 const ORDERS = ['asc', 'desc'];
 const MEDIA_TYPES = ['image', 'video', 'audio', 'application'];
 const COMMENT_STATUSES = ['approved', 'hold', 'spam', 'trash'];
-const TOOLS_COUNT = 85;
+const TOOLS_COUNT = 86;
 
 function json(data) { return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] }; }
 function strip(html) { return (html || '').replace(/<[^>]*>/g, '').trim(); }
@@ -493,9 +517,11 @@ const TOOLS_DEFINITIONS = [
       { name: 'wp_set_target', description: 'Use to switch active WordPress site in multi-target mode. Write.',
         inputSchema: { type: 'object', properties: { site: { type: 'string', description: 'Site key from targets config' } }, required: ['site'] }},
 
-      // ── SITE INFO (1) ──
+      // ── SITE INFO (2) ──
       { name: 'wp_site_info', description: 'Use first to discover site config, user, post types, governance flags, and available targets. Read-only.',
         inputSchema: { type: 'object', properties: {} }},
+      { name: 'wp_get_site_options', description: 'Use to read WordPress site settings (title, tagline, language, timezone, etc.) via /wp/v2/settings. Requires manage_options. Read-only.',
+        inputSchema: { type: 'object', properties: { keys: { type: 'array', items: { type: 'string' }, description: 'Return only these option keys (returns all if omitted)' } }}},
 
       // ── SEO METADATA (3) ──
       { name: 'wp_get_seo_meta', description: 'Use to read SEO title, description, focus keyword, canonical, robots, OG for one post. Auto-detects Yoast/RankMath/SEOPress/AIOSEO. Read-only. Hint: prefer this over wp_get_post for SEO-only workflows.',
@@ -655,13 +681,15 @@ const TOOLS_DEFINITIONS = [
 function getFilteredTools(allTools = TOOLS_DEFINITIONS) {
   const pluginIntelTools = ['wp_get_rendered_head', 'wp_audit_rendered_seo', 'wp_get_pillar_content', 'wp_audit_schema_plugins', 'wp_get_seo_score', 'wp_get_twitter_meta'];
   const editorialTools = ['wp_submit_for_review', 'wp_approve_post', 'wp_reject_post'];
-  return allTools.filter(tool => {
+  const coreFiltered = allTools.filter(tool => {
     const n = tool.name;
     if (n.startsWith('wc_') && !process.env.WC_CONSUMER_KEY) return false;
     if (editorialTools.includes(n) && process.env.WP_REQUIRE_APPROVAL !== 'true') return false;
     if (pluginIntelTools.includes(n) && process.env.WP_ENABLE_PLUGIN_INTELLIGENCE !== 'true') return false;
     return true;
   });
+  const pluginTools = pluginRegistry.getAvailableTools();
+  return [...coreFiltered, ...pluginTools];
 }
 
 function registerHandlers(s) {
@@ -692,6 +720,21 @@ export async function handleToolCall(request) {
 
   log.debug(`Tool: ${name}`, args);
 
+  // Plugin Layer routing — check adapters before core switch
+  const pluginTool = pluginRegistry.getAvailableTools().find(t => t.name === name);
+  if (pluginTool && pluginTool.handler) {
+    try {
+      const pluginResult = await pluginTool.handler(args, wpApiCall);
+      log.debug(`${name} done in ${Date.now() - t0}ms`);
+      return pluginResult;
+    } catch (error) {
+      const ms = Date.now() - t0;
+      log.error(`${name} failed (${ms}ms): ${error.message}`);
+      auditLog({ tool: name, target: args.id || null, status: 'error', latency_ms: ms, params: sanitizeParams(args), error: error.message });
+      return { content: [{ type: 'text', text: `Error: ${error.message}` }], isError: true };
+    }
+  }
+
   try {
     let result;
 
@@ -1097,12 +1140,29 @@ export async function handleToolCall(request) {
             if (process.env.WP_REQUIRE_APPROVAL !== 'true') groups.push('editorial');
             if (process.env.WP_ENABLE_PLUGIN_INTELLIGENCE !== 'true') groups.push('plugin_intelligence');
             return { mcp_version: VERSION, tools_total: TOOLS_COUNT, tools_exposed: exposed, filtered_out: groups };
-          })()
+          })(),
+          plugin_layer: pluginRegistry.getSummary()
         });
         auditLog({ tool: name, action: 'info', status: 'success', latency_ms: Date.now() - t0 });
         break;
       }
 
+      case 'wp_get_site_options': {
+        validateInput(args, { keys: { type: 'array' } });
+        const { keys } = args;
+        const settings = await wpApiCall('/settings');
+        let data = settings;
+        if (keys && keys.length > 0) {
+          data = {};
+          for (const k of keys) {
+            if (k in settings) data[k] = settings[k];
+          }
+        }
+        result = json(data);
+        auditLog({ tool: name, action: 'read_options', status: 'success', latency_ms: Date.now() - t0, params: { keys_requested: keys?.length || 'all', keys_returned: Object.keys(data).length } });
+        break;
+      }
+
       // ── SEO METADATA ──
 
       case 'wp_get_seo_meta': {
@@ -5023,6 +5083,7 @@ export function createMcpServer() {
 
 async function main() {
   await healthCheck();
+  await initializePluginLayer();
 
   const transportMode = (process.env.MCP_TRANSPORT || 'stdio').toLowerCase();
 
@@ -5054,4 +5115,4 @@ if (process.env.NODE_ENV !== 'test') {
   main().catch((error) => { log.error(`Fatal: ${error.message}`); process.exit(1); });
 }
 
-export { server, getActiveControls, getControlSources, _testSetTarget, getFilteredTools };
+export { server, getActiveControls, getControlSources, _testSetTarget, getFilteredTools, pluginRegistry, initializePluginLayer };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adsim/wordpress-mcp-server",
-  "version": "4.5.1",
+  "version": "4.6.0",
   "description": "A Model Context Protocol (MCP) server for WordPress REST API integration. Manage posts, search content, and interact with your WordPress site through any MCP-compatible client.",
   "type": "module",
   "main": "index.js",

package/src/plugins/IPluginAdapter.js

@@ -0,0 +1,95 @@
+/**
+ * Plugin Adapter Interface — contract every adapter must implement.
+ *
+ * @typedef {Object} IPluginAdapter
+ * @property {string} id
+ *   Unique identifier for the plugin (e.g. "acf", "elementor", "astra").
+ *
+ * @property {string} namespace
+ *   REST API namespace used for detection (e.g. "acf/v3", "elementor/v1").
+ *
+ * @property {"low"|"medium"|"high"|"critical"} riskLevel
+ *   Global risk level for audit logging.
+ *   - low:      read-only operations, zero side-effects
+ *   - medium:   modifies a single targeted resource
+ *   - high:     cascading modifications across multiple resources
+ *   - critical: site-wide visual / structural impact
+ *
+ * @property {Object} contextConfig
+ *   Context-size guardrails for this adapter.
+ * @property {number}   contextConfig.maxChars
+ *   Maximum serialised response size in characters (default 30 000).
+ * @property {string}   contextConfig.defaultMode
+ *   Default response mode if the caller omits it (typically "compact").
+ * @property {string[]} contextConfig.supportedModes
+ *   Modes the adapter's tools accept (e.g. ["raw", "compact", "summary", "ids_only"]).
+ *
+ * @property {Function} getTools
+ *   Returns an array of MCP tool definition objects
+ *   ({ name, description, inputSchema, handler }).
+ */
+
+const VALID_RISK_LEVELS = ['low', 'medium', 'high', 'critical'];
+
+const REQUIRED_FIELDS = [
+  { key: 'id', type: 'string' },
+  { key: 'namespace', type: 'string' },
+  { key: 'riskLevel', type: 'string', enum: VALID_RISK_LEVELS },
+  { key: 'contextConfig', type: 'object' },
+  { key: 'getTools', type: 'function' },
+];
+
+/**
+ * Validate that an adapter object satisfies the IPluginAdapter contract.
+ *
+ * @param {object} adapter  Adapter object to validate
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAdapter(adapter) {
+  const errors = [];
+
+  if (!adapter || typeof adapter !== 'object') {
+    return { valid: false, errors: ['adapter must be a non-null object'] };
+  }
+
+  for (const field of REQUIRED_FIELDS) {
+    const value = adapter[field.key];
+
+    if (value === undefined || value === null) {
+      errors.push(`missing required field: "${field.key}"`);
+      continue;
+    }
+
+    if (field.type === 'function') {
+      if (typeof value !== 'function') {
+        errors.push(`"${field.key}" must be a function, got ${typeof value}`);
+      }
+    } else if (field.type === 'object') {
+      if (typeof value !== 'object' || Array.isArray(value)) {
+        errors.push(`"${field.key}" must be a plain object`);
+      }
+    } else if (typeof value !== field.type) {
+      errors.push(`"${field.key}" must be a ${field.type}, got ${typeof value}`);
+    }
+
+    if (field.enum && !field.enum.includes(value)) {
+      errors.push(`"${field.key}" must be one of: ${field.enum.join(', ')}; got "${value}"`);
+    }
+  }
+
+  // contextConfig sub-fields
+  if (adapter.contextConfig && typeof adapter.contextConfig === 'object') {
+    const cc = adapter.contextConfig;
+    if (cc.maxChars !== undefined && typeof cc.maxChars !== 'number') {
+      errors.push('"contextConfig.maxChars" must be a number');
+    }
+    if (cc.defaultMode !== undefined && typeof cc.defaultMode !== 'string') {
+      errors.push('"contextConfig.defaultMode" must be a string');
+    }
+    if (cc.supportedModes !== undefined && !Array.isArray(cc.supportedModes)) {
+      errors.push('"contextConfig.supportedModes" must be an array');
+    }
+  }
+
+  return { valid: errors.length === 0, errors };
+}

package/src/plugins/adapters/acf/acfAdapter.js

@@ -0,0 +1,181 @@
+/**
+ * ACF (Advanced Custom Fields) Adapter — read + write.
+ *
+ * Provides 4 tools for ACF data via the ACF REST API (acf/v3):
+ *   - acf_get_fields        Read custom fields for a post or page
+ *   - acf_list_field_groups  List registered field groups
+ *   - acf_get_field_group    Get full details of a field group by ID
+ *   - acf_update_fields      Update custom fields (write — blocked by WP_READ_ONLY)
+ *
+ * Read tools are riskLevel "low". The write tool checks WP_READ_ONLY before
+ * making any API call. All responses pass through contextGuard.
+ */
+
+import { applyContextGuard } from '../../contextGuard.js';
+
+// ── Helpers ─────────────────────────────────────────────────────────────
+
+function json(data) {
+  return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] };
+}
+
+function auditLog(entry) {
+  console.error(`[AUDIT] ${JSON.stringify({ timestamp: new Date().toISOString(), ...entry })}`);
+}
+
+// ── Tool handlers ───────────────────────────────────────────────────────
+
+/**
+ * @param {object} args
+ * @param {Function} apiRequest  wpApiCall-compatible: (endpoint, options?) => JSON
+ */
+async function handleGetFields(args, apiRequest) {
+  const t0 = Date.now();
+  const { id, post_type = 'posts', fields, mode = 'compact' } = args;
+
+  const data = await apiRequest(`/${post_type}/${id}`, { basePath: '/wp-json/acf/v3' });
+
+  let acfData = data?.acf ?? data ?? {};
+
+  // Filter to requested keys
+  if (fields && fields.length > 0) {
+    const filtered = {};
+    for (const k of fields) {
+      if (k in acfData) filtered[k] = acfData[k];
+    }
+    acfData = filtered;
+  }
+
+  const guarded = applyContextGuard(
+    { id, post_type, fields_count: Object.keys(acfData).length, acf: acfData },
+    { toolName: 'acf_get_fields', mode, maxChars: 30000 }
+  );
+
+  auditLog({ tool: 'acf_get_fields', action: 'read_acf_fields', target: id, status: 'success', latency_ms: Date.now() - t0 });
+  return json(guarded);
+}
+
+async function handleListFieldGroups(args, apiRequest) {
+  const t0 = Date.now();
+
+  const groups = await apiRequest('/field-groups', { basePath: '/wp-json/acf/v3' });
+  const list = Array.isArray(groups) ? groups : [];
+
+  const summary = list.map(g => ({
+    id: g.id,
+    title: g.title?.rendered ?? g.title ?? '',
+    fields: (g.fields ?? []).map(f => f.name ?? f.key ?? f.label ?? ''),
+    location: g.location ?? [],
+  }));
+
+  auditLog({ tool: 'acf_list_field_groups', action: 'list_field_groups', status: 'success', latency_ms: Date.now() - t0, params: { count: summary.length } });
+  return json({ total: summary.length, field_groups: summary });
+}
+
+async function handleGetFieldGroup(args, apiRequest) {
+  const t0 = Date.now();
+  const { id } = args;
+
+  const group = await apiRequest(`/field-groups/${id}`, { basePath: '/wp-json/acf/v3' });
+
+  auditLog({ tool: 'acf_get_field_group', action: 'read_field_group', target: id, status: 'success', latency_ms: Date.now() - t0 });
+  return json(group);
+}
+
+async function handleUpdateFields(args, apiRequest) {
+  const t0 = Date.now();
+  const { id, post_type = 'posts', fields } = args;
+
+  // Validate id is a positive integer
+  if (typeof id !== 'number' || !Number.isInteger(id) || id <= 0) {
+    throw new Error('Validation error: "id" must be a positive integer');
+  }
+
+  // Validate fields is a non-empty object
+  if (!fields || typeof fields !== 'object' || Array.isArray(fields) || Object.keys(fields).length === 0) {
+    throw new Error('Validation error: "fields" must be a non-empty object of key/value pairs');
+  }
+
+  // Governance: WP_READ_ONLY check
+  if (process.env.WP_READ_ONLY === 'true') {
+    auditLog({ tool: 'acf_update_fields', action: 'update_acf_fields', target: id, status: 'blocked', latency_ms: Date.now() - t0 });
+    return json({ error: 'Blocked: READ-ONLY mode' });
+  }
+
+  const data = await apiRequest(`/${post_type}/${id}`, {
+    basePath: '/wp-json/acf/v3',
+    method: 'POST',
+    body: { fields },
+  });
+
+  const updatedFields = data?.acf ?? data ?? {};
+
+  auditLog({ tool: 'acf_update_fields', action: 'update_acf_fields', target: id, status: 'success', latency_ms: Date.now() - t0 });
+  return json({ id, post_type, updated_fields: updatedFields });
+}
+
+// ── Tool definitions (MCP format) ───────────────────────────────────────
+
+const TOOLS = [
+  {
+    name: 'acf_get_fields',
+    description: 'Use to read ACF custom fields for a post or page. Read-only.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'number' },
+        post_type: { type: 'string', enum: ['posts', 'pages'], default: 'posts' },
+        fields: { type: 'array', items: { type: 'string' }, description: 'Return only these field keys (returns all if omitted)' },
+        mode: { type: 'string', enum: ['raw', 'compact', 'summary'], default: 'compact' },
+      },
+      required: ['id'],
+    },
+    handler: handleGetFields,
+  },
+  {
+    name: 'acf_list_field_groups',
+    description: 'Use to list ACF field groups registered on the site. Read-only.',
+    inputSchema: { type: 'object', properties: {} },
+    handler: handleListFieldGroups,
+  },
+  {
+    name: 'acf_get_field_group',
+    description: 'Use to get full details of an ACF field group by ID. Read-only.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'number' },
+      },
+      required: ['id'],
+    },
+    handler: handleGetFieldGroup,
+  },
+  {
+    name: 'acf_update_fields',
+    description: 'Use to update ACF custom fields for a post or page. Write — blocked by WP_READ_ONLY.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'number' },
+        post_type: { type: 'string', enum: ['posts', 'pages'], default: 'posts' },
+        fields: { type: 'object', additionalProperties: true, description: 'Key/value pairs of ACF fields to update' },
+      },
+      required: ['id', 'fields'],
+    },
+    handler: handleUpdateFields,
+  },
+];
+
+// ── Adapter export ──────────────────────────────────────────────────────
+
+export const acfAdapter = {
+  id: 'acf',
+  namespace: 'acf/v3',
+  riskLevel: 'medium',
+  contextConfig: {
+    maxChars: 30000,
+    defaultMode: 'compact',
+    supportedModes: ['raw', 'compact', 'summary', 'ids_only'],
+  },
+  getTools: () => TOOLS,
+};