@adsim/wordpress-mcp-server 4.5.1 → 5.1.0

package/src/tools/taxonomy.js

@@ -0,0 +1,115 @@
+// src/tools/taxonomy.js — taxonomy tools (5)
+// Definitions + handlers (v5.0.0 refactor Step B+C)
+
+import { json, buildPaginationMeta } from '../shared/utils.js';
+import { validateInput } from '../shared/governance.js';
+import { rt } from '../shared/context.js';
+
+export const definitions = [
+  { name: 'wp_list_categories', _category: 'taxonomy', description: 'Use to list categories with hierarchy, post count, and descriptions. Read-only. Hint: use mode=\'summary\' for listings, \'ids_only\' for batch ops.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 100 }, page: { type: 'number', default: 1 }, parent: { type: 'number' }, search: { type: 'string' }, orderby: { type: 'string', default: 'name' }, hide_empty: { type: 'boolean', default: false }, mode: { type: 'string', enum: ['full', 'summary', 'ids_only'], default: 'full', description: 'full=all fields, summary=key fields only, ids_only=flat ID array' } }}},
+  { name: 'wp_list_tags', _category: 'taxonomy', description: 'Use to list tags with post count. Read-only. Hint: use mode=\'summary\' for listings, \'ids_only\' for batch ops.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 100 }, page: { type: 'number', default: 1 }, search: { type: 'string' }, orderby: { type: 'string', default: 'name' }, hide_empty: { type: 'boolean', default: false }, mode: { type: 'string', enum: ['full', 'summary', 'ids_only'], default: 'full', description: 'full=all fields, summary=key fields only, ids_only=flat ID array' } }}},
+  { name: 'wp_create_taxonomy_term', _category: 'taxonomy', description: 'Use to create a new category or tag. Write — blocked by WP_READ_ONLY.', inputSchema: { type: 'object', properties: { taxonomy: { type: 'string' }, name: { type: 'string' }, slug: { type: 'string' }, description: { type: 'string' }, parent: { type: 'number' } }, required: ['taxonomy', 'name'] }},
+  { name: 'wp_list_post_types', _category: 'taxonomy', description: 'Use to discover all registered post types including custom ones (products, portfolio, events). Read-only.', inputSchema: { type: 'object', properties: {} }},
+  { name: 'wp_list_custom_posts', _category: 'taxonomy', description: 'Use to list any custom post type (products, portfolio, events). Requires post_type slug. Read-only. Hint: use mode=\'summary\' for listings, \'ids_only\' for batch ops.', inputSchema: { type: 'object', properties: { post_type: { type: 'string' }, per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, status: { type: 'string', default: 'publish' }, orderby: { type: 'string', default: 'date' }, order: { type: 'string', default: 'desc' }, search: { type: 'string' }, mode: { type: 'string', enum: ['full', 'summary', 'ids_only'], default: 'full', description: 'full=all fields, summary=key fields only, ids_only=flat ID array' } }, required: ['post_type'] }}
+];
+
+export const handlers = {};
+
+handlers['wp_list_categories'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  const { per_page = 100, page = 1, parent, search, orderby = 'name', hide_empty = false, mode = 'full' } = args;
+  let ep = `/categories?per_page=${per_page}&page=${page}&orderby=${orderby}&hide_empty=${hide_empty}`;
+  if (parent !== undefined) ep += `&parent=${parent}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+  const cats = await wpApiCall(ep);
+  const catPg = cats._wpTotal !== undefined ? buildPaginationMeta(cats._wpTotal, page, per_page) : undefined;
+  if (mode === 'ids_only') {
+    result = json({ total: cats.length, mode: 'ids_only', ids: cats.map(c => c.id), ...(catPg && { pagination: catPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+    return result;
+  }
+  if (mode === 'summary') {
+    result = json({ total: cats.length, mode: 'summary', categories: cats.map(c => ({ id: c.id, name: c.name, slug: c.slug, count: c.count, parent: c.parent })), ...(catPg && { pagination: catPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+    return result;
+  }
+  result = json({ total: cats.length, categories: cats.map(c => ({ id: c.id, name: c.name, slug: c.slug, description: c.description, parent: c.parent, count: c.count })), ...(catPg && { pagination: catPg }) });
+  auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_list_tags'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  const { per_page = 100, page = 1, search, orderby = 'name', hide_empty = false, mode = 'full' } = args;
+  let ep = `/tags?per_page=${per_page}&page=${page}&orderby=${orderby}&hide_empty=${hide_empty}`;
+  if (search) ep += `&search=${encodeURIComponent(search)}`;
+  const tags = await wpApiCall(ep);
+  const tagPg = tags._wpTotal !== undefined ? buildPaginationMeta(tags._wpTotal, page, per_page) : undefined;
+  if (mode === 'ids_only') {
+    result = json({ total: tags.length, mode: 'ids_only', ids: tags.map(t => t.id), ...(tagPg && { pagination: tagPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+    return result;
+  }
+  if (mode === 'summary') {
+    result = json({ total: tags.length, mode: 'summary', tags: tags.map(t => ({ id: t.id, name: t.name, slug: t.slug, count: t.count })), ...(tagPg && { pagination: tagPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+    return result;
+  }
+  result = json({ total: tags.length, tags: tags.map(t => ({ id: t.id, name: t.name, slug: t.slug, count: t.count })), ...(tagPg && { pagination: tagPg }) });
+  auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_create_taxonomy_term'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { taxonomy: { type: 'string', required: true, enum: ['category', 'tag'] }, name: { type: 'string', required: true } });
+  const { taxonomy, name: tName, slug, description, parent } = args;
+  const ep = taxonomy === 'category' ? '/categories' : '/tags';
+  const data = { name: tName }; if (slug) data.slug = slug; if (description) data.description = description;
+  if (parent && taxonomy === 'category') data.parent = parent;
+  const t = await wpApiCall(ep, { method: 'POST', body: JSON.stringify(data) });
+  result = json({ success: true, message: `${taxonomy} "${tName}" created`, term: { id: t.id, name: t.name, slug: t.slug } });
+  auditLog({ tool: name, target: t.id, target_type: taxonomy, action: 'create', status: 'success', latency_ms: Date.now() - t0, params: { name: tName } });
+  return result;
+};
+handlers['wp_list_post_types'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  const types = await wpApiCall('/types');
+  result = json({ total: Object.keys(types).length, post_types: Object.values(types).map(t => ({ slug: t.slug, name: t.name, description: t.description, hierarchical: t.hierarchical, rest_base: t.rest_base })) });
+  auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_list_custom_posts'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name, enforceAllowedTypes, ORDERS } = rt;
+  validateInput(args, { post_type: { type: 'string', required: true }, per_page: { type: 'number', min: 1, max: 100 }, page: { type: 'number', min: 1 }, order: { type: 'string', enum: ORDERS }, mode: { type: 'string', enum: ['full', 'summary', 'ids_only'] } });
+  enforceAllowedTypes(args.post_type);
+  const { post_type, per_page = 10, page = 1, status = 'publish', orderby = 'date', order = 'desc', search, mode = 'full' } = args;
+  const types = await wpApiCall('/types');
+  const typeInfo = Object.values(types).find(t => t.slug === post_type || t.rest_base === post_type);
+  if (!typeInfo) throw new Error(`Post type "${post_type}" not found.`);
+  const restBase = typeInfo.rest_base || post_type;
+  let ep = `/${restBase}?per_page=${per_page}&page=${page}&status=${status}&orderby=${orderby}&order=${order}`;
+  if (search) ep += `&search=${encodeURIComponent(search)}`;
+  const posts = await wpApiCall(ep);
+  const cpPg = posts._wpTotal !== undefined ? buildPaginationMeta(posts._wpTotal, page, per_page) : undefined;
+  if (mode === 'ids_only') {
+    result = json({ post_type, total: posts.length, page, mode: 'ids_only', ids: posts.map(p => p.id), ...(cpPg && { pagination: cpPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0, params: { post_type } });
+    return result;
+  }
+  if (mode === 'summary') {
+    result = json({ post_type, total: posts.length, page, mode: 'summary', posts: posts.map(p => ({ id: p.id, title: p.title?.rendered || p.title, slug: p.slug, date: p.date, status: p.status, link: p.link })), ...(cpPg && { pagination: cpPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0, params: { post_type } });
+    return result;
+  }
+  result = json({ post_type, total: posts.length, page, posts: posts.map(p => ({ id: p.id, title: p.title?.rendered || p.title, status: p.status, date: p.date, link: p.link, slug: p.slug, type: p.type, meta: p.meta || {} })), ...(cpPg && { pagination: cpPg }) });
+  auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0, params: { post_type } });
+  return result;
+};

package/src/tools/users.js

@@ -0,0 +1,188 @@
+// src/tools/users.js — users tools (10)
+// Definitions + handlers (v5.0.0 refactor Step B+C)
+
+import { json, buildPaginationMeta } from '../shared/utils.js';
+import { validateInput } from '../shared/governance.js';
+import { rt } from '../shared/context.js';
+
+export const definitions = [
+  { name: 'wp_list_users', _category: 'users', description: 'Use to list site users with roles. Read-only. Hint: use mode=\'summary\' for listings, \'ids_only\' for batch ops.', inputSchema: { type: 'object', properties: { per_page: { type: 'number', default: 10 }, page: { type: 'number', default: 1 }, roles: { type: 'string' }, search: { type: 'string' }, orderby: { type: 'string', default: 'name' }, mode: { type: 'string', enum: ['full', 'summary', 'ids_only'], default: 'full', description: 'full=all fields, summary=key fields only, ids_only=flat ID array' } }}},
+  { name: 'wp_get_user', _category: 'users', description: 'Use to get a user profile by ID. Returns login, email, role, meta, registration date. Read-only. Requires list_users capability.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'User ID' }, context: { type: 'string', enum: ['view', 'edit'], description: 'edit returns email and meta (requires edit_users)' } }, required: ['id'] }},
+  { name: 'wp_create_user', _category: 'users', description: 'Use to create a new WordPress user. Requires create_users capability. Write — blocked by WP_READ_ONLY. Requires confirm=true to prevent accidental creation.',
+        inputSchema: { type: 'object', properties: { username: { type: 'string' }, email: { type: 'string' }, password: { type: 'string' }, role: { type: 'string', description: 'Role slug (subscriber, contributor, author, editor, administrator)' }, first_name: { type: 'string' }, last_name: { type: 'string' }, url: { type: 'string' }, description: { type: 'string', description: 'User bio' }, meta: { type: 'object', description: 'Custom user meta' }, confirm: { type: 'boolean', description: 'Must be true to execute. Safety guard against accidental creation.' } }, required: ['username', 'email', 'password', 'confirm'] }},
+  { name: 'wp_update_user', _category: 'users', description: 'Use to update a user profile. Only provided fields are modified. Write — blocked by WP_READ_ONLY.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number' }, email: { type: 'string' }, display_name: { type: 'string' }, first_name: { type: 'string' }, last_name: { type: 'string' }, role: { type: 'string' }, url: { type: 'string' }, description: { type: 'string', description: 'User bio' }, meta: { type: 'object' }, nickname: { type: 'string' }, locale: { type: 'string' } }, required: ['id'] }},
+  { name: 'wp_delete_user', _category: 'users', description: 'Use to delete a user permanently. Requires delete_users capability. Destructive — blocked by WP_READ_ONLY, WP_DISABLE_DELETE. Requires confirm=true and reassign to prevent data loss.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number' }, reassign: { type: 'number', description: 'User ID to reassign posts to (required)' }, confirm: { type: 'boolean', description: 'Must be true to execute. Safety guard against accidental deletion.' } }, required: ['id', 'reassign', 'confirm'] }},
+  { name: 'wp_list_user_roles', _category: 'users', description: 'Use to list all available WordPress user roles with their capabilities. Read-only.',
+        inputSchema: { type: 'object', properties: {} }},
+  { name: 'wp_get_user_capabilities', _category: 'users', description: 'Use to get the capabilities of a specific user (can_publish, manage_options, etc.). Read-only.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'User ID' } }, required: ['id'] }},
+  { name: 'wp_reset_user_password', _category: 'users', description: 'Use to trigger a password reset email for a user. Write — blocked by WP_READ_ONLY. Requires edit_users capability.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'User ID' } }, required: ['id'] }},
+  { name: 'wp_list_user_application_passwords', _category: 'users', description: 'Use to list application passwords for a user. Returns name, UUID, created date, last used. Read-only.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'User ID' } }, required: ['id'] }},
+  { name: 'wp_revoke_application_password', _category: 'users', description: 'Use to revoke (delete) an application password by UUID. Destructive — blocked by WP_READ_ONLY.',
+        inputSchema: { type: 'object', properties: { id: { type: 'number', description: 'User ID' }, uuid: { type: 'string', description: 'Application password UUID' } }, required: ['id', 'uuid'] }}
+];
+
+export const handlers = {};
+
+handlers['wp_list_users'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  const { per_page = 10, page = 1, roles, search, orderby = 'name', mode = 'full' } = args;
+  let ep = `/users?per_page=${per_page}&page=${page}&orderby=${orderby}`;
+  if (roles) ep += `&roles=${roles}`; if (search) ep += `&search=${encodeURIComponent(search)}`;
+  const users = await wpApiCall(ep);
+  const usrPg = users._wpTotal !== undefined ? buildPaginationMeta(users._wpTotal, page, per_page) : undefined;
+  if (mode === 'ids_only') {
+    result = json({ total: users.length, mode: 'ids_only', ids: users.map(u => u.id), ...(usrPg && { pagination: usrPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+    return result;
+  }
+  if (mode === 'summary') {
+    result = json({ total: users.length, mode: 'summary', users: users.map(u => ({ id: u.id, name: u.name, slug: u.slug, roles: u.roles || [] })), ...(usrPg && { pagination: usrPg }) });
+    auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+    return result;
+  }
+  result = json({ total: users.length, users: users.map(u => ({ id: u.id, name: u.name, slug: u.slug, link: u.link, roles: u.roles, avatar: u.avatar_urls?.['96'] })), ...(usrPg && { pagination: usrPg }) });
+  auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_get_user'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 }, context: { type: 'string', enum: ['view', 'edit'] } });
+  const { id, context = 'edit' } = args;
+  const u = await wpApiCall(`/users/${id}?context=${context}`);
+  result = json({ id: u.id, username: u.username || u.slug, name: u.name, slug: u.slug, email: u.email || null, roles: u.roles || [], first_name: u.first_name || '', last_name: u.last_name || '', url: u.url || '', description: u.description || '', link: u.link, registered_date: u.registered_date || null, locale: u.locale || '', nickname: u.nickname || '', avatar: u.avatar_urls?.['96'] || null, meta: u.meta || {} });
+  auditLog({ tool: name, target: id, target_type: 'user', action: 'read', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_create_user'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { username: { type: 'string', required: true }, email: { type: 'string', required: true }, password: { type: 'string', required: true }, confirm: { type: 'boolean', required: true } });
+  if (args.confirm !== true) {
+    result = json({ error: 'Safety guard: set confirm=true to create a user. This prevents accidental user creation.' });
+    auditLog({ tool: name, action: 'create', status: 'blocked', latency_ms: Date.now() - t0, params: { username: args.username }, error: 'confirm not set' });
+    return { content: [{ type: 'text', text: 'Error: Safety guard: set confirm=true to create a user.' }], isError: true };
+  }
+  const { username, email, password, role = 'subscriber', first_name, last_name, url: userUrl, description: bio, meta: userMeta } = args;
+  const userData = { username, email, password, roles: [role] };
+  if (first_name) userData.first_name = first_name;
+  if (last_name) userData.last_name = last_name;
+  if (userUrl) userData.url = userUrl;
+  if (bio) userData.description = bio;
+  if (userMeta) userData.meta = userMeta;
+  const nu = await wpApiCall('/users', { method: 'POST', body: JSON.stringify(userData) });
+  result = json({ success: true, message: `User "${username}" created`, user: { id: nu.id, username: nu.username || nu.slug, email: nu.email, roles: nu.roles, name: nu.name } });
+  auditLog({ tool: name, target: nu.id, target_type: 'user', action: 'create', status: 'success', latency_ms: Date.now() - t0, params: { username, email, role } });
+  return result;
+};
+handlers['wp_update_user'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, sanitizeParams, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+  const { id, ...userUpdates } = args;
+  const updateData = {};
+  if (userUpdates.email) updateData.email = userUpdates.email;
+  if (userUpdates.display_name) updateData.name = userUpdates.display_name;
+  if (userUpdates.first_name) updateData.first_name = userUpdates.first_name;
+  if (userUpdates.last_name) updateData.last_name = userUpdates.last_name;
+  if (userUpdates.role) updateData.roles = [userUpdates.role];
+  if (userUpdates.url) updateData.url = userUpdates.url;
+  if (userUpdates.description) updateData.description = userUpdates.description;
+  if (userUpdates.nickname) updateData.nickname = userUpdates.nickname;
+  if (userUpdates.locale) updateData.locale = userUpdates.locale;
+  if (userUpdates.meta) updateData.meta = userUpdates.meta;
+  const uu = await wpApiCall(`/users/${id}`, { method: 'POST', body: JSON.stringify(updateData) });
+  result = json({ success: true, message: `User ${id} updated`, user: { id: uu.id, name: uu.name, email: uu.email, roles: uu.roles, slug: uu.slug } });
+  auditLog({ tool: name, target: id, target_type: 'user', action: 'update', status: 'success', latency_ms: Date.now() - t0, params: sanitizeParams(updateData) });
+  return result;
+};
+handlers['wp_delete_user'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 }, reassign: { type: 'number', required: true, min: 1 }, confirm: { type: 'boolean', required: true } });
+  if (args.confirm !== true) {
+    return { content: [{ type: 'text', text: 'Error: Safety guard: set confirm=true and reassign=<user_id> to delete a user. This permanently removes the account.' }], isError: true };
+  }
+  const { id, reassign } = args;
+  await wpApiCall(`/users/${id}?force=true&reassign=${reassign}`, { method: 'DELETE' });
+  result = json({ success: true, message: `User ${id} permanently deleted, content reassigned to user ${reassign}` });
+  auditLog({ tool: name, target: id, target_type: 'user', action: 'delete', status: 'success', latency_ms: Date.now() - t0, params: { id, reassign } });
+  return result;
+};
+handlers['wp_list_user_roles'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  const rolesData = await wpApiCall('/roles', { basePath: '/wp-json/wp/v2/users' });
+  // WP REST doesn't have a /roles endpoint natively; fall back to reading from site info
+  if (Array.isArray(rolesData)) {
+    result = json({ total: rolesData.length, roles: rolesData.map(r => ({ slug: r.slug || r.name, name: r.name, capabilities: r.capabilities || {} })) });
+  } else if (rolesData && typeof rolesData === 'object') {
+    const rolesList = Object.entries(rolesData).map(([slug, data]) => ({ slug, name: data.name || slug, capabilities: data.capabilities || {} }));
+    result = json({ total: rolesList.length, roles: rolesList });
+  } else {
+    result = json({ total: 0, roles: [], note: 'Roles endpoint not available. Use wp_site_info or check WP version.' });
+  }
+  auditLog({ tool: name, action: 'list', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_get_user_capabilities'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+  const capUser = await wpApiCall(`/users/${args.id}?context=edit`);
+  const caps = capUser.capabilities || {};
+  const activeCaps = Object.entries(caps).filter(([, v]) => v === true).map(([k]) => k);
+  result = json({ id: capUser.id, name: capUser.name, roles: capUser.roles || [], capabilities_count: activeCaps.length, capabilities: activeCaps });
+  auditLog({ tool: name, target: args.id, target_type: 'user', action: 'read', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_reset_user_password'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+  // WP REST API: POST /users/{id} with an empty password field doesn't reset.
+  // Use the mcp-diagnostics companion endpoint, or generate a reset URL.
+  // Standard approach: read user email, then trigger via custom endpoint.
+  const resetUser = await wpApiCall(`/users/${args.id}?context=edit`);
+  await wpApiCall(`/password-reset`, { basePath: '/wp-json/mcp-diagnostics/v1', method: 'POST', body: JSON.stringify({ user_id: args.id }) });
+  result = json({ success: true, message: `Password reset email sent to user ${args.id}`, user: { id: resetUser.id, name: resetUser.name, email: resetUser.email ? resetUser.email.replace(/(.{2}).*(@.*)/, '$1***$2') : 'hidden' } });
+  auditLog({ tool: name, target: args.id, target_type: 'user', action: 'password_reset', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_list_user_application_passwords'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 } });
+  const appPasswords = await wpApiCall(`/users/${args.id}/application-passwords`);
+  const passwords = Array.isArray(appPasswords) ? appPasswords : [];
+  result = json({ user_id: args.id, total: passwords.length, application_passwords: passwords.map(ap => ({ uuid: ap.uuid, name: ap.name, created: ap.created, last_used: ap.last_used || null, last_ip: ap.last_ip || null })) });
+  auditLog({ tool: name, target: args.id, target_type: 'user', action: 'list_app_passwords', status: 'success', latency_ms: Date.now() - t0 });
+  return result;
+};
+handlers['wp_revoke_application_password'] = async (args) => {
+  const t0 = Date.now();
+  let result;
+  const { wpApiCall, auditLog, name } = rt;
+  validateInput(args, { id: { type: 'number', required: true, min: 1 }, uuid: { type: 'string', required: true } });
+  const { id, uuid } = args;
+  await wpApiCall(`/users/${id}/application-passwords/${encodeURIComponent(uuid)}`, { method: 'DELETE' });
+  result = json({ success: true, message: `Application password ${uuid} revoked for user ${id}` });
+  auditLog({ tool: name, target: id, target_type: 'user', action: 'revoke_app_password', status: 'success', latency_ms: Date.now() - t0, params: { uuid } });
+  return result;
+};