@adsim/wordpress-mcp-server 4.5.1 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (61) hide show
  1. package/.env.example +18 -0
  2. package/README.md +857 -447
  3. package/companion/mcp-diagnostics.php +1184 -0
  4. package/dxt/manifest.json +718 -90
  5. package/index.js +188 -4747
  6. package/package.json +14 -6
  7. package/src/data/plugin-performance-data.json +59 -0
  8. package/src/plugins/IPluginAdapter.js +95 -0
  9. package/src/plugins/adapters/acf/acfAdapter.js +181 -0
  10. package/src/plugins/adapters/elementor/elementorAdapter.js +176 -0
  11. package/src/plugins/contextGuard.js +57 -0
  12. package/src/plugins/registry.js +94 -0
  13. package/src/shared/api.js +79 -0
  14. package/src/shared/audit.js +39 -0
  15. package/src/shared/context.js +15 -0
  16. package/src/shared/governance.js +98 -0
  17. package/src/shared/utils.js +148 -0
  18. package/src/tools/comments.js +50 -0
  19. package/src/tools/content.js +353 -0
  20. package/src/tools/core.js +114 -0
  21. package/src/tools/editorial.js +634 -0
  22. package/src/tools/fse.js +370 -0
  23. package/src/tools/health.js +160 -0
  24. package/src/tools/index.js +96 -0
  25. package/src/tools/intelligence.js +2082 -0
  26. package/src/tools/links.js +118 -0
  27. package/src/tools/media.js +71 -0
  28. package/src/tools/performance.js +219 -0
  29. package/src/tools/plugins.js +368 -0
  30. package/src/tools/schema.js +417 -0
  31. package/src/tools/security.js +590 -0
  32. package/src/tools/seo.js +1633 -0
  33. package/src/tools/taxonomy.js +115 -0
  34. package/src/tools/users.js +188 -0
  35. package/src/tools/woocommerce.js +1008 -0
  36. package/src/tools/workflow.js +409 -0
  37. package/src/transport/http.js +39 -0
  38. package/tests/unit/helpers/pagination.test.js +43 -0
  39. package/tests/unit/pluginLayer.test.js +151 -0
  40. package/tests/unit/plugins/acf/acfAdapter.test.js +205 -0
  41. package/tests/unit/plugins/acf/acfAdapter.write.test.js +157 -0
  42. package/tests/unit/plugins/contextGuard.test.js +51 -0
  43. package/tests/unit/plugins/elementor/elementorAdapter.test.js +206 -0
  44. package/tests/unit/plugins/iPluginAdapter.test.js +34 -0
  45. package/tests/unit/plugins/registry.test.js +84 -0
  46. package/tests/unit/tools/bulkUpdate.test.js +188 -0
  47. package/tests/unit/tools/diagnostics.test.js +397 -0
  48. package/tests/unit/tools/dynamicFiltering.test.js +100 -8
  49. package/tests/unit/tools/editorialIntelligence.test.js +817 -0
  50. package/tests/unit/tools/fse.test.js +548 -0
  51. package/tests/unit/tools/multilingual.test.js +653 -0
  52. package/tests/unit/tools/performance.test.js +351 -0
  53. package/tests/unit/tools/runWorkflow.test.js +150 -0
  54. package/tests/unit/tools/schema.test.js +477 -0
  55. package/tests/unit/tools/security.test.js +695 -0
  56. package/tests/unit/tools/site.test.js +1 -1
  57. package/tests/unit/tools/siteOptions.test.js +101 -0
  58. package/tests/unit/tools/users.crud.test.js +399 -0
  59. package/tests/unit/tools/validateBlocks.test.js +186 -0
  60. package/tests/unit/tools/visualStaging.test.js +271 -0
  61. package/tests/unit/tools/woocommerce.advanced.test.js +679 -0
package/README.md CHANGED
@@ -3,38 +3,80 @@
3
3
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
4
4
  [![Node.js](https://img.shields.io/badge/Node.js-%3E%3D18-green.svg)](https://nodejs.org/)
5
5
  [![MCP SDK](https://img.shields.io/badge/MCP-SDK-blue.svg)](https://github.com/anthropics/mcp)
6
- [![Tests](https://img.shields.io/badge/tests-713%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
6
+ [![Tests](https://img.shields.io/badge/tests-1076%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
7
7
  [![npm](https://img.shields.io/npm/v/@adsim/wordpress-mcp-server.svg)](https://www.npmjs.com/package/@adsim/wordpress-mcp-server)
8
8
 
9
9
  **Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free**
10
10
 
11
11
  The enterprise governance layer for Claude-to-WordPress integrations — secure, auditable, and multi-site.
12
12
 
13
- **v4.5.1 Enterprise** · 85 tools · 713 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin intelligence · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting
13
+ **v5.1.0 Enterprise** · 175 tools · ~1101 Vitest tests · GitHub Actions CI
14
+
15
+ ---
16
+
17
+ ## Table of Contents
18
+
19
+ - [Architecture](#architecture)
20
+ - [Why This Server](#why-this-server)
21
+ - [Safety Model](#safety-model)
22
+ - [Data Retention](#data-retention)
23
+ - [Quick Start](#quick-start)
24
+ - [HTTP Streamable Transport](#http-streamable-transport)
25
+ - [MCPB Bundle](#mcpb-bundle--claude-desktop-one-click-install)
26
+ - [Available Tools (175)](#available-tools-175)
27
+ - [Enterprise Controls](#enterprise-controls)
28
+ - [MU-Plugin Companion](#mu-plugin-companion)
29
+ - [SEO Metadata](#seo-metadata)
30
+ - [WooCommerce Setup](#woocommerce-setup)
31
+ - [Testing](#testing)
32
+ - [Structured Audit Log](#structured-audit-log)
33
+ - [Multi-Target](#multi-target)
34
+ - [Health & Reliability](#health--reliability)
35
+ - [Security](#security)
36
+ - [Troubleshooting](#troubleshooting)
37
+ - [Development](#development)
38
+ - [Changelog](#changelog)
39
+ - [Roadmap](#roadmap)
40
+ - [Contributing](#contributing)
41
+ - [License](#license)
42
+ - [Credits](#credits)
14
43
 
15
44
  ---
16
45
 
17
46
  ## Architecture
47
+
18
48
  ```
19
- ┌─────────────────────────┐
20
- Claude Client │ Claude Desktop · Claude Code · Any MCP client
21
- └────────────┬────────────┘
22
- │ MCP Protocol (stdio or HTTP Streamable)
23
- ┌────────────▼────────────┐
24
- WordPress MCP Server │ Node.js · Standalone · No WordPress plugin
25
- ├─────────────────────────┤
26
- Execution Controls Read-only · Draft-only · Plugin mgmt · Type/status allowlists
27
- ├─────────────────────────┤
28
- Audit Logging JSON on stderr · 79 instrumentation points
29
- ├─────────────────────────┤
30
- Rate Limiting Client-side · Configurable per-minute cap
31
- ├─────────────────────────┤
32
- HTTP Transport Bearer auth · Session management · Origin validation
33
- └────────────┬────────────┘
34
- HTTPS + WordPress Application Password (Basic Auth over TLS)
35
- ┌────────────▼────────────┐
36
- WordPress REST API Single site or multi-target
37
- └─────────────────────────┘
49
+ ┌─────────────────────────────┐
50
+ Claude Client │ Claude Desktop · Claude Code · Any MCP client
51
+ └──────────────┬──────────────┘
52
+ │ MCP Protocol (stdio or HTTP Streamable)
53
+ ┌──────────────▼──────────────┐
54
+ WordPress MCP Server │ Node.js · Standalone · No WordPress plugin
55
+ ├─────────────────────────────┤
56
+ index.js (~498 lines) Orchestration only: MCP transport, enterprise controls, dispatch
57
+ ├─────────────────────────────┤
58
+ src/tools/ (18 modules) 175 tool definitions + handlers by category
59
+ ├─────────────────────────────┤
60
+ src/shared/ utils · api · audit · governance · context
61
+ ├─────────────────────────────┤
62
+ src/plugins/ PluginRegistry · ACF · auto-detected via REST namespaces
63
+ ├─────────────────────────────┤
64
+ WP_TOOL_CATEGORIES Filter │ Load only the categories you need (~4-9k tokens vs ~20k)
65
+ ├─────────────────────────────┤
66
+ Execution Controls Read-only · Draft-only · Plugin mgmt · Type/status allowlists
67
+ ├─────────────────────────────┤
68
+ │ Audit Logging │ JSON on stderr · 79+ instrumentation points
69
+ ├─────────────────────────────┤
70
+ │ Rate Limiting │ Client-side · Configurable per-minute cap
71
+ ├─────────────────────────────┤
72
+ │ HTTP Transport │ Bearer auth · Session management · Origin validation
73
+ └──────────────┬──────────────┘
74
+ │ HTTPS + WordPress Application Password (Basic Auth over TLS)
75
+ ┌──────────────▼──────────────┐
76
+ │ WordPress REST API │ Single site or multi-target
77
+ ├─────────────────────────────┤
78
+ │ MCP Diagnostics mu-plugin │ Optional · Debug log · Cron · Schema · Security endpoints
79
+ └─────────────────────────────┘
38
80
  ```
39
81
 
40
82
  ## Why This Server
@@ -45,6 +87,8 @@ In regulated environments — financial services, healthcare, legal, government
45
87
 
46
88
  No composer, no PHP build, no WordPress admin plugin. Point it at any WordPress site with an Application Password, configure your execution policy, and connect your Claude client.
47
89
 
90
+ With 173 tools across 18 categories and `WP_TOOL_CATEGORIES`, agencies can load only the tools they need per deployment — reducing the ListTools context from ~20,000 tokens to as low as ~4,000 tokens, saving cost and improving response quality.
91
+
48
92
  ## Safety Model
49
93
 
50
94
  This server is designed for safe operation in production environments:
@@ -99,6 +143,10 @@ WP_API_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
99
143
  # Optional: WooCommerce (generate at WooCommerce → Settings → Advanced → REST API)
100
144
  WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
101
145
  WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
146
+
147
+ # Context optimization (optional)
148
+ WP_TOOL_CATEGORIES=seo,content,schema # Load specific categories only
149
+ WP_COMPACT_JSON=true # Compact JSON output (default)
102
150
  ```
103
151
 
104
152
  To generate an Application Password: WordPress Admin → Users → Profile → Application Passwords → Add New.
@@ -161,20 +209,20 @@ npx -y @adsim/wordpress-mcp-server
161
209
 
162
210
  ### HTTP environment variables
163
211
 
164
- | Variable | Default | Description |
165
- |---|---|---|
166
- | `MCP_TRANSPORT` | `stdio` | Set to `http` to enable HTTP Streamable transport |
167
- | `MCP_HTTP_PORT` | `3000` | HTTP server port |
168
- | `MCP_HTTP_HOST` | `127.0.0.1` | Bind address |
169
- | `MCP_AUTH_TOKEN` | _(none)_ | Bearer token for authentication (required in HTTP mode) |
170
- | `MCP_ALLOWED_ORIGINS` | _(none)_ | Comma-separated allowed origins (anti-DNS-rebinding) |
171
- | `MCP_SESSION_TIMEOUT_MS` | `3600000` | Session TTL in milliseconds (1 hour) |
172
- | `MCP_DUAL_MODE` | `false` | Run stdio and HTTP transports simultaneously |
212
+ | Variable | Default | Description |
213
+ |-----------------------|-------------|------------------------------------------------------|
214
+ | `MCP_TRANSPORT` | `stdio` | Set to `http` to enable HTTP Streamable transport |
215
+ | `MCP_HTTP_PORT` | `3000` | HTTP server port |
216
+ | `MCP_HTTP_HOST` | `127.0.0.1` | Bind address |
217
+ | `MCP_AUTH_TOKEN` | _(none)_ | Bearer token for authentication (required in HTTP mode) |
218
+ | `MCP_ALLOWED_ORIGINS` | _(none)_ | Comma-separated allowed origins (anti-DNS-rebinding) |
219
+ | `MCP_SESSION_TIMEOUT_MS` | `3600000` | Session TTL in milliseconds (1 hour) |
220
+ | `MCP_DUAL_MODE` | `false` | Run stdio and HTTP transports simultaneously |
173
221
 
174
222
  ### Health check
175
223
  ```bash
176
224
  curl http://localhost:3000/health
177
- # → { "status": "ok", "version": "4.4.0", "transport": "http" }
225
+ # → { "status": "ok", "version": "4.14.0", "transport": "http" }
178
226
  ```
179
227
 
180
228
  ### Connect an MCP client via HTTP
@@ -214,199 +262,393 @@ Double-click `wordpress-mcp-server.mcpb` — Claude Desktop will prompt for:
214
262
 
215
263
  ---
216
264
 
217
- ## Available Tools (79)
218
-
219
- ### Content Management
220
-
221
- | Tool | Description |
222
- |---|---|
223
- | `wp_list_posts` | List posts with pagination, filtering by status/category/tag/author, and search |
224
- | `wp_get_post` | Get a post by ID with full content, meta fields, and taxonomy info |
225
- | `wp_create_post` | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
226
- | `wp_update_post` | Update any post field. Only provided fields are modified |
227
- | `wp_delete_post` | Move to trash by default. Permanent deletion requires `force=true`. Returns confirmation token when `WP_CONFIRM_DESTRUCTIVE=true` |
228
- | `wp_search` | Full-text search across all content types |
229
- | `wp_list_pages` | List pages with hierarchy (parent/child), templates, and menu order |
230
- | `wp_get_page` | Get page content, template, and hierarchy info |
231
- | `wp_create_page` | Create a page with parent, template, and menu_order support |
232
- | `wp_update_page` | Update any page field |
233
-
234
- ### Media Library
235
-
236
- | Tool | Description |
237
- |---|---|
238
- | `wp_list_media` | Browse media with type filtering (image/video/audio/document) |
239
- | `wp_get_media` | Get URL, dimensions, alt text, caption, and all available sizes |
240
- | `wp_upload_media` | Upload a file from a public URL to the WordPress media library |
241
-
242
- ### Taxonomies & Structure
243
-
244
- | Tool | Description |
245
- |---|---|
246
- | `wp_list_categories` | List categories with hierarchy, post count, and descriptions |
247
- | `wp_list_tags` | List tags with post count |
248
- | `wp_create_taxonomy_term` | Create a new category or tag |
249
- | `wp_list_post_types` | Discover all registered post types (including custom ones) |
250
- | `wp_list_custom_posts` | List content from any custom post type (products, portfolio, events) |
251
-
252
- ### Engagement
253
-
254
- | Tool | Description |
255
- |---|---|
256
- | `wp_list_comments` | List comments with filtering by post, status, and author |
257
- | `wp_create_comment` | Create a comment or reply on any post |
258
- | `wp_list_users` | List users with roles (read-only) |
259
-
260
- ### SEO Metadata
261
-
262
- | Tool | Description |
263
- |---|---|
264
- | `wp_get_seo_meta` | Read SEO title, description, focus keyword, canonical, robots, Open Graph. Auto-detects Yoast, RankMath, SEOPress, All in One SEO |
265
- | `wp_update_seo_meta` | Update SEO metadata with automatic plugin detection |
266
- | `wp_audit_seo` | Bulk audit SEO across posts/pages with quality scoring (0-100), missing fields detection, and length checks |
267
-
268
- SEO metadata updates are subject to the same enterprise controls and execution policies as all other write operations.
269
-
270
- ### SEO Audit Suite
271
-
272
- > **New in v4.0–v4.2** Deep technical SEO analysis without requiring any WordPress plugin.
273
-
274
- | Tool | Description |
275
- |---|---|
276
- | `wp_audit_media_seo` | Audit media library for missing alt text, short alt text, and unoptimized filenames. Returns per-image scores and prioritized fix list |
277
- | `wp_find_orphan_pages` | Identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list |
278
- | `wp_audit_heading_structure` | Analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2 |
279
- | `wp_find_thin_content` | Surface posts below a configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure |
280
- | `wp_audit_canonicals` | Validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, and cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO |
281
- | `wp_analyze_eeat_signals` | Score E-E-A-T signals per post: author bio presence, publication/update dates, outbound citations, word count, structured data markers. Returns a 0-100 score with a breakdown by dimension |
282
- | `wp_find_broken_internal_links` | Check all internal links in a post via HEAD requests. Returns broken (4xx/5xx), redirected (3xx), and slow links. Configurable batch size and timeout |
283
- | `wp_find_keyword_cannibalization` | Detect posts sharing the same RankMath/Yoast/SEOPress/AIOSEO focus keyword. Groups conflicts by keyword and flags the weakest post by word count |
284
- | `wp_audit_taxonomies` | Identify taxonomy bloat: unused categories/tags, near-duplicate terms via Levenshtein distance, single-post terms, and over-tagged posts |
285
- | `wp_audit_outbound_links` | Analyze external link profile per post. Detects links to low-authority domains, missing rel="nofollow" on sponsored links, and broken external URLs |
286
-
287
- All SEO audit tools are read-only and always allowed regardless of governance flags.
288
-
289
- ### Content Intelligence
290
-
291
- > **New in v4.4.0** — Deep content analysis and editorial intelligence without any WordPress plugin.
292
-
293
- | Tool | Description |
294
- |---|---|
295
- | `wp_get_content_brief` | Editorial brief aggregator: SEO + structure + links in 1 call |
296
- | `wp_extract_post_outline` | H1-H6 outline extraction with category-level pattern analysis |
297
- | `wp_audit_readability` | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis |
298
- | `wp_audit_update_frequency` | Outdated content detection cross-referenced with SEO scores |
299
- | `wp_build_link_map` | Internal link matrix with simplified PageRank scoring (0-100) |
300
- | `wp_audit_anchor_texts` | Anchor text diversity audit: generic, over-optimized, image link detection |
301
- | `wp_audit_schema_markup` | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) |
302
- | `wp_audit_content_structure` | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images |
303
- | `wp_find_duplicate_content` | TF-IDF cosine similarity for near-duplicate detection with union-find clustering |
304
- | `wp_find_content_gaps` | Taxonomy under-representation analysis (categories + tags) |
305
- | `wp_extract_faq_blocks` | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns |
306
- | `wp_audit_cta_presence` | CTA detection (6 types) with scoring 0-100 |
307
- | `wp_extract_entities` | Regex/heuristic named entity extraction (brands, locations, persons, organizations) |
308
- | `wp_get_publishing_velocity` | Publication cadence by author/category with trend detection |
309
- | `wp_compare_revisions_diff` | Textual diff between revisions with amplitude scoring |
310
- | `wp_list_posts_by_word_count` | Posts sorted by length with 6-tier segmentation |
311
-
312
- All Content Intelligence tools are read-only and always allowed regardless of governance flags.
313
-
314
- ### Plugins
265
+ ## Available Tools (175)
266
+
267
+ ### Content Management (12)
268
+
269
+ | Tool | Description |
270
+ |-------------------|------------------------------------------------------------------------------------------------|
271
+ | `wp_list_posts` | List posts with pagination, filtering by status/category/tag/author, and search |
272
+ | `wp_get_post` | Get a post by ID with full content, meta fields, and taxonomy info |
273
+ | `wp_create_post` | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
274
+ | `wp_update_post` | Update any post field. Only provided fields are modified |
275
+ | `wp_delete_post` | Move to trash by default. Permanent deletion requires `force=true`. Confirmation token when `WP_CONFIRM_DESTRUCTIVE=true` |
276
+ | `wp_search` | Full-text search across all content types |
277
+ | `wp_list_pages` | List pages with hierarchy (parent/child), templates, and menu order |
278
+ | `wp_get_page` | Get page content, template, and hierarchy info |
279
+ | `wp_create_page` | Create a page with parent, template, and menu_order support |
280
+ | `wp_update_page` | Update any page field |
281
+ | `wp_validate_block_structure` | Validate Gutenberg block HTML before saving. Detects unclosed blocks, malformed JSON, invalid nesting, deprecated blocks |
282
+ | `wp_bulk_update` | Bulk update content across multiple posts/pages. Supports text replacement, meta updates, status changes, content append. Dry-run by default |
283
+
284
+ ### Media Library (3)
285
+
286
+ | Tool | Description |
287
+ |-------------------|--------------------------------------------------------------------------|
288
+ | `wp_list_media` | Browse media with type filtering (image/video/audio/document) |
289
+ | `wp_get_media` | Get URL, dimensions, alt text, caption, and all available sizes |
290
+ | `wp_upload_media` | Upload a file from a public URL to the WordPress media library |
291
+
292
+ ### Taxonomies & Structure (5)
293
+
294
+ | Tool | Description |
295
+ |--------------------------|----------------------------------------------------------------------|
296
+ | `wp_list_categories` | List categories with hierarchy, post count, and descriptions |
297
+ | `wp_list_tags` | List tags with post count |
298
+ | `wp_create_taxonomy_term`| Create a new category or tag |
299
+ | `wp_list_post_types` | Discover all registered post types (including custom ones) |
300
+ | `wp_list_custom_posts` | List content from any custom post type (products, portfolio, events) |
301
+
302
+ ### Engagement (2)
303
+
304
+ | Tool | Description |
305
+ |---------------------|--------------------------------------------------------|
306
+ | `wp_list_comments` | List comments with filtering by post, status, and author |
307
+ | `wp_create_comment` | Create a comment or reply on any post |
308
+
309
+ ### Users & Security (10)
310
+
311
+ > **New in v4.7.0** — Full user CRUD, role/capability inspection, password reset, and application password management.
312
+
313
+ | Tool | Description |
314
+ |-------------------------------------|--------------------------------------------------------------------------------------------|
315
+ | `wp_list_users` | List users with roles, search, pagination. Supports full/summary/ids_only modes |
316
+ | `wp_get_user` | Full user profile: login, email, role, meta, registration date, avatar |
317
+ | `wp_create_user` | Create user with username, email, password, role. Requires `confirm=true`. Write |
318
+ | `wp_update_user` | Update email, display_name, role, bio, meta. Write |
319
+ | `wp_delete_user` | Delete user with mandatory post reassignment. Requires `confirm=true`. Blocked by `WP_DISABLE_DELETE` |
320
+ | `wp_list_user_roles` | All available roles with their capabilities listed |
321
+ | `wp_get_user_capabilities` | Active capabilities for a specific user |
322
+ | `wp_reset_user_password` | Trigger password reset email. Requires mu-plugin companion. Write |
323
+ | `wp_list_user_application_passwords`| List app passwords with name, UUID, created date, last used. Read-only |
324
+ | `wp_revoke_application_password` | Revoke an application password by UUID. Write |
325
+
326
+ ### SEO Metadata (3)
327
+
328
+ Auto-detects Yoast, RankMath, SEOPress, AIOSEO.
329
+
330
+ | Tool | Description |
331
+ |---------------------|----------------------------------------------------------------------------------------------|
332
+ | `wp_get_seo_meta` | Read SEO title, description, focus keyword, canonical, robots, Open Graph |
333
+ | `wp_update_seo_meta`| Update SEO metadata with automatic plugin detection |
334
+ | `wp_audit_seo` | Bulk audit SEO across posts/pages with quality scoring (0-100) and missing fields detection |
335
+
336
+ ### SEO Audit Suite (10) — New in v4.0-v4.2
337
+
338
+ All read-only, always allowed regardless of governance flags.
339
+
340
+ | Tool | Description |
341
+ |-----------------------------------|------------------------------------------------------------------------------------------|
342
+ | `wp_audit_media_seo` | Audit media library for missing alt text, short alt text, and unoptimized filenames |
343
+ | `wp_find_orphan_pages` | Identify posts with no internal links pointing to them, sorted by word count |
344
+ | `wp_audit_heading_structure` | Analyze H1/H2/H3 hierarchy. Detects H1 in body, heading level skips, empty headings |
345
+ | `wp_find_thin_content` | Surface posts below configurable word count threshold with quality scoring |
346
+ | `wp_audit_canonicals` | Validate canonical URLs. Detects missing, mismatched, cross-domain. Multi-plugin support |
347
+ | `wp_analyze_eeat_signals` | E-E-A-T scoring per post (0-100): author bio, dates, citations, structured data |
348
+ | `wp_find_broken_internal_links` | HEAD request link checker. Detects 404s, redirects, timeouts. Configurable batch size |
349
+ | `wp_find_keyword_cannibalization` | Detect posts sharing the same focus keyword. Groups conflicts, flags weakest |
350
+ | `wp_audit_taxonomies` | Taxonomy bloat: unused terms, near-duplicates (Levenshtein), single-post terms |
351
+ | `wp_audit_outbound_links` | External link profile: low-authority domains, missing nofollow, broken URLs |
352
+
353
+ ### Schema.org Intelligence (7) New in v4.9
354
+
355
+ Generation + injection + local validation end-to-end.
356
+
357
+ | Tool | Description |
358
+ |----------------------------------|--------------------------------------------------------------------------------------------|
359
+ | `wp_generate_schema_article` | Generates Article JSON-LD from post data with `_embed` for author and featured image |
360
+ | `wp_generate_schema_faq` | Detects Q&A from Gutenberg FAQ blocks, RankMath, AIOSEO, `<details>`, or H3+paragraph |
361
+ | `wp_generate_schema_howto` | Detects steps from ordered lists or numbered headings. Extracts totalTime, estimatedCost |
362
+ | `wp_generate_schema_localbusiness`| Pulls business data from ACF, Yoast Local SEO, or WP options |
363
+ | `wp_generate_schema_breadcrumb` | Rebuilds full breadcrumb hierarchy: Home > Category/Parent > Post |
364
+ | `wp_inject_schema` | Injects JSON-LD into `_custom_schema_jsonld` post meta. Supports `dry_run=true`. Requires mu-plugin |
365
+ | `wp_validate_schema_live` | Fetches live URL, extracts all JSON-LD blocks, validates structure and required fields |
366
+
367
+ ### Content Intelligence (16) — New in v4.4
368
+
369
+ All read-only, always allowed regardless of governance flags.
370
+
371
+ | Tool | Description |
372
+ |-------------------------------|------------------------------------------------------------------------------------------|
373
+ | `wp_get_content_brief` | Editorial brief aggregator: SEO + structure + links in 1 call |
374
+ | `wp_extract_post_outline` | H1-H6 outline extraction with category-level pattern analysis |
375
+ | `wp_audit_readability` | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis |
376
+ | `wp_audit_update_frequency` | Outdated content detection cross-referenced with SEO scores |
377
+ | `wp_build_link_map` | Internal link matrix with simplified PageRank scoring (0-100) |
378
+ | `wp_audit_anchor_texts` | Anchor text diversity audit: generic, over-optimized, image link detection |
379
+ | `wp_audit_schema_markup` | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) |
380
+ | `wp_audit_content_structure` | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images |
381
+ | `wp_find_duplicate_content` | TF-IDF cosine similarity for near-duplicate detection with union-find clustering |
382
+ | `wp_find_content_gaps` | Taxonomy under-representation analysis (categories + tags) |
383
+ | `wp_extract_faq_blocks` | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns |
384
+ | `wp_audit_cta_presence` | CTA detection (6 types) with scoring 0-100 |
385
+ | `wp_extract_entities` | Regex/heuristic named entity extraction (brands, locations, persons, organizations) |
386
+ | `wp_get_publishing_velocity` | Publication cadence by author/category with trend detection |
387
+ | `wp_compare_revisions_diff` | Textual diff between revisions with amplitude scoring |
388
+ | `wp_list_posts_by_word_count` | Posts sorted by length with 6-tier segmentation |
389
+
390
+ ### Editorial Intelligence (6) — New in v4.13
391
+
392
+ Batch processing up to 500 posts, reuses TF-IDF engine. All read-only.
393
+
394
+ | Tool | Description |
395
+ |----------------------------------|------------------------------------------------------------------------------------------|
396
+ | `wp_suggest_content_updates` | Finds stale posts needing updates. Prioritizes by age, outdated date references, thin content |
397
+ | `wp_audit_author_consistency` | Profiles each author: post count, avg word count, frequency, readability, media usage |
398
+ | `wp_build_editorial_calendar` | Analyzes 12 months of history for seasonality, best days, scheduled posts, gaps |
399
+ | `wp_find_pillar_content_gaps` | Identifies topics with 3+ posts without a dedicated pillar page |
400
+ | `wp_audit_internal_link_equity` | Builds link graph, identifies orphans, over-linked pages, equity distribution 0-100 |
401
+ | `wp_suggest_content_cluster` | Clusters content by TF-IDF + cosine similarity around a keyword or post_id seed |
402
+
403
+ ### Multilingual Intelligence EU (6) — New in v4.10
404
+
405
+ WPML · Polylang Pro · Polylang Free (hreflang fallback) · TranslatePress.
406
+
407
+ | Tool | Description |
408
+ |-----------------------------------|----------------------------------------------------------------------------------------|
409
+ | `wp_detect_multilingual_plugin` | Auto-detects WPML > Polylang Pro > Polylang Free > TranslatePress |
410
+ | `wp_list_languages` | Lists configured languages with code, name, locale, URL prefix, flag |
411
+ | `wp_get_post_translations` | Gets all translations with post IDs, titles, URLs, statuses, SEO meta per language |
412
+ | `wp_audit_translation_coverage` | Coverage percentages, missing counts, top 10 untranslated posts by word count |
413
+ | `wp_find_missing_seo_translations`| Finds translated posts missing SEO metadata (title, description, OG) |
414
+ | `wp_sync_seo_meta_translations` | Copies SEO meta from source to translations. `dry_run=true` by default. Write |
415
+
416
+ ### Performance & Core Web Vitals (6) — New in v4.9
417
+
418
+ | Tool | Description |
419
+ |--------------------------------------|----------------------------------------------------------------------------------------|
420
+ | `wp_audit_page_speed` | Google PageSpeed Insights: Core Web Vitals (LCP, CLS, INP, FCP, TTFB), score, opportunities. Requires `PAGESPEED_API_KEY` |
421
+ | `wp_find_render_blocking_resources` | Detects render-blocking `<link>` and `<script>` in `<head>` (excludes defer/async) |
422
+ | `wp_audit_image_optimization` | Media library audit: non-WebP, large files (>100KB), missing alt text |
423
+ | `wp_check_caching_status` | Detects caching plugins (WP Rocket, W3TC, LiteSpeed) and cache HTTP headers |
424
+ | `wp_audit_database_bloat` | Revisions, expired transients, auto-drafts, spam, orphan postmeta. Requires mu-plugin |
425
+ | `wp_get_plugin_performance_impact` | Ranks active plugins by estimated performance impact (~50 plugin database) |
426
+
427
+ ### Security Audit (6) — New in v4.11
428
+
429
+ All read-only. Optional `WPSCAN_API_KEY` for CVE data.
430
+
431
+ | Tool | Description |
432
+ |----------------------------------|------------------------------------------------------------------------------------------|
433
+ | `wp_audit_user_security` | Audits admin accounts: default usernames, inactive accounts, generic emails, missing 2FA |
434
+ | `wp_check_file_permissions` | Checks wp-config.php, .htaccess, uploads/ permissions. Requires mu-plugin |
435
+ | `wp_list_recently_modified_files`| Recently modified files with suspicious detection: PHP in uploads, hex filenames |
436
+ | `wp_audit_plugin_vulnerabilities`| Scans plugins against WPScan API. CVEs with CVSS scores. Without API key: version list |
437
+ | `wp_check_ssl_certificate` | TLS validation (expiry, issuer, SAN), security headers (HSTS, CSP). Grades A+ to F |
438
+ | `wp_audit_login_security` | Login security score /100: XML-RPC, user enumeration, 2FA, brute force protection |
439
+
440
+ ### Site Health & Diagnostics (8) — New in v4.7
441
+
442
+ `wp_get_debug_log` and `wp_get_active_hooks` require mu-plugin companion.
443
+
444
+ | Tool | Description |
445
+ |----------------------------|----------------------------------------------------------------------------------------|
446
+ | `wp_get_site_health_status`| Overall health score (good/recommended/critical) with issue counts by severity |
447
+ | `wp_list_site_health_issues`| All health issues with label, description, severity, and badge |
448
+ | `wp_get_site_health_info` | System info: PHP version, MySQL, memory limit, extensions, WP constants |
449
+ | `wp_get_debug_log` | Read last N lines of `debug.log` filtered by level. Max 500 lines. Requires mu-plugin |
450
+ | `wp_get_cron_events` | List all WP-Cron events with hook, schedule, next run, and overdue detection |
451
+ | `wp_get_transients` | List database transients with key, expiration, size. Filter by expired/active |
452
+ | `wp_check_php_compatibility`| Check each plugin's PHP version requirement vs current PHP |
453
+ | `wp_get_active_hooks` | Inventory of registered actions and filters with callbacks and priorities. Requires mu-plugin |
454
+
455
+ ### Full Site Editing — FSE (26) — New in v4.6
456
+
457
+ **Templates (5)** · **Template Parts (5)** · **Global Styles (3)** · **Block Patterns (4)** · **Navigation Menus (5)** · **Widgets (4)**
458
+
459
+ | Tool | Description |
460
+ |-----------------------------|--------------------------------------------------------------------------|
461
+ | `wp_list_templates` | List all block templates with filtering by post type |
462
+ | `wp_get_template` | Get a single block template by ID |
463
+ | `wp_create_template` | Create a new block template. Write |
464
+ | `wp_update_template` | Update an existing block template. Write |
465
+ | `wp_delete_template` | Delete a block template. Blocked by `WP_DISABLE_DELETE` |
466
+ | `wp_list_template_parts` | List template parts with area filtering (header/footer/general) |
467
+ | `wp_get_template_part` | Get a single template part by ID |
468
+ | `wp_create_template_part` | Create a new template part. Write |
469
+ | `wp_update_template_part` | Update an existing template part. Write |
470
+ | `wp_delete_template_part` | Delete a template part. Blocked by `WP_DISABLE_DELETE` |
471
+ | `wp_get_global_styles` | Get global styles (colors, typography, spacing) by post ID |
472
+ | `wp_update_global_styles` | Update global styles and settings. Write |
473
+ | `wp_get_global_styles_variations` | List available style variations for a theme |
474
+ | `wp_list_block_patterns` | List all registered block patterns |
475
+ | `wp_get_block_pattern` | Get a single block pattern by name |
476
+ | `wp_create_block_pattern` | Create a custom block pattern. Write |
477
+ | `wp_delete_block_pattern` | Delete a custom block pattern. Blocked by `WP_DISABLE_DELETE` |
478
+ | `wp_list_navigation_menus` | List navigation menus with search and status filtering |
479
+ | `wp_get_navigation_menu` | Get a single navigation menu with block content |
480
+ | `wp_create_navigation_menu` | Create a navigation menu. Write |
481
+ | `wp_update_navigation_menu` | Update a navigation menu. Write |
482
+ | `wp_delete_navigation_menu` | Delete a navigation menu. Blocked by `WP_DISABLE_DELETE` |
483
+ | `wp_list_widgets` | List all widgets with sidebar filtering |
484
+ | `wp_get_widget` | Get a single widget with instance settings and rendered output |
485
+ | `wp_update_widget` | Update widget settings or move to another sidebar. Write |
486
+ | `wp_delete_widget` | Delete a widget. Blocked by `WP_DISABLE_DELETE` |
487
+
488
+ ### Plugin Intelligence Layer (up to 7) — New in v4.5-v4.6
489
+
490
+ Activates only when plugin detected via REST namespace discovery. Disable all: `WP_DISABLE_PLUGIN_LAYERS=true`
491
+
492
+ **ACF (Advanced Custom Fields)** — requires `/acf/v3` namespace
493
+
494
+ | Tool | Description |
495
+ |----------------------|--------------------------------------------------------------------------|
496
+ | `acf_get_fields` | Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes |
497
+ | `acf_list_field_groups` | List all configured ACF field groups |
498
+ | `acf_get_field_group`| Get full detail of an ACF field group by ID |
499
+ | `acf_update_fields` | Update ACF custom fields. Write — blocked by `WP_READ_ONLY` |
500
+
501
+ **Elementor** — requires `/elementor/v1` namespace
502
+
503
+ | Tool | Description |
504
+ |-----------------------------|------------------------------------------------------------------------|
505
+ | `elementor_list_templates` | List Elementor templates (page, section, block, popup) |
506
+ | `elementor_get_template` | Get full template content and elements. Context-guarded at 50k chars |
507
+ | `elementor_get_page_data` | Elementor editor data: widgets used, elements count |
508
+
509
+ ### Plugin Intelligence (6) — New in v4.5
510
+
511
+ Requires `WP_ENABLE_PLUGIN_INTELLIGENCE=true`. Read-only (except write modes noted).
512
+
513
+ | Tool | Description |
514
+ |---------------------------|------------------------------------------------------------------------------------------|
515
+ | `wp_get_rendered_head` | Fetch real `<head>` HTML via RankMath/Yoast headless endpoint. Compare rendered vs stored |
516
+ | `wp_audit_rendered_seo` | Bulk rendered-vs-stored SEO divergence detection with per-post scoring |
517
+ | `wp_get_pillar_content` | Read or set RankMath cornerstone/pillar flag. Write blocked by `WP_READ_ONLY` |
518
+ | `wp_audit_schema_plugins` | Validate JSON-LD from SEO plugin native fields (rank_math_schema or yoast_head_json) |
519
+ | `wp_get_seo_score` | Read RankMath native SEO score (0-100) with bulk mode distribution stats |
520
+ | `wp_get_twitter_meta` | Read/write Twitter Card meta for RankMath, Yoast, SEOPress. Write blocked by `WP_READ_ONLY` |
521
+
522
+ ### Plugins & Themes (5)
523
+
524
+ | Tool | Description |
525
+ |-----------------------|--------------------------------------------------------------------------------------|
526
+ | `wp_list_plugins` | List installed plugins with status, version, author. Requires `activate_plugins` |
527
+ | `wp_activate_plugin` | Activate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
528
+ | `wp_deactivate_plugin`| Deactivate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
529
+ | `wp_list_themes` | List installed themes with active theme detection |
530
+ | `wp_get_theme` | Get theme details by stylesheet slug |
531
+
532
+ ### Revisions (4)
533
+
534
+ | Tool | Description |
535
+ |----------------------|------------------------------------------------------------------------------------------|
536
+ | `wp_list_revisions` | List revisions of a post or page (metadata only) |
537
+ | `wp_get_revision` | Get a specific revision with full content |
538
+ | `wp_restore_revision`| Restore a post to a previous revision |
539
+ | `wp_delete_revision` | Permanently delete a revision. Blocked by `WP_READ_ONLY`, `WP_DISABLE_DELETE`, `WP_CONFIRM_DESTRUCTIVE` |
540
+
541
+ ### Editorial Workflow & Visual Staging (9) — v3.2 / v4.15 / v5.1
542
+
543
+ Requires `WP_REQUIRE_APPROVAL=true`.
544
+
545
+ | Tool | Description |
546
+ |------------------------|--------------------------------------------------------------------------|
547
+ | `wp_submit_for_review` | Transition a draft post to pending status (author action) |
548
+ | `wp_approve_post` | Transition a pending post to publish (editor/admin action) |
549
+ | `wp_reject_post` | Return a pending post to draft with a mandatory rejection reason |
550
+
551
+ **Visual Staging (5)** — New in v4.15. Requires `WP_VISUAL_STAGING=true` for interception.
315
552
 
316
553
  | Tool | Description |
317
- |---|---|
318
- | `wp_list_plugins` | List installed plugins with status, version, author. Requires Administrator (`activate_plugins` capability) |
319
- | `wp_activate_plugin` | Activate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
320
- | `wp_deactivate_plugin` | Deactivate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
554
+ |------|-------------|
555
+ | `wp_create_staging_draft` | Clone a published page/post into a shadow draft for safe editing |
556
+ | `wp_list_staging_drafts` | List all pending staging drafts, optionally filtered by source |
557
+ | `wp_get_staging_preview_url` | Get native WordPress preview URL for a staging draft |
558
+ | `wp_merge_staging_to_live` | Merge validated staging draft content to the live page (two-step) |
559
+ | `wp_discard_staging_draft` | Permanently delete a staging draft without touching the live page |
321
560
 
322
- ### Themes
561
+ **Workflow Orchestrator (1)** — New in v5.1.
323
562
 
324
563
  | Tool | Description |
325
- |---|---|
326
- | `wp_list_themes` | List installed themes with active theme detection. Requires `switch_themes` capability |
327
- | `wp_get_theme` | Get theme details by stylesheet slug |
564
+ |------|-------------|
565
+ | `wp_run_workflow` | Execute named or custom tool sequences in a single call. Built-in: seo_audit_and_stage, site_health_report, content_publish_safe, wc_product_audit |
328
566
 
329
- ### Revisions
567
+ ### Internal Link Intelligence (2) — New in v3.3
330
568
 
331
- | Tool | Description |
332
- |---|---|
333
- | `wp_list_revisions` | List revisions of a post or page (metadata only) |
334
- | `wp_get_revision` | Get a specific revision with full content |
335
- | `wp_restore_revision` | Restore a post to a previous revision (plugin-free 2-step approach) |
336
- | `wp_delete_revision` | Permanently delete a revision. Blocked by `WP_READ_ONLY`, `WP_DISABLE_DELETE`, and `WP_CONFIRM_DESTRUCTIVE` |
569
+ | Tool | Description |
570
+ |-----------------------------|----------------------------------------------------------------------------------------|
571
+ | `wp_analyze_links` | Audit all internal/external links in a post. HEAD verification per link |
572
+ | `wp_suggest_internal_links` | Semantic link suggestions scored by category, freshness, SEO keyword, title match |
337
573
 
338
- ### Editorial Workflow
574
+ ### WooCommerce Core (6) — New in v3.4
339
575
 
340
- > **New in v3.2.0** — Approval workflow for regulated content operations.
576
+ Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET`.
341
577
 
342
- | Tool | Description |
343
- |---|---|
344
- | `wp_submit_for_review` | Transition a draft post to pending status (author action). Blocked by `WP_READ_ONLY` |
345
- | `wp_approve_post` | Transition a pending post to publish (editor/admin action). Blocked by `WP_READ_ONLY` and `WP_DRAFT_ONLY` |
346
- | `wp_reject_post` | Return a pending post to draft with a mandatory rejection reason (editor/admin action). Blocked by `WP_READ_ONLY` |
578
+ | Tool | Description |
579
+ |---------------------|--------------------------------------------------------------------------------------|
580
+ | `wc_list_products` | List products with filtering by status, category, search, and sorting |
581
+ | `wc_get_product` | Get product by ID with full details and variations summary |
582
+ | `wc_list_orders` | List orders with filtering by status, customer, and date |
583
+ | `wc_get_order` | Get order by ID with line items, shipping, billing, and payment details |
584
+ | `wc_list_customers` | List customers with search and role filtering |
585
+ | `wc_price_guardrail`| Analyze a price change for safety (read-only). Returns safe/unsafe |
347
586
 
348
- The approval workflow is enforced by `WP_REQUIRE_APPROVAL=true`, which blocks direct publish via `wp_update_post` and forces the draft → pending → publish path.
587
+ ### WooCommerce Intelligence (4) New in v3.5
349
588
 
350
- ### Internal Link Intelligence
589
+ | Tool | Description |
590
+ |---------------------------|------------------------------------------------------------------------------------|
591
+ | `wc_inventory_alert` | Identify low-stock and out-of-stock products below threshold, sorted by urgency |
592
+ | `wc_order_intelligence` | Customer purchase history: lifetime value, average order, favourite products |
593
+ | `wc_seo_product_audit` | Audit product listings for SEO issues (descriptions, images, alt text, slugs) |
594
+ | `wc_suggest_product_links`| Suggest WooCommerce products to link from blog posts based on keyword relevance |
351
595
 
352
- > **New in v3.3.0**Audit and improve internal linking without auto-insertion.
596
+ ### WooCommerce Advanced Intelligence (7) New in v4.12
353
597
 
354
- | Tool | Description |
355
- |---|---|
356
- | `wp_analyze_links` | Audit all internal and external links in a post. HEAD request verification per link (broken/warning/unknown). Configurable max checks and timeout |
357
- | `wp_suggest_internal_links` | Semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts |
598
+ All read-only.
358
599
 
359
- Pre-flight linking workflow: `wp_suggest_internal_links` → user validates → `wp_update_post` (never auto-insert).
600
+ | Tool | Description |
601
+ |-------------------------------------|------------------------------------------------------------------------------------|
602
+ | `wc_audit_product_seo` | Product SEO score /100: title, description, slug, image alt, schema presence |
603
+ | `wc_find_abandoned_carts_pattern` | Abandoned cart patterns: hourly/daily trends, top products, revenue loss |
604
+ | `wc_audit_checkout_friction` | Checkout friction score 0-10: guest checkout, required fields, coupon, multi-step |
605
+ | `wc_get_product_performance` | Product metrics with trend comparison: units sold, revenue, refund rate |
606
+ | `wc_audit_stock_alerts` | Out-of-stock and low-stock audit with last sale dates. Includes variations |
607
+ | `wc_find_duplicate_products` | Duplicates by SKU, title/slug Levenshtein similarity. Union-find grouping |
608
+ | `wc_audit_pricing_consistency` | Pricing errors: sale >= regular, zero sale, minimal discounts, expired sales |
360
609
 
361
- ### WooCommerce
610
+ ### WooCommerce Write (3) — New in v3.6
362
611
 
363
- > **New in v3.4.0–v3.6.0** — Full WooCommerce integration with read, intelligence, and write operations.
612
+ All blocked by `WP_READ_ONLY`.
364
613
 
365
- Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` environment variables. Generate API keys at WooCommerce → Settings → Advanced → REST API.
614
+ | Tool | Description |
615
+ |-----------------------|--------------------------------------------------------------------------------------|
616
+ | `wc_update_product` | Update product fields. Subject to `wc_price_guardrail` threshold enforcement |
617
+ | `wc_update_stock` | Update stock quantity of a product or variation |
618
+ | `wc_update_order_status`| Transition order status (e.g., processing → completed) |
366
619
 
367
- | Tool | Description |
368
- |---|---|
369
- | `wc_list_products` | List products with filtering by status, category, search, and sorting by price/popularity |
370
- | `wc_get_product` | Get a product by ID with full details. Includes variations summary for variable products |
371
- | `wc_list_orders` | List orders with filtering by status, customer, and date |
372
- | `wc_get_order` | Get an order by ID with line items, shipping, billing, and payment details |
373
- | `wc_list_customers` | List customers with search and role filtering |
374
- | `wc_get_customer` | Get a customer by ID with full profile, order history summary, and lifetime value |
375
- | `wc_list_coupons` | List coupons with filtering by type, expiry status, and usage |
376
- | `wc_get_coupon` | Get a coupon by ID with full discount rules and usage statistics |
377
- | `wc_sales_report` | Generate sales summary for a date range: revenue, orders, average order value, top products |
378
- | `wc_top_products` | Rank products by revenue, quantity sold, or order count for a given period |
379
- | `wc_price_guardrail` | Analyze a price change for safety (read-only). Returns safe/unsafe based on configurable threshold percentage |
380
- | `wc_update_product` | Update product fields (title, description, price, stock, status). Blocked by `WP_READ_ONLY` and subject to `wc_price_guardrail` thresholds |
381
- | `wc_update_order_status` | Transition order status (e.g., processing → completed). Blocked by `WP_READ_ONLY` |
382
-
383
- All WooCommerce write tools are blocked by `WP_READ_ONLY`. `wc_price_guardrail` is always allowed — it never modifies data.
384
-
385
- ### Operations
620
+ ### Operations (3)
386
621
 
387
- | Tool | Description |
388
- |---|---|
389
- | `wp_set_target` | Switch active WordPress site in multi-target mode |
390
- | `wp_site_info` | Site info, current user, post types, enterprise controls, and available targets |
622
+ | Tool | Description |
623
+ |------------------------|--------------------------------------------------------------------------------------|
624
+ | `wp_set_target` | Switch active WordPress site in multi-target mode |
625
+ | `wp_site_info` | Site info, current user, post types, enterprise controls, tool_categories, plugin_layer |
626
+ | `wp_get_site_options` | Read WordPress site settings (title, tagline, language, timezone) via /wp/v2/settings |
391
627
 
392
628
  ---
393
629
 
394
630
  ## Enterprise Controls
395
631
 
396
- Configure execution policy via environment variables. All restrictions are enforced before any API call is made — including SEO metadata, plugin operations, and WooCommerce writes.
397
-
398
- | Control | Default | Effect |
399
- |---|---|---|
400
- | `WP_READ_ONLY` | `false` | Blocks all write operations (create, update, delete, upload, SEO updates, plugin management, WooCommerce writes) |
401
- | `WP_DRAFT_ONLY` | `false` | Restricts to draft and pending statuses only |
402
- | `WP_DISABLE_DELETE` | `false` | Blocks all delete operations (posts + revisions) |
403
- | `WP_DISABLE_PLUGIN_MANAGEMENT` | `false` | Blocks plugin activate/deactivate (list still allowed) |
404
- | `WP_REQUIRE_APPROVAL` | `false` | Blocks direct publish via `wp_update_post`. Forces draft → pending → publish approval workflow |
405
- | `WP_CONFIRM_DESTRUCTIVE` | `false` | Requires a token confirmation before `wp_delete_post` and `wp_delete_revision` execute |
406
- | `WP_ALLOWED_TYPES` | `all` | Restricts to specific post types (e.g., `post,page`) |
407
- | `WP_ALLOWED_STATUSES` | `all` | Restricts to specific statuses (e.g., `draft,pending`) |
408
- | `WP_MAX_CALLS_PER_MINUTE` | unlimited | Client-side rate limiting |
409
- | `WP_AUDIT_LOG` | `on` | Structured JSON audit trail |
632
+ Configure execution policy via environment variables. All restrictions are enforced before any API call is made.
633
+
634
+ | Control | Default | Effect |
635
+ |--------------------------------|-------------|--------------------------------------------------------------------------------|
636
+ | `WP_READ_ONLY` | `false` | Blocks all write operations |
637
+ | `WP_DRAFT_ONLY` | `false` | Restricts to draft and pending statuses only |
638
+ | `WP_DISABLE_DELETE` | `false` | Blocks all delete operations |
639
+ | `WP_DISABLE_PLUGIN_MANAGEMENT` | `false` | Blocks plugin activate/deactivate (list still allowed) |
640
+ | `WP_REQUIRE_APPROVAL` | `false` | Blocks direct publish. Forces draft → pending → publish workflow |
641
+ | `WP_CONFIRM_DESTRUCTIVE` | `false` | Requires token confirmation before delete operations |
642
+ | `WP_VISUAL_STAGING` | `false` | When true, direct edits to published pages are intercepted. AI must use staging workflow: `wp_create_staging_draft` → edit draft → `wp_merge_staging_to_live` |
643
+ | `WP_VALIDATE_BLOCKS` | `false` | When true, auto-validates Gutenberg block structure on `wp_update_post`/`wp_update_page`. Blocks update if errors found |
644
+ | `WP_ALLOWED_TYPES` | `all` | Restricts to specific post types (e.g., `post,page`) |
645
+ | `WP_ALLOWED_STATUSES` | `all` | Restricts to specific statuses (e.g., `draft,pending`) |
646
+ | `WP_MAX_CALLS_PER_MINUTE` | unlimited | Client-side rate limiting |
647
+ | `WP_AUDIT_LOG` | `on` | Structured JSON audit trail |
648
+ | `WP_COMPACT_JSON` | `true` | Compact JSON output (~30% token reduction). `false` for debugging |
649
+ | `WP_TOOL_CATEGORIES` | _(none)_ | Comma-separated categories to expose. Empty = all 173 tools. Always includes `core`. Categories: content · media · taxonomy · engagement · users · seo · schema · intelligence · editorial · fse · plugins · workflow · links · woocommerce · security · performance · health |
650
+ | `PAGESPEED_API_KEY` | _(none)_ | Google PageSpeed Insights API key. Optional — `wp_audit_page_speed` degrades gracefully |
651
+ | `WPSCAN_API_KEY` | _(none)_ | WPScan vulnerability database API key. Optional — free at wpscan.com/register |
410
652
 
411
653
  ### Destructive confirmation flow
412
654
 
@@ -458,10 +700,108 @@ WC_CONSUMER_KEY=ck_xxx
458
700
  WC_CONSUMER_SECRET=cs_xxx
459
701
  ```
460
702
 
703
+ **Maximum safety** — all governance layers active:
704
+ ```env
705
+ WP_READ_ONLY=false
706
+ WP_REQUIRE_APPROVAL=true
707
+ WP_CONFIRM_DESTRUCTIVE=true
708
+ WP_VISUAL_STAGING=true
709
+ WP_VALIDATE_BLOCKS=true
710
+ ```
711
+
712
+ ### Context optimization profiles
713
+
714
+ Reduce ListTools from ~20k tokens to ~4-9k tokens by loading only the categories you need:
715
+
716
+ ```env
717
+ # SEO Agency — content + SEO focus (~32 tools, ~5k tokens)
718
+ WP_TOOL_CATEGORIES=seo,content,schema,editorial,intelligence
719
+
720
+ # E-commerce — WooCommerce focus (~40 tools, ~7k tokens)
721
+ WP_TOOL_CATEGORIES=woocommerce,seo,performance,content
722
+
723
+ # Content team — writing focus (~30 tools, ~5k tokens)
724
+ WP_TOOL_CATEGORIES=content,editorial,media,engagement,intelligence
725
+
726
+ # DevOps / Security audit (~25 tools, ~4k tokens)
727
+ WP_TOOL_CATEGORIES=security,health,performance,plugins
728
+
729
+ # Developer — FSE + plugins (~40 tools, ~7k tokens)
730
+ WP_TOOL_CATEGORIES=fse,plugins,content,users
731
+
732
+ # Full agency mode — all tools (default)
733
+ # WP_TOOL_CATEGORIES= (empty or unset)
734
+ ```
735
+
461
736
  Blocked actions return a clear error message explaining which control prevented execution, and are logged in the audit trail with status `blocked`.
462
737
 
463
738
  ---
464
739
 
740
+ ## MU-Plugin Companion
741
+
742
+ Some tools require the optional MCP Diagnostics companion mu-plugin to access data not available via the WordPress REST API.
743
+
744
+ ### Installation
745
+ ```bash
746
+ cp companion/mcp-diagnostics.php /path/to/wp-content/mu-plugins/
747
+ ```
748
+
749
+ ### Exposed endpoints
750
+
751
+ **Diagnostics** — require `manage_options`
752
+
753
+ | Endpoint | Method | Description |
754
+ |---------------------------------------------|--------|------------------------------------------|
755
+ | `/mcp-diagnostics/v1/debug-log` | GET | Last N lines of `debug.log` by level |
756
+ | `/mcp-diagnostics/v1/cron-events` | GET | All scheduled WP-Cron events |
757
+ | `/mcp-diagnostics/v1/transients` | GET | Database transients with expiration/size |
758
+ | `/mcp-diagnostics/v1/hooks` | GET | Registered actions and filters |
759
+
760
+ **Security** — require `manage_options`
761
+
762
+ | Endpoint | Method | Description |
763
+ |---------------------------------------------|--------|------------------------------------------|
764
+ | `/mcp-diagnostics/v1/user-activity` | GET | Admin last login timestamps |
765
+ | `/mcp-diagnostics/v1/file-permissions` | GET | Critical file permission checks |
766
+ | `/mcp-diagnostics/v1/modified-files` | GET | Recently modified file listing |
767
+
768
+ **Performance** — requires `manage_options`
769
+
770
+ | Endpoint | Method | Description |
771
+ |---------------------------------------------|--------|------------------------------------------|
772
+ | `/mcp-diagnostics/v1/database-bloat` | GET | Database bloat analysis |
773
+
774
+ **WooCommerce** — requires `manage_options`
775
+
776
+ | Endpoint | Method | Description |
777
+ |---------------------------------------------|--------|------------------------------------------|
778
+ | `/mcp-diagnostics/v1/wc-abandoned-carts` | GET | Abandoned cart data from available sources|
779
+
780
+ **Schema** — requires `edit_posts`
781
+
782
+ | Endpoint | Method | Description |
783
+ |---------------------------------------------|--------|------------------------------------------|
784
+ | `/mcp-diagnostics/v1/schema/{post_id}` | GET | Read `_custom_schema_jsonld` meta |
785
+ | `/mcp-diagnostics/v1/schema/{post_id}` | POST | Write schema meta. Blocked by `WP_READ_ONLY` |
786
+ | `/mcp-diagnostics/v1/schema/{post_id}` | DELETE | Remove schema meta. Blocked by `WP_READ_ONLY` |
787
+
788
+ **Polylang Free** — public (no auth required)
789
+
790
+ | Endpoint | Method | Description |
791
+ |------------------------------------------------------|--------|----------------------------------|
792
+ | `/mcp-diagnostics/v1/polylang/languages` | GET | Polylang languages list |
793
+ | `/mcp-diagnostics/v1/polylang/translations/{post_id}`| GET | Post translations by language |
794
+
795
+ **Users** — requires `manage_options`
796
+
797
+ | Endpoint | Method | Description |
798
+ |---------------------------------------------|--------|------------------------------------------|
799
+ | `/mcp-diagnostics/v1/password-reset` | POST | Trigger password reset email |
800
+
801
+ All endpoints require manage_options capability (Administrator) unless noted. No endpoint modifies data except POST `/schema/{post_id}` and POST `/password-reset` — both blocked when `WP_READ_ONLY=true`.
802
+
803
+ ---
804
+
465
805
  ## SEO Metadata
466
806
 
467
807
  The SEO tools auto-detect which SEO plugin is installed on your WordPress site and use the correct meta fields automatically.
@@ -477,14 +817,14 @@ Supported plugins:
477
817
 
478
818
  `wp_audit_seo` scores each post on a 100-point scale:
479
819
 
480
- | Check | Penalty |
481
- |---|---|
482
- | Missing SEO title | -30 |
483
- | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 |
484
- | Missing meta description | -30 |
820
+ | Check | Penalty |
821
+ |--------------------------------------------------------------|---------|
822
+ | Missing SEO title | -30 |
823
+ | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 |
824
+ | Missing meta description | -30 |
485
825
  | Meta description too short (< 120 chars) or too long (> 160 chars) | -10 |
486
- | Missing focus keyword | -20 |
487
- | Focus keyword not in SEO title | -10 |
826
+ | Missing focus keyword | -20 |
827
+ | Focus keyword not in SEO title | -10 |
488
828
 
489
829
  ### Exposing SEO Meta Fields (Required)
490
830
 
@@ -492,7 +832,7 @@ Most SEO plugins store their data in WordPress post meta fields that are not exp
492
832
 
493
833
  Add the following code to your theme's `functions.php` (Appearance → Theme File Editor → functions.php) or — preferably — create a custom mini-plugin (see below).
494
834
 
495
- > ⚠️ **Important:** When pasting code into `functions.php`, make sure the file starts with exactly `<?php` — no extra characters before it. A stray character (like `<<?php`) will break the WordPress REST API by injecting invalid output before JSON responses, causing `Unexpected token '<'` errors in MCP.
835
+ > **Important:** When pasting code into `functions.php`, make sure the file starts with exactly `<?php` — no extra characters before it. A stray character (like `<<?php`) will break the WordPress REST API by injecting invalid output before JSON responses, causing `Unexpected token '<'` errors in MCP.
496
836
 
497
837
  **RankMath:**
498
838
  ```php
@@ -681,13 +1021,13 @@ If you see your SEO fields in the `meta` object, the configuration is working.
681
1021
 
682
1022
  ### Troubleshooting SEO Fields
683
1023
 
684
- | Symptom | Cause | Fix |
685
- |---|---|---|
686
- | `wp_audit_seo` returns empty SEO data | Meta fields not exposed via REST API | Add `register_post_meta()` code above |
687
- | `Unexpected token '<'` on all MCP calls | Stray character before `<?php` in `functions.php` | Remove any characters before `<?php` |
688
- | SEO fields visible but all null | SEO plugin not yet configured on those posts | Set titles/descriptions in RankMath/Yoast editor |
689
- | No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active |
690
- | Fields lost after theme update | Code was in `functions.php` | Use the MCP SEO Bridge plugin instead |
1024
+ | Symptom | Cause | Fix |
1025
+ |--------------------------------------|------------------------------------------|-------------------------------------------------|
1026
+ | `wp_audit_seo` returns empty SEO data | Meta fields not exposed via REST API | Add `register_post_meta()` code above |
1027
+ | `Unexpected token '<'` on all calls | Stray character before `<?php` | Remove any characters before `<?php` |
1028
+ | SEO fields visible but all null | SEO plugin not yet configured on posts | Set titles/descriptions in RankMath/Yoast editor|
1029
+ | No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active |
1030
+ | Fields lost after theme update | Code was in `functions.php` | Use the MCP SEO Bridge plugin instead |
691
1031
 
692
1032
  ---
693
1033
 
@@ -716,49 +1056,74 @@ WC_PRICE_GUARDRAIL_THRESHOLD=20 # percentage — changes above this require ex
716
1056
 
717
1057
  ## Testing
718
1058
 
719
- 713 unit tests covering all 85 tools — zero network calls, fully mocked.
1059
+ 57 test files · 1061 unit tests covering all 173 tools — zero network calls, fully mocked.
1060
+
720
1061
  ```bash
721
1062
  npm test # run all tests (vitest)
722
1063
  npm run test:watch # watch mode
723
1064
  npm run test:coverage # coverage report
724
1065
  ```
725
1066
 
726
- | Test file | Scope | Tests |
727
- |---|---|---|
728
- | `governance.test.js` | All governance flags + combinations including `WP_REQUIRE_APPROVAL` and `WP_CONFIRM_DESTRUCTIVE` | 30 |
729
- | `posts.test.js` | list, get, create, update, delete, search | 18 |
730
- | `pages.test.js` | list, get, create, update | 12 |
731
- | `media.test.js` | list, get, upload | 14 |
732
- | `taxonomies.test.js` | categories, tags, create term | 16 |
733
- | `comments.test.js` | list, create | 12 |
734
- | `users.test.js` | list | 7 |
735
- | `search.test.js` | search, post types, custom posts | 10 |
736
- | `seo.test.js` | get, update, audit | 12 |
737
- | `plugins.test.js` | list, activate, deactivate | 16 |
738
- | `themes.test.js` | list, get | 8 |
739
- | `revisions.test.js` | list, get, restore, delete | 17 |
740
- | `editorial.test.js` | submit_for_review, approve, reject | 15 |
741
- | `links.test.js` | analyze_links, suggest_internal_links | 16 |
742
- | `woocommerce.test.js` | products, orders, customers, coupons, reports, write, guardrail | 40 |
743
- | `auditMediaSeo.test.js` | media alt text audit, filename scoring | 12 |
744
- | `findOrphanPages.test.js` | inbound link detection, exclusion list | 10 |
745
- | `auditHeadingStructure.test.js` | H1/H2/H3 hierarchy, level skips, keyword detection | 12 |
746
- | `findThinContent.test.js` | word count threshold, heading density | 10 |
747
- | `auditCanonicals.test.js` | canonical validation, mismatch detection, multi-plugin | 12 |
748
- | `analyzeEeatSignals.test.js` | E-E-A-T scoring, author bio, citations, structured data | 12 |
749
- | `findBrokenInternalLinks.test.js` | HEAD request batching, 4xx/3xx detection | 12 |
750
- | `findKeywordCannibalization.test.js` | focus keyword conflicts, multi-plugin detection | 10 |
751
- | `auditTaxonomies.test.js` | Levenshtein duplicates, unused terms, over-tagging | 12 |
752
- | `auditOutboundLinks.test.js` | external link profile, nofollow detection | 10 |
753
- | `contentAnalyzer.test.js` | readability, TF-IDF, cosine similarity, entities, text diff | 44 |
754
- | `contentIntelligence.test.js` | 16 content intelligence tools: brief, outline, readability, update frequency, link map, anchor texts, schema, structure, duplicates, gaps, FAQ, CTA, entities, velocity, revisions diff, word count | 125 |
755
- | `site.test.js` | site info, set target | 5 |
756
- | `transport/http.test.js` | HTTP transport, Bearer auth, sessions | 10 |
757
- | `pluginDetector.test.js` | SEO plugin detection, rendered head, HTML head parsing | 13 |
758
- | `pluginIntelligence.test.js` | 6 plugin intelligence tools: rendered head, rendered SEO audit, pillar content, schema plugins, SEO score, Twitter meta | 48 |
759
- | `dxt/manifest.test.js` | MCPB manifest validation, 85 tools declared | 10 |
760
- | `dynamicFiltering.test.js` | WooCommerce/editorial/plugin-intelligence filtering, combined counts, callable when filtered | 9 |
761
- | `outputCompression.test.js` | mode=full/summary/ids_only for 10 listing tools (pages, media, comments, categories, tags, users, custom posts, plugins, themes, revisions) | 30 |
1067
+ | Test file | Scope | Tests |
1068
+ |----------------------------------|------------------------------------------------------------------------------------------------|-------|
1069
+ | `governance.test.js` | All governance flags + combinations including `WP_REQUIRE_APPROVAL` and `WP_CONFIRM_DESTRUCTIVE` | 30 |
1070
+ | `posts.test.js` | list, get, create, update, delete, search | 18 |
1071
+ | `pages.test.js` | list, get, create, update | 12 |
1072
+ | `media.test.js` | list, get, upload | 14 |
1073
+ | `taxonomies.test.js` | categories, tags, create term | 16 |
1074
+ | `comments.test.js` | list, create | 12 |
1075
+ | `users.test.js` | list | 7 |
1076
+ | `users.crud.test.js` | get, create, update, delete, roles, capabilities, password reset, app passwords | — |
1077
+ | `search.test.js` | search, post types, custom posts | 10 |
1078
+ | `seo.test.js` | get, update, audit | 12 |
1079
+ | `plugins.test.js` | list, activate, deactivate | 16 |
1080
+ | `themes.test.js` | list, get | 8 |
1081
+ | `revisions.test.js` | list, get, restore, delete | 17 |
1082
+ | `editorial.test.js` | submit_for_review, approve, reject | 15 |
1083
+ | `links.test.js` | analyze_links, suggest_internal_links | 16 |
1084
+ | `woocommerce.test.js` | products, orders, customers, write, guardrail | 40 |
1085
+ | `woocommerce.advanced.test.js` | product SEO, abandoned carts, checkout friction, performance, stock, duplicates, pricing | 37 |
1086
+ | `auditMediaSeo.test.js` | media alt text audit, filename scoring | 12 |
1087
+ | `findOrphanPages.test.js` | inbound link detection, exclusion list | 10 |
1088
+ | `auditHeadingStructure.test.js` | H1/H2/H3 hierarchy, level skips, keyword detection | 12 |
1089
+ | `findThinContent.test.js` | word count threshold, heading density | 10 |
1090
+ | `auditCanonicals.test.js` | canonical validation, mismatch detection, multi-plugin | 12 |
1091
+ | `analyzeEeatSignals.test.js` | E-E-A-T scoring, author bio, citations, structured data | 12 |
1092
+ | `findBrokenInternalLinks.test.js`| HEAD request batching, 4xx/3xx detection | 12 |
1093
+ | `findKeywordCannibalization.test.js` | focus keyword conflicts, multi-plugin detection | 10 |
1094
+ | `auditTaxonomies.test.js` | Levenshtein duplicates, unused terms, over-tagging | 12 |
1095
+ | `auditOutboundLinks.test.js` | external link profile, nofollow detection | 10 |
1096
+ | `contentAnalyzer.test.js` | readability, TF-IDF, cosine similarity, entities, text diff | 44 |
1097
+ | `contentIntelligence.test.js` | 16 content intelligence tools | 125 |
1098
+ | `pluginIntelligence.test.js` | 6 plugin intelligence tools | 48 |
1099
+ | `editorialIntelligence.test.js` | 6 editorial intelligence tools | 37 |
1100
+ | `fse.test.js` | FSE templates, template parts, global styles, patterns, navigation, widgets | |
1101
+ | `diagnostics.test.js` | Site health, debug log, cron, transients, PHP compat, hooks | |
1102
+ | `performance.test.js` | Page speed, render blocking, image optimization, caching, database bloat, plugin impact | |
1103
+ | `schema.test.js` | Schema generation, injection, live validation | — |
1104
+ | `multilingual.test.js` | Plugin detection, languages, translations, coverage, SEO translations | — |
1105
+ | `security.test.js` | User security, file permissions, modified files, vulnerabilities, SSL, login security | 37 |
1106
+ | `dynamicFiltering.test.js` | WooCommerce/editorial/plugin-intelligence/category filtering, combined counts | 19 |
1107
+ | `outputCompression.test.js` | mode=full/summary/ids_only for 10 listing tools | 30 |
1108
+ | `site.test.js` | site info, set target | 5 |
1109
+ | `siteOptions.test.js` | wp_get_site_options: all options, key filtering, 403, audit log | 5 |
1110
+ | `destructive.test.js` | Destructive confirmation flow | 12 |
1111
+ | `helpers/pagination.test.js` | buildPaginationMeta: total_pages, has_more, next_page | 5 |
1112
+ | `transport/http.test.js` | HTTP transport, Bearer auth, sessions | 10 |
1113
+ | `pluginDetector.test.js` | SEO plugin detection, rendered head, HTML head parsing | 13 |
1114
+ | `dxt/manifest.test.js` | MCPB manifest validation | 10 |
1115
+ | `contentCompressor.test.js` | Content compression and field filtering | — |
1116
+ | `plugins/registry.test.js` | PluginRegistry: ACF/Elementor detection, WP_DISABLE_PLUGIN_LAYERS | 6 |
1117
+ | `plugins/contextGuard.test.js` | applyContextGuard: threshold, truncation, raw bypass | 4 |
1118
+ | `plugins/iPluginAdapter.test.js` | validateAdapter: complete adapter, missing fields | 3 |
1119
+ | `plugins/acf/acfAdapter.test.js` | ACF read tools: fields, filter, contextGuard, groups | 10 |
1120
+ | `plugins/acf/acfAdapter.write.test.js` | ACF write: update fields, WP_READ_ONLY blocking | 8 |
1121
+ | `plugins/elementor/elementorAdapter.test.js` | Elementor: templates, page data, contextGuard | 10 |
1122
+ | `pluginLayer.test.js` | Plugin Layer integration: listTools, callTool routing | 8 |
1123
+ | `perTargetControls.test.js` | Per-target governance controls | — |
1124
+ | `approval.test.js` | Approval workflow integration | — |
1125
+ | `woocommerceIntelligence.test.js` | WooCommerce intelligence tools | — |
1126
+ | `woocommerceWrite.test.js` | WooCommerce write tools | — |
762
1127
 
763
1128
  Each test verifies: success response shape, governance blocking (write tools), HTTP error handling (403/404), and audit log entries.
764
1129
 
@@ -767,9 +1132,10 @@ Each test verifies: success response shape, governance blocking (write tools), H
767
1132
  ## Structured Audit Log
768
1133
 
769
1134
  Every tool invocation is recorded as a JSON event on stderr — ready for ingestion into Datadog, Splunk, CloudWatch, Langfuse, ELK, or any JSON-compatible pipeline.
1135
+
770
1136
  ```json
771
1137
  {
772
- "timestamp": "2026-02-19T18:42:00.000Z",
1138
+ "timestamp": "2026-03-11T10:42:00.000Z",
773
1139
  "tool": "wp_create_post",
774
1140
  "target": 1234,
775
1141
  "target_type": "post",
@@ -782,20 +1148,20 @@ Every tool invocation is recorded as a JSON event on stderr — ready for ingest
782
1148
  }
783
1149
  ```
784
1150
 
785
- 79 instrumentation points across all tools. Three status types: `success`, `error`, `blocked`.
786
-
787
- | Field | Description |
788
- |---|---|
789
- | `timestamp` | ISO 8601 |
790
- | `tool` | Tool name invoked |
791
- | `target` | Resource ID when applicable |
792
- | `target_type` | Resource type (post, page, media, comment, category, tag, plugin, theme, revision, product, order, customer, coupon) |
793
- | `action` | Operation: list, read, create, update, trash, permanent_delete, upload, search, switch_target, read_seo, update_seo, audit_seo, activate, deactivate, restore, submit_review, approve, reject, analyze_links, suggest_links, guardrail, audit_media_seo, find_orphans, audit_headings, find_thin_content, audit_canonicals, analyze_eeat, find_broken_links, find_cannibalization, audit_taxonomies, audit_outbound_links, content_brief, extract_outline, audit_readability, audit_update_frequency, build_link_map, audit_anchor_texts, audit_schema, audit_content_structure, find_duplicates, find_content_gaps, extract_faq, audit_cta, extract_entities, publishing_velocity, compare_revisions, list_by_word_count |
794
- | `status` | `success`, `error`, or `blocked` |
795
- | `latency_ms` | Execution time |
796
- | `site` | Active target name |
797
- | `params` | Sanitized parameters (content fields truncated) |
798
- | `error` | Error detail or null |
1151
+ 79+ instrumentation points across all tools. Three status types: `success`, `error`, `blocked`.
1152
+
1153
+ | Field | Description |
1154
+ |---------------|------------------------------------------|
1155
+ | `timestamp` | ISO 8601 |
1156
+ | `tool` | Tool name invoked |
1157
+ | `target` | Resource ID when applicable |
1158
+ | `target_type` | Resource type |
1159
+ | `action` | Operation performed |
1160
+ | `status` | `success`, `error`, or `blocked` |
1161
+ | `latency_ms` | Execution time |
1162
+ | `site` | Active target name |
1163
+ | `params` | Sanitized parameters (content truncated) |
1164
+ | `error` | Error detail or null |
799
1165
 
800
1166
  ---
801
1167
 
@@ -840,11 +1206,11 @@ Switch targets during a session with `wp_set_target`. All available sites and th
840
1206
 
841
1207
  The server performs a health check on startup: REST API connectivity, user authentication, and role verification. During operation: automatic retry with exponential backoff (configurable, default 3 attempts), request timeout (default 30s), rate limit handling (respects 429 + retry-after), and contextual error messages with diagnosis guidance.
842
1208
 
843
- | Setting | Default | Description |
844
- |---|---|---|
845
- | `WP_MCP_VERBOSE` | `false` | Debug-level logging |
846
- | `WP_MCP_TIMEOUT` | `30000` | Request timeout (ms) |
847
- | `WP_MCP_MAX_RETRIES` | `3` | Max retry attempts |
1209
+ | Setting | Default | Description |
1210
+ |----------------------|---------|----------------------------|
1211
+ | `WP_MCP_VERBOSE` | `false` | Debug-level logging |
1212
+ | `WP_MCP_TIMEOUT` | `30000` | Request timeout (ms) |
1213
+ | `WP_MCP_MAX_RETRIES` | `3` | Max retry attempts |
848
1214
 
849
1215
  ---
850
1216
 
@@ -855,7 +1221,7 @@ The server performs a health check on startup: REST API connectivity, user authe
855
1221
  - Credentials never logged — audit trail sanitizes all sensitive data
856
1222
  - No credentials in code — `.env` or environment variables only
857
1223
  - Instant revocation — Application Passwords can be revoked from WordPress admin
858
- - Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.4.0`
1224
+ - Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.14.0`
859
1225
  - Bearer token auth in HTTP mode — timing-safe comparison, no token in logs
860
1226
  - Origin validation in HTTP mode — anti-DNS-rebinding protection
861
1227
 
@@ -863,33 +1229,39 @@ The server performs a health check on startup: REST API connectivity, user authe
863
1229
 
864
1230
  ## Troubleshooting
865
1231
 
866
- | Issue | Solution |
867
- |---|---|
868
- | `401 Unauthorized` | Verify username and Application Password |
869
- | `403 Forbidden` | Check WordPress user role and capabilities |
870
- | `404 Not Found` | Verify `WP_API_URL` and REST API availability |
871
- | `Unexpected token '<'` | Stray character before `<?php` in `functions.php` — see SEO Troubleshooting |
872
- | `Blocked: READ-ONLY mode` | Disable `WP_READ_ONLY` to allow writes |
873
- | `Blocked: DRAFT-ONLY mode` | Only draft/pending allowed. Check `WP_DRAFT_ONLY` |
874
- | `Blocked: PLUGIN MANAGEMENT` | Disable `WP_DISABLE_PLUGIN_MANAGEMENT` to allow activate/deactivate |
875
- | `Blocked: APPROVAL REQUIRED` | `WP_REQUIRE_APPROVAL=true` — use `wp_submit_for_review` then `wp_approve_post` |
876
- | Confirmation token required | `WP_CONFIRM_DESTRUCTIVE=true` — pass the returned token on a second call within 60s |
877
- | `401 Unauthorized (HTTP mode)` | Set `MCP_AUTH_TOKEN` and pass `Authorization: Bearer <token>` |
878
- | `403 Forbidden (HTTP mode)` | Check `MCP_ALLOWED_ORIGINS` includes your client origin |
879
- | WooCommerce 401 | Verify `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` |
880
- | WooCommerce 403 | API key needs Read/Write permissions for write tools |
881
- | Rate limit exceeded | Adjust `WP_MAX_CALLS_PER_MINUTE` |
882
- | Timeout | Increase `WP_MCP_TIMEOUT` or check server |
883
- | Site not found | Verify site key in `WP_TARGETS_JSON` or file |
884
- | No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO |
885
- | SEO meta fields empty | Add `register_post_meta()` code or install MCP SEO Bridge plugin — see Exposing SEO Meta Fields |
886
- | `wp_find_broken_internal_links` slow | Reduce `batchSize` parameter or increase `timeoutMs` |
887
- | `wp_audit_outbound_links` empty | External HEAD requests blocked by your server firewall |
888
- | Server not starting | Check Node.js 18+ is installed: `node --version` |
1232
+ | Issue | Solution |
1233
+ |------------------------------------------|---------------------------------------------------------------------------------------|
1234
+ | `401 Unauthorized` | Verify username and Application Password |
1235
+ | `403 Forbidden` | Check WordPress user role and capabilities |
1236
+ | `404 Not Found` | Verify `WP_API_URL` and REST API availability |
1237
+ | `Unexpected token '<'` | Stray character before `<?php` in `functions.php` — see SEO Troubleshooting |
1238
+ | `Blocked: READ-ONLY mode` | Disable `WP_READ_ONLY` to allow writes |
1239
+ | `Blocked: DRAFT-ONLY mode` | Only draft/pending allowed. Check `WP_DRAFT_ONLY` |
1240
+ | `Blocked: PLUGIN MANAGEMENT` | Disable `WP_DISABLE_PLUGIN_MANAGEMENT` to allow activate/deactivate |
1241
+ | `Blocked: APPROVAL REQUIRED` | Use `wp_submit_for_review` then `wp_approve_post` |
1242
+ | Confirmation token required | `WP_CONFIRM_DESTRUCTIVE=true` — pass returned token within 60s |
1243
+ | `401 Unauthorized (HTTP mode)` | Set `MCP_AUTH_TOKEN` and pass `Authorization: Bearer <token>` |
1244
+ | `403 Forbidden (HTTP mode)` | Check `MCP_ALLOWED_ORIGINS` includes your client origin |
1245
+ | WooCommerce 401 | Verify `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` |
1246
+ | WooCommerce 403 | API key needs Read/Write permissions for write tools |
1247
+ | Rate limit exceeded | Adjust `WP_MAX_CALLS_PER_MINUTE` |
1248
+ | Timeout | Increase `WP_MCP_TIMEOUT` or check server |
1249
+ | Site not found | Verify site key in `WP_TARGETS_JSON` or file |
1250
+ | No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO |
1251
+ | SEO meta fields empty | Add `register_post_meta()` code or install MCP SEO Bridge plugin |
1252
+ | `PAGESPEED_API_KEY` missing | `wp_audit_page_speed` returns partial data. Add key to .env |
1253
+ | `WPSCAN_API_KEY` missing | `wp_audit_plugin_vulnerabilities` lists plugins without CVEs. Set key for full scan |
1254
+ | mu-plugin not installed | Debug log / file permissions / abandoned carts return error. Copy `companion/mcp-diagnostics.php` to `mu-plugins/` |
1255
+ | No multilingual plugin | `wp_list_languages` returns site default only. Install WPML, Polylang, or TranslatePress |
1256
+ | `WP_TOOL_CATEGORIES` unknown category | Only core tools exposed. Check category names in README |
1257
+ | Schema not rendering in `<head>` | `wp_inject_schema` succeeded but schema not in output. Install mu-plugin companion |
1258
+ | `wp_find_broken_internal_links` slow | Reduce `batchSize` parameter or increase `timeoutMs` |
1259
+ | Server not starting | Check Node.js 18+ is installed: `node --version` |
889
1260
 
890
1261
  ---
891
1262
 
892
1263
  ## Development
1264
+
893
1265
  ```bash
894
1266
  # Clone the repository
895
1267
  git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
@@ -928,204 +1300,242 @@ npx @modelcontextprotocol/inspector node index.js
928
1300
 
929
1301
  ## Changelog
930
1302
 
931
- ### v4.5.1 (2026-02-21) — Context Optimization
1303
+ ### v5.1.0 (2026-03-11) — Workflow Orchestrator
1304
+
1305
+ - `wp_run_workflow`: execute named or custom tool sequences in a single call
1306
+ - 4 built-in workflows: seo_audit_and_stage, site_health_report, content_publish_safe, wc_product_audit
1307
+ - Template variables: {{key}} resolved from context
1308
+ - dry_run mode: preview execution plan before running
1309
+ - stop_on_error control: abort or continue on step failure
1310
+ - 175 tools · ~1101 Vitest tests
1311
+
1312
+ ### v5.0.0 (2026-03-11) — Modular Architecture
1313
+
1314
+ - Refactored monolithic index.js (~9000 lines) into 18 tool modules + 4 shared modules
1315
+ - Zero functional changes — all 180 tools and 1093 tests unchanged
1316
+ - New structure: `src/tools/*.js` (18 category modules) + `src/shared/*.js` (context, utils, governance, api) + `src/plugins/registry.js`
1317
+ - `handleToolCall` reduced from ~8000-line switch/case to modular dispatch (~40 lines)
1318
+ - Foundation for `wp_run_workflow` (v5.1.0)
1319
+
1320
+ ### v4.20.0 (2026-03-11) — Block Validation
1321
+
1322
+ - `wp_validate_block_structure`: validate Gutenberg block HTML (unclosed blocks, malformed JSON, invalid nesting, deprecated blocks)
1323
+ - `WP_VALIDATE_BLOCKS`: optional guard on `wp_update_post`/`wp_update_page` — blocks save if invalid structure
1324
+ - 180 tools · ~1093 Vitest tests
1325
+
1326
+ ### v4.19.0 (2026-03-11) — Bulk Update
1327
+
1328
+ - `wp_bulk_update`: bulk update content across multiple posts/pages with dry-run safety
1329
+ - Supports: `replace_text`, `update_meta`, `update_status`, `append_content` operations
1330
+ - Two-step safety: `dry_run=true` (default) → preview, then `confirm=true` to execute
1331
+ - Batch processing with configurable `batch_size` and `limit` (max 500)
1332
+ - 179 tools · ~1084 Vitest tests
1333
+
1334
+ ### v4.15.0 (2026-03-11) — Visual Staging (5 tools)
1335
+
1336
+ - `wp_create_staging_draft`: clone live page to shadow draft
1337
+ - `wp_list_staging_drafts`: list all pending staging drafts
1338
+ - `wp_get_staging_preview_url`: native WordPress preview URL
1339
+ - `wp_merge_staging_to_live`: merge validated draft to production
1340
+ - `wp_discard_staging_draft`: discard without touching live page
1341
+ - `WP_VISUAL_STAGING`: automatic interception on `wp_update_post`/`wp_update_page`
1342
+ - Completes the enterprise governance triad
1343
+ - 178 tools · ~1076 Vitest tests
1344
+
1345
+ ### v4.14.0 (2026-03-11) — Editorial Intelligence Advanced
1346
+
1347
+ 6 new editorial analysis tools for content-driven teams. All read-only, batch-optimized up to 500 posts.
1348
+
1349
+ - `wp_suggest_content_updates` — stale content detection with outdated date references
1350
+ - `wp_audit_author_consistency` — author profiling with deviation analysis
1351
+ - `wp_build_editorial_calendar` — seasonality, best publishing days, gap detection
1352
+ - `wp_find_pillar_content_gaps` — topics with 3+ posts without pillar page
1353
+ - `wp_audit_internal_link_equity` — link graph with orphan/over-linked detection
1354
+ - `wp_suggest_content_cluster` — TF-IDF cosine similarity clustering
1355
+ - 1061 Vitest unit tests · 173 tools
1356
+
1357
+ ### v4.12.0 — WooCommerce Advanced Intelligence
1358
+
1359
+ 7 new WooCommerce analytics tools for agencies. All read-only.
1360
+
1361
+ - `wc_audit_product_seo` — product SEO scoring /100
1362
+ - `wc_find_abandoned_carts_pattern` — abandoned cart analysis (3 data source adapters)
1363
+ - `wc_audit_checkout_friction` — checkout friction scoring 0-10
1364
+ - `wc_get_product_performance` — product metrics with period comparison
1365
+ - `wc_audit_stock_alerts` — out-of-stock audit with variation support
1366
+ - `wc_find_duplicate_products` — duplicate detection by SKU and Levenshtein similarity
1367
+ - `wc_audit_pricing_consistency` — pricing error detection
1368
+
1369
+ ### v4.11.0 — Security Audit
1370
+
1371
+ 6 new security audit tools. All read-only.
1372
+
1373
+ - `wp_audit_user_security` — admin account risk assessment
1374
+ - `wp_check_file_permissions` — critical file permission checks
1375
+ - `wp_list_recently_modified_files` — suspicious file modification detection
1376
+ - `wp_audit_plugin_vulnerabilities` — WPScan CVE scanning
1377
+ - `wp_check_ssl_certificate` — TLS and security header grading
1378
+ - `wp_audit_login_security` — login security scoring /100
1379
+
1380
+ ### v4.10.0 — Multilingual Intelligence EU
1381
+
1382
+ 6 new multilingual tools. WPML, Polylang Pro, Polylang Free, TranslatePress.
1383
+
1384
+ - `wp_detect_multilingual_plugin` — auto-detection with priority fallback
1385
+ - `wp_list_languages` — language listing with post counts
1386
+ - `wp_get_post_translations` — translation mapping across all plugins
1387
+ - `wp_audit_translation_coverage` — coverage percentages and missing counts
1388
+ - `wp_find_missing_seo_translations` — SEO metadata gaps in translations
1389
+ - `wp_sync_seo_meta_translations` — cross-language SEO meta sync (dry_run default)
1390
+
1391
+ ### v4.9.0 — Schema.org Intelligence
1392
+
1393
+ 7 new schema tools: generation + injection + validation.
1394
+
1395
+ - `wp_generate_schema_article/faq/howto/localbusiness/breadcrumb` — 5 schema generators
1396
+ - `wp_inject_schema` — JSON-LD injection with dry_run support
1397
+ - `wp_validate_schema_live` — live URL validation against Google requirements
1398
+
1399
+ ### v4.8.0 — Performance & Core Web Vitals
1400
+
1401
+ 6 new performance tools + complete user management (10 tools).
1402
+
1403
+ - `wp_audit_page_speed` — Google PageSpeed Insights integration
1404
+ - `wp_find_render_blocking_resources` — render-blocking detection
1405
+ - `wp_audit_image_optimization` — media optimization audit
1406
+ - `wp_check_caching_status` — caching plugin detection
1407
+ - `wp_audit_database_bloat` — database health analysis
1408
+ - `wp_get_plugin_performance_impact` — plugin performance ranking
1409
+ - User CRUD: `wp_get_user`, `wp_create_user`, `wp_update_user`, `wp_delete_user`
1410
+ - User security: `wp_list_user_roles`, `wp_get_user_capabilities`, `wp_reset_user_password`, `wp_list_user_application_passwords`, `wp_revoke_application_password`
1411
+
1412
+ ### v4.7.0 — Site Health & Diagnostics + FSE
1413
+
1414
+ 26 FSE tools + 8 diagnostics tools + companion mu-plugin.
1415
+
1416
+ - Full Site Editing: templates, template parts, global styles, block patterns, navigation menus, widgets
1417
+ - Site Health: status, issues, system info
1418
+ - Diagnostics: debug log, cron events, transients, PHP compatibility, active hooks
1419
+ - `companion/mcp-diagnostics.php` — mu-plugin for data not available via REST API
1420
+
1421
+ ### v4.6.0 — Plugin Intelligence Layer
1422
+
1423
+ Extensible adapter architecture for third-party plugins.
932
1424
 
933
- LLM context reduction across all 85 tools — zero breaking changes.
1425
+ - `src/plugins/registry.js` PluginRegistry with REST namespace discovery
1426
+ - ACF adapter: `acf_get_fields`, `acf_list_field_groups`, `acf_get_field_group`, `acf_update_fields`
1427
+ - Elementor adapter: `elementor_list_templates`, `elementor_get_template`, `elementor_get_page_data`
1428
+ - `wp_site_info` reports `plugin_layer` (detected plugins, tools count)
934
1429
 
935
- **Dynamic filtering:**
936
- - `getFilteredTools()` hides WooCommerce (13), editorial (3), and plugin intelligence (6) tools when their env vars are absent
937
- - `listTools` returns only exposed tools; `callTool` still handles all 85
938
- - `wp_site_info` now reports `tools_total`, `tools_exposed`, `filtered_out`
1430
+ ### v4.5.1 — Context Optimization
939
1431
 
940
- **LLM-optimized descriptions:**
941
- - All 85 tool descriptions rewritten: `"Use when [TRIGGER]. [ACTION]. [Read-only | Write — blocked by X]. [Hint: optional]"`
1432
+ LLM context reduction across all tools — zero breaking changes.
942
1433
 
943
- **Schema compact:**
944
- - Redundant `description` fields removed from `inputSchema` properties (id, per_page, page, status with enum, search, force, post_type with enum, etc.)
1434
+ - `WP_COMPACT_JSON` — compact JSON output (~30% token reduction)
1435
+ - `WP_TOOL_CATEGORIES` category-based tool filtering (18 categories)
1436
+ - Pagination `has_more` metadata on 10 listing tools
1437
+ - 53 property descriptions trimmed (~446 tokens saved)
1438
+ - `getFilteredTools()` — dynamic tool filtering by env vars
945
1439
 
946
- **Output compression (`mode` parameter):**
947
- - 10 listing tools gain `mode` param: `full` (default), `summary` (key fields only), `ids_only` (flat array)
948
- - wp_list_pages, wp_list_media, wp_list_comments, wp_list_categories, wp_list_tags, wp_list_users, wp_list_custom_posts, wp_list_plugins, wp_list_themes, wp_list_revisions
1440
+ ### v4.5.0 — Plugin Intelligence (RankMath + Yoast)
949
1441
 
950
- 713 Vitest unit tests · 85 tools
1442
+ 6 new tools exploiting native SEO plugin API endpoints.
951
1443
 
952
- ### v4.5.0 (2026-02-21) Plugin Intelligence (RankMath + Yoast)
1444
+ - `wp_get_rendered_head`rendered `<head>` fetching via RankMath/Yoast
1445
+ - `wp_audit_rendered_seo` — bulk rendered vs stored SEO comparison
1446
+ - `wp_get_pillar_content` — RankMath cornerstone flag
1447
+ - `wp_audit_schema_plugins` — JSON-LD validation from plugin fields
1448
+ - `wp_get_seo_score` — RankMath native SEO score
1449
+ - `wp_get_twitter_meta` — Twitter Card meta management
953
1450
 
954
- 6 new tools exploiting native RankMath and Yoast SEO API endpoints for rendered head analysis, schema validation, and social meta management.
1451
+ ### v4.4.0 Content Intelligence
955
1452
 
956
- **New shared module:**
957
- - `src/pluginDetector.js` — SEO plugin auto-detection via REST API namespace discovery (cached), rendered head fetching, HTML head parsing
1453
+ 16 new read-only analysis tools.
958
1454
 
959
- **Rendered SEO Analysis:**
960
- - `wp_get_rendered_head` fetch the real `<head>` HTML via RankMath `/rankmath/v1/getHead` or Yoast `/yoast/v1/get_head` endpoints, compare rendered vs stored meta
961
- - `wp_audit_rendered_seo` bulk audit rendered vs stored SEO meta divergences with per-post scoring (title/description/canonical/robots/schema mismatches)
1455
+ - `src/contentAnalyzer.js` — shared engine: readability, TF-IDF, cosine similarity, entity extraction
1456
+ - Editorial: content brief, outline, readability, update frequency, link map, anchor texts
1457
+ - Technical: schema markup, content structure, duplicate detection, content gaps
1458
+ - Advanced: FAQ extraction, CTA detection, entity extraction, publishing velocity, revision diff, word count
962
1459
 
963
- **Plugin-Native Features:**
964
- - `wp_get_pillar_content` — read/write RankMath `rank_math_pillar_content` cornerstone flag. Write mode blocked by `WP_READ_ONLY`
965
- - `wp_audit_schema_plugins` — validate JSON-LD schemas from plugin native fields (`rank_math_schema` or Yoast `yoast_head_json`). Checks required fields per @type
966
- - `wp_get_seo_score` — read RankMath native SEO score (0-100) with bulk mode distribution stats
967
- - `wp_get_twitter_meta` — read/write Twitter Card meta (title, description, image) for RankMath, Yoast, and SEOPress. Write mode blocked by `WP_READ_ONLY`
1460
+ ### v4.2.0 — SEO Audit Suite (Sprint 3)
968
1461
 
969
- 674 Vitest unit tests · 85 tools
1462
+ - `wp_find_broken_internal_links`, `wp_find_keyword_cannibalization`, `wp_audit_taxonomies`, `wp_audit_outbound_links`
970
1463
 
971
- ### v4.4.0 (2026-02-21) Content Intelligence
1464
+ ### v4.1.0 — SEO Audit Suite (Sprint 2)
972
1465
 
973
- 16 new read-only analysis tools for deep content intelligence without any WordPress plugin.
1466
+ - `wp_find_thin_content`, `wp_audit_canonicals`, `wp_analyze_eeat_signals`
974
1467
 
975
- **Foundations:**
976
- - `src/contentAnalyzer.js` — shared analysis engine: readability (Flesch-Kincaid FR), TF-IDF, cosine similarity, entity extraction, text diff, content structure detection
977
- - `wp_get_content_brief` — editorial brief aggregator (SEO + structure + links in 1 call)
978
- - `wp_extract_post_outline` — H1-H6 outline extraction with category-level pattern analysis
1468
+ ### v4.0.0 — SEO Audit Suite (Sprint 1)
979
1469
 
980
- **SEO Advanced:**
981
- - `wp_audit_readability` — bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis
982
- - `wp_audit_update_frequency` — outdated content detection cross-referenced with SEO scores
983
- - `wp_build_link_map` — internal link matrix with simplified PageRank scoring (0-100)
1470
+ - `wp_audit_media_seo`, `wp_find_orphan_pages`, `wp_audit_heading_structure`
984
1471
 
985
- **Technical Quality:**
986
- - `wp_audit_anchor_texts` — anchor text diversity audit: generic, over-optimized, image link detection
987
- - `wp_audit_schema_markup` — JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness)
988
- - `wp_audit_content_structure` — editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images
1472
+ ### v3.6.0 — WooCommerce Write
989
1473
 
990
- **Intelligence Advanced:**
991
- - `wp_find_duplicate_content` — TF-IDF cosine similarity for near-duplicate detection with union-find clustering
992
- - `wp_find_content_gaps` — taxonomy under-representation analysis (categories + tags)
993
- - `wp_extract_faq_blocks` — FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns
994
- - `wp_audit_cta_presence` — CTA detection (6 types) with scoring 0-100
995
- - `wp_extract_entities` — regex/heuristic named entity extraction (brands, locations, persons, organizations)
996
- - `wp_get_publishing_velocity` — publication cadence by author/category with trend detection
997
- - `wp_compare_revisions_diff` — textual diff between revisions with amplitude scoring
998
- - `wp_list_posts_by_word_count` — posts sorted by length with 6-tier segmentation
1474
+ - `wc_update_product`, `wc_update_stock`, `wc_update_order_status`
1475
+ - `WC_PRICE_GUARDRAIL_THRESHOLD` — configurable price change safety
999
1476
 
1000
- All Content Intelligence tools are read-only and always allowed regardless of governance flags.
1477
+ ### v3.5.0 WooCommerce Intelligence
1001
1478
 
1002
- 613 Vitest unit tests · 79 tools
1479
+ - `wc_inventory_alert`, `wc_order_intelligence`, `wc_seo_product_audit`, `wc_suggest_product_links`
1003
1480
 
1004
- ### v4.2.0 (2026-02-19) SEO Audit Suite (Sprint 3)
1481
+ ### v3.4.0 — WooCommerce Core
1005
1482
 
1006
- - `wp_find_broken_internal_links` HEAD request link checker with configurable batch size and timeout. Returns broken (4xx/5xx), redirected (3xx), and slow links
1007
- - `wp_find_keyword_cannibalization` — detect posts sharing the same focus keyword. Auto-detects RankMath/Yoast/SEOPress/AIOSEO. Groups conflicts by keyword, flags weakest post by word count
1008
- - `wp_audit_taxonomies` — taxonomy bloat detection: unused terms, near-duplicate detection via Levenshtein distance, single-post terms, over-tagged posts
1009
- - `wp_audit_outbound_links` — external link profile per post: low-authority domains, missing rel="nofollow", broken external URLs
1010
- - `src/htmlParser.js` — shared HTML parsing service (parseImagesFromHtml, extractHeadings, extractInternalLinks, countWords)
1011
- - 400 Vitest unit tests · 63 tools
1483
+ - `wc_list_products`, `wc_get_product`, `wc_list_orders`, `wc_get_order`, `wc_list_customers`, `wc_price_guardrail`
1012
1484
 
1013
- ### v4.1.0 (2026-02-19) SEO Audit Suite (Sprint 2)
1485
+ ### v3.3.0 — Internal Link Intelligence
1014
1486
 
1015
- - `wp_find_thin_content` — surface posts below configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure
1016
- - `wp_audit_canonicals` — validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO
1017
- - `wp_analyze_eeat_signals` — E-E-A-T scoring per post (0-100): author bio presence, publication/update dates, outbound citations, word count, structured data markers
1018
- - 368 Vitest unit tests · 59 tools
1487
+ - `wp_analyze_links`, `wp_suggest_internal_links`
1488
+ - `src/linkUtils.js` — shared link utilities
1019
1489
 
1020
- ### v4.0.0 (2026-02-19) SEO Audit Suite (Sprint 1)
1490
+ ### v3.2.0 — Governance Workflows
1021
1491
 
1022
- - `wp_audit_media_seo` audit media library for missing alt text, short alt text, unoptimized filenames. Returns per-image scores and prioritized fix list
1023
- - `wp_find_orphan_pages` — identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list
1024
- - `wp_audit_heading_structure` — analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2
1025
- - All 10 SEO audit tools are read-only and always allowed regardless of governance flags
1026
- - 340 Vitest unit tests · 56 tools
1492
+ - Editorial approval: `wp_submit_for_review`, `wp_approve_post`, `wp_reject_post`
1493
+ - `WP_REQUIRE_APPROVAL`, `WP_CONFIRM_DESTRUCTIVE`
1494
+ - `src/confirmationToken.js` — stateless token system
1027
1495
 
1028
- ### v3.6.0 (2026-02-19) WooCommerce Write
1496
+ ### v3.1.0 — MCPB Bundle
1029
1497
 
1030
- - `wc_update_product` — update product fields (title, description, price, stock, status). Integrated with `wc_price_guardrail` threshold enforcement
1031
- - `wc_update_order_status` transition order status (e.g., processing → completed)
1032
- - `WC_PRICE_GUARDRAIL_THRESHOLD` — configurable price change safety threshold (default 20%)
1033
- - All WooCommerce write tools blocked by `WP_READ_ONLY`
1034
- - 305 Vitest unit tests · 53 tools
1498
+ - `dxt/manifest.json` — MCPB v0.3 spec
1499
+ - OS keychain credential storage
1035
1500
 
1036
- ### v3.5.0 (2026-02-19) WooCommerce Intelligence
1501
+ ### v3.0.0 — HTTP Streamable Transport
1037
1502
 
1038
- - `wc_get_customer` customer profile with order history summary and lifetime value
1039
- - `wc_list_coupons` / `wc_get_coupon` — coupon management with discount rules and usage stats
1040
- - `wc_sales_report` revenue, orders, and average order value for a date range
1041
- - `wc_top_products` — ranking by revenue, quantity sold, or order count
1042
- - 287 Vitest unit tests · 50 tools
1503
+ - HTTP transport (MCP spec 2025-03-26) via `MCP_TRANSPORT=http`
1504
+ - Bearer auth, session management, origin validation
1505
+ - Dual mode: stdio + HTTP simultaneously
1043
1506
 
1044
- ### v3.4.0 (2026-02-19) WooCommerce Core
1507
+ ### v2.2.0 — Enterprise Edition
1045
1508
 
1046
- - `wc_list_products` / `wc_get_product` product catalog with variation support
1047
- - `wc_list_orders` / `wc_get_order` — order management with full line item detail
1048
- - `wc_list_customers` — customer list with search and role filtering
1049
- - `wc_price_guardrail` — read-only price change safety analysis
1050
- - Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET`
1051
- - 271 Vitest unit tests · 46 tools
1052
-
1053
- ### v3.3.0 (2026-02-19) — Internal Link Intelligence
1054
-
1055
- - `wp_analyze_links` — audit all internal/external links in a post. HEAD request verification per link (broken/warning/unknown). Max 20 checks, configurable timeout
1056
- - `wp_suggest_internal_links` — semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts
1057
- - `src/linkUtils.js` — 6 shared utilities: extractInternalLinks, extractExternalLinks, checkLinkStatus, extractFocusKeyword (auto-detects RankMath/Yoast/SEOPress/AIOSEO), calculateRelevanceScore, suggestAnchorText
1058
- - Pre-flight linking workflow: suggest → user validates → `wp_update_post` (never auto-insert)
1059
- - 253 Vitest unit tests · 40 tools
1060
-
1061
- ### v3.2.0 (2026-02-19) — Governance Workflows
1062
-
1063
- - Editorial approval workflow: `wp_submit_for_review` (draft → pending), `wp_approve_post` (pending → publish), `wp_reject_post` (pending → draft + mandatory reason)
1064
- - New governance flag: `WP_REQUIRE_APPROVAL` — blocks direct publish, forces approval workflow
1065
- - Two-step confirmation for destructive operations: `wp_delete_post` and `wp_delete_revision` return a stateless token (60s TTL, SHA-256) when `WP_CONFIRM_DESTRUCTIVE=true`
1066
- - New governance flag: `WP_CONFIRM_DESTRUCTIVE` — requires explicit token confirmation before any delete
1067
- - `src/confirmationToken.js` — stateless token system, zero persistence
1068
- - Governance priority: `WP_READ_ONLY` → `WP_DISABLE_DELETE` → `WP_CONFIRM_DESTRUCTIVE`
1069
- - 225 Vitest unit tests · 38 tools
1070
-
1071
- ### v3.1.0 (2026-02-19) — MCPB Bundle
1072
-
1073
- - `dxt/manifest.json` — MCPB v0.3 spec, 35 tools declared
1074
- - WordPress credentials stored in OS keychain (`sensitive: true`)
1075
- - `npm run build:mcpb` — build script for `.mcpb` distribution
1076
- - 10 new manifest validation tests (201 total)
1077
- - Published to npm: `npx -y @adsim/wordpress-mcp-server@3.1.0`
1078
-
1079
- ### v3.0.0 (2026-02-19) — HTTP Streamable Transport
1080
-
1081
- - HTTP Streamable transport (MCP spec 2025-03-26) via `MCP_TRANSPORT=http`
1082
- - Bearer token authentication with timing-safe comparison (`MCP_AUTH_TOKEN`)
1083
- - Session management via `Mcp-Session-Id` header (UUID v4)
1084
- - Origin header validation (anti-DNS-rebinding)
1085
- - Health endpoint `GET /health`
1086
- - Dual mode `MCP_DUAL_MODE=true` — stdio + HTTP simultaneously
1087
- - Graceful shutdown SIGTERM/SIGINT across both transports
1088
- - 10 new HTTP/auth unit tests (191 total)
1089
- - Published to npm: `@adsim/wordpress-mcp-server`
1090
-
1091
- ### v2.2.0 (2026-02-19) — Enterprise Edition
1092
-
1093
- - 9 new tools: plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
1094
- - New governance flag: `WP_DISABLE_PLUGIN_MANAGEMENT`
1095
- - 171 Vitest unit tests covering all 35 tools (governance, success, 403/404, audit logs)
1096
- - GitHub Actions CI workflow
1097
- - Governance functions read env at call time for testability
1098
- - Exported `handleToolCall` for direct testing
1509
+ - Plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
1510
+ - `WP_DISABLE_PLUGIN_MANAGEMENT`
1099
1511
 
1100
- ### v2.1.0 (2026-02-16)
1512
+ ### v2.1.0 — Enterprise Governance + Multi-Target
1101
1513
 
1102
- - Enterprise governance controls (read-only, draft-only, type/status allowlists)
1103
- - Structured JSON audit trail (27 instrumentation points)
1514
+ - Governance controls (read-only, draft-only, allowlists)
1515
+ - Structured JSON audit trail
1104
1516
  - Multi-target site management
1105
- - 27 MCP tools including pages CRUD, media upload, taxonomy creation, custom post types
1106
- - SEO auto-detection for 4 plugins (Yoast, RankMath, SEOPress, AIOSEO)
1107
- - Health checks, retry with backoff, rate limiting
1517
+ - SEO auto-detection for 4 plugins
1108
1518
 
1109
1519
  ### v1.0.0 (2025-10-17)
1110
1520
 
1111
- - Initial release — JavaScript, 5 tools (list, get, create, update, search posts)
1521
+ - Initial release — 5 tools (list, get, create, update, search posts)
1112
1522
 
1113
1523
  ---
1114
1524
 
1115
1525
  ## Roadmap
1116
1526
 
1117
- ### v4.5 — GSC Integration
1527
+ ### v4.14 — GSC Integration
1118
1528
  - `wp_get_gsc_performance` — Google Search Console API (clicks, impressions, position, CTR per URL)
1119
- - `wp_find_quick_win_keywords` — surface keywords ranking positions 1120 for targeted updates
1120
- - `wp_seo_content_decay` — cross-reference GSC traffic loss with content age to prioritize refresh candidates
1529
+ - `wp_find_quick_win_keywords` — surface keywords ranking positions 11-20
1530
+ - `wp_seo_content_decay` — cross-reference GSC traffic loss with content age
1121
1531
 
1122
- ### v4.6 — Redirect Intelligence
1123
- - `wp_create_redirect` — create 301 redirects via Redirection plugin or RankMath/Yoast Redirects. Auto-triggered governance hook when `wp_update_post` changes a slug
1532
+ ### v4.15 — Redirect Intelligence
1533
+ - `wp_create_redirect` — create 301 redirects via Redirection plugin or RankMath/Yoast
1124
1534
  - `wp_list_404_errors` — surface recent 404s from Redirection plugin log
1125
1535
 
1126
- ### v4.7OAuth & Registry
1127
- - OAuth 2.0 / JWT authentication
1128
- - MCP Registry submission
1536
+ ### v5.0Architecture Refactoring
1537
+ - Modular tool files (`src/tools/*.js`)
1538
+ - TypeScript migration
1129
1539
 
1130
1540
  ---
1131
1541
 
@@ -1139,6 +1549,6 @@ MIT — see [LICENSE](LICENSE).
1139
1549
 
1140
1550
  ## Credits
1141
1551
 
1142
- Built by [AdSim](https://adsim.be) — Digital Marketing & AI Agency, Liège, Belgium.
1552
+ Built by [AdSim](https://adsim.be) — Digital Marketing & AI Agency, Liege, Belgium.
1143
1553
 
1144
1554
  Building the governance layer for Claude-powered WordPress infrastructure in regulated environments.