@adsim/wordpress-mcp-server 4.5.1 → 5.1.0

package/tests/unit/tools/site.test.js

@@ -80,7 +80,7 @@ describe('wp_site_info', () => {
 
     // Server info
     expect(data.server.mcp_version).toBeDefined();
-    expect(data.server.tools_total).toBe(85);
+    expect(data.server.tools_total).toBe(175);
     expect(typeof data.server.tools_exposed).toBe('number');
     expect(Array.isArray(data.server.filtered_out)).toBe(true);
   });

package/tests/unit/tools/siteOptions.test.js

@@ -0,0 +1,101 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../../index.js';
+import { mockSuccess, mockError, makeRequest, parseResult, getAuditLogs } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+let consoleSpy;
+const envBackup = {};
+
+function saveEnv(...keys) {
+  keys.forEach(k => { envBackup[k] = process.env[k]; });
+}
+function restoreEnv() {
+  Object.entries(envBackup).forEach(([k, v]) => {
+    if (v === undefined) delete process.env[k];
+    else process.env[k] = v;
+  });
+}
+
+beforeEach(() => {
+  fetch.mockReset();
+  consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  saveEnv('WP_READ_ONLY');
+});
+afterEach(() => {
+  consoleSpy.mockRestore();
+  restoreEnv();
+});
+
+// ── Mock data ──
+
+const mockSettings = {
+  title: 'My Site',
+  description: 'Just another WordPress site',
+  url: 'https://test.example.com',
+  email: 'admin@test.example.com',
+  timezone_string: 'Europe/Brussels',
+  date_format: 'Y-m-d',
+  time_format: 'H:i',
+  language: 'en_US',
+  posts_per_page: 10,
+};
+
+// =========================================================================
+// wp_get_site_options
+// =========================================================================
+
+describe('wp_get_site_options', () => {
+  it('returns all options when no keys parameter', async () => {
+    fetch.mockResolvedValue(mockSuccess(mockSettings));
+    const data = parseResult(await call('wp_get_site_options'));
+    expect(data.title).toBe('My Site');
+    expect(data.description).toBe('Just another WordPress site');
+    expect(data.timezone_string).toBe('Europe/Brussels');
+    expect(Object.keys(data).length).toBe(Object.keys(mockSettings).length);
+  });
+
+  it('filters to requested keys only', async () => {
+    fetch.mockResolvedValue(mockSuccess(mockSettings));
+    const data = parseResult(await call('wp_get_site_options', { keys: ['title', 'language'] }));
+    expect(data.title).toBe('My Site');
+    expect(data.language).toBe('en_US');
+    expect(Object.keys(data)).toEqual(['title', 'language']);
+    expect(data.email).toBeUndefined();
+  });
+
+  it('handles 403 (insufficient permissions)', async () => {
+    mockError(403, '{"code":"rest_forbidden","message":"Sorry, you are not allowed to manage options."}');
+    const res = await call('wp_get_site_options');
+    expect(res.isError).toBe(true);
+    expect(res.content[0].text).toContain('403');
+  });
+
+  it('logs correct audit format to stderr', async () => {
+    fetch.mockResolvedValue(mockSuccess(mockSettings));
+    await call('wp_get_site_options', { keys: ['title'] });
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_get_site_options');
+    expect(entry).toBeDefined();
+    expect(entry.action).toBe('read_options');
+    expect(entry.status).toBe('success');
+    expect(typeof entry.latency_ms).toBe('number');
+    expect(entry.params.keys_requested).toBe(1);
+    expect(entry.params.keys_returned).toBe(1);
+  });
+
+  it('is NOT blocked by WP_READ_ONLY=true', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    fetch.mockResolvedValue(mockSuccess(mockSettings));
+    const res = await call('wp_get_site_options');
+    expect(res.isError).toBeUndefined();
+    const data = parseResult(res);
+    expect(data.title).toBe('My Site');
+  });
+});

package/tests/unit/tools/users.crud.test.js

@@ -0,0 +1,399 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+// Helper: mock two sequential fetch calls
+function mockTwoSuccess(data1, data2) {
+  fetch
+    .mockImplementationOnce(() => Promise.resolve({
+      ok: true, status: 200,
+      headers: { get: (h) => h === 'content-type' ? 'application/json' : null },
+      json: () => Promise.resolve(data1),
+      text: () => Promise.resolve(JSON.stringify(data1))
+    }))
+    .mockImplementationOnce(() => Promise.resolve({
+      ok: true, status: 200,
+      headers: { get: (h) => h === 'content-type' ? 'application/json' : null },
+      json: () => Promise.resolve(data2),
+      text: () => Promise.resolve(JSON.stringify(data2))
+    }));
+}
+
+// ════════════════════════════════════════════════════════════
+// wp_get_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_get_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns full user profile', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 1, username: 'admin', name: 'Admin', slug: 'admin', email: 'admin@example.com',
+      roles: ['administrator'], first_name: 'Site', last_name: 'Admin', url: 'https://example.com',
+      description: 'The admin', link: 'https://example.com/author/admin', registered_date: '2023-01-01T00:00:00',
+      locale: 'en_US', nickname: 'admin', avatar_urls: { '96': 'https://example.com/avatar.jpg' }, meta: {}
+    }));
+    const result = await call('wp_get_user', { id: 1 });
+    const data = parseResult(result);
+    expect(data.id).toBe(1);
+    expect(data.username).toBe('admin');
+    expect(data.email).toBe('admin@example.com');
+    expect(data.roles).toContain('administrator');
+    expect(data.first_name).toBe('Site');
+    expect(data.registered_date).toBe('2023-01-01T00:00:00');
+  });
+
+  it('returns error on 404', async () => {
+    fetch.mockResolvedValue(mockError(404));
+    const result = await call('wp_get_user', { id: 9999 });
+    expect(result.isError).toBe(true);
+  });
+
+  it('logs audit entry', async () => {
+    fetch.mockResolvedValue(mockSuccess({ id: 1, name: 'Admin', slug: 'admin', roles: [] }));
+    await call('wp_get_user', { id: 1 });
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_get_user');
+    expect(entry).toBeDefined();
+    expect(entry.target).toBe(1);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_create_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_create_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('creates a user when confirm=true', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 5, username: 'newuser', slug: 'newuser', email: 'new@example.com',
+      name: 'New User', roles: ['subscriber']
+    }));
+    const result = await call('wp_create_user', {
+      username: 'newuser', email: 'new@example.com', password: 'Str0ngP@ss!', confirm: true
+    });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.user.id).toBe(5);
+    expect(data.user.username).toBe('newuser');
+  });
+
+  it('rejects when confirm is not true', async () => {
+    const result = await call('wp_create_user', {
+      username: 'test', email: 'test@example.com', password: 'pass', confirm: false
+    });
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('confirm=true');
+  });
+
+  it('rejects when confirm is missing', async () => {
+    const result = await call('wp_create_user', {
+      username: 'test', email: 'test@example.com', password: 'pass'
+    });
+    expect(result.isError).toBe(true);
+  });
+
+  it('passes optional fields', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 6, username: 'jane', slug: 'jane', email: 'jane@example.com',
+      name: 'Jane Doe', roles: ['editor']
+    }));
+    await call('wp_create_user', {
+      username: 'jane', email: 'jane@example.com', password: 'P@ss123!',
+      role: 'editor', first_name: 'Jane', last_name: 'Doe', confirm: true
+    });
+    const [, opts] = fetch.mock.calls[0];
+    const body = JSON.parse(opts.body);
+    expect(body.roles).toEqual(['editor']);
+    expect(body.first_name).toBe('Jane');
+    expect(body.last_name).toBe('Doe');
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_create_user', {
+        username: 'test', email: 'test@example.com', password: 'pass', confirm: true
+      });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_update_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_update_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('updates user fields', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 2, name: 'Updated Name', email: 'updated@example.com', roles: ['editor'], slug: 'updated'
+    }));
+    const result = await call('wp_update_user', { id: 2, display_name: 'Updated Name', role: 'editor' });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.user.name).toBe('Updated Name');
+  });
+
+  it('sends correct payload', async () => {
+    fetch.mockResolvedValue(mockSuccess({ id: 2, name: 'X', email: 'x@x.com', roles: ['author'], slug: 'x' }));
+    await call('wp_update_user', { id: 2, email: 'new@example.com', description: 'A bio', meta: { custom: 'value' } });
+    const [, opts] = fetch.mock.calls[0];
+    const body = JSON.parse(opts.body);
+    expect(body.email).toBe('new@example.com');
+    expect(body.description).toBe('A bio');
+    expect(body.meta).toEqual({ custom: 'value' });
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_update_user', { id: 2, display_name: 'X' });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_delete_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_delete_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('deletes user when confirm=true and reassign provided', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.message).toContain('reassigned to user 1');
+  });
+
+  it('rejects when confirm is not true', async () => {
+    const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: false });
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('confirm=true');
+  });
+
+  it('passes force and reassign in URL', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+    const [url] = fetch.mock.calls[0];
+    expect(url).toContain('/users/5?force=true&reassign=1');
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+
+  it('is blocked by WP_DISABLE_DELETE', async () => {
+    process.env.WP_DISABLE_DELETE = 'true';
+    try {
+      const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('DISABLE_DELETE');
+    } finally {
+      delete process.env.WP_DISABLE_DELETE;
+    }
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_list_user_roles
+// ════════════════════════════════════════════════════════════
+
+describe('wp_list_user_roles', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns roles as array', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { slug: 'administrator', name: 'Administrator', capabilities: { manage_options: true, edit_posts: true } },
+      { slug: 'editor', name: 'Editor', capabilities: { edit_posts: true, edit_others_posts: true } }
+    ]));
+    const result = await call('wp_list_user_roles');
+    const data = parseResult(result);
+    expect(data.total).toBe(2);
+    expect(data.roles[0].slug).toBe('administrator');
+    expect(data.roles[0].capabilities.manage_options).toBe(true);
+  });
+
+  it('handles object format', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      administrator: { name: 'Administrator', capabilities: { manage_options: true } },
+      subscriber: { name: 'Subscriber', capabilities: { read: true } }
+    }));
+    const result = await call('wp_list_user_roles');
+    const data = parseResult(result);
+    expect(data.total).toBe(2);
+    expect(data.roles.find(r => r.slug === 'administrator')).toBeDefined();
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_get_user_capabilities
+// ════════════════════════════════════════════════════════════
+
+describe('wp_get_user_capabilities', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns active capabilities', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 1, name: 'Admin', roles: ['administrator'],
+      capabilities: { manage_options: true, edit_posts: true, read: true, delete_posts: false }
+    }));
+    const result = await call('wp_get_user_capabilities', { id: 1 });
+    const data = parseResult(result);
+    expect(data.id).toBe(1);
+    expect(data.capabilities).toContain('manage_options');
+    expect(data.capabilities).toContain('edit_posts');
+    expect(data.capabilities).not.toContain('delete_posts');
+    expect(data.capabilities_count).toBe(3);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_reset_user_password
+// ════════════════════════════════════════════════════════════
+
+describe('wp_reset_user_password', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('sends password reset email', async () => {
+    mockTwoSuccess(
+      { id: 3, name: 'User', email: 'user@example.com' },
+      { success: true, user_id: 3, message: 'Password reset email sent.' }
+    );
+    const result = await call('wp_reset_user_password', { id: 3 });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.user.email).toContain('***'); // Masked email
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_reset_user_password', { id: 3 });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+
+  it('calls mcp-diagnostics endpoint', async () => {
+    mockTwoSuccess(
+      { id: 3, name: 'User', email: 'user@example.com' },
+      { success: true }
+    );
+    await call('wp_reset_user_password', { id: 3 });
+    const secondUrl = fetch.mock.calls[1][0];
+    expect(secondUrl).toContain('/wp-json/mcp-diagnostics/v1/password-reset');
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_list_user_application_passwords
+// ════════════════════════════════════════════════════════════
+
+describe('wp_list_user_application_passwords', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns application passwords', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { uuid: 'abc-123', name: 'MCP Server', created: '2024-01-01', last_used: '2024-06-01', last_ip: '1.2.3.4' },
+      { uuid: 'def-456', name: 'Mobile App', created: '2024-03-01', last_used: null, last_ip: null }
+    ]));
+    const result = await call('wp_list_user_application_passwords', { id: 1 });
+    const data = parseResult(result);
+    expect(data.user_id).toBe(1);
+    expect(data.total).toBe(2);
+    expect(data.application_passwords[0].uuid).toBe('abc-123');
+    expect(data.application_passwords[0].name).toBe('MCP Server');
+    expect(data.application_passwords[1].last_used).toBeNull();
+  });
+
+  it('calls correct endpoint', async () => {
+    fetch.mockResolvedValue(mockSuccess([]));
+    await call('wp_list_user_application_passwords', { id: 1 });
+    const [url] = fetch.mock.calls[0];
+    expect(url).toContain('/users/1/application-passwords');
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_revoke_application_password
+// ════════════════════════════════════════════════════════════
+
+describe('wp_revoke_application_password', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('revokes an application password', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    const result = await call('wp_revoke_application_password', { id: 1, uuid: 'abc-123' });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.message).toContain('abc-123');
+  });
+
+  it('calls correct DELETE endpoint', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    await call('wp_revoke_application_password', { id: 1, uuid: 'abc-123' });
+    const [url, opts] = fetch.mock.calls[0];
+    expect(url).toContain('/users/1/application-passwords/abc-123');
+    expect(opts.method).toBe('DELETE');
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_revoke_application_password', { id: 1, uuid: 'abc-123' });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+});