@adsim/wordpress-mcp-server 4.6.0 → 5.1.0

package/tests/unit/tools/site.test.js

@@ -80,7 +80,7 @@ describe('wp_site_info', () => {
 
     // Server info
     expect(data.server.mcp_version).toBeDefined();
-    expect(data.server.tools_total).toBe(86);
+    expect(data.server.tools_total).toBe(175);
     expect(typeof data.server.tools_exposed).toBe('number');
     expect(Array.isArray(data.server.filtered_out)).toBe(true);
   });

package/tests/unit/tools/users.crud.test.js

@@ -0,0 +1,399 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall } from '../../../index.js';
+import { mockSuccess, mockError, getAuditLogs, makeRequest, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+// Helper: mock two sequential fetch calls
+function mockTwoSuccess(data1, data2) {
+  fetch
+    .mockImplementationOnce(() => Promise.resolve({
+      ok: true, status: 200,
+      headers: { get: (h) => h === 'content-type' ? 'application/json' : null },
+      json: () => Promise.resolve(data1),
+      text: () => Promise.resolve(JSON.stringify(data1))
+    }))
+    .mockImplementationOnce(() => Promise.resolve({
+      ok: true, status: 200,
+      headers: { get: (h) => h === 'content-type' ? 'application/json' : null },
+      json: () => Promise.resolve(data2),
+      text: () => Promise.resolve(JSON.stringify(data2))
+    }));
+}
+
+// ════════════════════════════════════════════════════════════
+// wp_get_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_get_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns full user profile', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 1, username: 'admin', name: 'Admin', slug: 'admin', email: 'admin@example.com',
+      roles: ['administrator'], first_name: 'Site', last_name: 'Admin', url: 'https://example.com',
+      description: 'The admin', link: 'https://example.com/author/admin', registered_date: '2023-01-01T00:00:00',
+      locale: 'en_US', nickname: 'admin', avatar_urls: { '96': 'https://example.com/avatar.jpg' }, meta: {}
+    }));
+    const result = await call('wp_get_user', { id: 1 });
+    const data = parseResult(result);
+    expect(data.id).toBe(1);
+    expect(data.username).toBe('admin');
+    expect(data.email).toBe('admin@example.com');
+    expect(data.roles).toContain('administrator');
+    expect(data.first_name).toBe('Site');
+    expect(data.registered_date).toBe('2023-01-01T00:00:00');
+  });
+
+  it('returns error on 404', async () => {
+    fetch.mockResolvedValue(mockError(404));
+    const result = await call('wp_get_user', { id: 9999 });
+    expect(result.isError).toBe(true);
+  });
+
+  it('logs audit entry', async () => {
+    fetch.mockResolvedValue(mockSuccess({ id: 1, name: 'Admin', slug: 'admin', roles: [] }));
+    await call('wp_get_user', { id: 1 });
+    const logs = getAuditLogs();
+    const entry = logs.find(l => l.tool === 'wp_get_user');
+    expect(entry).toBeDefined();
+    expect(entry.target).toBe(1);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_create_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_create_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('creates a user when confirm=true', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 5, username: 'newuser', slug: 'newuser', email: 'new@example.com',
+      name: 'New User', roles: ['subscriber']
+    }));
+    const result = await call('wp_create_user', {
+      username: 'newuser', email: 'new@example.com', password: 'Str0ngP@ss!', confirm: true
+    });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.user.id).toBe(5);
+    expect(data.user.username).toBe('newuser');
+  });
+
+  it('rejects when confirm is not true', async () => {
+    const result = await call('wp_create_user', {
+      username: 'test', email: 'test@example.com', password: 'pass', confirm: false
+    });
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('confirm=true');
+  });
+
+  it('rejects when confirm is missing', async () => {
+    const result = await call('wp_create_user', {
+      username: 'test', email: 'test@example.com', password: 'pass'
+    });
+    expect(result.isError).toBe(true);
+  });
+
+  it('passes optional fields', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 6, username: 'jane', slug: 'jane', email: 'jane@example.com',
+      name: 'Jane Doe', roles: ['editor']
+    }));
+    await call('wp_create_user', {
+      username: 'jane', email: 'jane@example.com', password: 'P@ss123!',
+      role: 'editor', first_name: 'Jane', last_name: 'Doe', confirm: true
+    });
+    const [, opts] = fetch.mock.calls[0];
+    const body = JSON.parse(opts.body);
+    expect(body.roles).toEqual(['editor']);
+    expect(body.first_name).toBe('Jane');
+    expect(body.last_name).toBe('Doe');
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_create_user', {
+        username: 'test', email: 'test@example.com', password: 'pass', confirm: true
+      });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_update_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_update_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('updates user fields', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 2, name: 'Updated Name', email: 'updated@example.com', roles: ['editor'], slug: 'updated'
+    }));
+    const result = await call('wp_update_user', { id: 2, display_name: 'Updated Name', role: 'editor' });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.user.name).toBe('Updated Name');
+  });
+
+  it('sends correct payload', async () => {
+    fetch.mockResolvedValue(mockSuccess({ id: 2, name: 'X', email: 'x@x.com', roles: ['author'], slug: 'x' }));
+    await call('wp_update_user', { id: 2, email: 'new@example.com', description: 'A bio', meta: { custom: 'value' } });
+    const [, opts] = fetch.mock.calls[0];
+    const body = JSON.parse(opts.body);
+    expect(body.email).toBe('new@example.com');
+    expect(body.description).toBe('A bio');
+    expect(body.meta).toEqual({ custom: 'value' });
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_update_user', { id: 2, display_name: 'X' });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_delete_user
+// ════════════════════════════════════════════════════════════
+
+describe('wp_delete_user', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('deletes user when confirm=true and reassign provided', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.message).toContain('reassigned to user 1');
+  });
+
+  it('rejects when confirm is not true', async () => {
+    const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: false });
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('confirm=true');
+  });
+
+  it('passes force and reassign in URL', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+    const [url] = fetch.mock.calls[0];
+    expect(url).toContain('/users/5?force=true&reassign=1');
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+
+  it('is blocked by WP_DISABLE_DELETE', async () => {
+    process.env.WP_DISABLE_DELETE = 'true';
+    try {
+      const result = await call('wp_delete_user', { id: 5, reassign: 1, confirm: true });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('DISABLE_DELETE');
+    } finally {
+      delete process.env.WP_DISABLE_DELETE;
+    }
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_list_user_roles
+// ════════════════════════════════════════════════════════════
+
+describe('wp_list_user_roles', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns roles as array', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { slug: 'administrator', name: 'Administrator', capabilities: { manage_options: true, edit_posts: true } },
+      { slug: 'editor', name: 'Editor', capabilities: { edit_posts: true, edit_others_posts: true } }
+    ]));
+    const result = await call('wp_list_user_roles');
+    const data = parseResult(result);
+    expect(data.total).toBe(2);
+    expect(data.roles[0].slug).toBe('administrator');
+    expect(data.roles[0].capabilities.manage_options).toBe(true);
+  });
+
+  it('handles object format', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      administrator: { name: 'Administrator', capabilities: { manage_options: true } },
+      subscriber: { name: 'Subscriber', capabilities: { read: true } }
+    }));
+    const result = await call('wp_list_user_roles');
+    const data = parseResult(result);
+    expect(data.total).toBe(2);
+    expect(data.roles.find(r => r.slug === 'administrator')).toBeDefined();
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_get_user_capabilities
+// ════════════════════════════════════════════════════════════
+
+describe('wp_get_user_capabilities', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns active capabilities', async () => {
+    fetch.mockResolvedValue(mockSuccess({
+      id: 1, name: 'Admin', roles: ['administrator'],
+      capabilities: { manage_options: true, edit_posts: true, read: true, delete_posts: false }
+    }));
+    const result = await call('wp_get_user_capabilities', { id: 1 });
+    const data = parseResult(result);
+    expect(data.id).toBe(1);
+    expect(data.capabilities).toContain('manage_options');
+    expect(data.capabilities).toContain('edit_posts');
+    expect(data.capabilities).not.toContain('delete_posts');
+    expect(data.capabilities_count).toBe(3);
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_reset_user_password
+// ════════════════════════════════════════════════════════════
+
+describe('wp_reset_user_password', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('sends password reset email', async () => {
+    mockTwoSuccess(
+      { id: 3, name: 'User', email: 'user@example.com' },
+      { success: true, user_id: 3, message: 'Password reset email sent.' }
+    );
+    const result = await call('wp_reset_user_password', { id: 3 });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.user.email).toContain('***'); // Masked email
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_reset_user_password', { id: 3 });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+
+  it('calls mcp-diagnostics endpoint', async () => {
+    mockTwoSuccess(
+      { id: 3, name: 'User', email: 'user@example.com' },
+      { success: true }
+    );
+    await call('wp_reset_user_password', { id: 3 });
+    const secondUrl = fetch.mock.calls[1][0];
+    expect(secondUrl).toContain('/wp-json/mcp-diagnostics/v1/password-reset');
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_list_user_application_passwords
+// ════════════════════════════════════════════════════════════
+
+describe('wp_list_user_application_passwords', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('returns application passwords', async () => {
+    fetch.mockResolvedValue(mockSuccess([
+      { uuid: 'abc-123', name: 'MCP Server', created: '2024-01-01', last_used: '2024-06-01', last_ip: '1.2.3.4' },
+      { uuid: 'def-456', name: 'Mobile App', created: '2024-03-01', last_used: null, last_ip: null }
+    ]));
+    const result = await call('wp_list_user_application_passwords', { id: 1 });
+    const data = parseResult(result);
+    expect(data.user_id).toBe(1);
+    expect(data.total).toBe(2);
+    expect(data.application_passwords[0].uuid).toBe('abc-123');
+    expect(data.application_passwords[0].name).toBe('MCP Server');
+    expect(data.application_passwords[1].last_used).toBeNull();
+  });
+
+  it('calls correct endpoint', async () => {
+    fetch.mockResolvedValue(mockSuccess([]));
+    await call('wp_list_user_application_passwords', { id: 1 });
+    const [url] = fetch.mock.calls[0];
+    expect(url).toContain('/users/1/application-passwords');
+  });
+});
+
+// ════════════════════════════════════════════════════════════
+// wp_revoke_application_password
+// ════════════════════════════════════════════════════════════
+
+describe('wp_revoke_application_password', () => {
+  let consoleSpy;
+  beforeEach(() => { fetch.mockReset(); consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); });
+  afterEach(() => { consoleSpy.mockRestore(); });
+
+  it('revokes an application password', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    const result = await call('wp_revoke_application_password', { id: 1, uuid: 'abc-123' });
+    const data = parseResult(result);
+    expect(data.success).toBe(true);
+    expect(data.message).toContain('abc-123');
+  });
+
+  it('calls correct DELETE endpoint', async () => {
+    fetch.mockResolvedValue(mockSuccess({ deleted: true }));
+    await call('wp_revoke_application_password', { id: 1, uuid: 'abc-123' });
+    const [url, opts] = fetch.mock.calls[0];
+    expect(url).toContain('/users/1/application-passwords/abc-123');
+    expect(opts.method).toBe('DELETE');
+  });
+
+  it('is blocked by WP_READ_ONLY', async () => {
+    process.env.WP_READ_ONLY = 'true';
+    try {
+      const result = await call('wp_revoke_application_password', { id: 1, uuid: 'abc-123' });
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('READ-ONLY');
+    } finally {
+      delete process.env.WP_READ_ONLY;
+    }
+  });
+});

package/tests/unit/tools/validateBlocks.test.js

@@ -0,0 +1,186 @@
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+
+vi.mock('node-fetch', () => ({ default: vi.fn() }));
+
+import fetch from 'node-fetch';
+import { handleToolCall, _testSetTarget } from '../../../index.js';
+import { makeRequest, mockSuccess, parseResult } from '../../helpers/mockWpRequest.js';
+
+function call(name, args = {}) {
+  return handleToolCall(makeRequest(name, args));
+}
+
+let consoleSpy;
+
+beforeEach(() => {
+  fetch.mockReset();
+  consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+  _testSetTarget('site1', { url: 'https://example.com', auth: 'Basic dGVzdDp0ZXN0' });
+  delete process.env.WP_VALIDATE_BLOCKS;
+  delete process.env.WP_READ_ONLY;
+});
+afterEach(() => {
+  consoleSpy.mockRestore();
+  delete process.env.WP_VALIDATE_BLOCKS;
+  delete process.env.WP_READ_ONLY;
+});
+
+// =========================================================================
+// 1. Valid HTML → valid: true, errors: []
+// =========================================================================
+describe('wp_validate_block_structure', () => {
+  it('returns valid for well-formed Gutenberg blocks', async () => {
+    const content = [
+      '<!-- wp:paragraph -->',
+      '<p>Hello world</p>',
+      '<!-- /wp:paragraph -->',
+      '',
+      '<!-- wp:heading {"level":2} -->',
+      '<h2>Title</h2>',
+      '<!-- /wp:heading -->'
+    ].join('\n');
+
+    const res = await call('wp_validate_block_structure', { content });
+    const data = parseResult(res);
+    expect(data.valid).toBe(true);
+    expect(data.errors).toHaveLength(0);
+    expect(data.blocks_found).toEqual(
+      expect.arrayContaining([
+        { name: 'core/paragraph', count: 1 },
+        { name: 'core/heading', count: 1 }
+      ])
+    );
+  });
+
+  // =========================================================================
+  // 2. Unclosed block → error detected
+  // =========================================================================
+  it('detects unclosed block comment', async () => {
+    const content = [
+      '<!-- wp:paragraph -->',
+      '<p>No closing comment</p>'
+    ].join('\n');
+
+    const res = await call('wp_validate_block_structure', { content });
+    const data = parseResult(res);
+    expect(data.valid).toBe(false);
+    expect(data.errors.some(e => e.type === 'unclosed_block')).toBe(true);
+  });
+
+  // =========================================================================
+  // 3. Malformed JSON in comment → error detected
+  // =========================================================================
+  it('detects malformed JSON in block attributes', async () => {
+    const content = [
+      '<!-- wp:heading {level:2} -->',
+      '<h2>Bad JSON</h2>',
+      '<!-- /wp:heading -->'
+    ].join('\n');
+
+    const res = await call('wp_validate_block_structure', { content });
+    const data = parseResult(res);
+    expect(data.valid).toBe(false);
+    expect(data.errors.some(e => e.type === 'malformed_json')).toBe(true);
+  });
+
+  // =========================================================================
+  // 4. Invalid nesting → error detected
+  // =========================================================================
+  it('detects invalid nesting (paragraph inside paragraph)', async () => {
+    const content = [
+      '<!-- wp:paragraph -->',
+      '<p>Outer</p>',
+      '<!-- wp:paragraph -->',
+      '<p>Inner — invalid</p>',
+      '<!-- /wp:paragraph -->',
+      '<!-- /wp:paragraph -->'
+    ].join('\n');
+
+    const res = await call('wp_validate_block_structure', { content });
+    const data = parseResult(res);
+    expect(data.valid).toBe(false);
+    expect(data.errors.some(e => e.type === 'invalid_nesting')).toBe(true);
+  });
+
+  // =========================================================================
+  // 5. strict: false → no error on missing attributes
+  // =========================================================================
+  it('does not error on missing attributes when strict=false', async () => {
+    const content = [
+      '<!-- wp:heading -->',
+      '<h2>No attributes</h2>',
+      '<!-- /wp:heading -->'
+    ].join('\n');
+
+    const res = await call('wp_validate_block_structure', { content, strict: false });
+    const data = parseResult(res);
+    expect(data.valid).toBe(true);
+    expect(data.errors.filter(e => e.type === 'missing_attributes')).toHaveLength(0);
+  });
+
+  // =========================================================================
+  // 6. strict: true → error on missing attributes
+  // =========================================================================
+  it('errors on missing attributes when strict=true', async () => {
+    const content = [
+      '<!-- wp:heading -->',
+      '<h2>No attributes</h2>',
+      '<!-- /wp:heading -->'
+    ].join('\n');
+
+    const res = await call('wp_validate_block_structure', { content, strict: true });
+    const data = parseResult(res);
+    expect(data.valid).toBe(false);
+    expect(data.errors.some(e => e.type === 'missing_attributes')).toBe(true);
+  });
+});
+
+// =========================================================================
+// 7-9. WP_VALIDATE_BLOCKS guard on wp_update_post
+// =========================================================================
+describe('WP_VALIDATE_BLOCKS guard', () => {
+  // 7. WP_VALIDATE_BLOCKS=true → blocks update if invalid content
+  it('blocks wp_update_post with invalid content when WP_VALIDATE_BLOCKS=true', async () => {
+    process.env.WP_VALIDATE_BLOCKS = 'true';
+    const invalidContent = '<!-- wp:paragraph -->\n<p>Unclosed block</p>';
+
+    const res = await call('wp_update_post', { id: 1, content: invalidContent });
+    expect(res.isError).toBe(true);
+    const data = JSON.parse(res.content[0].text);
+    expect(data.status).toBe('blocked');
+    expect(data.reason).toContain('WP_VALIDATE_BLOCKS');
+    expect(data.errors.length).toBeGreaterThan(0);
+  });
+
+  // 8. WP_VALIDATE_BLOCKS=true → allows update if valid content
+  it('allows wp_update_post with valid content when WP_VALIDATE_BLOCKS=true', async () => {
+    process.env.WP_VALIDATE_BLOCKS = 'true';
+    const validContent = '<!-- wp:paragraph -->\n<p>Valid</p>\n<!-- /wp:paragraph -->';
+
+    // POST /posts/1 → updated
+    mockSuccess({
+      id: 1, title: { rendered: 'Test' }, status: 'publish',
+      link: 'https://example.com/test/', modified: '2025-06-16'
+    });
+
+    const res = await call('wp_update_post', { id: 1, content: validContent });
+    const data = parseResult(res);
+    expect(data.success).toBe(true);
+  });
+
+  // 9. WP_VALIDATE_BLOCKS not set → no interception
+  it('does not intercept wp_update_post when WP_VALIDATE_BLOCKS is not set', async () => {
+    // No WP_VALIDATE_BLOCKS env var
+    const invalidContent = '<!-- wp:paragraph -->\n<p>Unclosed</p>';
+
+    // POST /posts/1 → updated normally despite invalid blocks
+    mockSuccess({
+      id: 1, title: { rendered: 'Test' }, status: 'publish',
+      link: 'https://example.com/test/', modified: '2025-06-16'
+    });
+
+    const res = await call('wp_update_post', { id: 1, content: invalidContent });
+    const data = parseResult(res);
+    expect(data.success).toBe(true);
+  });
+});