@adsim/wordpress-mcp-server 4.6.0 → 5.1.0

package/companion/mcp-diagnostics.php

@@ -0,0 +1,1184 @@
+<?php
+/**
+ * Plugin Name: MCP Diagnostics Companion
+ * Description: Exposes secure REST endpoints for WordPress MCP Server diagnostics (debug log, cron events, transients, hooks).
+ * Version: 1.0.0
+ * Requires PHP: 7.4
+ * Author: AdSim
+ * License: MIT
+ *
+ * Installation: Copy this file to wp-content/mu-plugins/mcp-diagnostics.php
+ *
+ * Security: All endpoints require 'manage_options' capability (Administrator).
+ * Schema endpoints require 'edit_posts' capability.
+ * Read endpoints are read-only; schema POST/DELETE respect WP_READ_ONLY.
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+add_action( 'rest_api_init', 'mcp_diagnostics_register_routes' );
+add_action( 'wp_head', 'mcp_schema_output_jsonld', 1 );
+
+function mcp_diagnostics_register_routes() {
+	$namespace = 'mcp-diagnostics/v1';
+
+	register_rest_route( $namespace, '/debug-log', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_debug_log',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+		'args'                => array(
+			'lines' => array(
+				'type'              => 'integer',
+				'default'           => 100,
+				'minimum'           => 1,
+				'maximum'           => 500,
+				'sanitize_callback' => 'absint',
+			),
+			'level' => array(
+				'type'              => 'string',
+				'default'           => 'all',
+				'enum'              => array( 'error', 'warning', 'notice', 'all' ),
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+		),
+	) );
+
+	register_rest_route( $namespace, '/cron-events', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_cron_events',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+	) );
+
+	register_rest_route( $namespace, '/transients', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_transients',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+		'args'                => array(
+			'filter' => array(
+				'type'              => 'string',
+				'default'           => 'all',
+				'enum'              => array( 'all', 'expired', 'active' ),
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+			'search' => array(
+				'type'              => 'string',
+				'default'           => '',
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+			'per_page' => array(
+				'type'              => 'integer',
+				'default'           => 50,
+				'minimum'           => 1,
+				'maximum'           => 200,
+				'sanitize_callback' => 'absint',
+			),
+		),
+	) );
+
+	register_rest_route( $namespace, '/database-bloat', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_database_bloat',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+	) );
+
+	register_rest_route( $namespace, '/password-reset', array(
+		'methods'             => 'POST',
+		'callback'            => 'mcp_diagnostics_password_reset',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+		'args'                => array(
+			'user_id' => array(
+				'type'              => 'integer',
+				'required'          => true,
+				'sanitize_callback' => 'absint',
+			),
+		),
+	) );
+
+	// ── Schema.org JSON-LD management ──
+	register_rest_route( $namespace, '/schema/(?P<post_id>\d+)', array(
+		array(
+			'methods'             => 'GET',
+			'callback'            => 'mcp_diagnostics_schema_get',
+			'permission_callback' => 'mcp_diagnostics_schema_permission_check',
+			'args'                => array(
+				'post_id' => array(
+					'type'              => 'integer',
+					'required'          => true,
+					'sanitize_callback' => 'absint',
+				),
+			),
+		),
+		array(
+			'methods'             => 'POST',
+			'callback'            => 'mcp_diagnostics_schema_set',
+			'permission_callback' => 'mcp_diagnostics_schema_permission_check',
+			'args'                => array(
+				'post_id' => array(
+					'type'              => 'integer',
+					'required'          => true,
+					'sanitize_callback' => 'absint',
+				),
+				'schema' => array(
+					'type'     => 'string',
+					'required' => true,
+				),
+			),
+		),
+		array(
+			'methods'             => 'DELETE',
+			'callback'            => 'mcp_diagnostics_schema_delete',
+			'permission_callback' => 'mcp_diagnostics_schema_permission_check',
+			'args'                => array(
+				'post_id' => array(
+					'type'              => 'integer',
+					'required'          => true,
+					'sanitize_callback' => 'absint',
+				),
+			),
+		),
+	) );
+
+	// ── Polylang Free REST fallback ──
+	register_rest_route( $namespace, '/polylang/languages', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_polylang_languages',
+		'permission_callback' => '__return_true',
+	) );
+
+	register_rest_route( $namespace, '/polylang/translations/(?P<post_id>\d+)', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_polylang_translations',
+		'permission_callback' => '__return_true',
+		'args'                => array(
+			'post_id' => array(
+				'type'              => 'integer',
+				'required'          => true,
+				'sanitize_callback' => 'absint',
+			),
+		),
+	) );
+
+	// ── WooCommerce Intelligence endpoints ──
+	register_rest_route( $namespace, '/wc-abandoned-carts', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_wc_abandoned_carts',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+		'args'                => array(
+			'days' => array(
+				'type'              => 'integer',
+				'default'           => 30,
+				'minimum'           => 1,
+				'maximum'           => 365,
+				'sanitize_callback' => 'absint',
+			),
+			'min_value' => array(
+				'type'              => 'number',
+				'default'           => 0,
+				'sanitize_callback' => 'floatval',
+			),
+		),
+	) );
+
+	// ── Security Audit endpoints ──
+	register_rest_route( $namespace, '/user-activity', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_user_activity',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+	) );
+
+	register_rest_route( $namespace, '/file-permissions', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_file_permissions',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+	) );
+
+	register_rest_route( $namespace, '/modified-files', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_modified_files',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+		'args'                => array(
+			'days' => array(
+				'type'              => 'integer',
+				'default'           => 7,
+				'minimum'           => 1,
+				'maximum'           => 90,
+				'sanitize_callback' => 'absint',
+			),
+			'paths' => array(
+				'type'              => 'string',
+				'default'           => 'plugins,themes',
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+			'extensions' => array(
+				'type'              => 'string',
+				'default'           => '.php,.js',
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+		),
+	) );
+
+	register_rest_route( $namespace, '/hooks', array(
+		'methods'             => 'GET',
+		'callback'            => 'mcp_diagnostics_hooks',
+		'permission_callback' => 'mcp_diagnostics_permission_check',
+		'args'                => array(
+			'type' => array(
+				'type'              => 'string',
+				'default'           => 'all',
+				'enum'              => array( 'actions', 'filters', 'all' ),
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+			'search' => array(
+				'type'              => 'string',
+				'default'           => '',
+				'sanitize_callback' => 'sanitize_text_field',
+			),
+			'per_page' => array(
+				'type'              => 'integer',
+				'default'           => 50,
+				'minimum'           => 1,
+				'maximum'           => 200,
+				'sanitize_callback' => 'absint',
+			),
+		),
+	) );
+}
+
+/**
+ * Permission check: require manage_options (Administrator).
+ */
+function mcp_diagnostics_permission_check( $request ) {
+	if ( ! current_user_can( 'manage_options' ) ) {
+		return new WP_Error(
+			'rest_forbidden',
+			__( 'MCP Diagnostics requires Administrator privileges.' ),
+			array( 'status' => 403 )
+		);
+	}
+	return true;
+}
+
+/**
+ * GET /mcp-diagnostics/v1/debug-log
+ * Reads the last N lines of wp-content/debug.log.
+ */
+function mcp_diagnostics_debug_log( $request ) {
+	$max_lines = $request->get_param( 'lines' );
+	$level     = $request->get_param( 'level' );
+
+	$log_file = WP_CONTENT_DIR . '/debug.log';
+
+	if ( ! file_exists( $log_file ) ) {
+		return new WP_REST_Response( array(
+			'lines'         => array(),
+			'total_lines'   => 0,
+			'file_size'     => 0,
+			'last_modified' => null,
+			'message'       => 'debug.log not found. Ensure WP_DEBUG and WP_DEBUG_LOG are enabled in wp-config.php.',
+		), 200 );
+	}
+
+	$file_size     = filesize( $log_file );
+	$last_modified = gmdate( 'c', filemtime( $log_file ) );
+
+	// Read last N lines efficiently via tail-like approach
+	$all_lines = array();
+	$handle    = fopen( $log_file, 'r' );
+	if ( $handle ) {
+		// For files > 1MB, seek from end
+		$chunk_size = 65536;
+		$buffer     = '';
+
+		if ( $file_size > $chunk_size ) {
+			$pos = $file_size;
+			while ( $pos > 0 && count( $all_lines ) < $max_lines ) {
+				$read_size = min( $chunk_size, $pos );
+				$pos      -= $read_size;
+				fseek( $handle, $pos );
+				$buffer = fread( $handle, $read_size ) . $buffer;
+				$all_lines = explode( "\n", $buffer );
+			}
+			$all_lines = array_slice( $all_lines, -$max_lines );
+		} else {
+			$content   = fread( $handle, $file_size );
+			$all_lines = explode( "\n", $content );
+			$all_lines = array_slice( $all_lines, -$max_lines );
+		}
+		fclose( $handle );
+	}
+
+	// Filter empty lines
+	$all_lines = array_values( array_filter( $all_lines, function( $line ) {
+		return trim( $line ) !== '';
+	} ) );
+
+	// Filter by level
+	if ( $level !== 'all' ) {
+		$level_upper = strtoupper( $level );
+		$all_lines   = array_values( array_filter( $all_lines, function( $line ) use ( $level_upper ) {
+			// Match common PHP error format: "PHP Warning:", "PHP Fatal error:", "PHP Notice:"
+			$line_upper = strtoupper( $line );
+			switch ( $level_upper ) {
+				case 'ERROR':
+					return strpos( $line_upper, 'ERROR' ) !== false || strpos( $line_upper, 'FATAL' ) !== false;
+				case 'WARNING':
+					return strpos( $line_upper, 'WARNING' ) !== false;
+				case 'NOTICE':
+					return strpos( $line_upper, 'NOTICE' ) !== false || strpos( $line_upper, 'DEPRECATED' ) !== false;
+				default:
+					return true;
+			}
+		} ) );
+	}
+
+	return new WP_REST_Response( array(
+		'lines'         => $all_lines,
+		'total_lines'   => count( $all_lines ),
+		'file_size'     => $file_size,
+		'last_modified' => $last_modified,
+	), 200 );
+}
+
+/**
+ * GET /mcp-diagnostics/v1/cron-events
+ * Lists all scheduled WP-Cron events.
+ */
+function mcp_diagnostics_cron_events( $request ) {
+	$crons  = _get_cron_array();
+	$events = array();
+
+	if ( ! is_array( $crons ) ) {
+		return new WP_REST_Response( array( 'events' => array() ), 200 );
+	}
+
+	$schedules = wp_get_schedules();
+
+	foreach ( $crons as $timestamp => $cron_group ) {
+		foreach ( $cron_group as $hook => $hook_events ) {
+			foreach ( $hook_events as $key => $event ) {
+				$schedule_name = $event['schedule'] ?? false;
+				$interval      = 0;
+				if ( $schedule_name && isset( $schedules[ $schedule_name ] ) ) {
+					$interval = $schedules[ $schedule_name ]['interval'];
+				}
+
+				$events[] = array(
+					'hook'     => $hook,
+					'args'     => $event['args'] ?? array(),
+					'schedule' => $schedule_name ?: 'single',
+					'interval' => $interval ?: null,
+					'next_run' => (int) $timestamp,
+				);
+			}
+		}
+	}
+
+	// Sort by next_run ascending
+	usort( $events, function( $a, $b ) {
+		return $a['next_run'] - $b['next_run'];
+	} );
+
+	return new WP_REST_Response( array( 'events' => $events ), 200 );
+}
+
+/**
+ * GET /mcp-diagnostics/v1/transients
+ * Lists database transients.
+ */
+function mcp_diagnostics_transients( $request ) {
+	global $wpdb;
+
+	$filter   = $request->get_param( 'filter' );
+	$search   = $request->get_param( 'search' );
+	$per_page = $request->get_param( 'per_page' );
+	$now      = time();
+
+	$where = array( "option_name LIKE '_transient_%'" );
+	$where[] = "option_name NOT LIKE '_transient_timeout_%'";
+
+	if ( $search ) {
+		$like    = '%' . $wpdb->esc_like( $search ) . '%';
+		$where[] = $wpdb->prepare( 'option_name LIKE %s', $like );
+	}
+
+	$sql = "SELECT option_name, LENGTH(option_value) as value_size FROM {$wpdb->options} WHERE " . implode( ' AND ', $where ) . " LIMIT {$per_page}";
+
+	$rows       = $wpdb->get_results( $sql ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+	$transients = array();
+
+	foreach ( $rows as $row ) {
+		$key          = str_replace( '_transient_', '', $row->option_name );
+		$timeout_row  = $wpdb->get_var( $wpdb->prepare(
+			"SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
+			'_transient_timeout_' . $key
+		) );
+		$expiration   = $timeout_row ? (int) $timeout_row : 0;
+		$is_expired   = $expiration > 0 && $expiration < $now;
+
+		if ( $filter === 'expired' && ! $is_expired ) continue;
+		if ( $filter === 'active' && $is_expired ) continue;
+
+		$transients[] = array(
+			'key'        => $key,
+			'expiration' => $expiration ?: null,
+			'size_bytes' => (int) $row->value_size,
+		);
+	}
+
+	return new WP_REST_Response( array( 'transients' => $transients ), 200 );
+}
+
+/**
+ * POST /mcp-diagnostics/v1/password-reset
+ * Triggers a password reset email for a user.
+ */
+/**
+ * GET /mcp-diagnostics/v1/database-bloat
+ * Analyzes database bloat: revisions, expired transients, table sizes.
+ */
+function mcp_diagnostics_database_bloat( $request ) {
+	global $wpdb;
+
+	// Count revisions
+	$revision_count = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = 'revision'"
+	);
+
+	// Count auto-drafts
+	$autodraft_count = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = 'auto-draft'"
+	);
+
+	// Count trashed posts
+	$trash_count = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = 'trash'"
+	);
+
+	// Count spam comments
+	$spam_comments = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_approved = 'spam'"
+	);
+
+	// Count trashed comments
+	$trash_comments = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_approved = 'trash'"
+	);
+
+	// Count expired transients
+	$now = time();
+	$expired_transients = (int) $wpdb->get_var( $wpdb->prepare(
+		"SELECT COUNT(*) FROM {$wpdb->options} WHERE option_name LIKE %s AND option_value < %d",
+		$wpdb->esc_like( '_transient_timeout_' ) . '%',
+		$now
+	) );
+
+	// Total transients
+	$total_transients = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->options} WHERE option_name LIKE '_transient_%' AND option_name NOT LIKE '_transient_timeout_%'"
+	);
+
+	// Table sizes
+	$db_name = DB_NAME;
+	$tables  = $wpdb->get_results( $wpdb->prepare(
+		"SELECT table_name AS name, ROUND(((data_length + index_length) / 1024 / 1024), 2) AS size_mb, table_rows AS rows
+		 FROM information_schema.tables WHERE table_schema = %s ORDER BY (data_length + index_length) DESC LIMIT 20",
+		$db_name
+	) );
+
+	$total_size_mb = 0;
+	$table_report  = array();
+	foreach ( $tables as $t ) {
+		$total_size_mb += (float) $t->size_mb;
+		$table_report[] = array(
+			'table'   => $t->name,
+			'size_mb' => (float) $t->size_mb,
+			'rows'    => (int) $t->rows,
+		);
+	}
+
+	// Orphan postmeta
+	$orphan_postmeta = (int) $wpdb->get_var(
+		"SELECT COUNT(*) FROM {$wpdb->postmeta} pm LEFT JOIN {$wpdb->posts} p ON pm.post_id = p.ID WHERE p.ID IS NULL"
+	);
+
+	// Build recommendations
+	$recommendations = array();
+	if ( $revision_count > 100 ) {
+		$recommendations[] = "Delete old revisions ($revision_count found). Consider WP_POST_REVISIONS constant to limit.";
+	}
+	if ( $expired_transients > 50 ) {
+		$recommendations[] = "Clean expired transients ($expired_transients found). Use wp transient delete --expired via WP-CLI.";
+	}
+	if ( $autodraft_count > 20 ) {
+		$recommendations[] = "Remove auto-drafts ($autodraft_count found).";
+	}
+	if ( $spam_comments > 100 ) {
+		$recommendations[] = "Empty spam comments ($spam_comments found).";
+	}
+	if ( $orphan_postmeta > 100 ) {
+		$recommendations[] = "Clean orphan postmeta ($orphan_postmeta rows with no parent post).";
+	}
+	if ( $trash_count > 50 ) {
+		$recommendations[] = "Empty trash ($trash_count trashed posts).";
+	}
+
+	return new WP_REST_Response( array(
+		'revisions'           => $revision_count,
+		'auto_drafts'         => $autodraft_count,
+		'trashed_posts'       => $trash_count,
+		'spam_comments'       => $spam_comments,
+		'trashed_comments'    => $trash_comments,
+		'transients_total'    => $total_transients,
+		'transients_expired'  => $expired_transients,
+		'orphan_postmeta'     => $orphan_postmeta,
+		'database_size_mb'    => round( $total_size_mb, 2 ),
+		'tables'              => $table_report,
+		'recommendations'     => $recommendations,
+	), 200 );
+}
+
+function mcp_diagnostics_password_reset( $request ) {
+	$user_id = $request->get_param( 'user_id' );
+	$user    = get_userdata( $user_id );
+
+	if ( ! $user ) {
+		return new WP_Error(
+			'user_not_found',
+			__( 'User not found.' ),
+			array( 'status' => 404 )
+		);
+	}
+
+	// Generate reset key and send email
+	$key    = get_password_reset_key( $user );
+	if ( is_wp_error( $key ) ) {
+		return new WP_Error(
+			'reset_key_error',
+			__( 'Could not generate password reset key.' ),
+			array( 'status' => 500 )
+		);
+	}
+
+	$locale  = get_user_locale( $user );
+	$message = sprintf(
+		/* translators: %s: password reset URL */
+		__( 'Someone has requested a password reset for your account. Visit the following address to reset your password: %s' ),
+		network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' )
+	);
+
+	$title   = sprintf( __( '[%s] Password Reset' ), get_bloginfo( 'name' ) );
+	$sent    = wp_mail( $user->user_email, $title, $message );
+
+	if ( ! $sent ) {
+		return new WP_Error(
+			'email_failed',
+			__( 'Password reset email could not be sent.' ),
+			array( 'status' => 500 )
+		);
+	}
+
+	return new WP_REST_Response( array(
+		'success' => true,
+		'user_id' => $user_id,
+		'message' => 'Password reset email sent.',
+	), 200 );
+}
+
+/**
+ * GET /mcp-diagnostics/v1/hooks
+ * Lists registered actions and filters.
+ */
+function mcp_diagnostics_hooks( $request ) {
+	global $wp_filter, $wp_actions;
+
+	$type     = $request->get_param( 'type' );
+	$search   = $request->get_param( 'search' );
+	$per_page = $request->get_param( 'per_page' );
+
+	$hooks  = array();
+	$count  = 0;
+
+	$action_names = is_array( $wp_actions ) ? array_keys( $wp_actions ) : array();
+
+	foreach ( $wp_filter as $hook_name => $hook_obj ) {
+		if ( $count >= $per_page ) break;
+
+		if ( $search && strpos( $hook_name, $search ) === false ) continue;
+
+		$is_action = in_array( $hook_name, $action_names, true );
+		$hook_type = $is_action ? 'action' : 'filter';
+
+		if ( $type === 'actions' && ! $is_action ) continue;
+		if ( $type === 'filters' && $is_action ) continue;
+
+		$callbacks = array();
+		if ( $hook_obj instanceof WP_Hook ) {
+			foreach ( $hook_obj->callbacks as $priority => $funcs ) {
+				foreach ( $funcs as $func_data ) {
+					$func_name = mcp_diagnostics_get_callback_name( $func_data['function'] );
+					$callbacks[] = array(
+						'function'      => $func_name,
+						'priority'      => $priority,
+						'accepted_args' => $func_data['accepted_args'],
+					);
+				}
+			}
+		}
+
+		$hooks[] = array(
+			'name'      => $hook_name,
+			'type'      => $hook_type,
+			'callbacks' => $callbacks,
+		);
+
+		$count++;
+	}
+
+	return new WP_REST_Response( array( 'hooks' => $hooks ), 200 );
+}
+
+/**
+ * Convert a callback to a human-readable string.
+ */
+function mcp_diagnostics_get_callback_name( $callback ) {
+	if ( is_string( $callback ) ) {
+		return $callback;
+	}
+	if ( is_array( $callback ) && count( $callback ) === 2 ) {
+		$class  = is_object( $callback[0] ) ? get_class( $callback[0] ) : (string) $callback[0];
+		$method = $callback[1];
+		return $class . '::' . $method;
+	}
+	if ( $callback instanceof Closure ) {
+		return '{closure}';
+	}
+	return '{unknown}';
+}
+
+// ============================================================
+// Schema.org JSON-LD — REST endpoints + wp_head output
+// ============================================================
+
+/**
+ * Permission check for schema endpoints: require edit_posts capability.
+ */
+function mcp_diagnostics_schema_permission_check( $request ) {
+	if ( ! current_user_can( 'edit_posts' ) ) {
+		return new WP_Error(
+			'rest_forbidden',
+			__( 'Schema management requires edit_posts capability.' ),
+			array( 'status' => 403 )
+		);
+	}
+	return true;
+}
+
+/**
+ * Check if the site is in read-only mode.
+ */
+function mcp_diagnostics_is_read_only() {
+	if ( defined( 'WP_READ_ONLY' ) && WP_READ_ONLY ) {
+		return true;
+	}
+	if ( get_option( 'mcp_read_only', false ) ) {
+		return true;
+	}
+	return false;
+}
+
+/**
+ * GET /mcp-diagnostics/v1/schema/{post_id}
+ * Read the _custom_schema_jsonld meta for a post.
+ */
+function mcp_diagnostics_schema_get( $request ) {
+	$post_id = $request->get_param( 'post_id' );
+	$post    = get_post( $post_id );
+
+	if ( ! $post ) {
+		return new WP_Error( 'not_found', __( 'Post not found.' ), array( 'status' => 404 ) );
+	}
+
+	$schema = get_post_meta( $post_id, '_custom_schema_jsonld', true );
+
+	return new WP_REST_Response( array(
+		'post_id' => $post_id,
+		'schema'  => $schema ?: null,
+	), 200 );
+}
+
+/**
+ * POST /mcp-diagnostics/v1/schema/{post_id}
+ * Write the _custom_schema_jsonld meta for a post.
+ */
+function mcp_diagnostics_schema_set( $request ) {
+	if ( mcp_diagnostics_is_read_only() ) {
+		return new WP_Error( 'read_only', __( 'Site is in read-only mode.' ), array( 'status' => 403 ) );
+	}
+
+	$post_id = $request->get_param( 'post_id' );
+	$schema  = $request->get_param( 'schema' );
+	$post    = get_post( $post_id );
+
+	if ( ! $post ) {
+		return new WP_Error( 'not_found', __( 'Post not found.' ), array( 'status' => 404 ) );
+	}
+
+	// Validate JSON
+	$decoded = json_decode( $schema );
+	if ( json_last_error() !== JSON_ERROR_NONE ) {
+		return new WP_Error( 'invalid_json', __( 'Schema must be valid JSON.' ), array( 'status' => 400 ) );
+	}
+
+	update_post_meta( $post_id, '_custom_schema_jsonld', $schema );
+
+	return new WP_REST_Response( array(
+		'post_id' => $post_id,
+		'status'  => 'saved',
+		'schema'  => $schema,
+	), 200 );
+}
+
+/**
+ * DELETE /mcp-diagnostics/v1/schema/{post_id}
+ * Remove the _custom_schema_jsonld meta from a post.
+ */
+function mcp_diagnostics_schema_delete( $request ) {
+	if ( mcp_diagnostics_is_read_only() ) {
+		return new WP_Error( 'read_only', __( 'Site is in read-only mode.' ), array( 'status' => 403 ) );
+	}
+
+	$post_id = $request->get_param( 'post_id' );
+	$post    = get_post( $post_id );
+
+	if ( ! $post ) {
+		return new WP_Error( 'not_found', __( 'Post not found.' ), array( 'status' => 404 ) );
+	}
+
+	delete_post_meta( $post_id, '_custom_schema_jsonld' );
+
+	return new WP_REST_Response( array(
+		'post_id' => $post_id,
+		'status'  => 'deleted',
+	), 200 );
+}
+
+/**
+ * Output JSON-LD schema in wp_head for singular posts/pages.
+ */
+function mcp_schema_output_jsonld() {
+	if ( ! is_singular() ) {
+		return;
+	}
+
+	$post_id = get_the_ID();
+	if ( ! $post_id ) {
+		return;
+	}
+
+	$schema = get_post_meta( $post_id, '_custom_schema_jsonld', true );
+	if ( empty( $schema ) ) {
+		return;
+	}
+
+	// Validate JSON before outputting
+	$decoded = json_decode( $schema );
+	if ( json_last_error() !== JSON_ERROR_NONE ) {
+		return;
+	}
+
+	echo '<script type="application/ld+json">' . $schema . '</script>' . "\n";
+}
+
+// ============================================================
+// Polylang Free REST fallback endpoints
+// ============================================================
+
+/**
+ * GET /mcp-diagnostics/v1/polylang/languages
+ * Returns Polylang languages via pll_languages_list() if Polylang is active.
+ */
+function mcp_diagnostics_polylang_languages( $request ) {
+	if ( ! function_exists( 'pll_languages_list' ) ) {
+		return new WP_REST_Response( array(
+			'languages' => array(),
+			'message'   => 'Polylang is not active.',
+		), 200 );
+	}
+
+	$languages = array();
+	$pll_langs = PLL()->model->get_languages_list();
+
+	foreach ( $pll_langs as $lang ) {
+		$languages[] = array(
+			'slug'        => $lang->slug,
+			'name'        => $lang->name,
+			'native_name' => $lang->name,
+			'locale'      => $lang->locale,
+			'is_default'  => (bool) $lang->is_default,
+			'home_url'    => $lang->home_url ?? null,
+			'flag'        => $lang->flag_url ?? null,
+		);
+	}
+
+	return new WP_REST_Response( array( 'languages' => $languages ), 200 );
+}
+
+/**
+ * GET /mcp-diagnostics/v1/polylang/translations/{post_id}
+ * Returns {lang_code: post_id} via pll_get_post() for each language.
+ */
+function mcp_diagnostics_polylang_translations( $request ) {
+	$post_id = $request->get_param( 'post_id' );
+
+	if ( ! function_exists( 'pll_get_post' ) || ! function_exists( 'pll_languages_list' ) ) {
+		return new WP_REST_Response( array(
+			'post_id'      => $post_id,
+			'translations' => array(),
+			'message'      => 'Polylang is not active.',
+		), 200 );
+	}
+
+	$post = get_post( $post_id );
+	if ( ! $post ) {
+		return new WP_Error( 'not_found', __( 'Post not found.' ), array( 'status' => 404 ) );
+	}
+
+	$translations = array();
+	$lang_slugs   = pll_languages_list( array( 'fields' => 'slug' ) );
+
+	foreach ( $lang_slugs as $slug ) {
+		$tr_id = pll_get_post( $post_id, $slug );
+		if ( $tr_id ) {
+			$translations[ $slug ] = (int) $tr_id;
+		}
+	}
+
+	return new WP_REST_Response( array(
+		'post_id'      => $post_id,
+		'translations' => $translations,
+	), 200 );
+}
+
+// ============================================================
+// Security Audit endpoints
+// ============================================================
+
+/**
+ * GET /mcp-diagnostics/v1/user-activity
+ * Returns last login/activity timestamps for administrator users.
+ */
+function mcp_diagnostics_user_activity( $request ) {
+	$admins = get_users( array( 'role' => 'administrator', 'number' => 100 ) );
+	$results = array();
+
+	foreach ( $admins as $user ) {
+		$last_login = null;
+
+		// Try common last_login meta keys
+		$meta_keys = array( 'last_login', 'wfls-last-login', 'woocommerce_last_active' );
+		foreach ( $meta_keys as $key ) {
+			$val = get_user_meta( $user->ID, $key, true );
+			if ( $val ) {
+				$last_login = is_numeric( $val ) ? gmdate( 'c', (int) $val ) : $val;
+				break;
+			}
+		}
+
+		// Fallback: session_tokens (last key timestamp)
+		if ( ! $last_login ) {
+			$sessions = get_user_meta( $user->ID, 'session_tokens', true );
+			if ( is_array( $sessions ) && ! empty( $sessions ) ) {
+				$latest = 0;
+				foreach ( $sessions as $token ) {
+					if ( isset( $token['login'] ) && $token['login'] > $latest ) {
+						$latest = $token['login'];
+					}
+				}
+				if ( $latest > 0 ) {
+					$last_login = gmdate( 'c', $latest );
+				}
+			}
+		}
+
+		$results[] = array(
+			'user_id'     => $user->ID,
+			'login'       => $user->user_login,
+			'email'       => $user->user_email,
+			'last_login'  => $last_login,
+			'last_active' => $last_login,
+		);
+	}
+
+	return new WP_REST_Response( array( 'users' => $results ), 200 );
+}
+
+/**
+ * GET /mcp-diagnostics/v1/file-permissions
+ * Checks permissions of critical WordPress files and directories.
+ */
+function mcp_diagnostics_file_permissions( $request ) {
+	$checks = array(
+		array( 'path' => ABSPATH . 'wp-config.php', 'recommended' => '400', 'max_safe' => '440' ),
+		array( 'path' => ABSPATH . '.htaccess', 'recommended' => '644', 'max_safe' => '644' ),
+		array( 'path' => WP_CONTENT_DIR . '/uploads', 'recommended' => '755', 'max_safe' => '755' ),
+		array( 'path' => ABSPATH . WPINC, 'recommended' => '755', 'max_safe' => '755' ),
+		array( 'path' => ABSPATH . 'wp-admin', 'recommended' => '755', 'max_safe' => '755' ),
+	);
+
+	$files = array();
+	foreach ( $checks as $check ) {
+		$path = $check['path'];
+		$exists = file_exists( $path );
+		$perm_octal = '';
+		$perm_human = '';
+
+		if ( $exists ) {
+			$perms = fileperms( $path );
+			$perm_octal = decoct( $perms & 0777 );
+			// Build human-readable
+			$perm_human = '';
+			$perm_human .= ( $perms & 0x0100 ) ? 'r' : '-';
+			$perm_human .= ( $perms & 0x0080 ) ? 'w' : '-';
+			$perm_human .= ( $perms & 0x0040 ) ? 'x' : '-';
+			$perm_human .= ( $perms & 0x0020 ) ? 'r' : '-';
+			$perm_human .= ( $perms & 0x0010 ) ? 'w' : '-';
+			$perm_human .= ( $perms & 0x0008 ) ? 'x' : '-';
+			$perm_human .= ( $perms & 0x0004 ) ? 'r' : '-';
+			$perm_human .= ( $perms & 0x0002 ) ? 'w' : '-';
+			$perm_human .= ( $perms & 0x0001 ) ? 'x' : '-';
+		}
+
+		$files[] = array(
+			'path'             => str_replace( ABSPATH, '', $path ),
+			'permission_octal' => $perm_octal,
+			'permission_human' => $perm_human,
+			'recommended'      => $check['recommended'],
+			'exists'           => $exists,
+		);
+	}
+
+	return new WP_REST_Response( array( 'files' => $files ), 200 );
+}
+
+/**
+ * GET /mcp-diagnostics/v1/modified-files
+ * Lists recently modified files in wp-content subdirectories.
+ */
+function mcp_diagnostics_modified_files( $request ) {
+	$days       = $request->get_param( 'days' );
+	$paths_str  = $request->get_param( 'paths' );
+	$ext_str    = $request->get_param( 'extensions' );
+	$since      = strtotime( "-{$days} days" );
+	$paths      = array_map( 'trim', explode( ',', $paths_str ) );
+	$extensions = array_map( 'trim', explode( ',', $ext_str ) );
+	$max_files  = 500;
+	$results    = array();
+
+	foreach ( $paths as $rel_path ) {
+		$dir = WP_CONTENT_DIR . '/' . $rel_path;
+		if ( ! is_dir( $dir ) ) {
+			continue;
+		}
+
+		$iterator = new RecursiveIteratorIterator(
+			new RecursiveDirectoryIterator( $dir, RecursiveDirectoryIterator::SKIP_DOTS ),
+			RecursiveIteratorIterator::SELF_FIRST
+		);
+
+		foreach ( $iterator as $file ) {
+			if ( count( $results ) >= $max_files ) {
+				break 2;
+			}
+			if ( ! $file->isFile() ) {
+				continue;
+			}
+
+			$ext = '.' . $file->getExtension();
+			if ( ! in_array( $ext, $extensions, true ) ) {
+				continue;
+			}
+
+			$mtime = $file->getMTime();
+			if ( $mtime < $since ) {
+				continue;
+			}
+
+			$full_path = $file->getPathname();
+			$rel       = str_replace( ABSPATH, '', $full_path );
+
+			$results[] = array(
+				'path'        => $rel,
+				'modified_at' => gmdate( 'c', $mtime ),
+				'size'        => $file->getSize(),
+				'extension'   => $ext,
+			);
+		}
+	}
+
+	// Sort by modification time descending
+	usort( $results, function( $a, $b ) {
+		return strtotime( $b['modified_at'] ) - strtotime( $a['modified_at'] );
+	} );
+
+	return new WP_REST_Response( array( 'files' => $results ), 200 );
+}
+
+// ============================================================
+// WooCommerce Intelligence endpoints
+// ============================================================
+
+/**
+ * GET /mcp-diagnostics/v1/wc-abandoned-carts
+ * Detects abandoned cart data from available sources.
+ */
+function mcp_diagnostics_wc_abandoned_carts( $request ) {
+	global $wpdb;
+
+	$days      = $request->get_param( 'days' );
+	$min_value = $request->get_param( 'min_value' );
+	$since     = time() - ( $days * 86400 );
+	$max_carts = 1000;
+
+	// Source 1: Abandoned Cart Lite/Pro plugin table
+	$ac_table = $wpdb->prefix . 'ac_abandoned_cart_history';
+	if ( $wpdb->get_var( $wpdb->prepare( 'SHOW TABLES LIKE %s', $ac_table ) ) === $ac_table ) {
+		$rows = $wpdb->get_results( $wpdb->prepare(
+			"SELECT id, abandoned_cart_info, abandoned_cart_time, cart_total
+			 FROM {$ac_table}
+			 WHERE abandoned_cart_time >= %d
+			 AND recovered_cart = 0
+			 ORDER BY abandoned_cart_time DESC
+			 LIMIT %d",
+			$since,
+			$max_carts
+		) );
+
+		$carts = array();
+		foreach ( $rows as $row ) {
+			$value = floatval( $row->cart_total );
+			if ( $value < $min_value ) continue;
+			$info     = maybe_unserialize( $row->abandoned_cart_info );
+			$products = array();
+			if ( is_array( $info ) ) {
+				foreach ( $info as $item ) {
+					$products[] = array(
+						'product_id' => isset( $item['product_id'] ) ? (int) $item['product_id'] : 0,
+						'name'       => isset( $item['product_name'] ) ? $item['product_name'] : '',
+						'quantity'   => isset( $item['quantity'] ) ? (int) $item['quantity'] : 1,
+					);
+				}
+			}
+			$carts[] = array(
+				'cart_value'   => $value,
+				'abandoned_at' => gmdate( 'c', (int) $row->abandoned_cart_time ),
+				'products'     => $products,
+			);
+		}
+
+		return new WP_REST_Response( array(
+			'available' => true,
+			'source'    => 'abandoned_cart_plugin',
+			'carts'     => $carts,
+		), 200 );
+	}
+
+	// Source 2: CartFlows plugin table
+	$cf_table = $wpdb->prefix . 'cartflows_ca_cart_abandonment';
+	if ( $wpdb->get_var( $wpdb->prepare( 'SHOW TABLES LIKE %s', $cf_table ) ) === $cf_table ) {
+		$rows = $wpdb->get_results( $wpdb->prepare(
+			"SELECT id, cart_contents, cart_total, time
+			 FROM {$cf_table}
+			 WHERE time >= %s
+			 AND order_status = 'abandoned'
+			 ORDER BY time DESC
+			 LIMIT %d",
+			gmdate( 'Y-m-d H:i:s', $since ),
+			$max_carts
+		) );
+
+		$carts = array();
+		foreach ( $rows as $row ) {
+			$value = floatval( $row->cart_total );
+			if ( $value < $min_value ) continue;
+			$contents = maybe_unserialize( $row->cart_contents );
+			$products = array();
+			if ( is_array( $contents ) ) {
+				foreach ( $contents as $item ) {
+					$products[] = array(
+						'product_id' => isset( $item['product_id'] ) ? (int) $item['product_id'] : 0,
+						'name'       => isset( $item['name'] ) ? $item['name'] : '',
+						'quantity'   => isset( $item['quantity'] ) ? (int) $item['quantity'] : 1,
+					);
+				}
+			}
+			$carts[] = array(
+				'cart_value'   => $value,
+				'abandoned_at' => $row->time,
+				'products'     => $products,
+			);
+		}
+
+		return new WP_REST_Response( array(
+			'available' => true,
+			'source'    => 'cartflows',
+			'carts'     => $carts,
+		), 200 );
+	}
+
+	// Source 3: WooCommerce native sessions
+	$wc_table = $wpdb->prefix . 'woocommerce_sessions';
+	if ( $wpdb->get_var( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wc_table ) ) === $wc_table ) {
+		$rows = $wpdb->get_results( $wpdb->prepare(
+			"SELECT session_key, session_value, session_expiry
+			 FROM {$wc_table}
+			 WHERE session_expiry >= %d
+			 ORDER BY session_expiry DESC
+			 LIMIT %d",
+			$since,
+			$max_carts
+		) );
+
+		$carts = array();
+		foreach ( $rows as $row ) {
+			$session_data = maybe_unserialize( $row->session_value );
+			if ( ! is_array( $session_data ) || empty( $session_data['cart'] ) ) {
+				continue;
+			}
+			$cart_data = maybe_unserialize( $session_data['cart'] );
+			if ( ! is_array( $cart_data ) || empty( $cart_data ) ) {
+				continue;
+			}
+
+			$cart_value = 0;
+			$products   = array();
+			foreach ( $cart_data as $item ) {
+				$price = isset( $item['line_total'] ) ? floatval( $item['line_total'] ) : 0;
+				$cart_value += $price;
+				$products[] = array(
+					'product_id' => isset( $item['product_id'] ) ? (int) $item['product_id'] : 0,
+					'name'       => '',
+					'quantity'   => isset( $item['quantity'] ) ? (int) $item['quantity'] : 1,
+				);
+			}
+
+			if ( $cart_value < $min_value ) continue;
+
+			$carts[] = array(
+				'cart_value'   => round( $cart_value, 2 ),
+				'abandoned_at' => gmdate( 'c', (int) $row->session_expiry ),
+				'products'     => $products,
+			);
+		}
+
+		return new WP_REST_Response( array(
+			'available' => true,
+			'source'    => 'wc_sessions',
+			'carts'     => $carts,
+		), 200 );
+	}
+
+	// No source available
+	return new WP_REST_Response( array( 'available' => false ), 200 );
+}