@diviops/mcp-server 0.2.17 → 0.2.19

package/README.md

@@ -9,7 +9,8 @@ Claude Code <-> MCP Server (stdio) <-> WordPress REST API <-> Divi MCP Plugin
 ## Requirements
 
 - **Node.js** >= 18.0.0
-- **WordPress** >= 5.6 (Application Passwords support)
+- **PHP** >= 7.4
+- **WordPress** >= 6.5
 - **Divi 5** theme active
 - **DiviOps Agent** WordPress plugin installed and active
 
@@ -175,6 +176,8 @@ Read-only commands plus non-destructive writes needed for core MCP functionality
 | Cache | `cache flush`, `transient delete`, `rewrite flush` |
 | Export | `export` (WXR data export to file) |
 | Info | `cron event list`, `plugin list`, `theme list`, `menu list`, `site url` |
+| Core (read-only) | `core version`, `core check-update`, `core is-installed`, `core verify-checksums`, `core language list` |
+| DB (introspection) | `db columns`, `db size`, `db tables`, `db check`, `db search` |
 
 ### Extended commands (opt-in)
 

package/dist/compatibility.d.ts

@@ -2,7 +2,7 @@
  * Version compatibility between MCP server and WP plugin.
  */
 /** Minimum WP plugin version this server requires. */
-export declare const MIN_PLUGIN_VERSION = "1.0.0-beta.35";
+export declare const MIN_PLUGIN_VERSION = "1.0.0-beta.36";
 /**
  * Compare two semver-like version strings (supports pre-release tags).
  *

package/dist/compatibility.js

@@ -2,7 +2,7 @@
  * Version compatibility between MCP server and WP plugin.
  */
 /** Minimum WP plugin version this server requires. */
-export const MIN_PLUGIN_VERSION = '1.0.0-beta.35';
+export const MIN_PLUGIN_VERSION = '1.0.0-beta.36';
 /**
  * Compare two semver-like version strings (supports pre-release tags).
  *

package/dist/index.js

@@ -726,7 +726,7 @@ server.registerTool("diviops_preset_create", {
     };
 });
 server.registerTool("diviops_preset_reassign", {
-    description: 'Reassign a preset UUID across page content. Covers both module-level refs (`attrs.modulePreset[...]`) and attribute-level group-preset refs (`attrs.groupPreset.<slot>.presetId`), plus — for group presets — registry chain refs: module-bucket presets via top-level `groupPresets.<slot>.presetId`, group-bucket presets via `attrs.groupPreset.<slot>.presetId`. The `scope` param controls which ref types are walked (default "both", auto-selects based on new_uuid\'s bucket). Cross-bucket swaps (module ↔ group) are rejected. For module-scope swaps, optionally strips inline attrs that duplicate the new preset\'s attrs (otherwise inline wins over preset); slot-scoped inline strip for group scope is not yet implemented and is skipped with an advisory. Defaults to dry-run — set mode="apply" to actually rewrite. Use this to consolidate repeated inline styling into a reusable preset after creating one with diviops_preset_create.',
+    description: 'Reassign a preset UUID across page content. Covers both module-level refs (`attrs.modulePreset[...]`) and attribute-level group-preset refs (`attrs.groupPreset.<slot>.presetId`), plus — for group presets — registry chain refs: module-bucket presets via top-level `groupPresets.<slot>.presetId`, group-bucket presets via `attrs.groupPreset.<slot>.presetId`. The `scope` param controls which ref types are walked (default "both", auto-selects based on new_uuid\'s bucket). Cross-bucket swaps (module ↔ group) are rejected. When `strip_inline=true` (default), strips inline attrs that duplicate the new preset\'s attrs (otherwise inline wins over preset): for module scope, strips from block root; for group scope, strips per-slot using Divi\'s own slot→target-path resolver (handles composite button groups, `-id-classes` suffix, FormField/checkbox/radio `attrName` mappings, cross-module translation). Both scopes enforce a singular-stack guard (skip strip when slot holds multiple presets). Unmappable group slots skip strip and emit a per-slot advisory at `summary.strip_advisory_per_slot[<module>::<slot>]`; neighbor slots are unaffected. Defaults to dry-run — set mode="apply" to actually rewrite. Use this to consolidate repeated inline styling into a reusable preset after creating one with diviops_preset_create.',
     inputSchema: {
         old_uuid: z
             .string()
@@ -747,7 +747,7 @@ server.registerTool("diviops_preset_reassign", {
             .boolean()
             .optional()
             .default(true)
-            .describe("If true (default), strip inline attrs that deep-equal the new preset's attrs so the preset actually takes effect. Applies to module-scope swaps only; group-scope swaps currently skip strip with an advisory in the summary. Set false to swap UUIDs only."),
+            .describe("If true (default), strip inline attrs that deep-equal the new preset's attrs so the preset actually takes effect. Applies to both module-scope (block-root strip) and group-scope (per-slot strip via Divi's target-path resolver). Singular-stack guard enforced at both scopes — strip is skipped when the modulePreset stack or a groupPreset slot holds multiple presets. Unmappable group slots skip strip with a per-slot advisory. Set false to swap UUIDs only."),
         scope: z
             .enum(["module", "group", "both"])
             .optional()

package/dist/wp-client.js

@@ -5,6 +5,48 @@
  * Generate one at: WP Admin → Users → Your Profile → Application Passwords.
  */
 import { MIN_PLUGIN_VERSION, compareVersions, } from './compatibility.js';
+/**
+ * Normalize over-escaped variable-token quote sequences inside `$variable(...)$`
+ * token regions only.
+ *
+ * Divi block-attrs JSON uses `\"` (2-byte) for inner quotes inside Divi variable
+ * tokens. Two over-escaped forms can leak in via callers that round-trip
+ * pre-existing broken bytes:
+ *   - `\u0022` (11 bytes literal) — the mass-corruption form (backslash
+ *     itself unicode-escaped, observed in the wild on Divi 5.3.x sites)
+ *   - `\\u0022`     (7 bytes literal) — produced when a caller passes the
+ *     6-byte `"` form through an extra JSON-encoding layer
+ *
+ * Both decode to the same value after Divi's resolver, but cause render asymmetry
+ * across attr paths (`background.color`, `spacing.margin`, `border.color`,
+ * `layout.columnGap` silently fail to resolve). We normalize defensively so any
+ * write — clean or pre-broken — settles on canonical bytes.
+ *
+ * Scope is intentionally narrow: rewrites only happen inside `$variable(...)$`
+ * regions (Divi's actual resolver boundary). Bytes outside those regions —
+ * arbitrary user text, code samples, string-variable values that happen to
+ * contain `\u0022` — are left untouched.
+ */
+function normalizeQuoteEscapes(s) {
+    return s.replace(/\$variable\([^$]*?\)\$/g, (token) => token.replace(/(?:\\u005cu0022|\\\\u0022)/g, '\\"'));
+}
+function normalizeBody(value) {
+    if (typeof value === 'string')
+        return normalizeQuoteEscapes(value);
+    if (Array.isArray(value))
+        return value.map(normalizeBody);
+    // Restrict recursion to plain objects so Date / RegExp / class instances
+    // with custom `toJSON` keep their canonical serialization.
+    if (value &&
+        typeof value === 'object' &&
+        Object.getPrototypeOf(value) === Object.prototype) {
+        const out = {};
+        for (const [k, v] of Object.entries(value))
+            out[k] = normalizeBody(v);
+        return out;
+    }
+    return value;
+}
 export class WPClient {
     baseUrl;
     authHeader;
@@ -34,7 +76,7 @@ export class WPClient {
             },
         };
         if (body && method !== 'GET') {
-            fetchOptions.body = JSON.stringify(body);
+            fetchOptions.body = JSON.stringify(normalizeBody(body));
         }
         const response = await fetch(url, fetchOptions);
         if (!response.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@diviops/mcp-server",
-  "version": "0.2.17",
+  "version": "0.2.19",
   "description": "MCP server exposing Divi 5 Visual Builder as tools for Claude",
   "type": "module",
   "main": "dist/index.js",