@diviops/mcp-server 0.2.18 → 0.2.20

package/README.md

@@ -9,7 +9,8 @@ Claude Code <-> MCP Server (stdio) <-> WordPress REST API <-> Divi MCP Plugin
 ## Requirements
 
 - **Node.js** >= 18.0.0
-- **WordPress** >= 5.6 (Application Passwords support)
+- **PHP** >= 7.4
+- **WordPress** >= 6.5
 - **Divi 5** theme active
 - **DiviOps Agent** WordPress plugin installed and active
 
@@ -175,6 +176,8 @@ Read-only commands plus non-destructive writes needed for core MCP functionality
 | Cache | `cache flush`, `transient delete`, `rewrite flush` |
 | Export | `export` (WXR data export to file) |
 | Info | `cron event list`, `plugin list`, `theme list`, `menu list`, `site url` |
+| Core (read-only) | `core version`, `core check-update`, `core is-installed`, `core verify-checksums`, `core language list` |
+| DB (introspection) | `db columns`, `db size`, `db tables`, `db check`, `db search` |
 
 ### Extended commands (opt-in)
 

package/dist/wp-client.js

@@ -5,6 +5,93 @@
  * Generate one at: WP Admin → Users → Your Profile → Application Passwords.
  */
 import { MIN_PLUGIN_VERSION, compareVersions, } from './compatibility.js';
+/**
+ * Normalize quote-escape pathologies inside `$variable(...)$` token regions only.
+ *
+ * Divi block-attrs JSON uses `\"` (2-byte: backslash + quote) for inner quotes
+ * inside variable token payloads. Three pathological forms can leak in through
+ * callers and silently break the WP block parser at write time.
+ *
+ * Over-escape (existing #395/#396 fix). Two forms produced when callers
+ * round-trip pre-existing broken bytes:
+ *   - `\u005cu0022` (11 bytes literal) — the
+ *     mass-corruption form (backslash itself unicode-escaped, observed in the
+ *     wild on Divi 5.3.x sites)
+ *   - `\\u0022`     (7 bytes literal: 2 backslashes + `u0022`) — produced when
+ *     a caller passes the 6-byte unicode-escape form through an extra
+ *     JSON-encoding layer
+ *   These cause render-only failure: the resolver can't decode the token, and
+ *   attr paths like `background.color`, `spacing.margin`, `border.color`,
+ *   `layout.columnGap` silently fall through to defaults (or leak literal
+ *   `0022` into emitted CSS).
+ *
+ * Under-escape (#409 fix). One form produced when an agent transcribes
+ * `get_section` markup (which emits inner quotes as `"` HTML entities) and
+ * a layer in the agent → MCP → WP pipeline strips one level of escaping:
+ *   - bare `"` (1 byte) — the inner quote loses its `\` prefix and prematurely
+ *     terminates the OUTER block-attrs string at parse time. The WP block
+ *     parser then silently drops ALL attrs from the affected module. Section
+ *     appears to save (`success: true`) but renders empty / broken.
+ *
+ * We normalize defensively so any write — clean, pre-broken, or
+ * agent-transcribed — settles on canonical 2-byte `\"`.
+ *
+ * Order matters: collapse over-escapes first, then escape under-escapes. The
+ * negative lookbehind on the under-escape rule skips `\"` produced by the
+ * over-escape pass (and any already-canonical input). Idempotent.
+ *
+ * Scope is intentionally narrow: rewrites only happen inside `$variable(...)$`
+ * regions (Divi's actual resolver boundary). Bytes outside those regions —
+ * arbitrary user text, code samples, string-variable values that happen to
+ * contain `\u005cu0022`, `\\u0022`, or bare `"` — are left untouched.
+ */
+function normalizeQuoteEscapes(s) {
+    return s.replace(/\$variable\([^$]*?\)\$/g, (token) => {
+        // Pass 1: collapse over-escaped forms (#395/#396) to canonical \"
+        let normalized = token.replace(/(?:\\u005cu0022|\\\\u0022)/g, '\\"');
+        // Pass 2: escape any bare " (#409) to canonical \" — negative lookbehind
+        // skips properly-escaped quotes produced by Pass 1 or already canonical.
+        normalized = normalized.replace(/(?<!\\)"/g, '\\"');
+        return normalized;
+    });
+}
+/**
+ * Body keys whose values (and descendants) carry Divi block markup or block
+ * attribute trees, where `$variable(...)$` token-region normalization is the
+ * intended behavior. Strings reachable only through other top-level keys
+ * — variable values, labels, match-text predicates, descriptions, etc.
+ * — are passed through verbatim so a literal `$variable({"x":"y"})$`
+ * docs example in a `string_variable_value` is preserved (#409 review:
+ * Codex-flagged regression — without this scoping, the bare-quote pass would
+ * silently rewrite literal token-shaped substrings in user-prose fields).
+ */
+const BLOCK_CONTENT_KEYS = new Set([
+    'content', // update_page_content, render_preview, validate_blocks,
+    // append_section, replace_section, update_tb_layout,
+    // save_to_library, create_page
+    'attrs', // update_module — attr values embedded in block JSON
+    'header_content', // create_tb_template
+    'footer_content', // create_tb_template
+]);
+function normalizeBody(value, withinBlockTree = false) {
+    if (typeof value === 'string') {
+        return withinBlockTree ? normalizeQuoteEscapes(value) : value;
+    }
+    if (Array.isArray(value))
+        return value.map((v) => normalizeBody(v, withinBlockTree));
+    // Restrict recursion to plain objects so Date / RegExp / class instances
+    // with custom `toJSON` keep their canonical serialization.
+    if (value &&
+        typeof value === 'object' &&
+        Object.getPrototypeOf(value) === Object.prototype) {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[k] = normalizeBody(v, withinBlockTree || BLOCK_CONTENT_KEYS.has(k));
+        }
+        return out;
+    }
+    return value;
+}
 export class WPClient {
     baseUrl;
     authHeader;
@@ -34,7 +121,7 @@ export class WPClient {
             },
         };
         if (body && method !== 'GET') {
-            fetchOptions.body = JSON.stringify(body);
+            fetchOptions.body = JSON.stringify(normalizeBody(body));
         }
         const response = await fetch(url, fetchOptions);
         if (!response.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@diviops/mcp-server",
-  "version": "0.2.18",
+  "version": "0.2.20",
   "description": "MCP server exposing Divi 5 Visual Builder as tools for Claude",
   "type": "module",
   "main": "dist/index.js",