@mangerik/wordpress-mcp 0.1.0 → 0.1.2

package/CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.2] - 2026-05-17
+
+### Added
+- `SECURITY.md` documenting supply chain practices and reporting policy.
+- GitHub Actions workflows for CI (test on Node 18/20/22) and tag-triggered
+  publish with `--provenance` (npm provenance via OIDC).
+
+### Changed
+- Documented the GitHub Actions release flow as the recommended path; local
+  publish is now positioned as a fallback.
+
+## [0.1.1] - 2026-05-17
+
+### Added
+- `docs/USAGE.md` — bilingual (Indonesian + English) prompt examples covering
+  authoring, audit, WooCommerce, SEO, block themes, batch, and multisite.
+- `docs/TOOLS.md` — auto-generated reference for all 96 tools, complete with
+  argument tables, types, and read-only / destructive hints.
+- `npm run docs` script that regenerates `docs/TOOLS.md` from the running
+  server (also runs automatically before publish).
+- `docs/` is now shipped in the npm tarball.
+
 ## [0.1.0] - 2026-05-17
 
 Initial public preview. Tagged `beta` on npm while we collect feedback from

package/README.md

@@ -1,5 +1,9 @@
 # WordPress MCP Server
 
+<p align="center">
+  <img src="https://raw.githubusercontent.com/mangerik/WordPress-MCP/main/assets/cover.jpg" alt="WordPress MCP Server" width="100%" />
+</p>
+
 A [Model Context Protocol](https://modelcontextprotocol.io) server that lets any MCP-compatible AI client (Claude Desktop, Kiro, Cursor, Continue, etc.) read and manage a WordPress site through the official REST API.
 
 ## Features
@@ -37,7 +41,7 @@ npx -y @mangerik/wordpress-mcp
 ### From source
 
 ```bash
-git clone https://github.com/mangerik/wordpress-mcp.git
+git clone https://github.com/mangerik/WordPress-MCP.git
 cd wordpress-mcp
 npm install
 npm run build
@@ -225,6 +229,20 @@ Both plugins store SEO data in post meta with different keys; one uniform tool r
 ### JWT diagnostics (only in JWT mode)
 - `wp_jwt_validate` — validate the active token via `/jwt-auth/v1/token/validate`.
 
+## Documentation
+
+- 📖 **[USAGE.md](docs/USAGE.md)** — Real-world prompt examples (Indonesian + English): authoring, audit, WooCommerce, SEO, batch, multisite, etc.
+- 📚 **[TOOLS.md](docs/TOOLS.md)** — Full reference for all 96 tools with arguments, types, and hints. Auto-generated from the running server.
+- 🔒 **[SECURITY.md](SECURITY.md)** — Supply chain practices (npm provenance, no install scripts, 2FA) and how to report vulnerabilities.
+
+## Notes & gotchas
+
+- **`status` defaults to `draft`** for `wp_create_post` / `wp_create_page`. Override explicitly if you really want to publish.
+- **Custom fields (`meta`)** must be registered server-side with `register_post_meta(..., 'show_in_rest' => true)` to be writable through REST.
+- **Use `_fields`** to slim responses — e.g. `_fields: "id,title,slug"` cuts response size by ~80% for list calls.
+- **`context=edit`** is required to receive raw (unfiltered) content for round-tripping through `wp_update_post`.
+- The server logs to **stderr only**. Stdout is reserved for JSON-RPC framing.
+
 ## Resources
 
 | URI | What |
@@ -243,14 +261,6 @@ Both plugins store SEO data in post meta with different keys; one uniform tool r
 | `translate_page` | `page_id`, `target_language`, `create_new?` |
 | `draft_post` | `topic`, `tone?`, `word_count?` |
 
-## Notes & gotchas
-
-- **`status` defaults to `draft`** for `wp_create_post` / `wp_create_page`. Override explicitly if you really want to publish.
-- **Custom fields (`meta`)** must be registered server-side with `register_post_meta(..., 'show_in_rest' => true)` to be writable through REST.
-- **Use `_fields`** to slim responses — e.g. `_fields: "id,title,slug"` cuts response size by ~80% for list calls.
-- **`context=edit`** is required to receive raw (unfiltered) content for round-tripping through `wp_update_post`.
-- The server logs to **stderr only**. Stdout is reserved for JSON-RPC framing.
-
 ## License
 
 MIT

package/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security issue, **please do not open a public GitHub issue**.
+Instead, email the maintainer directly:
+
+📧 erikhidayatullah23@gmail.com
+
+We aim to respond within 7 days and disclose responsibly once a fix is shipped.
+
+## Supply chain practices
+
+This package follows these supply chain security measures:
+
+- **npm provenance** — every release is signed via [npm's provenance feature](https://docs.npmjs.com/generating-provenance-statements)
+  using GitHub Actions OIDC, so consumers can cryptographically verify each
+  tarball was built from a specific commit in the public repo.
+- **No install / postinstall scripts** — the package never executes code on
+  install.
+- **No native bindings** — pure TypeScript / JavaScript, easy to audit.
+- **2FA on npm publish** — the maintainer's npm account requires two-factor
+  authentication for write actions.
+- **Pinned dependencies** — runtime deps are kept to four well-known packages
+  (`@modelcontextprotocol/sdk`, `axios`, `form-data`, `zod`). No transitive
+  surprises from one-letter abandoned modules.
+- **Reproducible builds** — `npm pack --dry-run` produces a deterministic
+  list; CI runs `typecheck → build → smoke → docs` before every publish.
+
+## Verifying a published version
+
+```bash
+# Inspect the provenance attestation:
+npm audit signatures
+
+# Or for a specific install:
+npm install @mangerik/wordpress-mcp
+npx @npmcli/get-provenance @mangerik/wordpress-mcp
+```
+
+If `npm audit signatures` reports anything other than “verified”, do not
+trust that install — please report to the email above.