@mangerik/wordpress-mcp 0.1.0

package/.env.example

@@ -0,0 +1,32 @@
+# ── Required: where to connect ───────────────────────────────────────────
+WP_URL=https://example.com
+
+# ── Auth mode: 'application_password' (default) or 'jwt' ─────────────────
+WP_AUTH_MODE=application_password
+
+# Application Password mode (recommended; built into WP core)
+WP_USERNAME=your-wp-username
+# Application Password from: WP Admin → Users → Profile → Application Passwords
+# Spaces are fine and should be preserved.
+WP_APP_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
+
+# JWT mode (requires the "JWT Authentication for WP REST API" plugin or compatible)
+# Either supply WP_USERNAME + WP_PASSWORD (server fetches a token at startup),
+# or supply WP_JWT_TOKEN directly.
+# WP_PASSWORD=
+# WP_JWT_TOKEN=
+# WP_JWT_NAMESPACE=jwt-auth/v1
+
+# ── Optional: tuning ─────────────────────────────────────────────────────
+WP_TIMEOUT_MS=30000
+WP_MAX_RETRIES=3
+# Set to "false" only for local dev with self-signed certificates
+WP_VERIFY_SSL=true
+WP_USER_AGENT=WordPress-MCP-Server/1.0
+
+# ── Optional: WooCommerce dedicated credentials ──────────────────────────
+# Generate at: WC Admin → Settings → Advanced → REST API → Add key.
+# When set, /wc/* and /wc-analytics/* requests use these instead of the
+# Application Password (the WP user no longer needs `manage_woocommerce`).
+WC_CONSUMER_KEY=
+WC_CONSUMER_SECRET=

package/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-05-17
+
+Initial public preview. Tagged `beta` on npm while we collect feedback from
+real WordPress installations. API surface may evolve before 1.0.0.
+
+### Added
+- Initial release.
+- Application Password and JWT auth modes.
+- 95+ MCP tools spanning posts, pages, media, comments, taxonomies, users,
+  settings, search, custom post types, WooCommerce, Yoast / Rank Math SEO,
+  block themes (templates, parts, patterns, global styles, menus), multisite,
+  the WP 5.6+ batch endpoint, and JWT diagnostics.
+- Resources: `wp://site`, `wp://post/{id}`, `wp://page/{id}`, `wp://media/{id}`.
+- Prompts: `summarize_post`, `seo_rewrite`, `translate_page`, `draft_post`.
+- Auto-retry on 408/425/429/5xx with `Retry-After` honored.
+- WooCommerce consumer key/secret auth path for `/wc/*` routes.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mangerik
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,256 @@
+# WordPress MCP Server
+
+A [Model Context Protocol](https://modelcontextprotocol.io) server that lets any MCP-compatible AI client (Claude Desktop, Kiro, Cursor, Continue, etc.) read and manage a WordPress site through the official REST API.
+
+## Features
+
+- **30+ tools** covering posts, pages, media, comments, categories, tags, users, settings, search, and revisions.
+- **Generic CPT tools** (`wp_list_items`, `wp_get_item`, `wp_create_item`, `wp_update_item`, `wp_delete_item`) for any custom post type, custom taxonomy, or third-party namespace (WooCommerce, ACF, Yoast, etc.).
+- **Resources** so the LLM can attach a post/page as context: `wp://post/{id}`, `wp://page/{id}`, `wp://media/{id}`, `wp://site`.
+- **Prompts** for common workflows: summarize, SEO rewrite, translate, draft.
+- **Application Password** auth (recommended by WordPress core).
+- **Auto-retry** on 429/5xx with `Retry-After` honored.
+- **Token-saving knobs**: `_fields`, `_embed`, `context=view|edit`.
+- **Safety**: destructive tool annotations, drafts default to `status=draft`.
+
+## Requirements
+
+- Node.js ≥ 18
+- A WordPress site with the REST API enabled (default since WP 4.7).
+- A user with an Application Password (WP Admin → Users → Profile → Application Passwords).
+
+## Install
+
+### From npm (when published)
+
+```bash
+npm install -g @mangerik/wordpress-mcp
+# the `wordpress-mcp` binary is now on your PATH
+```
+
+Or run on demand without installing:
+
+```bash
+npx -y @mangerik/wordpress-mcp
+```
+
+### From source
+
+```bash
+git clone https://github.com/mangerik/wordpress-mcp.git
+cd wordpress-mcp
+npm install
+npm run build
+```
+
+## Configure
+
+Two auth modes are supported.
+
+### A. Application Password (default, recommended)
+
+Copy `.env.example` to `.env` and fill in:
+
+```env
+WP_URL=https://example.com
+WP_USERNAME=your-wp-username
+WP_APP_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
+```
+
+### B. JWT (when Application Passwords are blocked or you need short-lived tokens)
+
+Install the "JWT Authentication for WP REST API" plugin (Tmeister) or compatible. Add to `wp-config.php`:
+
+```php
+define('JWT_AUTH_SECRET_KEY', 'a long random string');
+define('JWT_AUTH_CORS_ENABLE', true);
+```
+
+Then in `.env`:
+
+```env
+WP_AUTH_MODE=jwt
+WP_URL=https://example.com
+WP_USERNAME=your-wp-username
+WP_PASSWORD=your-wp-password
+# Optional override if your plugin uses a different namespace:
+# WP_JWT_NAMESPACE=jwt-auth/v1
+
+# Or skip credentials and supply a pre-issued token:
+# WP_JWT_TOKEN=eyJhbGciOiJIUzI1NiIs...
+```
+
+The server fetches a token at startup, attaches it as `Authorization: Bearer …`, and you can validate it any time via the `wp_jwt_validate` tool.
+
+Optional:
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `WP_TIMEOUT_MS` | `30000` | Per-request timeout |
+| `WP_MAX_RETRIES` | `3` | Retries on 408/425/429/5xx |
+| `WP_VERIFY_SSL` | `true` | Set `false` only for local self-signed certs |
+| `WP_USER_AGENT` | `WordPress-MCP-Server/1.0` | UA header |
+
+## Use it from an MCP client
+
+### Claude Desktop / Kiro
+
+Add to your MCP config (`~/.kiro/settings/mcp.json` or `~/Library/Application Support/Claude/claude_desktop_config.json`):
+
+```json
+{
+  "mcpServers": {
+    "wordpress": {
+      "command": "npx",
+      "args": ["-y", "@mangerik/wordpress-mcp"],
+      "env": {
+        "WP_URL": "https://example.com",
+        "WP_USERNAME": "your-wp-username",
+        "WP_APP_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
+      }
+    }
+  }
+}
+```
+
+For local development (running from source):
+
+```json
+{
+  "command": "node",
+  "args": ["/absolute/path/to/wordpress-mcp/dist/index.js"],
+  "env": { "WP_URL": "...", "WP_USERNAME": "...", "WP_APP_PASSWORD": "..." }
+}
+```
+
+### Test from the terminal
+
+```bash
+WP_URL=https://example.com \
+WP_USERNAME=admin \
+WP_APP_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx" \
+npm run dev
+```
+
+The server speaks JSON-RPC over stdio. Use the [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to drive it interactively:
+
+```bash
+npx @modelcontextprotocol/inspector node dist/index.js
+```
+
+## Tool catalogue
+
+### Site / discovery
+- `wp_site_info` · `wp_get_settings` · `wp_update_settings`
+- `wp_get_post_types` · `wp_get_taxonomies` · `wp_search`
+
+### Posts
+- `wp_get_posts` · `wp_get_post` · `wp_create_post` · `wp_update_post` · `wp_delete_post` · `wp_get_post_revisions`
+
+### Pages
+- `wp_get_pages` · `wp_get_page` · `wp_create_page` · `wp_update_page` · `wp_delete_page`
+
+### Media
+- `wp_get_media` · `wp_get_media_item` · `wp_upload_media_file` · `wp_upload_media_url` · `wp_update_media` · `wp_delete_media`
+
+### Comments
+- `wp_get_comments` · `wp_get_comment` · `wp_create_comment` · `wp_update_comment` · `wp_delete_comment`
+
+### Taxonomies
+- `wp_get_categories` · `wp_get_category` · `wp_create_category` · `wp_update_category` · `wp_delete_category`
+- `wp_get_tags` · `wp_get_tag` · `wp_create_tag` · `wp_update_tag` · `wp_delete_tag`
+
+### Users
+- `wp_get_users` · `wp_get_user` · `wp_get_current_user` · `wp_create_user` · `wp_update_user` · `wp_delete_user`
+
+### Generic (CPT, custom taxonomies, plugin namespaces)
+- `wp_list_items` · `wp_get_item` · `wp_create_item` · `wp_update_item` · `wp_delete_item`
+
+Use these with any REST route, e.g. `wc/v3/products`, `wp/v2/movie`, `acf/v3/posts/123`.
+
+### WooCommerce (`wc/v3`)
+Auth: set `WC_CONSUMER_KEY` + `WC_CONSUMER_SECRET` (recommended) or rely on the WP user having `manage_woocommerce`.
+
+- Products: `wc_list_products` · `wc_get_product` · `wc_create_product` · `wc_update_product` · `wc_delete_product`
+- Variations: `wc_list_variations` · `wc_create_variation`
+- Categories: `wc_list_product_categories`
+- Orders: `wc_list_orders` · `wc_get_order` · `wc_update_order` · `wc_create_order_note` · `wc_create_refund`
+- Customers: `wc_list_customers` · `wc_get_customer`
+- Coupons: `wc_list_coupons` · `wc_create_coupon`
+- Reports: `wc_get_sales_report` · `wc_get_top_sellers`
+
+### SEO (Yoast & Rank Math)
+Both plugins store SEO data in post meta with different keys; one uniform tool reads/writes either.
+
+- `seo_get_meta` — read SEO meta (`plugin: 'yoast' | 'rank_math'`)
+- `seo_set_meta` — write SEO meta
+- `yoast_get_head` — render Yoast `<head>` for a URL (SERP preview)
+- `yoast_indexable_for_post` — Yoast computed indexable record
+- `rankmath_list_redirections` · `rankmath_create_redirection` (Rank Math Pro)
+
+> Yoast exposes its meta via REST automatically. **Rank Math** may require enabling "REST API" in the plugin settings, and meta keys must be marked `show_in_rest`.
+
+### Block themes (WP 5.9+)
+- Templates: `wp_list_templates` · `wp_get_template` · `wp_update_template`
+- Template parts: `wp_list_template_parts` · `wp_get_template_part` · `wp_update_template_part`
+- Patterns: `wp_list_block_patterns` · `wp_list_block_pattern_categories`
+- Block types: `wp_list_block_types`
+- Global styles: `wp_get_global_styles`
+- Menus: `wp_list_menus` · `wp_list_menu_items`
+
+> Template IDs are strings shaped like `theme//slug`, e.g. `twentytwentyfour//single`.
+
+### Multisite
+- `ms_list_sites` · `ms_get_site` · `ms_create_site` · `ms_update_site` · `ms_delete_site`
+- `ms_list_networks` · `ms_get_network`
+
+> Core WP does **not yet** ship `/wp/v2/sites`. These tools assume a Multisite REST plugin is installed (e.g. `brettkrueger/multisite-rest-api`). Without one you will get `rest_no_route`.
+
+### Batch operations (WP 5.6+, `/batch/v1`)
+- `wp_batch_options` — discover the per-batch limit (default 25, filterable).
+- `wp_batch` — execute up to N writes in one request. GET is **not** supported by core; only `POST/PUT/PATCH/DELETE`.
+
+```jsonc
+// Example call to wp_batch
+{
+  "validation": "require-all-validate",
+  "requests": [
+    { "method": "POST", "path": "/wp/v2/posts",      "body": { "title": "First",  "content": "...", "status": "draft" } },
+    { "method": "POST", "path": "/wp/v2/posts",      "body": { "title": "Second", "content": "...", "status": "draft" } },
+    { "method": "POST", "path": "/wp/v2/posts/123",  "body": { "status": "publish" } }
+  ]
+}
+```
+
+### JWT diagnostics (only in JWT mode)
+- `wp_jwt_validate` — validate the active token via `/jwt-auth/v1/token/validate`.
+
+## Resources
+
+| URI | What |
+|-----|------|
+| `wp://site` | REST root summary (name, namespaces, etc.) |
+| `wp://post/{id}` | Single post (rendered + embedded relations) |
+| `wp://page/{id}` | Single page |
+| `wp://media/{id}` | Single media item |
+
+## Prompts
+
+| Name | Args |
+|------|------|
+| `summarize_post` | `post_id`, `length` |
+| `seo_rewrite` | `post_id`, `primary_keyword`, `target_audience?` |
+| `translate_page` | `page_id`, `target_language`, `create_new?` |
+| `draft_post` | `topic`, `tone?`, `word_count?` |
+
+## Notes & gotchas
+
+- **`status` defaults to `draft`** for `wp_create_post` / `wp_create_page`. Override explicitly if you really want to publish.
+- **Custom fields (`meta`)** must be registered server-side with `register_post_meta(..., 'show_in_rest' => true)` to be writable through REST.
+- **Use `_fields`** to slim responses — e.g. `_fields: "id,title,slug"` cuts response size by ~80% for list calls.
+- **`context=edit`** is required to receive raw (unfiltered) content for round-tripping through `wp_update_post`.
+- The server logs to **stderr only**. Stdout is reserved for JSON-RPC framing.
+
+## License
+
+MIT

package/dist/config.d.ts

@@ -0,0 +1,80 @@
+import { z } from "zod";
+/**
+ * Server configuration loaded from environment variables.
+ * Validated with zod so we fail fast at startup.
+ */
+declare const ConfigSchema: z.ZodEffects<z.ZodObject<{
+    WP_URL: z.ZodString;
+    WP_AUTH_MODE: z.ZodDefault<z.ZodEnum<["application_password", "jwt"]>>;
+    WP_USERNAME: z.ZodOptional<z.ZodString>;
+    WP_APP_PASSWORD: z.ZodOptional<z.ZodString>;
+    WP_PASSWORD: z.ZodOptional<z.ZodString>;
+    WP_JWT_TOKEN: z.ZodOptional<z.ZodString>;
+    WP_JWT_NAMESPACE: z.ZodDefault<z.ZodString>;
+    WP_TIMEOUT_MS: z.ZodDefault<z.ZodNumber>;
+    WP_MAX_RETRIES: z.ZodDefault<z.ZodNumber>;
+    WP_VERIFY_SSL: z.ZodEffects<z.ZodDefault<z.ZodUnion<[z.ZodLiteral<"true">, z.ZodLiteral<"false">]>>, boolean, "true" | "false" | undefined>;
+    WP_USER_AGENT: z.ZodDefault<z.ZodString>;
+    WC_CONSUMER_KEY: z.ZodOptional<z.ZodString>;
+    WC_CONSUMER_SECRET: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    WP_URL: string;
+    WP_AUTH_MODE: "application_password" | "jwt";
+    WP_JWT_NAMESPACE: string;
+    WP_TIMEOUT_MS: number;
+    WP_MAX_RETRIES: number;
+    WP_VERIFY_SSL: boolean;
+    WP_USER_AGENT: string;
+    WP_USERNAME?: string | undefined;
+    WP_APP_PASSWORD?: string | undefined;
+    WP_PASSWORD?: string | undefined;
+    WP_JWT_TOKEN?: string | undefined;
+    WC_CONSUMER_KEY?: string | undefined;
+    WC_CONSUMER_SECRET?: string | undefined;
+}, {
+    WP_URL: string;
+    WP_AUTH_MODE?: "application_password" | "jwt" | undefined;
+    WP_USERNAME?: string | undefined;
+    WP_APP_PASSWORD?: string | undefined;
+    WP_PASSWORD?: string | undefined;
+    WP_JWT_TOKEN?: string | undefined;
+    WP_JWT_NAMESPACE?: string | undefined;
+    WP_TIMEOUT_MS?: number | undefined;
+    WP_MAX_RETRIES?: number | undefined;
+    WP_VERIFY_SSL?: "true" | "false" | undefined;
+    WP_USER_AGENT?: string | undefined;
+    WC_CONSUMER_KEY?: string | undefined;
+    WC_CONSUMER_SECRET?: string | undefined;
+}>, {
+    WP_URL: string;
+    WP_AUTH_MODE: "application_password" | "jwt";
+    WP_JWT_NAMESPACE: string;
+    WP_TIMEOUT_MS: number;
+    WP_MAX_RETRIES: number;
+    WP_VERIFY_SSL: boolean;
+    WP_USER_AGENT: string;
+    WP_USERNAME?: string | undefined;
+    WP_APP_PASSWORD?: string | undefined;
+    WP_PASSWORD?: string | undefined;
+    WP_JWT_TOKEN?: string | undefined;
+    WC_CONSUMER_KEY?: string | undefined;
+    WC_CONSUMER_SECRET?: string | undefined;
+}, {
+    WP_URL: string;
+    WP_AUTH_MODE?: "application_password" | "jwt" | undefined;
+    WP_USERNAME?: string | undefined;
+    WP_APP_PASSWORD?: string | undefined;
+    WP_PASSWORD?: string | undefined;
+    WP_JWT_TOKEN?: string | undefined;
+    WP_JWT_NAMESPACE?: string | undefined;
+    WP_TIMEOUT_MS?: number | undefined;
+    WP_MAX_RETRIES?: number | undefined;
+    WP_VERIFY_SSL?: "true" | "false" | undefined;
+    WP_USER_AGENT?: string | undefined;
+    WC_CONSUMER_KEY?: string | undefined;
+    WC_CONSUMER_SECRET?: string | undefined;
+}>;
+export type ServerConfig = z.infer<typeof ConfigSchema>;
+export declare function loadConfig(env?: NodeJS.ProcessEnv): ServerConfig;
+export {};
+//# sourceMappingURL=config.d.ts.map

package/dist/config.js

@@ -0,0 +1,84 @@
+import { z } from "zod";
+/**
+ * Server configuration loaded from environment variables.
+ * Validated with zod so we fail fast at startup.
+ */
+const ConfigSchema = z
+    .object({
+    WP_URL: z
+        .string()
+        .url()
+        .describe("Base URL of the WordPress site, e.g. https://example.com"),
+    WP_AUTH_MODE: z
+        .enum(["application_password", "jwt"])
+        .default("application_password"),
+    // ── Application Password mode ───────────────────────────────────────
+    WP_USERNAME: z.string().min(1).optional(),
+    WP_APP_PASSWORD: z.string().min(1).optional(),
+    // ── JWT mode (Tmeister "JWT Authentication for WP REST API") ────────
+    // Either supply username + password and we'll fetch a token at startup,
+    // or supply WP_JWT_TOKEN directly (e.g. issued by another auth plugin).
+    WP_PASSWORD: z.string().min(1).optional(),
+    WP_JWT_TOKEN: z.string().min(10).optional(),
+    WP_JWT_NAMESPACE: z.string().default("jwt-auth/v1"),
+    // ── Common ──────────────────────────────────────────────────────────
+    WP_TIMEOUT_MS: z.coerce.number().int().positive().default(30_000),
+    WP_MAX_RETRIES: z.coerce.number().int().min(0).max(10).default(3),
+    WP_VERIFY_SSL: z
+        .union([z.literal("true"), z.literal("false")])
+        .default("true")
+        .transform((v) => v === "true"),
+    WP_USER_AGENT: z.string().default("WordPress-MCP-Server/1.0"),
+    // ── WooCommerce (optional) ──────────────────────────────────────────
+    WC_CONSUMER_KEY: z.string().optional(),
+    WC_CONSUMER_SECRET: z.string().optional(),
+})
+    .superRefine((c, ctx) => {
+    if (c.WP_AUTH_MODE === "application_password") {
+        if (!c.WP_USERNAME)
+            ctx.addIssue({ code: "custom", path: ["WP_USERNAME"], message: "Required for application_password mode" });
+        if (!c.WP_APP_PASSWORD)
+            ctx.addIssue({ code: "custom", path: ["WP_APP_PASSWORD"], message: "Required for application_password mode" });
+    }
+    if (c.WP_AUTH_MODE === "jwt") {
+        const hasToken = !!c.WP_JWT_TOKEN;
+        const hasUserPass = !!c.WP_USERNAME && !!c.WP_PASSWORD;
+        if (!hasToken && !hasUserPass) {
+            ctx.addIssue({
+                code: "custom",
+                path: ["WP_JWT_TOKEN"],
+                message: "JWT mode requires either WP_JWT_TOKEN, or WP_USERNAME + WP_PASSWORD to obtain a token",
+            });
+        }
+    }
+});
+export function loadConfig(env = process.env) {
+    const parsed = ConfigSchema.safeParse(env);
+    if (!parsed.success) {
+        const issues = parsed.error.issues
+            .map((i) => `  • ${i.path.join(".")}: ${i.message}`)
+            .join("\n");
+        throw new Error(`Invalid configuration. Check your environment variables:\n${issues}\n\n` +
+            `Required (application_password mode, default):\n` +
+            `  WP_URL            (e.g. https://example.com)\n` +
+            `  WP_USERNAME       (your WordPress username)\n` +
+            `  WP_APP_PASSWORD   (Application Password from WP profile)\n\n` +
+            `Required (jwt mode):\n` +
+            `  WP_AUTH_MODE=jwt\n` +
+            `  WP_URL\n` +
+            `  Either:\n` +
+            `    WP_USERNAME + WP_PASSWORD          (server fetches token)\n` +
+            `  or:\n` +
+            `    WP_JWT_TOKEN                       (pre-issued token)\n` +
+            `  WP_JWT_NAMESPACE  (default jwt-auth/v1; change if your plugin differs)\n\n` +
+            `Optional:\n` +
+            `  WP_TIMEOUT_MS     (default 30000)\n` +
+            `  WP_MAX_RETRIES    (default 3)\n` +
+            `  WP_VERIFY_SSL     (default true)\n` +
+            `  WP_USER_AGENT     (default WordPress-MCP-Server/1.0)\n` +
+            `  WC_CONSUMER_KEY   (optional, WooCommerce consumer key)\n` +
+            `  WC_CONSUMER_SECRET(optional, WooCommerce consumer secret)`);
+    }
+    return parsed.data;
+}
+//# sourceMappingURL=config.js.map

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -0,0 +1,145 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { loadConfig } from "./config.js";
+import { WordPressClient, WPError } from "./wordpress-client.js";
+import { postTools } from "./tools/posts.js";
+import { pageTools } from "./tools/pages.js";
+import { mediaTools } from "./tools/media.js";
+import { commentTools } from "./tools/comments.js";
+import { taxonomyTools } from "./tools/taxonomy.js";
+import { userTools } from "./tools/users.js";
+import { siteTools } from "./tools/site.js";
+import { cptTools } from "./tools/cpt.js";
+import { woocommerceTools } from "./tools/woocommerce.js";
+import { seoTools } from "./tools/seo.js";
+import { blockTools } from "./tools/blocks.js";
+import { multisiteTools } from "./tools/multisite.js";
+import { batchTools } from "./tools/batch.js";
+import { jwtTools } from "./tools/jwt.js";
+import { registerResources } from "./resources.js";
+import { registerPrompts } from "./prompts.js";
+const NAME = "wordpress-mcp";
+const VERSION = "1.0.0";
+/**
+ * Wrap a tool handler so its return value becomes a proper `CallToolResult`
+ * and any thrown error becomes an `isError: true` result the LLM can see.
+ *
+ * Important for stdio: never write to stdout outside the MCP framing — all
+ * logs go to stderr.
+ */
+function wrap(tool) {
+    return async (input) => {
+        try {
+            const data = await tool.handler(input);
+            const text = typeof data === "string" ? data : JSON.stringify(data, null, 2);
+            const result = {
+                content: [{ type: "text", text }],
+            };
+            // Attach structured output when it's a JSON-compatible object.
+            if (data && typeof data === "object") {
+                result.structuredContent = data;
+            }
+            return result;
+        }
+        catch (err) {
+            const message = formatError(err);
+            // Log full error to stderr for debugging without breaking stdio framing.
+            console.error(`[${tool.name}]`, err);
+            return {
+                isError: true,
+                content: [{ type: "text", text: message }],
+            };
+        }
+    };
+}
+function formatError(err) {
+    if (err instanceof WPError) {
+        const parts = [
+            `WordPress error: ${err.message}`,
+            `code: ${err.code}`,
+            `status: ${err.status}`,
+        ];
+        if (err.details && typeof err.details === "object") {
+            parts.push(`details: ${JSON.stringify(err.details)}`);
+        }
+        return parts.join(" | ");
+    }
+    if (err instanceof Error)
+        return `${err.name}: ${err.message}`;
+    return `Unknown error: ${String(err)}`;
+}
+async function main() {
+    const config = loadConfig();
+    const wp = new WordPressClient({
+        baseUrl: config.WP_URL,
+        authMode: config.WP_AUTH_MODE,
+        username: config.WP_USERNAME,
+        appPassword: config.WP_APP_PASSWORD,
+        password: config.WP_PASSWORD,
+        jwtToken: config.WP_JWT_TOKEN,
+        jwtNamespace: config.WP_JWT_NAMESPACE,
+        timeoutMs: config.WP_TIMEOUT_MS,
+        maxRetries: config.WP_MAX_RETRIES,
+        verifySsl: config.WP_VERIFY_SSL,
+        userAgent: config.WP_USER_AGENT,
+        wcConsumerKey: config.WC_CONSUMER_KEY,
+        wcConsumerSecret: config.WC_CONSUMER_SECRET,
+    });
+    // Bootstrap JWT if needed (no-op for application_password mode).
+    await wp.ensureJwt();
+    const server = new McpServer({ name: NAME, version: VERSION }, {
+        capabilities: {
+            tools: {},
+            resources: {},
+            prompts: {},
+            logging: {},
+        },
+        instructions: "WordPress MCP server. Authenticated via Application Password. " +
+            "Discover the site shape with wp_site_info / wp_get_post_types / wp_get_taxonomies " +
+            "before performing CRUD on custom content. Destructive tools (delete, force=true) " +
+            "are irreversible — confirm with the user first.",
+    });
+    // Collect all tools from feature modules.
+    const tools = [
+        ...siteTools(wp),
+        ...postTools(wp),
+        ...pageTools(wp),
+        ...mediaTools(wp),
+        ...commentTools(wp),
+        ...taxonomyTools(wp),
+        ...userTools(wp),
+        ...cptTools(wp),
+        ...woocommerceTools(wp),
+        ...seoTools(wp),
+        ...blockTools(wp),
+        ...multisiteTools(wp),
+        ...batchTools(wp),
+        ...(config.WP_AUTH_MODE === "jwt" ? jwtTools(wp) : []),
+    ];
+    // Sanity check: tool names must be unique.
+    const seen = new Set();
+    for (const t of tools) {
+        if (seen.has(t.name))
+            throw new Error(`Duplicate tool name: ${t.name}`);
+        seen.add(t.name);
+    }
+    for (const tool of tools) {
+        server.registerTool(tool.name, {
+            title: tool.title,
+            description: tool.description,
+            inputSchema: tool.inputSchema,
+            annotations: tool.annotations,
+        }, wrap(tool));
+    }
+    registerResources(server, wp);
+    registerPrompts(server);
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error(`[${NAME}] connected · ${tools.length} tools · auth: ${config.WP_AUTH_MODE} · target: ${config.WP_URL}`);
+}
+main().catch((err) => {
+    console.error(`[${NAME}] fatal:`, err instanceof Error ? err.message : err);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/prompts.d.ts

@@ -0,0 +1,7 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+/**
+ * Reusable prompt templates that turn common WordPress workflows into one-click
+ * actions for the LLM client.
+ */
+export declare function registerPrompts(server: McpServer): void;
+//# sourceMappingURL=prompts.d.ts.map