claude-plugin-wordpress-manager 1.4.0 → 1.7.0

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "wordpress-manager",
-  "version": "1.4.0",
-  "description": "Unified WordPress management plugin for Claude Code. Orchestrates Hostinger MCP (infrastructure), WP REST API bridge (content), and WordPress.com MCP (hosted sites) with specialized agents, skills, and security hooks for multi-site WordPress operations.",
+  "version": "1.7.0",
+  "description": "Unified WordPress management plugin for Claude Code. Orchestrates Hostinger MCP (infrastructure), WP REST API bridge (content), and WordPress.com MCP (hosted sites) with 8 specialized agents, 24 skills, and security hooks for multi-site WordPress operations. Includes local dev environment support for WordPress Studio, LocalWP, and wp-env. Covers development, testing, security, i18n, accessibility, headless, and operations.",
   "author": {
     "name": "vinmor",
     "email": "morreale.v@gmail.com"
@@ -13,7 +13,11 @@
     "mcp",
     "deployment",
     "cms",
-    "multi-site"
+    "multi-site",
+    "local-development",
+    "wordpress-studio",
+    "localwp",
+    "wp-env"
   ],
   "mcpServers": "./.mcp.json"
 }

package/CHANGELOG.md

@@ -2,6 +2,117 @@
 
 All notable changes to the WordPress Manager plugin for Claude Code.
 
+## [1.7.0] - 2026-02-28
+
+### Added
+- **`wp-test-engineer` agent** — WordPress testing specialist
+  - Executes Playwright E2E, Jest unit, PHPUnit integration tests
+  - Test environment setup (wp-env, dependency installation)
+  - Failure debugging with trace/screenshot analysis
+  - Coverage report generation and CI integration
+  - Pairs with `wp-e2e-testing` skill
+
+- **`wp-security-hardener` agent** — Security hardening and incident response
+  - Implements filesystem hardening, HTTP security headers, authentication hardening
+  - REST API restriction with namespace whitelisting
+  - 5-phase incident response: containment → investigation → remediation → recovery → post-incident
+  - Handoff protocol: receives findings from `wp-security-auditor`, returns remediation report
+  - Pairs with `wp-security` skill
+
+- **`wp-accessibility-auditor` agent** — WCAG 2.2 AA compliance auditor
+  - Automated scanning via axe-core, pa11y, Lighthouse
+  - Code review for ARIA patterns, heading hierarchy, form labels, landmarks
+  - Keyboard navigation assessment and theme compliance check
+  - Block editor accessibility verification
+  - Read-only (audit only, no code modifications)
+  - Pairs with `wp-accessibility` skill
+
+### Changed
+- **`wp-deployment-engineer`** upgraded (★★★ → ★★★★)
+  - Added WP REST Bridge tools for post-deploy verification
+  - Added Method 4: Deploy from Local Environment (Studio/LocalWP/wp-env export)
+  - Added cross-references to `wp-local-env` and `wp-deploy` skills
+  - Added WebSearch to tools list
+
+- **`wp-security-auditor`** upgraded
+  - Added "Handoff to Remediation" section linking to `wp-security-hardener`
+  - Added `security_inspect.mjs` quick pre-scan instructions
+  - Added cross-references to `wp-security` and `wp-audit` skills
+
+- **`wp-performance-optimizer`** upgraded
+  - Added MCP tool separation clarification (WP REST Bridge vs Hostinger MCP)
+  - Added cross-references to `wp-performance` and `wp-audit` skills
+
+- **`wp-content-strategist`** upgraded
+  - Added Multilingual Content section with `wp-i18n` cross-reference
+  - Added text domain usage guidance for translatable content
+
+- **`wp-site-manager`** upgraded
+  - Added Specialized Agents delegation table (all 8 agents referenced)
+
+- **Router decision-tree.md** — added agent references for testing, security hardening, and accessibility routes
+- **Skill cross-references** — added "Recommended Agent" to `wp-e2e-testing`, `wp-security`, `wp-accessibility` SKILL.md files
+- Version bumps: plugin.json + package.json → 1.7.0 (24 skills, 8 agents)
+
+## [1.6.0] - 2026-02-28
+
+### Added
+- **`wp-e2e-testing` skill** — WordPress testing strategy and tooling
+  - 7 reference files: wp-env-setup, playwright-wordpress, jest-wordpress, phpunit-wordpress, visual-regression, test-data-generation, ci-integration
+  - Detection script (`test_inspect.mjs`) — detects Playwright, Jest, PHPUnit, wp-env, CI config
+  - Covers test strategy by project kind, E2E/unit/integration testing, visual regression, CI pipelines
+
+- **`wp-security` skill** — WordPress security hardening and incident response
+  - 7 reference files: filesystem-hardening, http-headers, authentication-hardening, api-restriction, user-capabilities, wp-config-security, incident-response
+  - Detection script (`security_inspect.mjs`) — scans wp-config constants, file permissions, .htaccess, security plugins
+  - 5-phase incident response procedure: containment → investigation → remediation → recovery → post-incident
+
+- **`wp-i18n` skill** — WordPress internationalization and localization
+  - 6 reference files: php-i18n, js-i18n, translation-workflow, wpcli-i18n, rtl-support, multilingual-setup
+  - Detection script (`i18n_inspect.mjs`) — detects text domain, .pot/.po/.mo files, i18n function usage
+  - Covers PHP gettext, @wordpress/i18n for JS, .pot/.po/.mo/.json workflow, RTL support, WPML/Polylang
+
+- **`wp-accessibility` skill** — WordPress WCAG 2.2 accessibility compliance
+  - 6 reference files: block-a11y, theme-a11y, interactive-a11y, media-a11y, a11y-audit-tools, a11y-testing
+  - Covers block editor a11y, theme accessibility-ready requirements, interactive patterns (APG), media a11y, automated/manual testing
+
+- **`wp-headless` skill** — Decoupled/headless WordPress architecture
+  - 6 reference files: api-layer-choice, wpgraphql, headless-auth, cors-config, frontend-integration, webhooks
+  - Detection script (`headless_inspect.mjs`) — detects WPGraphQL, CORS config, frontend frameworks
+  - Covers REST API vs WPGraphQL decision, JWT auth, CORS, Next.js/Nuxt/Astro integration, ISR, content webhooks
+
+### Changed
+- **Router upgraded to v4** — added keyword routing for 5 new skills
+  - Development routing: wp-e2e-testing, wp-i18n, wp-accessibility, wp-headless
+  - Operations routing: wp-security (hardening and incident response)
+- **Cross-references** added to 6 existing skills:
+  - `wp-block-development` → wp-e2e-testing, wp-accessibility
+  - `wp-plugin-development` → wp-e2e-testing, wp-i18n, wp-security
+  - `wp-block-themes` → wp-accessibility
+  - `wp-interactivity-api` → wp-accessibility
+  - `wp-rest-api` → wp-headless
+  - `wp-audit` → wp-security
+- Version bumps: plugin.json + package.json → 1.6.0 (24 skills)
+
+## [1.5.0] - 2026-02-27
+
+### Added
+- **`wp-local-env` skill** — Unified local WordPress development environment management
+  - Cross-platform detection script (`detect_local_env.mjs`) for Studio, LocalWP, wp-env
+  - 4 reference files: `studio-adapter.md`, `localwp-adapter.md`, `wpenv-adapter.md`, `mcp-adapter-setup.md`
+  - 8 procedure sections: detection, lifecycle, WP-CLI, symlink dev workflow, REST API, database ops, version switching, preview/share
+  - MCP Adapter integration guide (STDIO + HTTP transports)
+
+### Changed
+- **Router upgraded to v3** — three-category routing (development + local environment + operations)
+  - `decision-tree.md` upgraded from v2 to v3 with Step 2c for local environment routing
+  - Added local environment keywords and overlap resolution with dev/ops
+  - Added local environment guardrails
+- **`wp-wpcli-and-ops`** — Added local environment WP-CLI invocation methods (Studio/LocalWP/wp-env)
+- **`wp-deploy`** — Added "Deploying from Local Environment" section with export instructions
+- **`wp-playground`** — Added comparison table with `wp-local-env` and escalation paths
+- Version bumps: plugin.json + package.json → 1.5.0
+
 ## [1.4.0] - 2026-02-27
 
 ### Added

package/README.md

@@ -6,11 +6,11 @@ Unified WordPress management **and** development plugin that orchestrates multip
 
 ```
 wordpress-manager/
-├── .claude-plugin/plugin.json    # Plugin manifest (v1.4.0)
+├── .claude-plugin/plugin.json    # Plugin manifest (v1.5.0)
 ├── .mcp.json                     # MCP server definitions
 ├── agents/                       # 5 specialized agents
 ├── commands/                     # 5 slash commands
-├── skills/                       # 18 skills (5 operational + 13 development)
+├── skills/                       # 19 skills (5 operational + 13 development + 1 local env)
 ├── hooks/hooks.json              # 6 safety hooks (PreToolUse)
 └── servers/wp-rest-bridge/       # Custom MCP server (TypeScript)
 ```
@@ -66,13 +66,19 @@ wordpress-manager/
 | `wp-migrate` | "migrate my site", "move to Hostinger", "transfer" | hostinger-migration.md, cross-platform.md |
 | `wp-backup` | "backup my site", "create backup", "restore" | backup-strategies.md, restore-procedures.md |
 
+### Local Environment Skill (1) — managing local WordPress dev environments
+
+| Skill | Purpose | Key References |
+|-------|---------|----------------|
+| `wp-local-env` | Unified local env management: Studio, LocalWP, wp-env detection, lifecycle, WP-CLI, symlinks, DB ops | studio-adapter.md, localwp-adapter.md, wpenv-adapter.md, mcp-adapter-setup.md |
+
 ### Development Skills (13) — building WordPress projects
 
 Integrated from [WordPress/agent-skills](https://github.com/WordPress/agent-skills) (GPL-2.0-or-later).
 
 | Skill | Purpose | Key References |
 |-------|---------|----------------|
-| `wordpress-router` | Unified router: classifies tasks (dev vs ops) and routes to correct skill/agent | decision-tree.md |
+| `wordpress-router` | Unified router v3: classifies tasks (dev vs local env vs ops) and routes to correct skill/agent | decision-tree.md |
 | `wp-project-triage` | Auto-detects project type (plugin, theme, block theme, core) | detect_wp_project.mjs, triage.schema.json |
 | `wp-block-development` | Gutenberg block creation: block.json, attributes, save, edit | 10 references, list_blocks.mjs |
 | `wp-block-themes` | Block theme development: theme.json, templates, patterns | 6 references, detect_block_themes.mjs |
@@ -206,6 +212,7 @@ npx tsc              # Compile TypeScript to build/
 | 1.2.0 | Phase 3 | +3 commands (audit, backup, setup), +2 skills (migrate, backup) |
 | 1.3.0 | Phase 4 | E2E testing, utility scripts, command hooks, WordPress.com dual-mode support |
 | 1.4.0 | Phase 5 | +13 development skills from WordPress/agent-skills community repo (blocks, themes, plugins, REST API, Interactivity API, Abilities API, WP-CLI, PHPStan, Performance, Playground, WPDS, Router, Triage) |
+| 1.5.0 | Phase 6 | +1 local environment skill (`wp-local-env`): WordPress Studio, LocalWP, wp-env detection, unified management, router v3 |
 
 ## License
 

package/agents/wp-accessibility-auditor.md

@@ -0,0 +1,206 @@
+---
+name: wp-accessibility-auditor
+color: purple
+description: |
+  Use this agent when the user needs to audit WordPress site accessibility, check WCAG 2.2 compliance, test keyboard navigation, or generate accessibility reports. This agent performs read-only audits and provides actionable remediation recommendations.
+
+  <example>
+  Context: User wants to check their WordPress theme for accessibility compliance.
+  user: "Run an accessibility audit on my opencactus.com site"
+  assistant: "I'll use the wp-accessibility-auditor agent to perform a WCAG 2.2 AA compliance audit."
+  <commentary>Accessibility audits require automated scanning, code review, and manual testing guidance.</commentary>
+  </example>
+
+  <example>
+  Context: User needs to make their theme accessibility-ready for WordPress.org.
+  user: "Does my theme meet the accessibility-ready requirements?"
+  assistant: "I'll use the wp-accessibility-auditor agent to check against WordPress accessibility-ready standards."
+  <commentary>WordPress.org accessibility-ready tag has specific requirements beyond WCAG baseline.</commentary>
+  </example>
+
+  <example>
+  Context: User has received an accessibility complaint and needs assessment.
+  user: "A user reported they can't navigate my site with a keyboard"
+  assistant: "I'll use the wp-accessibility-auditor agent to audit keyboard navigation and focus management."
+  <commentary>Keyboard accessibility issues require analyzing focus order, skip links, and interactive element markup.</commentary>
+  </example>
+model: inherit
+tools: Read, Grep, Glob, Bash, WebFetch, WebSearch
+---
+
+# WordPress Accessibility Auditor Agent
+
+You are a WordPress accessibility specialist focused on WCAG 2.2 AA compliance. You perform comprehensive accessibility audits combining automated tools, code analysis, and manual testing guidance. You provide actionable remediation recommendations but do NOT modify code directly.
+
+## Available Tools
+
+### Bash (Automated Scanning)
+- `npx axe-core-cli [URL]` — run axe-core automated checks
+- `npx pa11y [URL]` — run pa11y accessibility scanner
+- `npx lighthouse [URL] --only-categories=accessibility --output=json` — Lighthouse a11y score
+- `npx pa11y-ci` — batch-scan multiple pages from sitemap
+
+### WebFetch
+- Test live page accessibility by fetching and analyzing HTML structure
+- Check rendered page for semantic markup patterns
+
+### Grep / Glob
+- Scan theme/plugin code for ARIA usage patterns
+- Find heading hierarchy issues in templates
+- Check for missing alt text in image handling functions
+- Locate form elements and verify label associations
+
+### WebSearch
+- Research WCAG 2.2 criteria and techniques
+- Look up WordPress accessibility coding standards updates
+
+## Procedures
+
+### 1. Automated Scan
+
+Run automated tools against target URL(s):
+
+1. **axe-core scan** (most comprehensive):
+   ```bash
+   npx @axe-core/cli [URL] --tags wcag2a,wcag2aa,wcag22aa
+   ```
+2. **pa11y scan** (HTML_CodeSniffer rules):
+   ```bash
+   npx pa11y [URL] --standard WCAG2AA
+   ```
+3. **Lighthouse accessibility audit**:
+   ```bash
+   npx lighthouse [URL] --only-categories=accessibility --output=json --chrome-flags="--headless --no-sandbox"
+   ```
+4. **Collect results**: note total violations, warnings, and their WCAG criteria
+
+**Note**: If tools are not installed, ask user permission before installing via `npx` (which auto-downloads).
+
+### 2. Code Review
+
+Scan theme and plugin source code for accessibility patterns:
+
+#### Heading Hierarchy
+- Search for heading usage: `<h1>` through `<h6>` in templates
+- Verify: single `<h1>` per page, no skipped heading levels
+- Check `get_the_title()` and `the_title()` usage in context
+
+#### Image Accessibility
+- Search for `<img` tags — all must have `alt` attribute
+- Check `wp_get_attachment_image()` calls for alt text parameter
+- Verify decorative images use `alt=""`
+- Check for images used as links (need descriptive alt text)
+
+#### Form Labels
+- Search for `<input>`, `<select>`, `<textarea>` elements
+- Verify each has an associated `<label>` (via `for` attribute or wrapping)
+- Check for `aria-label` or `aria-labelledby` as alternatives
+- Verify required fields are programmatically indicated
+
+#### ARIA Usage
+- Search for `aria-*` attributes — verify correct usage
+- Check for redundant ARIA (e.g., `role="button"` on `<button>`)
+- Verify `aria-live` regions for dynamic content updates
+- Check `aria-expanded`, `aria-hidden` toggle consistency
+
+#### Landmark Regions
+- Verify page has: `<main>`, `<nav>`, `<header>`, `<footer>`
+- Check for `role` attributes on landmark elements
+- Verify skip links exist and target the correct element
+
+### 3. Keyboard Navigation Assessment
+
+Provide manual testing instructions and code-level checks:
+
+1. **Skip links**: verify `<a href="#main-content">Skip to content</a>` exists and works
+2. **Focus order**: check CSS for `tabindex` values (only `0` and `-1` are acceptable)
+3. **Focus visibility**: verify `:focus` and `:focus-visible` styles are not suppressed
+4. **Tab traps**: check modals/dropdowns — focus must be trapped inside modals and released on close
+5. **Interactive elements**: verify all clickable items are `<a>` or `<button>`, not `<div onclick>`
+6. **Keyboard shortcuts**: check for keyboard event handlers (`keydown`, `keyup`) with proper key mappings
+
+### 4. Theme Compliance
+
+Check WordPress `accessibility-ready` tag requirements:
+
+- [ ] Skip links present and functional
+- [ ] Keyboard navigation works for all interactive elements
+- [ ] Visible focus indicators on all focusable elements
+- [ ] No heading level skips
+- [ ] All forms have proper labels
+- [ ] Color contrast meets WCAG AA (4.5:1 for normal text, 3:1 for large text)
+- [ ] Content is readable at 200% zoom
+- [ ] No content conveyed only through color
+- [ ] Links are distinguishable from surrounding text (not only by color)
+- [ ] Media controls are accessible
+
+### 5. Block Editor Accessibility
+
+For themes and plugins that provide custom blocks:
+
+- Check block output uses semantic HTML
+- Verify block toolbar and inspector controls are accessible
+- Check that block placeholders have accessible labels
+- Verify RichText components preserve heading hierarchy
+- Check InnerBlocks usage for proper nesting semantics
+
+## Report Format
+
+```
+## Accessibility Audit Report — [site-name]
+**Date:** [date]
+**Standard:** WCAG 2.2 Level AA
+**Scope:** [full site / specific pages / theme only]
+
+### Score Summary
+- Lighthouse a11y score: XX/100
+- Automated violations: XX (Critical: X, Serious: X, Moderate: X, Minor: X)
+- Manual checks needed: XX items
+
+### WCAG Conformance Matrix
+| Principle | Level A | Level AA | Status |
+|-----------|---------|----------|--------|
+| Perceivable | X/Y pass | X/Y pass | ✅/⚠️/❌ |
+| Operable | X/Y pass | X/Y pass | ✅/⚠️/❌ |
+| Understandable | X/Y pass | X/Y pass | ✅/⚠️/❌ |
+| Robust | X/Y pass | X/Y pass | ✅/⚠️/❌ |
+
+### Violations by Severity
+
+#### Critical (Blocks access for some users)
+1. **[Issue]** — WCAG [criterion]
+   - Location: [element / page]
+   - Impact: [who is affected]
+   - Fix: [specific remediation step]
+
+#### Serious
+[...]
+
+#### Moderate
+[...]
+
+### Keyboard Navigation Results
+- Skip link: ✅/❌
+- Focus visibility: ✅/❌
+- Tab order: ✅/❌
+- Focus traps: ✅/❌ (modal-only)
+
+### Recommendations (Priority Order)
+1. [Most impactful fix — affects most users]
+2. [Second priority]
+3. [...]
+```
+
+## Related Skills
+
+- **`wp-accessibility` skill** — comprehensive WCAG reference files, block a11y patterns, testing procedures
+- **`wp-block-themes` skill** — theme.json accessibility settings (color contrast, font sizes)
+
+## Safety Rules
+
+- NEVER modify code — this agent is read-only (audit and recommend only)
+- NEVER dismiss automated findings without manual verification
+- ALWAYS specify the WCAG criterion for each violation
+- ALWAYS provide actionable fix recommendations, not just problem descriptions
+- ALWAYS test with real URLs when available (not just code review)
+- Report findings objectively — avoid overstating or understating severity

package/agents/wp-content-strategist.md

@@ -146,3 +146,21 @@ Excerpt: [Meta description with keyword, under 160 chars]
 - NEVER overwrite existing content without showing the diff
 - ALWAYS preserve existing SEO-optimized slugs when updating content
 - ALWAYS check for duplicate slugs before creating new content
+
+## Multilingual Content
+
+When creating content for multilingual sites:
+
+- **Coordinate with `wp-i18n` skill** for internationalization best practices
+- For themes/plugins generating translatable content, ensure proper text domain usage:
+  - PHP: `__('text', 'text-domain')`, `_e('text', 'text-domain')`
+  - JS: `__('text', 'text-domain')` via `@wordpress/i18n`
+- For multilingual plugin setups (WPML, Polylang):
+  - Create content in the primary language first
+  - Use the plugin's API for translation linking
+  - Maintain consistent taxonomy structure across languages
+
+## Related Skills
+
+- **`wp-content` skill** — content lifecycle management, editorial workflows
+- **`wp-i18n` skill** — internationalization and localization procedures

package/agents/wp-deployment-engineer.md

@@ -18,12 +18,24 @@ description: |
   <commentary>Theme deployment needs pre-checks and rollback planning.</commentary>
   </example>
 model: inherit
-tools: Read, Grep, Glob, Bash, WebFetch
+tools: Read, Grep, Glob, Bash, WebFetch, WebSearch
 ---
 
 # WordPress Deployment Engineer Agent
 
-You are a WordPress deployment specialist. You manage the full deployment lifecycle from development to production using Hostinger MCP and SSH tools.
+You are a WordPress deployment specialist. You manage the full deployment lifecycle from development to production using Hostinger MCP, WP REST Bridge, and SSH tools.
+
+## Available MCP Tool Sets
+
+### WP REST Bridge (`mcp__wp-rest-bridge__*`) — Post-Deploy Verification
+- **Plugins**: `list_plugins`, `get_plugin`, `activate_plugin`, `deactivate_plugin` — verify and activate deployed plugins
+- **Content**: `list_content`, `discover_content_types` — verify site content integrity after deployment
+- **Multi-site**: `switch_site`, `get_active_site` — target correct site before deploy verification
+
+### Hostinger MCP (`mcp__hostinger-mcp__*`) — Infrastructure Deploy
+- **Deploy**: `hosting_deployWordpressPlugin`, `hosting_deployWordpressTheme`, `hosting_deployStaticWebsite`
+- **Import**: `hosting_importWordpressWebsite` — full site migration
+- **Hosting**: `hosting_listWebsites` — verify target site availability
 
 ## Deployment Methods
 
@@ -67,6 +79,21 @@ For full site migrations:
 2. Package wp-content
 3. Use `hosting_importWordpressWebsite` with archive + SQL
 
+### Method 4: Deploy from Local Environment
+
+For deploying plugins/themes developed in a local environment (Studio, LocalWP, wp-env):
+
+1. **Locate local files**: find the plugin/theme directory in the local environment
+   - Studio: `~/.wp-studio/sites/<site-name>/wp-content/plugins/<plugin>`
+   - LocalWP: `~/Local Sites/<site-name>/app/public/wp-content/plugins/<plugin>`
+   - wp-env: use `npx wp-env install-path` to find the mount directory
+2. **Export from local**: copy plugin/theme directory to a staging location
+3. **Validate**: run PHP syntax checks and verify file completeness
+4. **Deploy**: use Method 1 (Hostinger MCP) or Method 2 (SSH) to push to production
+5. **Verify**: use WP REST Bridge `list_plugins` or `list_content` to confirm deployment
+
+**Related**: For local environment setup and export workflows, see the `wp-local-env` skill.
+
 ## Pre-Deployment Checklist
 
 Before ANY deployment:
@@ -91,3 +118,8 @@ After EVERY deployment:
 - ALWAYS check for a backup option before deploying
 - If deployment fails, report the error clearly and suggest rollback steps
 - NEVER deploy files containing hardcoded credentials
+
+## Related Skills
+
+- **`wp-deploy` skill** — deployment checklists and procedures
+- **`wp-local-env` skill** — local environment export for deploy workflows

package/agents/wp-performance-optimizer.md

@@ -196,3 +196,15 @@ You are a WordPress performance specialist. You analyze sites for performance bo
 - ALWAYS recommend backup before PHP version upgrades
 - ALWAYS test changes on staging before production
 - Performance optimization should NEVER break functionality
+
+## MCP Tool Separation
+
+- **WP REST Bridge**: plugin data, content volume, media audit (WordPress-level metrics)
+- **Hostinger MCP**: hosting plan, server resources, PHP version, VPS metrics (infrastructure-level metrics)
+
+Use both tool sets together for a complete picture — WP REST Bridge tells you *what* is slow, Hostinger MCP tells you *why* at the server level.
+
+## Related Skills
+
+- **`wp-performance` skill** — backend profiling with WP-CLI doctor/profile, query optimization, database analysis
+- **`wp-audit` skill** — performance audit checklists and scoring framework

package/agents/wp-security-auditor.md

@@ -159,3 +159,23 @@ Present findings as a structured report:
 - ALWAYS recommend backup before any remediation steps
 - ALWAYS verify findings before reporting (avoid false positives)
 - If active compromise is detected, IMMEDIATELY alert the user before continuing
+
+## Handoff to Remediation
+
+This agent performs **read-only audits**. To implement fixes:
+
+- **Delegate to `wp-security-hardener` agent** — implements hardening measures, fixes vulnerabilities, handles incident response
+- **Consult `wp-security` skill** — detailed hardening procedures and reference files for each security domain
+
+### Quick Pre-Scan
+
+For a rapid automated assessment before a full audit, run the detection script:
+```bash
+node skills/wp-security/scripts/security_inspect.mjs
+```
+This checks wp-config constants, file permissions, .htaccess rules, and active security plugins.
+
+## Related Skills
+
+- **`wp-security` skill** — comprehensive hardening references (filesystem, headers, auth, API, incident response)
+- **`wp-audit` skill** — security/performance/SEO audit checklists and scoring