mcp-wordpress 2.11.13 → 3.0.0

package/src/client/operations/taxonomies.ts

@@ -0,0 +1,115 @@
+/**
+ * Taxonomies Operations Module
+ * Handles all taxonomy-related WordPress REST API operations (categories, tags)
+ */
+
+import type {
+  WordPressCategory,
+  WordPressTag,
+  CreateCategoryRequest,
+  UpdateCategoryRequest,
+  CreateTagRequest,
+  UpdateTagRequest,
+} from "@/types/wordpress.js";
+
+/**
+ * Interface for the base client methods needed by taxonomies operations
+ */
+export interface TaxonomiesClientBase {
+  get<T>(endpoint: string): Promise<T>;
+  post<T>(endpoint: string, data?: unknown): Promise<T>;
+  put<T>(endpoint: string, data?: unknown): Promise<T>;
+  delete<T>(endpoint: string): Promise<T>;
+}
+
+/**
+ * Taxonomies operations mixin
+ * Provides CRUD operations for WordPress categories and tags
+ */
+export class TaxonomiesOperations {
+  constructor(private client: TaxonomiesClientBase) {}
+
+  // Categories
+
+  /**
+   * Get a list of categories with optional filtering
+   */
+  async getCategories(params?: Record<string, string | number | boolean>): Promise<WordPressCategory[]> {
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
+    return this.client.get<WordPressCategory[]>(`categories${queryString}`);
+  }
+
+  /**
+   * Get a single category by ID
+   */
+  async getCategory(id: number): Promise<WordPressCategory> {
+    return this.client.get<WordPressCategory>(`categories/${id}`);
+  }
+
+  /**
+   * Create a new category
+   */
+  async createCategory(data: CreateCategoryRequest): Promise<WordPressCategory> {
+    return this.client.post<WordPressCategory>("categories", data);
+  }
+
+  /**
+   * Update an existing category
+   */
+  async updateCategory(data: UpdateCategoryRequest): Promise<WordPressCategory> {
+    const { id, ...updateData } = data;
+    return this.client.put<WordPressCategory>(`categories/${id}`, updateData);
+  }
+
+  /**
+   * Delete a category
+   */
+  async deleteCategory(id: number, force = false): Promise<{ deleted: boolean; previous?: WordPressCategory }> {
+    return this.client.delete(`categories/${id}?force=${force}`);
+  }
+
+  // Tags
+
+  /**
+   * Get a list of tags with optional filtering
+   */
+  async getTags(params?: Record<string, string | number | boolean>): Promise<WordPressTag[]> {
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
+    return this.client.get<WordPressTag[]>(`tags${queryString}`);
+  }
+
+  /**
+   * Get a single tag by ID
+   */
+  async getTag(id: number): Promise<WordPressTag> {
+    return this.client.get<WordPressTag>(`tags/${id}`);
+  }
+
+  /**
+   * Create a new tag
+   */
+  async createTag(data: CreateTagRequest): Promise<WordPressTag> {
+    return this.client.post<WordPressTag>("tags", data);
+  }
+
+  /**
+   * Update an existing tag
+   */
+  async updateTag(data: UpdateTagRequest): Promise<WordPressTag> {
+    const { id, ...updateData } = data;
+    return this.client.put<WordPressTag>(`tags/${id}`, updateData);
+  }
+
+  /**
+   * Delete a tag
+   */
+  async deleteTag(id: number, force = false): Promise<{ deleted: boolean; previous?: WordPressTag }> {
+    return this.client.delete(`tags/${id}?force=${force}`);
+  }
+}

package/src/client/operations/users.ts

@@ -0,0 +1,72 @@
+/**
+ * Users Operations Module
+ * Handles all user-related WordPress REST API operations
+ */
+
+import type { WordPressUser, UserQueryParams, CreateUserRequest, UpdateUserRequest } from "@/types/wordpress.js";
+
+/**
+ * Interface for the base client methods needed by users operations
+ */
+export interface UsersClientBase {
+  get<T>(endpoint: string): Promise<T>;
+  post<T>(endpoint: string, data?: unknown): Promise<T>;
+  put<T>(endpoint: string, data?: unknown): Promise<T>;
+  delete<T>(endpoint: string): Promise<T>;
+}
+
+/**
+ * Users operations mixin
+ * Provides CRUD operations for WordPress users
+ */
+export class UsersOperations {
+  constructor(private client: UsersClientBase) {}
+
+  /**
+   * Get a list of users with optional filtering
+   */
+  async getUsers(params?: UserQueryParams): Promise<WordPressUser[]> {
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
+    return this.client.get<WordPressUser[]>(`users${queryString}`);
+  }
+
+  /**
+   * Get a single user by ID or "me" for current user
+   */
+  async getUser(id: number | "me", context: "view" | "embed" | "edit" = "view"): Promise<WordPressUser> {
+    return this.client.get<WordPressUser>(`users/${id}?context=${context}`);
+  }
+
+  /**
+   * Create a new user
+   */
+  async createUser(data: CreateUserRequest): Promise<WordPressUser> {
+    return this.client.post<WordPressUser>("users", data);
+  }
+
+  /**
+   * Update an existing user
+   */
+  async updateUser(data: UpdateUserRequest): Promise<WordPressUser> {
+    const { id, ...updateData } = data;
+    return this.client.put<WordPressUser>(`users/${id}`, updateData);
+  }
+
+  /**
+   * Delete a user
+   */
+  async deleteUser(id: number, reassign?: number): Promise<{ deleted: boolean; previous?: WordPressUser }> {
+    const params = reassign ? `?reassign=${reassign}&force=true` : "?force=true";
+    return this.client.delete(`users/${id}${params}`);
+  }
+
+  /**
+   * Get the current authenticated user
+   */
+  async getCurrentUser(): Promise<WordPressUser> {
+    return this.getUser("me", "edit");
+  }
+}

package/src/config/ServerConfiguration.ts

@@ -2,12 +2,12 @@ import dotenv from "dotenv";
 import { promises as fsPromises } from "fs";
 import * as path from "path";
 import { fileURLToPath } from "url";
-import { WordPressClient } from "../client/api.js";
-import { CachedWordPressClient } from "../client/CachedWordPressClient.js";
-import { MockWordPressClient } from "../client/MockWordPressClient.js";
-import { WordPressClientConfig } from "../types/client.js";
-import { getErrorMessage } from "../utils/error.js";
-import { LoggerFactory } from "../utils/logger.js";
+import { WordPressClient } from "@/client/api.js";
+import { CachedWordPressClient } from "@/client/CachedWordPressClient.js";
+import { MockWordPressClient } from "@/client/MockWordPressClient.js";
+import { WordPressClientConfig } from "@/types/client.js";
+import { getErrorMessage } from "@/utils/error.js";
+import { LoggerFactory } from "@/utils/logger.js";
 import { ConfigHelpers } from "./Config.js";
 import {
   ConfigurationValidator,

package/src/docs/DocumentationGenerator.ts

@@ -5,9 +5,9 @@
 
 import * as fs from "fs";
 import * as path from "path";
-import * as Tools from "../tools/index.js";
-import type { ToolDefinition } from "../server/ToolRegistry.js";
-import { LoggerFactory } from "../utils/logger.js";
+import * as Tools from "@/tools/index.js";
+import type { ToolDefinition } from "@/server/ToolRegistry.js";
+import { LoggerFactory } from "@/utils/logger.js";
 
 export interface DocumentationConfig {
   outputDir: string;

package/src/performance/MetricsCollector.ts

@@ -4,10 +4,10 @@
  */
 
 import { PerformanceMonitor, PerformanceMetrics } from "./PerformanceMonitor.js";
-import type { CacheStats } from "../cache/CacheManager.js";
-import type { ClientStats } from "../types/client.js";
-import { ConfigHelpers } from "../config/Config.js";
-import { LoggerFactory } from "../utils/logger.js";
+import type { CacheStats } from "@/cache/CacheManager.js";
+import type { ClientStats } from "@/types/client.js";
+import { ConfigHelpers } from "@/config/Config.js";
+import { LoggerFactory } from "@/utils/logger.js";
 
 export interface CollectorConfig {
   enableRealTime: boolean;

package/src/performance/PerformanceMonitor.ts

@@ -3,7 +3,7 @@
  * Collects, analyzes, and reports performance metrics
  */
 
-import { ConfigHelpers } from "../config/Config.js";
+import { ConfigHelpers } from "@/config/Config.js";
 
 export interface PerformanceMetrics {
   // Request Performance

package/src/security/AISecurityScanner.ts

@@ -7,7 +7,7 @@ import * as fs from "fs/promises";
 import * as path from "path";
 import { SecurityUtils } from "./SecurityConfig.js";
 import { SecurityValidationError } from "./InputValidator.js";
-import { LoggerFactory } from "../utils/logger.js";
+import { LoggerFactory } from "@/utils/logger.js";
 
 export interface SecurityVulnerability {
   id: string;
@@ -67,7 +67,7 @@ export interface RemediationResult {
 const SECURITY_PATTERNS = {
   // SQL Injection patterns
   sqlInjection: [
-    /['"\-\-;]|\/\*|\*\//g, // Match quotes, double hyphens, semicolons, and SQL comments
+    /['";\-]|\/\*|\*\/|--/g, // Match quotes, double hyphens, semicolons, and SQL comments
     /(union|select|insert|update|delete|drop|create|alter)\s+/gi,
     /\b(or|and)\s+['"]?\d+['"]?\s*=\s*['"]?\d+['"]?/gi,
     /\b(char|ascii|substring|length|concat)\s*\(/gi,
@@ -75,7 +75,8 @@ const SECURITY_PATTERNS = {
 
   // XSS patterns
   xss: [
-    /<script[^>]*>.*?<\/script>/gis, // Match script tags with any attributes
+    /<script/gi, // Detect script tag start
+    /<\/script/gi, // Detect script tag end
     /javascript\s*:/gi,
     /on\w+\s*=\s*['"][^'"]*['"]?/gi,
     /eval\s*\(/gi,

package/src/security/AutomatedRemediation.ts

@@ -8,7 +8,7 @@ import * as path from "path";
 import { SecurityVulnerability, SecurityScanResult } from "./AISecurityScanner.js";
 import { SecurityUtils } from "./SecurityConfig.js";
 import { SecurityValidationError } from "./InputValidator.js";
-import { LoggerFactory } from "../utils/logger.js";
+import { LoggerFactory } from "@/utils/logger.js";
 
 interface RemediationAction {
   id: string;

package/src/security/InputValidator.ts

@@ -4,7 +4,7 @@
  */
 
 import { z } from "zod";
-import { LoggerFactory } from "../utils/logger.js";
+import { LoggerFactory } from "@/utils/logger.js";
 
 const logger = LoggerFactory.security();
 
@@ -12,7 +12,9 @@ const logger = LoggerFactory.security();
 const URL_PATTERN = /^https?:\/\/[^\s<>'"{}|\\^`\[\]]+$/;
 const EMAIL_PATTERN = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
 const SLUG_PATTERN = /^[a-z0-9-]+$/;
-const SCRIPT_PATTERN = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
+// Patterns for detecting dangerous content (used for validation, not sanitization)
+const SCRIPT_TAG_PATTERN = /<script/gi;
+const SCRIPT_END_PATTERN = /<\/script/gi;
 const SQL_INJECTION_PATTERN = /('|(\\')|(;)|(\\x00)|(\\n)|(\\r)|(\\x1a)|(\\x22)|(\\x27)|(\\x5c)|(\\x60))/i;
 
 /**
@@ -23,9 +25,9 @@ export const SecuritySchemas = {
   safeString: z
     .string()
     .max(10000, "String too long")
-    .refine((val) => !SCRIPT_PATTERN.test(val), "Script tags not allowed")
-    .refine((val) => !val.includes("javascript:"), "JavaScript URLs not allowed")
-    .refine((val) => !val.includes("data:"), "Data URLs not allowed")
+    .refine((val) => !SCRIPT_TAG_PATTERN.test(val) && !SCRIPT_END_PATTERN.test(val), "Script tags not allowed")
+    .refine((val) => !/javascript\s*:/i.test(val), "JavaScript URLs not allowed")
+    .refine((val) => !/data\s*:/i.test(val), "Data URLs not allowed")
     .refine((val) => !val.includes("onerror="), "Event handlers not allowed")
     .refine((val) => !val.includes("onload="), "Event handlers not allowed")
     .refine((val) => !val.includes("onfocus="), "Event handlers not allowed"),
@@ -34,8 +36,8 @@ export const SecuritySchemas = {
   htmlContent: z
     .string()
     .max(100000, "Content too long")
-    .refine((val) => !SCRIPT_PATTERN.test(val), "Script tags not allowed")
-    .refine((val) => !val.includes("javascript:"), "JavaScript URLs not allowed")
+    .refine((val) => !SCRIPT_TAG_PATTERN.test(val) && !SCRIPT_END_PATTERN.test(val), "Script tags not allowed")
+    .refine((val) => !/javascript\s*:/i.test(val), "JavaScript URLs not allowed")
     .refine((val) => !val.includes("on[a-z]+="), "Event handlers not allowed"),
 
   // URL validation
@@ -43,8 +45,8 @@ export const SecuritySchemas = {
     .string()
     .url("Invalid URL format")
     .regex(URL_PATTERN, "URL contains invalid characters")
-    .refine((val) => !val.includes("javascript:"), "JavaScript URLs not allowed")
-    .refine((val) => !val.includes("data:"), "Data URLs not allowed"),
+    .refine((val) => !/javascript\s*:/i.test(val), "JavaScript URLs not allowed")
+    .refine((val) => !/data\s*:/i.test(val), "Data URLs not allowed"),
 
   // Email validation
   email: z
@@ -64,8 +66,11 @@ export const SecuritySchemas = {
   wpContent: z
     .string()
     .max(1000000, "Content too long")
-    .refine((val) => !SCRIPT_PATTERN.test(val), "Script tags not allowed in content")
-    .refine((val) => !val.includes("javascript:"), "JavaScript URLs not allowed"),
+    .refine(
+      (val) => !SCRIPT_TAG_PATTERN.test(val) && !SCRIPT_END_PATTERN.test(val),
+      "Script tags not allowed in content",
+    )
+    .refine((val) => !/javascript\s*:/i.test(val), "JavaScript URLs not allowed"),
 
   // Site ID validation
   siteId: z
@@ -111,14 +116,26 @@ export class InputSanitizer {
    * Sanitize HTML content by removing dangerous elements
    */
   static sanitizeHtml(input: string): string {
-    return input
-      .replace(SCRIPT_PATTERN, "") // Remove script tags
-      .replace(/javascript:/gi, "") // Remove javascript: URLs
-      .replace(/data:/gi, "") // Remove data: URLs
-      .replace(/on[a-z]+\s*=/gi, "") // Remove event handlers
-      .replace(/<iframe[^>]*>/gi, "") // Remove iframes
-      .replace(/<object[^>]*>/gi, "") // Remove objects
-      .replace(/<embed[^>]*>/gi, ""); // Remove embeds
+    let result = input;
+    let previous = "";
+
+    // Apply sanitization repeatedly until no more changes occur
+    // This prevents bypass via nested dangerous patterns like "jajavascript:vascript:"
+    while (result !== previous) {
+      previous = result;
+      result = result
+        .replace(/<script[^>]*>/gi, "") // Remove script open tags
+        .replace(/<\/script[^>]*>/gi, "") // Remove script close tags
+        .replace(/javascript\s*:/gi, "") // Remove javascript: URLs (with optional whitespace)
+        .replace(/data\s*:/gi, "") // Remove data: URLs (with optional whitespace)
+        .replace(/vbscript\s*:/gi, "") // Remove vbscript: URLs
+        .replace(/on[a-z]+\s*=/gi, "") // Remove event handlers
+        .replace(/<iframe[^>]*>/gi, "") // Remove iframes
+        .replace(/<object[^>]*>/gi, "") // Remove objects
+        .replace(/<embed[^>]*>/gi, ""); // Remove embeds
+    }
+
+    return result;
   }
 
   /**