{
  "version": "3.4.3",
  "download_url": "https://updates.mcpwp.net/mcpwp-agency-3.4.3.zip",
  "requires": "5.0",
  "requires_php": "7.4",
  "tested": "6.9",
  "name": "MCPWP",
  "homepage": "https://mcpwp.net/",
  "author": "Mumega",
  "author_homepage": "https://mumega.com/",
  "changelog": "<strong>3.4.3</strong> — fix(oauth): Claude connector registration behind HTTPS proxies; OAuth discovery endpoints now use the public issuer origin instead of internal http REST URLs<h4>3.4.2</h4> — fix(oauth): Claude connector registration compatibility; protected-resource metadata now advertises the issuer and Dynamic Client Registration supports client_secret_basic<h4>3.4.1</h4> — fix(oauth): Dynamic Client Registration for claude.ai and ChatGPT connectors; OAuth clients can register automatically without manual Client ID setup<h4>3.4.0</h4> — feat: GET /openapi.json — OpenAPI 3.0 schema from free-tools registry; ChatGPT GPT Actions support<h4>3.3.9</h4> — fix(ux): staging tools now visible in tools/list on all plans (non-Pro calls return upgrade prompt); MCP server instructions note Pro-gated features when unlicensed<h4>3.3.8</h4> — feat(staging): Pro staging — WP Engine/Kinsta/Pressable adapters + Generic WP-CLI fallback; REST /staging GET/POST/status; 4 MCP tools (wp_get_staging_info, wp_push_to_staging, wp_push_to_live, wp_get_staging_status); push-to-live gated by approval workflow; three new integration providers; SSRF mitigated<h4>3.3.7</h4> — feat(T50): MCP resources/list returns 6 real site resources (site-info, context, pages, posts, design-refs, elementor-status); resources/read proxies to mcpwp/v1 REST with API key forwarding; feat(T51): MCP prompts/list returns 5 named templates (audit-seo, build-page, refresh-content, onboard, design-match); prompts/get fills arguments and returns messages[]; both declared in initialize capabilities<h4>3.3.6</h4> — fix(#575): wp_upload_media_b64 now exposes mime_type in MCP schema; fix(#576): wp_update_menu_item errors include actionable ID-lookup hints; feat(#577): wp_list_media search param + image-reuse guidance; fix(#578): design-reference retry guidance in tool description and missing_image error — fix(#575): wp_upload_media_b64 now exposes mime_type in MCP schema; fix(#576): wp_update_menu_item errors include actionable ID-lookup hints; feat(#577): wp_list_media search param + image-reuse guidance; fix(#578): design-reference retry guidance in tool description and missing_image error<h4>3.3.5</h4> — feat: before/after change summary on wp_update_page/wp_update_post (changes[], unchanged[]); structural_changes on wp_set_elementor (sections/widgets before+after); fix(security): sslverify=false in CSS-prime loopback<h4>3.3.4</h4> — Fix(security): SSRF redirect bypass in wp_get_rendered_copy fetcher — redirection=0 was missing; redirect chains could bypass same-host allowlist<h4>3.3.3</h4> — Mutation tool schema docs: wp_create/update_page now documents parent/template/menu_order; wp_create/update_post documents categories and tags; fix(security): SSRF redirect bypass closed — fetchers pass redirection=0 to prevent redirect chains bypassing same-host allowlist<h4>3.3.2</h4> — New: wp_get_rendered_copy tool returns structured visible text from live rendered page (headings, paragraphs, button labels, list items, link text, image alts) — ground truth for copy audits (#569); Fix(security): sslverify=false in wp_get_rendered_html fixed<h4>3.3.1</h4> — New: wp_flush_cache tool flushes WP page cache (W3TC, WP Super Cache, LiteSpeed, WP Rocket, Breeze, Cloudflare) after bulk edits (#568); Elementor write tools surface validation_warnings in response (#571); Fix(security): batch sub-request rate-limit bypass via static flag, not HTTP header (#573); /onboard adds suggested_first_tools + quick_start (#574)<h4>3.3.0</h4> — <strong>3.3.0</strong> — Render-truth validation: every validator now has validation_basis + note; validate_structured_data fetches live JSON-LD from rendered page; validate_internal_links covers Elementor widget links; validate_blocks notes dynamic-render caveat; audit_seo_site shows per-URL basis (#569)<h4>3.2.9</h4> — New: validate_seo_readiness fetches live rendered &lt;head&gt; for published pages; issues reconciled against ground truth; rendered_head + validation_basis in response (#569)<h4>3.2.8</h4> — Fix: SEO readiness detects AIOSEO excerpt fallback (no false 'missing meta description'); apply_internal_link now checks Elementor data for existing links before inserting (#569)<h4>3.2.7</h4> — New: wp_bulk_upload_media tool for migrations (up to 20 URLs, one rate-limit count) (#566)<h4>3.2.6</h4> — REST Pro gate enforced (#564), dead hostname routing removed (#547), rate status identifier fix (#533)<h4>3.2.5</h4><ul><li>Elementor ID dedup (#565), MCP rate-limit fix (#566), CSS verification improvements (#567)</li></ul><h4>3.2.4</h4><ul><li>Security: Encryption key is now stored in a dedicated WordPress option (mcpwp_encryption_key) instead of being derived from AUTH_SALT. AUTH_SALT rotation no longer silently corrupts stored provider credentials. A one-time non-destructive migration re-encrypts existing blobs on first load; blobs that cannot be decrypted are preserved as-is with an admin notice listing affected providers.</li><li>Security: Admin AJAX pro-gate bypass is now restricted to verified admin users with activate_plugins capability, confirmed nonce, and an explicit action allowlist — replacing the open apply_filters hook.</li></ul><h4>3.2.3</h4><ul><li>Improved: screenshots return media-library URLs by default (inline=true for base64).</li><li>Improved: wp_get_elementor drops the duplicate raw-JSON payload (include_raw=true to restore).</li></ul><h4>3.2.2</h4><ul><li>New: Pro tools on Free installs return a clear upgrade-path error (pro_required) instead of \"unknown tool\".</li><li>Improved: /introspect compact by default (~80% smaller; ?full=true for legacy full schemas).</li><li>Fixed: /option refuses plain-string overwrites of array options (decodes JSON; force_type_change to override).</li><li>Fixed: numeric JSON types for analytics counts and Elementor page_id.</li></ul><h4>3.2.1</h4><ul><li>Maintenance: Internal rebrand cleanup (spai→mcpwp) — cron label, code comments, and admin JS object renamed. Webhook deliveries now also emit X-MCPWP-Signature/X-MCPWP-Event/X-MCPWP-Webhook-ID headers alongside existing X-SPAI-* headers (both sets sent; X-SPAI-* retained for backward-compat). MCP tools/list response now also includes x_mcpwp envelope key alongside x_spai. Bridge migration of legacy sites unchanged.</li></ul><h4>3.2.0</h4><ul><li>New: Minimal OAuth 2.1 authorization server — MCP clients (Claude Desktop, ChatGPT) can now authenticate via browser sign-in. Adds RFC 9728 protected-resource metadata, RFC 8414 authorization-server metadata, PKCE S256 authorize endpoint, and token exchange (authorization_code + refresh_token). X-API-Key authentication is unchanged. Requires oauth_enabled setting + allow-listed redirect URIs to activate.</li><li>Fix: wp_recall PHP 8.x compatibility (#534).</li></ul><h4>3.1.0</h4><ul><li>New: Seamless migration bridge — sites upgrading from the earlier site-pilot-ai build carry over all content, API keys, OAuth access tokens, settings, and licensing entitlement automatically. Existing keys keep authenticating during and after the change; migration is idempotent and non-destructive (originals left intact for rollback).</li><li>New: Dual-prefix authentication — legacy keys and OAuth tokens continue to work alongside new mcpwp_ credentials, with original scopes preserved.</li><li>Compliance: WordPress.org Plugin Check clean (0 errors); the WordPress.org build makes no third-party network calls; GPL-2.0.</li><li>Docs: per-site cutover runbook and verified MCP client connect matrix added.</li></ul><h4>3.0.1</h4><ul><li>Fix: signals fatal on every compute — compute_seo_issues() called private get_issues() and filtered on severity 'critical' (store never writes it); now uses public list_issues(status=open, severity=error).</li><li>Fix: GET /signals lazily computes on first read — closes permanently-empty feed on low-traffic hosts where WP-Cron never fires. Response includes last_computed, partial, skipped_types.</li><li>Fix: compute_pending_updates() no longer hits wordpress.org on web requests — reads cached transient; network refresh is cron-only.</li><li>Improvement: compute() time-budgeted — over-budget signal types skip and preserve stored values; reported via mcpwp_signals_meta.</li><li>Licensing: Freemius single source of truth — removed legacy local trial and Lemon Squeezy store that could independently grant Pro. New get_license_info() accessor guarantees plan/is_pro consistency.</li><li>Hardening (G5): gateway tool-registration contract enforced; unknown tools rejected at tools/call.</li><li>Refactor (G1–G4): split REST Site, tool mega-files, Admin, and Elementor Basic into focused per-surface controllers and trait groups (no behavior change).</li></ul><h4>3.0.0</h4><ul><li>Rebrand: the plugin is now MCPWP throughout — folder, main file, classes, function\\/option prefixes, constants, text domain, and REST namespace (mcpwp\\/v1). A clean reinstall is recommended; settings and API keys are re-created fresh.</li></ul><h4>2.8.56</h4><ul><li>Fix: front-end fatal error (\"Class Spai_Elementor_Chat_Widget not found\") when Elementor initialized widgets before the chat-widget class was defined under certain plugin load orders. Widget registration is now guarded and skips safely instead of crashing the site.</li><li>Fix: capability detection now refreshes immediately when a plugin is activated or deactivated. The capabilities response (woocommerce, learnpress, etc.) was cached up to an hour, so a newly-enabled integration could report as unavailable — making connected AI agents blind to tools that were actually ready. The cache is now cleared on plugin activate/deactivate.</li></ul><h4>2.8.55</h4><ul><li>Improvement: Admin JavaScript consolidated into a single enqueued, cacheable asset — inline scripts removed from Setup, Tools, Chat, and Integrations pages; data passed via wp_localize_script.</li><li>Fix: PostHog analytics now initializes exactly once (was double-initialized on Tools and Integrations pages).</li><li>Fix: admin script now loads on every MCPWP page (Control Room and Chat previously missing it).</li><li>Security: chat history JSON data element is now tag-escaped, preventing a stored message containing markup from breaking out of the script element.</li><li>Design system: added surface/border/text and status color tokens plus a radius scale; consolidated two badge styles into one; replaced hardcoded values with tokens and status classes.</li></ul><h4>2.8.54</h4><ul><li>Improvement: Control Room — empty-state guidance, in-page section navigation, change summaries on pending approvals, and a confirm before applying changes.</li><li>Improvement: Library — design-reference form split into Required/Optional groups, consistent cards, clearer empty states.</li><li>Improvement: Integrations — upgrade link always shown on Pro cards with per-provider unlock descriptions; version pill; translatable status messages.</li><li>Accessibility: input label associations, a 1024px responsive breakpoint, fluid chat height.</li></ul><h4>2.8.53</h4><ul><li>New: Setup onboarding checklist — 3-step guide (generate key → connect → first tool call) so new users always know the next step.</li><li>Improvement: Chat shows a \"connect OpenAI or Gemini\" notice when no AI provider is configured, instead of silently degrading.</li><li>Accessibility: tool toggles now show a visible keyboard focus ring (WCAG 2.1 AA).</li><li>Polish: clearer \"Update channel\" labeling; removed a stale admin template; design-system cleanups.</li></ul><h4>2.8.52</h4><ul><li>New: wp_keyword_research — keyless keyword research via Google Suggest. Expands a seed phrase into related keywords and grouped questions (long-tail terms, content ideas, SEO topic discovery). No API key required.</li></ul><h4>2.8.51</h4><ul><li>Fix: wp_bulk_find_replace no longer returns \"not found\" for searches containing HTML tags or URL slashes — the pre-check ran on raw JSON (where &lt; is stored as \\u003c and / as \\/); it now matches on the decoded element tree.</li><li>Fix: wp_bulk_find_replace no longer corrupts page structure when a search term overlaps Elementor vocabulary — structural keys (elType, widgetType, id, isInner, structure) are excluded from replacement.</li><li>Hardening: find-replace search term now requires a minimum length of 1.</li><li>Tests: added Elementor find/replace regression suite.</li></ul><h4>2.8.50</h4><ul><li>New: spai_register_tools filter — third-party plugins register MCP tools with a simple array, no PHP class required. Full dispatch, category, scope, and destructive/open_world hints supported.</li><li>Improvement: 56 tool descriptions rewritten for BM25 search accuracy — more specific verbs, synonyms, and use-case context.</li><li>Docs: openapi-chatgpt.yaml updated to v2.8.50 — adds /onboard, menus, approvals, full Elementor edit suite, /batch, and 24 other missing endpoints. 49 operations total.</li></ul><h4>2.8.49</h4><ul><li>New: Blueprint Library — wp_list_site_blueprints/wp_deploy_site_blueprint/wp_extract_site_blueprint. Deploy 5 starter site structures (law firm, restaurant, SaaS, real estate, portfolio) or save custom blueprints from your existing site.</li><li>New: Chat Excellence — multi-model routing (OpenAI GPT-4o mini, Gemini 2.5 Flash, Workers AI), SSE streaming, persistent history per user, Clear button, model indicator.</li><li>New: Destructive tool confirmation in chat — delete/rollback tools require explicit OK before executing.</li><li>New: Chat model picker in Settings.</li></ul><h4>2.8.48</h4><ul><li>New: Dynamic site memory — wp_remember/wp_recall/wp_forget/wp_list_memories. AI decisions and brand rules persist across sessions in structured namespaces.</li><li>New: Proactive site signals — wp_get_signals surfaces stale content, broken Elementor data, missing featured images, draft accumulation, plugin updates, and SEO issues without being asked.</li><li>New: Site Signals panel in Control Room with severity indicators and direct edit links.</li></ul><h4>2.8.47</h4><ul><li>New: White-label mode — agency name, logo, primary color, and chat greeting configurable in WP Admin > Settings.</li><li>New: [mcpwp_chat] shortcode renders branded floating chat widget on any page or post.</li><li>New: Elementor chat widget wrapping the shortcode (available in Elementor widget panel).</li><li>New: Agency custom hostname routing in proxy worker (CNAME ai.agency.com → proxy.mcpwp.net via KV).</li></ul><h4>2.8.46</h4><ul><li>New: AI action audit log — every write-tool call logged to DB with before/after state snapshots (EU AI Act compliance).</li><li>New: One-click rollback for post/page updates and Elementor writes in Control Room.</li><li>New: CSV export of action log for compliance reporting.</li><li>New: Configurable log retention (default 90 days, daily auto-prune).</li></ul><h4>2.8.45</h4><ul><li>New: Server-side MCP tool analytics — anonymous tool call data (tool name, success/failure, duration) sent to PostHog when enabled. Opt-in for free tier, opt-out for paid. No site content or PII collected.</li><li>New: Site support UUID in Settings page.</li><li>New: PostHog token and host configurable via WP Admin > Integrations.</li><li>Docs: Privacy section added to readme.txt per WP.org guidelines.</li></ul><h4>2.8.44</h4><ul><li>New: PostHog analytics integration — configure token via WP Admin > Integrations. Tracks 10 key admin actions (API key copy, connection test, upgrade click, key create/revoke, integration save/remove, tool toggle, client tab switch).</li><li>Fix: PostHog token no longer hardcoded — removed default public token, must be configured per-site.</li></ul><h4>2.8.43</h4><ul><li>Fix: wp_set_template_conditions accepts positional array form [\"include\",\"singular\",\"product\"] — was flattening to include>general.</li><li>Fix: wp_get_elementor_globals returns both system_typography/custom_typography and system_colors/custom_colors.</li><li>Fix: wp_upload_media_from_url now exposes filename, title, alt params in tools/list.</li><li>Fix: Elementor v4 atomic elements skip settings key validation (they use props/styles).</li><li>Fix: Form widget schema includes button color keys — removes false-positive validator warnings.</li></ul><h4>2.8.42</h4><ul><li>Fix: Theme handler corrupted entries removed — only Astra, GeneratePress, Kadence remain with accurate settings_type.</li><li>Fix: Integrations admin page JS handlers now implemented (save/remove/test connection).</li><li>Fix: version.json download_url corrected (was 404).</li><li>Polish: Admin UI inline styles extracted to CSS classes.</li></ul><h4>2.8.41</h4><ul><li>Fix: Scoped API key scope enforcement — submitted scopes now respected with role-based ceiling; non-admin roles capped at read+write.</li><li>Fix: SEO MCP tool contract — normalized title/description/canonical_url fields, bulk items alias, Google Indexing tools fixed.</li><li>New: wp_create/get/update_elementor_custom_code — Elementor Pro custom code snippets with location, conditions, and dry_run.</li></ul><h4>2.8.40</h4><ul><li>Fix: wp_validate_seo_readiness transport deserialize error on large sites — graph query reduced from 500 to 100 posts.</li><li>Fix: MCP tools/call handles json_encode failure gracefully.</li><li>Polish: MCPWP admin shell with CSS design tokens, dark product headers, shared card/badge/toggle components; admin assets load by page slug (#342, #344).</li><li>Assets: Refreshed WordPress.org banner, icon, and screenshots to MCPWP branding (#341).</li></ul><h4>2.8.38</h4><ul><li>New: wp_update_media — update alt text, title, caption, or description on existing attachments without re-uploading.</li></ul><h4>2.8.37</h4><ul><li>Fix: PHP fatal in wp_seo_audit_site and wp_validate_seo_readiness — extract_internal_links_from_content() moved to base class.</li><li>Fix: Disabled tool categories now enforced at execution time, not just discovery.</li><li>Fix: Elementor custom-code tools hidden from tools/list when Elementor Pro is not installed.</li></ul><h4>2.8.36</h4><ul><li>Fix: wp_bulk_find_replace operates on decoded element tree to prevent JSON corruption.</li><li>New: wp_get_kit_css and wp_set_kit_css for Elementor kit global CSS.</li></ul>"
}
