Skip to content

v1.19.0 — post-write render check (P0.2 complete)

Choose a tag to compare

@BenKalsky BenKalsky released this 07 Jul 15:37
5206c3d

Post-write render check with auto-revert — P0.2 complete

The third and final plank of P0.2 (bring fork writes under SiteAgent governance). Together with 1.17.0 (capture-before-write snapshot + rollback) and 1.18.0 (server-enforced Ed25519 grants), governed Elementor page edits now have snapshot → approve → write → verify-render → auto-revert safety end to end.

When enabled, after a successful governed edit the edited page's front end is fetched and, if it comes back definitely broken, the write is reverted to its pre-write snapshot and the tool returns governance_render_failed (or governance_rollback_failed if the revert itself fails). A write that succeeds at the data layer but produces a white screen / fatal no longer ships.

Fail-safe by construction

  • Definitely broken = HTTP 5xx (a real PHP fatal is served with a 500) or an empty 2xx body (WSOD). A 200 body is never scanned for a fatal string, so ordinary page copy can't trip it.
  • Baselined: the page's render is probed before the write; a rollback fires only when a confirmed-healthy page turns broken — never when the pre-write render couldn't be confirmed healthy (maintenance mode, unrelated 5xx, a flaky/inconclusive probe).
  • Never reverts on ambiguity: a transient loopback WP_Error, a 3xx/4xx (auth redirect, WAF 401/403), a draft/private page, or an elementor_library template/popup is inconclusive → the write stands.
  • Edits only: create-style tools aren't render-checked (reverting a create would leave an orphan post behind).

Loopback hardening (SSRF-safe)

  • Validates the permalink is on the site's own origin (scheme + host + port) before fetching — a get_permalink filter pointing off-origin is refused.
  • Does not follow redirects (redirection => 0) — an open redirect can't turn the probe into an SSRF hop.
  • Keeps TLS verification on — a spoofed cert can't control the probe result.
  • Cache-busts the probe and bounds the response size so a warm cache can't mask a fresh fatal and a large page can't exhaust memory.

Opt-in

Default OFF (adds a loopback per write); enable via the elementor_mcp_render_check option / filter (or emcp_governance_render_check()). Fires elementor_mcp_governance_render_reverted on revert; opt-in cleared on uninstall.

Tests

Full suite 676 green; 43 GovernanceFunctionalTest cases. Converged over 11 Codex review rounds — every round hardened the loopback probe (SSRF, TLS, memory, caching, baseline correctness, create/template handling). All 12 findings were real.