v1.19.0 — post-write render check (P0.2 complete)
Post-write render check with auto-revert — P0.2 complete
The third and final plank of P0.2 (bring fork writes under SiteAgent governance). Together with 1.17.0 (capture-before-write snapshot + rollback) and 1.18.0 (server-enforced Ed25519 grants), governed Elementor page edits now have snapshot → approve → write → verify-render → auto-revert safety end to end.
When enabled, after a successful governed edit the edited page's front end is fetched and, if it comes back definitely broken, the write is reverted to its pre-write snapshot and the tool returns governance_render_failed (or governance_rollback_failed if the revert itself fails). A write that succeeds at the data layer but produces a white screen / fatal no longer ships.
Fail-safe by construction
- Definitely broken = HTTP 5xx (a real PHP fatal is served with a 500) or an empty 2xx body (WSOD). A 200 body is never scanned for a fatal string, so ordinary page copy can't trip it.
- Baselined: the page's render is probed before the write; a rollback fires only when a confirmed-healthy page turns broken — never when the pre-write render couldn't be confirmed healthy (maintenance mode, unrelated 5xx, a flaky/inconclusive probe).
- Never reverts on ambiguity: a transient loopback
WP_Error, a 3xx/4xx (auth redirect, WAF 401/403), a draft/private page, or anelementor_librarytemplate/popup is inconclusive → the write stands. - Edits only: create-style tools aren't render-checked (reverting a create would leave an orphan post behind).
Loopback hardening (SSRF-safe)
- Validates the permalink is on the site's own origin (scheme + host + port) before fetching — a
get_permalinkfilter pointing off-origin is refused. - Does not follow redirects (
redirection => 0) — an open redirect can't turn the probe into an SSRF hop. - Keeps TLS verification on — a spoofed cert can't control the probe result.
- Cache-busts the probe and bounds the response size so a warm cache can't mask a fresh fatal and a large page can't exhaust memory.
Opt-in
Default OFF (adds a loopback per write); enable via the elementor_mcp_render_check option / filter (or emcp_governance_render_check()). Fires elementor_mcp_governance_render_reverted on revert; opt-in cleared on uninstall.
Tests
Full suite 676 green; 43 GovernanceFunctionalTest cases. Converged over 11 Codex review rounds — every round hardened the loopback probe (SSRF, TLS, memory, caching, baseline correctness, create/template handling). All 12 findings were real.