Skip to content

Add/mcp Server#117

Merged
jasperf merged 15 commits into
mainfrom
add/mcp-server
Jul 8, 2026
Merged

Add/mcp Server#117
jasperf merged 15 commits into
mainfrom
add/mcp-server

Conversation

@jasperf

@jasperf jasperf commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

MCP Server integration is now available for WordPress operations, providing a structured protocol interface for AI assistants to interact with Trellis-managed sites through a TypeScript-based server with support for both stdio and HTTP transports. This release introduces six core MCP tools covering database backups, security scanning, WP-CLI execution, and newly added SEO auditing capabilities for redirects and structured data schemas. The implementation includes runtime validation of site configuration via a Zod schema, a Docker deployment path with documented VM transport limitations, and complementary standalone wp-cli/seo shell scripts for blog, page, orphan-page, redirect, and schema auditing. Supporting documentation was expanded across the repository, including a new MCP server recommendations guide and sanitization of remaining imagewize.com references from shared docs and scripts. The change set totals 39 files and roughly 6,300 insertions, reflecting a new subsystem alongside incremental documentation and configuration updates throughout the existing toolset.

MCP Server Core and Tools:

  • Added a new mcp-server/ project scaffold with TypeScript source, Dockerfile, .dockerignore/.gitignore, and package configuration to host the MCP server independently of the rest of the repository.
  • Implemented security_scan, db_backup, and wp_cli MCP tools to expose existing WordPress operational workflows through the MCP protocol.
  • Added redirect_audit and schema_audit MCP tools alongside corresponding standalone scripts, extending server capabilities into SEO auditing.
  • Added Trellis VM transport support to the MCP server tools, enabling execution against VM-based environments in addition to standard SSH transport, with the Docker documentation noting a known limitation for this transport.
  • Introduced Zod-based schema validation for sites.json to catch malformed site configuration at load time rather than at first use.

Documentation:

  • Added docs/mcp-server-recommendations.md and a dedicated mcp-server/README.md documenting setup, usage, and configuration of the new server.
  • Added a new MCP Server section to the root README.md and a corresponding CHANGELOG entry for version 3.0.0, marking the MCP server as a versioned feature addition.
  • Updated CHANGELOG.md, scripts/README.md, wp-cli/README.md, and several Trellis/troubleshooting docs (FAIL2BAN.md, MANUAL-IP-BLOCKING.md, security README.md, updater/README.md, MULTI-SITE-ADDITION.md) for consistency with the new tooling and to sanitize residual imagewize.com references.

SEO Audit Scripts:

  • Added wp-cli/seo/ with blog-audit.sh, orphan-pages-audit.sh, page-audit.sh, redirect-audit.sh, and schema-audit.sh, plus a README.md describing usage, giving operators standalone shell-based equivalents to the new MCP audit tools.

Configuration and Maintenance:

  • Updated .vibe/config.toml and monitoring scripts (404-checker.sh, cf7-smoke-test.js, post-count.sh) as part of general repository maintenance alongside the MCP server introduction.
  • Updated bedrock/local-package-development/README.md and wordpress-utilities/snippets/wp-template-db-override-wpcli.md for accuracy and consistency with the broader documentation pass.

Files Changed:

Dependency lock files updated: package-lock.json,

jasperf and others added 15 commits July 8, 2026 09:23
Node/TypeScript setup for a new MCP server exposing wp-ops operations
as tools: package manifest, TS config, and git/docker ignore rules.
Registers a security_scan tool that runs the wp-cli/security scanners
against a registered site/environment (local exec or streamed over SSH
stdin for remote hosts, so nothing touches disk remotely). Site/env
lookup comes from a gitignored config/sites.json, resolved via
registry.ts against the example template.

Supports both transports: stdio (default, for Claude Code/Desktop) and
Streamable HTTP behind a required bearer token, since the HTTP mode can
reach staging/production over SSH and must not listen unauthenticated.
Builds from the repo root (not mcp-server/) since the image needs
wp-cli/security/ alongside the server code for the security_scan tool.
Installs php-cli and openssh-client for local/remote scanner execution.
Covers site registry setup, registering the server with Claude Code/
Desktop, running as a Streamable HTTP service, Docker usage, the local
dev loop, and the pattern for adding new tools.
Documents the new mcp-server addition as a major version bump: the
first executable service shipped in the repo rather than scripts/docs.
Links the new mcp-server/ tool from the main contents/table structure,
matching the existing category format.
Runs wp db export against a registered site/environment, gzips the
result, and saves it locally. Remote environments stream the export
over SSH stdout so nothing touches disk on the remote host, matching
security_scan's pattern. Dockerfile now installs WP-CLI so the tool
works inside the container too.
Runs an arbitrary WP-CLI command (passed as an argv array, not a
shell string) against a registered site/environment. Read-only verbs
run immediately; anything else requires confirm: true. Remote
arguments are individually shell-quoted before being sent over ssh,
since ssh otherwise concatenates trailing argv into one string for
the remote shell to re-parse — a real injection vector for a
passthrough tool that takes arbitrary caller-supplied arguments.
A Trellis development box keeps the database inside the VM, so running wp
against host files fails to connect. Add trellisDir/vmWorkdir/vmPath to the
site registry and route DB-dependent tools through `trellis vm shell`:

- wp_cli and db_backup are VM-first (they need the database)
- security_scan still prefers host localPath, since the scanners only read
  files and need no database or VM round trip
Bad config previously failed deep inside a tool call with a confusing
error. Now loadRegistry() rejects malformed JSON and invalid entries
(missing transport, mismatched sshHost/remotePath or
trellisDir/vmWorkdir pairs) at load time with a clear per-path message.
…cripts

Adds two new MCP tools (redirect_audit, schema_audit) covering redirect
chain and JSON-LD schema markup auditing over HTTP, plus the matching
wp-cli/seo/ shell scripts (page, redirect, schema, blog, orphan-pages
audits) for running the same checks directly against a WordPress site.

Schema detection in both the TS tool and schema-audit.sh now matches
script tags with extra attributes (e.g. Yoast/Rank Math's class
attribute) instead of requiring an exact opening tag, and also fixes a
missing-quote typo in schema-audit.sh that made its detection grep never
match anything. The www-canonicalization check in both redirect_audit
and redirect-audit.sh now strips a leading "www." from the domain before
building the test URL, avoiding a "www.www.example.com" false negative
on sites whose canonical URL is already the www form.
Trellis dev VM sites depend on trellis vm shell, which drives a
Vagrant/VirtualBox VM on the host - unreachable from inside the
container, and the trellis CLI isn't installed in the image either.
…endations doc

Replace leftover hardcoded imagewize.com references with the example.com
placeholder across docs and scripts, and add docs/mcp-server-recommendations.md
covering setup gaps and follow-up work for the MCP server.
Sanitized all references to the robdisbergen client project, replacing with
generic 'client' placeholder across security scanner docs and scripts.

Files updated:
- docs/mcp-server-recommendations.md
- wp-cli/diagnostics/diagnostic-transients.php
- wp-cli/diagnostics/transient-debug-browser.php
- wp-cli/security/SCANNER-SUMMARY.md
- wp-cli/security/SECURITY-GUIDE.md
- wp-cli/security/scanner-general.php
- wp-cli/security/scanner-targeted.php

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
@jasperf jasperf merged commit 1f02e07 into main Jul 8, 2026
@jasperf jasperf deleted the add/mcp-server branch July 8, 2026 04:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant