Add/mcp Server#117
Merged
Merged
Conversation
Node/TypeScript setup for a new MCP server exposing wp-ops operations as tools: package manifest, TS config, and git/docker ignore rules.
Registers a security_scan tool that runs the wp-cli/security scanners against a registered site/environment (local exec or streamed over SSH stdin for remote hosts, so nothing touches disk remotely). Site/env lookup comes from a gitignored config/sites.json, resolved via registry.ts against the example template. Supports both transports: stdio (default, for Claude Code/Desktop) and Streamable HTTP behind a required bearer token, since the HTTP mode can reach staging/production over SSH and must not listen unauthenticated.
Builds from the repo root (not mcp-server/) since the image needs wp-cli/security/ alongside the server code for the security_scan tool. Installs php-cli and openssh-client for local/remote scanner execution.
Covers site registry setup, registering the server with Claude Code/ Desktop, running as a Streamable HTTP service, Docker usage, the local dev loop, and the pattern for adding new tools.
Documents the new mcp-server addition as a major version bump: the first executable service shipped in the repo rather than scripts/docs.
Links the new mcp-server/ tool from the main contents/table structure, matching the existing category format.
Runs wp db export against a registered site/environment, gzips the result, and saves it locally. Remote environments stream the export over SSH stdout so nothing touches disk on the remote host, matching security_scan's pattern. Dockerfile now installs WP-CLI so the tool works inside the container too.
Runs an arbitrary WP-CLI command (passed as an argv array, not a shell string) against a registered site/environment. Read-only verbs run immediately; anything else requires confirm: true. Remote arguments are individually shell-quoted before being sent over ssh, since ssh otherwise concatenates trailing argv into one string for the remote shell to re-parse — a real injection vector for a passthrough tool that takes arbitrary caller-supplied arguments.
A Trellis development box keeps the database inside the VM, so running wp against host files fails to connect. Add trellisDir/vmWorkdir/vmPath to the site registry and route DB-dependent tools through `trellis vm shell`: - wp_cli and db_backup are VM-first (they need the database) - security_scan still prefers host localPath, since the scanners only read files and need no database or VM round trip
Bad config previously failed deep inside a tool call with a confusing error. Now loadRegistry() rejects malformed JSON and invalid entries (missing transport, mismatched sshHost/remotePath or trellisDir/vmWorkdir pairs) at load time with a clear per-path message.
…cripts Adds two new MCP tools (redirect_audit, schema_audit) covering redirect chain and JSON-LD schema markup auditing over HTTP, plus the matching wp-cli/seo/ shell scripts (page, redirect, schema, blog, orphan-pages audits) for running the same checks directly against a WordPress site. Schema detection in both the TS tool and schema-audit.sh now matches script tags with extra attributes (e.g. Yoast/Rank Math's class attribute) instead of requiring an exact opening tag, and also fixes a missing-quote typo in schema-audit.sh that made its detection grep never match anything. The www-canonicalization check in both redirect_audit and redirect-audit.sh now strips a leading "www." from the domain before building the test URL, avoiding a "www.www.example.com" false negative on sites whose canonical URL is already the www form.
Trellis dev VM sites depend on trellis vm shell, which drives a Vagrant/VirtualBox VM on the host - unreachable from inside the container, and the trellis CLI isn't installed in the image either.
…endations doc Replace leftover hardcoded imagewize.com references with the example.com placeholder across docs and scripts, and add docs/mcp-server-recommendations.md covering setup gaps and follow-up work for the MCP server.
Sanitized all references to the robdisbergen client project, replacing with generic 'client' placeholder across security scanner docs and scripts. Files updated: - docs/mcp-server-recommendations.md - wp-cli/diagnostics/diagnostic-transients.php - wp-cli/diagnostics/transient-debug-browser.php - wp-cli/security/SCANNER-SUMMARY.md - wp-cli/security/SECURITY-GUIDE.md - wp-cli/security/scanner-general.php - wp-cli/security/scanner-targeted.php Generated by Mistral Vibe. Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
MCP Server integration is now available for WordPress operations, providing a structured protocol interface for AI assistants to interact with Trellis-managed sites through a TypeScript-based server with support for both stdio and HTTP transports. This release introduces six core MCP tools covering database backups, security scanning, WP-CLI execution, and newly added SEO auditing capabilities for redirects and structured data schemas. The implementation includes runtime validation of site configuration via a Zod schema, a Docker deployment path with documented VM transport limitations, and complementary standalone
wp-cli/seoshell scripts for blog, page, orphan-page, redirect, and schema auditing. Supporting documentation was expanded across the repository, including a new MCP server recommendations guide and sanitization of remainingimagewize.comreferences from shared docs and scripts. The change set totals 39 files and roughly 6,300 insertions, reflecting a new subsystem alongside incremental documentation and configuration updates throughout the existing toolset.MCP Server Core and Tools:
mcp-server/project scaffold with TypeScript source, Dockerfile,.dockerignore/.gitignore, and package configuration to host the MCP server independently of the rest of the repository.security_scan,db_backup, andwp_cliMCP tools to expose existing WordPress operational workflows through the MCP protocol.redirect_auditandschema_auditMCP tools alongside corresponding standalone scripts, extending server capabilities into SEO auditing.sites.jsonto catch malformed site configuration at load time rather than at first use.Documentation:
docs/mcp-server-recommendations.mdand a dedicatedmcp-server/README.mddocumenting setup, usage, and configuration of the new server.README.mdand a corresponding CHANGELOG entry for version 3.0.0, marking the MCP server as a versioned feature addition.CHANGELOG.md,scripts/README.md,wp-cli/README.md, and several Trellis/troubleshooting docs (FAIL2BAN.md,MANUAL-IP-BLOCKING.md, securityREADME.md,updater/README.md,MULTI-SITE-ADDITION.md) for consistency with the new tooling and to sanitize residualimagewize.comreferences.SEO Audit Scripts:
wp-cli/seo/withblog-audit.sh,orphan-pages-audit.sh,page-audit.sh,redirect-audit.sh, andschema-audit.sh, plus aREADME.mddescribing usage, giving operators standalone shell-based equivalents to the new MCP audit tools.Configuration and Maintenance:
.vibe/config.tomland monitoring scripts (404-checker.sh,cf7-smoke-test.js,post-count.sh) as part of general repository maintenance alongside the MCP server introduction.bedrock/local-package-development/README.mdandwordpress-utilities/snippets/wp-template-db-override-wpcli.mdfor accuracy and consistency with the broader documentation pass.Files Changed:
.vibe/config.toml(Modified)CHANGELOG.md(Modified)README.md(Modified)bedrock/local-package-development/README.md(Modified)scripts/README.md(Modified)scripts/monitoring/404-checker.sh(Modified)scripts/monitoring/cf7-smoke-test.js(Modified)scripts/post-count.sh(Modified)trellis/security/FAIL2BAN.md(Modified)trellis/security/MANUAL-IP-BLOCKING.md(Modified)trellis/security/README.md(Modified)trellis/updater/README.md(Modified)troubleshooting/MULTI-SITE-ADDITION.md(Modified)wordpress-utilities/snippets/wp-template-db-override-wpcli.md(Modified)wp-cli/README.md(Modified)docs/mcp-server-recommendations.md(Added)mcp-server/.dockerignore(Added)mcp-server/.gitignore(Added)mcp-server/Dockerfile(Added)mcp-server/README.md(Added)mcp-server/config/sites.example.json(Added)mcp-server/package.json(Added)mcp-server/src/httpServer.ts(Added)mcp-server/src/index.ts(Added)mcp-server/src/registry.ts(Added)mcp-server/src/server.ts(Added)mcp-server/src/tools/dbBackup.ts(Added)mcp-server/src/tools/redirectAudit.ts(Added)mcp-server/src/tools/schemaAudit.ts(Added)mcp-server/src/tools/securityScan.ts(Added)mcp-server/src/tools/wpCli.ts(Added)mcp-server/tsconfig.json(Added)wp-cli/seo/README.md(Added)wp-cli/seo/blog-audit.sh(Added)wp-cli/seo/orphan-pages-audit.sh(Added)wp-cli/seo/page-audit.sh(Added)wp-cli/seo/redirect-audit.sh(Added)wp-cli/seo/schema-audit.sh(Added)Dependency lock files updated: package-lock.json,