
Commit 83bf10d

fix: add auth gate to test-delays fixture and harden performance-audit recipe
- tools/qm-bridge/ai-ddtk-test-delays.php: add current_user_can('manage_options') gate to both template_redirect action and shortcode handler so anonymous visitors cannot trigger slow queries or CPU-bound loops via query param
- recipes/performance-audit.md: add mu-plugins path confirmation step before writing any instrumentation files; add Phase 5 Cleanup with security warning about test-delays fixture; renumber Phase 5 Report to Phase 6; update WP Performance Timer link to Hypercart-Dev-Tools org; prefer MCP tool for WPCC scan in agent summary; add cleanup step to agent workflow
1 parent 69ba3c1 commit 83bf10d

2 files changed

Lines changed: 30 additions & 6 deletions


recipes/performance-audit.md

Lines changed: 21 additions & 6 deletions
@@ -57,6 +57,8 @@ Focus on:
5757

5858
### Phase 3: Runtime Profiling
5959

60+
> **Before writing any mu-plugin or instrumentation file**, confirm the target site's mu-plugins path with the user. For Local by Flywheel, this is typically `~/Local Sites/<site-name>/app/public/wp-content/mu-plugins/`. Do not assume the path — show it and get confirmation first.
61+
6062
For each confirmed issue, add performance timers:
6163

6264
```php
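Review bot: the example path in the new blockquote, `~/Local Sites/<site-name>/app/public/wp-content/mu-plugins/`, contains a space, so any shell command the agent composes to write the instrumentation file there must quote the path; since the note is aimed at exactly that step, add a sentence saying so. It would also help to say why the confirmation matters (a file dropped into the wrong `mu-plugins/` directory loads on every request of that site and is only undone by the Phase 5 cleanup), so the agent does not treat the prompt as optional.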
@@ -98,7 +100,18 @@ if (isset($timer) && function_exists('perf_timer_stop')) {
98100
- NeoLog session files
99101
- Admin → Tools → Performance Logs
100102

101-
### Phase 5: Report
103+
### Phase 5: Cleanup
104+
105+
After profiling is complete, remove all instrumentation before merging or deploying:
106+
107+
1. **Remove `perf_timer_start()` / `perf_timer_stop()` wrappers** from the code under test
108+
2. **Remove `ai-ddtk-test-delays.php`** from `mu-plugins/` if it was installed (see security warning below)
109+
3. **Remove `PERF_LOG_ALL`** from `wp-config.php` if it was added
110+
4. **Verify** the site loads cleanly without debug artifacts
111+
112+
> **Security warning:** `ai-ddtk-test-delays.php` has no auth gate — any visitor can trigger `?aiddtk_test_delays=1` to force slow queries, external HTTP calls, and CPU-bound loops. **Never leave it installed on a public-facing site.** It is a fixture for local profiling only.
113+
114+
### Phase 6: Report
102115

103116
Document findings in this format:
104117

@@ -159,17 +172,19 @@ tail -100 /path/to/wordpress/wp-content/debug.log | grep PERF
159172

160173
- [WPCC Features](../bin/wpcc) - Run `wpcc --features` for all options
161174
- [AGENTS.md](../AGENTS.md) - Performance Profiling section
162-
- [WP Performance Timer](https://github.com/yourusername/wp-performance-timer) - Plugin documentation
175+
- [Hypercart WP Performance Timer](https://github.com/Hypercart-Dev-Tools/wp-performance-timer) - Plugin documentation
163176

164177
---
165178

166179
## AI Agent Instructions
167180

168181
When user asks for a performance audit:
169182

170-
1. Run WPCC scan on the target path
183+
1. Run WPCC scan on the target path (prefer `wpcc_run_scan` MCP tool if available; fall back to `wpcc --paths <path> --format json` via shell if MCP is not connected)
171184
2. Triage findings for performance-related issues
172-
3. Guide user to add timers around flagged code
173-
4. Help interpret the runtime metrics
174-
5. Provide optimization recommendations based on confirmed bottlenecks
185+
3. **Confirm the target site's mu-plugins path** with the user before writing any files
186+
4. Guide user to add timers around flagged code
187+
5. Help interpret the runtime metrics
188+
6. Provide optimization recommendations based on confirmed bottlenecks
189+
7. **Run cleanup** — remove all instrumentation, test fixtures, and debug config before finishing
175190

tools/qm-bridge/ai-ddtk-test-delays.php

Lines changed: 9 additions & 0 deletions
@@ -30,6 +30,12 @@
3030
return;
3131
}
3232

33+
// Auth gate — only administrators can trigger test delays.
34+
// Without this, any visitor could cause slow queries and CPU load via the query param.
35+
if ( ! current_user_can( 'manage_options' ) ) {
36+
return;
37+
}
38+
3339
// Run the delays early in the page lifecycle so QM captures everything.
3440
aiddtk_run_test_delays();
3541
}, 5 );
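Review bot: the new `current_user_can( 'manage_options' )` check closes the anonymous-visitor hole, but the trigger is still a plain GET query parameter, so any page a logged-in administrator happens to open can still start the slow queries and CPU-bound loops in that administrator's own session. Since the surrounding comment describes this as a local profiling fixture, consider also bailing when `wp_get_environment_type() === 'production'`, or requiring a nonce on the parameter via `wp_verify_nonce()`, so the file is inert even if it is accidentally deployed. The comment says "only administrators", but `manage_options` is a capability rather than a role; any role granted it passes, which is worth stating precisely.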
@@ -38,6 +44,9 @@
3844
* Also register as a shortcode for non-BB pages.
3945
*/
4046
add_shortcode( 'aiddtk_test_delays', function () {
47+
if ( ! current_user_can( 'manage_options' ) ) {
48+
return '';
49+
}
4150
aiddtk_run_test_delays();
4251
return '<p style="font-family:monospace;color:#666;">AI-DDTK test delays executed. Check QM for profiling data.</p>';
4352
} );
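Review bot: both the `template_redirect` callback above and this shortcode call `aiddtk_run_test_delays()`, so an administrator viewing a page that contains `[aiddtk_test_delays]` with the query parameter also set runs the delays twice and sees doubled timings in QM. If that is not intended, have `aiddtk_run_test_delays()` guard itself with a static "already ran" flag, or have the shortcode skip when the early path has fired. Returning `''` silently for non-admins is the right choice for public output, but a one-line comment saying the shortcode intentionally renders nothing for them would help the next reader.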
